Edit tour

Windows Analysis Report
RFQ-HL51L05.exe

Overview

General Information

Sample name:	RFQ-HL51L05.exe
Analysis ID:	1431499
MD5:	254d0303fffb227dde317b5e2bb664ae
SHA1:	f538ce2f5b72eaf0ecfb4a0b4a8af43436c0fb46
SHA256:	78fad406a45c2723861ac043560f4fcbe8ff4df4c5e49e702833944af1220e53
Tags:	AgentTeslaexe
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Binary is likely a compiled AutoIt script file

Contains functionality to log keystrokes (.Net Source)

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Maps a DLL or memory area into another process

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Outbound SMTP Connections

Uses 32bit PE files

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

RFQ-HL51L05.exe (PID: 5012 cmdline: "C:\Users\user\Desktop\RFQ-HL51L05.exe" MD5: 254D0303FFFB227DDE317B5E2BB664AE)

RegSvcs.exe (PID: 4924 cmdline: "C:\Users\user\Desktop\RFQ-HL51L05.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://asec.ahnlab.com/ko/29133/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.cmcapama.top", "Username": "bangalee@cmcapama.top", "Password": "EVEitDp@^lu~                    "}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.3301412264.0000000002729000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.3301412264.00000000026FE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.2068321175.0000000001260000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2068321175.0000000001260000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.2068321175.0000000001260000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334cd:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3353f:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335c9:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3365b:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336c5:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33737:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337cd:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3385d:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
00000002.00000002.3300590413.00000000007C2000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.3300590413.00000000007C2000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.3301412264.00000000026B1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.3301412264.00000000026B1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RFQ-HL51L05.exe PID: 5012	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RFQ-HL51L05.exe PID: 5012	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegSvcs.exe PID: 4924	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 4924	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 8 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.RegSvcs.exe.7c0000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.7c0000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.7c0000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334cd:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3353f:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335c9:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3365b:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336c5:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33737:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337cd:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3385d:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.RFQ-HL51L05.exe.1260000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.RFQ-HL51L05.exe.1260000.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.RFQ-HL51L05.exe.1260000.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x316cd:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3173f:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x317c9:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3185b:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x318c5:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x31937:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x319cd:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x31a5d:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.RFQ-HL51L05.exe.1260000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.RFQ-HL51L05.exe.1260000.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.RFQ-HL51L05.exe.1260000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x334cd:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3353f:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x335c9:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x3365b:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x336c5:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33737:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x337cd:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3385d:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Click to see the 4 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 194.36.191.196, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Initiated: true, ProcessId: 4924, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49699

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 2.2.RegSvcs.exe.7c0000.0.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.cmcapama.top", "Username": "bangalee@cmcapama.top", "Password": "EVEitDp@^lu~ "}

Multi AV Scanner detection for submitted file

Source: RFQ-HL51L05.exe	ReversingLabs: Detection: 28%
Source: RFQ-HL51L05.exe	Virustotal: Detection: 30%			Perma Link

Machine Learning detection for sample

Source: RFQ-HL51L05.exe

Joe Sandbox ML: detected

Source: RFQ-HL51L05.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: wntdll.pdbUGP source: RFQ-HL51L05.exe, 00000000.00000003.2063316779.0000000003AB0000.00000004.00001000.00020000.00000000.sdmp, RFQ-HL51L05.exe, 00000000.00000003.2060169865.0000000003C10000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: RFQ-HL51L05.exe, 00000000.00000003.2063316779.0000000003AB0000.00000004.00001000.00020000.00000000.sdmp, RFQ-HL51L05.exe, 00000000.00000003.2060169865.0000000003C10000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_00F44696 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00F44696
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_00F4C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00F4C9C7
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_00F4C93C FindFirstFileW,FindClose,	0_2_00F4C93C
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_00F4F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00F4F200
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_00F4F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00F4F35D
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_00F4F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00F4F65E
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_00F43A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00F43A2B
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_00F43D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00F43D4E
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_00F4BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00F4BF27

Source: global traffic

TCP traffic: 192.168.2.6:49699 -> 194.36.191.196:587

Source: Joe Sandbox View

IP Address: 194.36.191.196 194.36.191.196

Source: global traffic

TCP traffic: 192.168.2.6:49699 -> 194.36.191.196:587

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\RFQ-HL51L05.exe

Code function: 0_2_00F525E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_00F525E2

Source: global traffic

DNS traffic detected: DNS query: mail.cmcapama.top

Source: RegSvcs.exe, 00000002.00000002.3301412264.00000000026FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cmcapama.top
Source: RegSvcs.exe, 00000002.00000002.3301412264.00000000026FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.cmcapama.top
Source: RegSvcs.exe, 00000002.00000002.3301412264.00000000026FE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3303315424.0000000005A02000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3303315424.0000000005A40000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3300886228.0000000000A30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r3.i.lencr.org/0
Source: RegSvcs.exe, 00000002.00000002.3301412264.00000000026FE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3303315424.0000000005A02000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3303315424.0000000005A40000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3300886228.0000000000A30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r3.o.lencr.org0
Source: RegSvcs.exe, 00000002.00000002.3301412264.00000000026FE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3303315424.0000000005A02000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3303315424.0000000005A40000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3300886228.0000000000A30000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3300706007.00000000009D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: RegSvcs.exe, 00000002.00000002.3301412264.00000000026FE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3303315424.0000000005A02000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3303315424.0000000005A40000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3300886228.0000000000A30000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3300706007.00000000009D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: RFQ-HL51L05.exe, 00000000.00000002.2068321175.0000000001260000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3300590413.00000000007C2000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.RFQ-HL51L05.exe.1260000.1.raw.unpack, cPKWk.cs

.Net Code: aQrPdLx

Source: C:\Users\user\Desktop\RFQ-HL51L05.exe

Code function: 0_2_00F5425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00F5425A

Source: C:\Users\user\Desktop\RFQ-HL51L05.exe

Code function: 0_2_00F54458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00F54458

Source: C:\Users\user\Desktop\RFQ-HL51L05.exe

0_2_00F5425A

Source: C:\Users\user\Desktop\RFQ-HL51L05.exe

Code function: 0_2_00F40219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_00F40219

Source: C:\Users\user\Desktop\RFQ-HL51L05.exe

Code function: 0_2_00F6CDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00F6CDAC

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.RegSvcs.exe.7c0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.RFQ-HL51L05.exe.1260000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.RFQ-HL51L05.exe.1260000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000000.00000002.2068321175.0000000001260000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00EE3B4C
Source: RFQ-HL51L05.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: RFQ-HL51L05.exe, 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_f1c9ecbd-c
Source: RFQ-HL51L05.exe, 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_1968dd43-d
Source: RFQ-HL51L05.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_bf2593e8-a
Source: RFQ-HL51L05.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_2bd4949c-f

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: RFQ-HL51L05.exe

Source: C:\Users\user\Desktop\RFQ-HL51L05.exe

Code function: 0_2_00F440B1: CreateFileW,_memset,DeviceIoControl,CloseHandle,

0_2_00F440B1

Source: C:\Users\user\Desktop\RFQ-HL51L05.exe

Code function: 0_2_00F38858 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00F38858

Source: C:\Users\user\Desktop\RFQ-HL51L05.exe

Code function: 0_2_00F4545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00F4545F

Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_00EEE800	0_2_00EEE800
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_00F0DBB5	0_2_00F0DBB5
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_00EEE060	0_2_00EEE060
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_00F6804A	0_2_00F6804A
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_00EF4140	0_2_00EF4140
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_00F02405	0_2_00F02405
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_00F16522	0_2_00F16522
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_00F1267E	0_2_00F1267E
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_00F60665	0_2_00F60665
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_00EF6843	0_2_00EF6843
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_00F0283A	0_2_00F0283A
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_00F189DF	0_2_00F189DF
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_00F60AE2	0_2_00F60AE2
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_00F16A94	0_2_00F16A94
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_00EF8A0E	0_2_00EF8A0E
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_00F48B13	0_2_00F48B13
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_00F3EB07	0_2_00F3EB07
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_00F0CD61	0_2_00F0CD61
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_00F17006	0_2_00F17006
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_00EF3190	0_2_00EF3190
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_00EF710E	0_2_00EF710E
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_00EE1287	0_2_00EE1287
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_00F033C7	0_2_00F033C7
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_00F0F419	0_2_00F0F419
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_00F016C4	0_2_00F016C4
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_00EF5680	0_2_00EF5680
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_00F078D3	0_2_00F078D3
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_00EF58C0	0_2_00EF58C0
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_00F01BB8	0_2_00F01BB8
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_00F19D05	0_2_00F19D05
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_00EEFE40	0_2_00EEFE40
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_00F0BFE6	0_2_00F0BFE6
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_00F01FD0	0_2_00F01FD0
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_011B3680	0_2_011B3680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_04BB41C8	2_2_04BB41C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_04BB9370	2_2_04BB9370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_04BB3E80	2_2_04BB3E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_04BBCE68	2_2_04BBCE68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_04BB4A98	2_2_04BB4A98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_04BB9B30	2_2_04BB9B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05AFBCC8	2_2_05AFBCC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05AFDCD8	2_2_05AFDCD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05AF3F08	2_2_05AF3F08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05AF5690	2_2_05AF5690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05AF0040	2_2_05AF0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05AF8B48	2_2_05AF8B48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05AF9AA0	2_2_05AF9AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05AF2AF0	2_2_05AF2AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05AF4FB0	2_2_05AF4FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_05AF3208	2_2_05AF3208

Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: String function: 00F08B40 appears 42 times
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: String function: 00EE7F41 appears 35 times
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: String function: 00F00D27 appears 70 times

Source: RFQ-HL51L05.exe, 00000000.00000003.2060169865.0000000003D3D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs RFQ-HL51L05.exe
Source: RFQ-HL51L05.exe, 00000000.00000003.2060028762.0000000003B93000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs RFQ-HL51L05.exe
Source: RFQ-HL51L05.exe, 00000000.00000002.2068321175.0000000001260000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilename2476821b-522d-4413-ae7d-3517dfb022e4.exe4 vs RFQ-HL51L05.exe

Source: RFQ-HL51L05.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 2.2.RegSvcs.exe.7c0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.RFQ-HL51L05.exe.1260000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.RFQ-HL51L05.exe.1260000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000000.00000002.2068321175.0000000001260000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: 0.2.RFQ-HL51L05.exe.1260000.1.raw.unpack, cPs8D.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.RFQ-HL51L05.exe.1260000.1.raw.unpack, 72CF8egH.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.RFQ-HL51L05.exe.1260000.1.raw.unpack, G5CXsdn.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.RFQ-HL51L05.exe.1260000.1.raw.unpack, 3uPsILA6U.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.RFQ-HL51L05.exe.1260000.1.raw.unpack, 6oQOw74dfIt.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.RFQ-HL51L05.exe.1260000.1.raw.unpack, aMIWm.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 0.2.RFQ-HL51L05.exe.1260000.1.raw.unpack, 3QjbQ514BDx.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.RFQ-HL51L05.exe.1260000.1.raw.unpack, 3QjbQ514BDx.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/4@1/1

Source: C:\Users\user\Desktop\RFQ-HL51L05.exe

Code function: 0_2_00F4A2D5 GetLastError,FormatMessageW,

0_2_00F4A2D5

Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_00F38713 AdjustTokenPrivileges,CloseHandle,		0_2_00F38713
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_00F38CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00F38CC3

Source: C:\Users\user\Desktop\RFQ-HL51L05.exe

Code function: 0_2_00F4B59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00F4B59E

Source: C:\Users\user\Desktop\RFQ-HL51L05.exe

Code function: 0_2_00F5F121 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00F5F121

Source: C:\Users\user\Desktop\RFQ-HL51L05.exe

Code function: 0_2_00F586D0 CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,

0_2_00F586D0

Source: C:\Users\user\Desktop\RFQ-HL51L05.exe

Code function: 0_2_00EE4FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00EE4FE9

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\RFQ-HL51L05.exe

File created: C:\Users\user\AppData\Local\Temp\autED7A.tmp

Jump to behavior

Source: RFQ-HL51L05.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\RFQ-HL51L05.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RFQ-HL51L05.exe	ReversingLabs: Detection: 28%
Source: RFQ-HL51L05.exe	Virustotal: Detection: 30%

Source: unknown	Process created: C:\Users\user\Desktop\RFQ-HL51L05.exe "C:\Users\user\Desktop\RFQ-HL51L05.exe"
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\RFQ-HL51L05.exe"
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\RFQ-HL51L05.exe"	Jump to behavior

Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Section loaded: wldp.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: RFQ-HL51L05.exe

Static file information: File size 1116160 > 1048576

Source: RFQ-HL51L05.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: RFQ-HL51L05.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: RFQ-HL51L05.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: RFQ-HL51L05.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: RFQ-HL51L05.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: RFQ-HL51L05.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: RFQ-HL51L05.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wntdll.pdbUGP source: RFQ-HL51L05.exe, 00000000.00000003.2063316779.0000000003AB0000.00000004.00001000.00020000.00000000.sdmp, RFQ-HL51L05.exe, 00000000.00000003.2060169865.0000000003C10000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: RFQ-HL51L05.exe, 00000000.00000003.2063316779.0000000003AB0000.00000004.00001000.00020000.00000000.sdmp, RFQ-HL51L05.exe, 00000000.00000003.2060169865.0000000003C10000.00000004.00001000.00020000.00000000.sdmp

Source: RFQ-HL51L05.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: RFQ-HL51L05.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: RFQ-HL51L05.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: RFQ-HL51L05.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: RFQ-HL51L05.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\RFQ-HL51L05.exe

Code function: 0_2_00F5C304 LoadLibraryA,GetProcAddress,

0_2_00F5C304

Source: C:\Users\user\Desktop\RFQ-HL51L05.exe

Code function: 0_2_00F08B85 push ecx; ret

0_2_00F08B98

Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_00EE4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00EE4A35
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_00F655FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00F655FD

Source: C:\Users\user\Desktop\RFQ-HL51L05.exe

Code function: 0_2_00F033C7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00F033C7

Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 1088			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 4780			Jump to behavior

Source: C:\Users\user\Desktop\RFQ-HL51L05.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-99369

Source: C:\Users\user\Desktop\RFQ-HL51L05.exe

API coverage: 4.6 %

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_00F44696 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00F44696
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_00F4C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00F4C9C7
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_00F4C93C FindFirstFileW,FindClose,	0_2_00F4C93C
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_00F4F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00F4F200
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_00F4F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00F4F35D
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_00F4F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00F4F65E
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_00F43A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00F43A2B
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_00F43D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00F43D4E
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_00F4BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00F4BF27

Source: C:\Users\user\Desktop\RFQ-HL51L05.exe

Code function: 0_2_00EE4AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00EE4AFE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99657	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99532	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99313	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99063	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98938	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98813	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98513	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98407	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98063	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97938	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97813	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97688	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97579	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97454	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97329	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97204	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97079	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96954	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96829	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96704	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96579	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: RegSvcs.exe, 00000002.00000002.3303315424.0000000005A02000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	API call chain: ExitProcess graph end node			graph_0-98728
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	API call chain: ExitProcess graph end node			graph_0-98299

Source: C:\Users\user\Desktop\RFQ-HL51L05.exe

Code function: 0_2_00F541FD BlockInput,

0_2_00F541FD

Source: C:\Users\user\Desktop\RFQ-HL51L05.exe

Code function: 0_2_00EE3B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00EE3B4C

Source: C:\Users\user\Desktop\RFQ-HL51L05.exe

Code function: 0_2_00F15CCC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00F15CCC

Source: C:\Users\user\Desktop\RFQ-HL51L05.exe

Code function: 0_2_00F5C304 LoadLibraryA,GetProcAddress,

0_2_00F5C304

Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_011B3510 mov eax, dword ptr fs:[00000030h]	0_2_011B3510
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_011B3570 mov eax, dword ptr fs:[00000030h]	0_2_011B3570
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_011B1ED0 mov eax, dword ptr fs:[00000030h]	0_2_011B1ED0

Source: C:\Users\user\Desktop\RFQ-HL51L05.exe

Code function: 0_2_00F381F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00F381F7

Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_00F0A395 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_00F0A395
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_00F0A364 SetUnhandledExceptionFilter,		0_2_00F0A364

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\RFQ-HL51L05.exe

Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\RFQ-HL51L05.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 5F4008

Jump to behavior

Source: C:\Users\user\Desktop\RFQ-HL51L05.exe

Code function: 0_2_00F38C93 LogonUserW,

0_2_00F38C93

Source: C:\Users\user\Desktop\RFQ-HL51L05.exe

Code function: 0_2_00EE3B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00EE3B4C

Source: C:\Users\user\Desktop\RFQ-HL51L05.exe

Code function: 0_2_00EE4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_00EE4A35

Source: C:\Users\user\Desktop\RFQ-HL51L05.exe

Code function: 0_2_00F44EF5 mouse_event,

0_2_00F44EF5

Source: C:\Users\user\Desktop\RFQ-HL51L05.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\RFQ-HL51L05.exe"

Jump to behavior

Source: C:\Users\user\Desktop\RFQ-HL51L05.exe

0_2_00F381F7

Source: C:\Users\user\Desktop\RFQ-HL51L05.exe

Code function: 0_2_00F44C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00F44C03

Source: RFQ-HL51L05.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: RFQ-HL51L05.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\RFQ-HL51L05.exe

Code function: 0_2_00F0886B cpuid

0_2_00F0886B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\RFQ-HL51L05.exe

Code function: 0_2_00F150D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00F150D7

Source: C:\Users\user\Desktop\RFQ-HL51L05.exe

Code function: 0_2_00F22230 GetUserNameW,

0_2_00F22230

Source: C:\Users\user\Desktop\RFQ-HL51L05.exe

Code function: 0_2_00F1418A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00F1418A

Source: C:\Users\user\Desktop\RFQ-HL51L05.exe

Code function: 0_2_00EE4AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00EE4AFE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 2.2.RegSvcs.exe.7c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ-HL51L05.exe.1260000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ-HL51L05.exe.1260000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3301412264.0000000002729000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3301412264.00000000026FE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2068321175.0000000001260000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3300590413.00000000007C2000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3301412264.00000000026B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RFQ-HL51L05.exe PID: 5012, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 4924, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: RFQ-HL51L05.exe	Binary or memory string: WIN_81
Source: RFQ-HL51L05.exe	Binary or memory string: WIN_XP
Source: RFQ-HL51L05.exe	Binary or memory string: WIN_XPe
Source: RFQ-HL51L05.exe	Binary or memory string: WIN_VISTA
Source: RFQ-HL51L05.exe	Binary or memory string: WIN_7
Source: RFQ-HL51L05.exe	Binary or memory string: WIN_8
Source: RFQ-HL51L05.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Source: Yara match	File source: 2.2.RegSvcs.exe.7c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ-HL51L05.exe.1260000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ-HL51L05.exe.1260000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2068321175.0000000001260000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3300590413.00000000007C2000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3301412264.00000000026B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RFQ-HL51L05.exe PID: 5012, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 4924, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 2.2.RegSvcs.exe.7c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ-HL51L05.exe.1260000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ-HL51L05.exe.1260000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3301412264.0000000002729000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3301412264.00000000026FE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2068321175.0000000001260000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3300590413.00000000007C2000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3301412264.00000000026B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RFQ-HL51L05.exe PID: 5012, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 4924, type: MEMORYSTR

Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_00F56596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_00F56596
Source: C:\Users\user\Desktop\RFQ-HL51L05.exe	Code function: 0_2_00F56A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00F56A5A

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Native API	2 Valid Accounts	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	121 Input Capture	1 Account Discovery	Remote Desktop Protocol	2 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Valid Accounts	2 Obfuscated Files or Information	1 Credentials in Registry	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	38 System Information Discovery	Distributed Component Object Model	121 Input Capture	1 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	2 Valid Accounts	LSA Secrets	141 Security Software Discovery	SSH	3 Clipboard Data	11 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	121 Virtualization/Sandbox Evasion	Cached Domain Credentials	121 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Access Token Manipulation	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	212 Process Injection	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Link
RFQ-HL51L05.exe	29%	ReversingLabs
RFQ-HL51L05.exe	30%	Virustotal	Browse
RFQ-HL51L05.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
cmcapama.top	2%	Virustotal		Browse
mail.cmcapama.top	2%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://r3.o.lencr.org0	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
http://r3.i.lencr.org/0	0%	URL Reputation	safe
http://mail.cmcapama.top	0%	Avira URL Cloud	safe
http://mail.cmcapama.top	2%	Virustotal		Browse
http://cmcapama.top	0%	Avira URL Cloud	safe
http://cmcapama.top	2%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
cmcapama.top	194.36.191.196	true	false	2%, Virustotal, Browse	unknown
mail.cmcapama.top	unknown	unknown	true	2%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://r3.o.lencr.org0	RegSvcs.exe, 00000002.00000002.3301412264.00000000026FE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3303315424.0000000005A02000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3303315424.0000000005A40000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3300886228.0000000000A30000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://account.dyn.com/	RFQ-HL51L05.exe, 00000000.00000002.2068321175.0000000001260000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3300590413.00000000007C2000.00000040.80000000.00040000.00000000.sdmp	false		high
http://mail.cmcapama.top	RegSvcs.exe, 00000002.00000002.3301412264.00000000026FE000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://x1.c.lencr.org/0	RegSvcs.exe, 00000002.00000002.3301412264.00000000026FE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3303315424.0000000005A02000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3303315424.0000000005A40000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3300886228.0000000000A30000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3300706007.00000000009D4000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	RegSvcs.exe, 00000002.00000002.3301412264.00000000026FE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3303315424.0000000005A02000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3303315424.0000000005A40000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3300886228.0000000000A30000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3300706007.00000000009D4000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
http://cmcapama.top	RegSvcs.exe, 00000002.00000002.3301412264.00000000026FE000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://r3.i.lencr.org/0	RegSvcs.exe, 00000002.00000002.3301412264.00000000026FE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3303315424.0000000005A02000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3303315424.0000000005A40000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3300886228.0000000000A30000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
194.36.191.196	cmcapama.top	Netherlands		60117	HSAE	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1431499
Start date and time:	2024-04-25 10:38:04 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 42s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	RFQ-HL51L05.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/4@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 56 Number of non-executed functions: 271
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
10:38:49	API Interceptor	29x Sleep call for process: RegSvcs.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
194.36.191.196	http://store.avast.com/store?SiteID=avast&Action=DisplayRedirectCustomPage&Locale=en_US&v=1&t=event&tid=UA-58120669-65&cid=725399894.1568213989&ec=Emailing_Digital%20River&aip=1&cm10=1&ds=Avast&ul=en_US&cs=Digital%20River&cm=email&cd2=Paid&cd3=725399894.1568213989&cd4=Business&cd5=BMG-00-001-36-AR&cd7=13306019910&cd6=22895593139&cd8=0&cd9=4871168000&cd10=USD&cd11=44&cd12=1659005853297&ea=Click&el=http://0gjysc.wildlifewalkabout.com/am9lbC5uYXNzaWZAYXJuLmFl	Get hash	malicious	Unknown	Browse	0gjysc.wildlifewalkabout.com/am9lbC5uYXNzaWZAYXJuLmFl
	#U6025-146102220896 BSIU2505935-Remitance Advise.xlsx	Get hash	malicious	FormBook	Browse	www.firstflightmdelivery.services/inug/?LJBd06wP=my5vzthd/gf6h+YfXGHF51EmCUBukXLQvdzfbkPp7mscRjHMsb7qcEfg2/kZIm7kG7WZ0g==&-ZcxnF=8p74g4BxA
	jun.exe	Get hash	malicious	AZORult	Browse	squerad.com/cgi-sys/suspendedpage.cgi
	Player offer.exe	Get hash	malicious	AZORult	Browse	squerad.com/frank/index.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
HSAE	RFQ-HL51L05.exe	Get hash	malicious	AgentTesla	Browse	194.36.191.196
	RFQ-HL51L05.exe	Get hash	malicious	AgentTesla	Browse	194.36.191.196
	Order Enquiry MX-M754N_20240207_114441.exe	Get hash	malicious	AgentTesla	Browse	194.36.191.196
	PDT_7367027738832_789257820__________________________.exe	Get hash	malicious	AgentTesla	Browse	185.244.151.84
	SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.1274.17126.exe	Get hash	malicious	AgentTesla	Browse	194.36.191.196
	Arba Outstanding Statement.exe	Get hash	malicious	AgentTesla, PureLog Stealer, RedLine	Browse	185.244.151.84
	WZM.exe	Get hash	malicious	AgentTesla, PureLog Stealer, RedLine	Browse	185.244.151.84
	z1RFQ20838_CMC_RITM50736681.exe	Get hash	malicious	AgentTesla	Browse	194.36.191.196
	https://doggygangers.com/YfMv2QsjpCQl845BWSYNfNOQitweyze_Z6lIlrRr43MRjX_HrM/downloadsdownloadfile/dwnl_standart.php	Get hash	malicious	LummaC, PureLog Stealer, RedLine, SectopRAT, zgRAT	Browse	194.36.191.196
	BOQ- AE20003 0084 20240408 .exe	Get hash	malicious	AgentTesla	Browse	194.36.191.196

Process:	C:\Users\user\Desktop\RFQ-HL51L05.exe
File Type:	data
Category:	dropped
Size (bytes):	155572
Entropy (8bit):	7.943685591814366
Encrypted:	false
SSDEEP:	3072:uPs76F+ygKB60ExuppKFWhGOohDzq77vzGiejsr3nya8ulj5RpCFg:l5ygKBRRtkOohDz67vzGXs7ya8urB
MD5:	93FE612DDACC7ADF67709D389A985D3B
SHA1:	C638EFA1465D40487FBD7B198C06654470D45A7E
SHA-256:	D4BD2E54CEF664BEBCE1D93BEFBC065F7E75311BC136FD1963D4EF7F9D30DE4B
SHA-512:	4B307DE839EEA2AAB9873DADF0F44D8DD7A711930661F27409685D407101D8572B9DE53094BDA53AA1F23A329541A60378B9E20315C526B367ED0A598DBD43B9
Malicious:	false
Reputation:	low
Preview:	EA06.....G....5..j.]..H.Pht.E&.5.Q(U0.r...Siu:D.._4@..t...mK.G..i....a..].3....#.V...d..$.J.R.<FcP...5.l.{h.C...,.GP.Ri.....cqjD..B.R:~....s[I.>.X...4?m..G..9.W.U&.....B..!4y...\..\`....P.S..@.1I..64..v.I..\49.NJ.q....p..N....i.8t......).....S....V.D............f4...q..P)..H...\l..@...0.P....J`..b&...,........D........B....Z...H.zh..?...5..\\|....-...(4.m'7..Q5V9.Nl..M)....7../.W=.].k.}.C'....e...\.F..'.\|.h5".Q..h...#H...y...G.A).ZD....../..a...&U-V.3...%4.%Y..G..M.c....m......I....?.-..+u..69..{m.}.y..L.q..NO..U....R{;..cQ)..S;.c(............S.]..".ZU"Wp.N....k5q.Sc~....?..%.....<..g.0..x..K@9...1<.E.`.......~......]...H...W(....I;.n.E(&.ag..t...3u..d.W..f...^..EG.......]....C....r...N/....]R.@.uJL.F...I.....0.J...0........l2qM.....u}.Y.....J{...\|r..N......u`s......]......8.K..U1.Tl3y..w".J..I.F7a..n.Y..V...E.m@.R.`9.n...R.t(..y..Rh\|..P...[..Z../K..#...6.4.Mh..G.g-....D..\.Zj..E..7.P..9.V.i..&s.p..k...s<.n.TfR.p.)..........Q.U-....G....A..&.Z.J..

C:\Users\user\AppData\Local\Temp\autEDC9.tmp

Download File

Process:	C:\Users\user\Desktop\RFQ-HL51L05.exe
File Type:	data
Category:	dropped
Size (bytes):	9904
Entropy (8bit):	7.592896424843614
Encrypted:	false
SSDEEP:	192:m+cK6f01Ehm0qek9Gh0qWbK307sZY3x22MN5+mP+8Hd63y:976Mkm7ek9y0pbK307sAk205z2i8y
MD5:	5782D7B1FE783588B079680D49D97992
SHA1:	1D65E14CB4FE74A87126A39D305A6FED0440D82D
SHA-256:	D7020168C7CB8EBDAC76C8AFA6DC599078A6A2160D09FDB7292F577A8759E275
SHA-512:	88593DFD2B9DF1D7AA782AEDDCA0A73DCE0F51BF5B3556B6E8042AC424B7F818AD32F53F12436E5694FABF3E83E2A3B1D7F8E2EE6EEAC7963BA282FC19162820
Malicious:	false
Reputation:	low
Preview:	EA06..t0.M'.)..e4.N'.).......T9..l.0L.s.5..3..s.4.8.......k8.Yls....c..&S...k6...S....1.L&.i..i5.M,S....K.@...7...p. ....P.o...m.X.V........9....3...f....s2.Xf@.]..g3@..h.m.M.......8.l..6.....a........i4........g3Y...c ._..k4...d....H, ......Ac.H..g...(.F..=d....>....C`....@02..N@...u......Y..ab.M.]>.$....M.x>;$....N.j.;%....X.j.;%......j.;,....P'.b.5... .^..f./Z..@F.6.z..G......`......i..G../Z...zqd...l.;.........\|......7...}3{(........;^..l =..p.........3p.o....,.......x.....H<.lX.:...b.....,. ...2...f.[...K.)....b..i\|v F......X......`....,.9....5...._..l......>K.....ir.e....[4..d..f.y.....,.....S >..p...........s9.... !..Y....f...ja4....ea.h,.p.....,.a8.,..3........f.....f ....,j.0..&...J......f ....6K%.ke..f....L..;2.X...4.Y.V@.Fn.....f@....l..05.....!;3.X...c )D.g6... ...'&`....,f.6..&....r...Brh.....l...i2...B....@.......d.L.`!.....P...@X5d..lSK...9...!;5.X...cVY......'.B...,vl.!..>.a..l...M..@...X...b.M&.X..B.a.Q...sp..X..9..o5..f.!...,vn......d...

C:\Users\user\AppData\Local\Temp\cunili

Download File

Process:	C:\Users\user\Desktop\RFQ-HL51L05.exe
File Type:	ASCII text, with very long lines (29744), with no line terminators
Category:	dropped
Size (bytes):	29744
Entropy (8bit):	3.546870904705114
Encrypted:	false
SSDEEP:	768:wiTZ+2QoioGRk6ZklputwjpjBkCiw2RuJ3nXKUrvzjsNbQE+I+h6584vfF3if6gC:wiTZ+2QoioGRk6ZklputwjpjBkCiw2R/
MD5:	FC07DAD5742A4DD0AC136FB77F77B596
SHA1:	5CC3D57287172195AE517E2D8BA3DB0C94EC06E9
SHA-256:	14247DBD5C77A03AE43D583675D028B1700A99A7ACA4964DC6A937E48FE6136A
SHA-512:	5CB620F16F21B940A73A5C9FD02860E88B384B20764FCCDB568A43D9F3E766B2692C7F18B16D8DCC8856BC0B05289C6E9679C826D4ACE2105C1E2C268019D3D7
Malicious:	false
Reputation:	low
Preview:	048B4C24088B008B093BC8760483C8FFC31BC0F7D8C38B0x558bec81eccc0200005657b86b00000066894584b96500000066894d86ba7200000066895588b86e0000006689458ab96500000066894d8cba6c0000006689558eb83300000066894590b93200000066894d92ba2e00000066895594b86400000066894596b96c00000066894d98ba6c0000006689559a33c06689459cb96e00000066898d44ffffffba7400000066899546ffffffb86400000066898548ffffffb96c00000066898d4affffffba6c0000006689954cffffffb82e0000006689854effffffb96400000066898d50ffffffba6c00000066899552ffffffb86c00000066898554ffffff33c966898d56ffffffba75000000668955d0b873000000668945d2b96500000066894dd4ba72000000668955d6b833000000668945d8b93200000066894ddaba2e000000668955dcb864000000668945deb96c00000066894de0ba6c000000668955e233c0668945e4b96100000066898d68ffffffba640000006689956affffffb8760000006689856cffffffb96100000066898d6effffffba7000000066899570ffffffb86900000066898572ffffffb93300000066898d74ffffffba3200000066899576ffffffb82e00000066898578ffffffb96400000066898d7affffffba6c0000006689957cffffffb86c00000066

C:\Users\user\AppData\Local\Temp\meshummad

Download File

Process:	C:\Users\user\Desktop\RFQ-HL51L05.exe
File Type:	data
Category:	dropped
Size (bytes):	240128
Entropy (8bit):	6.6446670359003885
Encrypted:	false
SSDEEP:	6144:pQCpbZXx3HuQLYM9VN5NlbAhaHSZw++X0KjvfcsukHk:pQCfXUY7PlG9ZwrX0Kj8x
MD5:	CF5CFE01C27FBFDC6B35AC8641820555
SHA1:	B6D043554BC280E20004680555D36F2652E688F4
SHA-256:	26FDCCA4F8C548FF59722C50B4E68C42ADE7DA6358259665BB74751D07ED2160
SHA-512:	B5AD09FA507F6C623D0D5AF6E6E0DBCC172A445D7C6ECB2C3EE8C8C37C32AE5FB4CDBC92CA62BCBEBEE577ADBFB5490734146664DAC5A4224F04032FA780B6A5
Malicious:	false
Reputation:	low
Preview:	x..BP1S5SET5..SH.ACMHIG5.DBS1S5WET5MKSH4ACMHIG5DDBS1S5WET5MK.H4AMR.GG.M.c.0..v.<\>k#:[&1,%i$T**-'.1Pw7![m"=hp..m%&#PjIOY.S5WET5M..H4.BNH..."DBS1S5WE.5OJXI?AC.KIG=DDBS1S+.FT5mKSH.BCMH.G5dDBS3S5SET5MKSH0ACMHIG5DDFS1Q5WET5MIS..AC]HIW5DDBC1S%WET5MKCH4ACMHIG5DD..2SbWET5.HS.1ACMHIG5DDBS1S5WET5M.PH8ACMHIG5DDBS1S5WET5MKSH4ACMHIG5DDBS1S5WET5MKSH4ACMHIG.DDJS1S5WET5MKS@.AC.HIG5DDBS1S5y11M9KSH..@MHiG5D.AS1Q5WET5MKSH4ACMHiG5$j0 C05WE.0MKS.7ACKHIG.GDBS1S5WET5MKS.4A.c:,+Z'DB_1S5W.W5MISH4.@MHIG5DDBS1S5W.T5.KSH4ACMHIG5DDBS1S.TET5MK.H4AAMMI..FD.c0S6WET4MKUH4ACMHIG5DDBS1S5WET5MKSH4ACMHIG5DDBS1S5WET5MKSH4\...}z.?m;12.c.R.H..'..4..HtQ.9G..~.H.....oAG..H.H...Z....0.=H2R.....p)LDJ,.$.\T.X...ni@...N'.O...-..[Qa.....n.....F3k...'..V8(zT=;?-.."+);..F.CS1S5........]9..eJH+pV:....qFM....?CMH-G5D6BS125WE.5MK<H4A-MHI95DD<S1SsWETuMKS.4AChHIGXDDBw1S5)ET5.6\G..$;.5DDBS...g.9........~8.K.&z..Q...oH..G\.4.....J.8}."..R...TI2EFOOMD9yJ....UAP0OLWK8\|M......b.....4....).HACMHIG.DD.S1S..E.5MK.H.A..HIG..D.S.S...T

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.96200754410385
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	RFQ-HL51L05.exe
File size:	1'116'160 bytes
MD5:	254d0303fffb227dde317b5e2bb664ae
SHA1:	f538ce2f5b72eaf0ecfb4a0b4a8af43436c0fb46
SHA256:	78fad406a45c2723861ac043560f4fcbe8ff4df4c5e49e702833944af1220e53
SHA512:	a9ef2d93e73edeac629d4c927c4e439e9e5b5a67e718edc8e638f7a99bb25745335bf633091dfda02ff6df4b21100106d0f48f4e1882e24ed19294c984213203
SSDEEP:	24576:NAHnh+eWsN3skA4RV1Hom2KXMmHa+Lm1ESsb5:sh+ZkldoPK8Ya+6af
TLSH:	75359C3263918336FFAB9D73DB5DB20D56BC6D250123852FD29C2F79A9F01A1122D263
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..

File Icon


Icon Hash:	1a5ada12a98c3689

Static PE Info

General

Entrypoint:	0x42800a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x6629FCF6 [Thu Apr 25 06:49:26 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007FE0E929F1FDh
jmp 00007FE0E9291FB4h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007FE0E929213Ah
cmp edi, eax
jc 00007FE0E929249Eh
bt dword ptr [004C41FCh], 01h
jnc 00007FE0E9292139h
rep movsb
jmp 00007FE0E929244Ch
cmp ecx, 00000080h
jc 00007FE0E9292304h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007FE0E9292140h
bt dword ptr [004BF324h], 01h
jc 00007FE0E9292610h
bt dword ptr [004C41FCh], 00000000h
jnc 00007FE0E92922DDh
test edi, 00000003h
jne 00007FE0E92922EEh
test esi, 00000003h
jne 00007FE0E92922CDh
bt edi, 02h
jnc 00007FE0E929213Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007FE0E9292143h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007FE0E9292195h
bt esi, 03h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD5 build 40629
[RES] VS2013 build 21005
[LNK] VS2013 UPD5 build 40629

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xbc0cc	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc8000	0x461c0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x10f000	0x7134	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4b50	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dfdd	0x8e000	310e36668512d53489c005622bb1b4a9	False	0.5735602580325704	data	6.675248351711057	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2fd8e	0x2fe00	748cf1ab2605ce1fd72d53d912abb68f	False	0.32828818537859006	data	5.763244005758284	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbf000	0x8f74	0x5200	aae9601d920f07080bdfadf43dfeff12	False	0.1017530487804878	data	1.1963819235530628	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc8000	0x461c0	0x46200	861a08688826dbb14bdcf0e8d43f88b9	False	0.7480608010249554	data	7.302403058634704	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x10f000	0x7134	0x7200	f04128ad0f87f42830e4a6cdbc38c719	False	0.7617530153508771	data	6.783955557128661	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc8458	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc8580	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc86a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc87d0	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	English	Great Britain	0.046891636105524666
RT_MENU	0xd8ff8	0x50	data	English	Great Britain	0.9
RT_STRING	0xd9048	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xd95dc	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xd9c68	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xda0f8	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xda6f4	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdad50	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdb1b8	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdb310	0x32964	data			1.0003426574776548
RT_GROUP_ICON	0x10dc74	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x10dc88	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x10dc9c	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x10dcb0	0x14	data	English	Great Britain	1.25
RT_VERSION	0x10dcc4	0x10c	data	English	Great Britain	0.5970149253731343
RT_MANIFEST	0x10ddd0	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 25, 2024 10:38:51.535284996 CEST	49699	587	192.168.2.6	194.36.191.196
Apr 25, 2024 10:38:51.750116110 CEST	587	49699	194.36.191.196	192.168.2.6
Apr 25, 2024 10:38:51.753864050 CEST	49699	587	192.168.2.6	194.36.191.196
Apr 25, 2024 10:38:52.004832029 CEST	587	49699	194.36.191.196	192.168.2.6
Apr 25, 2024 10:38:52.005814075 CEST	49699	587	192.168.2.6	194.36.191.196
Apr 25, 2024 10:38:52.220531940 CEST	587	49699	194.36.191.196	192.168.2.6
Apr 25, 2024 10:38:52.220737934 CEST	49699	587	192.168.2.6	194.36.191.196
Apr 25, 2024 10:38:52.436496973 CEST	587	49699	194.36.191.196	192.168.2.6
Apr 25, 2024 10:38:52.451708078 CEST	49699	587	192.168.2.6	194.36.191.196
Apr 25, 2024 10:38:52.674819946 CEST	587	49699	194.36.191.196	192.168.2.6
Apr 25, 2024 10:38:52.674887896 CEST	587	49699	194.36.191.196	192.168.2.6
Apr 25, 2024 10:38:52.674925089 CEST	587	49699	194.36.191.196	192.168.2.6
Apr 25, 2024 10:38:52.675097942 CEST	49699	587	192.168.2.6	194.36.191.196
Apr 25, 2024 10:38:52.710145950 CEST	49699	587	192.168.2.6	194.36.191.196
Apr 25, 2024 10:38:52.924798012 CEST	587	49699	194.36.191.196	192.168.2.6
Apr 25, 2024 10:38:52.939492941 CEST	49699	587	192.168.2.6	194.36.191.196
Apr 25, 2024 10:38:53.154066086 CEST	587	49699	194.36.191.196	192.168.2.6
Apr 25, 2024 10:38:53.155169964 CEST	49699	587	192.168.2.6	194.36.191.196
Apr 25, 2024 10:38:53.370079994 CEST	587	49699	194.36.191.196	192.168.2.6
Apr 25, 2024 10:38:53.371134043 CEST	49699	587	192.168.2.6	194.36.191.196
Apr 25, 2024 10:38:53.590020895 CEST	587	49699	194.36.191.196	192.168.2.6
Apr 25, 2024 10:38:53.590328932 CEST	49699	587	192.168.2.6	194.36.191.196
Apr 25, 2024 10:38:53.804815054 CEST	587	49699	194.36.191.196	192.168.2.6
Apr 25, 2024 10:38:53.805350065 CEST	49699	587	192.168.2.6	194.36.191.196
Apr 25, 2024 10:38:54.028633118 CEST	587	49699	194.36.191.196	192.168.2.6
Apr 25, 2024 10:38:54.028862953 CEST	49699	587	192.168.2.6	194.36.191.196
Apr 25, 2024 10:38:54.243525028 CEST	587	49699	194.36.191.196	192.168.2.6
Apr 25, 2024 10:38:54.244178057 CEST	49699	587	192.168.2.6	194.36.191.196
Apr 25, 2024 10:38:54.244252920 CEST	49699	587	192.168.2.6	194.36.191.196
Apr 25, 2024 10:38:54.244293928 CEST	49699	587	192.168.2.6	194.36.191.196
Apr 25, 2024 10:38:54.244294882 CEST	49699	587	192.168.2.6	194.36.191.196
Apr 25, 2024 10:38:54.458966970 CEST	587	49699	194.36.191.196	192.168.2.6
Apr 25, 2024 10:38:54.459012032 CEST	587	49699	194.36.191.196	192.168.2.6
Apr 25, 2024 10:38:54.459044933 CEST	587	49699	194.36.191.196	192.168.2.6
Apr 25, 2024 10:38:54.459098101 CEST	587	49699	194.36.191.196	192.168.2.6
Apr 25, 2024 10:38:54.483700991 CEST	587	49699	194.36.191.196	192.168.2.6
Apr 25, 2024 10:38:54.537426949 CEST	49699	587	192.168.2.6	194.36.191.196
Apr 25, 2024 10:40:31.005996943 CEST	49699	587	192.168.2.6	194.36.191.196
Apr 25, 2024 10:40:31.221339941 CEST	587	49699	194.36.191.196	192.168.2.6
Apr 25, 2024 10:40:31.225168943 CEST	49699	587	192.168.2.6	194.36.191.196

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 25, 2024 10:38:50.985814095 CEST	57415	53	192.168.2.6	1.1.1.1
Apr 25, 2024 10:38:51.528414011 CEST	53	57415	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 25, 2024 10:38:50.985814095 CEST	192.168.2.6	1.1.1.1	0x819b	Standard query (0)	mail.cmcapama.top	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 25, 2024 10:38:51.528414011 CEST	1.1.1.1	192.168.2.6	0x819b	No error (0)	mail.cmcapama.top	cmcapama.top		CNAME (Canonical name)	IN (0x0001)	false
Apr 25, 2024 10:38:51.528414011 CEST	1.1.1.1	192.168.2.6	0x819b	No error (0)	cmcapama.top		194.36.191.196	A (IP address)	IN (0x0001)	false

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Apr 25, 2024 10:38:52.004832029 CEST	587	49699	194.36.191.196	192.168.2.6	220-hosting1.nl.hostsailor.com ESMTP Exim 4.96.2 #2 Thu, 25 Apr 2024 10:38:51 +0200 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Apr 25, 2024 10:38:52.005814075 CEST	49699	587	192.168.2.6	194.36.191.196	EHLO 818225
Apr 25, 2024 10:38:52.220531940 CEST	587	49699	194.36.191.196	192.168.2.6	250-hosting1.nl.hostsailor.com Hello 818225 [185.152.66.230] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Apr 25, 2024 10:38:52.220737934 CEST	49699	587	192.168.2.6	194.36.191.196	STARTTLS
Apr 25, 2024 10:38:52.436496973 CEST	587	49699	194.36.191.196	192.168.2.6	220 TLS go ahead

Target ID:	0
Start time:	10:38:47
Start date:	25/04/2024
Path:	C:\Users\user\Desktop\RFQ-HL51L05.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\RFQ-HL51L05.exe"
Imagebase:	0xee0000
File size:	1'116'160 bytes
MD5 hash:	254D0303FFFB227DDE317B5E2BB664AE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2068321175.0000000001260000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2068321175.0000000001260000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000000.00000002.2068321175.0000000001260000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	10:38:48
Start date:	25/04/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\RFQ-HL51L05.exe"
Imagebase:	0x3f0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.3301412264.0000000002729000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.3301412264.00000000026FE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3300590413.00000000007C2000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.3300590413.00000000007C2000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3301412264.00000000026B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.3301412264.00000000026B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	4.1%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	5.6%
Total number of Nodes:	2000
Total number of Limit Nodes:	180

Executed Functions

Function 00EE3B4C Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00EE3B7A
IsDebuggerPresent.KERNEL32 ref: 00EE3B8C
GetFullPathNameW.KERNEL32(00007FFF,?,?,00FA62F8,00FA62E0,?,?), ref: 00EE3BFD

Part of subcall function 00EE7D2C: _memmove.LIBCMT ref: 00EE7D66

Part of subcall function 00EF0A8D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00EE3C26,00FA62F8,?,?,?), ref: 00EF0ACE

SetCurrentDirectoryW.KERNEL32(?), ref: 00EE3C81
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00F993F0,00000010), ref: 00F1D4BC
SetCurrentDirectoryW.KERNEL32(?,00FA62F8,?,?,?), ref: 00F1D4F4
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00F95D40,00FA62F8,?,?,?), ref: 00F1D57A
ShellExecuteW.SHELL32(00000000,?,?), ref: 00F1D581

Part of subcall function 00EE3A58: GetSysColorBrush.USER32(0000000F), ref: 00EE3A62
Part of subcall function 00EE3A58: LoadCursorW.USER32(00000000,00007F00), ref: 00EE3A71
Part of subcall function 00EE3A58: LoadIconW.USER32(00000063), ref: 00EE3A88
Part of subcall function 00EE3A58: LoadIconW.USER32(000000A4), ref: 00EE3A9A
Part of subcall function 00EE3A58: LoadIconW.USER32(000000A2), ref: 00EE3AAC
Part of subcall function 00EE3A58: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00EE3AD2
Part of subcall function 00EE3A58: RegisterClassExW.USER32(?), ref: 00EE3B28

Part of subcall function 00EE39E7: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00EE3A15
Part of subcall function 00EE39E7: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00EE3A36
Part of subcall function 00EE39E7: ShowWindow.USER32(00000000,?,?), ref: 00EE3A4A
Part of subcall function 00EE39E7: ShowWindow.USER32(00000000,?,?), ref: 00EE3A53

Part of subcall function 00EE43DB: _memset.LIBCMT ref: 00EE4401
Part of subcall function 00EE43DB: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00EE44A6

Strings

runas, xrefs: 00F1D575
This is a third-party compiled AutoIt script., xrefs: 00F1D4B4

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas
API String ID: 529118366-3287110873
Opcode ID: b62112d789e7b23219eefcb3f54d3db216325200459f59d6dbf53c5dda32abc5
Instruction ID: ea3203c849b78512f10f98bbbdcab528282f344a3023553077eaa926c2af0e6f
Opcode Fuzzy Hash: b62112d789e7b23219eefcb3f54d3db216325200459f59d6dbf53c5dda32abc5
Instruction Fuzzy Hash: 49512AB190828CAEDF11EBB5DC05EFDBBF8AF05300F145069F461B31A2CA749645EB21

Uniqueness

Uniqueness Score: -1.00%

Function 00EE4FE9 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00EE4EEE,?,?,00000000,00000000), ref: 00EE4FF9
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00EE4EEE,?,?,00000000,00000000), ref: 00EE5010
LoadResource.KERNEL32(?,00000000,?,?,00EE4EEE,?,?,00000000,00000000,?,?,?,?,?,?,00EE4F8F), ref: 00F1DD60
SizeofResource.KERNEL32(?,00000000,?,?,00EE4EEE,?,?,00000000,00000000,?,?,?,?,?,?,00EE4F8F), ref: 00F1DD75
LockResource.KERNEL32(N,?,?,00EE4EEE,?,?,00000000,00000000,?,?,?,?,?,?,00EE4F8F,00000000), ref: 00F1DD88

Strings

N, xrefs: 00F1DD85
SCRIPT, xrefs: 00EE5006

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT$N
API String ID: 3051347437-3852340653
Opcode ID: 6d47fcbd67ded2e25cab306b553bac7bd5bbaece215d489de0e4995dda2024dd
Instruction ID: 3d234680d6686f6e52f96294035df70afa84221f3cf618c30bbbd4e63cc045b7
Opcode Fuzzy Hash: 6d47fcbd67ded2e25cab306b553bac7bd5bbaece215d489de0e4995dda2024dd
Instruction Fuzzy Hash: 87117C76200708BFD7218B66EC58F677BB9EBC9B15F20456CF416D6260DBB1EC049A60

Uniqueness

Uniqueness Score: -1.00%

Function 00EE4AFE Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00EE4B2B

Part of subcall function 00EE7D2C: _memmove.LIBCMT ref: 00EE7D66

GetCurrentProcess.KERNEL32(?,00F6FAEC,00000000,00000000,?), ref: 00EE4BF8
IsWow64Process.KERNEL32(00000000), ref: 00EE4BFF
GetNativeSystemInfo.KERNELBASE(00000000), ref: 00EE4C45
FreeLibrary.KERNEL32(00000000), ref: 00EE4C50
GetSystemInfo.KERNEL32(00000000), ref: 00EE4C81
GetSystemInfo.KERNEL32(00000000), ref: 00EE4C8D

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: 24e644a9022126d64ebc517ecee76d00dde268667fc393fcc2eb417986ba7b3a
Instruction ID: 59fd4e5255f62f7f3abe344f1fc8905ee1dd978b20b69574f4bbbc9e8a4008eb
Opcode Fuzzy Hash: 24e644a9022126d64ebc517ecee76d00dde268667fc393fcc2eb417986ba7b3a
Instruction Fuzzy Hash: F291F37194ABC8DEC731CB6994511EAFFF4AF2A300B544D9DD0CBA3A41D220F948D759

Uniqueness

Uniqueness Score: -1.00%

Function 00F44696 Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00F1E7C1), ref: 00F446A6
FindFirstFileW.KERNELBASE(?,?), ref: 00F446B7
FindClose.KERNEL32(00000000), ref: 00F446C7

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 61409348db10b8e08ee6efba4df6d7b17f8e8a68608ac7d9dcb85b035be0f5dc
Instruction ID: 61957843237b3bb18fce18fd5e01dd7567e7fc503b4c3c3bc1fc0b0ffb991459
Opcode Fuzzy Hash: 61409348db10b8e08ee6efba4df6d7b17f8e8a68608ac7d9dcb85b035be0f5dc
Instruction Fuzzy Hash: 5AE020328104045B4210A738FC4D4EABF5CDE06335F100726FC35D11E0E7F06D54A9D5

Uniqueness

Uniqueness Score: -1.00%

Function 00EEE800 Relevance: 2.4, Strings: 1, Instructions: 1102COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 00F2428C

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: 28c00d0e459145b574f3e83ac5da153cf29af50c16fd2af633e7378c56c3ea15
Instruction ID: 1722fa5eee535ef1ce33d959c1e5d0b3f7764906180d4cd2c82205d92baa32f8
Opcode Fuzzy Hash: 28c00d0e459145b574f3e83ac5da153cf29af50c16fd2af633e7378c56c3ea15
Instruction Fuzzy Hash: 7BA2AD74A04299CFCB24CF9AC880AADB7B1FF49314F249069E906BB351D775ED42DB81

Uniqueness

Uniqueness Score: -1.00%

Function 00EF0B30 Relevance: 57.3, APIs: 27, Strings: 5, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00EF0BBB
timeGetTime.WINMM ref: 00EF0E76
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00EF0FB3
TranslateMessage.USER32(?), ref: 00EF0FC7
DispatchMessageW.USER32(?), ref: 00EF0FD5
Sleep.KERNEL32(0000000A), ref: 00EF0FDF
LockWindowUpdate.USER32(00000000,?,?), ref: 00EF105A
DestroyWindow.USER32 ref: 00EF1066
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00EF1080
Sleep.KERNEL32(0000000A,?,?), ref: 00F252AD
TranslateMessage.USER32(?), ref: 00F2608A
DispatchMessageW.USER32(?), ref: 00F26098
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00F260AC

Strings

@COM_EVENTOBJ, xrefs: 00F2591A
@TRAY_ID, xrefs: 00F25BB9
@GUI_CTRLID, xrefs: 00F25364
@GUI_CTRLHANDLE, xrefs: 00F2540E
@GUI_WINHANDLE, xrefs: 00F253B9

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: Message$DispatchPeekSleepTranslateWindow$DestroyLockTimeUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 4003667617-3242690629
Opcode ID: b54bca183fb8f8a9c7a449e703d38059aab42876768420ecfdac7f64b90e0bb3
Instruction ID: 43d7d39c3df979903e6d32c58b5b0c77352702246a163d0e93066719a4d84107
Opcode Fuzzy Hash: b54bca183fb8f8a9c7a449e703d38059aab42876768420ecfdac7f64b90e0bb3
Instruction Fuzzy Hash: E7B23670608755DFDB24DF24D884BAABBE0FF84704F14491DF58AA7292DB74E844EB82

Uniqueness

Uniqueness Score: -1.00%

Function 00F493DF Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00F491E9: __time64.LIBCMT ref: 00F491F3

Part of subcall function 00EE5045: _fseek.LIBCMT ref: 00EE505D

__wsplitpath.LIBCMT ref: 00F494BE

Part of subcall function 00F0432E: __wsplitpath_helper.LIBCMT ref: 00F0436E

_wcscpy.LIBCMT ref: 00F494D1
_wcscat.LIBCMT ref: 00F494E4
__wsplitpath.LIBCMT ref: 00F49509
_wcscat.LIBCMT ref: 00F4951F
_wcscat.LIBCMT ref: 00F49532

Part of subcall function 00F4922F: _memmove.LIBCMT ref: 00F49268
Part of subcall function 00F4922F: _memmove.LIBCMT ref: 00F49277

_wcscmp.LIBCMT ref: 00F49479

Part of subcall function 00F499BE: _wcscmp.LIBCMT ref: 00F49AAE
Part of subcall function 00F499BE: _wcscmp.LIBCMT ref: 00F49AC1

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00F496DC
_wcsncpy.LIBCMT ref: 00F4974F
DeleteFileW.KERNEL32(?,?), ref: 00F49785
CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00F4979B
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00F497AC
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00F497BE

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: 274a2ed5d8b1e1d533645a82492dd5251cd74682cd37ad69433a77f7fdceb8e3
Instruction ID: 9c471001e517fa0fa4e0bebba127b423d81c3034dced78786af775ed8e93bf1c
Opcode Fuzzy Hash: 274a2ed5d8b1e1d533645a82492dd5251cd74682cd37ad69433a77f7fdceb8e3
Instruction Fuzzy Hash: EDC15CB1E0021DAADF21DF95CC85ADFBBBCEF44314F0040AAF609E6141DB749A84AF65

Uniqueness

Uniqueness Score: -1.00%

Function 00EE3015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 73
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00EE3074
RegisterClassExW.USER32(00000030), ref: 00EE309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00EE30AF
InitCommonControlsEx.COMCTL32(?), ref: 00EE30CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00EE30DC
LoadIconW.USER32(000000A9), ref: 00EE30F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00EE3101

Strings

TaskbarCreated, xrefs: 00EE30A4
+, xrefs: 00EE305D
AutoIt v3 GUI, xrefs: 00EE3090
0, xrefs: 00EE3056

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: a1217cdf7b7a04e51a4964837ed46af844e05b7b3f986c1db907f72a2a2747ed
Instruction ID: 15121b3048fa039ed87d63d3b59188ba9349f7aab04c3512a228e45f8c5e4db9
Opcode Fuzzy Hash: a1217cdf7b7a04e51a4964837ed46af844e05b7b3f986c1db907f72a2a2747ed
Instruction Fuzzy Hash: 5C314BB1845309AFDB40DFA4EC85AC9BBF4FF09310F14452AE590E62A0D3B90589EF51

Uniqueness

Uniqueness Score: -1.00%

Function 00EE3041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00EE3074
RegisterClassExW.USER32(00000030), ref: 00EE309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00EE30AF
InitCommonControlsEx.COMCTL32(?), ref: 00EE30CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00EE30DC
LoadIconW.USER32(000000A9), ref: 00EE30F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00EE3101

Strings

TaskbarCreated, xrefs: 00EE30A4
+, xrefs: 00EE305D
AutoIt v3 GUI, xrefs: 00EE3090
0, xrefs: 00EE3056

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 3f420d7f2283ebb6ec654a83647e32ecca2c2d461611c21dcdc37c8df1e78cff
Instruction ID: d973da633733409320f5535263733a09247ca3634c034cd79d09958fd07a35ff
Opcode Fuzzy Hash: 3f420d7f2283ebb6ec654a83647e32ecca2c2d461611c21dcdc37c8df1e78cff
Instruction Fuzzy Hash: 9721C3B191121CAFDB00DFA4ED89B9DBBF8FB09700F04412AF921E62A0D7B54548AF91

Uniqueness

Uniqueness Score: -1.00%

Function 00EE71EB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00EE4864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00FA62F8,?,00EE37C0,?), ref: 00EE4882

Part of subcall function 00F0074F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00EE72C5), ref: 00F00771

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00EE7308
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00F1ECF1
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00F1ED32
RegCloseKey.ADVAPI32(?), ref: 00F1ED70
_wcscat.LIBCMT ref: 00F1EDC9

Strings

Include, xrefs: 00F1ECE8, 00F1ED29
\, xrefs: 00F1EDEC
Software\AutoIt v3\AutoIt, xrefs: 00EE72FE
\Include\, xrefs: 00EE72C5

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: f5392a7864b3524a0dd0758b3161e82d8c4399e90acc83e238e3db308f61e9a5
Instruction ID: 66035953c748fc69160c00ec06523cb391914f5380f7c7d63abfe3f7fcefbe6d
Opcode Fuzzy Hash: f5392a7864b3524a0dd0758b3161e82d8c4399e90acc83e238e3db308f61e9a5
Instruction Fuzzy Hash: 59716FB15083499EC314EF66EC81E9BBBE8FF95350F40452EF485931A1DB709948EF62

Uniqueness

Uniqueness Score: -1.00%

Function 00EE3A58 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00EE3A62
LoadCursorW.USER32(00000000,00007F00), ref: 00EE3A71
LoadIconW.USER32(00000063), ref: 00EE3A88
LoadIconW.USER32(000000A4), ref: 00EE3A9A
LoadIconW.USER32(000000A2), ref: 00EE3AAC
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00EE3AD2
RegisterClassExW.USER32(?), ref: 00EE3B28

Part of subcall function 00EE3041: GetSysColorBrush.USER32(0000000F), ref: 00EE3074
Part of subcall function 00EE3041: RegisterClassExW.USER32(00000030), ref: 00EE309E
Part of subcall function 00EE3041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00EE30AF
Part of subcall function 00EE3041: InitCommonControlsEx.COMCTL32(?), ref: 00EE30CC
Part of subcall function 00EE3041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00EE30DC
Part of subcall function 00EE3041: LoadIconW.USER32(000000A9), ref: 00EE30F2
Part of subcall function 00EE3041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00EE3101

Strings

#, xrefs: 00EE3B0D
0, xrefs: 00EE3B06
AutoIt v3, xrefs: 00EE3B17

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 43c54062e99eb7ce1fea8ae5f395f026d68a51055e23f92e358b4ef7f6fd6585
Instruction ID: 5a6427d8122f03494e96dc218774ae81d0ef2b52d3a9111261d1faa7c33a1d09
Opcode Fuzzy Hash: 43c54062e99eb7ce1fea8ae5f395f026d68a51055e23f92e358b4ef7f6fd6585
Instruction Fuzzy Hash: B22117B1A0030CAFEF109FA5ED09B9D7BF4FB0A711F04412AE504E62A0D3B65654AF94

Uniqueness

Uniqueness Score: -1.00%

Function 00EE3633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 00EE36D2
KillTimer.USER32(?,00000001), ref: 00EE36FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00EE371F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00EE372A
CreatePopupMenu.USER32 ref: 00EE373E
PostQuitMessage.USER32(00000000), ref: 00EE375F

Strings

TaskbarCreated, xrefs: 00EE3725

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: fa838e77f20bcc1bf651034f128cf615ddf2c32e2cf1932b559d695c81fb9aef
Instruction ID: 668198a860f2bd4c8eab283b3d4807e0fea112ebd93f0589141e98585e416bab
Opcode Fuzzy Hash: fa838e77f20bcc1bf651034f128cf615ddf2c32e2cf1932b559d695c81fb9aef
Instruction Fuzzy Hash: 67412CF220418DBBDF149F75EC0DBBA37A8EB01300F181129F512F72A2CAA59E54B361

Uniqueness

Uniqueness Score: -1.00%

Function 00EE3778 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

/AutoIt3ExecuteScript, xrefs: 00EE38CE
>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 00EE37C0
CMDLINERAW, xrefs: 00EE380D
CMDLINE, xrefs: 00EE3834
/AutoIt3OutputDebug, xrefs: 00EE38A4
/ErrorStdOut, xrefs: 00EE388F
/AutoIt3ExecuteLine, xrefs: 00EE38B9

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
API String ID: 1825951767-3513169116
Opcode ID: 89f01fe4a97bfda67c56e56a853b38d2d462c389ecc8c7025c8d3a4350931638
Instruction ID: 50dd817be948ebd382e692ffe15a17c9af5e57a4eee28b099c6f57256f9d0c99
Opcode Fuzzy Hash: 89f01fe4a97bfda67c56e56a853b38d2d462c389ecc8c7025c8d3a4350931638
Instruction Fuzzy Hash: 37A150B1D1025D9ACF04EBE2DC95AEEB7F8BF14300F04142AF416B7192EB759A09DB60

Uniqueness

Uniqueness Score: -1.00%

Function 011B2660 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 011B2731
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 011B2957

Memory Dump Source

Source File: 00000000.00000002.2068180092.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11b0000_RFQ-HL51L05.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: 30e8af4b53c3aa052917812e21e5e8fbde56ed90f0e39d50c947676a587081b9
Instruction ID: babf637cc3fec6315e4a947c5a963987453bdbe611f26a0ed76dc5fe3a5047e1
Opcode Fuzzy Hash: 30e8af4b53c3aa052917812e21e5e8fbde56ed90f0e39d50c947676a587081b9
Instruction Fuzzy Hash: 47A10B74E00209EBDB18CFA4C894BEEBBB5FF48304F208559E515BB280D775AA45CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00EE39E7 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00EE3A15
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00EE3A36
ShowWindow.USER32(00000000,?,?), ref: 00EE3A4A
ShowWindow.USER32(00000000,?,?), ref: 00EE3A53

Strings

edit, xrefs: 00EE3A30
AutoIt v3, xrefs: 00EE3A0D, 00EE3A12, 00EE3A13

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: b7adfcf76a430895676e55d45457702b02d2020454704b22be5785c40454fc3f
Instruction ID: 36920e884d6180da6394871a1e6d45aab6d56e428431732a2ad3b77e6aa81022
Opcode Fuzzy Hash: b7adfcf76a430895676e55d45457702b02d2020454704b22be5785c40454fc3f
Instruction Fuzzy Hash: 87F03AB06102987EEF3017237C08F273EBDD7C7F50B04002AB900E2170C6A50800FAB0

Uniqueness

Uniqueness Score: -1.00%

Function 011B2410 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 151
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 011B2300: Sleep.KERNELBASE(000001F4), ref: 011B2311

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 011B254D

Strings

5DDBS1S5WET5MKSH4ACMHIG, xrefs: 011B25B0, 011B25B3

Memory Dump Source

Source File: 00000000.00000002.2068180092.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11b0000_RFQ-HL51L05.jbxd

Similarity

API ID: CreateFileSleep
String ID: 5DDBS1S5WET5MKSH4ACMHIG
API String ID: 2694422964-2418774687
Opcode ID: 6665b4a4c06d1f112903364188da20fecc1e8b772625641b2e3368c3952ec3d9
Instruction ID: 27ff81de59d5c1e22ee82bb42e2b0ee68071606c0379554889d12bb779e96a3b
Opcode Fuzzy Hash: 6665b4a4c06d1f112903364188da20fecc1e8b772625641b2e3368c3952ec3d9
Instruction Fuzzy Hash: 0E51E530D04288DAEF15CBB4C854BDFBB74AF18304F004198E209BB2C1DBB91B48CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00EE410D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00F1D5EC

Part of subcall function 00EE7D2C: _memmove.LIBCMT ref: 00EE7D66

_memset.LIBCMT ref: 00EE418D
_wcscpy.LIBCMT ref: 00EE41E1
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00EE41F1

Strings

Line: , xrefs: 00F1D615

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: 27516f3db496bdfcda800062e0ec4589076d4a446933005c2efd6bba92af8600
Instruction ID: 4c96fc01b562fb5e2e9247c78e69f0189cd93fff686b707ff80919fb07f6c251
Opcode Fuzzy Hash: 27516f3db496bdfcda800062e0ec4589076d4a446933005c2efd6bba92af8600
Instruction Fuzzy Hash: 9431DFB100938CAAEB21EB61DC46BDB77ECAF45304F14551EF194A20E1EF74A688D793

Uniqueness

Uniqueness Score: -1.00%

Function 00F0564D Relevance: 7.7, APIs: 5, Instructions: 163
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 00F056AB
_memcpy_s.LIBCMT ref: 00F0571D
__read_nolock.LIBCMT ref: 00F0577B
__filbuf.LIBCMT ref: 00F0579E
_memset.LIBCMT ref: 00F057E2

Part of subcall function 00F08D68: __getptd_noexit.LIBCMT ref: 00F08D68

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
Instruction ID: e0334fb44fb9f18431f55dce1a1520a9bc3e8fa8851ffb39ec1ef5dc8d4585f1
Opcode Fuzzy Hash: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
Instruction Fuzzy Hash: 32519E31E00B09DBDB248EA988806AF77A5AF40B30F648729E829962D0D7F59D51BF50

Uniqueness

Uniqueness Score: -1.00%

Function 00EE69CA Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 00EE4F3D: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00FA62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00EE4F6F

_free.LIBCMT ref: 00F1E68C
_free.LIBCMT ref: 00F1E6D3

Part of subcall function 00EE6BEC: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00EE6D0D

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00F1E462
Bad directive syntax error, xrefs: 00F1E6BB

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: 20e0f4c12a08cdd6daacdd1f3cd7eb49d381be9ab440430bd99cef939a65d434
Instruction ID: c6f86add0f89f24321146add8a8ae8d17063baf830118d117609ed361bdc57ab
Opcode Fuzzy Hash: 20e0f4c12a08cdd6daacdd1f3cd7eb49d381be9ab440430bd99cef939a65d434
Instruction Fuzzy Hash: 9A917D71A10259EFCF04EFA5CC919EDB7B5FF18314F44442AF815AB2A1EB349944EB60

Uniqueness

Uniqueness Score: -1.00%

Function 00EE35B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00EE35A1,SwapMouseButtons,00000004,?), ref: 00EE35D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00EE35A1,SwapMouseButtons,00000004,?,?,?,?,00EE2754), ref: 00EE35F5
RegCloseKey.KERNELBASE(00000000,?,?,00EE35A1,SwapMouseButtons,00000004,?,?,?,?,00EE2754), ref: 00EE3617

Strings

Control Panel\Mouse, xrefs: 00EE35D2

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 397eab22b4e4538452d477a171b53f09ac99c8090db8c5565b6c4f0b8296b49c
Instruction ID: 8e86be9755432757d3a269296389a3b1f1a487077fbfeabf98681f700ed9b842
Opcode Fuzzy Hash: 397eab22b4e4538452d477a171b53f09ac99c8090db8c5565b6c4f0b8296b49c
Instruction Fuzzy Hash: 3511487191024DBFDB20CFB5EC489EEBBB8EF05744F0164A9E805E7210D2719E44A760

Uniqueness

Uniqueness Score: -1.00%

Function 011B1300 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 011B1B2D
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 011B1B51
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 011B1B73

Memory Dump Source

Source File: 00000000.00000002.2068180092.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11b0000_RFQ-HL51L05.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: e8e7a77c1c38f92167ec50984bffac71589908538948dc0fdf133907e09ee162
Instruction ID: 367b41808973d0e8da63293dc3d6433257a1eed02a7b2b75a5b83fa19612143e
Opcode Fuzzy Hash: e8e7a77c1c38f92167ec50984bffac71589908538948dc0fdf133907e09ee162
Instruction Fuzzy Hash: CA620C30A14258DBEB28CFA4D890BDEB772EF58300F1095A9D10DEB394E7759E81CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00F497E5 Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00EE5045: _fseek.LIBCMT ref: 00EE505D

Part of subcall function 00F499BE: _wcscmp.LIBCMT ref: 00F49AAE
Part of subcall function 00F499BE: _wcscmp.LIBCMT ref: 00F49AC1

_free.LIBCMT ref: 00F4992C
_free.LIBCMT ref: 00F49933
_free.LIBCMT ref: 00F4999E

Part of subcall function 00F02F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00F09C64), ref: 00F02FA9
Part of subcall function 00F02F95: GetLastError.KERNEL32(00000000,?,00F09C64), ref: 00F02FBB

_free.LIBCMT ref: 00F499A6

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: d9ae0c5d453641694606f69828c3ed73b5fd5779769f00272cc49afe01aba135
Instruction ID: de63571fd1cf6a0c222fcc179ce3c9fea8e343f28fa822d5a0b89f9c204ce65c
Opcode Fuzzy Hash: d9ae0c5d453641694606f69828c3ed73b5fd5779769f00272cc49afe01aba135
Instruction Fuzzy Hash: 355172B1E04258AFDF249F65DC45A9EBBB9EF48310F0004AEF609A7241DB755E80DF58

Uniqueness

Uniqueness Score: -1.00%

Function 00F0493A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00F049D0
__flush.LIBCMT ref: 00F049F0
__write.LIBCMT ref: 00F04A23
__flsbuf.LIBCMT ref: 00F04A51

Part of subcall function 00F08D68: __getptd_noexit.LIBCMT ref: 00F08D68

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
Instruction ID: 5420d6fd43d922079ca202577af9799b79c3a8ab32c217c5d9db3fbaab7ccb2d
Opcode Fuzzy Hash: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
Instruction Fuzzy Hash: 3E41D6B1B006069BDF28CEA9C88096F77A6EF84360B24813DEA55C76D0D774BD41BB44

Uniqueness

Uniqueness Score: -1.00%

Function 00EE73E5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F1EE62
GetOpenFileNameW.COMDLG32(?), ref: 00F1EEAC

Part of subcall function 00EE48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00EE48A1,?,?,00EE37C0,?), ref: 00EE48CE

Part of subcall function 00F009D5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00F009F4

Strings

X, xrefs: 00F1EE7A

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: 92e8e56daebc7cdfa3d3cbc928d732b6a4d62a36ee1b9b348436908b9a13bff0
Instruction ID: 79ad09f54b8748c73385fe01fc391e2826aaf569c9603635a208c5b578a3bb24
Opcode Fuzzy Hash: 92e8e56daebc7cdfa3d3cbc928d732b6a4d62a36ee1b9b348436908b9a13bff0
Instruction Fuzzy Hash: FD21C67190429C9BDF11DF94CC457EE7BF89F49314F00401AE409F7282DBF859899B91

Uniqueness

Uniqueness Score: -1.00%

Function 00F4901B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00F49036
__fread_nolock.LIBCMT ref: 00F4904B

Strings

EA06, xrefs: 00F4907D

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: 2a2833aff74a7718adc8a1b5c68ecb9d5f03fa6a955ed30d939b7b100ef5d1f7
Instruction ID: 00356f110727fcc2786d9814823a8bdac5ff6e4c0f90d7a1e18a06afa261e393
Opcode Fuzzy Hash: 2a2833aff74a7718adc8a1b5c68ecb9d5f03fa6a955ed30d939b7b100ef5d1f7
Instruction Fuzzy Hash: 2A01BE719042586EDB24C7A8CC56FEE7BFC9B15711F00415AF552D21C1D5B9E604EB60

Uniqueness

Uniqueness Score: -1.00%

Function 00F49B6D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00F49B82
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00F49B99

Strings

aut, xrefs: 00F49B93

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 2b6dc7407cd7e0ade702beddb796b6d27f8211ffd729e71de61732742993d671
Instruction ID: d176e1f0e4619979a12102dd064efb74ca27ab688d8ccb735f4e27673638f1f3
Opcode Fuzzy Hash: 2b6dc7407cd7e0ade702beddb796b6d27f8211ffd729e71de61732742993d671
Instruction Fuzzy Hash: DFD05E7954030DABDB10DBA4EC0EF9A772CE704704F0042A1FE64910A1DEF0959C9FD2

Uniqueness

Uniqueness Score: -1.00%

Function 00F5CDF1 Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17562af527d9d858f38849f4903d303c981da926a6e2dfbd070da0a6a9724ac9
Instruction ID: dbceecea21a4ad37fb40bf1c37a66e0c3cfa7d4deec7f929c7e7a69e34c2072b
Opcode Fuzzy Hash: 17562af527d9d858f38849f4903d303c981da926a6e2dfbd070da0a6a9724ac9
Instruction Fuzzy Hash: CBF17D719083459FC724DF28C880A6ABBE5FF88314F14892DF9999B352D735E946CF82

Uniqueness

Uniqueness Score: -1.00%

Function 00EEF8CF Relevance: 4.7, APIs: 3, Instructions: 168comCOMMON

Download Yara Rule

APIs

Part of subcall function 00F003A2: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00F003D3
Part of subcall function 00F003A2: MapVirtualKeyW.USER32(00000010,00000000), ref: 00F003DB
Part of subcall function 00F003A2: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00F003E6
Part of subcall function 00F003A2: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00F003F1
Part of subcall function 00F003A2: MapVirtualKeyW.USER32(00000011,00000000), ref: 00F003F9
Part of subcall function 00F003A2: MapVirtualKeyW.USER32(00000012,00000000), ref: 00F00401

Part of subcall function 00EF6259: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00EEFA90), ref: 00EF62B4

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00EEFB2D
OleInitialize.OLE32(00000000), ref: 00EEFBAA
CloseHandle.KERNEL32(00000000), ref: 00F249F2

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 1baf923e071c6a0a4ccd9acb00c020a6dc704d53bcac894f89e44d5dbccfcff6
Instruction ID: fcaeaa7d2fb4c5f3e6716fdf46132fa48d537907a2bbe615fa7d962903b99d12
Opcode Fuzzy Hash: 1baf923e071c6a0a4ccd9acb00c020a6dc704d53bcac894f89e44d5dbccfcff6
Instruction Fuzzy Hash: 5081A8F49142888FCB84DF3AE9546157BE4FB9E308718813AD829C73A2EB754409BF61

Uniqueness

Uniqueness Score: -1.00%

Function 00EE43DB Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00EE4401
Shell_NotifyIconW.SHELL32(00000000,?), ref: 00EE44A6
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00EE44C3

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: 4dd0f4624a8749d990d7aa665853d1ec6fa193001ce304cdd28f30ef66c79dbf
Instruction ID: 5190520f007847e1c9daf2b894a0e0b325acc3f7dcbb4511b3cd2e46bb8d3236
Opcode Fuzzy Hash: 4dd0f4624a8749d990d7aa665853d1ec6fa193001ce304cdd28f30ef66c79dbf
Instruction Fuzzy Hash: 363180F06053458FD720DF25D884797BBE8BB49308F04092EF59AD32D0D7B56948DB52

Uniqueness

Uniqueness Score: -1.00%

Function 00F0594C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00F05963

Part of subcall function 00F0A3AB: __NMSG_WRITE.LIBCMT ref: 00F0A3D2
Part of subcall function 00F0A3AB: __NMSG_WRITE.LIBCMT ref: 00F0A3DC

__NMSG_WRITE.LIBCMT ref: 00F0596A

Part of subcall function 00F0A408: GetModuleFileNameW.KERNEL32(00000000,00FA43BA,00000104,?,00000001,00000000), ref: 00F0A49A
Part of subcall function 00F0A408: ___crtMessageBoxW.LIBCMT ref: 00F0A548

Part of subcall function 00F032DF: ___crtCorExitProcess.LIBCMT ref: 00F032E5
Part of subcall function 00F032DF: ExitProcess.KERNEL32 ref: 00F032EE

Part of subcall function 00F08D68: __getptd_noexit.LIBCMT ref: 00F08D68

RtlAllocateHeap.NTDLL(012A0000,00000000,00000001,00000000,?,?,?,00F01013,?), ref: 00F0598F

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 0b7a3cf9a3fd142a18690edc1b3610ddbbc8e4750f9df6c31f81ec7e60b2cd74
Instruction ID: c9ec42a83c82df714ebc1e770bd5cea724a648fa56fa3fea2b5093d622019f25
Opcode Fuzzy Hash: 0b7a3cf9a3fd142a18690edc1b3610ddbbc8e4750f9df6c31f81ec7e60b2cd74
Instruction Fuzzy Hash: D901F536601B1ADEE6112B64EC42B3F73988F82F70F50013AF4019A1D1DEF49D01BA60

Uniqueness

Uniqueness Score: -1.00%

Function 00F49B2C Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00F497D2,?,?,?,?,?,00000004), ref: 00F49B45
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00F497D2,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00F49B5B
CloseHandle.KERNEL32(00000000,?,00F497D2,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00F49B62

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 5f8c5e1954a2adb2806d5049622ecbf742181edf122e9fc38db957d399176abf
Instruction ID: a821c9c0d7c8aea3f7cea8dda9f69a67c8faf795cf62570b83550f16a459681f
Opcode Fuzzy Hash: 5f8c5e1954a2adb2806d5049622ecbf742181edf122e9fc38db957d399176abf
Instruction Fuzzy Hash: AEE08632681218B7D7211B54FC0AFCA7F58EB067B1F104220FB74691E087F12A15A798

Uniqueness

Uniqueness Score: -1.00%

Function 00F48F97 Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00F48FA5

Part of subcall function 00F02F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00F09C64), ref: 00F02FA9
Part of subcall function 00F02F95: GetLastError.KERNEL32(00000000,?,00F09C64), ref: 00F02FBB

_free.LIBCMT ref: 00F48FB6
_free.LIBCMT ref: 00F48FC8

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: efa5cfa9b1b2f41bce9affd07bef402890ef9bb67adc050918c04926c1923072
Instruction ID: 23cdac53749a8cc4c995e90e88e86efefca7134802f27cfa5279a7c71cb649ea
Opcode Fuzzy Hash: efa5cfa9b1b2f41bce9affd07bef402890ef9bb67adc050918c04926c1923072
Instruction Fuzzy Hash: 56E012A1B097024ACA64A578AD44A976BEE5F483F1758081DBC19DB186DE28E846B134

Uniqueness

Uniqueness Score: -1.00%

Function 00EEAB23 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 00F2002B

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: e0dc48eb1c5e94cd3c1e4a920d2c0bb55a63e51e6eed24c834f71e6237caaa91
Instruction ID: e29a2e16ec996d5021afc2a1c14b7f50b1181d4bf5abd3e3d468b60d2d866552
Opcode Fuzzy Hash: e0dc48eb1c5e94cd3c1e4a920d2c0bb55a63e51e6eed24c834f71e6237caaa91
Instruction Fuzzy Hash: A5226B71508395CFC724DF15C890B6AB7E1BF84304F18996DE886AB362DB35EC85DB82

Uniqueness

Uniqueness Score: -1.00%

Function 00EE4DD0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00EE4E1A

Strings

EA06, xrefs: 00F1DCF5

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: _memmove
String ID: EA06
API String ID: 4104443479-3962188686
Opcode ID: 5af7595ef66e7c0d056ccbd21ed53be11894722e796c9dcb1328ca549d2ef427
Instruction ID: 80b493b85dcbbca2b12c763c84c461afef1a9dfe9f55b22a5296578d1707a7a3
Opcode Fuzzy Hash: 5af7595ef66e7c0d056ccbd21ed53be11894722e796c9dcb1328ca549d2ef427
Instruction Fuzzy Hash: 89415CB2A041DC5BCF215B668C517FE7FA6AB05304F286065F882BF2D2C6619D44D3E1

Uniqueness

Uniqueness Score: -1.00%

Function 00EE492E Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00EE4992

Part of subcall function 00F035AC: __lock.LIBCMT ref: 00F035B2
Part of subcall function 00F035AC: DecodePointer.KERNEL32(00000001,?,00EE49A7,00F381BC), ref: 00F035BE
Part of subcall function 00F035AC: EncodePointer.KERNEL32(?,?,00EE49A7,00F381BC), ref: 00F035C9

Part of subcall function 00EE4A5B: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00EE4A73
Part of subcall function 00EE4A5B: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00EE4A88

Part of subcall function 00EE3B4C: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00EE3B7A
Part of subcall function 00EE3B4C: IsDebuggerPresent.KERNEL32 ref: 00EE3B8C
Part of subcall function 00EE3B4C: GetFullPathNameW.KERNEL32(00007FFF,?,?,00FA62F8,00FA62E0,?,?), ref: 00EE3BFD
Part of subcall function 00EE3B4C: SetCurrentDirectoryW.KERNEL32(?), ref: 00EE3C81

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00EE49D2

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: 14dec5c7c23650efe6f8e5ecc35d9cee68760a7f4c55b8a0fa9cee931b5ec1c5
Instruction ID: f25660c524a385374e20ead403d597379481f8c4fa5f442d32dd6f01eacc9b64
Opcode Fuzzy Hash: 14dec5c7c23650efe6f8e5ecc35d9cee68760a7f4c55b8a0fa9cee931b5ec1c5
Instruction Fuzzy Hash: 9911CDB19083499BC700EF2AEC0590AFBF8EF9A710F00452EF455932B2DBB18544EB92

Uniqueness

Uniqueness Score: -1.00%

Function 00EE5DF9 Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000,?,00EE5981,?,?,?,?), ref: 00EE5E27
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000000,?,00EE5981,?,?,?,?), ref: 00F1E19C

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: fc6e65d5d382b9cd228af2e3ca6e57d6767a9479db3a008118a9d9229d9350ff
Instruction ID: 8ca4436e553625b3f4da36ad68417641cdee3ce108eb1a05ca9d2bf6c822031e
Opcode Fuzzy Hash: fc6e65d5d382b9cd228af2e3ca6e57d6767a9479db3a008118a9d9229d9350ff
Instruction Fuzzy Hash: BC01927124474CBEF3240E25DC8AFA63BDCAB0176CF108318FAE56A1E0C6B01E499B50

Uniqueness

Uniqueness Score: -1.00%

Function 00F00FF6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00F0594C: __FF_MSGBANNER.LIBCMT ref: 00F05963
Part of subcall function 00F0594C: __NMSG_WRITE.LIBCMT ref: 00F0596A
Part of subcall function 00F0594C: RtlAllocateHeap.NTDLL(012A0000,00000000,00000001,00000000,?,?,?,00F01013,?), ref: 00F0598F

std::exception::exception.LIBCMT ref: 00F0102C
__CxxThrowException@8.LIBCMT ref: 00F01041

Part of subcall function 00F087DB: RaiseException.KERNEL32(?,?,?,00F9BAF8,00000000,?,?,?,?,00F01046,?,00F9BAF8,?,00000001), ref: 00F08830

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: 7238a2e06a0d7a5c2a67fb32ca64424e616f9aacf936e2871a89f699bcec1ad3
Instruction ID: cdd8b2acfaa726a9e88b05150fe91523ee4dc954a24ec9063ff2429c947c52c9
Opcode Fuzzy Hash: 7238a2e06a0d7a5c2a67fb32ca64424e616f9aacf936e2871a89f699bcec1ad3
Instruction Fuzzy Hash: 47F0A435900319A6DB21AB58ED059EF7BACEF00361F104426F888966D2DFB58A81B691

Uniqueness

Uniqueness Score: -1.00%

Function 00F0582D Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F0585C
__lock_file.LIBCMT ref: 00F0587D

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: ed7fb55f1006339a0c276be710228f8ba19b8a88a1d99f9adb153351e1955450
Instruction ID: 471948b57a5cc82583ab73e2c31c8a2a93c36e353e7c26fd8d0bd2e31d4376ac
Opcode Fuzzy Hash: ed7fb55f1006339a0c276be710228f8ba19b8a88a1d99f9adb153351e1955450
Instruction Fuzzy Hash: 68014871C41619EBCF21AF658C0559F7BA1AF80760F148215FC145B1E1DB75CA22FF51

Uniqueness

Uniqueness Score: -1.00%

Function 00F055D6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00F08D68: __getptd_noexit.LIBCMT ref: 00F08D68

__lock_file.LIBCMT ref: 00F0561B

Part of subcall function 00F06E4E: __lock.LIBCMT ref: 00F06E71

__fclose_nolock.LIBCMT ref: 00F05626

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: ff3a807ada12711e931fce45ea819d07f424ee0d65f8f650a2ebb5dc28ef8cd7
Instruction ID: 519af771567395ecd352a18c0ece0e1554311a785acf1bac0b5febfec7dafdab
Opcode Fuzzy Hash: ff3a807ada12711e931fce45ea819d07f424ee0d65f8f650a2ebb5dc28ef8cd7
Instruction Fuzzy Hash: 30F09072901A059ADB20AB758C0276F77A16F40B74F558209A465AB1C1CFBC8902BF55

Uniqueness

Uniqueness Score: -1.00%

Function 011B12FD Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 011B1B2D
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 011B1B51
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 011B1B73

Memory Dump Source

Source File: 00000000.00000002.2068180092.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11b0000_RFQ-HL51L05.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 45c0bcdfd50c24934144be52d4489c8f4aeee23b26077383fd0484b0fd6f3e51
Instruction ID: 8aeb8eb13c744fb5760a411785ec3767ed601e3a70a17ec3f1455407ced34c0c
Opcode Fuzzy Hash: 45c0bcdfd50c24934144be52d4489c8f4aeee23b26077383fd0484b0fd6f3e51
Instruction Fuzzy Hash: 2B12DE24E24658C6EB24DF64D8507DEB232FF68300F1090E9D10DEB7A4E77A4E81CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00EF2123 Relevance: 1.7, APIs: 1, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11eb8e0689f572cd32cf627276f30e91c60709e7de24853b7c7b087070686419
Instruction ID: 7aafaf8bcac045db7907953ee28bbed9705184264c65ca52e7f1df736a3a136d
Opcode Fuzzy Hash: 11eb8e0689f572cd32cf627276f30e91c60709e7de24853b7c7b087070686419
Instruction Fuzzy Hash: D8518035600618AFCF14EB54C991FBE77E5AF85324F149068F946BB292CB34ED00EB55

Uniqueness

Uniqueness Score: -1.00%

Function 00EE5C4E Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000000,?,?,00000000), ref: 00EE5CF6

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 7747b82e57a9cc4f1ec823ce282c7ac2948fa53468cdd8cce965615a49ccf5a9
Instruction ID: 9e090f3b438972f49b35ef567a4025fd57633aeac03c891f9cdb06dd482d5285
Opcode Fuzzy Hash: 7747b82e57a9cc4f1ec823ce282c7ac2948fa53468cdd8cce965615a49ccf5a9
Instruction Fuzzy Hash: 01314D72A00B49AFCB18DF6EC8946ADF7B5FF48318F248629D819A3710D771B950DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00F200D6 Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00F200E1

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 5a4972d619576a6926ea742e0eb757058ffad1d9405554f31d906106bbc4cef1
Instruction ID: 7aa6945fa3ded69cf2e6e538daf682be8802e253cd30814141c03db737309844
Opcode Fuzzy Hash: 5a4972d619576a6926ea742e0eb757058ffad1d9405554f31d906106bbc4cef1
Instruction Fuzzy Hash: BE411674904395CFDB24DF15C884B1ABBE0BF45318F0988ACE8995B362C736E885DB52

Uniqueness

Uniqueness Score: -1.00%

Function 00EE79AB Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00EE79F9

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 64602025b210a69d44d795642d596fdfc93abb49ffaa1266944914acc7b2a18e
Instruction ID: 62d7d2aae6a4319bdb881285d055fc6c54fe07cb96461a7a61469fced743ba9f
Opcode Fuzzy Hash: 64602025b210a69d44d795642d596fdfc93abb49ffaa1266944914acc7b2a18e
Instruction Fuzzy Hash: 23110631209149AFD714DF19C881C7EB3A8EF45324724952AF859EB2A1DB32EC11C7D0

Uniqueness

Uniqueness Score: -1.00%

Function 00EE4F3D Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE4D13: FreeLibrary.KERNEL32(00000000,?), ref: 00EE4D4D

Part of subcall function 00F0548B: __wfsopen.LIBCMT ref: 00F05496

LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00FA62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00EE4F6F

Part of subcall function 00EE4CC8: FreeLibrary.KERNEL32(00000000), ref: 00EE4D02

Part of subcall function 00EE4DD0: _memmove.LIBCMT ref: 00EE4E1A

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: b8df79efdafda9600ede7ef960f3e58ed2236cdeb004d0f677d77c93bfbfed57
Instruction ID: 5f485557af25196260e80f0fb6643050f95d627698fde2e5287e555047200613
Opcode Fuzzy Hash: b8df79efdafda9600ede7ef960f3e58ed2236cdeb004d0f677d77c93bfbfed57
Instruction Fuzzy Hash: E411E772B0020DAACB10FF71DC12FAE77E89F40B10F249429F541B72C1DAB59A05EB50

Uniqueness

Uniqueness Score: -1.00%

Function 00F201AF Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00F201BB

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 3f1722ac1be730adb0ffcc617fbcf1a0658359975c39184eb41526367266d30a
Instruction ID: ffdf9a0445584c1d28cffd6cbf57c51ead4b3278186d95567dbe7c9b5605ff14
Opcode Fuzzy Hash: 3f1722ac1be730adb0ffcc617fbcf1a0658359975c39184eb41526367266d30a
Instruction Fuzzy Hash: 7E2124B4508395CFDB14DF54C844B1ABBE0BF84304F09896CE89A67762D731F849DB52

Uniqueness

Uniqueness Score: -1.00%

Function 00EE5D20 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,00010000,?,00000000,00000000,?,00010000,?,00EE5807,00000000,00010000,00000000,00000000,00000000,00000000), ref: 00EE5D76

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 869b615e372ff4641b68a0bcbbc454b69c3af90d6e8fd9de4ab1fd4c1a6f0a1a
Instruction ID: 1cd5e0a3111b59030bcacac980ac9b039ea3943fdbfc447ccba8dc7ae08a0a65
Opcode Fuzzy Hash: 869b615e372ff4641b68a0bcbbc454b69c3af90d6e8fd9de4ab1fd4c1a6f0a1a
Instruction Fuzzy Hash: B6113A32200B499FD3308F16C884B63B7E9EF45768F10D92EE4AA96A50D7B0E945CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00F04A93 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 00F04AD6

Part of subcall function 00F08D68: __getptd_noexit.LIBCMT ref: 00F08D68

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: 455a56d8e70b34a64fbd0ecf7a10d0258985a6fd565052c28ed2f9b21ade7ab7
Instruction ID: 4eb5dee28122bb26462e549378d602e2930912af1799a7c4d4aa96d54536dc08
Opcode Fuzzy Hash: 455a56d8e70b34a64fbd0ecf7a10d0258985a6fd565052c28ed2f9b21ade7ab7
Instruction Fuzzy Hash: BEF0AFB1A40209ABDF61BF74CC0639E36A1AF40366F448524F524AA1D1CB7C9A61FF55

Uniqueness

Uniqueness Score: -1.00%

Function 00EE4FAA Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00FA62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00EE4FDE

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: ea9236f601cdfc972fa81001df09fc8f04aa615ccf656428c6e2a5c56e0b69bc
Instruction ID: 51efaa8ba60b9afd00d53095e679fed73e2a909a2606d5779bda5d434e4739da
Opcode Fuzzy Hash: ea9236f601cdfc972fa81001df09fc8f04aa615ccf656428c6e2a5c56e0b69bc
Instruction Fuzzy Hash: C4F065B1205755CFC7349F65E894852BBF1BF0472D324AA3EE1D792650C7719844DF50

Uniqueness

Uniqueness Score: -1.00%

Function 00F009D5 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00F009F4

Part of subcall function 00EE7D2C: _memmove.LIBCMT ref: 00EE7D66

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: 23956af6ce0b82afef24d1ebe52788c84e21f94fa2e2e07110f5b0d32f902914
Instruction ID: 1d35893ec30e404f90f1a9476fd14425547618ffc3c16c618bddd00c66b6692f
Opcode Fuzzy Hash: 23956af6ce0b82afef24d1ebe52788c84e21f94fa2e2e07110f5b0d32f902914
Instruction Fuzzy Hash: C8E0CD7690422C57C720D6589C05FFA77EDDFC9790F0501B5FD4CD7304D9A49C818690

Uniqueness

Uniqueness Score: -1.00%

Function 00F49129 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00F4914B

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
Instruction ID: 89687b4d1b2a0bd3aba7dc5a501e56f821b73b3a2a8484750ab5728ea30c112f
Opcode Fuzzy Hash: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
Instruction Fuzzy Hash: 7FE092B0608B005FEB348A24D8107E377E0AB06325F00081DF69A83341EBA27841DB59

Uniqueness

Uniqueness Score: -1.00%

Function 00EE5DAE Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001,?,?,?,00F1E16B,?,?,00000000), ref: 00EE5DBF

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 4010094197a08bc98aac9eafcbcae97231105ce52ef1739ebdcd82c2b5af14b4
Instruction ID: 7ccf2c3a9c2311e00df89cf735c16914bd7e5a5e9257127dcbab22bbf5619bbc
Opcode Fuzzy Hash: 4010094197a08bc98aac9eafcbcae97231105ce52ef1739ebdcd82c2b5af14b4
Instruction Fuzzy Hash: 6CD0C77464420CBFE710DB80DC46FA9777CD705710F100294FD0456290D6F27D549795

Uniqueness

Uniqueness Score: -1.00%

Function 00F0548B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00F05496

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: 9108cdabbb3d3ff1c8815388d4a48d96517612bbfa68151298dc0d000dc12ca1
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: 71B09B7544010C77DE011D81EC02A557B195740674F404010FB0C18161957795606585

Uniqueness

Uniqueness Score: -1.00%

Function 00F4D2E6 Relevance: 1.4, APIs: 1, Instructions: 198COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000002,00000000), ref: 00F4D46A

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 38c7327054217f659c290f58a24d81f951f2872618916379841b849bde040746
Instruction ID: 07a050d0fa069a14abb4489c4111acae3d1a1f49922a64ec222402c81553b60c
Opcode Fuzzy Hash: 38c7327054217f659c290f58a24d81f951f2872618916379841b849bde040746
Instruction Fuzzy Hash: 237192316043468FC714EF25D491A6EBBE0AF88314F04596DF89A9B3A2DF30ED49DB52

Uniqueness

Uniqueness Score: -1.00%

Function 00F00E48 Relevance: 1.3, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00F00EF7

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: f6701cd915cd5ad86accef64c5f9bc0d8f3a3d42b0d1c7a4591ec735283a2013
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 6431B371A00106DBC718DF58D480A69F7A6FF59310F648AA5E409DB692DB31EDC1EB80

Uniqueness

Uniqueness Score: -1.00%

Function 011B2300 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 011B2311

Memory Dump Source

Source File: 00000000.00000002.2068180092.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11b0000_RFQ-HL51L05.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 1b3b37b187a7bad8b40964760711d7e41585ffa4d67577072549f1f7a11af185
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: BDE0BF7494510D9FDB00EFB4D54969E7BB4EF04301F100661FD0192281D73099508A62

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00F6CDAC Relevance: 74.1, APIs: 40, Strings: 2, Instructions: 637windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE2612: GetWindowLongW.USER32(?,000000EB), ref: 00EE2623

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00F6CE50
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00F6CE91
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00F6CED6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00F6CF00
SendMessageW.USER32 ref: 00F6CF29
_wcsncpy.LIBCMT ref: 00F6CFA1
GetKeyState.USER32(00000011), ref: 00F6CFC2
GetKeyState.USER32(00000009), ref: 00F6CFCF
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00F6CFE5
GetKeyState.USER32(00000010), ref: 00F6CFEF
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00F6D018
SendMessageW.USER32 ref: 00F6D03F
SendMessageW.USER32(?,00001030,?,00F6B602), ref: 00F6D145
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00F6D15B
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00F6D16E
SetCapture.USER32(?), ref: 00F6D177
ClientToScreen.USER32(?,?), ref: 00F6D1DC
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00F6D1E9
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00F6D203
ReleaseCapture.USER32 ref: 00F6D20E
GetCursorPos.USER32(?), ref: 00F6D248
ScreenToClient.USER32(?,?), ref: 00F6D255
SendMessageW.USER32(?,00001012,00000000,?), ref: 00F6D2B1
SendMessageW.USER32 ref: 00F6D2DF
SendMessageW.USER32(?,00001111,00000000,?), ref: 00F6D31C
SendMessageW.USER32 ref: 00F6D34B
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00F6D36C
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00F6D37B
GetCursorPos.USER32(?), ref: 00F6D39B
ScreenToClient.USER32(?,?), ref: 00F6D3A8
GetParent.USER32(?), ref: 00F6D3C8
SendMessageW.USER32(?,00001012,00000000,?), ref: 00F6D431
SendMessageW.USER32 ref: 00F6D462
ClientToScreen.USER32(?,?), ref: 00F6D4C0
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00F6D4F0
SendMessageW.USER32(?,00001111,00000000,?), ref: 00F6D51A
SendMessageW.USER32 ref: 00F6D53D
ClientToScreen.USER32(?,?), ref: 00F6D58F
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00F6D5C3

Part of subcall function 00EE25DB: GetWindowLongW.USER32(?,000000EB), ref: 00EE25EC

GetWindowLongW.USER32(?,000000F0), ref: 00F6D65F

Strings

F, xrefs: 00F6D543
@GUI_DRAGID, xrefs: 00F6D1AA

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F
API String ID: 3977979337-4164748364
Opcode ID: d600c07085d677946670d308e1bc5da4ea5b89718474f2e9aac161beb08f1363
Instruction ID: 5cdaae1c1f4657862aa744ef55a492f1b5d51447ae28bdbf7e3cb3f9c639e079
Opcode Fuzzy Hash: d600c07085d677946670d308e1bc5da4ea5b89718474f2e9aac161beb08f1363
Instruction Fuzzy Hash: 6642BD70A04245AFD721CF28C844FAABBF5FF49324F18451DF6A6972A1C7729C44EB92

Uniqueness

Uniqueness Score: -1.00%

Function 00F6804A Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 571windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000400,00000000,00000000), ref: 00F6873F

Strings

%d/%02d/%02d, xrefs: 00F68478

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: MessageSend
String ID: %d/%02d/%02d
API String ID: 3850602802-328681919
Opcode ID: ffa485b06329bbafeefe0e3637e5e22d271a832a8630ff795f05c471ce8891b6
Instruction ID: d45c214ec13d7e9ffa2f5d222728e09457440956a87d47e2b079a70a866910dd
Opcode Fuzzy Hash: ffa485b06329bbafeefe0e3637e5e22d271a832a8630ff795f05c471ce8891b6
Instruction Fuzzy Hash: B812D471500248ABEB258F24DC49FAA7BB4EF45760F14422DF526EB2E1DF748946EB10

Uniqueness

Uniqueness Score: -1.00%

Function 00EF710E Relevance: 50.6, APIs: 19, Strings: 7, Instructions: 5093COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00EF75C2
_memset.LIBCMT ref: 00EF76B1
_memmove.LIBCMT ref: 00EF7C4B
_memmove.LIBCMT ref: 00EF7E4F

Strings

\b(?=\w), xrefs: 00F33C34
[:<:]], xrefs: 00EF75F1
DEFINE, xrefs: 00F325AF
Q\E, xrefs: 00EF81C1
Oa, xrefs: 00F3287E
[:>:]], xrefs: 00EF760A
\b(?<=\w), xrefs: 00F33C41

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: _memmove$_memset
String ID: DEFINE$Oa$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
API String ID: 1357608183-2202602582
Opcode ID: bb0d68b0060c693085ae55939d86ad1f48e98ea55677dde3078cb65aa96dc139
Instruction ID: 14bd5cc0b33d4afd17f9a87207391849671daa065cf94046245f5e6da4c68fa0
Opcode Fuzzy Hash: bb0d68b0060c693085ae55939d86ad1f48e98ea55677dde3078cb65aa96dc139
Instruction Fuzzy Hash: 9C939171E04219DBDB24CF58C881BBDB7B1FF48724F25816AE945EB290E770AE81DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00EE4A35 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 00EE4A3D
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00F1DA8E
IsIconic.USER32(?), ref: 00F1DA97
ShowWindow.USER32(?,00000009), ref: 00F1DAA4
SetForegroundWindow.USER32(?), ref: 00F1DAAE
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00F1DAC4
GetCurrentThreadId.KERNEL32 ref: 00F1DACB
GetWindowThreadProcessId.USER32(?,00000000), ref: 00F1DAD7
AttachThreadInput.USER32(?,00000000,00000001), ref: 00F1DAE8
AttachThreadInput.USER32(?,00000000,00000001), ref: 00F1DAF0
AttachThreadInput.USER32(00000000,?,00000001), ref: 00F1DAF8
SetForegroundWindow.USER32(?), ref: 00F1DAFB
MapVirtualKeyW.USER32(00000012,00000000), ref: 00F1DB10
keybd_event.USER32(00000012,00000000), ref: 00F1DB1B
MapVirtualKeyW.USER32(00000012,00000000), ref: 00F1DB25
keybd_event.USER32(00000012,00000000), ref: 00F1DB2A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00F1DB33
keybd_event.USER32(00000012,00000000), ref: 00F1DB38
MapVirtualKeyW.USER32(00000012,00000000), ref: 00F1DB42
keybd_event.USER32(00000012,00000000), ref: 00F1DB47
SetForegroundWindow.USER32(?), ref: 00F1DB4A
AttachThreadInput.USER32(?,?,00000000), ref: 00F1DB71

Strings

Shell_TrayWnd, xrefs: 00F1DA89

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 577127d82acf562ad7a2cfda413b003ac7633371d37909cb9f1a8b1da700161e
Instruction ID: e36cfc83425d9b20f99382226a81531918ca4d1430b50b229c0b0e39e6812222
Opcode Fuzzy Hash: 577127d82acf562ad7a2cfda413b003ac7633371d37909cb9f1a8b1da700161e
Instruction Fuzzy Hash: 5431A371A4031CBBEB206F61AC49FBF3E6CEB84B60F154025FA05EA1D1C6B15D40BAA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F38858 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 00F38CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00F38D0D
Part of subcall function 00F38CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00F38D3A
Part of subcall function 00F38CC3: GetLastError.KERNEL32 ref: 00F38D47

_memset.LIBCMT ref: 00F3889B
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00F388ED
CloseHandle.KERNEL32(?), ref: 00F388FE
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00F38915
GetProcessWindowStation.USER32 ref: 00F3892E
SetProcessWindowStation.USER32(00000000), ref: 00F38938
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00F38952

Part of subcall function 00F38713: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00F38851), ref: 00F38728
Part of subcall function 00F38713: CloseHandle.KERNEL32(?,?,00F38851), ref: 00F3873A

Strings

winsta0, xrefs: 00F38910
, xrefs: 00F388AA
default, xrefs: 00F3894D

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: 3d5013c5e11c69a4927d28f23ebd24e2429d9af21018a456586032934fc45261
Instruction ID: e8430083f1d817dc2f5691477a5c8fc0071a8a627fe2842c595a0cf66253c318
Opcode Fuzzy Hash: 3d5013c5e11c69a4927d28f23ebd24e2429d9af21018a456586032934fc45261
Instruction Fuzzy Hash: 71814E71D00309BFDF11DFA4DC45AEE7B78EF043A4F18416AF920A6161DB798E16AB60

Uniqueness

Uniqueness Score: -1.00%

Function 00F5425A Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00F6F910), ref: 00F54284
IsClipboardFormatAvailable.USER32(0000000D), ref: 00F54292
GetClipboardData.USER32(0000000D), ref: 00F5429A
CloseClipboard.USER32 ref: 00F542A6
GlobalLock.KERNEL32(00000000), ref: 00F542C2
CloseClipboard.USER32 ref: 00F542CC
GlobalUnlock.KERNEL32(00000000,00000000), ref: 00F542E1
IsClipboardFormatAvailable.USER32(00000001), ref: 00F542EE
GetClipboardData.USER32(00000001), ref: 00F542F6
GlobalLock.KERNEL32(00000000), ref: 00F54303
GlobalUnlock.KERNEL32(00000000,00000000,?), ref: 00F54337
CloseClipboard.USER32 ref: 00F54447

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
String ID:
API String ID: 3222323430-0
Opcode ID: 2bd1f2d60e8b01b3ada26586df738d6523231a88f85d34c947e811d361f28ff2
Instruction ID: bcaf117ea8d3f41c8dd98f2b76764000537a62406b486e073d08ab8b02bc1754
Opcode Fuzzy Hash: 2bd1f2d60e8b01b3ada26586df738d6523231a88f85d34c947e811d361f28ff2
Instruction Fuzzy Hash: D751B5312043096BD301EF61EC95F6E77A8AF44B15F00452DFA66D21A1DFB0E949AB62

Uniqueness

Uniqueness Score: -1.00%

Function 00F4C9C7 Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00F4C9F8
FindClose.KERNEL32(00000000), ref: 00F4CA4C
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00F4CA71
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00F4CA88
FileTimeToSystemTime.KERNEL32(?,?), ref: 00F4CAAF
__swprintf.LIBCMT ref: 00F4CAFB
__swprintf.LIBCMT ref: 00F4CB3E

Part of subcall function 00EE7F41: _memmove.LIBCMT ref: 00EE7F82

__swprintf.LIBCMT ref: 00F4CB92

Part of subcall function 00F038D8: __woutput_l.LIBCMT ref: 00F03931

__swprintf.LIBCMT ref: 00F4CBE0

Part of subcall function 00F038D8: __flsbuf.LIBCMT ref: 00F03953
Part of subcall function 00F038D8: __flsbuf.LIBCMT ref: 00F0396B

__swprintf.LIBCMT ref: 00F4CC2F
__swprintf.LIBCMT ref: 00F4CC7E
__swprintf.LIBCMT ref: 00F4CCCD

Strings

%02d, xrefs: 00F4CB86, 00F4CB90, 00F4CBDE, 00F4CC2D, 00F4CC7C, 00F4CCCB
%4d, xrefs: 00F4CB38
%4d%02d%02d%02d%02d%02d, xrefs: 00F4CAF5

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: 829c62b04058b9a12ff03a597b0678ad07ad7fb08a8f32bb9f43f8ddf769e9e8
Instruction ID: 3a9283e28f4980d37475feab7f18d7b02cb64aabef4f505a6a1665bcb2362f2f
Opcode Fuzzy Hash: 829c62b04058b9a12ff03a597b0678ad07ad7fb08a8f32bb9f43f8ddf769e9e8
Instruction Fuzzy Hash: BEA15EB2508348ABC710EB65CC85DAFB7ECEF94700F405929F586D3192EB34DA08DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00F4F200 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 00F4F221
_wcscmp.LIBCMT ref: 00F4F236
_wcscmp.LIBCMT ref: 00F4F24D
GetFileAttributesW.KERNEL32(?), ref: 00F4F25F
SetFileAttributesW.KERNEL32(?,?), ref: 00F4F279
FindNextFileW.KERNEL32(00000000,?), ref: 00F4F291
FindClose.KERNEL32(00000000), ref: 00F4F29C
FindFirstFileW.KERNEL32(*.*,?), ref: 00F4F2B8
_wcscmp.LIBCMT ref: 00F4F2DF
_wcscmp.LIBCMT ref: 00F4F2F6
SetCurrentDirectoryW.KERNEL32(?), ref: 00F4F308
SetCurrentDirectoryW.KERNEL32(00F9A5A0), ref: 00F4F326
FindNextFileW.KERNEL32(00000000,00000010), ref: 00F4F330
FindClose.KERNEL32(00000000), ref: 00F4F33D
FindClose.KERNEL32(00000000), ref: 00F4F34F

Strings

*.*, xrefs: 00F4F2B3

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: 82b8b6ed3e9ec42e9d3062281f6334887433f830b5c8bbce629fb90a1b00c517
Instruction ID: 811a2e69a0bb86abed667ca81f14c4e5c189af5cacef6f8d47e9186cc3d4541e
Opcode Fuzzy Hash: 82b8b6ed3e9ec42e9d3062281f6334887433f830b5c8bbce629fb90a1b00c517
Instruction Fuzzy Hash: ED31C576A0021D6BDF10DFB4EC59AEE7BAC9F48370F140176E918D3090EB74DA49EA60

Uniqueness

Uniqueness Score: -1.00%

Function 00F60AE2 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F60BDE
RegCreateKeyExW.ADVAPI32(?,?,00000000,00F6F910,00000000,?,00000000,?,?), ref: 00F60C4C
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00F60C94
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00F60D1D
RegCloseKey.ADVAPI32(?), ref: 00F6103D
RegCloseKey.ADVAPI32(00000000), ref: 00F6104A

Strings

REG_DWORD, xrefs: 00F60F0E
REG_EXPAND_SZ, xrefs: 00F60CBA
REG_QWORD, xrefs: 00F60F8B
REG_BINARY, xrefs: 00F60FD8
REG_MULTI_SZ, xrefs: 00F60E05
REG_SZ, xrefs: 00F60D5B

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: b93f57edc373ae794283ed4d5d83c255840c6c5c599c15e256a9ce5798b1bcfd
Instruction ID: 6a4921f8c782776227bad4d8882077bd36a6a0abac1cb95a8bd255c0f7fb3393
Opcode Fuzzy Hash: b93f57edc373ae794283ed4d5d83c255840c6c5c599c15e256a9ce5798b1bcfd
Instruction Fuzzy Hash: 0B029075600655AFCB14EF15C881E2AB7E5FF88724F04885DF88AAB362CB35EC41DB81

Uniqueness

Uniqueness Score: -1.00%

Function 00F4F35D Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 00F4F37E
_wcscmp.LIBCMT ref: 00F4F393
_wcscmp.LIBCMT ref: 00F4F3AA

Part of subcall function 00F445C1: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00F445DC

FindNextFileW.KERNEL32(00000000,?), ref: 00F4F3D9
FindClose.KERNEL32(00000000), ref: 00F4F3E4
FindFirstFileW.KERNEL32(*.*,?), ref: 00F4F400
_wcscmp.LIBCMT ref: 00F4F427
_wcscmp.LIBCMT ref: 00F4F43E
SetCurrentDirectoryW.KERNEL32(?), ref: 00F4F450
SetCurrentDirectoryW.KERNEL32(00F9A5A0), ref: 00F4F46E
FindNextFileW.KERNEL32(00000000,00000010), ref: 00F4F478
FindClose.KERNEL32(00000000), ref: 00F4F485
FindClose.KERNEL32(00000000), ref: 00F4F497

Strings

*.*, xrefs: 00F4F3FB

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: 743ab6d59b7f2099051e46a26dad70af84cf51d488839357e9714b04af896900
Instruction ID: 562e84a34e7fac6ae8602fc8b657db8ffd38c75d98d60f9ba2308f557736c04b
Opcode Fuzzy Hash: 743ab6d59b7f2099051e46a26dad70af84cf51d488839357e9714b04af896900
Instruction Fuzzy Hash: C431C6729011196BDF10DFA4EC88ADE7BAC9F45330F140175EC18A21A0DB74DA48FA60

Uniqueness

Uniqueness Score: -1.00%

Function 00F381F7 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F3874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00F38766
Part of subcall function 00F3874A: GetLastError.KERNEL32(?,00F3822A,?,?,?), ref: 00F38770
Part of subcall function 00F3874A: GetProcessHeap.KERNEL32(00000008,?,?,00F3822A,?,?,?), ref: 00F3877F
Part of subcall function 00F3874A: HeapAlloc.KERNEL32(00000000,?,00F3822A,?,?,?), ref: 00F38786
Part of subcall function 00F3874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00F3879D

Part of subcall function 00F387E7: GetProcessHeap.KERNEL32(00000008,00F38240,00000000,00000000,?,00F38240,?), ref: 00F387F3
Part of subcall function 00F387E7: HeapAlloc.KERNEL32(00000000,?,00F38240,?), ref: 00F387FA
Part of subcall function 00F387E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00F38240,?), ref: 00F3880B

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00F3825B
_memset.LIBCMT ref: 00F38270
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00F3828F
GetLengthSid.ADVAPI32(?), ref: 00F382A0
GetAce.ADVAPI32(?,00000000,?), ref: 00F382DD
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00F382F9
GetLengthSid.ADVAPI32(?), ref: 00F38316
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00F38325
HeapAlloc.KERNEL32(00000000), ref: 00F3832C
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00F3834D
CopySid.ADVAPI32(00000000), ref: 00F38354
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00F38385
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00F383AB
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00F383BF

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: f46b006dcada1a30ae321d9e71fb6fe7bc0693c99fcf5c03ff2ed6f941458f46
Instruction ID: 4c16c9065688c2488385b0007a6a154b3ee1480a61f92b587fd2ceda9c8a33ef
Opcode Fuzzy Hash: f46b006dcada1a30ae321d9e71fb6fe7bc0693c99fcf5c03ff2ed6f941458f46
Instruction Fuzzy Hash: 69616D71900209EFDF00DF94DC45AEEBBB9FF44760F148129F825A7291DB799A06EB60

Uniqueness

Uniqueness Score: -1.00%

Function 00EF6843 Relevance: 19.6, Strings: 15, Instructions: 883COMMON

Download Yara Rule

Strings

CR), xrefs: 00F316C0
NO_START_OPT), xrefs: 00F31588
LIMIT_MATCH=, xrefs: 00F315A9
LIMIT_RECURSION=, xrefs: 00F31635
UCP), xrefs: 00F31546
BSR_ANYCRLF), xrefs: 00F31757
UTF16), xrefs: 00F31508
LF), xrefs: 00F316DD
UTF), xrefs: 00F31533
NO_AUTO_POSSESS), xrefs: 00F31567
Oa, xrefs: 00F31888, 00F3192F, 00F319DD
CRLF), xrefs: 00F316FA
ANY), xrefs: 00F31717
ANYCRLF), xrefs: 00F31734
BSR_UNICODE), xrefs: 00F31771

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID:
String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$Oa$UCP)$UTF)$UTF16)
API String ID: 0-3700951917
Opcode ID: e90f78df8ce02ed7d0fd290d7312cc9ae0a23824fb92811def853f8a8ccf571e
Instruction ID: 724033d6ade2f2edeb9c75e41001b9edd61590bfb8fbd5c99c34bc3d266849f6
Opcode Fuzzy Hash: e90f78df8ce02ed7d0fd290d7312cc9ae0a23824fb92811def853f8a8ccf571e
Instruction Fuzzy Hash: 9F725D75E002199BDF24DF58C8807BEB7B5FF48720F14816AE949EB290EB749D81DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00F60665 Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F610A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F60038,?,?), ref: 00F610BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F60737

Part of subcall function 00EE9997: __itow.LIBCMT ref: 00EE99C2
Part of subcall function 00EE9997: __swprintf.LIBCMT ref: 00EE9A0C

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00F607D6
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00F6086E
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00F60AAD
RegCloseKey.ADVAPI32(00000000), ref: 00F60ABA

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: e6083116a19fd3287ae5b3fae002cdf287ba438fbbe497214a8567a21f249d50
Instruction ID: 729d8a9a306f8fe6e8870277229d3cfba6b7346ac58a7386922f3a6f84c2bada
Opcode Fuzzy Hash: e6083116a19fd3287ae5b3fae002cdf287ba438fbbe497214a8567a21f249d50
Instruction Fuzzy Hash: B7E15C31604204AFCB14DF25C891E2BBBE4EF89714F14896DF89ADB262DA34ED05DB51

Uniqueness

Uniqueness Score: -1.00%

Function 00F40219 Relevance: 16.6, APIs: 11, Instructions: 120keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00F40241
GetAsyncKeyState.USER32(000000A0), ref: 00F402C2
GetKeyState.USER32(000000A0), ref: 00F402DD
GetAsyncKeyState.USER32(000000A1), ref: 00F402F7
GetKeyState.USER32(000000A1), ref: 00F4030C
GetAsyncKeyState.USER32(00000011), ref: 00F40324
GetKeyState.USER32(00000011), ref: 00F40336
GetAsyncKeyState.USER32(00000012), ref: 00F4034E
GetKeyState.USER32(00000012), ref: 00F40360
GetAsyncKeyState.USER32(0000005B), ref: 00F40378
GetKeyState.USER32(0000005B), ref: 00F4038A

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: a46b6c30888fcdb052617fb5478e7afd507f3caaf4c008860930f2bc3256fe91
Instruction ID: a87fc57786f776db03208a1a61015a72a68c9ceb8a6e3b453de45125d182c6a5
Opcode Fuzzy Hash: a46b6c30888fcdb052617fb5478e7afd507f3caaf4c008860930f2bc3256fe91
Instruction Fuzzy Hash: 24416624D047C96AFF319A6498083B5BEA06B12364F08455EDFC6571C2EFF45EC8AB92

Uniqueness

Uniqueness Score: -1.00%

Function 00F586D0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE9997: __itow.LIBCMT ref: 00EE99C2
Part of subcall function 00EE9997: __swprintf.LIBCMT ref: 00EE9A0C

CoInitialize.OLE32 ref: 00F58718
CoUninitialize.OLE32 ref: 00F58723
CoCreateInstance.OLE32(?,00000000,00000017,00F72BEC,?), ref: 00F58783
IIDFromString.OLE32(?,?), ref: 00F587F6
VariantInit.OLEAUT32(?), ref: 00F58890
VariantClear.OLEAUT32(?), ref: 00F588F1

Strings

Invalid parameter, xrefs: 00F5880F
Failed to create object, xrefs: 00F5878E, 00F58844
NULL Pointer assignment, xrefs: 00F587C8

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: bb65fab4c3ad7683e405b1fe1e8735e8899dec1aeda156199f087ea72fe3fae4
Instruction ID: d97406ff805ff98ac7941263edc160fc891951c40af1fec851f60f9b0efdfb3f
Opcode Fuzzy Hash: bb65fab4c3ad7683e405b1fe1e8735e8899dec1aeda156199f087ea72fe3fae4
Instruction Fuzzy Hash: 2361D271608701AFD710DF24D844B6ABBE4EF48756F10481DFA85AB291CB70ED4DEB92

Uniqueness

Uniqueness Score: -1.00%

Function 00F54458 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00F5447F
EmptyClipboard.USER32 ref: 00F54485
GlobalAlloc.KERNEL32(00000002,?), ref: 00F5449A
CloseClipboard.USER32 ref: 00F54539

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 0c2508fb11327fc5e931543074ba42cc50c9419fca2c485dd2dd237e72f5d3a6
Instruction ID: ef09888b70c24294fc48a716e7c2a9b374f69e6c4ecf49a43e5fda932e487847
Opcode Fuzzy Hash: 0c2508fb11327fc5e931543074ba42cc50c9419fca2c485dd2dd237e72f5d3a6
Instruction Fuzzy Hash: F621A175300218AFDB10AF20EC09B6977E8EF44725F14802AFD16DB2B2DBB5AD05EB54

Uniqueness

Uniqueness Score: -1.00%

Function 00F43A2B Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00EE48A1,?,?,00EE37C0,?), ref: 00EE48CE

Part of subcall function 00F44CD3: GetFileAttributesW.KERNEL32(?,00F43947), ref: 00F44CD4

FindFirstFileW.KERNEL32(?,?), ref: 00F43ADF
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00F43B87
MoveFileW.KERNEL32(?,?), ref: 00F43B9A
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00F43BB7
FindNextFileW.KERNEL32(00000000,00000010), ref: 00F43BD9
FindClose.KERNEL32(00000000,?,?,?,?), ref: 00F43BF5

Strings

\*.*, xrefs: 00F43A8A, 00F43A93, 00F43AA8

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: 2785ca8ad7c7adb0ec21dc577be1cf7aebf1a863525a2a1395a2c0524878e277
Instruction ID: af815ea1a93ae9ad5b42884c04e1ccbcb2570e59021d64c5382909e69a7580d0
Opcode Fuzzy Hash: 2785ca8ad7c7adb0ec21dc577be1cf7aebf1a863525a2a1395a2c0524878e277
Instruction Fuzzy Hash: 2E51A331C0518D9ACF15EBA1DD929EDBBB8AF54300F6441A9E84677091EF706F0DDBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00EF4140 Relevance: 13.4, APIs: 1, Strings: 6, Instructions: 1132COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00EF4520
VUUU, xrefs: 00EF44DB
VUUU, xrefs: 00F27B0C
ERCP, xrefs: 00EF421F
Oa, xrefs: 00EF4984, 00F28173
VUUU, xrefs: 00EF44ED

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID:
String ID: ERCP$Oa$VUUU$VUUU$VUUU$VUUU
API String ID: 0-3486589167
Opcode ID: e861f0fbbbbbdc7116d945307e09132e2120e3ae4e87ab4c8e6495dc03f3f06f
Instruction ID: 2494473f727e6b8602a6b8e0c5d9c1dbe4c9bd2d1752cfe00a3ae30d1d89007c
Opcode Fuzzy Hash: e861f0fbbbbbdc7116d945307e09132e2120e3ae4e87ab4c8e6495dc03f3f06f
Instruction Fuzzy Hash: F8A28CB0E0422ECBDF24DF58D9807BEB7B1BB54314F1491AAD956B7280E7749E81DB80

Uniqueness

Uniqueness Score: -1.00%

Function 00F4F65E Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE7F41: _memmove.LIBCMT ref: 00EE7F82

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00F4F6AB
Sleep.KERNEL32(0000000A), ref: 00F4F6DB
_wcscmp.LIBCMT ref: 00F4F6EF
_wcscmp.LIBCMT ref: 00F4F70A
FindNextFileW.KERNEL32(?,?), ref: 00F4F7A8
FindClose.KERNEL32(00000000), ref: 00F4F7BE

Strings

*.*, xrefs: 00F4F690

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: 95bc544d77a0e0ec6e8a3b1f64c6e9bdf52d318322a906890350137ef04db243
Instruction ID: 8f34ef654a945daa58612eeb68c8b1a5040b542fb23a4dde6364f7ba73c77592
Opcode Fuzzy Hash: 95bc544d77a0e0ec6e8a3b1f64c6e9bdf52d318322a906890350137ef04db243
Instruction Fuzzy Hash: 8541607190020E9FDF11DF64DC45AEEBBB4FF05310F14456AE819A21A1EB349E48EB90

Uniqueness

Uniqueness Score: -1.00%

Function 00EF58C0 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00EF5A05
_memmove.LIBCMT ref: 00EF5A55
_memmove.LIBCMT ref: 00EF5ABB

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 068da2524f2aab650d15014c9498ae7aefaff406efb18ba7d9d2f7642ee918ca
Instruction ID: dacff10e7093c58aaaacb5d3c90b939f54779f69643ce4fda01a8a53323b2ff6
Opcode Fuzzy Hash: 068da2524f2aab650d15014c9498ae7aefaff406efb18ba7d9d2f7642ee918ca
Instruction Fuzzy Hash: 20129871A0060DDBDF14CFA5D981AEEB3F5FF48310F10816AE946E7291EB39AA11DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00EF5680 Relevance: 11.0, APIs: 5, Strings: 1, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 00F00FF6: std::exception::exception.LIBCMT ref: 00F0102C
Part of subcall function 00F00FF6: __CxxThrowException@8.LIBCMT ref: 00F01041

_memmove.LIBCMT ref: 00F3062F
_memmove.LIBCMT ref: 00F30744
_memmove.LIBCMT ref: 00F307EB

Strings

yZ, xrefs: 00F30881, 00F307FF

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID: yZ
API String ID: 1300846289-3798167742
Opcode ID: b56b70fbe9b668f5623d29499eb98803673189f35d96fd1b12c65745f85cc315
Instruction ID: 98c09c49b48b067d931519bf4e5fbfcb33acdf68c9f1aa388c08e09d25cac1fa
Opcode Fuzzy Hash: b56b70fbe9b668f5623d29499eb98803673189f35d96fd1b12c65745f85cc315
Instruction Fuzzy Hash: 3002C071E00209DBCF04DF64D991ABEBBB5FF44310F14806AE946EB295EB35D950EB90

Uniqueness

Uniqueness Score: -1.00%

Function 00F4545F Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00F38CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00F38D0D
Part of subcall function 00F38CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00F38D3A
Part of subcall function 00F38CC3: GetLastError.KERNEL32 ref: 00F38D47

ExitWindowsEx.USER32(?,00000000), ref: 00F4549B

Strings

@, xrefs: 00F4548E
, xrefs: 00F45489
SeShutdownPrivilege, xrefs: 00F4546B

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 5121245a476caa26c52e15664cfed548172a7823b5b6dd62150f25a0d27ed81e
Instruction ID: c3c69a4ad1ccaf4a8a4dfcfc7ba3b0a17c6d18471ecbce644d06f8a4a0b5762d
Opcode Fuzzy Hash: 5121245a476caa26c52e15664cfed548172a7823b5b6dd62150f25a0d27ed81e
Instruction Fuzzy Hash: 3F014C71A55B052BF728F274EC6ABB67A58EB00B62F240021FC17DA0E3D6944C84B190

Uniqueness

Uniqueness Score: -1.00%

Function 00EF3190 Relevance: 9.3, APIs: 4, Strings: 1, Instructions: 587COMMON

Download Yara Rule

Strings

Oa, xrefs: 00EF3482

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: __itow__swprintf
String ID: Oa
API String ID: 674341424-3945284152
Opcode ID: fe87f4f3df6c7c2d529744c80735fdd9073ba09ae7a8f7e498cb0c705653b954
Instruction ID: fe4b5a8517626d9bff6ba8a95d4e9a30822d266a480d82f8e124d6303747711d
Opcode Fuzzy Hash: fe87f4f3df6c7c2d529744c80735fdd9073ba09ae7a8f7e498cb0c705653b954
Instruction Fuzzy Hash: 5322BC716083559FC724EF24C881BAFB7E4BF84714F10591DF99AA7292DB30EA04DB92

Uniqueness

Uniqueness Score: -1.00%

Function 00F56596 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00F565EF
WSAGetLastError.WSOCK32(00000000), ref: 00F565FE
bind.WSOCK32(00000000,?,00000010), ref: 00F5661A
listen.WSOCK32(00000000,00000005), ref: 00F56629
WSAGetLastError.WSOCK32(00000000), ref: 00F56643
closesocket.WSOCK32(00000000,00000000), ref: 00F56657

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: c0a9e03595b7bc33696160db94c53902454418e33b4a56dd24d198a6bac127da
Instruction ID: b09e1a78e2da8ab3fb53ebd6b3c00bc21cce33f0b63fe554e9e1df02449b5fce
Opcode Fuzzy Hash: c0a9e03595b7bc33696160db94c53902454418e33b4a56dd24d198a6bac127da
Instruction Fuzzy Hash: 002193316002049FCB10AF24DC45B6EB7E9EF44321F148159E966E73D2CB70AD05AB51

Uniqueness

Uniqueness Score: -1.00%

Function 00EE1287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 00EE2612: GetWindowLongW.USER32(?,000000EB), ref: 00EE2623

DefDlgProcW.USER32(?,?,?,?,?), ref: 00EE19FA
GetSysColor.USER32(0000000F), ref: 00EE1A4E
SetBkColor.GDI32(?,00000000), ref: 00EE1A61

Part of subcall function 00EE1290: DefDlgProcW.USER32(?,00000020,?), ref: 00EE12D8

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: fa04a1e44d8eeb8daeb67d70678341bc9490ea78e03c0354737efb6d765faab7
Instruction ID: 2301d1d9a8974326dceb9041abc9c102ea6f7ae49c85e6562ffa68e35411147e
Opcode Fuzzy Hash: fa04a1e44d8eeb8daeb67d70678341bc9490ea78e03c0354737efb6d765faab7
Instruction Fuzzy Hash: 6EA156B11054CCFAD628AB2B8C44EFF369DDB86395B14116DF446F6196CA398CC1B2B2

Uniqueness

Uniqueness Score: -1.00%

Function 00F56A5A Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00F580A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00F580CB

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00F56AB1
WSAGetLastError.WSOCK32(00000000), ref: 00F56ADA
bind.WSOCK32(00000000,?,00000010), ref: 00F56B13
WSAGetLastError.WSOCK32(00000000), ref: 00F56B20
closesocket.WSOCK32(00000000,00000000), ref: 00F56B34

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: d1e03f11a1b1972b306ee5329f7e09b3a3be2e455bbd88584dd9341c22986722
Instruction ID: 5426f411b6368f53bcb8bb2e49aa924e2c628025219864fcc3c951c14fed6a31
Opcode Fuzzy Hash: d1e03f11a1b1972b306ee5329f7e09b3a3be2e455bbd88584dd9341c22986722
Instruction Fuzzy Hash: 6841B175A00218AFEB10AF25DC86F6E77E89F48720F448058FA1ABB3D3DA749D019791

Uniqueness

Uniqueness Score: -1.00%

Function 00F655FD Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00F6564C
IsWindowEnabled.USER32 ref: 00F6565A
GetForegroundWindow.USER32(?,?,00000001), ref: 00F65667
IsIconic.USER32 ref: 00F65675
IsZoomed.USER32 ref: 00F65683

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: ad000c709c43ea4574dc750fc92d1ecddf9f0b628735f8f24f6b081f7dfaded2
Instruction ID: 84ad9c11e5ad2f7b752a4ef30fcd7b431b64034ae1fe5a35c0e89f331bc40019
Opcode Fuzzy Hash: ad000c709c43ea4574dc750fc92d1ecddf9f0b628735f8f24f6b081f7dfaded2
Instruction Fuzzy Hash: 6A11B2727009156FE7211F26DC44B2B7798EF84B21F444029E806E7241CB729D01EAA5

Uniqueness

Uniqueness Score: -1.00%

Function 00F5C304 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00F21D88,?), ref: 00F5C312
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00F5C324

Strings

kernel32.dll, xrefs: 00F5C30D
GetSystemWow64DirectoryW, xrefs: 00F5C31E

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: fa8d27e871dbf6f41ddc4896b974840f12bdef2870f7dd6302b821f9406bcaf9
Instruction ID: fb0b5675a28d63f28626636f1dc7bf70db531eb6a027d0fb55483b88855fd838
Opcode Fuzzy Hash: fa8d27e871dbf6f41ddc4896b974840f12bdef2870f7dd6302b821f9406bcaf9
Instruction Fuzzy Hash: 06E01274A00717CFDB305F25E814A8676D4EF0976AB80C439ED96D2260E7B4D888EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00F5F121 Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00F5F151
Process32FirstW.KERNEL32(00000000,?), ref: 00F5F15F

Part of subcall function 00EE7F41: _memmove.LIBCMT ref: 00EE7F82

Process32NextW.KERNEL32(00000000,?), ref: 00F5F21F
CloseHandle.KERNEL32(00000000,?,?,?), ref: 00F5F22E

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: c2ebe29c478f41eaa2bc3cb871132c2873dd591618fb297717bdba68bcb49e6f
Instruction ID: 9d1ea2310128990a34beb03eac05487f664b41249095a9d31e374c719275464a
Opcode Fuzzy Hash: c2ebe29c478f41eaa2bc3cb871132c2873dd591618fb297717bdba68bcb49e6f
Instruction Fuzzy Hash: CD5172715043459FD310EF25DC85E6BB7E8FF98710F10582DF996972A2EB709908CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00F440B1 Relevance: 6.1, APIs: 4, Instructions: 65fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00F440D1
_memset.LIBCMT ref: 00F440F2
DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 00F44144
CloseHandle.KERNEL32(00000000), ref: 00F4414D

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle_memset
String ID:
API String ID: 1157408455-0
Opcode ID: c915887a90271777a4364bb5b97a765b7a8f6c341d43cf334241ae4f314c1121
Instruction ID: c48c6bf816437a054419f928b6709e6cefa306f85b85327926fcd1b40875318d
Opcode Fuzzy Hash: c915887a90271777a4364bb5b97a765b7a8f6c341d43cf334241ae4f314c1121
Instruction Fuzzy Hash: FF11EB75D0122C7AD7305BA5AC4DFABBB7CEF44760F104196F908E7180D6744E849BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00F3EB07 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00F3EB19

Strings

(, xrefs: 00F3EB5F
|, xrefs: 00F3EB49

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: ce8581a4389efbd961af3683aeb16252143dca9e4da6734ba6e66206e83880af
Instruction ID: dbe4026b96b5c15f85fd1cbbeb5956a8a63309a5a54c5eb74daf84b8198db64c
Opcode Fuzzy Hash: ce8581a4389efbd961af3683aeb16252143dca9e4da6734ba6e66206e83880af
Instruction Fuzzy Hash: 9E321575A046059FDB28CF29C481A6AB7F1FF48320F15C56EE89ADB3A1D770E941DB40

Uniqueness

Uniqueness Score: -1.00%

Function 00F525E2 Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000), ref: 00F526D5
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00F5270C

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 3f532a618d048bf52f893ab7fc7cfd580d36144a33360cc20ab9a884b0fa231f
Instruction ID: 9095e22e61b3ccc4ba787f286d280658af9568eb8c2b8b5ff1eb1278fea59827
Opcode Fuzzy Hash: 3f532a618d048bf52f893ab7fc7cfd580d36144a33360cc20ab9a884b0fa231f
Instruction Fuzzy Hash: 6541F971900209BFEB60DF54DC85FBB77BCEB45726F10416AFF01A6140EA719E49B650

Uniqueness

Uniqueness Score: -1.00%

Function 00F4B59E Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00F4B5AE
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00F4B608
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00F4B655

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 2e2cf8965697cf2ca8566b406cbcc9dcd7dbf399462fc2c04a724226a202b3c6
Instruction ID: d29dcf94c6888b24205ab778f73e6c792f53e7f00ccecf799f7b9943044cd49a
Opcode Fuzzy Hash: 2e2cf8965697cf2ca8566b406cbcc9dcd7dbf399462fc2c04a724226a202b3c6
Instruction Fuzzy Hash: 7C216075A0051CEFCB00EF65E880AADBBF8FF49314F1480AAE805AB352DB31A955DB51

Uniqueness

Uniqueness Score: -1.00%

Function 00F38CC3 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00F00FF6: std::exception::exception.LIBCMT ref: 00F0102C
Part of subcall function 00F00FF6: __CxxThrowException@8.LIBCMT ref: 00F01041

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00F38D0D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00F38D3A
GetLastError.KERNEL32 ref: 00F38D47

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: c00fd510e7e19d21c2b8e0eb345b614edb98f214869f83537855753d88037851
Instruction ID: e7ee3d2832ab901e0c75cc80ff629c632448ebf490bf5f3818a65577d9ae2a49
Opcode Fuzzy Hash: c00fd510e7e19d21c2b8e0eb345b614edb98f214869f83537855753d88037851
Instruction Fuzzy Hash: E611BFB2914309AFE7289F54EC85D6BB7B8FB04760B20852EF45683241EF74AC41AB20

Uniqueness

Uniqueness Score: -1.00%

Function 00F44C03 Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00F44C2C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00F44C43
FreeSid.ADVAPI32(?), ref: 00F44C53

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 6200a16c98227232fec19bab57f21a19fa0dbb0376768ca04befe8db2910c819
Instruction ID: b52293e71d39db05e98a2f9f0746d8a6cde7b6b5d1e85ab3c4aebf41df981968
Opcode Fuzzy Hash: 6200a16c98227232fec19bab57f21a19fa0dbb0376768ca04befe8db2910c819
Instruction Fuzzy Hash: 01F04F7591130CBFDF04DFF0DD89AADBBBCEF08311F004469E911E2181D6706A049B50

Uniqueness

Uniqueness Score: -1.00%

Function 00EEE060 Relevance: 3.5, APIs: 2, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab55f2cd4723794928104679dfd6633221a175f6fd4a475b09043a47ac0104f7
Instruction ID: 65be54cb7c78f0ef5be7a2eb8ff809b66f75c079212d22223b01ecd2a993ba48
Opcode Fuzzy Hash: ab55f2cd4723794928104679dfd6633221a175f6fd4a475b09043a47ac0104f7
Instruction Fuzzy Hash: 9E22CEB0A0025ACFDB24DF55D880ABEB7F0FF08314F149069E856AB395E734AD85DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00F4C93C Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00F4C966
FindClose.KERNEL32(00000000), ref: 00F4C996

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 4105497da799abcba0be6255a45494ed6a29a165fcac25e17130b1bc47e26b08
Instruction ID: b110bac5e0af54ec4e73899e93c8bf26deb5c23c43fc11a4ab167372247284e0
Opcode Fuzzy Hash: 4105497da799abcba0be6255a45494ed6a29a165fcac25e17130b1bc47e26b08
Instruction Fuzzy Hash: 9F1184726106049FDB10EF29D845A2AFBE9FF84324F00851EF8AAD7391DB74AC05DB81

Uniqueness

Uniqueness Score: -1.00%

Function 00F4A2D5 Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00F5977D,?,00F6FB84,?), ref: 00F4A302
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00F5977D,?,00F6FB84,?), ref: 00F4A314

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 4f99d0036c65e80cf68b06bf764f7e52f339bf8e17485e83d873071efd2299f4
Instruction ID: 99115a031b39b9c2dbf5fd237db153116c3a9551c412c3d918e76bc7cbb606ea
Opcode Fuzzy Hash: 4f99d0036c65e80cf68b06bf764f7e52f339bf8e17485e83d873071efd2299f4
Instruction Fuzzy Hash: 98F0E23154822DABDB209FA4CC48FEA776CBF08761F004265F918D2180E6709944DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F38713 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00F38851), ref: 00F38728
CloseHandle.KERNEL32(?,?,00F38851), ref: 00F3873A

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: c526ed049cb7ace857aecc98c637e83664b12eb3aedb45e661d6a724cae15b84
Instruction ID: f6cfee85e0d5dbec52baf28f11aaa817409d0454aea916315aaad8fe39347d55
Opcode Fuzzy Hash: c526ed049cb7ace857aecc98c637e83664b12eb3aedb45e661d6a724cae15b84
Instruction Fuzzy Hash: 7FE0B676014611EFE7252B60FC09D777BA9FB04360B248829F4A680470DBA6AC91FB50

Uniqueness

Uniqueness Score: -1.00%

Function 00F0A395 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00F08F97,?,?,?,00000001), ref: 00F0A39A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00F0A3A3

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 85239e0854a08da84e2d35a1533e334105a92e5fac3313ed3b46a8f3fab9dbf4
Instruction ID: 34febaf63c8de296c5c2f863d2d465cf02f4b0323e9098fddd618e98d46ffe81
Opcode Fuzzy Hash: 85239e0854a08da84e2d35a1533e334105a92e5fac3313ed3b46a8f3fab9dbf4
Instruction Fuzzy Hash: 05B0923105820CABCA002B91FC0AB883F68EB44AA2F404020F61D84262EBA25454AA91

Uniqueness

Uniqueness Score: -1.00%

Function 00F0F419 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f72ca9ac58f87e3945d516926e767231ab518f2a49e34ebbc416ddcba43deeed
Instruction ID: 3b98550e40b80691d8c07364d2ebc988ad8f18350d4a9c06a091c8e34fe6037a
Opcode Fuzzy Hash: f72ca9ac58f87e3945d516926e767231ab518f2a49e34ebbc416ddcba43deeed
Instruction Fuzzy Hash: CD320322D69F054DD723A638D832335A249AFB73D4F15D737E819B5EAAEB28C4C36101

Uniqueness

Uniqueness Score: -1.00%

Function 00F1267E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 716e3faa98484710214b60d8c5760e7b2fe4c406faac6f92ba2937fb94860ea4
Instruction ID: 93247ec96b2127e1edd89e6d288b671631158b863ebfa63320cffc04590591c7
Opcode Fuzzy Hash: 716e3faa98484710214b60d8c5760e7b2fe4c406faac6f92ba2937fb94860ea4
Instruction Fuzzy Hash: 5DB1F120D2AF454DD2639A398835336B64CAFFB2C5F52D71BFC1A74D22EB2281C35142

Uniqueness

Uniqueness Score: -1.00%

Function 00F48B13 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 00F48B25

Part of subcall function 00F0543A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00F491F8,00000000,?,?,?,?,00F493A9,00000000,?), ref: 00F05443
Part of subcall function 00F0543A: __aulldiv.LIBCMT ref: 00F05463

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID:
API String ID: 2893107130-0
Opcode ID: e90dc19366598cef7a06e9ebb2f4f041638d900d42041a501af573d5cb0fabe7
Instruction ID: 7d64e1f2d649f961dc16d256cf201970c31e13b62d14e3bd25489039d29508ea
Opcode Fuzzy Hash: e90dc19366598cef7a06e9ebb2f4f041638d900d42041a501af573d5cb0fabe7
Instruction Fuzzy Hash: B121E472A356108FC329CF25D841A52B7E1EFA5321F288E6CD4E5CB2D0CA74BD45EB94

Uniqueness

Uniqueness Score: -1.00%

Function 00F541FD Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00F54218

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 3aa7c2a637fda30c553bad7aaf702f294c01a176b80edd0342a3e2aa9efc8452
Instruction ID: 0c0687b14990b5bb7914afab0f71a755dde6e4ada7679d625dac79e9ad82f324
Opcode Fuzzy Hash: 3aa7c2a637fda30c553bad7aaf702f294c01a176b80edd0342a3e2aa9efc8452
Instruction Fuzzy Hash: 2BE04F722402189FC710EF5AE844A9AF7E8AF94761F009026FD4AD7352DAB0F8459BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00F44EF5 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 00F44F18

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: dce994e2147a0eeebdc3a0d5a2cb01bbcc96e3431a81c25f6ad45c422750e32a
Instruction ID: 89c6f2ed5ef47e15f98f24c1d5c29001a6d87761acd5178cdf15542ffb5d6bce
Opcode Fuzzy Hash: dce994e2147a0eeebdc3a0d5a2cb01bbcc96e3431a81c25f6ad45c422750e32a
Instruction Fuzzy Hash: 74D05EB156821938FC184B20AC0FF761908E3407B1F8449897E02B74C299E57C08B435

Uniqueness

Uniqueness Score: -1.00%

Function 00F38C93 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00F388D1), ref: 00F38CB3

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 657ae60a8982976ea0887ff52f4a01ddc4f1da492d562795d6e88cf3d79b6114
Instruction ID: 89c00bb1137ac640cc947b92f1e261452b03a82d09223ec977ca6f36cf28da4a
Opcode Fuzzy Hash: 657ae60a8982976ea0887ff52f4a01ddc4f1da492d562795d6e88cf3d79b6114
Instruction Fuzzy Hash: 40D09E3226450EBBEF019EA4ED05EAE3B69EB04B01F408511FE25D51A1C7B5D935AB60

Uniqueness

Uniqueness Score: -1.00%

Function 00F22230 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00F22242

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: cb92f20f922010ab920765bc455d5d0ccdcf52a765f4cec13a1d1f7134ce418c
Instruction ID: 40f7f57f4a4239d93b1630293e15893cdf754865a8ef7d9db7c74959b3599a22
Opcode Fuzzy Hash: cb92f20f922010ab920765bc455d5d0ccdcf52a765f4cec13a1d1f7134ce418c
Instruction Fuzzy Hash: 57C04CF180011DDBDB05DB90E988DEE77BCBB04304F104155E111F2100D7749B449A71

Uniqueness

Uniqueness Score: -1.00%

Function 00F0A364 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 00F0A36A

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 4d716bd5cbbffff2990be9590a877a2bfa89cc0bc55ff2636551ccc56b765d65
Instruction ID: 8a15b5eac10adf69e0bda62cbafd2b8f2397e3c6c2566d93a928b2c50ca75550
Opcode Fuzzy Hash: 4d716bd5cbbffff2990be9590a877a2bfa89cc0bc55ff2636551ccc56b765d65
Instruction Fuzzy Hash: F0A0243000010CF7CF001F41FC054447F5CD7001D07004030F40C40133D773541055C0

Uniqueness

Uniqueness Score: -1.00%

Function 00EF8A0E Relevance: .6, Instructions: 608COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ced3c188a58a0badac9884d55b564691d44689832930996af9f1781fef5a816f
Instruction ID: 155d83f1c10652941406d20794e9339b5d9d8c03253944337080d30cd26b3d5e
Opcode Fuzzy Hash: ced3c188a58a0badac9884d55b564691d44689832930996af9f1781fef5a816f
Instruction Fuzzy Hash: 01225C31A0165DCBCF288F14C5D477DB7A1FF82724F28946ADA42AB291DB30DD81EB61

Uniqueness

Uniqueness Score: -1.00%

Function 00F02405 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: b801aa5934ade0de1fb13b1eaea74920fb5f6c0f950a3c7a952441db90d62d0b
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: 7CC1A23660509309DF6D8739D93813EBAE16EA27B235A075DE8B3CB5C5EF20D524F620

Uniqueness

Uniqueness Score: -1.00%

Function 00F0283A Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: 2df79d439895cb709cec13d8a3e0fa4bc004bd38cb51a652a7b791a6aac30108
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: A1C1A23360519309DFAD473A953813EBBE16BA27B235A076DE4B2DB5C4EF20D524F620

Uniqueness

Uniqueness Score: -1.00%

Function 00F01BB8 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: 1f99071361e7a9f606fe5cb53aaf710280143fb0c4af3b4d0f7cbbf573ef4520
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 5CC181326051930ADF2D473AD53417EBAE17AA27B235A076DE4B2CB5C4EF20D524F620

Uniqueness

Uniqueness Score: -1.00%

Function 011B3680 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2068180092.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11b0000_RFQ-HL51L05.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: d67f5fef8a3345296a833e2715e898114419c43caf7431d1fe79d491edb64ca6
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: D341D371D1051CEBCF48CFADC991AEEBBF2AF88201F548299D516AB345D730AB41DB90

Uniqueness

Uniqueness Score: -1.00%

Function 011B3510 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2068180092.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11b0000_RFQ-HL51L05.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction ID: 062bf780e5265ad590bec0f3981e797832962294c16e123404f2084148c54770
Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction Fuzzy Hash: 81019D78A10209EFCB49DF98C5909AEFBB5FB48310F208599E819A7341E730AE51DB80

Uniqueness

Uniqueness Score: -1.00%

Function 011B3570 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2068180092.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11b0000_RFQ-HL51L05.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction ID: f199e5e73dcfb2c01583c730e0c56388e5f46af75c52e0e8209da5464305590a
Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction Fuzzy Hash: 42019278A10109EFCB48DF98C5909AEF7B5FB48310F208699D919A7301E730AE51DB80

Uniqueness

Uniqueness Score: -1.00%

Function 011B1ED0 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2068180092.00000000011B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11b0000_RFQ-HL51L05.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48

Uniqueness

Uniqueness Score: -1.00%

Function 00F637F3 Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,00F6F910), ref: 00F638AF
IsWindowVisible.USER32(?), ref: 00F638D3

Strings

FINDSTRING, xrefs: 00F639FE
DELSTRING, xrefs: 00F639D1
GETCURRENTCOL, xrefs: 00F63BB0
ISVISIBLE, xrefs: 00F638BF
GETCURRENTLINE, xrefs: 00F63B75
EDITPASTE, xrefs: 00F63BE7
GETLINECOUNT, xrefs: 00F63B4E
SENDCOMMANDID, xrefs: 00F63C62
TABRIGHT, xrefs: 00F63925
ISCHECKED, xrefs: 00F63AC1
CHECK, xrefs: 00F63AF5
ISENABLED, xrefs: 00F638F3
SETCURRENTSELECTION, xrefs: 00F63A3E
GETCURRENTSELECTION, xrefs: 00F63A6B
SELECTSTRING, xrefs: 00F63A8E
TABLEFT, xrefs: 00F6390F
ADDSTRING, xrefs: 00F6399E
CURRENTTAB, xrefs: 00F63945
UNCHECK, xrefs: 00F63B0B
GETLINE, xrefs: 00F63C23
SHOWDROPDOWN, xrefs: 00F63968
HIDEDROPDOWN, xrefs: 00F63988
GETSELECTED, xrefs: 00F63B2B

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: 0f19b83959b4cc0c7c5c00daf67711557a6a9ba61b38c6cf6f652665dddb2e7c
Instruction ID: c704e0adefa998a049fe4cc4a01d806d52d8d1d2e74190994306636b74771471
Opcode Fuzzy Hash: 0f19b83959b4cc0c7c5c00daf67711557a6a9ba61b38c6cf6f652665dddb2e7c
Instruction Fuzzy Hash: 57D18F302083069BCB14EF21C951B6ABBE1AF94754F104458B8866B3E3CF75EE0AFB51

Uniqueness

Uniqueness Score: -1.00%

Function 00F6A849 Relevance: 49.8, APIs: 33, Instructions: 274COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00F6A89F
GetSysColorBrush.USER32(0000000F), ref: 00F6A8D0
GetSysColor.USER32(0000000F), ref: 00F6A8DC
SetBkColor.GDI32(?,000000FF), ref: 00F6A8F6
SelectObject.GDI32(?,?), ref: 00F6A905
InflateRect.USER32(?,000000FF,000000FF), ref: 00F6A930
GetSysColor.USER32(00000010), ref: 00F6A938
CreateSolidBrush.GDI32(00000000), ref: 00F6A93F
FrameRect.USER32(?,?,00000000), ref: 00F6A94E
DeleteObject.GDI32(00000000), ref: 00F6A955
InflateRect.USER32(?,000000FE,000000FE), ref: 00F6A9A0
FillRect.USER32(?,?,?), ref: 00F6A9D2
GetWindowLongW.USER32(?,000000F0), ref: 00F6A9FD

Part of subcall function 00F6AB60: GetSysColor.USER32(00000012), ref: 00F6AB99
Part of subcall function 00F6AB60: SetTextColor.GDI32(?,?), ref: 00F6AB9D
Part of subcall function 00F6AB60: GetSysColorBrush.USER32(0000000F), ref: 00F6ABB3
Part of subcall function 00F6AB60: GetSysColor.USER32(0000000F), ref: 00F6ABBE
Part of subcall function 00F6AB60: GetSysColor.USER32(00000011), ref: 00F6ABDB
Part of subcall function 00F6AB60: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00F6ABE9
Part of subcall function 00F6AB60: SelectObject.GDI32(?,00000000), ref: 00F6ABFA
Part of subcall function 00F6AB60: SetBkColor.GDI32(?,00000000), ref: 00F6AC03
Part of subcall function 00F6AB60: SelectObject.GDI32(?,?), ref: 00F6AC10
Part of subcall function 00F6AB60: InflateRect.USER32(?,000000FF,000000FF), ref: 00F6AC2F
Part of subcall function 00F6AB60: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00F6AC46
Part of subcall function 00F6AB60: GetWindowLongW.USER32(00000000,000000F0), ref: 00F6AC5B

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: d065bdce3dcadb5be826a23369bb8b3a24ff2180e3ae9494b4838a9ae3147a72
Instruction ID: b6f4ce73a2f03bffbe1242301c9a895688713dfb2dd62c44154e67ed8fc8c949
Opcode Fuzzy Hash: d065bdce3dcadb5be826a23369bb8b3a24ff2180e3ae9494b4838a9ae3147a72
Instruction Fuzzy Hash: D0A19F72408305EFD7109F64EC08A5B7BA9FF89331F144A29F962E61A0D775D848EF52

Uniqueness

Uniqueness Score: -1.00%

Function 00F577BE Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00F577F1
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00F578B0
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00F578EE
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00F57900
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00F57946
GetClientRect.USER32(00000000,?), ref: 00F57952
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00F57996
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00F579A5
GetStockObject.GDI32(00000011), ref: 00F579B5
SelectObject.GDI32(00000000,00000000), ref: 00F579B9
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00F579C9
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00F579D2
DeleteDC.GDI32(00000000), ref: 00F579DB
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00F57A07
SendMessageW.USER32(00000030,00000000,00000001), ref: 00F57A1E
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00F57A59
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00F57A6D
SendMessageW.USER32(00000404,00000001,00000000), ref: 00F57A7E
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00F57AAE
GetStockObject.GDI32(00000011), ref: 00F57AB9
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00F57AC4
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00F57ACE

Strings

static, xrefs: 00F57990, 00F57AA8
msctls_progress32, xrefs: 00F57A4F
DISPLAY, xrefs: 00F5799B
AutoIt v3, xrefs: 00F5793E

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 88b93cc9cf381f9134d5d019d400e0e37e46ec2e0d4589356aca663df3409095
Instruction ID: f7759ff63a105fa5787ec7be1677e297a4d06db76ed5ece260f0f78bd68351ae
Opcode Fuzzy Hash: 88b93cc9cf381f9134d5d019d400e0e37e46ec2e0d4589356aca663df3409095
Instruction Fuzzy Hash: 0DA181B1A40219BFEB14DBA4EC4AFAE7BB9EB45711F144114FA15E71E0C7B0AD04DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00F4AF7B Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00F4AF89
GetDriveTypeW.KERNEL32(?,00F6FAC0,?,\\.\,00F6F910), ref: 00F4B066
SetErrorMode.KERNEL32(00000000,00F6FAC0,?,\\.\,00F6F910), ref: 00F4B1C4

Strings

FileBackedVirtual, xrefs: 00F4B193
SSA, xrefs: 00F4B14D
Fixed, xrefs: 00F4B0AE
MMC, xrefs: 00F4B185
SAS, xrefs: 00F4B170
ATA, xrefs: 00F4B13F
ATAPI, xrefs: 00F4B138
SCSI, xrefs: 00F4B131
SSD, xrefs: 00F4B0F1
RAID, xrefs: 00F4B162
CDROM, xrefs: 00F4B09A
iSCSI, xrefs: 00F4B169
USB, xrefs: 00F4B15B
Fibre, xrefs: 00F4B154
1394, xrefs: 00F4B146
SATA, xrefs: 00F4B177
RAMDisk, xrefs: 00F4B090
Removable, xrefs: 00F4B0B8
\\.\, xrefs: 00F4AFDB
Virtual, xrefs: 00F4B18C
Network, xrefs: 00F4B0A4
PhysicalDrive, xrefs: 00F4B012
Unknown, xrefs: 00F4B086, 00F4B12A

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: fc2d7f867ee704a04b36f77fd92b527357f2e2d77151b26833292a9b1d69fa5d
Instruction ID: 14c6755c1ce7fccf8c2c57bdd7fde1365dc6e469821765ffb4e441135ae83dc3
Opcode Fuzzy Hash: fc2d7f867ee704a04b36f77fd92b527357f2e2d77151b26833292a9b1d69fa5d
Instruction Fuzzy Hash: EE51E231A8434AABDF04DB54CD92ABD7BB0AB943557204016EC0AB7292C775ED41FB83

Uniqueness

Uniqueness Score: -1.00%

Function 00EE6A3C Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00EE6A91
__wcsnicmp.LIBCMT ref: 00EE6AA9
__wcsnicmp.LIBCMT ref: 00EE6AC1
__wcsnicmp.LIBCMT ref: 00EE6AD9
__wcsnicmp.LIBCMT ref: 00EE6AF1
__wcsnicmp.LIBCMT ref: 00EE6B09
__wcsnicmp.LIBCMT ref: 00EE6B21
__wcsnicmp.LIBCMT ref: 00EE6B35
__wcsnicmp.LIBCMT ref: 00EE6B76
__wcsnicmp.LIBCMT ref: 00EE6B8A
__wcsnicmp.LIBCMT ref: 00EE6B9E
__wcsnicmp.LIBCMT ref: 00EE6BB2

Strings

Cannot parse #include, xrefs: 00F1E819
#requireadmin, xrefs: 00EE6ABB
Bad directive syntax error, xrefs: 00F1E743
#pragma compile, xrefs: 00EE6A8B
Unterminated group of comments, xrefs: 00F1E82C
#comments-end, xrefs: 00EE6B98
#OnAutoItStartRegister, xrefs: 00EE6AD3
#ce, xrefs: 00EE6BAC
#include, xrefs: 00EE6B03
#cs, xrefs: 00EE6B2F, 00EE6B84
#comments-start, xrefs: 00EE6B1B, 00EE6B70
#notrayicon, xrefs: 00EE6AA3
#include-once, xrefs: 00EE6AEB

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: 11a507dd5fb92f3f8f839f28dbf108d71e8322f5fbbc2952976a9a1384265a58
Instruction ID: 81e14e65a0310f754e2eb03b04eaf7455d43348ae111bd69d71cbf29f3efbbd5
Opcode Fuzzy Hash: 11a507dd5fb92f3f8f839f28dbf108d71e8322f5fbbc2952976a9a1384265a58
Instruction Fuzzy Hash: 21812E71B40289BADB20AF61DC82FFF7798AF24750F045025FD49BA1C2EB64DA45F261

Uniqueness

Uniqueness Score: -1.00%

Function 00F6AB60 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00F6AB99
SetTextColor.GDI32(?,?), ref: 00F6AB9D
GetSysColorBrush.USER32(0000000F), ref: 00F6ABB3
GetSysColor.USER32(0000000F), ref: 00F6ABBE
CreateSolidBrush.GDI32(?), ref: 00F6ABC3
GetSysColor.USER32(00000011), ref: 00F6ABDB
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00F6ABE9
SelectObject.GDI32(?,00000000), ref: 00F6ABFA
SetBkColor.GDI32(?,00000000), ref: 00F6AC03
SelectObject.GDI32(?,?), ref: 00F6AC10
InflateRect.USER32(?,000000FF,000000FF), ref: 00F6AC2F
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00F6AC46
GetWindowLongW.USER32(00000000,000000F0), ref: 00F6AC5B
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00F6ACA7
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00F6ACCE
InflateRect.USER32(?,000000FD,000000FD), ref: 00F6ACEC
DrawFocusRect.USER32(?,?), ref: 00F6ACF7
GetSysColor.USER32(00000011), ref: 00F6AD05
SetTextColor.GDI32(?,00000000), ref: 00F6AD0D
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00F6AD21
SelectObject.GDI32(?,00F6A869), ref: 00F6AD38
DeleteObject.GDI32(?), ref: 00F6AD43
SelectObject.GDI32(?,?), ref: 00F6AD49
DeleteObject.GDI32(?), ref: 00F6AD4E
SetTextColor.GDI32(?,?), ref: 00F6AD54
SetBkColor.GDI32(?,?), ref: 00F6AD5E

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 8f8074354ac8cf1cbd34dec3d428d887e03bf155aacd6b7f588394ae7d531588
Instruction ID: d2163520465436bd5e9c7ee0758aad8646b10255c0304efeaf987f9418c78345
Opcode Fuzzy Hash: 8f8074354ac8cf1cbd34dec3d428d887e03bf155aacd6b7f588394ae7d531588
Instruction Fuzzy Hash: D8614D72900218EFDB119FA4EC48EAE7B79FF08320F144125F925AB2A1D7B59D40EF90

Uniqueness

Uniqueness Score: -1.00%

Function 00F68C44 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00F68D34
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00F68D45
CharNextW.USER32(0000014E), ref: 00F68D74
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00F68DB5
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00F68DCB
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00F68DDC
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00F68DF9
SetWindowTextW.USER32(?,0000014E), ref: 00F68E45
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00F68E5B
SendMessageW.USER32(?,00001002,00000000,?), ref: 00F68E8C
_memset.LIBCMT ref: 00F68EB1
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00F68EFA
_memset.LIBCMT ref: 00F68F59
SendMessageW.USER32(?,00001053,000000FF,?), ref: 00F68F83
SendMessageW.USER32(?,00001074,?,00000001), ref: 00F68FDB
SendMessageW.USER32(?,0000133D,?,?), ref: 00F69088
InvalidateRect.USER32(?,00000000,00000001), ref: 00F690AA
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00F690F4
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00F69121
DrawMenuBar.USER32(?), ref: 00F69130
SetWindowTextW.USER32(?,0000014E), ref: 00F69158

Strings

0, xrefs: 00F690C2

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: 6e3c4445a84b2bb4ad30975c3ef73e892b4ebb1eaed102231e5d660f715938b4
Instruction ID: eaf4ecf847ad0970fad4d90399e5134d0f54012d6c9d09d3b5e63303bdea447b
Opcode Fuzzy Hash: 6e3c4445a84b2bb4ad30975c3ef73e892b4ebb1eaed102231e5d660f715938b4
Instruction Fuzzy Hash: 8FE1C571904209ABDF20DF50CC88EEE7B79FF05760F108259F925AA191DB708A86FF60

Uniqueness

Uniqueness Score: -1.00%

Function 00F64B16 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00F64C51
GetDesktopWindow.USER32 ref: 00F64C66
GetWindowRect.USER32(00000000), ref: 00F64C6D
GetWindowLongW.USER32(?,000000F0), ref: 00F64CCF
DestroyWindow.USER32(?), ref: 00F64CFB
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00F64D24
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00F64D42
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00F64D68
SendMessageW.USER32(?,00000421,?,?), ref: 00F64D7D
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00F64D90
IsWindowVisible.USER32(?), ref: 00F64DB0
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00F64DCB
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00F64DDF
GetWindowRect.USER32(?,?), ref: 00F64DF7
MonitorFromPoint.USER32(?,?,00000002), ref: 00F64E1D
GetMonitorInfoW.USER32(00000000,?), ref: 00F64E37
CopyRect.USER32(?,?), ref: 00F64E4E
SendMessageW.USER32(?,00000412,00000000), ref: 00F64EB9

Strings

tooltips_class32, xrefs: 00F64D1D
0, xrefs: 00F64BFC
(, xrefs: 00F64E2A

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 42b0be5317648249dada0840a8590e18fbe6e1aadc1a066c1846cea0c1d1f095
Instruction ID: df8018a84ec0b5a40c1a43773d88cb793b09d5495f0daf983243552cf63786e3
Opcode Fuzzy Hash: 42b0be5317648249dada0840a8590e18fbe6e1aadc1a066c1846cea0c1d1f095
Instruction Fuzzy Hash: B4B19E71A08341AFDB04EF25D844B6ABBE4FF88710F00891DF599AB2A2D771EC04DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00F446D6 Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 00F446E8
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00F4470E
_wcscpy.LIBCMT ref: 00F4473C
_wcscmp.LIBCMT ref: 00F44747
_wcscat.LIBCMT ref: 00F4475D
_wcsstr.LIBCMT ref: 00F44768
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00F44784
_wcscat.LIBCMT ref: 00F447CD
_wcscat.LIBCMT ref: 00F447D4
_wcsncpy.LIBCMT ref: 00F447FF

Strings

StringFileInfo\, xrefs: 00F44757
%u.%u.%u.%u, xrefs: 00F44862
DefaultLangCodepage, xrefs: 00F447E7
\VarFileInfo\Translation, xrefs: 00F4477C
04090000, xrefs: 00F447BA

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: 3efc16187e20411ec4a1d9a83419dee2725a371043d33293f902dcd729c1f758
Instruction ID: 3e0af72a8f14b722d5cd024d9004ae2011c8e23d9464408adc4fa7987d7e4a95
Opcode Fuzzy Hash: 3efc16187e20411ec4a1d9a83419dee2725a371043d33293f902dcd729c1f758
Instruction Fuzzy Hash: DE41E572A002057AEB10A7649C46FBF7BACEF41710F10006AF904F61C2EB69E901B6B5

Uniqueness

Uniqueness Score: -1.00%

Function 00EE27D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00EE28BC
GetSystemMetrics.USER32(00000007), ref: 00EE28C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00EE28EF
GetSystemMetrics.USER32(00000008), ref: 00EE28F7
GetSystemMetrics.USER32(00000004), ref: 00EE291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00EE2939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00EE2949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00EE297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00EE2990
GetClientRect.USER32(00000000,000000FF), ref: 00EE29AE
GetStockObject.GDI32(00000011), ref: 00EE29CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 00EE29D5

Part of subcall function 00EE2344: GetCursorPos.USER32(?), ref: 00EE2357
Part of subcall function 00EE2344: ScreenToClient.USER32(00FA67B0,?), ref: 00EE2374
Part of subcall function 00EE2344: GetAsyncKeyState.USER32(00000001), ref: 00EE2399
Part of subcall function 00EE2344: GetAsyncKeyState.USER32(00000002), ref: 00EE23A7

SetTimer.USER32(00000000,00000000,00000028,00EE1256), ref: 00EE29FC

Strings

AutoIt v3 GUI, xrefs: 00EE2974

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: b3b4264d8bd010e5f7c355e422cda577e6aefa44a82ecff217193c27691ac131
Instruction ID: 5a645a26919409bae575867fde1e0e438eabb74709aefd78cee7a47d0608983f
Opcode Fuzzy Hash: b3b4264d8bd010e5f7c355e422cda577e6aefa44a82ecff217193c27691ac131
Instruction Fuzzy Hash: 06B14D71A4024EAFDB14DFA9DC45BED7BB8FB08314F149229FA26E6290DB749840DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00F64069 Relevance: 28.3, APIs: 3, Strings: 13, Instructions: 283windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00F640F6
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00F641B6

Strings

SELECTCLEAR, xrefs: 00F64235
SELECTINVERT, xrefs: 00F64286
SELECTALL, xrefs: 00F6421D
GETITEMCOUNT, xrefs: 00F64128
ISSELECTED, xrefs: 00F641C1
VIEWCHANGE, xrefs: 00F64375
GETTEXT, xrefs: 00F6415F
DESELECT, xrefs: 00F642A4
GETSELECTEDCOUNT, xrefs: 00F64199
GETSUBITEMCOUNT, xrefs: 00F64141
GETSELECTED, xrefs: 00F642E4
SELECT, xrefs: 00F64250
FINDITEM, xrefs: 00F64329

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 3974292440-719923060
Opcode ID: d62ee970557834cb0ab82e0e0659caa1497f5412f4859736fa8c1b5e6e807dbb
Instruction ID: d53c1a8221c606337fa12bd628ac677682c778541e4deed9cf77821d31ff2455
Opcode Fuzzy Hash: d62ee970557834cb0ab82e0e0659caa1497f5412f4859736fa8c1b5e6e807dbb
Instruction Fuzzy Hash: 77A17D302142459BCB14FF20C952B6AB3E5AF94324F14596CB8AAAB3D3DB74FC05EB51

Uniqueness

Uniqueness Score: -1.00%

Function 00F552F0 Relevance: 27.1, APIs: 18, Instructions: 124COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00F55309
LoadCursorW.USER32(00000000,00007F8A), ref: 00F55314
LoadCursorW.USER32(00000000,00007F00), ref: 00F5531F
LoadCursorW.USER32(00000000,00007F03), ref: 00F5532A
LoadCursorW.USER32(00000000,00007F8B), ref: 00F55335
LoadCursorW.USER32(00000000,00007F01), ref: 00F55340
LoadCursorW.USER32(00000000,00007F81), ref: 00F5534B
LoadCursorW.USER32(00000000,00007F88), ref: 00F55356
LoadCursorW.USER32(00000000,00007F80), ref: 00F55361
LoadCursorW.USER32(00000000,00007F86), ref: 00F5536C
LoadCursorW.USER32(00000000,00007F83), ref: 00F55377
LoadCursorW.USER32(00000000,00007F85), ref: 00F55382
LoadCursorW.USER32(00000000,00007F82), ref: 00F5538D
LoadCursorW.USER32(00000000,00007F84), ref: 00F55398
LoadCursorW.USER32(00000000,00007F04), ref: 00F553A3
LoadCursorW.USER32(00000000,00007F02), ref: 00F553AE
GetCursorInfo.USER32(?), ref: 00F553BE
GetLastError.KERNEL32(00000001,00000000), ref: 00F553E9

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 8110b2aa25da7587472096a5caf27762727089cbdd4eb06869b53dff0eaf186a
Instruction ID: 9d4ad43142fa57b8d81fde9c77bc820206a0c5210e3e4c638535eaaf8ba7c505
Opcode Fuzzy Hash: 8110b2aa25da7587472096a5caf27762727089cbdd4eb06869b53dff0eaf186a
Instruction Fuzzy Hash: 11418470E043196ADB109FBA8C4996FFFF8EF51B20F10452FE519E7291DAB8A405CE51

Uniqueness

Uniqueness Score: -1.00%

Function 00F3AA64 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00F3AAA5
__swprintf.LIBCMT ref: 00F3AB46
_wcscmp.LIBCMT ref: 00F3AB59
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00F3ABAE
_wcscmp.LIBCMT ref: 00F3ABEA
GetClassNameW.USER32(?,?,00000400), ref: 00F3AC21
GetDlgCtrlID.USER32(?), ref: 00F3AC73
GetWindowRect.USER32(?,?), ref: 00F3ACA9
GetParent.USER32(?), ref: 00F3ACC7
ScreenToClient.USER32(00000000), ref: 00F3ACCE
GetClassNameW.USER32(?,?,00000100), ref: 00F3AD48
_wcscmp.LIBCMT ref: 00F3AD5C
GetWindowTextW.USER32(?,?,00000400), ref: 00F3AD82
_wcscmp.LIBCMT ref: 00F3AD96

Part of subcall function 00F0386C: _iswctype.LIBCMT ref: 00F03874

Strings

%s%u, xrefs: 00F3AB40

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: 59121f83340e8f91c95c7d83adfee19e07cf1a8df38e1fe9e8201703a2380cee
Instruction ID: 9f011f2751d032c3538cba836763e9bfbfdeba3d0f0871d8e34a76cb85e9d680
Opcode Fuzzy Hash: 59121f83340e8f91c95c7d83adfee19e07cf1a8df38e1fe9e8201703a2380cee
Instruction Fuzzy Hash: 6EA1D072604706AFDB14DF21C884BAAF7E8FF04365F004629F9E9D2190D734E955EBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00F3B397 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 00F3B3DB
_wcscmp.LIBCMT ref: 00F3B3EC
GetWindowTextW.USER32(00000001,?,00000400), ref: 00F3B414
CharUpperBuffW.USER32(?,00000000), ref: 00F3B431
_wcscmp.LIBCMT ref: 00F3B44F
_wcsstr.LIBCMT ref: 00F3B460
GetClassNameW.USER32(00000018,?,00000400), ref: 00F3B498
_wcscmp.LIBCMT ref: 00F3B4A8
GetWindowTextW.USER32(00000002,?,00000400), ref: 00F3B4CF
GetClassNameW.USER32(00000018,?,00000400), ref: 00F3B518
_wcscmp.LIBCMT ref: 00F3B528
GetClassNameW.USER32(00000010,?,00000400), ref: 00F3B550
GetWindowRect.USER32(00000004,?), ref: 00F3B5B9

Strings

ThumbnailClass, xrefs: 00F3B4A3, 00F3B523
@, xrefs: 00F3B3BC

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: 9b242a72784b3587137e4d3400dfaacdb106a0a2d32bf1ea0f9e5ded2d993d96
Instruction ID: 9624edcb042dd42368bba625ed536391f2e4b2a0d639eb44bb3078f54d770c73
Opcode Fuzzy Hash: 9b242a72784b3587137e4d3400dfaacdb106a0a2d32bf1ea0f9e5ded2d993d96
Instruction Fuzzy Hash: A981D1714083099BDB01CF10D895FAA7BE8FF44334F0885A9FE899A096DB34DD49EB61

Uniqueness

Uniqueness Score: -1.00%

Function 00F3B1E0 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00F3B23F

Strings

[LAST, xrefs: 00F3B2EC
[ACTIVE, xrefs: 00F3B22C
[ALL, xrefs: 00F3B2E5
[REGEXPTITLE:, xrefs: 00F3B267
ACTIVE, xrefs: 00F3B21A
ALL, xrefs: 00F3B2D3
[CLASS:, xrefs: 00F3B28F
CLASSNAME=, xrefs: 00F3B27C
[HANDLE:, xrefs: 00F3B24B
HANDLE=, xrefs: 00F3B238
REGEXP=, xrefs: 00F3B254
LAST, xrefs: 00F3B204

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 2443b579780b43f91c8c162de505fd447a259733b3bac32a164d227cd13c93c6
Instruction ID: 9f0705a48eec3ac37ae7539666f79bd6a701ad837c82a21537a834235b37d7da
Opcode Fuzzy Hash: 2443b579780b43f91c8c162de505fd447a259733b3bac32a164d227cd13c93c6
Instruction Fuzzy Hash: DF310431A08249A6EF11FAA5CD53EEE77A89F14760F20012DF545710D2EFA1EF04F652

Uniqueness

Uniqueness Score: -1.00%

Function 00F3C4C1 Relevance: 25.7, APIs: 17, Instructions: 169windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00F3C4D4
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00F3C4E6
SetWindowTextW.USER32(?,?), ref: 00F3C4FD
GetDlgItem.USER32(?,000003EA), ref: 00F3C512
SetWindowTextW.USER32(00000000,?), ref: 00F3C518
GetDlgItem.USER32(?,000003E9), ref: 00F3C528
SetWindowTextW.USER32(00000000,?), ref: 00F3C52E
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00F3C54F
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00F3C569
GetWindowRect.USER32(?,?), ref: 00F3C572
SetWindowTextW.USER32(?,?), ref: 00F3C5DD
GetDesktopWindow.USER32 ref: 00F3C5E3
GetWindowRect.USER32(00000000), ref: 00F3C5EA
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 00F3C636
GetClientRect.USER32(?,?), ref: 00F3C643
PostMessageW.USER32(?,00000005,00000000,00000000), ref: 00F3C668
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00F3C693

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID:
API String ID: 3869813825-0
Opcode ID: a04c637e64557c01a1389020ecc2c0f1527e27004d99423582b9d564483e852a
Instruction ID: 45e330a819f5a9bea42b662e9253999dea066ec699cba3481c6128949432f335
Opcode Fuzzy Hash: a04c637e64557c01a1389020ecc2c0f1527e27004d99423582b9d564483e852a
Instruction Fuzzy Hash: 15517F71900709EFDB20DFA8DD89B6EBBF5FF04715F004928E696A25A0C7B5B904EB50

Uniqueness

Uniqueness Score: -1.00%

Function 00F6A428 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F6A4C8
DestroyWindow.USER32(?,?), ref: 00F6A542

Part of subcall function 00EE7D2C: _memmove.LIBCMT ref: 00EE7D66

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00F6A5BC
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00F6A5DE
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00F6A5F1
DestroyWindow.USER32(00000000), ref: 00F6A613
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00EE0000,00000000), ref: 00F6A64A
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00F6A663
GetDesktopWindow.USER32 ref: 00F6A67C
GetWindowRect.USER32(00000000), ref: 00F6A683
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00F6A69B
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00F6A6B3

Part of subcall function 00EE25DB: GetWindowLongW.USER32(?,000000EB), ref: 00EE25EC

Strings

tooltips_class32, xrefs: 00F6A5B5, 00F6A643
0, xrefs: 00F6A4DE

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: f7e232c74cee69d1ebe38ea3059c4bfbe3020dbb9662120b6684ab57bb034529
Instruction ID: 14d84b9e71690a208166e92a2a3351e417d3613489b6b2b5cd21c9dd5cc8da5a
Opcode Fuzzy Hash: f7e232c74cee69d1ebe38ea3059c4bfbe3020dbb9662120b6684ab57bb034529
Instruction Fuzzy Hash: 8E71EF71540209AFD720CF28CC48F667BE9FB89714F08452CF995972A0C7B6E916EF12

Uniqueness

Uniqueness Score: -1.00%

Function 00F6C8EE Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE2612: GetWindowLongW.USER32(?,000000EB), ref: 00EE2623

DragQueryPoint.SHELL32(?,?), ref: 00F6C917

Part of subcall function 00F6ADF1: ClientToScreen.USER32(?,?), ref: 00F6AE1A
Part of subcall function 00F6ADF1: GetWindowRect.USER32(?,?), ref: 00F6AE90
Part of subcall function 00F6ADF1: PtInRect.USER32(?,?,00F6C304), ref: 00F6AEA0

SendMessageW.USER32(?,000000B0,?,?), ref: 00F6C980
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00F6C98B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00F6C9AE
_wcscat.LIBCMT ref: 00F6C9DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00F6C9F5
SendMessageW.USER32(?,000000B0,?,?), ref: 00F6CA0E
SendMessageW.USER32(?,000000B1,?,?), ref: 00F6CA25
SendMessageW.USER32(?,000000B1,?,?), ref: 00F6CA47
DragFinish.SHELL32(?), ref: 00F6CA4E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00F6CB41

Strings

@GUI_DROPID, xrefs: 00F6CA6E
@GUI_DRAGID, xrefs: 00F6CAB9
@GUI_DRAGFILE, xrefs: 00F6CAF0

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 169749273-3440237614
Opcode ID: 04b4a108624fd86574b0068917e8905ba48d7c86cc3f7f12c3df0c02df368a3a
Instruction ID: 6b883df199077d815fc50f175c52711fced6885ce63404460a13d5864e035746
Opcode Fuzzy Hash: 04b4a108624fd86574b0068917e8905ba48d7c86cc3f7f12c3df0c02df368a3a
Instruction Fuzzy Hash: E1617C71108344AFC701DF65DC85DAFBBE8FF89710F000A2EF5A5921A1DB709A49DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00F64619 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00F646AB
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00F646F6

Strings

GETITEMCOUNT, xrefs: 00F647D8
UNCHECK, xrefs: 00F648D2
EXISTS, xrefs: 00F6475F
GETTOTALCOUNT, xrefs: 00F646DD
GETTEXT, xrefs: 00F64849
ISCHECKED, xrefs: 00F64879
CHECK, xrefs: 00F64716
GETSELECTED, xrefs: 00F64806
SELECT, xrefs: 00F648A7
COLLAPSE, xrefs: 00F6473C
EXPAND, xrefs: 00F647A8

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: cf466aacf87c8ba6c83f7168389436fb818962e6097aa7f5c5b5de52beccd0c3
Instruction ID: 5e28e473334fa59303194aa8b0381a17fd6cca02ff35e6126b4f09e913f236ef
Opcode Fuzzy Hash: cf466aacf87c8ba6c83f7168389436fb818962e6097aa7f5c5b5de52beccd0c3
Instruction Fuzzy Hash: 86919E346043469BCB14FF21C851A6AB7E1AF94314F04546CF8966B3A3CB35FD4AEB91

Uniqueness

Uniqueness Score: -1.00%

Function 00F6BAB8 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00F6BB6E
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00F69431), ref: 00F6BBCA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00F6BC03
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00F6BC46
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00F6BC7D
FreeLibrary.KERNEL32(?), ref: 00F6BC89
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00F6BC99
DestroyIcon.USER32(?,?,?,?,?,00F69431), ref: 00F6BCA8
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00F6BCC5
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00F6BCD1

Part of subcall function 00F0313D: __wcsicmp_l.LIBCMT ref: 00F031C6

Strings

.icl, xrefs: 00F6BAE4
.dll, xrefs: 00F6BB27
.exe, xrefs: 00F6BB04

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: 8297a4eb363dbf2cc5140236072647c9447e073680292a3c749c11ea6d55f055
Instruction ID: ad04dbccca58ef5236f531beba2d2b6fead2f69f6c2d6dd7b9d5813310293995
Opcode Fuzzy Hash: 8297a4eb363dbf2cc5140236072647c9447e073680292a3c749c11ea6d55f055
Instruction Fuzzy Hash: CB61F271900219BEEB14DF64DC85FBE77A8FB08720F104115F825D61D1DBB49A94EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00F4A5BD Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00EE9997: __itow.LIBCMT ref: 00EE99C2
Part of subcall function 00EE9997: __swprintf.LIBCMT ref: 00EE9A0C

CharLowerBuffW.USER32(?,?), ref: 00F4A636
GetDriveTypeW.KERNEL32 ref: 00F4A683
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00F4A6CB
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00F4A702
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00F4A730

Part of subcall function 00EE7D2C: _memmove.LIBCMT ref: 00EE7D66

Strings

close, xrefs: 00F4A63C
closed, xrefs: 00F4A64A, 00F4A653
close cd wait, xrefs: 00F4A71B
type cdaudio alias cd wait, xrefs: 00F4A6AE
wait, xrefs: 00F4A6ED
set cd door , xrefs: 00F4A6D1
open, xrefs: 00F4A65D
open , xrefs: 00F4A692

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: 5f3f5a14ac75c640e9ee68e4f22c073da77d4e8b33c41782038fe64d2d3d1c51
Instruction ID: 131fc1a107547667484b20369a12928f94ea81c6b98345dc6e4782a2448bf1ca
Opcode Fuzzy Hash: 5f3f5a14ac75c640e9ee68e4f22c073da77d4e8b33c41782038fe64d2d3d1c51
Instruction Fuzzy Hash: B751A1711083499FD700EF21C88196AB7F4FF98718F04596DF89A67262DB31EE09DB92

Uniqueness

Uniqueness Score: -1.00%

Function 00F4A45A Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00F4A47A
__swprintf.LIBCMT ref: 00F4A49C
CreateDirectoryW.KERNEL32(?,00000000), ref: 00F4A4D9
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00F4A4FE
_memset.LIBCMT ref: 00F4A51D
_wcsncpy.LIBCMT ref: 00F4A559
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00F4A58E
CloseHandle.KERNEL32(00000000), ref: 00F4A599
RemoveDirectoryW.KERNEL32(?), ref: 00F4A5A2
CloseHandle.KERNEL32(00000000), ref: 00F4A5AC

Strings

\, xrefs: 00F4A4B2
:, xrefs: 00F4A4BD
\??\%s, xrefs: 00F4A496

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: cd4bc895c1e22bc8e6d87ff2af51c29b76511486b291aa50c462908458973889
Instruction ID: d9cbfbb46225178614646b0e309dfa3e64fc82e226922e6f2a8994f544b1faff
Opcode Fuzzy Hash: cd4bc895c1e22bc8e6d87ff2af51c29b76511486b291aa50c462908458973889
Instruction Fuzzy Hash: 0231B2B2940109ABDB20DFA0DC49FEB37BCEF88711F1041B6F918D6160E7B49644AB25

Uniqueness

Uniqueness Score: -1.00%

Function 00F6C49C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE2612: GetWindowLongW.USER32(?,000000EB), ref: 00EE2623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00F6C4EC
GetFocus.USER32 ref: 00F6C4FC
GetDlgCtrlID.USER32(00000000), ref: 00F6C507
_memset.LIBCMT ref: 00F6C632
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00F6C65D
GetMenuItemCount.USER32(?), ref: 00F6C67D
GetMenuItemID.USER32(?,00000000), ref: 00F6C690
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00F6C6C4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00F6C70C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00F6C744
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 00F6C779

Strings

0, xrefs: 00F6C62A

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: 88ae52dea1e4c10211c5d910a751e87e1d059a1b557eaaef3b5a8a4eebf93414
Instruction ID: 2f9dbdabd0646f0617fc4ed62a80fcea303f1fa00e7adb9ef877578b55543933
Opcode Fuzzy Hash: 88ae52dea1e4c10211c5d910a751e87e1d059a1b557eaaef3b5a8a4eebf93414
Instruction Fuzzy Hash: A5816A716083059FD710CF24D984A7ABBE8FB88324F04452DF9DA97291DB71ED05EBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00F383F4 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F3874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00F38766
Part of subcall function 00F3874A: GetLastError.KERNEL32(?,00F3822A,?,?,?), ref: 00F38770
Part of subcall function 00F3874A: GetProcessHeap.KERNEL32(00000008,?,?,00F3822A,?,?,?), ref: 00F3877F
Part of subcall function 00F3874A: HeapAlloc.KERNEL32(00000000,?,00F3822A,?,?,?), ref: 00F38786
Part of subcall function 00F3874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00F3879D

Part of subcall function 00F387E7: GetProcessHeap.KERNEL32(00000008,00F38240,00000000,00000000,?,00F38240,?), ref: 00F387F3
Part of subcall function 00F387E7: HeapAlloc.KERNEL32(00000000,?,00F38240,?), ref: 00F387FA
Part of subcall function 00F387E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00F38240,?), ref: 00F3880B

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00F38458
_memset.LIBCMT ref: 00F3846D
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00F3848C
GetLengthSid.ADVAPI32(?), ref: 00F3849D
GetAce.ADVAPI32(?,00000000,?), ref: 00F384DA
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00F384F6
GetLengthSid.ADVAPI32(?), ref: 00F38513
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00F38522
HeapAlloc.KERNEL32(00000000), ref: 00F38529
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00F3854A
CopySid.ADVAPI32(00000000), ref: 00F38551
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00F38582
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00F385A8
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00F385BC

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: d16def138b698686fe2eff23488d03ea96f43c083425725841311114a3e1981a
Instruction ID: 470c9b3eb1a6ccf0703e60c079c7a78e1487aea81fefe5a1b5c0cf93f83d845b
Opcode Fuzzy Hash: d16def138b698686fe2eff23488d03ea96f43c083425725841311114a3e1981a
Instruction Fuzzy Hash: A8615D71900209EBDF00DF91DC45AEEBBB9FF04360F148129F815A7291DB799A05EF60

Uniqueness

Uniqueness Score: -1.00%

Function 00F5762D Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00F576A2
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00F576AE
CreateCompatibleDC.GDI32(?), ref: 00F576BA
SelectObject.GDI32(00000000,?), ref: 00F576C7
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00F5771B
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00F57757
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00F5777B
SelectObject.GDI32(00000006,?), ref: 00F57783
DeleteObject.GDI32(?), ref: 00F5778C
DeleteDC.GDI32(00000006), ref: 00F57793
ReleaseDC.USER32(00000000,?), ref: 00F5779E

Strings

(, xrefs: 00F57723

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: c7e8bac632badbccc47a0ad5c6b0ee3d74643b689509f6bc47c0c657ac89c421
Instruction ID: ebb9cdc82cf33d988d8857ee8f0413816ca2d77f29ec047b77ba82311bddb292
Opcode Fuzzy Hash: c7e8bac632badbccc47a0ad5c6b0ee3d74643b689509f6bc47c0c657ac89c421
Instruction Fuzzy Hash: 1E514875904309EFCB15DFA8EC84EAEBBB9EF48310F14842DFA5A97210D771A844DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00F4A0B5 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 156COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00F6FB78), ref: 00F4A0FC

Part of subcall function 00EE7F41: _memmove.LIBCMT ref: 00EE7F82

LoadStringW.USER32(?,?,00000FFF,?), ref: 00F4A11E
__swprintf.LIBCMT ref: 00F4A177
__swprintf.LIBCMT ref: 00F4A190
_wprintf.LIBCMT ref: 00F4A246
_wprintf.LIBCMT ref: 00F4A264

Strings

^ ERROR, xrefs: 00F4A1E8
Line %d (File "%s"):, xrefs: 00F4A171, 00F4A18A
"%s" (%d) : ==> %s:, xrefs: 00F4A25F
"%s" (%d) : ==> %s:%s%s, xrefs: 00F4A241
Error: , xrefs: 00F4A20E

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 311963372-2391861430
Opcode ID: 6934cc1b24e2b2324abf2d8bb39b7bbc7eac249ffcb1212a854c6231f6486faf
Instruction ID: 2c968a26bf5447ea51eb9c9ccf009e31efee15b81eb3fc5b796e67f50e2cce66
Opcode Fuzzy Hash: 6934cc1b24e2b2324abf2d8bb39b7bbc7eac249ffcb1212a854c6231f6486faf
Instruction Fuzzy Hash: 8751817294424DABDF15EBE0CD86EEEB7B8AF04300F140169F905720A1EB756F58EB61

Uniqueness

Uniqueness Score: -1.00%

Function 00EE6BEC Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00F00B9B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00EE6C6C,?,00008000), ref: 00F00BB7

Part of subcall function 00EE48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00EE48A1,?,?,00EE37C0,?), ref: 00EE48CE

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00EE6D0D
SetCurrentDirectoryW.KERNEL32(?), ref: 00EE6E5A

Part of subcall function 00EE59CD: _wcscpy.LIBCMT ref: 00EE5A05

Part of subcall function 00F0387D: _iswctype.LIBCMT ref: 00F03885

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00F1E8BF
AU3!, xrefs: 00EE6CC1
Unterminated string, xrefs: 00F1EC0D
Error opening the file, xrefs: 00F1E866, 00F1E8E1
Bad directive syntax error, xrefs: 00F1EBC6
#include depth exceeded. Make sure there are no recursive includes, xrefs: 00F1E84A
EA06, xrefs: 00F1E87B

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: d7e21fb6a4f839bdd04737c693dd7a2351e705a734abdfdf6f82597b1a68448b
Instruction ID: 70be44ce7fb33403823a2e36683d2ecacac770501cb01670be658fc463249117
Opcode Fuzzy Hash: d7e21fb6a4f839bdd04737c693dd7a2351e705a734abdfdf6f82597b1a68448b
Instruction Fuzzy Hash: 6A02B2315083859FC724EF25C881AAFBBE5BF98354F04191DF8C6A72A1DB30D949EB42

Uniqueness

Uniqueness Score: -1.00%

Function 00EE45DF Relevance: 19.7, APIs: 13, Instructions: 215windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00EE45F9
GetMenuItemCount.USER32(00FA6890), ref: 00F1D7CD
GetMenuItemCount.USER32(00FA6890), ref: 00F1D87D
GetCursorPos.USER32(?), ref: 00F1D8C1
SetForegroundWindow.USER32(00000000), ref: 00F1D8CA
TrackPopupMenuEx.USER32(00FA6890,00000000,?,00000000,00000000,00000000), ref: 00F1D8DD
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00F1D8E9

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 2751501086-0
Opcode ID: 76222e20636114f40d45b3d27f6653f3b1e4606b17baf64975bcbe7baef25fc0
Instruction ID: 75c0495396c679b18e6bd99ab87b76ca51584ce220a8a974c8310a5c7a80bcbf
Opcode Fuzzy Hash: 76222e20636114f40d45b3d27f6653f3b1e4606b17baf64975bcbe7baef25fc0
Instruction Fuzzy Hash: 62710670A0124ABEEB209F15DC89FEABF74FF05368F240216F525A61E0C7B16C50EB95

Uniqueness

Uniqueness Score: -1.00%

Function 00F610A5 Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F60038,?,?), ref: 00F610BC

Strings

HKEY_CLASSES_ROOT, xrefs: 00F6114F
HKU, xrefs: 00F611CE
HKEY_CURRENT_CONFIG, xrefs: 00F61179
HKLM, xrefs: 00F6113A
HKCC, xrefs: 00F6118A
HKEY_USERS, xrefs: 00F611BD
HKEY_LOCAL_MACHINE, xrefs: 00F61125
HKCU, xrefs: 00F611AC
HKEY_CURRENT_USER, xrefs: 00F6119B
HKCR, xrefs: 00F61164

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: 017d481937c8c45f8210c2ed6bead12c304a5bc66f7b90a195912a7826ee390f
Instruction ID: 0c6cad9278f5bd181f41c0e6f4d2dc2b6468265cc34b867f30b975bd9552ec61
Opcode Fuzzy Hash: 017d481937c8c45f8210c2ed6bead12c304a5bc66f7b90a195912a7826ee390f
Instruction Fuzzy Hash: 3C417A3150524E8BEF10EF90EDA1AEA3764BF26310F144415FD915B2A2DB30A95AFBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00F45569 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00EE7D2C: _memmove.LIBCMT ref: 00EE7D66

Part of subcall function 00EE7A84: _memmove.LIBCMT ref: 00EE7B0D

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00F455D2
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00F455E8
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00F455F9
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00F4560B
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00F4561C

Strings

alias PlayMe, xrefs: 00F455AB
close PlayMe, xrefs: 00F455E3, 00F45610
play PlayMe, xrefs: 00F45617
status PlayMe mode, xrefs: 00F455CD
play PlayMe wait, xrefs: 00F45606
open , xrefs: 00F45581

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: 472b4efcbc5806f2570f7df88eab7c966dae411b8259616274a35e81e905401e
Instruction ID: bbc03d7d86b8814812ba0d0535d447f5b3e74aa951bd8dcdfd62d8e606adb7b5
Opcode Fuzzy Hash: 472b4efcbc5806f2570f7df88eab7c966dae411b8259616274a35e81e905401e
Instruction Fuzzy Hash: 2C11C4219501AD7AEB20B762CC4ADFF7FBCEF91F00F401429B815A20D2EEA14D05D5E2

Uniqueness

Uniqueness Score: -1.00%

Function 00F448F3 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00F4490E
gethostname.WSOCK32(?,00000100), ref: 00F44928
gethostbyname.WSOCK32(?), ref: 00F44935
_wcscpy.LIBCMT ref: 00F4495D
_memmove.LIBCMT ref: 00F44970
inet_ntoa.WSOCK32(?), ref: 00F4497B
_strcat.LIBCMT ref: 00F44989
_wcscpy.LIBCMT ref: 00F449A0
WSACleanup.WSOCK32 ref: 00F449AE
_wcscpy.LIBCMT ref: 00F449BC

Strings

0.0.0.0, xrefs: 00F44957

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: 8cdd83874579ee824eaf023b1123941242a3829b5c8bdf60d3995419c052357e
Instruction ID: b213ad948b1bf996a0738fd82d4b168b382cf75613b298b0ea6eaada223417c5
Opcode Fuzzy Hash: 8cdd83874579ee824eaf023b1123941242a3829b5c8bdf60d3995419c052357e
Instruction Fuzzy Hash: 7F11D831E04119ABDB20EB34AC09FDB7BBC9F40720F0401B6F855A6091EFB5AA85F661

Uniqueness

Uniqueness Score: -1.00%

Function 00F45217 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00F4521C

Part of subcall function 00F00719: timeGetTime.WINMM(?,7694B400,00EF0FF9), ref: 00F0071D

Sleep.KERNEL32(0000000A), ref: 00F45248
EnumThreadWindows.USER32(?,Function_000651CA,00000000), ref: 00F4526C
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00F4528E
SetActiveWindow.USER32 ref: 00F452AD
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00F452BB
SendMessageW.USER32(00000010,00000000,00000000), ref: 00F452DA
Sleep.KERNEL32(000000FA), ref: 00F452E5
IsWindow.USER32 ref: 00F452F1
EndDialog.USER32(00000000), ref: 00F45302

Strings

BUTTON, xrefs: 00F45280

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 05156a2c66a462904316613894e9e20c05cba972c8b6f797b7919b105ea2ff1a
Instruction ID: 52f08a244aeaf5553e64a68655cabf298d8b1282a84e940e99b3d8a941012ead
Opcode Fuzzy Hash: 05156a2c66a462904316613894e9e20c05cba972c8b6f797b7919b105ea2ff1a
Instruction Fuzzy Hash: 482192B150470CAFE7017F60FC88F253F6AEB46B96F081425F811811B6CBA59D48BA62

Uniqueness

Uniqueness Score: -1.00%

Function 00F4D7F8 Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE9997: __itow.LIBCMT ref: 00EE99C2
Part of subcall function 00EE9997: __swprintf.LIBCMT ref: 00EE9A0C

CoInitialize.OLE32(00000000), ref: 00F4D855
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00F4D8E8
SHGetDesktopFolder.SHELL32(?), ref: 00F4D8FC
CoCreateInstance.OLE32(00F72D7C,00000000,00000001,00F9A89C,?), ref: 00F4D948
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00F4D9B7
CoTaskMemFree.OLE32(?,?), ref: 00F4DA0F
_memset.LIBCMT ref: 00F4DA4C
SHBrowseForFolderW.SHELL32(?), ref: 00F4DA88
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00F4DAAB
CoTaskMemFree.OLE32(00000000), ref: 00F4DAB2
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 00F4DAE9
CoUninitialize.OLE32(00000001,00000000), ref: 00F4DAEB

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: 0ff1fccda4de8b2b0ba524fad5fead22eeb562e26fa9feba90c080d4f25fc002
Instruction ID: 647e614ba246061f1bed85320c7ff09f002c2e7377f54d1f8a36a0dade7e1c69
Opcode Fuzzy Hash: 0ff1fccda4de8b2b0ba524fad5fead22eeb562e26fa9feba90c080d4f25fc002
Instruction Fuzzy Hash: 4EB10B75A00109AFDB04DFA5C888DAEBBF9FF48314B1484A9F909EB261DB30ED45DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00F4052C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00F405A7
SetKeyboardState.USER32(?), ref: 00F40612
GetAsyncKeyState.USER32(000000A0), ref: 00F40632
GetKeyState.USER32(000000A0), ref: 00F40649
GetAsyncKeyState.USER32(000000A1), ref: 00F40678
GetKeyState.USER32(000000A1), ref: 00F40689
GetAsyncKeyState.USER32(00000011), ref: 00F406B5
GetKeyState.USER32(00000011), ref: 00F406C3
GetAsyncKeyState.USER32(00000012), ref: 00F406EC
GetKeyState.USER32(00000012), ref: 00F406FA
GetAsyncKeyState.USER32(0000005B), ref: 00F40723
GetKeyState.USER32(0000005B), ref: 00F40731

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 3b9acaa7edaed5bb37e70b0e6f59675607849c99f1564ef848c53f5d6d72b197
Instruction ID: 193faa39617724732950fff7e69e14654673d2dfb5c6077d12cd3702f4291005
Opcode Fuzzy Hash: 3b9acaa7edaed5bb37e70b0e6f59675607849c99f1564ef848c53f5d6d72b197
Instruction Fuzzy Hash: C751CA60E0478829FB35EBA088547EABFB49F41390F084599DEC2575C2DE789A8CDF52

Uniqueness

Uniqueness Score: -1.00%

Function 00F3C72A Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00F3C746
GetWindowRect.USER32(00000000,?), ref: 00F3C758
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00F3C7B6
GetDlgItem.USER32(?,00000002), ref: 00F3C7C1
GetWindowRect.USER32(00000000,?), ref: 00F3C7D3
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00F3C827
GetDlgItem.USER32(?,000003E9), ref: 00F3C835
GetWindowRect.USER32(00000000,?), ref: 00F3C846
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00F3C889
GetDlgItem.USER32(?,000003EA), ref: 00F3C897
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00F3C8B4
InvalidateRect.USER32(?,00000000,00000001), ref: 00F3C8C1

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: eed9436b27e811cf4ea5a20dffa3e3ac87415dfee632ce2562bfa5565cbf62cc
Instruction ID: 5bed50fd6566b2825dcd82590a25e61964b26430197694e190d2b8dec93a64d4
Opcode Fuzzy Hash: eed9436b27e811cf4ea5a20dffa3e3ac87415dfee632ce2562bfa5565cbf62cc
Instruction Fuzzy Hash: 47513271F00209AFDB18CF69DD85AAEBBB6FB88320F14812DF515E7290D7B09D049B50

Uniqueness

Uniqueness Score: -1.00%

Function 00EE201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00EE2036,?,00000000,?,?,?,?,00EE16CB,00000000,?), ref: 00EE1B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00EE20D3
KillTimer.USER32(-00000001,?,?,?,?,00EE16CB,00000000,?,?,00EE1AE2,?,?), ref: 00EE216E
DestroyAcceleratorTable.USER32(00000000), ref: 00F1BEF6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00EE16CB,00000000,?,?,00EE1AE2,?,?), ref: 00F1BF27
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00EE16CB,00000000,?,?,00EE1AE2,?,?), ref: 00F1BF3E
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00EE16CB,00000000,?,?,00EE1AE2,?,?), ref: 00F1BF5A
DeleteObject.GDI32(00000000), ref: 00F1BF6C

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 68f88b185743ed49cf83c0fa6a96bb24cb6ed2f2d9d4cb7db9dab4b11398c8fb
Instruction ID: 1464061e594ffdb0d49a27b946c8637b0836147668efead423cf189f7a9af8bf
Opcode Fuzzy Hash: 68f88b185743ed49cf83c0fa6a96bb24cb6ed2f2d9d4cb7db9dab4b11398c8fb
Instruction Fuzzy Hash: 4861FC70500698DFCB359F16DC48B6AB7F9FF41326F18952CE252A69A0C775AC81EF80

Uniqueness

Uniqueness Score: -1.00%

Function 00EE21A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 00EE25DB: GetWindowLongW.USER32(?,000000EB), ref: 00EE25EC

GetSysColor.USER32(0000000F), ref: 00EE21D3

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 467338e5d2e24eb48258610f4db90f3a63b6c29ee03d4edcdebc7f9134117a12
Instruction ID: 2b01af214c3bc340d71fe0e62269f77a2b9e53bdc28ee0ca90ec52d80449e287
Opcode Fuzzy Hash: 467338e5d2e24eb48258610f4db90f3a63b6c29ee03d4edcdebc7f9134117a12
Instruction Fuzzy Hash: 7C41F731400188AFDB115F29EC48BB93769EB0A335F184269FF659A1F2C7718C41EB61

Uniqueness

Uniqueness Score: -1.00%

Function 00F4AB12 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00F6F910), ref: 00F4AB76
GetDriveTypeW.KERNEL32(00000061,00F9A620,00000061), ref: 00F4AC40
_wcscpy.LIBCMT ref: 00F4AC6A

Strings

cdrom, xrefs: 00F4AB92
all, xrefs: 00F4AB7C
ramdisk, xrefs: 00F4ABEA
network, xrefs: 00F4ABD4
unknown, xrefs: 00F4AC01
fixed, xrefs: 00F4ABBE
removable, xrefs: 00F4ABA8

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: d320c36e79ec7752279cd679e56a65669b5a1b3142f6933f920a7d8b988df0a5
Instruction ID: 1ed665587e207673f7d9c402e3f0be6495f40082b90d658d2c65852d53e89ba1
Opcode Fuzzy Hash: d320c36e79ec7752279cd679e56a65669b5a1b3142f6933f920a7d8b988df0a5
Instruction Fuzzy Hash: A251CF316483469BC710EF14CC81AAEBBE5EF94310F54482DF896A72A2DB31DD09EB53

Uniqueness

Uniqueness Score: -1.00%

Function 00EE9997 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 00EE99C2
__swprintf.LIBCMT ref: 00EE9A0C
__i64tow.LIBCMT ref: 00F1FA0F

Strings

0x%p, xrefs: 00F1F9F1
%.15g, xrefs: 00EE9A06
False, xrefs: 00F1F9D7
True, xrefs: 00F1F9D0

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: b8162ce058d214cf91a63fd09317e1b190a2e2d70e555d18c48df965a3a43b36
Instruction ID: 0f971eff7f611bbeb646806047aed999230167d2281af0026bb57b4e4daa6168
Opcode Fuzzy Hash: b8162ce058d214cf91a63fd09317e1b190a2e2d70e555d18c48df965a3a43b36
Instruction Fuzzy Hash: 4941E971A04209AFEB24EF39DC42FB673E8EF44310F20446EE549D7292EA769945FB11

Uniqueness

Uniqueness Score: -1.00%

Function 00F673C1 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F673D9
CreateMenu.USER32 ref: 00F673F4
SetMenu.USER32(?,00000000), ref: 00F67403
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00F67490
IsMenu.USER32(?), ref: 00F674A6
CreatePopupMenu.USER32 ref: 00F674B0
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00F674DD
DrawMenuBar.USER32 ref: 00F674E5

Strings

F, xrefs: 00F674D1
0, xrefs: 00F673CF

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: e86f6062f41233d095122beed90329e77b7409b55b697b0448cdf5988a24bdf7
Instruction ID: ad6794077d285915a2187ffa626cdb8c6fe3db14767405d39990d3dee12727d2
Opcode Fuzzy Hash: e86f6062f41233d095122beed90329e77b7409b55b697b0448cdf5988a24bdf7
Instruction Fuzzy Hash: E2416975A00309EFDB10EF64E848A9ABBB9FF49314F184028E92697360DB74AD14EB50

Uniqueness

Uniqueness Score: -1.00%

Function 00F6772A Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00F677CD
CreateCompatibleDC.GDI32(00000000), ref: 00F677D4
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00F677E7
SelectObject.GDI32(00000000,00000000), ref: 00F677EF
GetPixel.GDI32(00000000,00000000,00000000), ref: 00F677FA
DeleteDC.GDI32(00000000), ref: 00F67803
GetWindowLongW.USER32(?,000000EC), ref: 00F6780D
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00F67821
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00F6782D

Strings

static, xrefs: 00F67765

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: bf6353ac8c19c9fae8b2fedcc761a981a96f3337d5da54850cc1ccf7398e0167
Instruction ID: 99f88d5eeeec939de614cf827b2ff43a7cb3eb3db80bd3d1c448f9c9efd493fa
Opcode Fuzzy Hash: bf6353ac8c19c9fae8b2fedcc761a981a96f3337d5da54850cc1ccf7398e0167
Instruction Fuzzy Hash: 0B319E32505219BBDF11AFB4EC08FDA3B69FF09335F100224FA25A60A0CB71D855EBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00F07040 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F0707B

Part of subcall function 00F08D68: __getptd_noexit.LIBCMT ref: 00F08D68

__gmtime64_s.LIBCMT ref: 00F07114
__gmtime64_s.LIBCMT ref: 00F0714A
__gmtime64_s.LIBCMT ref: 00F07167
__allrem.LIBCMT ref: 00F071BD
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F071D9
__allrem.LIBCMT ref: 00F071F0
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F0720E
__allrem.LIBCMT ref: 00F07225
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F07243
__invoke_watson.LIBCMT ref: 00F072B4

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
Instruction ID: 7856574c0617f7b7d1618935650f07b08de41517e3f141949269717a78a36f3d
Opcode Fuzzy Hash: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
Instruction Fuzzy Hash: 8371C572E04716ABE714AE79CC41B9BB3A8AF50324F14426AF914E62C1E774F940BBD0

Uniqueness

Uniqueness Score: -1.00%

Function 00F42A16 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F42A31
GetMenuItemInfoW.USER32(00FA6890,000000FF,00000000,00000030), ref: 00F42A92
SetMenuItemInfoW.USER32(00FA6890,00000004,00000000,00000030), ref: 00F42AC8
Sleep.KERNEL32(000001F4), ref: 00F42ADA
GetMenuItemCount.USER32(?), ref: 00F42B1E
GetMenuItemID.USER32(?,00000000), ref: 00F42B3A
GetMenuItemID.USER32(?,-00000001), ref: 00F42B64
GetMenuItemID.USER32(?,?), ref: 00F42BA9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00F42BEF
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00F42C03
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00F42C24

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: ad27302a97e71fae51a1e38d4a45694ea6da6f2182cb298f3b1fb1054ac15040
Instruction ID: 304f23d7c1a7a6d095999aca18a2b8d70cc57631c4586ec35051a23ff0a2b29b
Opcode Fuzzy Hash: ad27302a97e71fae51a1e38d4a45694ea6da6f2182cb298f3b1fb1054ac15040
Instruction Fuzzy Hash: 8761DDB0900249AFDB61CF64DC88EAEBFB8EB41324F940569FC52A3251D775AD45FB20

Uniqueness

Uniqueness Score: -1.00%

Function 00F67192 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00F67214
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00F67217
GetWindowLongW.USER32(?,000000F0), ref: 00F6723B
_memset.LIBCMT ref: 00F6724C
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00F6725E
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00F672D6

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: e9d125175a485f4b1d96eea62f319158e6e82b60b44d768ce0589e53826b6eeb
Instruction ID: 0a6338999e7aa1ede27ba3a4374322900b77329e60de6173a9379c49a390c05b
Opcode Fuzzy Hash: e9d125175a485f4b1d96eea62f319158e6e82b60b44d768ce0589e53826b6eeb
Instruction Fuzzy Hash: 9C6138B5A00208AFDB10DFA4CC81EEE77B8AF0A714F14415AFA15E73A1D774AD45EB60

Uniqueness

Uniqueness Score: -1.00%

Function 00F3710E Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00F37135
SafeArrayAllocData.OLEAUT32(?), ref: 00F3718E
VariantInit.OLEAUT32(?), ref: 00F371A0
SafeArrayAccessData.OLEAUT32(?,?), ref: 00F371C0
VariantCopy.OLEAUT32(?,?), ref: 00F37213
SafeArrayUnaccessData.OLEAUT32(?), ref: 00F37227
VariantClear.OLEAUT32(?), ref: 00F3723C
SafeArrayDestroyData.OLEAUT32(?), ref: 00F37249
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00F37252
VariantClear.OLEAUT32(?), ref: 00F37264
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00F3726F

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: c7a1ac861b9acabc93356a6d830c2e9cebd9937d2c3062a2bc147253b5b97a35
Instruction ID: 0d7d921344fae094f66ad0335c769c83691e0ec05cd600bf64b8bfdf1fd47c16
Opcode Fuzzy Hash: c7a1ac861b9acabc93356a6d830c2e9cebd9937d2c3062a2bc147253b5b97a35
Instruction Fuzzy Hash: C9413C75A04219AFCB10EF65DC449AEBBB8EF08364F008069E915E7261CB70E949DF90

Uniqueness

Uniqueness Score: -1.00%

Function 00F55A45 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00F55AA6
inet_addr.WSOCK32(?,?,?), ref: 00F55AEB
gethostbyname.WSOCK32(?), ref: 00F55AF7
IcmpCreateFile.IPHLPAPI ref: 00F55B05
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00F55B75
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00F55B8B
IcmpCloseHandle.IPHLPAPI(00000000), ref: 00F55C00
WSACleanup.WSOCK32 ref: 00F55C06

Strings

Ping, xrefs: 00F55B29

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 456cf47e51039bc67790fc14155695c01c4bb1ed9371471b127ad246999df6ad
Instruction ID: 82f089de2a8197c68d37af5eedc57c87d55b9bf3b7935ce89e5767f20d1216d7
Opcode Fuzzy Hash: 456cf47e51039bc67790fc14155695c01c4bb1ed9371471b127ad246999df6ad
Instruction Fuzzy Hash: DF51C571604701AFDB10DF25DC59B2AB7E0EF84721F148929FA55EB2A1DB74EC08EB41

Uniqueness

Uniqueness Score: -1.00%

Function 00F4B72E Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00F4B73B
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00F4B7B1
GetLastError.KERNEL32 ref: 00F4B7BB
SetErrorMode.KERNEL32(00000000,READY), ref: 00F4B828

Strings

NOTREADY, xrefs: 00F4B7E7
READY, xrefs: 00F4B801
INVALID, xrefs: 00F4B7FA
READONLY, xrefs: 00F4B7F3
UNKNOWN, xrefs: 00F4B7E0

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 4cc18a9b6094fc82d6c248ba494dacd1da3fa20144edf71377c1ac8474fb4b5a
Instruction ID: 7ee8dd101481971dfb463e7fa1e598eae635a1f6dcad73e3a438dd4379fa1401
Opcode Fuzzy Hash: 4cc18a9b6094fc82d6c248ba494dacd1da3fa20144edf71377c1ac8474fb4b5a
Instruction Fuzzy Hash: 84318135A002099FDB10EF64DC85AAE7BF4EF84750F14802AE805E7292DB75D946EB91

Uniqueness

Uniqueness Score: -1.00%

Function 00F39471 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE7F41: _memmove.LIBCMT ref: 00EE7F82

Part of subcall function 00F3B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00F3B0E7

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00F394F6
GetDlgCtrlID.USER32 ref: 00F39501
GetParent.USER32 ref: 00F3951D
SendMessageW.USER32(00000000,?,00000111,?), ref: 00F39520
GetDlgCtrlID.USER32(?), ref: 00F39529
GetParent.USER32(?), ref: 00F39545
SendMessageW.USER32(00000000,?,?,00000111), ref: 00F39548

Strings

ListBox, xrefs: 00F394B3
ComboBox, xrefs: 00F3947E

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 87d32ad82724dcfc23d97cd6a1e7bc5fa09afec6a8caf0429ce3d95ca175aadf
Instruction ID: 36f079a4dd8ce1257be6fc5159fe701cbc5a6f45f26ab88b1ca542371f20bf8c
Opcode Fuzzy Hash: 87d32ad82724dcfc23d97cd6a1e7bc5fa09afec6a8caf0429ce3d95ca175aadf
Instruction Fuzzy Hash: AC21E574D04108ABDF04AB65DC85DFEB7A4EF45310F104129F572572A1DBF55919EA20

Uniqueness

Uniqueness Score: -1.00%

Function 00F3955C Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE7F41: _memmove.LIBCMT ref: 00EE7F82

Part of subcall function 00F3B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00F3B0E7

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00F395DF
GetDlgCtrlID.USER32 ref: 00F395EA
GetParent.USER32 ref: 00F39606
SendMessageW.USER32(00000000,?,00000111,?), ref: 00F39609
GetDlgCtrlID.USER32(?), ref: 00F39612
GetParent.USER32(?), ref: 00F3962E
SendMessageW.USER32(00000000,?,?,00000111), ref: 00F39631

Strings

ListBox, xrefs: 00F3959E
ComboBox, xrefs: 00F39569

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: f9bed75a9c9620011b682b718daaa66cdf01e55a0e052e2c1ca84fe53fe943ec
Instruction ID: 969d9b50577996e4d72fbf679a000104468a3cd7a2b3fa01673ba2204d6d1a26
Opcode Fuzzy Hash: f9bed75a9c9620011b682b718daaa66cdf01e55a0e052e2c1ca84fe53fe943ec
Instruction Fuzzy Hash: 4821D371E04208BBDF04AB60CCC5EFEBBB8EF48310F100019F961971A1DBF59959EA20

Uniqueness

Uniqueness Score: -1.00%

Function 00F39645 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00F39651
GetClassNameW.USER32(00000000,?,00000100), ref: 00F39666
_wcscmp.LIBCMT ref: 00F39678
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00F396F3

Strings

details, xrefs: 00F396A1
list, xrefs: 00F396D5
largeicons, xrefs: 00F39687
smallicons, xrefs: 00F396BB
SHELLDLL_DefView, xrefs: 00F39672

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: e893be54e7b348b85b07922963fe6c4f769a7c715c3d206d5363c8b001262a09
Instruction ID: 3e1b5babc3abbe05dbe56a6251324a446efb9e87b2172b7aed7b199b185dad5e
Opcode Fuzzy Hash: e893be54e7b348b85b07922963fe6c4f769a7c715c3d206d5363c8b001262a09
Instruction Fuzzy Hash: F1114C77A4D307BAFA012625EC07EA777DCCB04370F21002AF910E50E2FEE2A9107A59

Uniqueness

Uniqueness Score: -1.00%

Function 00F58BC0 Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00F58BEC
CoInitialize.OLE32(00000000), ref: 00F58C19
CoUninitialize.OLE32 ref: 00F58C23
GetRunningObjectTable.OLE32(00000000,?), ref: 00F58D23
SetErrorMode.KERNEL32(00000001,00000029), ref: 00F58E50
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00F72C0C), ref: 00F58E84
CoGetObject.OLE32(?,00000000,00F72C0C,?), ref: 00F58EA7
SetErrorMode.KERNEL32(00000000), ref: 00F58EBA
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00F58F3A
VariantClear.OLEAUT32(?), ref: 00F58F4A

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: 88a9973490bed529ae1880112e47803a8333898d3bdb56e17325226aade52bb6
Instruction ID: b8c72a7970b7c1aeed9bb9730764aa2f0f47ba61ebc964ba27a498c6c23359ab
Opcode Fuzzy Hash: 88a9973490bed529ae1880112e47803a8333898d3bdb56e17325226aade52bb6
Instruction Fuzzy Hash: 76C13871608305AFC700DF64C88492BB7E9FF89359F00495DF98AAB251DB71ED0ADB52

Uniqueness

Uniqueness Score: -1.00%

Function 00F44189 Relevance: 15.1, APIs: 10, Instructions: 108windowCOMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 00F4419D
__swprintf.LIBCMT ref: 00F441AA

Part of subcall function 00F038D8: __woutput_l.LIBCMT ref: 00F03931

FindResourceW.KERNEL32(?,?,0000000E), ref: 00F441D4
LoadResource.KERNEL32(?,00000000), ref: 00F441E0
LockResource.KERNEL32(00000000), ref: 00F441ED
FindResourceW.KERNEL32(?,?,00000003), ref: 00F4420D
LoadResource.KERNEL32(?,00000000), ref: 00F4421F
SizeofResource.KERNEL32(?,00000000), ref: 00F4422E
LockResource.KERNEL32(?), ref: 00F4423A
CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 00F4429B

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
String ID:
API String ID: 1433390588-0
Opcode ID: 312f3bfe694ec4de9ca0b90bc39ab60f87cb5eb189d86c4f3a807c11a6f5004a
Instruction ID: 4349f2399be868aa3e6fd7276559dca0775aee9a73807729ee9398d09777de13
Opcode Fuzzy Hash: 312f3bfe694ec4de9ca0b90bc39ab60f87cb5eb189d86c4f3a807c11a6f5004a
Instruction Fuzzy Hash: 8731AEB2A0521AAFDB119F60EC54FBB7BACFF09301F044565FD11E2150D7B4EA51ABA0

Uniqueness

Uniqueness Score: -1.00%

Function 00EEFBBD Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00EEFC06
OleUninitialize.OLE32(?,00000000), ref: 00EEFCA5
UnregisterHotKey.USER32(?), ref: 00EEFDFC
DestroyWindow.USER32(?), ref: 00F24A00
FreeLibrary.KERNEL32(?), ref: 00F24A65
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00F24A92

Strings

close all, xrefs: 00EEFC01

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: d3e6e8525b392ef64b3270e7a114ef9e0b91d835a8b7b2140dd8312a0cdd86d6
Instruction ID: a50f349e33d39a5424e4621ab5f59e5ef0f489acee8df901051e66e35682fa6f
Opcode Fuzzy Hash: d3e6e8525b392ef64b3270e7a114ef9e0b91d835a8b7b2140dd8312a0cdd86d6
Instruction Fuzzy Hash: 7EA18F31701226CFCB28EF15D894B69F7A4BF04710F1452ADE80ABB262DB74AD16EF54

Uniqueness

Uniqueness Score: -1.00%

Function 00F3A693 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,00F3AA64), ref: 00F3A9A2

Strings

TEXT, xrefs: 00F3A8D9
CLASS, xrefs: 00F3A721
INSTANCE, xrefs: 00F3A8B0
CLASSNN, xrefs: 00F3A744
REGEXPCLASS, xrefs: 00F3A767
NAME, xrefs: 00F3A7D4

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: 13e31d2dda534373dacd3163ff04b85d2039a046015a31ca0621fa40e77f5ee1
Instruction ID: 5cfe8806dc1455650741cf8113f3e4e95d6b6915095b0c6f0a1326d8d4bbc183
Opcode Fuzzy Hash: 13e31d2dda534373dacd3163ff04b85d2039a046015a31ca0621fa40e77f5ee1
Instruction Fuzzy Hash: BE91A43190520A9BDB08DF61C881BE9FB74BF14324F508119D8DAB7191DF346959FBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00EE2E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00EE2EAE

Part of subcall function 00EE1DB3: GetClientRect.USER32(?,?), ref: 00EE1DDC
Part of subcall function 00EE1DB3: GetWindowRect.USER32(?,?), ref: 00EE1E1D
Part of subcall function 00EE1DB3: ScreenToClient.USER32(?,?), ref: 00EE1E45

GetDC.USER32 ref: 00F1CF82
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00F1CF95
SelectObject.GDI32(00000000,00000000), ref: 00F1CFA3
SelectObject.GDI32(00000000,00000000), ref: 00F1CFB8
ReleaseDC.USER32(?,00000000), ref: 00F1CFC0
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00F1D04B

Strings

U, xrefs: 00F1CF20

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 076ed0930743f6a3c257daee5b9287d5b22f1858a43da8a73291fcebc5699502
Instruction ID: 35403d007dc787a8180bb4108761eaf069276257c1315d52467d5e42c736fa30
Opcode Fuzzy Hash: 076ed0930743f6a3c257daee5b9287d5b22f1858a43da8a73291fcebc5699502
Instruction Fuzzy Hash: E971C771900249DFCF25CF64CC84AEA7BB5FF49364F14426AED55AA1A9C7318C82FB60

Uniqueness

Uniqueness Score: -1.00%

Function 00F6C27C Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE2612: GetWindowLongW.USER32(?,000000EB), ref: 00EE2623

Part of subcall function 00EE2344: GetCursorPos.USER32(?), ref: 00EE2357
Part of subcall function 00EE2344: ScreenToClient.USER32(00FA67B0,?), ref: 00EE2374
Part of subcall function 00EE2344: GetAsyncKeyState.USER32(00000001), ref: 00EE2399
Part of subcall function 00EE2344: GetAsyncKeyState.USER32(00000002), ref: 00EE23A7

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 00F6C2E4
ImageList_EndDrag.COMCTL32 ref: 00F6C2EA
ReleaseCapture.USER32 ref: 00F6C2F0
SetWindowTextW.USER32(?,00000000), ref: 00F6C39A
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00F6C3AD
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 00F6C48F

Strings

@GUI_DROPID, xrefs: 00F6C3E1
@GUI_DRAGFILE, xrefs: 00F6C424

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: de791e60eed9c47c89ce5bb0d793d479b73d753dc569c90bb8e2c149a583912d
Instruction ID: 10feac18f371205db0828f24dff62aaaf3fffb5ba57bdb01c3a8aae0f7ae6542
Opcode Fuzzy Hash: de791e60eed9c47c89ce5bb0d793d479b73d753dc569c90bb8e2c149a583912d
Instruction Fuzzy Hash: 09519C70604308AFD700EF24DC56F6A7BE5EF88310F04452DF5A59B2E2DB75A948EB52

Uniqueness

Uniqueness Score: -1.00%

Function 00F58F5B Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,00F6F910), ref: 00F5903D
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00F6F910), ref: 00F59071
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00F591EB
SysFreeString.OLEAUT32(?), ref: 00F59215

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: 7042518aef685cd66519081606d6845f4ce11659eaf9ada79c278b48394388a9
Instruction ID: cc8f3a6dc2bfd2c6e1882bb6d078d276e4ea37b49db0d40be1fa21bc490cc664
Opcode Fuzzy Hash: 7042518aef685cd66519081606d6845f4ce11659eaf9ada79c278b48394388a9
Instruction Fuzzy Hash: 3EF15071904119EFCF04DF94C888EAEB7B9FF49315F108059FA16AB291CB71AD4ADB50

Uniqueness

Uniqueness Score: -1.00%

Function 00F5F9A8 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F5F9C9
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00F5FB5C
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00F5FB80
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00F5FBC0
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00F5FBE2
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00F5FD5E
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00F5FD90
CloseHandle.KERNEL32(?), ref: 00F5FDBF
CloseHandle.KERNEL32(?), ref: 00F5FE36

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: 9d749e08797caa0f11161655fb5cba83ae6aeae6094cf39fea64f67513f22d44
Instruction ID: b1485f95ae0c2004b9a352686c5513263e17483a29a697a9a4a48dc5cb949d83
Opcode Fuzzy Hash: 9d749e08797caa0f11161655fb5cba83ae6aeae6094cf39fea64f67513f22d44
Instruction Fuzzy Hash: 0DE1C431604345DFC714EF24C885B6ABBE0BF84360F14846DF9999B2A2DB35DC49EB52

Uniqueness

Uniqueness Score: -1.00%

Function 00F44F63 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00F448AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00F438D3,?), ref: 00F448C7

Part of subcall function 00F448AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00F438D3,?), ref: 00F448E0

Part of subcall function 00F44CD3: GetFileAttributesW.KERNEL32(?,00F43947), ref: 00F44CD4

lstrcmpiW.KERNEL32(?,?), ref: 00F44FE2
_wcscmp.LIBCMT ref: 00F44FFC
MoveFileW.KERNEL32(?,?), ref: 00F45017

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: afac5e2deb66c125fbe211803629a2cb2bcff3e917bef3e081169ccb13736fa4
Instruction ID: 78a601ab95cb2e2ae229f57f0e956ddb320586b79e5f9a66e9f8cd1b4a4ad7da
Opcode Fuzzy Hash: afac5e2deb66c125fbe211803629a2cb2bcff3e917bef3e081169ccb13736fa4
Instruction Fuzzy Hash: 315185B24087859BC720EB54DC81ADFB7ECAF84350F10092EF589D3192EF74A58C9766

Uniqueness

Uniqueness Score: -1.00%

Function 00F688B4 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00F6896E

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: fcf509883e8001ce1b8dc79bfbfbc329d80d092ee9f04f2768cfc6294febcfda
Instruction ID: 8888a8a9bb728ea91621c437b915e254412ae9d234045fa4a4138c7955415805
Opcode Fuzzy Hash: fcf509883e8001ce1b8dc79bfbfbc329d80d092ee9f04f2768cfc6294febcfda
Instruction Fuzzy Hash: 1D51B630900248BFDF209F64DC85BA93BA5BB053A0F50431AFA11E71A1DFB5A986BB51

Uniqueness

Uniqueness Score: -1.00%

Function 00EE2B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00F1C547
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00F1C569
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00F1C581
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00F1C59F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00F1C5C0
DestroyIcon.USER32(00000000), ref: 00F1C5CF
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00F1C5EC
DestroyIcon.USER32(?), ref: 00F1C5FB

Part of subcall function 00F6A71E: DeleteObject.GDI32(00000000), ref: 00F6A757

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: 8d1e49f606566c653a57f6e69ac4eba9a33d2079832bcf8a082e6e3b466bc8b0
Instruction ID: 3996236c582e17abd64603dc19ca01e45947a713977d10560f6d9e4508b51b19
Opcode Fuzzy Hash: 8d1e49f606566c653a57f6e69ac4eba9a33d2079832bcf8a082e6e3b466bc8b0
Instruction Fuzzy Hash: AF516C70A40249AFDB24DF25DC45FAA77B9EF54320F140528F912E72A0DB70ED90EB90

Uniqueness

Uniqueness Score: -1.00%

Function 00F39B50 Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F3AE57: GetWindowThreadProcessId.USER32(?,00000000), ref: 00F3AE77
Part of subcall function 00F3AE57: GetCurrentThreadId.KERNEL32 ref: 00F3AE7E
Part of subcall function 00F3AE57: AttachThreadInput.USER32(00000000,?,00F39B65,?,00000001), ref: 00F3AE85

MapVirtualKeyW.USER32(00000025,00000000), ref: 00F39B70
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00F39B8D
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 00F39B90
MapVirtualKeyW.USER32(00000025,00000000), ref: 00F39B99
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00F39BB7
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00F39BBA
MapVirtualKeyW.USER32(00000025,00000000), ref: 00F39BC3
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00F39BDA
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00F39BDD

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 456daff69740186a4761c3890e8541d479967733310d56363011e44d03056931
Instruction ID: 1cb4b4fdc75382da4f84b90391856fc14981ba98e1da21574aea093d0c10bb86
Opcode Fuzzy Hash: 456daff69740186a4761c3890e8541d479967733310d56363011e44d03056931
Instruction Fuzzy Hash: 5C110471550218BEF6106F61EC89F6A7F2DEB4D7A1F100425F264AB0A1C9F35C50FAB4

Uniqueness

Uniqueness Score: -1.00%

Function 00F38E03 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00F38A84,00000B00,?,?), ref: 00F38E0C
HeapAlloc.KERNEL32(00000000,?,00F38A84,00000B00,?,?), ref: 00F38E13
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00F38A84,00000B00,?,?), ref: 00F38E28
GetCurrentProcess.KERNEL32(?,00000000,?,00F38A84,00000B00,?,?), ref: 00F38E30
DuplicateHandle.KERNEL32(00000000,?,00F38A84,00000B00,?,?), ref: 00F38E33
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00F38A84,00000B00,?,?), ref: 00F38E43
GetCurrentProcess.KERNEL32(00F38A84,00000000,?,00F38A84,00000B00,?,?), ref: 00F38E4B
DuplicateHandle.KERNEL32(00000000,?,00F38A84,00000B00,?,?), ref: 00F38E4E
CreateThread.KERNEL32(00000000,00000000,00F38E74,00000000,00000000,00000000), ref: 00F38E68

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: b399ab071008c6c6d0984dbc37e05e4d92f210342fb6bb338bb093b9c1413012
Instruction ID: 9606d8d2cfd595b809b8190a426c28711ed1496a7a2c273c62b4c63e869cc950
Opcode Fuzzy Hash: b399ab071008c6c6d0984dbc37e05e4d92f210342fb6bb338bb093b9c1413012
Instruction Fuzzy Hash: 4601BBB5240308FFE710ABA5EC4DF6B3BACEB89751F004421FA15DB1A1CAB59804EB20

Uniqueness

Uniqueness Score: -1.00%

Function 00F59428 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F5947C
VariantInit.OLEAUT32(?), ref: 00F5954D
VariantInit.OLEAUT32(?), ref: 00F5964E
VariantClear.OLEAUT32(?), ref: 00F59658
VariantClear.OLEAUT32(?), ref: 00F596B5

Strings

Null Object assignment in FOR..IN loop, xrefs: 00F594DD, 00F5960B, 00F596C3
Incorrect Object type in FOR..IN loop, xrefs: 00F59631

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-625585964
Opcode ID: 1e4176d712bbda586e89208191bfa88316132f69c7aa3b78a6422da5a9ce37c4
Instruction ID: 84e0757a76fb67f09c61744018c86bbb5223e14d3bbadcee64da4ab53484e6d9
Opcode Fuzzy Hash: 1e4176d712bbda586e89208191bfa88316132f69c7aa3b78a6422da5a9ce37c4
Instruction Fuzzy Hash: A091A371E04215EBDF28DFA5C844FAEB7B8EF45321F108159FA15AB281D7B09909DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00F59A72 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 00F37652: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00F3758C,80070057,?,?,?,00F3799D), ref: 00F3766F
Part of subcall function 00F37652: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00F3758C,80070057,?,?), ref: 00F3768A
Part of subcall function 00F37652: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00F3758C,80070057,?,?), ref: 00F37698
Part of subcall function 00F37652: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00F3758C,80070057,?), ref: 00F376A8

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00F59B1B
_memset.LIBCMT ref: 00F59B28
_memset.LIBCMT ref: 00F59C6B
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00F59C97
CoTaskMemFree.OLE32(?), ref: 00F59CA2

Strings

NULL Pointer assignment, xrefs: 00F59CF0

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: 0036f867953a7ef40d908f0d291f37aa5d1b92f1c3ce6b96ce06d50c4884df45
Instruction ID: 1cb426154678a13f0eeb17036c48ece1fbd459eb2a4ed96bce99a13ddfb2bb16
Opcode Fuzzy Hash: 0036f867953a7ef40d908f0d291f37aa5d1b92f1c3ce6b96ce06d50c4884df45
Instruction Fuzzy Hash: 11913871D0021DEBDF14DFA5DC84ADEBBB8AF08710F20416AF919A7281DB719A45DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00F66FEF Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00F67093
SendMessageW.USER32(?,00001036,00000000,?), ref: 00F670A7
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00F670C1
_wcscat.LIBCMT ref: 00F6711C
SendMessageW.USER32(?,00001057,00000000,?), ref: 00F67133
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00F67161

Strings

SysListView32, xrefs: 00F67065

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: 20c9f373636bf4e254a9a34baad47fe1f546cf28a4e9baa071959c9ffd140e7f
Instruction ID: 759829551edb0282ea71a1c0b859a929390fb59df9eea3b7b1540fef45b39f60
Opcode Fuzzy Hash: 20c9f373636bf4e254a9a34baad47fe1f546cf28a4e9baa071959c9ffd140e7f
Instruction Fuzzy Hash: DD41A471904308BFEB21DF64DC85BEE77A8EF08364F10052AF554E7192D7729D84AB60

Uniqueness

Uniqueness Score: -1.00%

Function 00F5EC47 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00F43E91: CreateToolhelp32Snapshot.KERNEL32 ref: 00F43EB6
Part of subcall function 00F43E91: Process32FirstW.KERNEL32(00000000,?), ref: 00F43EC4
Part of subcall function 00F43E91: CloseHandle.KERNEL32(00000000), ref: 00F43F8E

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00F5ECB8
GetLastError.KERNEL32 ref: 00F5ECCB
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00F5ECFA
TerminateProcess.KERNEL32(00000000,00000000), ref: 00F5ED77
GetLastError.KERNEL32(00000000), ref: 00F5ED82
CloseHandle.KERNEL32(00000000), ref: 00F5EDB7

Strings

SeDebugPrivilege, xrefs: 00F5ECD6

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: e7135d81af64b6049380bd7874f4e645db2325be4fff168d8a5f51ac11e309a8
Instruction ID: 3e7b17f8b878637c86f6876505894c065e1b6a8ebbf8f050f681d427e975f158
Opcode Fuzzy Hash: e7135d81af64b6049380bd7874f4e645db2325be4fff168d8a5f51ac11e309a8
Instruction Fuzzy Hash: 6241CE716002049FDB14EF24CC95F6DB7E5AF80720F088018FD469B3C2DBB9A908EB92

Uniqueness

Uniqueness Score: -1.00%

Function 00F43226 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00F432C5

Strings

info, xrefs: 00F43266
warning, xrefs: 00F432AE
stop, xrefs: 00F43296
question, xrefs: 00F4327E
blank, xrefs: 00F43247

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: fb45edd9a792c02c6e9c0f7b3b3e734c1919ebee22834c274aa112f4e2a70bd1
Instruction ID: 5cd29b52d0e2533ddbc220e9de93ee5222e5a2ce93a4d5e50c3f1d172ec9294f
Opcode Fuzzy Hash: fb45edd9a792c02c6e9c0f7b3b3e734c1919ebee22834c274aa112f4e2a70bd1
Instruction Fuzzy Hash: 6911B732A48356BAEB055B55EC43D6ABB9CDF19770F20002AFD00A61C1E7F59B4079E6

Uniqueness

Uniqueness Score: -1.00%

Function 00F44534 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00F4454E
LoadStringW.USER32(00000000), ref: 00F44555
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00F4456B
LoadStringW.USER32(00000000), ref: 00F44572
_wprintf.LIBCMT ref: 00F44598
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00F445B6

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00F44593

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 1927e80d9d8f4ca811382911398d4b4e715e5ebf9c0dc2cc82f73ec1974cd7ad
Instruction ID: 8020b121bb257d354e46a3919b6763e73c2246e833991b0000317b8908320262
Opcode Fuzzy Hash: 1927e80d9d8f4ca811382911398d4b4e715e5ebf9c0dc2cc82f73ec1974cd7ad
Instruction Fuzzy Hash: 4B018FF290420CBFE710A7A0ED89EE6776CEB08300F4005A5FB15E2051EAB59E899B70

Uniqueness

Uniqueness Score: -1.00%

Function 00F6D74C Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE2612: GetWindowLongW.USER32(?,000000EB), ref: 00EE2623

GetSystemMetrics.USER32(0000000F), ref: 00F6D78A
GetSystemMetrics.USER32(0000000F), ref: 00F6D7AA
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00F6D9E5
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00F6DA03
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00F6DA24
ShowWindow.USER32(00000003,00000000), ref: 00F6DA43
InvalidateRect.USER32(?,00000000,00000001), ref: 00F6DA68
DefDlgProcW.USER32(?,00000005,?,?), ref: 00F6DA8B

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: e60786d4e5c7eb23ee3e1f156b1d3f33523a450b22c7e84fe99d45a16a4845fe
Instruction ID: d76a2db5d155d8b6e672f43e763ef1fc1a40183a32f4df5027294e5e3ef441ab
Opcode Fuzzy Hash: e60786d4e5c7eb23ee3e1f156b1d3f33523a450b22c7e84fe99d45a16a4845fe
Instruction Fuzzy Hash: F0B18971E04229EBDF14CF68C9857BD7BB1FF08711F088169EC589B296D734A950EB90

Uniqueness

Uniqueness Score: -1.00%

Function 00EE2A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00F1C417,00000004,00000000,00000000,00000000), ref: 00EE2ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,00F1C417,00000004,00000000,00000000,00000000,000000FF), ref: 00EE2B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,00F1C417,00000004,00000000,00000000,00000000), ref: 00F1C46A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00F1C417,00000004,00000000,00000000,00000000), ref: 00F1C4D6

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: d7e0e9a3f092177b4b2231fe14d23e6eb593d135ff49b848f75e9601bbbc59e1
Instruction ID: 1fdbbf37bd0177bc7a3196b9cccafeabe208cb3bdef3218c17417c8a79c3588c
Opcode Fuzzy Hash: d7e0e9a3f092177b4b2231fe14d23e6eb593d135ff49b848f75e9601bbbc59e1
Instruction Fuzzy Hash: FE417C316082CC9AC735CF2ADC98BBB3B9AAF45314F18943EE25FA6160C67598C5E750

Uniqueness

Uniqueness Score: -1.00%

Function 00F47368 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00F4737F

Part of subcall function 00F00FF6: std::exception::exception.LIBCMT ref: 00F0102C
Part of subcall function 00F00FF6: __CxxThrowException@8.LIBCMT ref: 00F01041

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00F473B6
EnterCriticalSection.KERNEL32(?), ref: 00F473D2
_memmove.LIBCMT ref: 00F47420
_memmove.LIBCMT ref: 00F4743D
LeaveCriticalSection.KERNEL32(?), ref: 00F4744C
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00F47461
InterlockedExchange.KERNEL32(?,000001F6), ref: 00F47480

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: fe8da3132a7648cbe819182cbc6fc6b71e6489cec31312dee9d8bede9a871e31
Instruction ID: deab7ec1971548af1cefa4b288e6743e3adf77bbdd2b37ba0ea7a554f440227f
Opcode Fuzzy Hash: fe8da3132a7648cbe819182cbc6fc6b71e6489cec31312dee9d8bede9a871e31
Instruction Fuzzy Hash: DD319E31A04209EBCF10EF64DC85AAE7B78FF45710F1440A5FD04EB296DB749A14EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00F66442 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00F6645A
GetDC.USER32(00000000), ref: 00F66462
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00F6646D
ReleaseDC.USER32(00000000,00000000), ref: 00F66479
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00F664B5
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00F664C6
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00F69299,?,?,000000FF,00000000,?,000000FF,?), ref: 00F66500
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00F66520

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 412a36d20b368fc9decd5b930674a2ba06ab9a3f4fe5615cf6c2b4a5258e071c
Instruction ID: 9a4a7ca470f4b1140f10f5f4397ad764094059c7de543958c5815c325da88441
Opcode Fuzzy Hash: 412a36d20b368fc9decd5b930674a2ba06ab9a3f4fe5615cf6c2b4a5258e071c
Instruction Fuzzy Hash: C2318B72200214BFEB108F10DC8AFEA3FA9EF09765F080065FE18DA2A1C6B59C41DB70

Uniqueness

Uniqueness Score: -1.00%

Function 00F3C072 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 00F3C087
_memcmp.LIBCMT ref: 00F3C0A9
_memcmp.LIBCMT ref: 00F3C0C1
_memcmp.LIBCMT ref: 00F3C0D4
_memcmp.LIBCMT ref: 00F3C0EE
_memcmp.LIBCMT ref: 00F3C101
_memcmp.LIBCMT ref: 00F3C119
_memcmp.LIBCMT ref: 00F3C134

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 2a915f7b8c1b14800346ae2ac40950dc4582dd3c08b62115c6424c9d46a8c8f1
Instruction ID: 7fc75b7f9758d597cafa11f433a1695dc927eea7f9cc2257cb0c0699e3178a66
Opcode Fuzzy Hash: 2a915f7b8c1b14800346ae2ac40950dc4582dd3c08b62115c6424c9d46a8c8f1
Instruction Fuzzy Hash: 712198A2A00205B7D664B6214D52FBF335CAF203B4F444011FD09F6292EB56DD11B3E6

Uniqueness

Uniqueness Score: -1.00%

Function 00F4ED8E Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 00EE9997: __itow.LIBCMT ref: 00EE99C2
Part of subcall function 00EE9997: __swprintf.LIBCMT ref: 00EE9A0C

Part of subcall function 00EFFEC6: _wcscpy.LIBCMT ref: 00EFFEE9

_wcstok.LIBCMT ref: 00F4EEFF
_wcscpy.LIBCMT ref: 00F4EF8E
_memset.LIBCMT ref: 00F4EFC1

Strings

X, xrefs: 00F4EFFE

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: 47fb31b4846877f2935ccbde8c8ef378d511be30a1b9573f66251548c3906748
Instruction ID: e18b8a75bae5c37f9aaa22960e9d7787e47796bfad4b4eadebcd4f87224ee92f
Opcode Fuzzy Hash: 47fb31b4846877f2935ccbde8c8ef378d511be30a1b9573f66251548c3906748
Instruction Fuzzy Hash: 4BC182715083449FD724EF24C885A5EBBE4FF84320F14492DF899A72A2DB70ED49DB82

Uniqueness

Uniqueness Score: -1.00%

Function 00F56E17 Relevance: 10.8, APIs: 7, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00F56F14
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00F56F35
WSAGetLastError.WSOCK32(00000000), ref: 00F56F48
htons.WSOCK32(?,?,?,00000000,?), ref: 00F56FFE
inet_ntoa.WSOCK32(?), ref: 00F56FBB

Part of subcall function 00F3AE14: _strlen.LIBCMT ref: 00F3AE1E
Part of subcall function 00F3AE14: _memmove.LIBCMT ref: 00F3AE40

_strlen.LIBCMT ref: 00F57058
_memmove.LIBCMT ref: 00F570C1

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 3619996494-0
Opcode ID: 8538b6b34066e53044207c5f3f4340806485a96a75f24f478d925c80f5328946
Instruction ID: 72fee0406385220691c17bfabdd37f3a17df82c26f164699406dbc8e83787700
Opcode Fuzzy Hash: 8538b6b34066e53044207c5f3f4340806485a96a75f24f478d925c80f5328946
Instruction Fuzzy Hash: D281F272508304ABC710EB25DC82F6FB3E9AF84724F50451DFA59AB2E2DB709D08D792

Uniqueness

Uniqueness Score: -1.00%

Function 00EE1424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 957a03b9be7dc18614b2b717a62dd9d8a238648e78ca970cb7e40af887575811
Instruction ID: 0b18559e5cc152560b13553f5227f0f36c38c7a77d27c0023cdb7041eb0577f1
Opcode Fuzzy Hash: 957a03b9be7dc18614b2b717a62dd9d8a238648e78ca970cb7e40af887575811
Instruction Fuzzy Hash: 1C716D3090015DEFCB148F59CC49EFEBB79FF85324F148199F925AA291D730AA91DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00F6B60B Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(012B4C20), ref: 00F6B6A5
IsWindowEnabled.USER32(012B4C20), ref: 00F6B6B1
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00F6B795
SendMessageW.USER32(012B4C20,000000B0,?,?), ref: 00F6B7CC
IsDlgButtonChecked.USER32(?,?), ref: 00F6B809
GetWindowLongW.USER32(012B4C20,000000EC), ref: 00F6B82B
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00F6B843

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 80c55249d33ad1442557d09a4c28e1485bdffec080bf796830ac304de2ada808
Instruction ID: 3c9027597552b3daa81480b566f51a74ec4ef55524e4f382c4bddd5c4ef14d64
Opcode Fuzzy Hash: 80c55249d33ad1442557d09a4c28e1485bdffec080bf796830ac304de2ada808
Instruction Fuzzy Hash: 10718074A04205AFDB209F64C894FBA7BB9EF49320F1440A9E956D73A1C732AD81FB50

Uniqueness

Uniqueness Score: -1.00%

Function 00F5F732 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F5F75C
_memset.LIBCMT ref: 00F5F825
ShellExecuteExW.SHELL32(?), ref: 00F5F86A

Part of subcall function 00EE9997: __itow.LIBCMT ref: 00EE99C2
Part of subcall function 00EE9997: __swprintf.LIBCMT ref: 00EE9A0C

Part of subcall function 00EFFEC6: _wcscpy.LIBCMT ref: 00EFFEE9

GetProcessId.KERNEL32(00000000), ref: 00F5F8E1
CloseHandle.KERNEL32(00000000), ref: 00F5F910

Strings

@, xrefs: 00F5F839

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: 4732eee4fab6dd74aa18841b905300437b2b6a486a4939973bdcb2f1ffd216e2
Instruction ID: 82933061acdddc99a05851ee1bb2537e826723121e85ddc88c3c91a42feedbf1
Opcode Fuzzy Hash: 4732eee4fab6dd74aa18841b905300437b2b6a486a4939973bdcb2f1ffd216e2
Instruction Fuzzy Hash: F861AE75E006599FCB04DF55C8809AEBBF4FF48320F1484A9E849BB352CB31AD45DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00F4145D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00F4149C
GetKeyboardState.USER32(?), ref: 00F414B1
SetKeyboardState.USER32(?), ref: 00F41512
PostMessageW.USER32(?,00000101,00000010,?), ref: 00F41540
PostMessageW.USER32(?,00000101,00000011,?), ref: 00F4155F
PostMessageW.USER32(?,00000101,00000012,?), ref: 00F415A5
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00F415C8

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 205f0e62a905321c796a216c4520b35bab4833edcb0e2ec5b7f1ccc1563a1db0
Instruction ID: 807bafeea885a2b5050ec51cff841c1491fe5e3900340471b76f562b6744d8f9
Opcode Fuzzy Hash: 205f0e62a905321c796a216c4520b35bab4833edcb0e2ec5b7f1ccc1563a1db0
Instruction Fuzzy Hash: 4C51E1A0A047D53EFB3282248C45BBA7FA97B46324F0C8589E9D6468D2D3D8ECD4E750

Uniqueness

Uniqueness Score: -1.00%

Function 00F41276 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00F412B5
GetKeyboardState.USER32(?), ref: 00F412CA
SetKeyboardState.USER32(?), ref: 00F4132B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00F41357
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00F41374
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00F413B8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00F413D9

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: d705bca4460591bbea47646ef3cf108bf99cb4e61a328b288e104e583470140e
Instruction ID: d98b79e26294c005e53813191010c781509726456a805dcf6786ae51c8639ec8
Opcode Fuzzy Hash: d705bca4460591bbea47646ef3cf108bf99cb4e61a328b288e104e583470140e
Instruction Fuzzy Hash: E951E4A09047D93DFB3287248C45B7ABFA97B06310F088589E9D8868D2D795ACD8F761

Uniqueness

Uniqueness Score: -1.00%

Function 00F4589F Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00F458AC
_wcsncpy.LIBCMT ref: 00F458E1
_wcsncpy.LIBCMT ref: 00F45913
_wcsncpy.LIBCMT ref: 00F45946
_wcsncpy.LIBCMT ref: 00F45988
_wcsncpy.LIBCMT ref: 00F459C2
_wcsncpy.LIBCMT ref: 00F459F1

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: 5645f85570c7630863046606e1b546405b1db1f7ad0abafb7dcee605b7b469ce
Instruction ID: d3b0bed05f30900bbc318bfd462383360feb5fa90d8dfdbab6e8a9cfde71a150
Opcode Fuzzy Hash: 5645f85570c7630863046606e1b546405b1db1f7ad0abafb7dcee605b7b469ce
Instruction Fuzzy Hash: 004183A5C2051876CB50FBB4CC8A9CFB7ACAF04710F508556F918E3162E638E715E7A5

Uniqueness

Uniqueness Score: -1.00%

Function 00F438AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00F448AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00F438D3,?), ref: 00F448C7

Part of subcall function 00F448AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00F438D3,?), ref: 00F448E0

lstrcmpiW.KERNEL32(?,?), ref: 00F438F3
_wcscmp.LIBCMT ref: 00F4390F
MoveFileW.KERNEL32(?,?), ref: 00F43927
_wcscat.LIBCMT ref: 00F4396F
SHFileOperationW.SHELL32(?), ref: 00F439DB

Strings

\*.*, xrefs: 00F43969

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: 08c6670336f933791a8a85c679d8c080892b894e75ad0b9ab228363f23800fbb
Instruction ID: b94291b3fcb9cc6489c716964016bce16c96e02fee1248b67c9c6c35c7ce63f9
Opcode Fuzzy Hash: 08c6670336f933791a8a85c679d8c080892b894e75ad0b9ab228363f23800fbb
Instruction Fuzzy Hash: A141B4B250C3449EC751EF64D885ADFBBECAF88340F54092EF889D3191EA78D648D752

Uniqueness

Uniqueness Score: -1.00%

Function 00F67500 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F67519
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00F675C0
IsMenu.USER32(?), ref: 00F675D8
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00F67620
DrawMenuBar.USER32 ref: 00F67633

Strings

0, xrefs: 00F6750D

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: 35517491ccbe6a49c5d3afab7d8babfcf7f89113ce95f90890e92d31587788a9
Instruction ID: 026ce52b2916cef1a082a09d6799b2ca6bf6d13069b3c9a1f38ab0b4f221cd43
Opcode Fuzzy Hash: 35517491ccbe6a49c5d3afab7d8babfcf7f89113ce95f90890e92d31587788a9
Instruction Fuzzy Hash: CD416B71A04708EFDB10EF54D884E9ABBF8FF05328F148129E92697290D731AD40EF90

Uniqueness

Uniqueness Score: -1.00%

Function 00F6122D Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00F6125C
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00F61286
FreeLibrary.KERNEL32(00000000), ref: 00F6133D

Part of subcall function 00F6122D: RegCloseKey.ADVAPI32(?), ref: 00F612A3
Part of subcall function 00F6122D: FreeLibrary.KERNEL32(?), ref: 00F612F5
Part of subcall function 00F6122D: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00F61318

RegDeleteKeyW.ADVAPI32(?,?), ref: 00F612E0

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: e1f064b981ae8097e64fc3ae8b95081347e9a7301ab92b932fd32d2103b87d2a
Instruction ID: 2509881eac7141699ec3b550ef2d4536740ed637c0a526bef39992169f42ec14
Opcode Fuzzy Hash: e1f064b981ae8097e64fc3ae8b95081347e9a7301ab92b932fd32d2103b87d2a
Instruction Fuzzy Hash: 33311C71D01109BFDB14DB90EC89AFEB7BCFF08350F040169E512E2251DA749E49ABA0

Uniqueness

Uniqueness Score: -1.00%

Function 00F6653C Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00F6655B
GetWindowLongW.USER32(012B4C20,000000F0), ref: 00F6658E
GetWindowLongW.USER32(012B4C20,000000F0), ref: 00F665C3
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00F665F5
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00F6661F
GetWindowLongW.USER32(00000000,000000F0), ref: 00F66630
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00F6664A

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 5c553f04390c1bf685df76269ce13a11cfc1e2564de287e68ab0d2bf560b543f
Instruction ID: ff64f69e9f530953b12e0536da7a0ac2d051e808cf6a50dc840be1427c378b82
Opcode Fuzzy Hash: 5c553f04390c1bf685df76269ce13a11cfc1e2564de287e68ab0d2bf560b543f
Instruction Fuzzy Hash: 6D31D471A04154AFDB21CF28EC86F553BE5FB4A724F190168F522CB2B5CB72AC44EB51

Uniqueness

Uniqueness Score: -1.00%

Function 00F56486 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00F580A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00F580CB

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00F564D9
WSAGetLastError.WSOCK32(00000000), ref: 00F564E8
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00F56521
connect.WSOCK32(00000000,?,00000010), ref: 00F5652A
WSAGetLastError.WSOCK32 ref: 00F56534
closesocket.WSOCK32(00000000), ref: 00F5655D
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00F56576

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: fbc3eed2df5bf15024ae7771dc97e4d9d738ac9162f3e7e2d6c86345f786002c
Instruction ID: 7a646da33500cedfc6937c862f0c447b48098197c3d9222c9d68e136a459f694
Opcode Fuzzy Hash: fbc3eed2df5bf15024ae7771dc97e4d9d738ac9162f3e7e2d6c86345f786002c
Instruction Fuzzy Hash: DD31B571600118AFDB10AF24DC85BBE77E8EF44725F444069FE15E7291DB74AD08EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F3E0B5 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00F3E0FA
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00F3E120
SysAllocString.OLEAUT32(00000000), ref: 00F3E123
SysAllocString.OLEAUT32 ref: 00F3E144
SysFreeString.OLEAUT32 ref: 00F3E14D
StringFromGUID2.OLE32(?,?,00000028), ref: 00F3E167
SysAllocString.OLEAUT32(?), ref: 00F3E175

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: f420f533d64d0373426bb5b5d829b276205c2f9c4fd4d07fc3b6a7ca7971adf8
Instruction ID: 21aa2e4960db95d9b4fb249fd28d7f26c023c29bf97da29c2d5e181be5e4c3cc
Opcode Fuzzy Hash: f420f533d64d0373426bb5b5d829b276205c2f9c4fd4d07fc3b6a7ca7971adf8
Instruction Fuzzy Hash: C6217176604108AFDB10EFA8DC88DAB77ECEF09770F108125F965CB2A5DA70DC45AB64

Uniqueness

Uniqueness Score: -1.00%

Function 00F3FB6E Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00F3FB81
__wcsnicmp.LIBCMT ref: 00F3FBA2
__wcsnicmp.LIBCMT ref: 00F3FBBC

Strings

#OnAutoItStartRegister, xrefs: 00F3FBB6
#requireadmin, xrefs: 00F3FB9C
#notrayicon, xrefs: 00F3FB79

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: 11a8429a2aa0a2854117b6d58cef96cdbe4eb0ff34a5ea4b5ccc1e7fbf043957
Instruction ID: bb7d1a6452058349f6e5d1bc44335b971602c1004b40e0b043cc71ef8fbe2e86
Opcode Fuzzy Hash: 11a8429a2aa0a2854117b6d58cef96cdbe4eb0ff34a5ea4b5ccc1e7fbf043957
Instruction Fuzzy Hash: 8A216772E40256A6D330A620DC12FA7B3DCEF513B0F148036F88586181EB54AE85F2A2

Uniqueness

Uniqueness Score: -1.00%

Function 00F6783C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00EE1D73
Part of subcall function 00EE1D35: GetStockObject.GDI32(00000011), ref: 00EE1D87
Part of subcall function 00EE1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00EE1D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00F678A1
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00F678AE
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00F678B9
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00F678C8
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00F678D4

Strings

Msctls_Progress32, xrefs: 00F67872

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 0bdcc68c47ed7d289909c82bc7e6c545de3a1a6530b33a8b4a9224052afc6629
Instruction ID: cbf1f3fcce8747f58e2d1e3ee2e417d16c99f015f806963993a0de4b51f6697b
Opcode Fuzzy Hash: 0bdcc68c47ed7d289909c82bc7e6c545de3a1a6530b33a8b4a9224052afc6629
Instruction Fuzzy Hash: D4118EB2510219BEEF159E60CC85EE77F6DEF08768F114115BA04A20A0CB729C21EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00F041C9 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00F04292,?), ref: 00F041E3
GetProcAddress.KERNEL32(00000000), ref: 00F041EA
EncodePointer.KERNEL32(00000000), ref: 00F041F6
DecodePointer.KERNEL32(00000001,00F04292,?), ref: 00F04213

Strings

RoInitialize, xrefs: 00F041D2
combase.dll, xrefs: 00F041DE

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 3489934621-340411864
Opcode ID: a4d11634e8cfc8b40087ee5325b88c7ddb84ffe281a258662615d55224ecd531
Instruction ID: 7796c872ffd2a40f4599f64e239dfce0f4b7eca59f4ce814e50b4cdc66596a46
Opcode Fuzzy Hash: a4d11634e8cfc8b40087ee5325b88c7ddb84ffe281a258662615d55224ecd531
Instruction Fuzzy Hash: 92E01AF0A90308AFEB215BB0FC09B043AA5F7A2B02F108435F521D51E0DBF56099BF01

Uniqueness

Uniqueness Score: -1.00%

Function 00F0429E Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00F041B8), ref: 00F042B8
GetProcAddress.KERNEL32(00000000), ref: 00F042BF
EncodePointer.KERNEL32(00000000), ref: 00F042CA
DecodePointer.KERNEL32(00F041B8), ref: 00F042E5

Strings

RoUninitialize, xrefs: 00F042A7
combase.dll, xrefs: 00F042B3

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: 975f4ed69caac5e72e31601cb945ad09c939c6916f013f10d9ab7eeff8e62dda
Instruction ID: 5199a1c84eebe5021a32dd7e0e5193f7a54ca8d2c4d62025927da3871cb4d23b
Opcode Fuzzy Hash: 975f4ed69caac5e72e31601cb945ad09c939c6916f013f10d9ab7eeff8e62dda
Instruction Fuzzy Hash: 16E0B6B8A81308AFEB519B60FD0EB143AA4B766B42F204029F125E11A0CBF4A548FA15

Uniqueness

Uniqueness Score: -1.00%

Function 00F4675A Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00F468AD
_memmove.LIBCMT ref: 00F467E8

Part of subcall function 00EE9997: __itow.LIBCMT ref: 00EE99C2
Part of subcall function 00EE9997: __swprintf.LIBCMT ref: 00EE9A0C

_memmove.LIBCMT ref: 00F4685B
_memmove.LIBCMT ref: 00F46942
_memmove.LIBCMT ref: 00F4695B
_memmove.LIBCMT ref: 00F46977

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: 85db79b2357762b9e250be41096e75e0a8b11e2f4c8f4dceac26103551ccb84f
Instruction ID: 2c07e60dddec3a107663fbbda70ee33db5955780d0108161595e898d11e03d3a
Opcode Fuzzy Hash: 85db79b2357762b9e250be41096e75e0a8b11e2f4c8f4dceac26103551ccb84f
Instruction Fuzzy Hash: 1261AD3150069E9BDF11EF21CC81EFE3BA4AF49708F044519FC99AB292DB349D45EB51

Uniqueness

Uniqueness Score: -1.00%

Function 00F6046F Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE7F41: _memmove.LIBCMT ref: 00EE7F82

Part of subcall function 00F610A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F60038,?,?), ref: 00F610BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F60548
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00F60588
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00F605AB
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00F605D4
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00F60617
RegCloseKey.ADVAPI32(00000000), ref: 00F60624

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: 58f7b978eae95a06004a634f437d62d2e682699ab09ff94414bbea055bd5a235
Instruction ID: 897907a5903520342498d9185b976fdcb01599740a3011bd64b44d0fa369eacd
Opcode Fuzzy Hash: 58f7b978eae95a06004a634f437d62d2e682699ab09ff94414bbea055bd5a235
Instruction Fuzzy Hash: 7D517A31508244AFCB10EB14D885E6FBBE8FF88314F14492DF495972A2DB71E904EB52

Uniqueness

Uniqueness Score: -1.00%

Function 00F65A20 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00F65A82
GetMenuItemCount.USER32(00000000), ref: 00F65AB9
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00F65AE1
GetMenuItemID.USER32(?,?), ref: 00F65B50
GetSubMenu.USER32(?,?), ref: 00F65B5E
PostMessageW.USER32(?,00000111,?,00000000), ref: 00F65BAF

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: 2857c00db0642d36e336000c627632dc6daf267975db8798a6f7a57cbf3573b0
Instruction ID: d5ad0c488fc67ea3acbd1941b58fa3fad3ae641fca82847dff91d2768482c651
Opcode Fuzzy Hash: 2857c00db0642d36e336000c627632dc6daf267975db8798a6f7a57cbf3573b0
Instruction Fuzzy Hash: 62518132E00619AFCF11DFA4C845AAEB7F4EF48720F104469E811BB352CB75AE41AB90

Uniqueness

Uniqueness Score: -1.00%

Function 00F3F3DD Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00F3F3F7
VariantClear.OLEAUT32(00000013), ref: 00F3F469
VariantClear.OLEAUT32(00000000), ref: 00F3F4C4
_memmove.LIBCMT ref: 00F3F4EE
VariantClear.OLEAUT32(?), ref: 00F3F53B
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00F3F569

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: a1a962e527f7554e0191da54d280bf363a2b00110fe46bdc70e7734cf2f0dd48
Instruction ID: c62d49a5096a354f11bca50e523df6f92c62e7acb2dc85438e90658e8ae7b1af
Opcode Fuzzy Hash: a1a962e527f7554e0191da54d280bf363a2b00110fe46bdc70e7734cf2f0dd48
Instruction Fuzzy Hash: 8C5146B5A00209EFCB14CF58D884AAAB7B8FF4C364F15856AE959DB310D730E915CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00F426F9 Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F42747
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00F42792
IsMenu.USER32(00000000), ref: 00F427B2
CreatePopupMenu.USER32 ref: 00F427E6
GetMenuItemCount.USER32(000000FF), ref: 00F42844
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00F42875

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: 08ae0f17073fcbe68f00e357d06e199378523ebb9eeed078b3480a9d0f372b0c
Instruction ID: 29b15c1f00bd1e9510b5ab63bccecf432be545fccdeb28d2305a8fc849bf219b
Opcode Fuzzy Hash: 08ae0f17073fcbe68f00e357d06e199378523ebb9eeed078b3480a9d0f372b0c
Instruction Fuzzy Hash: 21518C70A00209EBDB64CF68D888BAEBFF4BF44324F54417AF8119B290D7748944EB61

Uniqueness

Uniqueness Score: -1.00%

Function 00EE1765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00EE2612: GetWindowLongW.USER32(?,000000EB), ref: 00EE2623

BeginPaint.USER32(?,?,?,?,?,?), ref: 00EE179A
GetWindowRect.USER32(?,?), ref: 00EE17FE
ScreenToClient.USER32(?,?), ref: 00EE181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00EE182C
EndPaint.USER32(?,?), ref: 00EE1876

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: 52991102229377249043f05065516353d3457f59171f09577ea931e5d272cd60
Instruction ID: 388f4cb2cb7f34f2c4900851feb05ca2300641cd7e468aa6201ba8323ddb9e2c
Opcode Fuzzy Hash: 52991102229377249043f05065516353d3457f59171f09577ea931e5d272cd60
Instruction Fuzzy Hash: 5C41BE70500348AFC710DF26DC84FBA7BF8EF4A724F040669F9A5D62A1C7759885EB61

Uniqueness

Uniqueness Score: -1.00%

Function 00F6B958 Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(00FA67B0,00000000,012B4C20,?,?,00FA67B0,?,00F6B862,?,?), ref: 00F6B9CC
EnableWindow.USER32(00000000,00000000), ref: 00F6B9F0
ShowWindow.USER32(00FA67B0,00000000,012B4C20,?,?,00FA67B0,?,00F6B862,?,?), ref: 00F6BA50
ShowWindow.USER32(00000000,00000004,?,00F6B862,?,?), ref: 00F6BA62
EnableWindow.USER32(00000000,00000001), ref: 00F6BA86
SendMessageW.USER32(?,0000130C,?,00000000), ref: 00F6BAA9

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 4a04f3dfd81d64e8ac5163ea9315c3a2d3aaf5774dbdee4ff5369f45d5db83f3
Instruction ID: a175cc15e2d6176fd889c7b4b3ee0ae8a4ac3600ee01526f7a40b21d94a868fe
Opcode Fuzzy Hash: 4a04f3dfd81d64e8ac5163ea9315c3a2d3aaf5774dbdee4ff5369f45d5db83f3
Instruction Fuzzy Hash: 49418030A00245AFDB26CF64D489B957BE0FF05325F1842B9FE58CF2A2C775A885EB50

Uniqueness

Uniqueness Score: -1.00%

Function 00F573B1 Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,00F55134,?,?,00000000,00000001), ref: 00F573BF

Part of subcall function 00F53C94: GetWindowRect.USER32(?,?), ref: 00F53CA7

GetDesktopWindow.USER32 ref: 00F573E9
GetWindowRect.USER32(00000000), ref: 00F573F0
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00F57422

Part of subcall function 00F454E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00F4555E

GetCursorPos.USER32(?), ref: 00F5744E
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00F574AC

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: c59da93aab5c83846a2c85fcaf35a92aeef0fe1e96c9728ba48f90b5e9c73bcd
Instruction ID: 87835f41681285eda9152586976c52b34ef79b00c5c2fbc3c2a2794f4c7c386a
Opcode Fuzzy Hash: c59da93aab5c83846a2c85fcaf35a92aeef0fe1e96c9728ba48f90b5e9c73bcd
Instruction Fuzzy Hash: F231C372508319ABD720EF14EC49E5ABBA9FB88314F000919F99997191C770ED48DB92

Uniqueness

Uniqueness Score: -1.00%

Function 00F38D5B Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F385F1: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00F38608
Part of subcall function 00F385F1: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00F38612
Part of subcall function 00F385F1: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00F38621
Part of subcall function 00F385F1: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00F38628
Part of subcall function 00F385F1: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00F3863E

GetLengthSid.ADVAPI32(?,00000000,00F38977), ref: 00F38DAC
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00F38DB8
HeapAlloc.KERNEL32(00000000), ref: 00F38DBF
CopySid.ADVAPI32(00000000,00000000,?), ref: 00F38DD8
GetProcessHeap.KERNEL32(00000000,00000000,00F38977), ref: 00F38DEC
HeapFree.KERNEL32(00000000), ref: 00F38DF3

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 3f7e0116f051432d47f8ba4bab44da1f5d3b4d134a55c0b8d1551eab98939c6b
Instruction ID: f73ce9dc7c8e88e47df5617832f2ee38aaa3a14f8aa99eaf77bae1461b26329d
Opcode Fuzzy Hash: 3f7e0116f051432d47f8ba4bab44da1f5d3b4d134a55c0b8d1551eab98939c6b
Instruction Fuzzy Hash: 5111E131900708FFDB108F64DC08BAE7769FF413B5F104029F84593251CB3AA905EB60

Uniqueness

Uniqueness Score: -1.00%

Function 00F38AF9 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00F38B2A
OpenProcessToken.ADVAPI32(00000000), ref: 00F38B31
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00F38B40
CloseHandle.KERNEL32(00000004), ref: 00F38B4B
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00F38B7A
DestroyEnvironmentBlock.USERENV(00000000), ref: 00F38B8E

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: f0306dbe4ad176a3e26df8ddf8bea7ff39729974ed032f70c69a350cfb9b331e
Instruction ID: 3231cee8cce55e9e6e8ddf20be9c9fccffe63bc60ef8bf9dfc12c0692e8a3372
Opcode Fuzzy Hash: f0306dbe4ad176a3e26df8ddf8bea7ff39729974ed032f70c69a350cfb9b331e
Instruction Fuzzy Hash: 65115CB250024EEBDF018FA4ED49FDABBA9EF48368F044064FE04A2160C7758D65AB60

Uniqueness

Uniqueness Score: -1.00%

Function 00F6C19A Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00EE12F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00EE134D
Part of subcall function 00EE12F3: SelectObject.GDI32(?,00000000), ref: 00EE135C
Part of subcall function 00EE12F3: BeginPath.GDI32(?), ref: 00EE1373
Part of subcall function 00EE12F3: SelectObject.GDI32(?,00000000), ref: 00EE139C

MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 00F6C1C4
LineTo.GDI32(00000000,00000003,?), ref: 00F6C1D8
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00F6C1E6
LineTo.GDI32(00000000,00000000,?), ref: 00F6C1F6
EndPath.GDI32(00000000), ref: 00F6C206
StrokePath.GDI32(00000000), ref: 00F6C216

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: fb381be3a06c4c1e28371822fbb35615d6bcf9c2125a080f25e161361eccb83b
Instruction ID: 7930e4f51112bae8c79c55a833bb3ee66ea9f5891cd87ab30440786b30c67b08
Opcode Fuzzy Hash: fb381be3a06c4c1e28371822fbb35615d6bcf9c2125a080f25e161361eccb83b
Instruction Fuzzy Hash: 7A110C7640414CBFDB119F91EC48EAA7FADEF093A4F048021FA5896161C7719D59EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00F003A2 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00F003D3
MapVirtualKeyW.USER32(00000010,00000000), ref: 00F003DB
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00F003E6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00F003F1
MapVirtualKeyW.USER32(00000011,00000000), ref: 00F003F9
MapVirtualKeyW.USER32(00000012,00000000), ref: 00F00401

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 9a1cd249ea6b78497dbe4fd0efa69144246ed6945068ccd3abac48d35b843542
Instruction ID: ad7bce91a1c3dfed5a9f837cc8bf6ce390385f7673230e0b1792d4b06deb739e
Opcode Fuzzy Hash: 9a1cd249ea6b78497dbe4fd0efa69144246ed6945068ccd3abac48d35b843542
Instruction Fuzzy Hash: F3016CB09017597DE3008F5A8C85B52FFA8FF19354F00411BE15C47941C7F5A868CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 00F4568B Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00F4569B
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00F456B1
GetWindowThreadProcessId.USER32(?,?), ref: 00F456C0
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00F456CF
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00F456D9
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00F456E0

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: ba6802b3620d15c30e85554ff6b3faef275de388f855d68905258d978e30b267
Instruction ID: caa2c5eaacdca8038ff1448c15fcd12447c1644e661b38ab324c02f906a9087f
Opcode Fuzzy Hash: ba6802b3620d15c30e85554ff6b3faef275de388f855d68905258d978e30b267
Instruction Fuzzy Hash: E6F06D3224111CBBE3205BA2EC0EEAB7E7CEBC6B11F000169FA10D105196E11A05A6B5

Uniqueness

Uniqueness Score: -1.00%

Function 00F474D2 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00F474E5
EnterCriticalSection.KERNEL32(?,?,00EF1044,?,?), ref: 00F474F6
TerminateThread.KERNEL32(00000000,000001F6,?,00EF1044,?,?), ref: 00F47503
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00EF1044,?,?), ref: 00F47510

Part of subcall function 00F46ED7: CloseHandle.KERNEL32(00000000,?,00F4751D,?,00EF1044,?,?), ref: 00F46EE1

InterlockedExchange.KERNEL32(?,000001F6), ref: 00F47523
LeaveCriticalSection.KERNEL32(?,?,00EF1044,?,?), ref: 00F4752A

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: e7e56854c7707a9dc4fc7da3a90d1dda96b94c417c5799776055443a2d2a52e7
Instruction ID: 1e7ccaaf1e940fa2d2e915be2a91f1108e0f2e60df362a0b8089c403db2ac09a
Opcode Fuzzy Hash: e7e56854c7707a9dc4fc7da3a90d1dda96b94c417c5799776055443a2d2a52e7
Instruction Fuzzy Hash: D0F05E3A544716EBDB112B64FC9C9EB7B2AFF46312B040531F612950B0CBB55805EF50

Uniqueness

Uniqueness Score: -1.00%

Function 00F38E74 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00F38E7F
UnloadUserProfile.USERENV(?,?), ref: 00F38E8B
CloseHandle.KERNEL32(?), ref: 00F38E94
CloseHandle.KERNEL32(?), ref: 00F38E9C
GetProcessHeap.KERNEL32(00000000,?), ref: 00F38EA5
HeapFree.KERNEL32(00000000), ref: 00F38EAC

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: a2dd3e03ef27e7eb7ff2bad6393ff92a6f0bdb00e72fdb2c3f67f9e8dd014aca
Instruction ID: aa4c2a058a767c17f51b2c1fb629df8a10729c39c9e33fe53c9570e20f9edf35
Opcode Fuzzy Hash: a2dd3e03ef27e7eb7ff2bad6393ff92a6f0bdb00e72fdb2c3f67f9e8dd014aca
Instruction Fuzzy Hash: CAE0C236004009FBDA011FE1FC0C90ABB69FB8A362B108230F22981170CBB29428EB50

Uniqueness

Uniqueness Score: -1.00%

Function 00F58902 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00F58928
CharUpperBuffW.USER32(?,?), ref: 00F58A37
VariantClear.OLEAUT32(?), ref: 00F58BAF

Part of subcall function 00F47804: VariantInit.OLEAUT32(00000000), ref: 00F47844
Part of subcall function 00F47804: VariantCopy.OLEAUT32(00000000,?), ref: 00F4784D
Part of subcall function 00F47804: VariantClear.OLEAUT32(00000000), ref: 00F47859

Strings

AUTOIT.ERROR, xrefs: 00F58A3D
Incorrect Parameter format, xrefs: 00F58960, 00F58B22

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: f2557ff542cb5fda5a74df56bef98be4f60f976b66b3e7487c9ed19405e9624f
Instruction ID: 61369eba935cb88cdd0b8f3afce92b59bfd004c26e1cbe8b296c36c07e9a053c
Opcode Fuzzy Hash: f2557ff542cb5fda5a74df56bef98be4f60f976b66b3e7487c9ed19405e9624f
Instruction Fuzzy Hash: 1091CF71608345DFC700DF24C48096ABBE4EFC8354F04492EF99A9B362DB31E90ADB52

Uniqueness

Uniqueness Score: -1.00%

Function 00F42F86 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00EFFEC6: _wcscpy.LIBCMT ref: 00EFFEE9

_memset.LIBCMT ref: 00F43077
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00F430A6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00F43159
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00F43187

Strings

0, xrefs: 00F43063

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: 20244b153f0cd83a57fe4b8790cb5fcf5ff4b3afd1179b7d71973d6d77b1ce01
Instruction ID: 6f5551f884c9abdfd49d6360f4615091e80787968bc9bf4ddb6abb2f977a7e36
Opcode Fuzzy Hash: 20244b153f0cd83a57fe4b8790cb5fcf5ff4b3afd1179b7d71973d6d77b1ce01
Instruction Fuzzy Hash: 53519E71E083009AD7259F28D845A6BBFE8EF95324F040A2EFC95D21D1DB74CE44E752

Uniqueness

Uniqueness Score: -1.00%

Function 00F3DA5D Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00F3DAC5
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00F3DAFB
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00F3DB0C
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00F3DB8E

Strings

DllGetClassObject, xrefs: 00F3DB01

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 553d0584c89ebf851549ef9374d496bb9169efbc11d1eeae02250f2aa7091ab5
Instruction ID: 1a78d664be55f6303a82abd4f6907caad014710b477704386f5fb9f105f2ac22
Opcode Fuzzy Hash: 553d0584c89ebf851549ef9374d496bb9169efbc11d1eeae02250f2aa7091ab5
Instruction Fuzzy Hash: C141B471600208DFDB15CF54D884B9ABBB9EF843A0F1580AEED059F255D7B1DE44EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00F42C42 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F42CAF
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00F42CCB
DeleteMenu.USER32(?,00000007,00000000), ref: 00F42D11
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00FA6890,00000000), ref: 00F42D5A

Strings

0, xrefs: 00F42CA4

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: 32dc8ddfbd83160bdb06e949853035f924777845c03ccb411b966b80872fa346
Instruction ID: 755777e14a594708174a3a7621ad8ca2e1c54a937b345db1db5d5066496a251d
Opcode Fuzzy Hash: 32dc8ddfbd83160bdb06e949853035f924777845c03ccb411b966b80872fa346
Instruction Fuzzy Hash: 9C41C031A043019FD720DF24CC85B1ABBE8EF85324F444A2EFD66972A1D770E904DB92

Uniqueness

Uniqueness Score: -1.00%

Function 00F5DAB9 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00F5DAD9

Part of subcall function 00EE79AB: _memmove.LIBCMT ref: 00EE79F9

Strings

stdcall, xrefs: 00F5DB5B
cdecl, xrefs: 00F5DB30
none, xrefs: 00F5DBB4
winapi, xrefs: 00F5DB4A

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: 47667ef2179e27ae6ceb9537555ef8077e849b51ebc2271b9721352d94cd3390
Instruction ID: 6053a48ad29904eeafcba66f21d4e664bf27e13e2a33f35e7941d3c0ac8b2909
Opcode Fuzzy Hash: 47667ef2179e27ae6ceb9537555ef8077e849b51ebc2271b9721352d94cd3390
Instruction Fuzzy Hash: F131E47190521AAFCF10EF54CC819EEB3B5FF54320F00862AE965A76E1CB71A909DB80

Uniqueness

Uniqueness Score: -1.00%

Function 00F39372 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE7F41: _memmove.LIBCMT ref: 00EE7F82

Part of subcall function 00F3B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00F3B0E7

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00F393F6
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00F39409
SendMessageW.USER32(?,00000189,?,00000000), ref: 00F39439

Part of subcall function 00EE7D2C: _memmove.LIBCMT ref: 00EE7D66

Strings

ListBox, xrefs: 00F393B5
ComboBox, xrefs: 00F39380

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: aabcf2b6ec4396cd17712ba64c2b7f1927e907c2e764dc4399c3ff0e30e72e8e
Instruction ID: fdd9152631da28266cd771b8e6762ec294ccf6114d3034ba4e72b866a1d362dd
Opcode Fuzzy Hash: aabcf2b6ec4396cd17712ba64c2b7f1927e907c2e764dc4399c3ff0e30e72e8e
Instruction Fuzzy Hash: D82104B2D08108AADB14AB74DC859FFB7A8DF05370F108129F935A72E0DBB5490AA620

Uniqueness

Uniqueness Score: -1.00%

Function 00F51B21 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00F51B40
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00F51B66
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00F51B96
InternetCloseHandle.WININET(00000000), ref: 00F51BDD

Part of subcall function 00F52777: GetLastError.KERNEL32(?,?,00F51B0B,00000000,00000000,00000001), ref: 00F5278C
Part of subcall function 00F52777: SetEvent.KERNEL32(?,?,00F51B0B,00000000,00000000,00000001), ref: 00F527A1

Strings

, xrefs: 00F51B87

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 04fe97c9fe6e08685e4d86cc57c4bcf8cbdb00fb1c26e11b93605e5d24882691
Instruction ID: 7d3412ac417a4a9b9f026bcdb01566b5411aeab85d07b58d3ee3c5ec435b32cc
Opcode Fuzzy Hash: 04fe97c9fe6e08685e4d86cc57c4bcf8cbdb00fb1c26e11b93605e5d24882691
Instruction Fuzzy Hash: 2E2192B150020CBFEB119F609C85FBF77ECFB89759F10412AFA05A6240EB64AD09A761

Uniqueness

Uniqueness Score: -1.00%

Function 00F66656 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00EE1D73
Part of subcall function 00EE1D35: GetStockObject.GDI32(00000011), ref: 00EE1D87
Part of subcall function 00EE1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00EE1D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00F666D0
LoadLibraryW.KERNEL32(?), ref: 00F666D7
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00F666EC
DestroyWindow.USER32(?), ref: 00F666F4

Strings

SysAnimate32, xrefs: 00F666AB

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: bad6b337a996ae42bcf32bd4a481b9d0e8148b407c90ac08ba53befab9466ae6
Instruction ID: 86b6c9510e48f45a987c5bb3666c07a39b26d54e5b02ba7f1cb87e476fe32132
Opcode Fuzzy Hash: bad6b337a996ae42bcf32bd4a481b9d0e8148b407c90ac08ba53befab9466ae6
Instruction Fuzzy Hash: 05216FB150020AABEF104F64EC81EBB77ADEB59378F104629F911D7190DBB2DC51B761

Uniqueness

Uniqueness Score: -1.00%

Function 00F4703E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00F4705E
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00F47091
GetStdHandle.KERNEL32(0000000C), ref: 00F470A3
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00F470DD

Strings

nul, xrefs: 00F470D8

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: a11b5dff17fab9f21c7cdb3d45ec53f49c8f70a4477ea59dad8b2e3afe5d306b
Instruction ID: f17f9c852e6e9a527fa8c3fde54a1ef8d5eb9d19cf3c4799df3a3b41a93408cd
Opcode Fuzzy Hash: a11b5dff17fab9f21c7cdb3d45ec53f49c8f70a4477ea59dad8b2e3afe5d306b
Instruction Fuzzy Hash: 44218E75905309ABDF20AF7CDC05A9A7BA8BF45730F204A19FCA1D72D0E7B09844AB51

Uniqueness

Uniqueness Score: -1.00%

Function 00F4710C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00F4712B
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00F4715D
GetStdHandle.KERNEL32(000000F6), ref: 00F4716E
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00F471A8

Strings

nul, xrefs: 00F471A3

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 3046c97b12fdac2927ab6d80346eafe268bcc613803b560875f2b36234c5a60d
Instruction ID: f0fa619c2bbfa82d7ee1391af5d5951a68289a117b01f7194d4cfa360ee55857
Opcode Fuzzy Hash: 3046c97b12fdac2927ab6d80346eafe268bcc613803b560875f2b36234c5a60d
Instruction Fuzzy Hash: 282195759043099BDF20AF689C04A9ABBE8AF95734F200B19FDB1D72D0D7709845EB51

Uniqueness

Uniqueness Score: -1.00%

Function 00F4AEAB Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00F4AEBF
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00F4AF13
__swprintf.LIBCMT ref: 00F4AF2C
SetErrorMode.KERNEL32(00000000,00000001,00000000,00F6F910), ref: 00F4AF6A

Strings

%lu, xrefs: 00F4AF26

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: 7c1aa61bcb3f5e91c6aeb3d0db3585b6022b8f1878cf853c86e49841550cb84b
Instruction ID: 36b9cf97b7ed7f949b7f16883d82495b3f159accf2fcef43628c32b39a81f408
Opcode Fuzzy Hash: 7c1aa61bcb3f5e91c6aeb3d0db3585b6022b8f1878cf853c86e49841550cb84b
Instruction Fuzzy Hash: 92216031A0014DAFCB10DB65DC85EAE7BF8EF89714B0040A9F909EB252DA71EA45DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00F3A52F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE7D2C: _memmove.LIBCMT ref: 00EE7D66

Part of subcall function 00F3A37C: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00F3A399
Part of subcall function 00F3A37C: GetWindowThreadProcessId.USER32(?,00000000), ref: 00F3A3AC
Part of subcall function 00F3A37C: GetCurrentThreadId.KERNEL32 ref: 00F3A3B3
Part of subcall function 00F3A37C: AttachThreadInput.USER32(00000000), ref: 00F3A3BA

GetFocus.USER32 ref: 00F3A554

Part of subcall function 00F3A3C5: GetParent.USER32(?), ref: 00F3A3D3

GetClassNameW.USER32(?,?,00000100), ref: 00F3A59D
EnumChildWindows.USER32(?,00F3A615), ref: 00F3A5C5
__swprintf.LIBCMT ref: 00F3A5DF

Strings

%s%d, xrefs: 00F3A5D9

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
String ID: %s%d
API String ID: 1941087503-1110647743
Opcode ID: 6b0f25bea21657877fab1b5058207999e557b6df518c7332983e474e6fe25582
Instruction ID: 596826589074a192dbbaa2f6bc0849abd78368a93e344a686f169e09ee0d895a
Opcode Fuzzy Hash: 6b0f25bea21657877fab1b5058207999e557b6df518c7332983e474e6fe25582
Instruction Fuzzy Hash: E211E4716042087BDF10BF62EC86FEE37BCAF49320F004075F948AA152CA755945AB72

Uniqueness

Uniqueness Score: -1.00%

Function 00F42017 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00F42048

Strings

APPEND, xrefs: 00F42081
EXISTS, xrefs: 00F42070
KEYS, xrefs: 00F4205F
REMOVE, xrefs: 00F4204E

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: d0bf8372c35e6ac783db2d2ea3f7878f079827fef46015efd4da29d3f1c54913
Instruction ID: b022d8bb76df1240d1ad01ec12f77a5ae9602fcd04bcdc39f41ad362983c8963
Opcode Fuzzy Hash: d0bf8372c35e6ac783db2d2ea3f7878f079827fef46015efd4da29d3f1c54913
Instruction Fuzzy Hash: E2116D3090010ACFCF40EFA8D8515EEB7F4FF25304F508469E855A7292EB32690AEF50

Uniqueness

Uniqueness Score: -1.00%

Function 00F5EE69 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00F5EF1B
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00F5EF4B
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00F5F07E
CloseHandle.KERNEL32(?), ref: 00F5F0FF

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: 6bf1556e97c36f765a3c1862c12b160438d34d85e87538ee0ec717343a5d8e89
Instruction ID: bf30e1bf44429a251e06d31311cb170e0b3d56426f0b0fba3aebe0252848251d
Opcode Fuzzy Hash: 6bf1556e97c36f765a3c1862c12b160438d34d85e87538ee0ec717343a5d8e89
Instruction Fuzzy Hash: D08162B16043009FD720DF25CC46F2AB7E5AF48720F14886DF999EB392DB70AD458B51

Uniqueness

Uniqueness Score: -1.00%

Function 00F602C2 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE7F41: _memmove.LIBCMT ref: 00EE7F82

Part of subcall function 00F610A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F60038,?,?), ref: 00F610BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F60388
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00F603C7
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00F6040E
RegCloseKey.ADVAPI32(?,?), ref: 00F6043A
RegCloseKey.ADVAPI32(00000000), ref: 00F60447

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: be9f2795269c638fdcbc1a39aa961d0f35b320cfb6e4c05a9170f9a98dc08d02
Instruction ID: 022f3aba9c069d3ebcb6ddaa0efd1021ff73cf34a9c491e7d7a1dff9b9e361dd
Opcode Fuzzy Hash: be9f2795269c638fdcbc1a39aa961d0f35b320cfb6e4c05a9170f9a98dc08d02
Instruction Fuzzy Hash: B8516731208244AFC704EB65DC81E6BB7E8FF88314F14892EF595972A2DB31E904EB52

Uniqueness

Uniqueness Score: -1.00%

Function 00F5DBDC Relevance: 7.6, APIs: 5, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE9997: __itow.LIBCMT ref: 00EE99C2
Part of subcall function 00EE9997: __swprintf.LIBCMT ref: 00EE9A0C

LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00F5DC3B
GetProcAddress.KERNEL32(00000000,?), ref: 00F5DCBE
GetProcAddress.KERNEL32(00000000,00000000), ref: 00F5DCDA
GetProcAddress.KERNEL32(00000000,?), ref: 00F5DD1B
FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00F5DD35

Part of subcall function 00EE5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00F47B20,?,?,00000000), ref: 00EE5B8C
Part of subcall function 00EE5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00F47B20,?,?,00000000,?,?), ref: 00EE5BB0

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: 091212c54ba328f31137d680637801ab03d6e5f1d94950b85bfa9f0b3eaa5a00
Instruction ID: a9de9b62fdc4b3f5fe1081abc6652199829c0732c15603a71f1f683b08a3de89
Opcode Fuzzy Hash: 091212c54ba328f31137d680637801ab03d6e5f1d94950b85bfa9f0b3eaa5a00
Instruction Fuzzy Hash: 14514835A01609DFCB10EF68C4849ADF7F4FF49325B1580A9E919AB312DB70AD49DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00F4E7DC Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00F4E88A
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00F4E8B3
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00F4E8F2

Part of subcall function 00EE9997: __itow.LIBCMT ref: 00EE99C2
Part of subcall function 00EE9997: __swprintf.LIBCMT ref: 00EE9A0C

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00F4E917
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00F4E91F

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: ca41df43d10c957658f5c3e0c3fb9b5cb649d4d5d833cbc1b5f9b078761cbcfe
Instruction ID: a8de65aeca8fb4b698367bc9fea0225e5a73384bb95e3d048ce1e9a6e454505e
Opcode Fuzzy Hash: ca41df43d10c957658f5c3e0c3fb9b5cb649d4d5d833cbc1b5f9b078761cbcfe
Instruction Fuzzy Hash: 58510C35A00249EFCF01EF65C9819ADBBF5FF48314B1480A9E849AB362CB35ED55DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00F6A2C5 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae796d8c5710d7841d19f228105c6bd0053f598b9c02b4ccff1737992cd1c88b
Instruction ID: efb93dad77a51534eab92d1c0bd93ca51ab81739334c40725e194ee20ad10b53
Opcode Fuzzy Hash: ae796d8c5710d7841d19f228105c6bd0053f598b9c02b4ccff1737992cd1c88b
Instruction Fuzzy Hash: 7341B035D00208ABD720DF28DC49FA9BBA8EB09320F184165E966F72E1DB71AD51FE51

Uniqueness

Uniqueness Score: -1.00%

Function 00EE2344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00EE2357
ScreenToClient.USER32(00FA67B0,?), ref: 00EE2374
GetAsyncKeyState.USER32(00000001), ref: 00EE2399
GetAsyncKeyState.USER32(00000002), ref: 00EE23A7

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 1335fe751d07e4b55e3ad04003bc1d95838d8db1959645eef2ed434f32494b75
Instruction ID: a1a84aeb3518f7cc25fd991b6c1cd7e3f8abc2c407231dea9ef4f3f12aa93d41
Opcode Fuzzy Hash: 1335fe751d07e4b55e3ad04003bc1d95838d8db1959645eef2ed434f32494b75
Instruction Fuzzy Hash: D241AF3190415AFBCF158FA9CC44AE9BBB8FB05324F20431AF929A2290C7755D94EFD1

Uniqueness

Uniqueness Score: -1.00%

Function 00F36920 Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F3695D
TranslateAcceleratorW.USER32(?,?,?), ref: 00F369A9
TranslateMessage.USER32(?), ref: 00F369D2
DispatchMessageW.USER32(?), ref: 00F369DC
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F369EB

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: e77099c62942272f76d0f678288c2e5da1165ba6aa9b83243101ecefe85bb15f
Instruction ID: ab90c9d7c24f4b3fdcbe233e7337b2eedd4f03b0814d48f52909e6637ce4c8a8
Opcode Fuzzy Hash: e77099c62942272f76d0f678288c2e5da1165ba6aa9b83243101ecefe85bb15f
Instruction Fuzzy Hash: 4C31E57190124ABADF21CF70DC44BB67BECAB06334F188165E422D71A1D7759889F790

Uniqueness

Uniqueness Score: -1.00%

Function 00F38F01 Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00F38F12
PostMessageW.USER32(?,00000201,00000001), ref: 00F38FBC
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00F38FC4
PostMessageW.USER32(?,00000202,00000000), ref: 00F38FD2
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00F38FDA

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 32ffbb2494be061f4c4355ccaf59016b0210dded14bf618b3d475a81adaccc98
Instruction ID: b5b0defb4b43a6aef6e86c0db909f5b35593b16b9c2cbd5f82aae60340057caf
Opcode Fuzzy Hash: 32ffbb2494be061f4c4355ccaf59016b0210dded14bf618b3d475a81adaccc98
Instruction Fuzzy Hash: A231DC71900219EBDB00CF78E948A9E7BB6EB04365F104229F924AB2D1C7B49914EB90

Uniqueness

Uniqueness Score: -1.00%

Function 00F3B6AF Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00F3B6C7
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00F3B6E4
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00F3B71C
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00F3B742
_wcsstr.LIBCMT ref: 00F3B74C

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: d5ee3aa480c8a4e1958ad661622595b84117af7459734e7aa3defa6e295b808a
Instruction ID: 210bddf291c044e5d86fc43e1b9b021151a1264e204559f1f3ca2ba535ff1e95
Opcode Fuzzy Hash: d5ee3aa480c8a4e1958ad661622595b84117af7459734e7aa3defa6e295b808a
Instruction Fuzzy Hash: B421D732604204BAEB255B39EC5AE7B7B98DF85770F104079FD05CA1A1EF65DC40B6A0

Uniqueness

Uniqueness Score: -1.00%

Function 00F6B405 Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00EE2612: GetWindowLongW.USER32(?,000000EB), ref: 00EE2623

GetWindowLongW.USER32(?,000000F0), ref: 00F6B44C
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 00F6B471
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00F6B489
GetSystemMetrics.USER32(00000004), ref: 00F6B4B2
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00F51184,00000000), ref: 00F6B4D0

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: f92080110f582d49670a6248990adefe7d4167ac0e0f91fb7c673e631ea51429
Instruction ID: 98a2e54cb19d7b745bd3dffc4229ae30d7fcf3a1378b0e8e275672fc531d0c29
Opcode Fuzzy Hash: f92080110f582d49670a6248990adefe7d4167ac0e0f91fb7c673e631ea51429
Instruction Fuzzy Hash: C0215E71914255AFCB10DF38DC08B6A37A4EB05730B144729E926D61E2EB309890EB90

Uniqueness

Uniqueness Score: -1.00%

Function 00F397E9 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00F39802

Part of subcall function 00EE7D2C: _memmove.LIBCMT ref: 00EE7D66

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00F39834
__itow.LIBCMT ref: 00F3984C
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00F39874
__itow.LIBCMT ref: 00F39885

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: 19a094e0ff7c00d02afddde670791bdecfbdb47dcbcde4e58a9fb9fdd23b7e2d
Instruction ID: 5c7025cb124ae0c2521dfebb10714916c555bafa66badd3d631d45e6f25fce67
Opcode Fuzzy Hash: 19a094e0ff7c00d02afddde670791bdecfbdb47dcbcde4e58a9fb9fdd23b7e2d
Instruction Fuzzy Hash: 5521DA31B05248ABDB109B65DC86EEE7BACDF8A730F440029FD14EB291D6F18D45A791

Uniqueness

Uniqueness Score: -1.00%

Function 00EE12F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00EE134D
SelectObject.GDI32(?,00000000), ref: 00EE135C
BeginPath.GDI32(?), ref: 00EE1373
SelectObject.GDI32(?,00000000), ref: 00EE139C

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: df035949b3a3b7c80fdb97e7284385115ca91f50515f0ab7956aad04e7db0c62
Instruction ID: a3448e9ae0001d4a2857826c21509d8d6477eb6e8846819c0f0e43ed31029f5a
Opcode Fuzzy Hash: df035949b3a3b7c80fdb97e7284385115ca91f50515f0ab7956aad04e7db0c62
Instruction Fuzzy Hash: BA216AB080024CEFDB108F26EC047A97BBCFF01725F188266F820E61A0D3B598D5EB90

Uniqueness

Uniqueness Score: -1.00%

Function 00F3C161 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 00F3C176
_memcmp.LIBCMT ref: 00F3C194
_memcmp.LIBCMT ref: 00F3C1A7
_memcmp.LIBCMT ref: 00F3C1BF
_memcmp.LIBCMT ref: 00F3C1D7

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: d00ccbd64ba688a4421d3d69d9e50f23d47cf140aa11f5ec842dc294a5fae913
Instruction ID: 72489431f5834f4790272510b5980f5b7ce548e7d4f17090af0a6b9ed0c859a6
Opcode Fuzzy Hash: d00ccbd64ba688a4421d3d69d9e50f23d47cf140aa11f5ec842dc294a5fae913
Instruction Fuzzy Hash: 690175B2A042157BE214B7259C52FBB775CAB613B4F448025FD08A6283EB55EE11B3E2

Uniqueness

Uniqueness Score: -1.00%

Function 00F44D35 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00F44D5C
__beginthreadex.LIBCMT ref: 00F44D7A
MessageBoxW.USER32(?,?,?,?), ref: 00F44D8F
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00F44DA5
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00F44DAC

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: 59d41f9c9cfabe37762814b6624c577b801b94ddf7c9fb67a61df4be037b4c59
Instruction ID: d2c34afcc13fd60109102b139da851d17b10f8652fc61ef559956fade9765372
Opcode Fuzzy Hash: 59d41f9c9cfabe37762814b6624c577b801b94ddf7c9fb67a61df4be037b4c59
Instruction Fuzzy Hash: 9B11C8B6D0424CBBCB119FA8EC04B9A7FECEB4A320F144265FD24E3351D6B59D44A7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00F3874A Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00F38766
GetLastError.KERNEL32(?,00F3822A,?,?,?), ref: 00F38770
GetProcessHeap.KERNEL32(00000008,?,?,00F3822A,?,?,?), ref: 00F3877F
HeapAlloc.KERNEL32(00000000,?,00F3822A,?,?,?), ref: 00F38786
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00F3879D

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 73f29324f5f3e2803e5a9a1966761fb4f1cc77df4ed97d39a01ffeb903d1f987
Instruction ID: 38be1d9dd5a49d4c58f9b94165f2312b551418b7f72cb275f8ebb27df532478c
Opcode Fuzzy Hash: 73f29324f5f3e2803e5a9a1966761fb4f1cc77df4ed97d39a01ffeb903d1f987
Instruction Fuzzy Hash: 42016271600208FFDB104FA5EC48D677B6DFF863A5B200439F859C2260DA768C15EB60

Uniqueness

Uniqueness Score: -1.00%

Function 00F454E6 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00F45502
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00F45510
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00F45518
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00F45522
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00F4555E

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 448e517b04befd3e6a9030e05711287a250aeb9b71db16d59aaa2374c680e260
Instruction ID: 179445cabbb3e8f2ac5c3e2aae9e7991a24f5a2ebc0cbfa10d1af2332b30ebfa
Opcode Fuzzy Hash: 448e517b04befd3e6a9030e05711287a250aeb9b71db16d59aaa2374c680e260
Instruction Fuzzy Hash: 4F015B36C00A1DDBDF00EFE8E8486EDBB78BB0AB15F440056E811B2241DB709554E7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00F37652 Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00F3758C,80070057,?,?,?,00F3799D), ref: 00F3766F
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00F3758C,80070057,?,?), ref: 00F3768A
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00F3758C,80070057,?,?), ref: 00F37698
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00F3758C,80070057,?), ref: 00F376A8
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00F3758C,80070057,?,?), ref: 00F376B4

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 1c7d044f751ab1da388070f0e149a8111913fcad405c0c7e198a92b80e58c8b8
Instruction ID: d5d361eac497059dff75a071c86ad6bd774a6e8b8ec834cadd2e1ecdb01057a4
Opcode Fuzzy Hash: 1c7d044f751ab1da388070f0e149a8111913fcad405c0c7e198a92b80e58c8b8
Instruction Fuzzy Hash: 180171B3605708ABDB206F69EC45BAA7BEDEB44761F140068FD04D3211E771DD44ABA0

Uniqueness

Uniqueness Score: -1.00%

Function 00F385F1 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00F38608
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00F38612
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00F38621
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00F38628
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00F3863E

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 47bb84bbc3aaab419376c99d1d870ec7df56c5d81939e59537e6141d3bdb7594
Instruction ID: b3070134f1d7646932667dae7e3d791a6b14960aab358fb1cdad89f77d909084
Opcode Fuzzy Hash: 47bb84bbc3aaab419376c99d1d870ec7df56c5d81939e59537e6141d3bdb7594
Instruction Fuzzy Hash: 30F04431201308BFD7100FA5EC8AE6B3BACEF467A4F000429F555C7150CBA59C45FA60

Uniqueness

Uniqueness Score: -1.00%

Function 00F38652 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00F38669
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00F38673
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00F38682
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00F38689
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00F3869F

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: c91c81c7b324bb153dff5d7a46231b4cbbd7cc1856d95a04082ef6dac8260f3e
Instruction ID: bc07c9fc168ea44bd3bfbfa3bc0a70977be0797b1aa446e7ab29a0475d76410c
Opcode Fuzzy Hash: c91c81c7b324bb153dff5d7a46231b4cbbd7cc1856d95a04082ef6dac8260f3e
Instruction Fuzzy Hash: AFF04FB1200308BFEB111FA5EC89E673BACEF8A7A4F100025F955C6150CAA5DD45FA60

Uniqueness

Uniqueness Score: -1.00%

Function 00F3C6A6 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00F3C6BA
GetWindowTextW.USER32(00000000,?,00000100), ref: 00F3C6D1
MessageBeep.USER32(00000000), ref: 00F3C6E9
KillTimer.USER32(?,0000040A), ref: 00F3C705
EndDialog.USER32(?,00000001), ref: 00F3C71F

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 7ea8f11d1cea78631d269b94a6cf64d2a931fd22680d34c906eee6f72d5b1aca
Instruction ID: 0438c5a82755e0c4744f14df8684c4d0581d381c72b7be74dd5679b402a7c904
Opcode Fuzzy Hash: 7ea8f11d1cea78631d269b94a6cf64d2a931fd22680d34c906eee6f72d5b1aca
Instruction Fuzzy Hash: 3601863090070CABEB21AB24ED4EF9677B8FF00755F000669F596B14E1DBF1A958AF90

Uniqueness

Uniqueness Score: -1.00%

Function 00EE13B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00EE13BF
StrokeAndFillPath.GDI32(?,?,00F1BAD8,00000000,?), ref: 00EE13DB
SelectObject.GDI32(?,00000000), ref: 00EE13EE
DeleteObject.GDI32 ref: 00EE1401
StrokePath.GDI32(?), ref: 00EE141C

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 4d3cf4423e49a909ef9101487b6f736c615a1d3a7774e7f22a08a136e4649d8c
Instruction ID: 666797da0a613c550532c2367c01537fa144f60bffa4d389fdd8a55256cd09b3
Opcode Fuzzy Hash: 4d3cf4423e49a909ef9101487b6f736c615a1d3a7774e7f22a08a136e4649d8c
Instruction Fuzzy Hash: 73F0C4B400434CEBDB115F66EC0C7583FA8AB0272AF089264E43A951F1C7798999EF51

Uniqueness

Uniqueness Score: -1.00%

Function 00F4C602 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00F4C69D
CoCreateInstance.OLE32(00F72D6C,00000000,00000001,00F72BDC,?), ref: 00F4C6B5

Part of subcall function 00EE7F41: _memmove.LIBCMT ref: 00EE7F82

CoUninitialize.OLE32 ref: 00F4C922

Strings

.lnk, xrefs: 00F4C631, 00F4C659, 00F4C663

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: 0f7cfaac87ccb77213ae54516cdfb4796000416d04ce936e31dbcabee5f3aa49
Instruction ID: d8db0e5a3e69607dae12b66e8566547717d342f275b47066911c3daf6dc76351
Opcode Fuzzy Hash: 0f7cfaac87ccb77213ae54516cdfb4796000416d04ce936e31dbcabee5f3aa49
Instruction Fuzzy Hash: CAA14D71104245AFD700EF64C881EABB7E8EF94304F00592DF59AA7192EB70EE49CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00EF2E5B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00F00FF6: std::exception::exception.LIBCMT ref: 00F0102C
Part of subcall function 00F00FF6: __CxxThrowException@8.LIBCMT ref: 00F01041

Part of subcall function 00EE7F41: _memmove.LIBCMT ref: 00EE7F82

Part of subcall function 00EE7BB1: _memmove.LIBCMT ref: 00EE7C0B

__swprintf.LIBCMT ref: 00EF302D

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00EF2EC6

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: 79d795dba69870f0462dae70f92108ad79577d3006de8c2fc944901f663e8a85
Instruction ID: 89b8a959b4cf11177bfed3caf7536d1659cae0dc16050abb524dff23612c4b8e
Opcode Fuzzy Hash: 79d795dba69870f0462dae70f92108ad79577d3006de8c2fc944901f663e8a85
Instruction Fuzzy Hash: 54919C325082499FCB18EF24D985C7EB7E4EF85750F00591EF986A72A1EE20EE44DB52

Uniqueness

Uniqueness Score: -1.00%

Function 00F4BBA6 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00EE48A1,?,?,00EE37C0,?), ref: 00EE48CE

CoInitialize.OLE32(00000000), ref: 00F4BC26
CoCreateInstance.OLE32(00F72D6C,00000000,00000001,00F72BDC,?), ref: 00F4BC3F
CoUninitialize.OLE32 ref: 00F4BC5C

Part of subcall function 00EE9997: __itow.LIBCMT ref: 00EE99C2
Part of subcall function 00EE9997: __swprintf.LIBCMT ref: 00EE9A0C

Strings

.lnk, xrefs: 00F4BC08, 00F4BC16

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: 5b29708d4caeb7985dbaf067f13bdb62554b249098e59c961dbe75f6661a3bdd
Instruction ID: 20bd27c888cbec59e2cad2643bfd52f768d37dd427f7ee308fab1b3c281418ce
Opcode Fuzzy Hash: 5b29708d4caeb7985dbaf067f13bdb62554b249098e59c961dbe75f6661a3bdd
Instruction Fuzzy Hash: C6A14475A043459FCB00DF15C484D5ABBE5FF88324F148998F899AB3A2CB31ED45DB92

Uniqueness

Uniqueness Score: -1.00%

Function 00F0524D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00F052DD

Part of subcall function 00F10340: __87except.LIBCMT ref: 00F1037B

Strings

pow, xrefs: 00F052B5, 00F052D2

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: b087a739401c3de864a0e4f28786267067c9eff8dbf636731367c1e92bbfd1fd
Instruction ID: 147694e61295a5beca9170655adb6243bd072c7a1275961702c4332b0da06798
Opcode Fuzzy Hash: b087a739401c3de864a0e4f28786267067c9eff8dbf636731367c1e92bbfd1fd
Instruction Fuzzy Hash: 10515961E1D70587CB11B724CD813BB7B949F00B60F604D69E099862E9EEF88CD4BE46

Uniqueness

Uniqueness Score: -1.00%

Function 00F0023B Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163COMMON

Download Yara Rule

Strings

+, xrefs: 00F00277
#, xrefs: 00F00280

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID:
String ID: #$+
API String ID: 0-2552117581
Opcode ID: c45bd57d65532af05b9c006071e861ca0e8f7ad7ffaf1556ba69154d1f2a2524
Instruction ID: fea18bad9b15060b5276c7685a48e506e21474aaa6dbd693eface0cf2c2a7c15
Opcode Fuzzy Hash: c45bd57d65532af05b9c006071e861ca0e8f7ad7ffaf1556ba69154d1f2a2524
Instruction Fuzzy Hash: 7051237590864A8FCF169F28C8887FE7BA4EF96730F144055EC919B2E0DB349D42E760

Uniqueness

Uniqueness Score: -1.00%

Function 00EF3297 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 161COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00EF33D7
_memmove.LIBCMT ref: 00EF3470
_free.LIBCMT ref: 00EF3496
_memmove.LIBCMT ref: 00EF3549

Strings

Oa, xrefs: 00EF3482

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: _memmove$_free
String ID: Oa
API String ID: 2620147621-3945284152
Opcode ID: 7faa0f7d39c94aff97b45f55c9ccab344877b709296955fddf0adb258ad69cae
Instruction ID: aa9aec4f8c92e1f73a8c886394dfe26401a1a16d486f0b57dc80e4505c3025de
Opcode Fuzzy Hash: 7faa0f7d39c94aff97b45f55c9ccab344877b709296955fddf0adb258ad69cae
Instruction Fuzzy Hash: 005169B1A083459FDB24CF28C841B2ABBE1FF85314F04582DEA89D7391DB31D901DB92

Uniqueness

Uniqueness Score: -1.00%

Function 00EF62F2 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00EF63A8
_memmove.LIBCMT ref: 00EF6446
_memset.LIBCMT ref: 00EF646A

Strings

ERCP, xrefs: 00EF6313

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: _memset$_memmove
String ID: ERCP
API String ID: 2532777613-1384759551
Opcode ID: 2b9abd2532d773ace59710590807c98a02decda0d0b04c4086d02df4e91df51f
Instruction ID: 17261850477342fc911c55eb0695ac397260b8bf837afd2b1016210336815f34
Opcode Fuzzy Hash: 2b9abd2532d773ace59710590807c98a02decda0d0b04c4086d02df4e91df51f
Instruction Fuzzy Hash: 7651B1719003099BDB24DF65C8817EABBF8FF04724F20856EEA5ADB241E7759984DB40

Uniqueness

Uniqueness Score: -1.00%

Function 00F67BB5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00F6F910,00000000,?,?,?,?), ref: 00F67C4E
GetWindowLongW.USER32 ref: 00F67C6B
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00F67C7B

Strings

SysTreeView32, xrefs: 00F67C20

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 723c81d209c8b1bae5c2c0faf46656aed6516e90d807dc9430c055c51c1b7e83
Instruction ID: 8768238d2ac68fa67ef2e50ed5294e2f284b9591b178b045e3baaf7a376ce145
Opcode Fuzzy Hash: 723c81d209c8b1bae5c2c0faf46656aed6516e90d807dc9430c055c51c1b7e83
Instruction Fuzzy Hash: 7F319E31A0420AABDB119F38DC41BEA77A9EB49338F244725F975E32E0D731EC51AB50

Uniqueness

Uniqueness Score: -1.00%

Function 00F67648 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00F676D0
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00F676E4
SendMessageW.USER32(?,00001002,00000000,?), ref: 00F67708

Strings

SysMonthCal32, xrefs: 00F6769B

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: c19e2956b8a96f8110932cf09c6b3f761a8752fbd023ad49f4cb1f7d6bcfe501
Instruction ID: 827b30ff83a9b8a980b78b658085ad48c61f5fb6c1cd33ea98b567bbd9b7f031
Opcode Fuzzy Hash: c19e2956b8a96f8110932cf09c6b3f761a8752fbd023ad49f4cb1f7d6bcfe501
Instruction Fuzzy Hash: 2F21E532504218BBDF11DF64CC42FEA3B79EF48724F110214FE156B1D0DAB2A850ABA0

Uniqueness

Uniqueness Score: -1.00%

Function 00F66F1F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00F66FAA
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00F66FBA
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00F66FDF

Strings

Listbox, xrefs: 00F66F77

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 221bf7f0788f1a24d4613556153270d8a43602838155fc74becd061405ce9581
Instruction ID: 91f26d05c186058a6544eae3d2d3b2c6b51d409f81ddb12226c7b42392739189
Opcode Fuzzy Hash: 221bf7f0788f1a24d4613556153270d8a43602838155fc74becd061405ce9581
Instruction Fuzzy Hash: 7221A472A10118BFDF118F54EC85FAB37AAEF89764F018124F914DB190DA71AC51EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00F6797D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00F679E1
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00F679F6
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00F67A03

Strings

msctls_trackbar32, xrefs: 00F679B8

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 09b4e297786f396a48c5c33691d382a183907bd14a4885903b6596acc0a2b352
Instruction ID: eedb627b1321fa65016d03c5b5e2e084afe6f856fe01b635fbde71ed91e1efa4
Opcode Fuzzy Hash: 09b4e297786f396a48c5c33691d382a183907bd14a4885903b6596acc0a2b352
Instruction Fuzzy Hash: 2D110A72654308BBEF10AF70CC05FDB77A9EF89768F110519F651A60A0D671D851EB60

Uniqueness

Uniqueness Score: -1.00%

Function 00EE4C95 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00EE4C2E), ref: 00EE4CA3
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00EE4CB5

Strings

GetNativeSystemInfo, xrefs: 00EE4CAF
kernel32.dll, xrefs: 00EE4C9E

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: 897dcc255c33e8aa7af93b964e80ceea64a60038bb351cb49af551146acbaf19
Instruction ID: c84f08e757e50614e0d55bcb61ebce6f252bec68d4c66d8819965372e85b0485
Opcode Fuzzy Hash: 897dcc255c33e8aa7af93b964e80ceea64a60038bb351cb49af551146acbaf19
Instruction Fuzzy Hash: 6DD05B7051072BCFD7209F31ED18606B6D5AF05799B31DC3ED895D7190E7B0D484D651

Uniqueness

Uniqueness Score: -1.00%

Function 00EE4D94 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00EE4CE1,?), ref: 00EE4DA2
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00EE4DB4

Strings

kernel32.dll, xrefs: 00EE4D9D
Wow64RevertWow64FsRedirection, xrefs: 00EE4DAE

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 6a730995a0b3d1cd79aec31772754524bf911a8f6041372335dbb2d985a203bb
Instruction ID: d2cb1c82e9b0ce28979a3c506aa1c3880e8ac1baec639e93cfdb517011ef74fe
Opcode Fuzzy Hash: 6a730995a0b3d1cd79aec31772754524bf911a8f6041372335dbb2d985a203bb
Instruction Fuzzy Hash: 95D05E71950717CFDB209F32EC08B8676E4AF0639DB11D83ED8D6E61A0E7B0D884DA51

Uniqueness

Uniqueness Score: -1.00%

Function 00EE4D61 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00EE4D2E,?,00EE4F4F,?,00FA62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00EE4D6F
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00EE4D81

Strings

kernel32.dll, xrefs: 00EE4D6A
Wow64DisableWow64FsRedirection, xrefs: 00EE4D7B

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 4436e07d93c35116582fd058ebcb17b4729b318a5f24d95e23f04d88b5d42643
Instruction ID: c8441161835cbcb6872c6cb0c552497551bd9effb65de5ce035799690e7bfbe3
Opcode Fuzzy Hash: 4436e07d93c35116582fd058ebcb17b4729b318a5f24d95e23f04d88b5d42643
Instruction Fuzzy Hash: 7AD02E70910317CFDB209F32EC0824272E8BF0A39AB10C83ED492E26A0E7B0D880DE10

Uniqueness

Uniqueness Score: -1.00%

Function 00F61072 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,00F612C1), ref: 00F61080
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00F61092

Strings

RegDeleteKeyExW, xrefs: 00F6108C
advapi32.dll, xrefs: 00F6107B

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: f67f94f44b74e2b7ace0305081b69d4937a0f2e9f24d910bd33f6f51d8e8a0ba
Instruction ID: 0600b2834a15a50cbdc671a4e41815e775b358508677f967ee595157d9b11973
Opcode Fuzzy Hash: f67f94f44b74e2b7ace0305081b69d4937a0f2e9f24d910bd33f6f51d8e8a0ba
Instruction Fuzzy Hash: A2D01730910712DFEB209F35E918A1A76E4EF067A1B15DC3AE49ADA150E7B0C8C0EB51

Uniqueness

Uniqueness Score: -1.00%

Function 00F593F5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,00F59009,?,00F6F910), ref: 00F59403
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00F59415

Strings

kernel32.dll, xrefs: 00F593FE
GetModuleHandleExW, xrefs: 00F5940F

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 419b74bbec60280e8cdb6e24de81f6abe25d0f7dd3398ec82893688b263754b2
Instruction ID: 18326f95590d7ae188b5755646af021fc4ccf0b6749459804405234190263693
Opcode Fuzzy Hash: 419b74bbec60280e8cdb6e24de81f6abe25d0f7dd3398ec82893688b263754b2
Instruction Fuzzy Hash: A4D01734918717CFDB209F31E90860676E5AF063A6B11C83AE996D6550E6B0C889FA51

Uniqueness

Uniqueness Score: -1.00%

Function 00F21B3E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00F21B42
__swprintf.LIBCMT ref: 00F21B73

Strings

WIN_XPe, xrefs: 00F21BB2
%.3d, xrefs: 00F21B4D

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: 74fab93d5be2504f93e82e9698027273e609f0d5c41bf662abf2057a22273c37
Instruction ID: 8e3bedb66dc688ad28d804e392e7c6c594c2a79e204d6a29e54bbf738165e14d
Opcode Fuzzy Hash: 74fab93d5be2504f93e82e9698027273e609f0d5c41bf662abf2057a22273c37
Instruction Fuzzy Hash: 4BD01273C0816CEACB149B90AC54AF9737CB754301F1005D3F902A1040F2749B85BB2A

Uniqueness

Uniqueness Score: -1.00%

Function 00F376C5 Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcd28ed7a5227497791821d0dab9fc95158a798503f5c951c80e22840e54eddf
Instruction ID: 62d5692c9588d389c51941397a41df2a36bb836af5504afacdbe37b17ab5e590
Opcode Fuzzy Hash: fcd28ed7a5227497791821d0dab9fc95158a798503f5c951c80e22840e54eddf
Instruction Fuzzy Hash: 66C15EB5A04216EFCB24DF94C884EAEB7B5FF48724F218598E805EB251D730ED41EB90

Uniqueness

Uniqueness Score: -1.00%

Function 00F5E33E Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00F5E3D2
CharLowerBuffW.USER32(?,?), ref: 00F5E415

Part of subcall function 00F5DAB9: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00F5DAD9

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00F5E615
_memmove.LIBCMT ref: 00F5E628

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: fe965d6cab9778d66a88d847bf4fc41abc6c33eb0cec87539aecce4f63dd4e30
Instruction ID: 4b44413d79738c9e2aabb1b60be4a911ca493b38b8506a7038977d7e89b8ad6b
Opcode Fuzzy Hash: fe965d6cab9778d66a88d847bf4fc41abc6c33eb0cec87539aecce4f63dd4e30
Instruction Fuzzy Hash: A3C16D71A083419FC714DF28C480A5ABBE4FF88714F14896DF999DB352D731EA49DB82

Uniqueness

Uniqueness Score: -1.00%

Function 00F583A8 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00F583D8
CoUninitialize.OLE32 ref: 00F583E3

Part of subcall function 00F3DA5D: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00F3DAC5

VariantInit.OLEAUT32(?), ref: 00F583EE
VariantClear.OLEAUT32(?), ref: 00F586BF

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: a56e1395f0e3fdd8310081eefb963a8497a2f1670cee020de4c601946a1532c5
Instruction ID: 21644ee62cea3ff846bef94d9832f9b6904cf8e526b84bce745c3d2b76eaacb6
Opcode Fuzzy Hash: a56e1395f0e3fdd8310081eefb963a8497a2f1670cee020de4c601946a1532c5
Instruction Fuzzy Hash: 00A16B756047459FCB10EF15C881B2AB7E4BF88364F14445CFA9AAB3A2CB30ED09DB42

Uniqueness

Uniqueness Score: -1.00%

Function 00F37A78 Relevance: 6.2, APIs: 4, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00F72C7C,?), ref: 00F37C32
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00F72C7C,?), ref: 00F37C4A
CLSIDFromProgID.OLE32(?,?,00000000,00F6FB80,000000FF,?,00000000,00000800,00000000,?,00F72C7C,?), ref: 00F37C6F
_memcmp.LIBCMT ref: 00F37C90

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 9e5367efca7a7811d0ad097c084186a5274f81f9ffb476fa3ed6a494224d222d
Instruction ID: 3dc5820a5499ce0fc53fb3501fe196aae8ef37ea6705935726ca80f1849d973c
Opcode Fuzzy Hash: 9e5367efca7a7811d0ad097c084186a5274f81f9ffb476fa3ed6a494224d222d
Instruction Fuzzy Hash: AC811B71A00209EFCB14DF94C984EEEB7B9FF89325F244198E515AB260DB71AE05DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00F36DF3 Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00F36E04
SysAllocString.OLEAUT32(00000000), ref: 00F36EAD
VariantCopy.OLEAUT32 ref: 00F36EDC
VariantClear.OLEAUT32(?), ref: 00F36F03

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: a311f05c9abec39327cf939b2a919d5feb82931f291b5a56eeb0f3d28471ea30
Instruction ID: 4494092056a52316142416403b8ec7738da6a444522bbbdd1c50ab4b32a592cf
Opcode Fuzzy Hash: a311f05c9abec39327cf939b2a919d5feb82931f291b5a56eeb0f3d28471ea30
Instruction Fuzzy Hash: BF51D7B5604306AADB34BF75D895B2AB3E4AF48330F20981FE556DB291EF749840BB11

Uniqueness

Uniqueness Score: -1.00%

Function 00F69A63 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(012BE4D0,?), ref: 00F69AD2
ScreenToClient.USER32(00000002,00000002), ref: 00F69B05
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00F69B72

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 4f51472d7b55ec6c6832ec7d230af4dc3863c8f4794065ee840bd5b98f98f2d1
Instruction ID: 51d19ad7913273edca4b55e873da7f05ee83b6bab1573869bd7e86bd803e4c1c
Opcode Fuzzy Hash: 4f51472d7b55ec6c6832ec7d230af4dc3863c8f4794065ee840bd5b98f98f2d1
Instruction Fuzzy Hash: 07512F74A04209EFCF14DF64D9809AE7BF9FF85360F148259F8259B290D770AE41EB50

Uniqueness

Uniqueness Score: -1.00%

Function 00F56CBD Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00F56CE4
WSAGetLastError.WSOCK32(00000000), ref: 00F56CF4

Part of subcall function 00EE9997: __itow.LIBCMT ref: 00EE99C2
Part of subcall function 00EE9997: __swprintf.LIBCMT ref: 00EE9A0C

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00F56D58
WSAGetLastError.WSOCK32(00000000), ref: 00F56D64

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: 0b997b8e596f84879b9de6dcf1bfcbbf4bc7e5cbd1563c17d97e0339c4866445
Instruction ID: c139419d6522626f660586ff07d2eca5dd9043d7e61b139605748aceb100a415
Opcode Fuzzy Hash: 0b997b8e596f84879b9de6dcf1bfcbbf4bc7e5cbd1563c17d97e0339c4866445
Instruction Fuzzy Hash: F541B475740208AFEB20AF25DC86F3A77E5AF44B20F448458FA69EB3D3DA759C009791

Uniqueness

Uniqueness Score: -1.00%

Function 00F5672D Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,00F6F910), ref: 00F567BA
_strlen.LIBCMT ref: 00F567EC

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: a12f7101d044bf7c254ef662699e75e5e8589968f30d0977734758aa8ef28abd
Instruction ID: bf63e0af9a62b87e3f47a4332780397a18c4f93f8a2dc3a2574860164bf48272
Opcode Fuzzy Hash: a12f7101d044bf7c254ef662699e75e5e8589968f30d0977734758aa8ef28abd
Instruction Fuzzy Hash: 5541E631A00108ABCB14EB65DCC1FAEB7E9AF48315F548165FD29E7292DF34AD48E750

Uniqueness

Uniqueness Score: -1.00%

Function 00F4BA5F Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00F4BB09
GetLastError.KERNEL32(?,00000000), ref: 00F4BB2F
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00F4BB54
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00F4BB80

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: b27328ee0bdb9d0a8e3787dc31864d0d945ddcd46025b9fc7d86f8d45cd2d76c
Instruction ID: 4f7b1b5d1f5cf089c8338fd170a04b9cb61ab6e783aa237b5b3ef2a5898424b1
Opcode Fuzzy Hash: b27328ee0bdb9d0a8e3787dc31864d0d945ddcd46025b9fc7d86f8d45cd2d76c
Instruction Fuzzy Hash: DE415539600655DFCB20EF16C584A1DBBE1EF89320B199498EC4AAB363CB35FD01DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00F68AC0 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00F68B4D

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 90cf32c9714c0c155a1ae2ff17187487ad97920762998fdc5c4371a28cde6057
Instruction ID: 1fcbf3a43b4ab256669629f35e9110663e61bdf67809379aebb01933624e61d7
Opcode Fuzzy Hash: 90cf32c9714c0c155a1ae2ff17187487ad97920762998fdc5c4371a28cde6057
Instruction Fuzzy Hash: E131E8B4A00208BFEF249E58DC59FA937A4EB4A3A0F14471AFA51D72E1CE349D42B751

Uniqueness

Uniqueness Score: -1.00%

Function 00F6ADF1 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00F6AE1A
GetWindowRect.USER32(?,?), ref: 00F6AE90
PtInRect.USER32(?,?,00F6C304), ref: 00F6AEA0
MessageBeep.USER32(00000000), ref: 00F6AF11

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 2dcc5575f810a7d62a87c65be641829adee219784af4b3ff17aa726586688c14
Instruction ID: cad8157d1b785f403900f53c7cb9a99db163460196f7ae652844fa60c38a3115
Opcode Fuzzy Hash: 2dcc5575f810a7d62a87c65be641829adee219784af4b3ff17aa726586688c14
Instruction Fuzzy Hash: 2A41CE70A00209DFCB11DF59D884BA9BBF5FF59310F1881A9E825EB251C732E801EF92

Uniqueness

Uniqueness Score: -1.00%

Function 00F40FE6 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00F41037
SetKeyboardState.USER32(00000080,?,00000001), ref: 00F41053
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00F410B9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00F4110B

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 807f47c9d6d87591acb26c2073b52ba3510ec3315d17981b1b157a46cf4b5a06
Instruction ID: 99b50468d9eff044cfe64a6562355703d7115d5a6679a22b7bfd80b51b16752b
Opcode Fuzzy Hash: 807f47c9d6d87591acb26c2073b52ba3510ec3315d17981b1b157a46cf4b5a06
Instruction Fuzzy Hash: FF312431E40688AEFB348B698C05BFABFA9BB44320F08431AED91521D1C7798DC4B751

Uniqueness

Uniqueness Score: -1.00%

Function 00F41121 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,7694C0D0,?,00008000), ref: 00F41176
SetKeyboardState.USER32(00000080,?,00008000), ref: 00F41192
PostMessageW.USER32(00000000,00000101,00000000), ref: 00F411F1
SendInput.USER32(00000001,?,0000001C,7694C0D0,?,00008000), ref: 00F41243

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 9a1b24b69e33a4ce32ce7e7a732d261c2d448cdfc893ea37cb076871a6b67e2a
Instruction ID: 3bd6043aa8847bbe2dd93976a4e6d0d427c0af4801205ff67c2473dc849a66da
Opcode Fuzzy Hash: 9a1b24b69e33a4ce32ce7e7a732d261c2d448cdfc893ea37cb076871a6b67e2a
Instruction Fuzzy Hash: 92310630E4061C5AFF208B658C087FA7FAEBB89320F08431AEA91921D1D3794ED5B751

Uniqueness

Uniqueness Score: -1.00%

Function 00F16415 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00F1644B
__isleadbyte_l.LIBCMT ref: 00F16479
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00F164A7
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00F164DD

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: c0f91bb3f94766fc962e415d76e1dda973fdbc2a4aea645f6a422391c9719a47
Instruction ID: a4de308b4be120ab4bbb23e4a9b9edede4c0e54a0d0424e0575da47ebd274e71
Opcode Fuzzy Hash: c0f91bb3f94766fc962e415d76e1dda973fdbc2a4aea645f6a422391c9719a47
Instruction Fuzzy Hash: 2731AB31A0025AAFDB25CF69CC45BFA7BA9FF41360F154069E864C71A1EB35D890FB90

Uniqueness

Uniqueness Score: -1.00%

Function 00F65175 Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00F65189

Part of subcall function 00F4387D: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00F43897
Part of subcall function 00F4387D: GetCurrentThreadId.KERNEL32 ref: 00F4389E
Part of subcall function 00F4387D: AttachThreadInput.USER32(00000000,?,00F452A7), ref: 00F438A5

GetCaretPos.USER32(?), ref: 00F6519A
ClientToScreen.USER32(00000000,?), ref: 00F651D5
GetForegroundWindow.USER32 ref: 00F651DB

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 12ded36ace1d2ce58d93b12dcfbf7512eb61a90335d3943c6158c2db360234a5
Instruction ID: 915a2d9375d1244a73860cf58eaee1c2e0bfea21109efab2b1c46bae80b6e651
Opcode Fuzzy Hash: 12ded36ace1d2ce58d93b12dcfbf7512eb61a90335d3943c6158c2db360234a5
Instruction Fuzzy Hash: 87310172900148AFDB00EFA5CC459EFB7F9EF58300F10506AE415F7241EA759E05DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00F6C788 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE2612: GetWindowLongW.USER32(?,000000EB), ref: 00EE2623

GetCursorPos.USER32(?), ref: 00F6C7C2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00F1BBFB,?,?,?,?,?), ref: 00F6C7D7
GetCursorPos.USER32(?), ref: 00F6C824
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00F1BBFB,?,?,?), ref: 00F6C85E

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 95a5719528c57a88a5a1aa97f114364fec993752514cf126ec020dc3739ea40d
Instruction ID: 1a8e4fef2a064e2e1e78a60edf1fc9c79b9511d0e66902791467106cb4149cc8
Opcode Fuzzy Hash: 95a5719528c57a88a5a1aa97f114364fec993752514cf126ec020dc3739ea40d
Instruction Fuzzy Hash: 54319335500018AFCB25CF69C898EFA7BB9EF49720F044169F995C7261C7355D50EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00F00BD0 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 00F00BF2

Part of subcall function 00EE5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00F47B20,?,?,00000000), ref: 00EE5B8C
Part of subcall function 00EE5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00F47B20,?,?,00000000,?,?), ref: 00EE5BB0

_fprintf.LIBCMT ref: 00F00C29
OutputDebugStringW.KERNEL32(?), ref: 00F36331

Part of subcall function 00F04CDA: _flsall.LIBCMT ref: 00F04CF3

__setmode.LIBCMT ref: 00F00C5E

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: e4b605d99bea95d071206641ce1f53b60e64e6b1c17f9d81f4ead67f44a05059
Instruction ID: b8f3b8b1b0dc36a45cbb06024826345b16e1c52cd06f89c60f2691b805b82490
Opcode Fuzzy Hash: e4b605d99bea95d071206641ce1f53b60e64e6b1c17f9d81f4ead67f44a05059
Instruction Fuzzy Hash: 8B115C729042087BDB0477B5AC43ABE7BA89F85320F14411AF204A71D2DF656D467791

Uniqueness

Uniqueness Score: -1.00%

Function 00F38B9E Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F38652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00F38669
Part of subcall function 00F38652: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00F38673
Part of subcall function 00F38652: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00F38682
Part of subcall function 00F38652: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00F38689
Part of subcall function 00F38652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00F3869F

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00F38BEB
_memcmp.LIBCMT ref: 00F38C0E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00F38C44
HeapFree.KERNEL32(00000000), ref: 00F38C4B

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 8a7f0eb628d29ace301d0a43d4c5a48b521fcfa797480aa98cb518e28174daea
Instruction ID: c7311da637fec6275e7e5dd659dfb7a554d06db78f0e06e95be5c98c6e46dcf2
Opcode Fuzzy Hash: 8a7f0eb628d29ace301d0a43d4c5a48b521fcfa797480aa98cb518e28174daea
Instruction Fuzzy Hash: 5621BD71E01209EFCB00CFA4C955BEEB7B8FF403A0F044059E454A7240DB79AE0AEB60

Uniqueness

Uniqueness Score: -1.00%

Function 00F51A5B Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00F51A97

Part of subcall function 00F51B21: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00F51B40
Part of subcall function 00F51B21: InternetCloseHandle.WININET(00000000), ref: 00F51BDD

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: 038ee64889fa3471cb9b4f06adeadb2059353fef44149983cea70ac551a6e9d7
Instruction ID: 4f1c11cbe810943d371c1035882977293c2a9adf8e5d1dfd21cda22e66cc3658
Opcode Fuzzy Hash: 038ee64889fa3471cb9b4f06adeadb2059353fef44149983cea70ac551a6e9d7
Instruction Fuzzy Hash: 3F21D432600604BFEB129F609C00FBABBADFF88712F14011AFF1196550EB75E819B790

Uniqueness

Uniqueness Score: -1.00%

Function 00F3E1AF Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00F3F5AD: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00F3E1C4,?,?,?,00F3EFB7,00000000,000000EF,00000119,?,?), ref: 00F3F5BC
Part of subcall function 00F3F5AD: lstrcpyW.KERNEL32(00000000,?), ref: 00F3F5E2
Part of subcall function 00F3F5AD: lstrcmpiW.KERNEL32(00000000,?,00F3E1C4,?,?,?,00F3EFB7,00000000,000000EF,00000119,?,?), ref: 00F3F613

lstrlenW.KERNEL32(?,00000002,?,?,?,?,00F3EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 00F3E1DD
lstrcpyW.KERNEL32(00000000,?), ref: 00F3E203
lstrcmpiW.KERNEL32(00000002,cdecl,?,00F3EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 00F3E237

Strings

cdecl, xrefs: 00F3E22E

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 5b03f6d67926bf77ed0bd38e461de027267e1f01c0d4abfbe248452a2b692038
Instruction ID: e27657c7c788ac669906662c0d38a2368d2b2e926fe0425c3bc766a7c7674f32
Opcode Fuzzy Hash: 5b03f6d67926bf77ed0bd38e461de027267e1f01c0d4abfbe248452a2b692038
Instruction Fuzzy Hash: 9611D036600345EFCB25AF64DC45E7A77A8FF85360F40402AF816CB2A0EBB1D855E7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00F15332 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00F15351

Part of subcall function 00F0594C: __FF_MSGBANNER.LIBCMT ref: 00F05963
Part of subcall function 00F0594C: __NMSG_WRITE.LIBCMT ref: 00F0596A
Part of subcall function 00F0594C: RtlAllocateHeap.NTDLL(012A0000,00000000,00000001,00000000,?,?,?,00F01013,?), ref: 00F0598F

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9bb086143882b9f2bb2479c93ee2c951705e80e2e3ad8965b7e36c46ac1af739
Instruction ID: aa9334ec89d90934c7a6898fbb03cc4aa3937062e8ebf27b7a14591a499aeec6
Opcode Fuzzy Hash: 9bb086143882b9f2bb2479c93ee2c951705e80e2e3ad8965b7e36c46ac1af739
Instruction Fuzzy Hash: BD11C432905A15EECB212F70AC0569A379A5F90BF0F24052AF965DB1D0DAB98981B750

Uniqueness

Uniqueness Score: -1.00%

Function 00EE4531 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00EE4560

Part of subcall function 00EE410D: _memset.LIBCMT ref: 00EE418D
Part of subcall function 00EE410D: _wcscpy.LIBCMT ref: 00EE41E1
Part of subcall function 00EE410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00EE41F1

KillTimer.USER32(?,00000001,?,?), ref: 00EE45B5
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00EE45C4
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00F1D6CE

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: aa1520ec953fe5d17570f752b9802fd4272c983b1173d97f4d92a506c20c15c8
Instruction ID: 50420e80c9f702347d99ae025ecd95d5eec713627699be4461049228a44e37d5
Opcode Fuzzy Hash: aa1520ec953fe5d17570f752b9802fd4272c983b1173d97f4d92a506c20c15c8
Instruction Fuzzy Hash: 0C21FCB19047989FEB328B24DC45BE7BBEC9F01318F04009DE69D66181C7B45AC8EB51

Uniqueness

Uniqueness Score: -1.00%

Function 00F5667C Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00F47B20,?,?,00000000), ref: 00EE5B8C
Part of subcall function 00EE5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00F47B20,?,?,00000000,?,?), ref: 00EE5BB0

gethostbyname.WSOCK32(?,?,?), ref: 00F566AC
WSAGetLastError.WSOCK32(00000000), ref: 00F566B7
_memmove.LIBCMT ref: 00F566E4
inet_ntoa.WSOCK32(?), ref: 00F566EF

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: 17495e0ce1c16478709ac70c7272dbee10903cb2f2940929f9d84235c01d4916
Instruction ID: 0d567583ac1801e32e3f29194c4edf22460ceba01d0f71b1b0d2e573c8cabb08
Opcode Fuzzy Hash: 17495e0ce1c16478709ac70c7272dbee10903cb2f2940929f9d84235c01d4916
Instruction Fuzzy Hash: AF116336900509AFCB00EBA5ED86DEEB7F8BF44315B144065F506B7162DF709E08EB51

Uniqueness

Uniqueness Score: -1.00%

Function 00F39023 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00F39043
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00F39055
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00F3906B
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00F39086

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 8ca62ea2c289bb88ad62b43121999c62c1e1c3ac701c86a44105e76a7d8c1f09
Instruction ID: fa24abaca4a80e574768b9260af29a613a3e7c41654b99a4781884de9edaa806
Opcode Fuzzy Hash: 8ca62ea2c289bb88ad62b43121999c62c1e1c3ac701c86a44105e76a7d8c1f09
Instruction Fuzzy Hash: 85115E7A900218FFDB10DFA5CC84F9DBB74FB48320F204095E904B7250D6B26E10EB90

Uniqueness

Uniqueness Score: -1.00%

Function 00EE1290 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 00EE2612: GetWindowLongW.USER32(?,000000EB), ref: 00EE2623

DefDlgProcW.USER32(?,00000020,?), ref: 00EE12D8
GetClientRect.USER32(?,?), ref: 00F1B84B
GetCursorPos.USER32(?), ref: 00F1B855
ScreenToClient.USER32(?,?), ref: 00F1B860

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 9ffa956b2403d776d348f9b5d2fc930a3148c33ac605d5f07ad465bd9e5a96e1
Instruction ID: 674574dd7c362b95d1dce838b8090dd27e8afad8d56c516de0bc6356dccb7226
Opcode Fuzzy Hash: 9ffa956b2403d776d348f9b5d2fc930a3148c33ac605d5f07ad465bd9e5a96e1
Instruction Fuzzy Hash: 5F11283590005DABCB00DF95DC859EE77B8FB09300F000495FA21E7161C770AA95ABA5

Uniqueness

Uniqueness Score: -1.00%

Function 00F41652 Relevance: 6.1, APIs: 4, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00F401FD,?,00F41250,?,00008000), ref: 00F4166F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,00F401FD,?,00F41250,?,00008000), ref: 00F41694
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00F401FD,?,00F41250,?,00008000), ref: 00F4169E
Sleep.KERNEL32(?,?,?,?,?,?,?,00F401FD,?,00F41250,?,00008000), ref: 00F416D1

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 8eac9a21a87386e7786ecb7af6110df81e2c8fbe7ed1c260916a4a4331526d9d
Instruction ID: 5adc035c42a701aa6b0001a68f825ab6cbc6cddd05ff9d152e36b2ec5a2ca180
Opcode Fuzzy Hash: 8eac9a21a87386e7786ecb7af6110df81e2c8fbe7ed1c260916a4a4331526d9d
Instruction Fuzzy Hash: 06115E31D0151DD7CF009FA5E948BEEBF78FF0A751F464065ED50B6240CB7095A0AB96

Uniqueness

Uniqueness Score: -1.00%

Function 00F17207 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00F1722B

Part of subcall function 00F17912: __fltout2.LIBCMT ref: 00F1793B

__cftog_l.LIBCMT ref: 00F17251
__cftoe_l.LIBCMT ref: 00F17283

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: b6144f35c0209fcb19b47faa1265e531b35260f98f43937e8a56c6a65f65d8d5
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: D7014C7644828ABBCF126E84DC018EE3F72BF69351B588615FA1C58031D277C9B2BF81

Uniqueness

Uniqueness Score: -1.00%

Function 00F6B57F Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00F6B59E
ScreenToClient.USER32(?,?), ref: 00F6B5B6
ScreenToClient.USER32(?,?), ref: 00F6B5DA
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00F6B5F5

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 73a817bb37679ba79bb93eb9733faaae8302f070208d9e7284ebccc26978c8ce
Instruction ID: 243527d6c951f47065ff6cbda1ebec9c5b103f022cf7466edaf4e7be651f56e8
Opcode Fuzzy Hash: 73a817bb37679ba79bb93eb9733faaae8302f070208d9e7284ebccc26978c8ce
Instruction Fuzzy Hash: DB1166B5D0020DEFDB01DF99D4449EEFBB9FB08310F104166E925E3220D771AA559F50

Uniqueness

Uniqueness Score: -1.00%

Function 00F6B8EF Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F6B8FE
_memset.LIBCMT ref: 00F6B90D
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00FA7F20,00FA7F64), ref: 00F6B93C
CloseHandle.KERNEL32 ref: 00F6B94E

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: eca488277e86e1fe53deae673b5507ea66c68304940e64b7a03ec5e91d4a3c3e
Instruction ID: 93c6e32a8ea5b2a80e8b7d8e38ca22b408ba9ecf7cd4a90d5f5f1e54485ad2fa
Opcode Fuzzy Hash: eca488277e86e1fe53deae673b5507ea66c68304940e64b7a03ec5e91d4a3c3e
Instruction Fuzzy Hash: 9CF0FEF25443587FE2107765AC06FBB7A5CEB0A758F004021FA08D5292E7755A10B7E8

Uniqueness

Uniqueness Score: -1.00%

Function 00F46E7C Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00F46E88

Part of subcall function 00F4794E: _memset.LIBCMT ref: 00F47983

_memmove.LIBCMT ref: 00F46EAB
_memset.LIBCMT ref: 00F46EB8
LeaveCriticalSection.KERNEL32(?), ref: 00F46EC8

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: 559806c366844412118343317ecc842ea5c6a77fac15a168d464211e8f5f6ade
Instruction ID: dc47d36cb7443035bd401ab0a29b3f77702ead84307108ff27101f522669f4e6
Opcode Fuzzy Hash: 559806c366844412118343317ecc842ea5c6a77fac15a168d464211e8f5f6ade
Instruction Fuzzy Hash: CFF05E3A204204ABCF016F55EC85A8ABF2AEF45360B048061FE085E26AC775A955EBB4

Uniqueness

Uniqueness Score: -1.00%

Function 00F6C00C Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00EE12F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00EE134D
Part of subcall function 00EE12F3: SelectObject.GDI32(?,00000000), ref: 00EE135C
Part of subcall function 00EE12F3: BeginPath.GDI32(?), ref: 00EE1373
Part of subcall function 00EE12F3: SelectObject.GDI32(?,00000000), ref: 00EE139C

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00F6C030
LineTo.GDI32(00000000,?,?), ref: 00F6C03D
EndPath.GDI32(00000000), ref: 00F6C04D
StrokePath.GDI32(00000000), ref: 00F6C05B

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 44ad782482eee551c4458f8f5d1655f676f3932ab37d29ce8d0482a5238982f1
Instruction ID: 242851b38fb894bf9a3981beaea62a0582d50ce3e8e739c485e586f883356249
Opcode Fuzzy Hash: 44ad782482eee551c4458f8f5d1655f676f3932ab37d29ce8d0482a5238982f1
Instruction Fuzzy Hash: 39F05E3500525DBBDB126F55AC09FDE3F99AF0A321F144000FA61A10E287B95555EBE5

Uniqueness

Uniqueness Score: -1.00%

Function 00F3A37C Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00F3A399
GetWindowThreadProcessId.USER32(?,00000000), ref: 00F3A3AC
GetCurrentThreadId.KERNEL32 ref: 00F3A3B3
AttachThreadInput.USER32(00000000), ref: 00F3A3BA

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 358b9561ea43f091ad7636392053d0c9f215cf6f878bc418ecc3d5953b9b6b64
Instruction ID: 44188bd770aeb1d4dd80a90326091872eeadf72fbd046449fb7ecdea089814b0
Opcode Fuzzy Hash: 358b9561ea43f091ad7636392053d0c9f215cf6f878bc418ecc3d5953b9b6b64
Instruction Fuzzy Hash: 95E0C93154522CBADB205BA2EC0DED77F5CEF167B1F008025F55995060D6B28544EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00EE2218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00EE2231
SetTextColor.GDI32(?,000000FF), ref: 00EE223B
SetBkMode.GDI32(?,00000001), ref: 00EE2250
GetStockObject.GDI32(00000005), ref: 00EE2258
GetWindowDC.USER32(?,00000000), ref: 00F1C0D3
GetPixel.GDI32(00000000,00000000,00000000), ref: 00F1C0E0
GetPixel.GDI32(00000000,?,00000000), ref: 00F1C0F9
GetPixel.GDI32(00000000,00000000,?), ref: 00F1C112
GetPixel.GDI32(00000000,?,?), ref: 00F1C132
ReleaseDC.USER32(?,00000000), ref: 00F1C13D

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 351339d5c107d00a65301ed74c74b340f289e182a95a5671352b5454869c326b
Instruction ID: fcbc3b7e17fb20c275fda7d94b189204a2018753961cf460f6f02286b1fa6abc
Opcode Fuzzy Hash: 351339d5c107d00a65301ed74c74b340f289e182a95a5671352b5454869c326b
Instruction Fuzzy Hash: 26E0C932944248EBDB215FA4FC097D87B14AB16336F14836AFA79980E187B14994EB52

Uniqueness

Uniqueness Score: -1.00%

Function 00F38C5A Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00F38C63
OpenThreadToken.ADVAPI32(00000000,?,?,?,00F3882E), ref: 00F38C6A
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00F3882E), ref: 00F38C77
OpenProcessToken.ADVAPI32(00000000,?,?,?,00F3882E), ref: 00F38C7E

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 05a5055108809f38c29570af9889a7f8ded329545c13da6072c884707855eb37
Instruction ID: 6a901c73d8ddeaba95cba8a1063497d603e1102c733a31ef46a9b8961096ee90
Opcode Fuzzy Hash: 05a5055108809f38c29570af9889a7f8ded329545c13da6072c884707855eb37
Instruction Fuzzy Hash: 1CE08637A46315EBD7205FB07D0DB563BACEF507E2F144828F245C9040DA74844AEB61

Uniqueness

Uniqueness Score: -1.00%

Function 00F22187 Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00F22187
GetDC.USER32(00000000), ref: 00F22191
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00F221B1
ReleaseDC.USER32(?), ref: 00F221D2

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 74905de0458ecd8fd9ac9e0ce8d86478b66be37fd24a9ede725ece55713339ee
Instruction ID: c05e7699dc1ed3165e605930b9c351060df7acf9ee21f591caf17950be88a906
Opcode Fuzzy Hash: 74905de0458ecd8fd9ac9e0ce8d86478b66be37fd24a9ede725ece55713339ee
Instruction Fuzzy Hash: C6E0E5B5800218EFDB019F61E908A9D7BF1FB4C351F108426F96AE7220CBB98146AF40

Uniqueness

Uniqueness Score: -1.00%

Function 00F2219B Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00F2219B
GetDC.USER32(00000000), ref: 00F221A5
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00F221B1
ReleaseDC.USER32(?), ref: 00F221D2

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: bc520d79d6cf2ffe0dbb7a5649b90a98b147ca43e61e19ab0c19fbba6eed7194
Instruction ID: fc7632fecfa3038e2edeaa91dc6cf014b72600eea3e49c5f86fb45044a4085e7
Opcode Fuzzy Hash: bc520d79d6cf2ffe0dbb7a5649b90a98b147ca43e61e19ab0c19fbba6eed7194
Instruction Fuzzy Hash: 07E012B5800208AFCB019FB1E90869D7BF1FF4C351F108029F96AE7220CBB99146AF40

Uniqueness

Uniqueness Score: -1.00%

Function 00F3B7B6 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 00F3B981

Strings

Container, xrefs: 00F3B8FE
AutoIt3GUI, xrefs: 00F3B8F9

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container
API String ID: 3565006973-3941886329
Opcode ID: dee0b1cf0bd6c2bd1cda8115b8e361867b3dc17db45062404659575f0e205132
Instruction ID: 4b4d35392d5d18ac4b33abe324f1d47b776a17d6e2d8951c943772c38c663992
Opcode Fuzzy Hash: dee0b1cf0bd6c2bd1cda8115b8e361867b3dc17db45062404659575f0e205132
Instruction Fuzzy Hash: 8D915B716006019FDB64DF68C894B6AB7F8FF48720F14856EFA4ACB291DB70E841DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00F4B217 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00EFFEC6: _wcscpy.LIBCMT ref: 00EFFEE9

Part of subcall function 00EE9997: __itow.LIBCMT ref: 00EE99C2
Part of subcall function 00EE9997: __swprintf.LIBCMT ref: 00EE9A0C

__wcsnicmp.LIBCMT ref: 00F4B298
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00F4B361

Strings

LPT, xrefs: 00F4B292

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: 24e6498590a4b0a94db47a33e28cd1cde7eeb0245a26dcb54a6d63ce3ba63cdf
Instruction ID: 0e25d40125b53e5688cf8fc71f360f04e50b9d678e0ad412441cad80d2378833
Opcode Fuzzy Hash: 24e6498590a4b0a94db47a33e28cd1cde7eeb0245a26dcb54a6d63ce3ba63cdf
Instruction Fuzzy Hash: 97617176E00219AFCB14DF95C885EBEBBF4AF48310F114069F946AB292DB70EE40DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00F28A77 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 148COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00F28B1E
_memmove.LIBCMT ref: 00F28B78

Strings

Oa, xrefs: 00F28BF2, 00F2E39A, 00F2E3B6

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: _memmove
String ID: Oa
API String ID: 4104443479-3945284152
Opcode ID: 9df4b04708f133eccf16694b55bf6ea013e27ec7de3d15edccf9432cb89e47b5
Instruction ID: 4792d73c7cee74650a555be7f466ea9cf7e724a33cc23a08b93a61ab94ca432e
Opcode Fuzzy Hash: 9df4b04708f133eccf16694b55bf6ea013e27ec7de3d15edccf9432cb89e47b5
Instruction Fuzzy Hash: CC5171B0E01619DFCB24CF68D880ABEBBF1FF44354F24851AE85AD7240DB31A956DB51

Uniqueness

Uniqueness Score: -1.00%

Function 00EF2AB7 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00EF2AC8
GlobalMemoryStatusEx.KERNEL32(?), ref: 00EF2AE1

Strings

@, xrefs: 00EF2AD5

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: b0b8dacab5a0474e5b2fe5446919280962a601267ac60a524df4d4d22d801d66
Instruction ID: 68959388f2843647caf8de01fb3a0a2b8962ad1d91f2fa4d8b183a94b80421a8
Opcode Fuzzy Hash: b0b8dacab5a0474e5b2fe5446919280962a601267ac60a524df4d4d22d801d66
Instruction Fuzzy Hash: CA517CB14187899BD320AF11DC86BAFBBF8FF84310F82485DF1D9511A2DB309929CB16

Uniqueness

Uniqueness Score: -1.00%

Function 00F499BE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00EE506B: __fread_nolock.LIBCMT ref: 00EE5089

_wcscmp.LIBCMT ref: 00F49AAE
_wcscmp.LIBCMT ref: 00F49AC1

Strings

FILE, xrefs: 00F499FA

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: 71829e8e89fa0da2c12df7e5f3483f2e17aa7a2fef8710b57802e7e59a5dc086
Instruction ID: b510978ee437a3cd7baba506e7670c9bee347dce467c92a10eba9a85c65f7141
Opcode Fuzzy Hash: 71829e8e89fa0da2c12df7e5f3483f2e17aa7a2fef8710b57802e7e59a5dc086
Instruction Fuzzy Hash: 6741D672B04619BADF209EA5DC46FEFBBFDDF45714F00006AB900B7181DAB59A04A7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00F52882 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F52892
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00F528C8

Strings

|, xrefs: 00F52899

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: bd66eb7c760a71eca50b939a51f79499967d181ada31e28e28d49e9454c00c97
Instruction ID: 43f112c14eda65fc8163167f7501ddf8d72cd01a121554707c1a498f63e41ea2
Opcode Fuzzy Hash: bd66eb7c760a71eca50b939a51f79499967d181ada31e28e28d49e9454c00c97
Instruction Fuzzy Hash: 8F313A71800119AFCF45AFA1CC85EEEBFB8FF19310F100129F955A6265DA315A16EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00F66CD2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00F66D86
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00F66DC2

Strings

static, xrefs: 00F66D22

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: a3c627885d639a34301e74fb9ade43cbc56a9861c0f6f747f3aa156d42ddd78f
Instruction ID: d2678ab24147432f570e7dbaead45d6a982b777554182a4dd278901c58f170b4
Opcode Fuzzy Hash: a3c627885d639a34301e74fb9ade43cbc56a9861c0f6f747f3aa156d42ddd78f
Instruction Fuzzy Hash: 4D319E71600608AADB109F64CC80AFB73B8FF48720F109619F8A9D7190CA31AC91EB60

Uniqueness

Uniqueness Score: -1.00%

Function 00F42D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F42E00
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00F42E3B

Strings

0, xrefs: 00F42DF9

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: ce03bcd1b846c015ab18a90ffa03ecd6517159a7c67c377fa36d1fcf89921214
Instruction ID: 73045f8c92013de5fdb11fde9035059bd162167d945e47fab8c831c168f905b6
Opcode Fuzzy Hash: ce03bcd1b846c015ab18a90ffa03ecd6517159a7c67c377fa36d1fcf89921214
Instruction Fuzzy Hash: F531B131A00209ABEB648F58D845BAEBFB9FF05360F540479FD85D71A0E7709944EB50

Uniqueness

Uniqueness Score: -1.00%

Function 00F66943 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00F669D0
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00F669DB

Strings

Combobox, xrefs: 00F6699D

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 02a848247ce3bde38b5464716918dfe5fad4fc5a1614f3a30d6d87db0f224c32
Instruction ID: 4e5015b25f301a3fb42f43e0b4bd08557746ff6c52cb1e1affed78afb1abd28e
Opcode Fuzzy Hash: 02a848247ce3bde38b5464716918dfe5fad4fc5a1614f3a30d6d87db0f224c32
Instruction Fuzzy Hash: 8511C471B102087FEF119F24DC80EBB3B6AEB893A4F110224FD58D7290D6719C91A7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00F66E76 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00EE1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00EE1D73
Part of subcall function 00EE1D35: GetStockObject.GDI32(00000011), ref: 00EE1D87
Part of subcall function 00EE1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00EE1D91

GetWindowRect.USER32(00000000,?), ref: 00F66EE0
GetSysColor.USER32(00000012), ref: 00F66EFA

Strings

static, xrefs: 00F66EBD

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 952749fea8daa68838d8371e7149a442bf495021cb44cb572587bba833b55c14
Instruction ID: 7b38e4640dc9bcc16a7ebb459a4e77f2ad3af4385ed587fa69dd320147e119f4
Opcode Fuzzy Hash: 952749fea8daa68838d8371e7149a442bf495021cb44cb572587bba833b55c14
Instruction Fuzzy Hash: 5E212972A1020AAFDB04DFA8DD45AEA7BB8FB08314F044629F955D3250E775E861AB50

Uniqueness

Uniqueness Score: -1.00%

Function 00F66B8F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00F66C11
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00F66C20

Strings

edit, xrefs: 00F66BF5

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 1d0c58ad83603be4787ebdc097df43678ef420c9f29c4ba1b0af8f41e53736e3
Instruction ID: 3ccd521d64bdc3476d58ede3aa654dcc90d96a2c7b6bbbffbfb92aa08361033a
Opcode Fuzzy Hash: 1d0c58ad83603be4787ebdc097df43678ef420c9f29c4ba1b0af8f41e53736e3
Instruction Fuzzy Hash: 7D118C71901208ABEB109F64DC41EEB3769EB45378F204724F961D71E0CB75DC91BB60

Uniqueness

Uniqueness Score: -1.00%

Function 00F42E9E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F42F11
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00F42F30

Strings

0, xrefs: 00F42F07

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 95c1478ee882e358490fc04ff7fb20d330f45b474af7de84e196b246c539fcb7
Instruction ID: 4092946d8b9502d0d43f365282abbc48d81a5b4473edc731722ab39a28019dac
Opcode Fuzzy Hash: 95c1478ee882e358490fc04ff7fb20d330f45b474af7de84e196b246c539fcb7
Instruction Fuzzy Hash: B511E672E01118ABCB60DB98DC04B997BB9EB11330F8800B1FC55E72A0DBB0AD48E791

Uniqueness

Uniqueness Score: -1.00%

Function 00F524CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00F52520
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00F52549

Strings

<local>, xrefs: 00F52511

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 66e3f46f02993512e955341cc79d82f899575d47663280ddc258945b8341023e
Instruction ID: fd307f27ad12c9868ebc583700fa92fa66f2fd13d2ec96374773340a46ba77c1
Opcode Fuzzy Hash: 66e3f46f02993512e955341cc79d82f899575d47663280ddc258945b8341023e
Instruction Fuzzy Hash: BC11E371500225BADB248F518C94EBBFF68FB07362F10822AFE4542040E2705949E6E1

Uniqueness

Uniqueness Score: -1.00%

Function 00F580A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00F5830B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00F580C8,?,00000000,?,?), ref: 00F58322

inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00F580CB
htons.WSOCK32(00000000,?,00000000), ref: 00F58108

Strings

255.255.255.255, xrefs: 00F580E3

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: ByteCharMultiWidehtonsinet_addr
String ID: 255.255.255.255
API String ID: 2496851823-2422070025
Opcode ID: ead373eb0156c698d6b1a48d47b3a30aed5420d723e90b3651f228c540f900e6
Instruction ID: 3a4229a21f5126444d0181f46223a1ab71113469eca88b2e8d0b5def650c87fb
Opcode Fuzzy Hash: ead373eb0156c698d6b1a48d47b3a30aed5420d723e90b3651f228c540f900e6
Instruction Fuzzy Hash: 4D11E535600209ABDB10AF64DC46FBDB774FF04361F108526EE11A72D1DA72A80AE791

Uniqueness

Uniqueness Score: -1.00%

Function 00F392E7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE7F41: _memmove.LIBCMT ref: 00EE7F82

Part of subcall function 00F3B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00F3B0E7

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00F39355

Strings

ListBox, xrefs: 00F3931F
ComboBox, xrefs: 00F392F4

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 3b389d15363d8361f731954224f4a6fede095b39d8e99ebb866364d96e5054c4
Instruction ID: 7cb15fcc261f04310974150d635cbb06bd851f23c5c5a21c9ee9dbd7c64da190
Opcode Fuzzy Hash: 3b389d15363d8361f731954224f4a6fede095b39d8e99ebb866364d96e5054c4
Instruction Fuzzy Hash: 4B01B5B1A09218ABDB04EB65CC918FE77ADFF46330F140619F972672D1DBB1590CE650

Uniqueness

Uniqueness Score: -1.00%

Function 00F391DF Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE7F41: _memmove.LIBCMT ref: 00EE7F82

Part of subcall function 00F3B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00F3B0E7

SendMessageW.USER32(?,00000180,00000000,?), ref: 00F3924D

Strings

ListBox, xrefs: 00F39217
ComboBox, xrefs: 00F391EC

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 4b306a5a01a502896b269234d083bec0def54e2a1588ef2fc267136d7b8d5d9a
Instruction ID: 7a0769472afa6068a8dcbbbd66b1d7a987469ce1baded0809b99ea622a833271
Opcode Fuzzy Hash: 4b306a5a01a502896b269234d083bec0def54e2a1588ef2fc267136d7b8d5d9a
Instruction Fuzzy Hash: 9901F772E451087BDF18EBA0C892EFF73EC9F45310F150029B91677281EA959F0CA271

Uniqueness

Uniqueness Score: -1.00%

Function 00F39264 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE7F41: _memmove.LIBCMT ref: 00EE7F82

Part of subcall function 00F3B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00F3B0E7

SendMessageW.USER32(?,00000182,?,00000000), ref: 00F392D0

Strings

ListBox, xrefs: 00F3929C
ComboBox, xrefs: 00F39271

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: cbbb6a32467cb3160814a9431362f61052064511e03b1f354f52bd630bec0cb1
Instruction ID: 2129cfbc2b2167440095f20e54e6ff3a11dafc8444e13b760991c836f9b09ed0
Opcode Fuzzy Hash: cbbb6a32467cb3160814a9431362f61052064511e03b1f354f52bd630bec0cb1
Instruction Fuzzy Hash: DC012B72E4510877DF04E7A4C892EFF73EC9F01320F141019B91673181DA919F0CA271

Uniqueness

Uniqueness Score: -1.00%

Function 00F451CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00F451E8
_wcscmp.LIBCMT ref: 00F451FA

Strings

#32770, xrefs: 00F451F4

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: 750360176f07585eddb9a64905b5688dc7feb2b5269f3220250345ea7e343c4d
Instruction ID: 0254d2a1dc4edbb87d922ee09a0406322f7a1f281e13b35ce8e30f25cc1fb747
Opcode Fuzzy Hash: 750360176f07585eddb9a64905b5688dc7feb2b5269f3220250345ea7e343c4d
Instruction Fuzzy Hash: 11E0D17290432D2BE710AB95AC45F97FBACEF45B71F000157FD14D3051D5609A4597E1

Uniqueness

Uniqueness Score: -1.00%

Function 00F381BC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00F381CA

Part of subcall function 00F03598: _doexit.LIBCMT ref: 00F035A2

Strings

AutoIt, xrefs: 00F381BE
Error allocating memory., xrefs: 00F381C3

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: b402ed4a98360ddffa8bde92b5ea3637e4058c7d41bd7be1b61d4fb051275d12
Instruction ID: 49cd0909aa04ddea45754efa3743a6e8cb68368cc45f1b7cf191e1fb82c47254
Opcode Fuzzy Hash: b402ed4a98360ddffa8bde92b5ea3637e4058c7d41bd7be1b61d4fb051275d12
Instruction Fuzzy Hash: 9ED05B323C535D32E61533ED6D07FC575884B05B61F044026FB48555D38ED6959272DE

Uniqueness

Uniqueness Score: -1.00%

Function 00F1B511 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00F1B564: _memset.LIBCMT ref: 00F1B571

Part of subcall function 00F00B84: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00F1B540,?,?,?,00EE100A), ref: 00F00B89

IsDebuggerPresent.KERNEL32(?,?,?,00EE100A), ref: 00F1B544
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00EE100A), ref: 00F1B553

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00F1B54E

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: f599b9b502b835b62e5987544dbc1376cc5e3ce28b00e29db1f61802bf4b633c
Instruction ID: b67d934e012dc9f307af266dbcd4f7bce345bf512a290c913132147b279bc80c
Opcode Fuzzy Hash: f599b9b502b835b62e5987544dbc1376cc5e3ce28b00e29db1f61802bf4b633c
Instruction Fuzzy Hash: 13E06DB4600355CBD760EF28E8047827BE1AB04714F08892CE456C2651DBB8E588EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F65BEB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00F65BF5
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00F65C08

Part of subcall function 00F454E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00F4555E

Strings

Shell_TrayWnd, xrefs: 00F65BEE

Memory Dump Source

Source File: 00000000.00000002.2067278316.0000000000EE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EE0000, based on PE: true

Associated: 00000000.00000002.2067222299.0000000000EE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F6F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067517855.0000000000F95000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067922877.0000000000F9F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FA8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FAA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067950506.0000000000FB8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_RFQ-HL51L05.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: ff601bc3bad2fc561b61a16a753d84d8f9a386cbf9706837820201eb50d9dd61
Instruction ID: 669188bc415999b0b38b8d8d75fd9b892b769988804cb84613ec07400cdbc312
Opcode Fuzzy Hash: ff601bc3bad2fc561b61a16a753d84d8f9a386cbf9706837820201eb50d9dd61
Instruction Fuzzy Hash: 4FD0C931388315B7E764BB70BC1BF977A14AB40B51F040825B756AA1E1D9E49844D654

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report RFQ-HL51L05.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\autED7A.tmp

C:\Users\user\AppData\Local\Temp\autEDC9.tmp

C:\Users\user\AppData\Local\Temp\cunili

C:\Users\user\AppData\Local\Temp\meshummad

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Windows Analysis Report
RFQ-HL51L05.exe

Function 00EE3B4C Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Function 00EE4FE9 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 62
COMMON

Function 00EE4AFE Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Function 00F493DF Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Function 00EE3015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 73
windowregistryCOMMON

Function 00EE3041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Function 00EE71EB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00EE3A58 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Function 00EE3633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Function 00EE3778 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Function 011B2660 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 00EE39E7 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 011B2410 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 151
fileCOMMON

Function 00EE410D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Function 00F0564D Relevance: 7.7, APIs: 5, Instructions: 163
COMMONLIBRARYCODE

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre