Edit tour

Windows Analysis Report
file4232024.exe

Overview

General Information

Sample name:	file4232024.exe
Analysis ID:	1431780
MD5:	982f1903db530be43b0d0fc4ce976e8e
SHA1:	e2a9534e65f2ae33df71b136cfef600eab4f3627
SHA256:	0c0d782dac4f8afdf63e33666febfe1aea6605c1a64ae532a8b84d2d315b176b
Tags:	exe
Infos:

Detection

DarkCloud

Score:	92
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected DarkCloud

Yara detected Generic Dropper

Binary is likely a compiled AutoIt script file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Writes or reads registry keys via WMI

Writes to foreign memory regions

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found evasive API chain (may stop execution after accessing registry keys)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

file4232024.exe (PID: 1680 cmdline: "C:\Users\user\Desktop\file4232024.exe" MD5: 982F1903DB530BE43B0D0FC4CE976E8E)

svchost.exe (PID: 3060 cmdline: "C:\Users\user\Desktop\file4232024.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

WmiPrvSE.exe (PID: 5272 cmdline: C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding MD5: 64ACA4F48771A5BA50CD50F2410632AD)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DarkCloud Stealer	Stealer is written in Visual Basic.	No Attribution	https://asec.ahnlab.com/en/53128/ https://c3rb3ru5d3d53c.github.io/malware-blog/darkcloud-stealer/	https://malpedia.caad.fkie.fraunhofer.de/details/win.darkcloud

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security
00000000.00000002.2026120718.0000000001FE0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security
Process Memory Space: file4232024.exe PID: 1680	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security
Process Memory Space: file4232024.exe PID: 1680	JoeSecurity_GenericDropper	Yara detected Generic Dropper	Joe Security
Process Memory Space: svchost.exe PID: 3060	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security

Unpacked PEs

Source	Rule	Description	Author
0.2.file4232024.exe.1fe0000.2.raw.unpack	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security
0.2.file4232024.exe.1fe0000.2.unpack	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security
2.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security
2.2.svchost.exe.400000.0.unpack	JoeSecurity_DarkCloud	Yara detected DarkCloud	Joe Security

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\file4232024.exe", CommandLine: "C:\Users\user\Desktop\file4232024.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\file4232024.exe", ParentImage: C:\Users\user\Desktop\file4232024.exe, ParentProcessId: 1680, ParentProcessName: file4232024.exe, ProcessCommandLine: "C:\Users\user\Desktop\file4232024.exe", ProcessId: 3060, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\file4232024.exe", CommandLine: "C:\Users\user\Desktop\file4232024.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\file4232024.exe", ParentImage: C:\Users\user\Desktop\file4232024.exe, ParentProcessId: 1680, ParentProcessName: file4232024.exe, ProcessCommandLine: "C:\Users\user\Desktop\file4232024.exe", ProcessId: 3060, ProcessName: svchost.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: file4232024.exe	ReversingLabs: Detection: 63%
Source: file4232024.exe	Virustotal: Detection: 47%			Perma Link

Machine Learning detection for sample

Source: file4232024.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String decryptor: Cookies
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String decryptor: \Default\Login Data
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String decryptor: \Login Data
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String decryptor: //setting[@name='Password']/value
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String decryptor: Password :
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String decryptor: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String decryptor: Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String decryptor: Software\Martin Prikryl\WinSCP 2\Sessions
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String decryptor: SMTP Email Address
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String decryptor: NNTP Email Address
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String decryptor: Email
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String decryptor: HTTPMail User Name
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String decryptor: HTTPMail Server
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String decryptor: ^([a-zA-Z0-9_\-\.]+)@([a-zA-Z0-9_\-\.]+)\.([a-zA-Z]{2,5})$
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String decryptor: ^(?!:\/\/)([a-zA-Z0-9-_]+\.)[a-zA-Z0-9][a-zA-Z0-9-_]+\.[a-zA-Z]{2,11}?$
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String decryptor: Password
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String decryptor: ^389[0-9]{11}$
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String decryptor: ^3[47][0-9]{13}$
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String decryptor: ^(6541\|6556)[0-9]{12}$
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String decryptor: ^3(?:0[0-5]\|[68][0-9])[0-9]{11}$
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String decryptor: ^63[7-9][0-9]{13}$
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String decryptor: ^9[0-9]{15}$
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String decryptor: ^(?:2131\|1800\|35\\d{3})\\d{11}$
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String decryptor: ^(6304\|6706\|6709\|6771)[0-9]{12,15}$
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String decryptor: ^(5018\|5020\|5038\|6304\|6759\|6761\|6763)[0-9]{8,15}$
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String decryptor: Mastercard
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String decryptor: ^(6334\|6767)[0-9]{12}\|(6334\|6767)[0-9]{14}\|(6334\|6767)[0-9]{15}$
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String decryptor: ^(62[0-9]{14,17})$
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String decryptor: ^(4903\|4905\|4911\|4936\|6333\|6759)[0-9]{12}\|(4903\|4905\|4911\|4936\|6333\|6759)[0-9]{14}\|(4903\|4905\|4911\|4936\|6333\|6759)[0-9]{15}\|564182[0-9]{10}\|564182[0-9]{12}\|564182[0-9]{13}\|633110[0-9]{10}\|633110[0-9]{12}\|633110[0-9]{13}$
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String decryptor: Visa Card
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String decryptor: ^(?:4[0-9]{12}(?:[0-9]{3})?\|5[1-5][0-9]{14})$
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String decryptor: Visa Master Card
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String decryptor: \logins.json
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String decryptor: \signons.sqlite
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String decryptor: Foxmail.exe
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String decryptor: mail\
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String decryptor: \Accounts\Account.rec0
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String decryptor: \AccCfg\Accounts.tdat
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String decryptor: EnableSignature
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String decryptor: Application : FoxMail
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String decryptor: encryptedUsername
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String decryptor: logins
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String decryptor: encryptedPassword
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String decryptor: office.tony39@mail.ru
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String decryptor: http://schemas.microsoft.com/cdo/configuration/sendusing
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String decryptor: http://schemas.microsoft.com/cdo/configuration/smtpauthenticate
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String decryptor: mail.vinoterra.ru
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String decryptor: http://schemas.microsoft.com/cdo/configuration/smtpserver
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String decryptor: http://schemas.microsoft.com/cdo/configuration/smtpserverport
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String decryptor: http://schemas.microsoft.com/cdo/configuration/smtpusessl
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String decryptor: http://schemas.microsoft.com/cdo/configuration/sendusername
Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp	String decryptor: http://schemas.microsoft.com/cdo/configuration/sendpassword

Source: file4232024.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: wntdll.pdbUGP source: file4232024.exe, 00000000.00000003.2023518889.0000000003DF0000.00000004.00001000.00020000.00000000.sdmp, file4232024.exe, 00000000.00000003.2024099743.0000000003C50000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: W.pdb4 source: svchost.exe, 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: file4232024.exe, 00000000.00000003.2023518889.0000000003DF0000.00000004.00001000.00020000.00000000.sdmp, file4232024.exe, 00000000.00000003.2024099743.0000000003C50000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\file4232024.exe	Code function: 0_2_00644696 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00644696
Source: C:\Users\user\Desktop\file4232024.exe	Code function: 0_2_0064C93C FindFirstFileW,FindClose,	0_2_0064C93C
Source: C:\Users\user\Desktop\file4232024.exe	Code function: 0_2_0064C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0064C9C7
Source: C:\Users\user\Desktop\file4232024.exe	Code function: 0_2_0064F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0064F200
Source: C:\Users\user\Desktop\file4232024.exe	Code function: 0_2_0064F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0064F35D
Source: C:\Users\user\Desktop\file4232024.exe	Code function: 0_2_0064F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0064F65E
Source: C:\Users\user\Desktop\file4232024.exe	Code function: 0_2_00643A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00643A2B
Source: C:\Users\user\Desktop\file4232024.exe	Code function: 0_2_00643D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00643D4E
Source: C:\Users\user\Desktop\file4232024.exe	Code function: 0_2_0064BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0064BF27

Source: C:\Users\user\Desktop\file4232024.exe

Code function: 0_2_006525E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_006525E2

Source: svchost.exe, 00000002.00000003.2341179217.000000000326E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: svchost.exe, 00000002.00000003.2341179217.000000000326E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: svchost.exe, 00000002.00000003.2341179217.000000000326E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: svchost.exe, 00000002.00000003.2341179217.000000000326E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: svchost.exe, 00000002.00000003.2341179217.000000000326E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: svchost.exe, 00000002.00000003.2341179217.000000000326E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: svchost.exe, 00000002.00000003.2341179217.000000000326E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: svchost.exe, 00000002.00000003.2341179217.000000000326E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: svchost.exe, 00000002.00000003.2341179217.000000000326E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: C:\Users\user\Desktop\file4232024.exe

Code function: 0_2_0065425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0065425A

Source: C:\Users\user\Desktop\file4232024.exe

Code function: 0_2_00654458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00654458

Source: C:\Users\user\Desktop\file4232024.exe

0_2_0065425A

Source: C:\Users\user\Desktop\file4232024.exe

Code function: 0_2_00640219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_00640219

Source: C:\Users\user\Desktop\file4232024.exe

Code function: 0_2_0066CDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_0066CDAC

System Summary

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\file4232024.exe	Code function: This is a third-party compiled AutoIt script.	0_2_005E3B4C
Source: file4232024.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file4232024.exe, 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_1f6a5f1a-f
Source: file4232024.exe, 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_fc1f5706-e
Source: file4232024.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_1fcc7855-b
Source: file4232024.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_57878b67-3

Writes or reads registry keys via WMI

Source: C:\Windows\SysWOW64\svchost.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Windows\SysWOW64\svchost.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Windows\SysWOW64\svchost.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\SysWOW64\svchost.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Windows\SysWOW64\svchost.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Windows\SysWOW64\svchost.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\SysWOW64\svchost.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Windows\SysWOW64\svchost.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Windows\SysWOW64\svchost.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\SysWOW64\svchost.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Windows\SysWOW64\svchost.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Windows\SysWOW64\svchost.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\SysWOW64\svchost.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Windows\SysWOW64\svchost.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Windows\SysWOW64\svchost.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\SysWOW64\svchost.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::enumvalues
Source: C:\Windows\SysWOW64\svchost.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::getstringvalue
Source: C:\Windows\SysWOW64\svchost.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey

Source: C:\Users\user\Desktop\file4232024.exe

Code function: 0_2_00644021: CreateFileW,DeviceIoControl,CloseHandle,

0_2_00644021

Source: C:\Users\user\Desktop\file4232024.exe

Code function: 0_2_00638858 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00638858

Source: C:\Users\user\Desktop\file4232024.exe

Code function: 0_2_0064545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_0064545F

Source: C:\Users\user\Desktop\file4232024.exe	Code function: 0_2_005EE800	0_2_005EE800
Source: C:\Users\user\Desktop\file4232024.exe	Code function: 0_2_0060DBB5	0_2_0060DBB5
Source: C:\Users\user\Desktop\file4232024.exe	Code function: 0_2_0066804A	0_2_0066804A
Source: C:\Users\user\Desktop\file4232024.exe	Code function: 0_2_005EE060	0_2_005EE060
Source: C:\Users\user\Desktop\file4232024.exe	Code function: 0_2_005F4140	0_2_005F4140
Source: C:\Users\user\Desktop\file4232024.exe	Code function: 0_2_00602405	0_2_00602405
Source: C:\Users\user\Desktop\file4232024.exe	Code function: 0_2_00616522	0_2_00616522
Source: C:\Users\user\Desktop\file4232024.exe	Code function: 0_2_00660665	0_2_00660665
Source: C:\Users\user\Desktop\file4232024.exe	Code function: 0_2_0061267E	0_2_0061267E
Source: C:\Users\user\Desktop\file4232024.exe	Code function: 0_2_005F6843	0_2_005F6843
Source: C:\Users\user\Desktop\file4232024.exe	Code function: 0_2_0060283A	0_2_0060283A
Source: C:\Users\user\Desktop\file4232024.exe	Code function: 0_2_006189DF	0_2_006189DF
Source: C:\Users\user\Desktop\file4232024.exe	Code function: 0_2_005F8A0E	0_2_005F8A0E
Source: C:\Users\user\Desktop\file4232024.exe	Code function: 0_2_00660AE2	0_2_00660AE2
Source: C:\Users\user\Desktop\file4232024.exe	Code function: 0_2_00616A94	0_2_00616A94
Source: C:\Users\user\Desktop\file4232024.exe	Code function: 0_2_0063EB07	0_2_0063EB07
Source: C:\Users\user\Desktop\file4232024.exe	Code function: 0_2_00648B13	0_2_00648B13
Source: C:\Users\user\Desktop\file4232024.exe	Code function: 0_2_0060CD61	0_2_0060CD61
Source: C:\Users\user\Desktop\file4232024.exe	Code function: 0_2_00617006	0_2_00617006
Source: C:\Users\user\Desktop\file4232024.exe	Code function: 0_2_005F710E	0_2_005F710E
Source: C:\Users\user\Desktop\file4232024.exe	Code function: 0_2_005F3190	0_2_005F3190
Source: C:\Users\user\Desktop\file4232024.exe	Code function: 0_2_005E1287	0_2_005E1287
Source: C:\Users\user\Desktop\file4232024.exe	Code function: 0_2_006033C7	0_2_006033C7
Source: C:\Users\user\Desktop\file4232024.exe	Code function: 0_2_0060F419	0_2_0060F419
Source: C:\Users\user\Desktop\file4232024.exe	Code function: 0_2_006016C4	0_2_006016C4
Source: C:\Users\user\Desktop\file4232024.exe	Code function: 0_2_005F5680	0_2_005F5680
Source: C:\Users\user\Desktop\file4232024.exe	Code function: 0_2_005F58C0	0_2_005F58C0
Source: C:\Users\user\Desktop\file4232024.exe	Code function: 0_2_006078D3	0_2_006078D3
Source: C:\Users\user\Desktop\file4232024.exe	Code function: 0_2_00601BB8	0_2_00601BB8
Source: C:\Users\user\Desktop\file4232024.exe	Code function: 0_2_00619D05	0_2_00619D05
Source: C:\Users\user\Desktop\file4232024.exe	Code function: 0_2_005EFE40	0_2_005EFE40
Source: C:\Users\user\Desktop\file4232024.exe	Code function: 0_2_0060BFE6	0_2_0060BFE6
Source: C:\Users\user\Desktop\file4232024.exe	Code function: 0_2_00601FD0	0_2_00601FD0
Source: C:\Users\user\Desktop\file4232024.exe	Code function: 0_2_01FD3630	0_2_01FD3630
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00426B60	2_2_00426B60

Source: C:\Users\user\Desktop\file4232024.exe	Code function: String function: 00600D27 appears 70 times
Source: C:\Users\user\Desktop\file4232024.exe	Code function: String function: 00608B40 appears 42 times
Source: C:\Users\user\Desktop\file4232024.exe	Code function: String function: 005E7F41 appears 35 times

Source: file4232024.exe, 00000000.00000003.2025112873.0000000003DD3000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs file4232024.exe
Source: file4232024.exe, 00000000.00000003.2024555364.0000000003F7D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs file4232024.exe

Source: file4232024.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: svchost.exe	Binary or memory string: C*\AC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Templates\Stub\Project1.vbp
Source: svchost.exe	Binary or memory string: *\AC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Templates\Stub\Project1.vbp
Source: svchost.exe, 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: x;@*\AC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Templates\Stub\Project1.vbp
Source: file4232024.exe, 00000000.00000002.2026120718.0000000001FE0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: ,@`C*\AC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Templates\Stub\Project1.vbp

Source: classification engine

Classification label: mal92.troj.spyw.evad.winEXE@4/6@0/0

Source: C:\Users\user\Desktop\file4232024.exe

Code function: 0_2_0064A2D5 GetLastError,FormatMessageW,

0_2_0064A2D5

Source: C:\Users\user\Desktop\file4232024.exe	Code function: 0_2_00638713 AdjustTokenPrivileges,CloseHandle,		0_2_00638713
Source: C:\Users\user\Desktop\file4232024.exe	Code function: 0_2_00638CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00638CC3

Source: C:\Users\user\Desktop\file4232024.exe

Code function: 0_2_0064B59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_0064B59E

Source: C:\Users\user\Desktop\file4232024.exe

Code function: 0_2_0065F121 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0065F121

Source: C:\Users\user\Desktop\file4232024.exe

Code function: 0_2_0064C602 CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0064C602

Source: C:\Users\user\Desktop\file4232024.exe

Code function: 0_2_005E4FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_005E4FE9

Source: C:\Windows\SysWOW64\svchost.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\file4232024.exe

File created: C:\Users\user\AppData\Local\Temp\aut25DE.tmp

Jump to behavior

Source: file4232024.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file4232024.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: svchost.exe	Binary or memory string: SELECT item1 FROM metadata WHERE id = 'password';
Source: svchost.exe, 00000002.00000003.2341453055.0000000003250000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2341919743.0000000003250000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2341065025.000000000324C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2341610473.000000000324B000.00000004.00000020.00020000.00000000.sdmp, LogfireblendeuGDOCADegvvshJYgdfgGWltXxnlOnThLThggfsEYSRpalmitic.2.dr	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: file4232024.exe	ReversingLabs: Detection: 63%
Source: file4232024.exe	Virustotal: Detection: 47%

Source: unknown	Process created: C:\Users\user\Desktop\file4232024.exe "C:\Users\user\Desktop\file4232024.exe"
Source: C:\Users\user\Desktop\file4232024.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\file4232024.exe"
Source: C:\Windows\SysWOW64\svchost.exe	Process created: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\file4232024.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\file4232024.exe"	Jump to behavior

Source: C:\Users\user\Desktop\file4232024.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file4232024.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file4232024.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file4232024.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file4232024.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file4232024.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file4232024.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file4232024.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file4232024.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file4232024.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file4232024.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: msvbvm60.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: vb6zz.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe	Section loaded: esscli.dll	Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EE09B103-97E0-11CF-978F-00A02463E06F}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file4232024.exe

Static file information: File size 1204736 > 1048576

Source: file4232024.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file4232024.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file4232024.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file4232024.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file4232024.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file4232024.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file4232024.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wntdll.pdbUGP source: file4232024.exe, 00000000.00000003.2023518889.0000000003DF0000.00000004.00001000.00020000.00000000.sdmp, file4232024.exe, 00000000.00000003.2024099743.0000000003C50000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: W.pdb4 source: svchost.exe, 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: file4232024.exe, 00000000.00000003.2023518889.0000000003DF0000.00000004.00001000.00020000.00000000.sdmp, file4232024.exe, 00000000.00000003.2024099743.0000000003C50000.00000004.00001000.00020000.00000000.sdmp

Source: file4232024.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file4232024.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file4232024.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file4232024.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file4232024.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file4232024.exe

Code function: 0_2_0065C304 LoadLibraryA,GetProcAddress,

0_2_0065C304

Source: C:\Users\user\Desktop\file4232024.exe

Code function: 0_2_00608B85 push ecx; ret

0_2_00608B98

Source: C:\Users\user\Desktop\file4232024.exe	Code function: 0_2_005E4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_005E4A35
Source: C:\Users\user\Desktop\file4232024.exe	Code function: 0_2_006655FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_006655FD

Source: C:\Users\user\Desktop\file4232024.exe

Code function: 0_2_006033C7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_006033C7

Source: C:\Users\user\Desktop\file4232024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file4232024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\file4232024.exe

Evasive API call chain: RegOpenKey,DecisionNodes,Sleep

graph_0-97711

Source: C:\Users\user\Desktop\file4232024.exe	API coverage: 4.6 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 9.1 %

Source: C:\Users\user\Desktop\file4232024.exe	Code function: 0_2_00644696 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00644696
Source: C:\Users\user\Desktop\file4232024.exe	Code function: 0_2_0064C93C FindFirstFileW,FindClose,	0_2_0064C93C
Source: C:\Users\user\Desktop\file4232024.exe	Code function: 0_2_0064C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0064C9C7
Source: C:\Users\user\Desktop\file4232024.exe	Code function: 0_2_0064F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0064F200
Source: C:\Users\user\Desktop\file4232024.exe	Code function: 0_2_0064F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0064F35D
Source: C:\Users\user\Desktop\file4232024.exe	Code function: 0_2_0064F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0064F65E
Source: C:\Users\user\Desktop\file4232024.exe	Code function: 0_2_00643A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00643A2B
Source: C:\Users\user\Desktop\file4232024.exe	Code function: 0_2_00643D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00643D4E
Source: C:\Users\user\Desktop\file4232024.exe	Code function: 0_2_0064BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0064BF27

Source: C:\Users\user\Desktop\file4232024.exe

Code function: 0_2_005E4AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_005E4AFE

Source: WebData.2.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: WebData.2.dr	Binary or memory string: discord.comVMware20,11696428655f
Source: WebData.2.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: WebData.2.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: WebData.2.dr	Binary or memory string: global block list test formVMware20,11696428655
Source: WebData.2.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: WebData.2.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: WebData.2.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: WebData.2.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: WebData.2.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: WebData.2.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: WebData.2.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: WebData.2.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: WebData.2.dr	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: WebData.2.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: WebData.2.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: WebData.2.dr	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: WebData.2.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: WebData.2.dr	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: WebData.2.dr	Binary or memory string: AMC password management pageVMware20,11696428655
Source: WebData.2.dr	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: WebData.2.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: WebData.2.dr	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: WebData.2.dr	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: WebData.2.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: WebData.2.dr	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: WebData.2.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: WebData.2.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: WebData.2.dr	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: WebData.2.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: WebData.2.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Source: C:\Users\user\Desktop\file4232024.exe

API call chain: ExitProcess graph end node

graph_0-97845

Source: C:\Users\user\Desktop\file4232024.exe

Code function: 0_2_006541FD BlockInput,

0_2_006541FD

Source: C:\Users\user\Desktop\file4232024.exe

Code function: 0_2_005E3B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_005E3B4C

Source: C:\Users\user\Desktop\file4232024.exe

Code function: 0_2_00615CCC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00615CCC

Source: C:\Users\user\Desktop\file4232024.exe

Code function: 0_2_0065C304 LoadLibraryA,GetProcAddress,

0_2_0065C304

Source: C:\Users\user\Desktop\file4232024.exe	Code function: 0_2_01FD3520 mov eax, dword ptr fs:[00000030h]	0_2_01FD3520
Source: C:\Users\user\Desktop\file4232024.exe	Code function: 0_2_01FD34C0 mov eax, dword ptr fs:[00000030h]	0_2_01FD34C0
Source: C:\Users\user\Desktop\file4232024.exe	Code function: 0_2_01FD1ED0 mov eax, dword ptr fs:[00000030h]	0_2_01FD1ED0

Source: C:\Users\user\Desktop\file4232024.exe

Code function: 0_2_006381F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_006381F7

Source: C:\Users\user\Desktop\file4232024.exe	Code function: 0_2_0060A364 SetUnhandledExceptionFilter,		0_2_0060A364
Source: C:\Users\user\Desktop\file4232024.exe	Code function: 0_2_0060A395 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_0060A395

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\file4232024.exe

Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\file4232024.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 2FEE008

Jump to behavior

Source: C:\Users\user\Desktop\file4232024.exe

Code function: 0_2_00638C93 LogonUserW,

0_2_00638C93

Source: C:\Users\user\Desktop\file4232024.exe

Code function: 0_2_005E3B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_005E3B4C

Source: C:\Users\user\Desktop\file4232024.exe

Code function: 0_2_005E4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_005E4A35

Source: C:\Users\user\Desktop\file4232024.exe

Code function: 0_2_00644EF5 mouse_event,

0_2_00644EF5

Source: C:\Users\user\Desktop\file4232024.exe

Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\file4232024.exe"

Jump to behavior

Source: C:\Users\user\Desktop\file4232024.exe

0_2_006381F7

Source: C:\Users\user\Desktop\file4232024.exe

Code function: 0_2_00644C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00644C03

Source: file4232024.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file4232024.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\file4232024.exe

Code function: 0_2_0060886B cpuid

0_2_0060886B

Source: C:\Users\user\Desktop\file4232024.exe

Code function: 0_2_006150D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_006150D7

Source: C:\Users\user\Desktop\file4232024.exe

Code function: 0_2_00622230 GetUserNameW,

0_2_00622230

Source: C:\Users\user\Desktop\file4232024.exe

Code function: 0_2_0061418A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_0061418A

Source: C:\Users\user\Desktop\file4232024.exe

Code function: 0_2_005E4AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_005E4AFE

Stealing of Sensitive Information

Yara detected DarkCloud

Source: Yara match	File source: 0.2.file4232024.exe.1fe0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file4232024.exe.1fe0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2026120718.0000000001FE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file4232024.exe PID: 1680, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 3060, type: MEMORYSTR

Yara detected Generic Dropper

Source: Yara match

File source: Process Memory Space: file4232024.exe PID: 1680, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior

Source: file4232024.exe	Binary or memory string: WIN_81
Source: file4232024.exe	Binary or memory string: WIN_XP
Source: file4232024.exe	Binary or memory string: WIN_XPe
Source: file4232024.exe	Binary or memory string: WIN_VISTA
Source: file4232024.exe	Binary or memory string: WIN_7
Source: file4232024.exe	Binary or memory string: WIN_8
Source: file4232024.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality

Yara detected DarkCloud

Source: Yara match	File source: 0.2.file4232024.exe.1fe0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file4232024.exe.1fe0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2026120718.0000000001FE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file4232024.exe PID: 1680, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 3060, type: MEMORYSTR

Source: C:\Users\user\Desktop\file4232024.exe	Code function: 0_2_00656596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_00656596
Source: C:\Users\user\Desktop\file4232024.exe	Code function: 0_2_00656A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00656A5A

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	21 Input Capture	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	15 System Information Discovery	Distributed Component Object Model	3 Clipboard Data	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	2 Valid Accounts	LSA Secrets	31 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	21 Access Token Manipulation	Cached Domain Credentials	2 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	212 Process Injection	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	1 System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file4232024.exe	63%	ReversingLabs	Win32.Trojan.Strab
file4232024.exe	48%	Virustotal		Browse
file4232024.exe	100%	Joe Sandbox ML

Name	Source	Malicious	Reputation
https://ac.ecosia.org/autocomplete?q=	svchost.exe, 00000002.00000003.2341179217.000000000326E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://duckduckgo.com/chrome_newtab	svchost.exe, 00000002.00000003.2341179217.000000000326E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	svchost.exe, 00000002.00000003.2341179217.000000000326E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	svchost.exe, 00000002.00000003.2341179217.000000000326E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://duckduckgo.com/ac/?q=	svchost.exe, 00000002.00000003.2341179217.000000000326E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	svchost.exe, 00000002.00000003.2341179217.000000000326E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://www.ecosia.org/newtab/	svchost.exe, 00000002.00000003.2341179217.000000000326E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	svchost.exe, 00000002.00000003.2341179217.000000000326E000.00000004.00000020.00020000.00000000.sdmp	false	high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	svchost.exe, 00000002.00000003.2341179217.000000000326E000.00000004.00000020.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1431780
Start date and time:	2024-04-25 19:11:09 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 50s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file4232024.exe
Detection:	MAL
Classification:	mal92.troj.spyw.evad.winEXE@4/6@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 60 Number of non-executed functions: 271
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.

Process:	C:\Users\user\Desktop\file4232024.exe
File Type:	data
Category:	dropped
Size (bytes):	315950
Entropy (8bit):	7.989846970648854
Encrypted:	false
SSDEEP:	6144:Gh9lKtLmOTEQrdjCu9fu1mwfktngNnaejFXyT74OnaCN5Kqo4UzYuWBADp:Gh9lKIOTPrVuHCSFX6bao5Zd4YuWCDp
MD5:	A363651C2D2A42241705EFDE74EED3CD
SHA1:	7A41400D2B6901CB334210D66D541D0B593B82D2
SHA-256:	CE7C51B95D80488FEA00E7B3B1D77A11A71C23EE990BFD99E2A0D1E93D4E49DC
SHA-512:	8E025C6DA5819C48E2C2781B566E4CA5B61C7106538764B22BA848520182B5BE2FD9ED201E50EE275C9229571565DD99C6CDFB5639BECFF3750BFA8484ABBC64
Malicious:	false
Reputation:	low
Preview:	EA06.......Uj]..N.L..NW6.H....`..kr.R(`.y....x...{W.N.^.:.....[.j.;.....KX.Me2...E..Hb.....&.]..x.V.9.I.4:.......R...........+...6....+=......k......y.[.$.A'..d........P.t............j.:.&.V...\.P.Z.....0.Y.....Y.Z..,Q.t...iJ...B ..R.:..k.S.t..:J.Y...........ux].k...g.Y..7........6aV.X....B%U.,.o.yl...g.....e...+.....k2.Y......X.....x.ff....V..-Tz..V.,[...$...w.i.....E..8~6.......x..!QX.....B/ ....._........................'._.o(.....F.q{....K..jti,..[...Z.nuS...3.t..>.^eu.G6.F.G%u.v.3@.TgUJ.".G..'.j..;.y1..O.k#.a.S...gA.J.4i...[.@.....I..~.Y,.IX..fS...YL..3.u..>.O<4)D..F.j?U.w.K@.n.4..p.`.eku]..qT..jr..jG..\|g..n:.(.h+..J....h..N..S..h.[.~.U..guJ...).}.....{0...R..N.".O.....0.Nj.9.J.%.u..]7BuT....Z}..V......(.../..........Q.I.b.5..*...>S..e.@.C-...8.j4..o.....;.......?T.U....R.R..\|.y..s..L1......H.4z4.sN.L!X.MN5...w4z.V...35.l....,/..?.C.T.4Y.....v.3..z.S....^WR.U.p.UH..).H$r..y0.V.2.M.".X.r.?..0.}..8..%..+.^..uT....0..%:.L81............@.

C:\Users\user\AppData\Local\Temp\aut264C.tmp

Download File

Process:	C:\Users\user\Desktop\file4232024.exe
File Type:	data
Category:	dropped
Size (bytes):	9848
Entropy (8bit):	7.603204529326611
Encrypted:	false
SSDEEP:	192:C+cKrLMQ/6Yyu2f82l7dpnoyyF7d8iLZjlNeuPPbed5ADasy65ozT/SGHy/:h7rwLzTyF7CImuPPbed5kn5C7LC
MD5:	2BC55BBBDCC4CEB417340480C51E1AE0
SHA1:	A2A5A2CC189C578832FF4282F21FE041E0580C50
SHA-256:	C779BF213540304E19FC12E48B92C3CF924BA2BD5B326A01734770B5E2606DF3
SHA-512:	A278048BB26008AB56FC791B245A227954B774A3DB66F6E2502B67EE503AB4CD20F8561CE887C3B6087EC31167A16E89C7440B375BFF1216FEF83A6D9BEF53BE
Malicious:	false
Reputation:	low
Preview:	EA06..p0.M'.)..e4.N'.).......T9..l.0L.s.5..3..s.4.8.......k8.Yls....c..&S...k6...S....1.L&.i..i5.M,S....K.@...7...p. ....P.o...m.X.V........9....3...f....s2.Xf@.]..g3@..h.m.M.......8.l..6.....a........i4........g3Y...c ._..k4...d....H, ......Ac.H..g...(.F..=d....>....C`....@02..N@...u......Y..ab.M.]>.$....M.x>;$....N.j.;%....X.j.;%......j.;,....P'.b.5... .^..f./Z..@F.6.z..G......`......i..G../Z...zqd...l.;.........\|......7...}3{(........;^..l =..p.........3p.o....,.......x.....H<.lX.:...b.....,. ...2...f.[...K.)....b..i\|v F......X......`....,.9....5...._..l......>K.....ir.e....[4..d..f.y.....,.....S >..p...........s9.... !..Y....f...ja4....ea.h,.p.....,.a8.,..3........f.....f ....,j.0..&...J......f ....6K%.ke..f....L..;2.X...4.Y.V@.Fn.....f@....l..05.....!;3.X...c )D.g6... ...'&`....,f.6..&....r...Brh.....l...i2...B....@.......d.L.`!.....P...@X5d..lSK...9...!;5.X...cVY......'.B...,vl.!..>.a..l...M..@...X...b.M&.X..B.a.Q...sp..X..9..o5..f.!...,vn......d...

C:\Users\user\AppData\Local\Temp\ghauts

Download File

Process:	C:\Users\user\Desktop\file4232024.exe
File Type:	data
Category:	dropped
Size (bytes):	393216
Entropy (8bit):	7.621252250039071
Encrypted:	false
SSDEEP:	6144:K3oOSiCzGxbQAjINs9GMLuk4ml1lSy1WuOslmb9usWmIoMGdqUV6lo1I9ljsH0Ce:9OCzGPcKGMLukR9SduOumktmIoMyswle
MD5:	3E2FE4A3A6323EE2928D6AE0AE6D7B72
SHA1:	2C58DE43F8AD62B33915C1CEC269121243BED301
SHA-256:	C4FA38A20324E8DC25D0AFDC9230D27B2E88A836DED56F6448241456EAEB4F43
SHA-512:	AD18D1C975982FF9A42B0BB28C06046AF577C1701D5B5B06EB651337B3709ECD9EDCB4BD7FFA53E60075309AD6E1F0590F05C0C9A2DD3708E56D11D8A4D9C790
Malicious:	false
Reputation:	low
Preview:	.o.VKCONR3HD..VH.ONV3HD5rVHCONV3HD52VHCONV3HD52VHCONV3HD52VH.ONV=W.;2.A.n.W..eaZ?;c?<9T:%X.5)-!!".*!.@#&c& vw..._9,&aC[9lD52VHCO..J..%...X.._.?.O...Y...Z..._./.L..."..! '..$.D52VHCONV3HD52VHCONV3HD5b.HC.OU3Z.-TVHCONV3H.5=WCBINVcKD5.THCONV.xD52FHCO.U3HDu2VXCONF3H@52VJCKNR3HD52VHCOHV3XD5..NCMNV3HD%2VXCONV#HD%2VHCONF3HD52VHCONVW.G5.VHCO>U3p.72VHCONV3HD52VHCONV3HD52VHCONV3HD52VHCONV3HD52VHCONV3HD52VHCONV3HD.0VHcONV3XD5.UHCONV3HD52VHCONV3HD52VHCONxG-<A2VH..MV3XD52.KCO^V3HD52VHCONV3Hd526f'.:73HD9<VHC/MV3XD526KCONV3HD52VHCO.V3.jGA$+CONn.JD5BUHC.LV38G52VHCONV3HD52.HC..I..T52VHCONV3HDxa....xf...y2VHCONV3HD52VHCONV3HD52VHCONV3HD52VHCONV3HD52VHCONV3HD52VHCONV3HD52VHCONV3HD52VHCONV3HD52VHCONV3HD52VHCONV3HD52VHCONV3HD52VHCONV3HD52VHCONV3HD52VHCONV3HD52VHCONV3HD52VHCONV3HD52VHCONV3HD52VHCONV3HD52VHCONV3HD52VHCONV3HD52VHCONV3HD52VHCONV3HD52VHCONV3HD52VHCONV3HD52VHCONV3HD52VHCONV3HD52VHCONV3HD52VHCONV3HD52VHCONV3HD52VHCONV3HD52VHCONV3HD52VHCONV3HD52VHCONV3HD52VHCONV3HD52VHCONV3HD52VHCONV3HD52VHCONV3

C:\Users\user\AppData\Local\Temp\hypopygidium

Download File

Process:	C:\Users\user\Desktop\file4232024.exe
File Type:	ASCII text, with very long lines (28720), with no line terminators
Category:	dropped
Size (bytes):	28720
Entropy (8bit):	3.5906320014569393
Encrypted:	false
SSDEEP:	768:wiTZ+2QoioGRk6ZklputwjpjBkCiw2RuJ3nXKUrvzjsNbIE+Ie6gJ4vfF3if6gys:wiTZ+2QoioGRk6ZklputwjpjBkCiw2RA
MD5:	F429058632AB816A74534E3A8C8174EE
SHA1:	75BBEC83815F8E8270927FCEA51CCE20D11B8FC6
SHA-256:	D8085A2181E73A7B64EBBDEA275A125646DC9B9C9C360DCF452A54B925F4605E
SHA-512:	2AD3AB2E91CBDCD7596527F2BC7A66CEA25D7307802C6A95C3A8581FC4B406A21BC5023CE2E790D6A78825B31E1332DE32CC4069256147285849D7ADD9999BEB
Malicious:	false
Reputation:	low
Preview:	048B4C24088B008B093BC8760483C8FFC31BC0F7D8C38B0x558bec81eccc0200005657b86b00000066894584b96500000066894d86ba7200000066895588b86e0000006689458ab96500000066894d8cba6c0000006689558eb83300000066894590b93200000066894d92ba2e00000066895594b86400000066894596b96c00000066894d98ba6c0000006689559a33c06689459cb96e00000066898d44ffffffba7400000066899546ffffffb86400000066898548ffffffb96c00000066898d4affffffba6c0000006689954cffffffb82e0000006689854effffffb96400000066898d50ffffffba6c00000066899552ffffffb86c00000066898554ffffff33c966898d56ffffffba75000000668955d0b873000000668945d2b96500000066894dd4ba72000000668955d6b833000000668945d8b93200000066894ddaba2e000000668955dcb864000000668945deb96c00000066894de0ba6c000000668955e233c0668945e4b96100000066898d68ffffffba640000006689956affffffb8760000006689856cffffffb96100000066898d6effffffba7000000066899570ffffffb86900000066898572ffffffb93300000066898d74ffffffba3200000066899576ffffffb82e00000066898578ffffffb96400000066898d7affffffba6c0000006689957cffffffb86c00000066

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\LogfireblendeuGDOCADegvvshJYgdfgGWltXxnlOnThLThggfsEYSRpalmitic

Download File

Process:	C:\Windows\SysWOW64\svchost.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\WebData

Download File

Process:	C:\Windows\SysWOW64\svchost.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.158042199399989
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file4232024.exe
File size:	1'204'736 bytes
MD5:	982f1903db530be43b0d0fc4ce976e8e
SHA1:	e2a9534e65f2ae33df71b136cfef600eab4f3627
SHA256:	0c0d782dac4f8afdf63e33666febfe1aea6605c1a64ae532a8b84d2d315b176b
SHA512:	80d5a9a05b5079dc99f48ac2497dfa5ef08fb37204d5b6811f5ad3806950d43ddfecea13713e9624ef00473f75c94a661b48b27363461a532bcb237a6afbbd2b
SSDEEP:	24576:DAHnh+eWsN3skA4RV1Hom2KXMmHaoPOpKOWz6zBvxwiruLgP5:Oh+ZkldoPK8YaompKFz6lJw4uA
TLSH:	CF45BD0273D1C036FFABA2739B6AF6415ABC79254123852F13981DB9BC701B2267D763
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x42800a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66275E9C [Tue Apr 23 07:09:16 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007FC1E8F610ADh
jmp 00007FC1E8F53E64h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007FC1E8F53FEAh
cmp edi, eax
jc 00007FC1E8F5434Eh
bt dword ptr [004C41FCh], 01h
jnc 00007FC1E8F53FE9h
rep movsb
jmp 00007FC1E8F542FCh
cmp ecx, 00000080h
jc 00007FC1E8F541B4h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007FC1E8F53FF0h
bt dword ptr [004BF324h], 01h
jc 00007FC1E8F544C0h
bt dword ptr [004C41FCh], 00000000h
jnc 00007FC1E8F5418Dh
test edi, 00000003h
jne 00007FC1E8F5419Eh
test esi, 00000003h
jne 00007FC1E8F5417Dh
bt edi, 02h
jnc 00007FC1E8F53FEFh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007FC1E8F53FF3h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007FC1E8F54045h
bt esi, 03h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD5 build 40629
[RES] VS2013 build 21005
[LNK] VS2013 UPD5 build 40629

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xbc0cc	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc8000	0x5bae0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x124000	0x7134	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4b50	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dfdd	0x8e000	310e36668512d53489c005622bb1b4a9	False	0.5735602580325704	data	6.675248351711057	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2fd8e	0x2fe00	748cf1ab2605ce1fd72d53d912abb68f	False	0.32828818537859006	data	5.763244005758284	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbf000	0x8f74	0x5200	aae9601d920f07080bdfadf43dfeff12	False	0.1017530487804878	data	1.1963819235530628	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc8000	0x5bae0	0x5bc00	248cf3dd5677005b08dc6439c2020055	False	0.9279818417915532	data	7.894804149890428	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x124000	0x7134	0x7200	f04128ad0f87f42830e4a6cdbc38c719	False	0.7617530153508771	data	6.783955557128661	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc85a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc86d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc87f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc8920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc8c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc8d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc9bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xca480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xca9e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xccf90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xce038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xce4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xce4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcea84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xcf110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xcf5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xcfb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xd01f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xd0660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xd07b8	0x52d78	data			1.000327124837911
RT_GROUP_ICON	0x123530	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x1235a8	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x1235bc	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x1235d0	0x14	data	English	Great Britain	1.25
RT_VERSION	0x1235e4	0x10c	data	English	Great Britain	0.5970149253731343
RT_MANIFEST	0x1236f0	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Target ID:	0
Start time:	19:11:56
Start date:	25/04/2024
Path:	C:\Users\user\Desktop\file4232024.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file4232024.exe"
Imagebase:	0x5e0000
File size:	1'204'736 bytes
MD5 hash:	982F1903DB530BE43B0D0FC4CE976E8E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DarkCloud, Description: Yara detected DarkCloud, Source: 00000000.00000002.2026120718.0000000001FE0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	19:11:57
Start date:	25/04/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file4232024.exe"
Imagebase:	0x620000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DarkCloud, Description: Yara detected DarkCloud, Source: 00000002.00000002.3267907136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	19:12:30
Start date:	25/04/2024
Path:	C:\Windows\SysWOW64\wbem\WmiPrvSE.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0xf80000
File size:	418'304 bytes
MD5 hash:	64ACA4F48771A5BA50CD50F2410632AD
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	4%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	4.5%
Total number of Nodes:	2000
Total number of Limit Nodes:	40

Executed Functions

Function 005E3B4C Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 005E3B7A
IsDebuggerPresent.KERNEL32 ref: 005E3B8C
GetFullPathNameW.KERNEL32(00007FFF,?,?,006A62F8,006A62E0,?,?), ref: 005E3BFD

Part of subcall function 005E7D2C: _memmove.LIBCMT ref: 005E7D66

Part of subcall function 005F0A8D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,005E3C26,006A62F8,?,?,?), ref: 005F0ACE

SetCurrentDirectoryW.KERNEL32(?), ref: 005E3C81
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,006993F0,00000010), ref: 0061D4BC
SetCurrentDirectoryW.KERNEL32(?,006A62F8,?,?,?), ref: 0061D4F4
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00695D40,006A62F8,?,?,?), ref: 0061D57A
ShellExecuteW.SHELL32(00000000,?,?), ref: 0061D581

Part of subcall function 005E3A58: GetSysColorBrush.USER32(0000000F), ref: 005E3A62
Part of subcall function 005E3A58: LoadCursorW.USER32(00000000,00007F00), ref: 005E3A71
Part of subcall function 005E3A58: LoadIconW.USER32(00000063), ref: 005E3A88
Part of subcall function 005E3A58: LoadIconW.USER32(000000A4), ref: 005E3A9A
Part of subcall function 005E3A58: LoadIconW.USER32(000000A2), ref: 005E3AAC
Part of subcall function 005E3A58: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 005E3AD2
Part of subcall function 005E3A58: RegisterClassExW.USER32(?), ref: 005E3B28

Part of subcall function 005E39E7: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 005E3A15
Part of subcall function 005E39E7: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 005E3A36
Part of subcall function 005E39E7: ShowWindow.USER32(00000000,?,?), ref: 005E3A4A
Part of subcall function 005E39E7: ShowWindow.USER32(00000000,?,?), ref: 005E3A53

Part of subcall function 005E43DB: _memset.LIBCMT ref: 005E4401
Part of subcall function 005E43DB: Shell_NotifyIconW.SHELL32(00000000,?), ref: 005E44A6

Strings

This is a third-party compiled AutoIt script., xrefs: 0061D4B4
runas, xrefs: 0061D575
%g, xrefs: 005E3C56

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas$%g
API String ID: 529118366-2073506830
Opcode ID: bb3ca689f3fc8535fbdacbf8a72c4209332ed697549e291018377296a31b1b32
Instruction ID: c3e78f243b154269b68c63f8caea15bae9dc9595e693791b3fb189eea88cd8a2
Opcode Fuzzy Hash: bb3ca689f3fc8535fbdacbf8a72c4209332ed697549e291018377296a31b1b32
Instruction Fuzzy Hash: F0511831904289AACF15BBB5DC09AFD7F7BBF4A300B185069F495A31A1DA749B45CF20

Uniqueness

Uniqueness Score: -1.00%

Function 005E4FE9 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,005E4EEE,?,?,00000000,00000000), ref: 005E4FF9
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,005E4EEE,?,?,00000000,00000000), ref: 005E5010
LoadResource.KERNEL32(?,00000000,?,?,005E4EEE,?,?,00000000,00000000,?,?,?,?,?,?,005E4F8F), ref: 0061DD60
SizeofResource.KERNEL32(?,00000000,?,?,005E4EEE,?,?,00000000,00000000,?,?,?,?,?,?,005E4F8F), ref: 0061DD75
LockResource.KERNEL32(N^,?,?,005E4EEE,?,?,00000000,00000000,?,?,?,?,?,?,005E4F8F,00000000), ref: 0061DD88

Strings

SCRIPT, xrefs: 005E5006
N^, xrefs: 0061DD85

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT$N^
API String ID: 3051347437-1861342959
Opcode ID: 44fe1ace0f1ccec32c2f86015015d77a19b2da6861e76cf8236cf470907771f0
Instruction ID: dc8606554263523726a0d58ba85bfc33f165b5f2050192bb6649ec2ceffa614c
Opcode Fuzzy Hash: 44fe1ace0f1ccec32c2f86015015d77a19b2da6861e76cf8236cf470907771f0
Instruction Fuzzy Hash: EE115A75200700BFD7258B66EC58F677BBEFBC9B15F20516CF446C6260EBA1ED008A60

Uniqueness

Uniqueness Score: -1.00%

Function 005E4AFE Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 005E4B2B

Part of subcall function 005E7D2C: _memmove.LIBCMT ref: 005E7D66

GetCurrentProcess.KERNEL32(?,0066FAEC,00000000,00000000,?), ref: 005E4BF8
IsWow64Process.KERNEL32(00000000), ref: 005E4BFF
GetNativeSystemInfo.KERNELBASE(00000000), ref: 005E4C45
FreeLibrary.KERNEL32(00000000), ref: 005E4C50
GetSystemInfo.KERNEL32(00000000), ref: 005E4C81
GetSystemInfo.KERNEL32(00000000), ref: 005E4C8D

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: 495a0eb22fcd6f4f8593439bb5c6b41349dad977286d3019ac12330dbbf982bd
Instruction ID: 653ba722d7986e25b07e3c3243381c476dfb3a19434268b94cc6820a26951cdd
Opcode Fuzzy Hash: 495a0eb22fcd6f4f8593439bb5c6b41349dad977286d3019ac12330dbbf982bd
Instruction Fuzzy Hash: 4B91B23154A7C0DECB35CB7994551EABFE9BF2A300B584D9DE0CB83A01D224F948DB59

Uniqueness

Uniqueness Score: -1.00%

Function 005EE800 Relevance: 7.4, Strings: 5, Instructions: 1102COMMON

Download Yara Rule

Strings

Dtj, xrefs: 005EEC21
Variable must be of type 'Object'., xrefs: 0062428C
Dtj, xrefs: 005EEC1A
Dtj, xrefs: 00623F1F
Dtj, xrefs: 00623F58

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID:
String ID: Dtj$Dtj$Dtj$Dtj$Variable must be of type 'Object'.
API String ID: 0-1753279395
Opcode ID: 7a86347ff71ac8a1ee572efaa70585a09925414ee355a13464d9368c993947d3
Instruction ID: ca51098e10c4255fe41991f4adec1385f80e06d2c8efc32c88e5e0075c61973e
Opcode Fuzzy Hash: 7a86347ff71ac8a1ee572efaa70585a09925414ee355a13464d9368c993947d3
Instruction Fuzzy Hash: B4A2BF74A04255CFCB28CF55C885AADBBB6FF49300F248469E996AB351D731ED42CF81

Uniqueness

Uniqueness Score: -1.00%

Function 00644696 Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,0061E7C1), ref: 006446A6
FindFirstFileW.KERNELBASE(?,?), ref: 006446B7
FindClose.KERNEL32(00000000), ref: 006446C7

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 8940aacbd75c98c13a689f94953061e4d3c708fddad7c3e46271f5ac3b3f5a43
Instruction ID: 06ce2e309924b822799e8df5514a2f0639a143c22fd9ba59b6b588f82372667c
Opcode Fuzzy Hash: 8940aacbd75c98c13a689f94953061e4d3c708fddad7c3e46271f5ac3b3f5a43
Instruction Fuzzy Hash: FFE0D8314104005B47106778FC5E4EA775E9F06335F100716F835C11E0EBF05D5089D5

Uniqueness

Uniqueness Score: -1.00%

Function 005F0B30 Relevance: 64.3, APIs: 27, Strings: 9, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 005F0BBB
timeGetTime.WINMM ref: 005F0E76
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 005F0FB3
TranslateMessage.USER32(?), ref: 005F0FC7
DispatchMessageW.USER32(?), ref: 005F0FD5
Sleep.KERNEL32(0000000A), ref: 005F0FDF
LockWindowUpdate.USER32(00000000,?,?), ref: 005F105A
DestroyWindow.USER32 ref: 005F1066
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 005F1080
Sleep.KERNEL32(0000000A,?,?), ref: 006252AD
TranslateMessage.USER32(?), ref: 0062608A
DispatchMessageW.USER32(?), ref: 00626098
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 006260AC

Strings

@COM_EVENTOBJ, xrefs: 0062591A
prj, xrefs: 006253D8
@GUI_WINHANDLE, xrefs: 006253B9
prj, xrefs: 00625BDE
@GUI_CTRLID, xrefs: 00625364
prj, xrefs: 00625383
prj, xrefs: 0062542D
@TRAY_ID, xrefs: 00625BB9
@GUI_CTRLHANDLE, xrefs: 0062540E

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: Message$DispatchPeekSleepTranslateWindow$DestroyLockTimeUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$prj$prj$prj$prj
API String ID: 4003667617-914299402
Opcode ID: 6bbbb92fffdb7092067d13987db7b91decbdef895ebd361ad21c3b2994b16bb8
Instruction ID: add3ef1155cdf36b4c6178bbc08d6b6f065f5103f60aca06d5ce587d98601e09
Opcode Fuzzy Hash: 6bbbb92fffdb7092067d13987db7b91decbdef895ebd361ad21c3b2994b16bb8
Instruction Fuzzy Hash: A6B2B370608B51DFD738DF24D844BAABBE6BF84304F18491DE58A872A1DB75E845CF82

Uniqueness

Uniqueness Score: -1.00%

Function 006493DF Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 006491E9: __time64.LIBCMT ref: 006491F3

Part of subcall function 005E5045: _fseek.LIBCMT ref: 005E505D

__wsplitpath.LIBCMT ref: 006494BE

Part of subcall function 0060432E: __wsplitpath_helper.LIBCMT ref: 0060436E

_wcscpy.LIBCMT ref: 006494D1
_wcscat.LIBCMT ref: 006494E4
__wsplitpath.LIBCMT ref: 00649509
_wcscat.LIBCMT ref: 0064951F
_wcscat.LIBCMT ref: 00649532

Part of subcall function 0064922F: _memmove.LIBCMT ref: 00649268
Part of subcall function 0064922F: _memmove.LIBCMT ref: 00649277

_wcscmp.LIBCMT ref: 00649479

Part of subcall function 006499BE: _wcscmp.LIBCMT ref: 00649AAE
Part of subcall function 006499BE: _wcscmp.LIBCMT ref: 00649AC1

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 006496DC
_wcsncpy.LIBCMT ref: 0064974F
DeleteFileW.KERNEL32(?,?), ref: 00649785
CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0064979B
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 006497AC
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 006497BE

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: 0338aa7918962e92050a9b61fc9f45fc556b9d6cdb542fa45ceb816ae7ec1440
Instruction ID: 3dbbb6ab0b9e7463c50a3ab7ada6f745643927a19cc56226f3960be207351ccf
Opcode Fuzzy Hash: 0338aa7918962e92050a9b61fc9f45fc556b9d6cdb542fa45ceb816ae7ec1440
Instruction Fuzzy Hash: 98C14AB1D40219AEDF25DF95CC85ADFBBBEEF45304F0040AAF609E6241EB709A448F65

Uniqueness

Uniqueness Score: -1.00%

Function 005E3015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 75
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 005E3074
RegisterClassExW.USER32(00000030), ref: 005E309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 005E30AF
InitCommonControlsEx.COMCTL32(?), ref: 005E30CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 005E30DC
LoadIconW.USER32(000000A9), ref: 005E30F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 005E3101

Strings

TaskbarCreated, xrefs: 005E30A4
AutoIt v3 GUI, xrefs: 005E3090
+, xrefs: 005E305D
0, xrefs: 005E3056

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: b37da8c751ad23f042778bbe349fe18705666b96b66773e980c18b9f606d6ffc
Instruction ID: 687aa1090888ccd1cbe6ee1f1807c7d4b6eadc99b8d628db2aff1c08a2063d5c
Opcode Fuzzy Hash: b37da8c751ad23f042778bbe349fe18705666b96b66773e980c18b9f606d6ffc
Instruction Fuzzy Hash: B3316971801308AFDB00DFA4EC48AC9BFF6FB0A310F18552AF590AA2A1D3BA5541CF50

Uniqueness

Uniqueness Score: -1.00%

Function 005E3041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 005E3074
RegisterClassExW.USER32(00000030), ref: 005E309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 005E30AF
InitCommonControlsEx.COMCTL32(?), ref: 005E30CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 005E30DC
LoadIconW.USER32(000000A9), ref: 005E30F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 005E3101

Strings

TaskbarCreated, xrefs: 005E30A4
AutoIt v3 GUI, xrefs: 005E3090
+, xrefs: 005E305D
0, xrefs: 005E3056

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: d52a7ecbeeebe2021eb82b298ea4b5d83718a07dc60d17e39a33dfde7b3ab5a6
Instruction ID: 60e4f00762c3b0186f312173bfa4be2b07eb6398223f352c2267af63595adfee
Opcode Fuzzy Hash: d52a7ecbeeebe2021eb82b298ea4b5d83718a07dc60d17e39a33dfde7b3ab5a6
Instruction Fuzzy Hash: 4121F7B1901208AFDB00EFA4FC49B9DBFFAFB09700F04612AF511A62A0D7B555448FA1

Uniqueness

Uniqueness Score: -1.00%

Function 005E71EB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 005E4864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,006A62F8,?,005E37C0,?), ref: 005E4882

Part of subcall function 0060074F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,005E72C5), ref: 00600771

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 005E7308
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0061ECF1
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0061ED32
RegCloseKey.ADVAPI32(?), ref: 0061ED70
_wcscat.LIBCMT ref: 0061EDC9

Strings

Software\AutoIt v3\AutoIt, xrefs: 005E72FE
Include, xrefs: 0061ECE8, 0061ED29
\Include\, xrefs: 005E72C5
\, xrefs: 0061EDEC

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: eddaa36d1cdd6372c0b9ae7523fec3389fda203cdd4d6e451e55723a83a80dbc
Instruction ID: 32de06103021caff2275a80c6249604f7aeec985c6ed21b0f7cdc1ff6b4b7b0a
Opcode Fuzzy Hash: eddaa36d1cdd6372c0b9ae7523fec3389fda203cdd4d6e451e55723a83a80dbc
Instruction Fuzzy Hash: B27191715083469EC318EF65EC4599BBBEAFF9A300F44152EF485831A1EB30EA48CF55

Uniqueness

Uniqueness Score: -1.00%

Function 005E3633 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 005E36D2
KillTimer.USER32(?,00000001), ref: 005E36FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 005E371F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 005E372A
CreatePopupMenu.USER32 ref: 005E373E
PostQuitMessage.USER32(00000000), ref: 005E375F

Strings

TaskbarCreated, xrefs: 005E3725
%g, xrefs: 0061D2D1, 0061D31F

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated$%g
API String ID: 129472671-2615855565
Opcode ID: f83f6da857b0c08351d90813e5ca894e82fb3d0a17eedc730bf817b9b6ccd138
Instruction ID: 0bbbf150c732c3792b4ef95d8c4d3e41fa090a31f7f830783b5c468282073cd1
Opcode Fuzzy Hash: f83f6da857b0c08351d90813e5ca894e82fb3d0a17eedc730bf817b9b6ccd138
Instruction Fuzzy Hash: 654128B2200285BBDF186F75EC0DBB93F5BF741300F181529F692872B1CAA5AF409B61

Uniqueness

Uniqueness Score: -1.00%

Function 005E3A58 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 005E3A62
LoadCursorW.USER32(00000000,00007F00), ref: 005E3A71
LoadIconW.USER32(00000063), ref: 005E3A88
LoadIconW.USER32(000000A4), ref: 005E3A9A
LoadIconW.USER32(000000A2), ref: 005E3AAC
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 005E3AD2
RegisterClassExW.USER32(?), ref: 005E3B28

Part of subcall function 005E3041: GetSysColorBrush.USER32(0000000F), ref: 005E3074
Part of subcall function 005E3041: RegisterClassExW.USER32(00000030), ref: 005E309E
Part of subcall function 005E3041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 005E30AF
Part of subcall function 005E3041: InitCommonControlsEx.COMCTL32(?), ref: 005E30CC
Part of subcall function 005E3041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 005E30DC
Part of subcall function 005E3041: LoadIconW.USER32(000000A9), ref: 005E30F2
Part of subcall function 005E3041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 005E3101

Strings

0, xrefs: 005E3B06
#, xrefs: 005E3B0D
AutoIt v3, xrefs: 005E3B17

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 2eb0a3407b6eab8af3c37b5fc29fdc0f17f5d166b75da405c98d21d477480548
Instruction ID: 689fd87eb0f73a9e1655934fe6cc1c1138213ecf70b56788be95beb3d84d19ab
Opcode Fuzzy Hash: 2eb0a3407b6eab8af3c37b5fc29fdc0f17f5d166b75da405c98d21d477480548
Instruction Fuzzy Hash: C0212A71E00308AFEB10AFA5FC09B9D7FF6FB09711F04512AF505A62A0D3B6A6549F94

Uniqueness

Uniqueness Score: -1.00%

Function 005E3778 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

CMDLINERAW, xrefs: 005E380D
/AutoIt3OutputDebug, xrefs: 005E38A4
bj, xrefs: 0061D44E
/ErrorStdOut, xrefs: 005E388F
>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 005E37C0
/AutoIt3ExecuteScript, xrefs: 005E38CE
CMDLINE, xrefs: 005E3834
/AutoIt3ExecuteLine, xrefs: 005E38B9

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW$bj
API String ID: 1825951767-3892150585
Opcode ID: bc55f4223cff7dacde0d946f98a99420d1323bc9f67ddc1c4516e4aefd2de596
Instruction ID: a6432792209fd4edfb31f9f8f267fd10ccae430ab30fbfe32ff1268d5caac04c
Opcode Fuzzy Hash: bc55f4223cff7dacde0d946f98a99420d1323bc9f67ddc1c4516e4aefd2de596
Instruction Fuzzy Hash: DFA15271C1026E9ACF08EFA2DC99AEEBB79BF55300F040429F456A7191EF745A09CB60

Uniqueness

Uniqueness Score: -1.00%

Function 005EF8CF Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 168
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 006003A2: MapVirtualKeyW.USER32(0000005B,00000000), ref: 006003D3
Part of subcall function 006003A2: MapVirtualKeyW.USER32(00000010,00000000), ref: 006003DB
Part of subcall function 006003A2: MapVirtualKeyW.USER32(000000A0,00000000), ref: 006003E6
Part of subcall function 006003A2: MapVirtualKeyW.USER32(000000A1,00000000), ref: 006003F1
Part of subcall function 006003A2: MapVirtualKeyW.USER32(00000011,00000000), ref: 006003F9
Part of subcall function 006003A2: MapVirtualKeyW.USER32(00000012,00000000), ref: 00600401

Part of subcall function 005F6259: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,005EFA90), ref: 005F62B4

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 005EFB2D
OleInitialize.OLE32(00000000), ref: 005EFBAA
CloseHandle.KERNEL32(00000000), ref: 006249F2

Strings

<gj, xrefs: 005EFA90
cj, xrefs: 005EF94B
\dj, xrefs: 005EF957
%g, xrefs: 005EF8F6, 005EF908, 005EFACE, 005EFBB1

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID: <gj$\dj$%g$cj
API String ID: 1986988660-715575889
Opcode ID: ee205efd8a81eac753c2c63a72b4cf7a7c73b8d4fb788ea09eceeed630a7f7da
Instruction ID: 5c87d5b3f10fd34c85154cb02edb1d3c38e0d920e1e83cc5323ae3a8b9b4a56a
Opcode Fuzzy Hash: ee205efd8a81eac753c2c63a72b4cf7a7c73b8d4fb788ea09eceeed630a7f7da
Instruction Fuzzy Hash: 47819AB09152418ECB84FF29E9546157EE7FB9F308718E13AF029C72A2EB75A8058F51

Uniqueness

Uniqueness Score: -1.00%

Function 01FD2610 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 01FD26E1
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 01FD2907

Memory Dump Source

Source File: 00000000.00000002.2026103312.0000000001FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fd0000_file4232024.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: e3e00bf9dbafeb2e33b0b1731302cb2fbf5584eb46f22b1b855d3d8c7a9348fe
Instruction ID: 73dd5674e373e396813485aab05d5d0ffc708a8955cbded46f39acd14d124e90
Opcode Fuzzy Hash: e3e00bf9dbafeb2e33b0b1731302cb2fbf5584eb46f22b1b855d3d8c7a9348fe
Instruction Fuzzy Hash: 14A11675E00209EBDB14DFA4C895BFEBBB6FF48304F248159E601BB280D7769A41CB94

Uniqueness

Uniqueness Score: -1.00%

Function 005E39E7 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 005E3A15
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 005E3A36
ShowWindow.USER32(00000000,?,?), ref: 005E3A4A
ShowWindow.USER32(00000000,?,?), ref: 005E3A53

Strings

AutoIt v3, xrefs: 005E3A0D, 005E3A12, 005E3A13
edit, xrefs: 005E3A30

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 1611579a2a83d82b8f536de209265518b350c20483be177f2343e2fbc1ba2c54
Instruction ID: ba92bf3c62759719a187c8de3453bd83d13758ced594e81b01ed545ed524dd25
Opcode Fuzzy Hash: 1611579a2a83d82b8f536de209265518b350c20483be177f2343e2fbc1ba2c54
Instruction Fuzzy Hash: 08F03A70600290BEEB302B23BC08F273E7FD7C7F50B04212AB900A2170C6A62800DEB0

Uniqueness

Uniqueness Score: -1.00%

Function 01FD2410 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 133
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 01FD2300: Sleep.KERNELBASE(000001F4), ref: 01FD2311

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 01FD2502

Strings

D52VHCONV3H, xrefs: 01FD2565, 01FD2568

Memory Dump Source

Source File: 00000000.00000002.2026103312.0000000001FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fd0000_file4232024.jbxd

Similarity

API ID: CreateFileSleep
String ID: D52VHCONV3H
API String ID: 2694422964-2875186482
Opcode ID: c23418b155bca6202602b1053a712394eb65cccb1a17b33cf67b664716d02ee3
Instruction ID: 147410f9b549ff05cac121293afa2ffbb8d6d634a3d89afa679a0ef1d6a7c23d
Opcode Fuzzy Hash: c23418b155bca6202602b1053a712394eb65cccb1a17b33cf67b664716d02ee3
Instruction Fuzzy Hash: 6C517131D04249EBEF11DBA4C814BFEBB79AF44300F044199E609BB2C0DB7A5B45CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 005E410D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0061D5EC

Part of subcall function 005E7D2C: _memmove.LIBCMT ref: 005E7D66

_memset.LIBCMT ref: 005E418D
_wcscpy.LIBCMT ref: 005E41E1
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 005E41F1

Strings

Line: , xrefs: 0061D615

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: 86e172f3a5c2962d8ff88cc032dcdde560e2145f9b3e59fe3994f09e36a56db1
Instruction ID: dcd465b25b0f90d94b32f8f0fffc18f972471c37bee323027d08ba954de823e4
Opcode Fuzzy Hash: 86e172f3a5c2962d8ff88cc032dcdde560e2145f9b3e59fe3994f09e36a56db1
Instruction Fuzzy Hash: BB31E7710083859AD729EB61DC49FDB7BEDBF95300F14491EF1C5920A1EF70AA48CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0060564D Relevance: 7.7, APIs: 5, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 006056AB
_memcpy_s.LIBCMT ref: 0060571D
__read_nolock.LIBCMT ref: 0060577B
__filbuf.LIBCMT ref: 0060579E
_memset.LIBCMT ref: 006057E2

Part of subcall function 00608D68: __getptd_noexit.LIBCMT ref: 00608D68

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
Instruction ID: b480d6136ec05233afdd40633b31fd4dbcbf1e32e9d7b8770558b1dc9898b6d3
Opcode Fuzzy Hash: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
Instruction Fuzzy Hash: 18519130A80B05DBDB2C8F6988806AF77A7AF40320F64872DF827963E0D7719D51AF50

Uniqueness

Uniqueness Score: -1.00%

Function 005E69CA Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 005E4F3D: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,006A62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 005E4F6F

_free.LIBCMT ref: 0061E68C
_free.LIBCMT ref: 0061E6D3

Part of subcall function 005E6BEC: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 005E6D0D

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 0061E462
Bad directive syntax error, xrefs: 0061E6BB

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: d77d8ca3bccceae5b464a34d392b2d37af60a342015dbb041184741ed395915c
Instruction ID: 4c4241d65b84e4d11bc20c1c4496d52c8b8a390ac18ad05d724f8a7f5e57bf0d
Opcode Fuzzy Hash: d77d8ca3bccceae5b464a34d392b2d37af60a342015dbb041184741ed395915c
Instruction Fuzzy Hash: 3791AF7191025AEFCF08EFA5C8959EDBBB6FF18304F044429F856AB291EB31D945CB90

Uniqueness

Uniqueness Score: -1.00%

Function 005E35B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,005E35A1,SwapMouseButtons,00000004,?), ref: 005E35D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,005E35A1,SwapMouseButtons,00000004,?,?,?,?,005E2754), ref: 005E35F5
RegCloseKey.KERNELBASE(00000000,?,?,005E35A1,SwapMouseButtons,00000004,?,?,?,?,005E2754), ref: 005E3617

Strings

Control Panel\Mouse, xrefs: 005E35D2

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 0628498d27eec9c256ba2700b1771e33c6aa125f58db0b061dac989cf53e0ff0
Instruction ID: 7e40c5cb043039eb0bdc9d0fbb2d87b4a524f6c0fcc80c8526a4534aedbc38b8
Opcode Fuzzy Hash: 0628498d27eec9c256ba2700b1771e33c6aa125f58db0b061dac989cf53e0ff0
Instruction Fuzzy Hash: E6114871510248BFDB24CFA5EC489AEBBB9FF05740F016469E845D7210D2719E409760

Uniqueness

Uniqueness Score: -1.00%

Function 01FD1300 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 01FD1ABB
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01FD1B51
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01FD1B73

Memory Dump Source

Source File: 00000000.00000002.2026103312.0000000001FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fd0000_file4232024.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: f7a3111ab7015fd8b62422fe8fc399687c9bf18e9b49b2a513bdf356eeec8a8c
Instruction ID: cb6e9f6b1c627bd621b895a23c20a6d552a9044eaf284b3086dc49b7e2494425
Opcode Fuzzy Hash: f7a3111ab7015fd8b62422fe8fc399687c9bf18e9b49b2a513bdf356eeec8a8c
Instruction Fuzzy Hash: 4E621D30A14258DBEB24CFA4C850BEEB772EF58300F1491A9D10DEB390E7769E81CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0060493A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 006049D0
__flush.LIBCMT ref: 006049F0
__write.LIBCMT ref: 00604A23
__flsbuf.LIBCMT ref: 00604A51

Part of subcall function 00608D68: __getptd_noexit.LIBCMT ref: 00608D68

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 6b900c82ae833c016f0ad4fafe5841f230cacf6ecaddb2f96621bb99e00bcb06
Instruction ID: 912b7b383ddb722399be8faf1f815faa46a0e46e05ea85265b6a9832b25d812f
Opcode Fuzzy Hash: 6b900c82ae833c016f0ad4fafe5841f230cacf6ecaddb2f96621bb99e00bcb06
Instruction Fuzzy Hash: 2241B3B0B806069BDB3CCEA9C8809AF77A7EF84360B24817DEA55876D4DE709D418B44

Uniqueness

Uniqueness Score: -1.00%

Function 005E4DD0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 005E4E1A

Strings

EA06, xrefs: 0061DCF5
AU3!P/g, xrefs: 005E4E14

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: _memmove
String ID: AU3!P/g$EA06
API String ID: 4104443479-1337525066
Opcode ID: 7fb6d3dada1a75a3920d273eb8eb3e51485e0b3eb6ea0655943742ebbd9f2439
Instruction ID: 30f1db97d91ecacb1c3bebffad5d0eee9070bebdbcc8cb9d8956c6a82fcb1e84
Opcode Fuzzy Hash: 7fb6d3dada1a75a3920d273eb8eb3e51485e0b3eb6ea0655943742ebbd9f2439
Instruction Fuzzy Hash: 67417C22A041D45BCF2D5F6688557BF7FAABF45300F2C44A5F8C2AB282D6219D448BE2

Uniqueness

Uniqueness Score: -1.00%

Function 005E73E5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0061EE62
GetOpenFileNameW.COMDLG32(?), ref: 0061EEAC

Part of subcall function 005E48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,005E48A1,?,?,005E37C0,?), ref: 005E48CE

Part of subcall function 006009D5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 006009F4

Strings

X, xrefs: 0061EE7A

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: 3153ec57cb965dc8dd9bc166cb3d33702b088bdcefea8a14eae8009864226c84
Instruction ID: c671ca9856421a2e46a05b07e4e6a60c8c7e621e925897a8c1e1118ea405b6eb
Opcode Fuzzy Hash: 3153ec57cb965dc8dd9bc166cb3d33702b088bdcefea8a14eae8009864226c84
Instruction Fuzzy Hash: 4C21C67190429C9BDF55DF94C8457EE7FFDAF49300F04401AE449E7281DBB459898FA1

Uniqueness

Uniqueness Score: -1.00%

Function 0064901B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00649036
__fread_nolock.LIBCMT ref: 0064904B

Strings

EA06, xrefs: 0064907D

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: 3a6d02ef760ec360c564a4928c68a874ed9137f7c4248346a45b833af5ea23eb
Instruction ID: fe2365ac2eb875910aa4c60e99ca303d34c39325a63fa642ac6320d4670fd9cb
Opcode Fuzzy Hash: 3a6d02ef760ec360c564a4928c68a874ed9137f7c4248346a45b833af5ea23eb
Instruction Fuzzy Hash: F701F971844218AEDB28C6A8C816EFF7BFC9B11701F00419EF593D21C1E5B5A6088BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00649B6D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00649B82
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00649B99

Strings

aut, xrefs: 00649B93

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: dfd5c315394f029846c37dfc9db99c9fc0d805993363b81b941aac22c242fc9a
Instruction ID: d263780155123e769c132a17610486925c22c52ffd5699014b1bdbffd3314f1a
Opcode Fuzzy Hash: dfd5c315394f029846c37dfc9db99c9fc0d805993363b81b941aac22c242fc9a
Instruction Fuzzy Hash: F6D05E7954030DABDB109BD0EC0EF9A776DE704B04F0052A1FE54910A1DEF056988FD1

Uniqueness

Uniqueness Score: -1.00%

Function 0065CDF1 Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 062cc5b229d30859b53f8384e85a26e665feeaa0e34f9f9fa94372601c7a7994
Instruction ID: 25bf85d61bd3e7a2da7fc160aa565d02cbc7b4f0b9495d623e3fca06c267c528
Opcode Fuzzy Hash: 062cc5b229d30859b53f8384e85a26e665feeaa0e34f9f9fa94372601c7a7994
Instruction Fuzzy Hash: 74F139706083419FC724DF29C484A6ABBE6FF88314F14896DF8999B391D771E946CF82

Uniqueness

Uniqueness Score: -1.00%

Function 005E43DB Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 005E4401
Shell_NotifyIconW.SHELL32(00000000,?), ref: 005E44A6
Shell_NotifyIconW.SHELL32(00000001,?), ref: 005E44C3

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: 6e8feb5e2ce7b55d45fa0004af9c6d18a454f0ffc8976f411d85bc569c82be10
Instruction ID: 7aea0ded18b8ed11463b872c8a96b875ef55727dfdfd413f66995afa65ed525b
Opcode Fuzzy Hash: 6e8feb5e2ce7b55d45fa0004af9c6d18a454f0ffc8976f411d85bc569c82be10
Instruction Fuzzy Hash: 183181B06043518FDB24DF25D88479BBBE9FB49304F04092EF5DA83291D7B1AA44CF92

Uniqueness

Uniqueness Score: -1.00%

Function 0060594C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00605963

Part of subcall function 0060A3AB: __NMSG_WRITE.LIBCMT ref: 0060A3D2
Part of subcall function 0060A3AB: __NMSG_WRITE.LIBCMT ref: 0060A3DC

__NMSG_WRITE.LIBCMT ref: 0060596A

Part of subcall function 0060A408: GetModuleFileNameW.KERNEL32(00000000,006A43BA,00000104,?,00000001,00000000), ref: 0060A49A
Part of subcall function 0060A408: ___crtMessageBoxW.LIBCMT ref: 0060A548

Part of subcall function 006032DF: ___crtCorExitProcess.LIBCMT ref: 006032E5
Part of subcall function 006032DF: ExitProcess.KERNEL32 ref: 006032EE

Part of subcall function 00608D68: __getptd_noexit.LIBCMT ref: 00608D68

RtlAllocateHeap.NTDLL(013A0000,00000000,00000001,00000000,?,?,?,00601013,?), ref: 0060598F

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 6189bd6274266b2158a2f296d280ffdd580ddd269348a8c07db840a7658af0c0
Instruction ID: f9710bd856d647e236629ee44d3835abb149c602251205d48c36f75664d5966c
Opcode Fuzzy Hash: 6189bd6274266b2158a2f296d280ffdd580ddd269348a8c07db840a7658af0c0
Instruction Fuzzy Hash: 1A01D2312C0B51DEE65D7B64EC42BAF738B8F92771F10012EF4029B2D1DEB09D018A69

Uniqueness

Uniqueness Score: -1.00%

Function 00649B2C Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,006497D2,?,?,?,?,?,00000004), ref: 00649B45
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,006497D2,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00649B5B
CloseHandle.KERNEL32(00000000,?,006497D2,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00649B62

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: a241cf019be0b41e35c20d12052098070c612fd9198be72d60d64dd33113bfc4
Instruction ID: a0b657fcb113fc1655e1814564755e4e072f69a46004b7ef959e3d9fa6c7129e
Opcode Fuzzy Hash: a241cf019be0b41e35c20d12052098070c612fd9198be72d60d64dd33113bfc4
Instruction Fuzzy Hash: C3E08632181214B7D7211B54FC09FCA7B5AEB067A1F104120FB54791E087F129119798

Uniqueness

Uniqueness Score: -1.00%

Function 00648F97 Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00648FA5

Part of subcall function 00602F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00609C64), ref: 00602FA9
Part of subcall function 00602F95: GetLastError.KERNEL32(00000000,?,00609C64), ref: 00602FBB

_free.LIBCMT ref: 00648FB6
_free.LIBCMT ref: 00648FC8

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 7d3b2028e624efae88516297b2f19128b0b5a47fb3bf7ffb404a5919715f4e12
Instruction ID: 7bfd1b235c114e89c9597d958bfb5c38a9fa538ac31c466c2ef2f695c4a5d20b
Opcode Fuzzy Hash: 7d3b2028e624efae88516297b2f19128b0b5a47fb3bf7ffb404a5919715f4e12
Instruction Fuzzy Hash: 1AE012A16497034ECBA8A978AD54AD757EF9F483D0758081DB419DB282DE24E8558128

Uniqueness

Uniqueness Score: -1.00%

Function 005EAB23 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 0062002B

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: 38161a1aa3a655778cab87dd4e86435839c9dd88d0ad1efc4d41e0c07f088dd3
Instruction ID: 82008a7e15362ab1843d4cb8e11d709bd5595943599a2f8319249eb1cad81998
Opcode Fuzzy Hash: 38161a1aa3a655778cab87dd4e86435839c9dd88d0ad1efc4d41e0c07f088dd3
Instruction Fuzzy Hash: D3224970508291DFD728DF25C494B6ABBE2BF85300F14895DE8DA8B362D731ED85CB82

Uniqueness

Uniqueness Score: -1.00%

Function 005EC6DA Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

_wcscmp.LIBCMT ref: 005EC73D

Strings

^, xrefs: 005EC6E1

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: _wcscmp
String ID: ^
API String ID: 856254489-1590793086
Opcode ID: 7f2d62c73df6da5c22bb4e943cfeb3efb33f0af5dbdfd5e4493c55633f341cf1
Instruction ID: d638aa4ea12da63fcf1b5b76892bfc63822d3c8285843dc98e8cdacbc275a3d0
Opcode Fuzzy Hash: 7f2d62c73df6da5c22bb4e943cfeb3efb33f0af5dbdfd5e4493c55633f341cf1
Instruction Fuzzy Hash: 3E11C4329082D55FDB19DB29C8916DAFF75EF57360F15409BD8D0AB2A1E2309C42CF81

Uniqueness

Uniqueness Score: -1.00%

Function 005E492E Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 005E4992

Part of subcall function 006035AC: __lock.LIBCMT ref: 006035B2
Part of subcall function 006035AC: DecodePointer.KERNEL32(00000001,?,005E49A7,006381BC), ref: 006035BE
Part of subcall function 006035AC: EncodePointer.KERNEL32(?,?,005E49A7,006381BC), ref: 006035C9

Part of subcall function 005E4A5B: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 005E4A73
Part of subcall function 005E4A5B: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 005E4A88

Part of subcall function 005E3B4C: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 005E3B7A
Part of subcall function 005E3B4C: IsDebuggerPresent.KERNEL32 ref: 005E3B8C
Part of subcall function 005E3B4C: GetFullPathNameW.KERNEL32(00007FFF,?,?,006A62F8,006A62E0,?,?), ref: 005E3BFD
Part of subcall function 005E3B4C: SetCurrentDirectoryW.KERNEL32(?), ref: 005E3C81

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 005E49D2

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: b787c53b419ecb9f778da50017601f560f740c8e5f8847666998e18a2936d6a0
Instruction ID: 57510d20ac28380fa8f76f1bd5b1494b90f87e3564825f3925986f3ebf6e01ab
Opcode Fuzzy Hash: b787c53b419ecb9f778da50017601f560f740c8e5f8847666998e18a2936d6a0
Instruction Fuzzy Hash: 5D116A719183529BC304EF2AEC0990AFFE9FF99710F00552EF095872A1DBB0A644CF96

Uniqueness

Uniqueness Score: -1.00%

Function 005E5DF9 Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000,?,005E5981,?,?,?,?), ref: 005E5E27
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000000,?,005E5981,?,?,?,?), ref: 0061E19C

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 16ba365636afaab204d963721fd60f9dd516de15f6c58f7a57f2bb9b1d71300a
Instruction ID: 4c513ea13005d13c4fe832d6440abdc1152d64f85fc25250636c4d4ad0276c2b
Opcode Fuzzy Hash: 16ba365636afaab204d963721fd60f9dd516de15f6c58f7a57f2bb9b1d71300a
Instruction Fuzzy Hash: EF019270244748BEF3280E25DC8AFA67B9CBB0176CF108318FAE55A1E0D6B05E458B50

Uniqueness

Uniqueness Score: -1.00%

Function 00600FF6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0060594C: __FF_MSGBANNER.LIBCMT ref: 00605963
Part of subcall function 0060594C: __NMSG_WRITE.LIBCMT ref: 0060596A
Part of subcall function 0060594C: RtlAllocateHeap.NTDLL(013A0000,00000000,00000001,00000000,?,?,?,00601013,?), ref: 0060598F

std::exception::exception.LIBCMT ref: 0060102C
__CxxThrowException@8.LIBCMT ref: 00601041

Part of subcall function 006087DB: RaiseException.KERNEL32(?,?,?,0069BAF8,00000000,?,?,?,?,00601046,?,0069BAF8,?,00000001), ref: 00608830

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: eb7fc64e9298ab46139bdda8d737341eb4853ad45e1fef97ff2408df6ee9f169
Instruction ID: 2a21c8084cd095fd7ae4eb8624c0a25f13fc6c6f109f5e834e52dc77b6005b65
Opcode Fuzzy Hash: eb7fc64e9298ab46139bdda8d737341eb4853ad45e1fef97ff2408df6ee9f169
Instruction Fuzzy Hash: E9F0F93458031DA6CB29EE58EC119DF7BAEDF01350F104019F889966D1DF718A909694

Uniqueness

Uniqueness Score: -1.00%

Function 0060582D Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 0060585C
__lock_file.LIBCMT ref: 0060587D

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: 5d64e461518485be6d7b2f99f57fb75aeb1c11062bb04b0688f20a3a73ee03d6
Instruction ID: 6c80e21c583466c0ba31589f9daa691a1215365f6ecdeb0ca9bf17f693870d66
Opcode Fuzzy Hash: 5d64e461518485be6d7b2f99f57fb75aeb1c11062bb04b0688f20a3a73ee03d6
Instruction Fuzzy Hash: F901B131880A19EBCF6AAF698C0148F7B63AF80360F048219B8155B2E1DB31CA21DF95

Uniqueness

Uniqueness Score: -1.00%

Function 006055D6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00608D68: __getptd_noexit.LIBCMT ref: 00608D68

__lock_file.LIBCMT ref: 0060561B

Part of subcall function 00606E4E: __lock.LIBCMT ref: 00606E71

__fclose_nolock.LIBCMT ref: 00605626

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 519b519d6275bbd6855228dce94a673b9906855aad945b39048df0cc29040ff3
Instruction ID: f1f5427f56be9259e985b9e14b8e8b319bbbf26b428d2d9ba4b7ee132c740faa
Opcode Fuzzy Hash: 519b519d6275bbd6855228dce94a673b9906855aad945b39048df0cc29040ff3
Instruction Fuzzy Hash: 25F0F031890B019EDBA8AB74C80276F77A32F40334F55820EA452AB1D1CFBC89029F49

Uniqueness

Uniqueness Score: -1.00%

Function 01FD12FD Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 01FD1ABB
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01FD1B51
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01FD1B73

Memory Dump Source

Source File: 00000000.00000002.2026103312.0000000001FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fd0000_file4232024.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 47f45bba1b7d6f78db91ee930b61901a72fbf3bd75938062ef2b5451d70cd9db
Instruction ID: 22e84fc22c9875e4ce32267e4d6c80bc11c2979e619058f957e255b4d2d3b844
Opcode Fuzzy Hash: 47f45bba1b7d6f78db91ee930b61901a72fbf3bd75938062ef2b5451d70cd9db
Instruction Fuzzy Hash: 7612DF24E18658C6EB24DF64D8507DEB232EF68300F1091E9910DEB7A5E77A4F81CF5A

Uniqueness

Uniqueness Score: -1.00%

Function 005EF3F0 Relevance: 1.7, APIs: 1, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5132619147255654998fe2637bcfaef8c3cb6f68d89a427af21dbd40fe19860d
Instruction ID: af6f46ca2775eaf9dc4c78cfd014d36c99e0bfcd8da802a4b387cc8fa70efc37
Opcode Fuzzy Hash: 5132619147255654998fe2637bcfaef8c3cb6f68d89a427af21dbd40fe19860d
Instruction Fuzzy Hash: 8E61BE7060068A9FDB18DF65D880AABBBE5FF44300F14847EE9968B281EB70ED51CB51

Uniqueness

Uniqueness Score: -1.00%

Function 005F2123 Relevance: 1.7, APIs: 1, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e0bb24ef1cced1a33958258f4a4586c9f499818acc7fe23d3046bfaf2ecb519
Instruction ID: cb93a0486f5581b7ce38f2ec06420665e37ebb0c51afad7e55eb081607ecd2d5
Opcode Fuzzy Hash: 1e0bb24ef1cced1a33958258f4a4586c9f499818acc7fe23d3046bfaf2ecb519
Instruction Fuzzy Hash: 2651AF34600615AFCF18EB68C995FBE7BA6BF85310F148068F946AB382DE34ED00CB45

Uniqueness

Uniqueness Score: -1.00%

Function 005E5C4E Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000000,?,?,00000000), ref: 005E5CF6

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: dcf76eaa46fe5855c183c4c80cc777a64c0851fd2be3bc9c658017db0ed362a9
Instruction ID: 23a1475ed7cc1dca830768d51d4258c15bce91ced0ef61d72c82303f109c46b6
Opcode Fuzzy Hash: dcf76eaa46fe5855c183c4c80cc777a64c0851fd2be3bc9c658017db0ed362a9
Instruction Fuzzy Hash: F9316071A00B4AAFCB18CF2EC99469DBBB5FF88314F248629D85993710E771BD50DB90

Uniqueness

Uniqueness Score: -1.00%

Function 006200D6 Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 006200E1

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 05e57ad114cc774572be363f90e838a81ddad3e05a2cb0c3cd837da50bde506e
Instruction ID: acbf19914e59d13997a5a593ad41a79258207d27d028c80164fe3bfbf4b76a37
Opcode Fuzzy Hash: 05e57ad114cc774572be363f90e838a81ddad3e05a2cb0c3cd837da50bde506e
Instruction Fuzzy Hash: 0B410874504791CFEB18DF25C484B1ABBE1BF45314F1988ACE8994B762C731E885CF56

Uniqueness

Uniqueness Score: -1.00%

Function 005E5B19 Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 005E5B61

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 75a253a3b5936dfb5ba063aea72c4cbdc6df311c0a88823a2ddca8c3e265d3e6
Instruction ID: aeaedafb09cc7574bc5cf85f3a54c1008959b5d8d2bb2bdc2f978970b771701b
Opcode Fuzzy Hash: 75a253a3b5936dfb5ba063aea72c4cbdc6df311c0a88823a2ddca8c3e265d3e6
Instruction Fuzzy Hash: 5821F031A00A08EBDB145F12E8856AA7FBEFF14390F25886EF886C5410EB72C4E08745

Uniqueness

Uniqueness Score: -1.00%

Function 005EC707 Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

_wcscmp.LIBCMT ref: 005EC73D

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: _wcscmp
String ID:
API String ID: 856254489-0
Opcode ID: 4da7022922b8d34942b19728ef89d59458f1ac5751ef07c82a72115ff01b0df2
Instruction ID: 13a2bb77ba67155a4069e0ef4bb28e8522435815ec964d145f75d08dc0df9d6f
Opcode Fuzzy Hash: 4da7022922b8d34942b19728ef89d59458f1ac5751ef07c82a72115ff01b0df2
Instruction Fuzzy Hash: A711D87290415ADBCF18EF9ADC858EEFB79FF95350F10412AE8519B190E7309D06CB90

Uniqueness

Uniqueness Score: -1.00%

Function 005E4F3D Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 005E4D13: FreeLibrary.KERNEL32(00000000,?), ref: 005E4D4D

Part of subcall function 0060548B: __wfsopen.LIBCMT ref: 00605496

LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,006A62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 005E4F6F

Part of subcall function 005E4CC8: FreeLibrary.KERNEL32(00000000), ref: 005E4D02

Part of subcall function 005E4DD0: _memmove.LIBCMT ref: 005E4E1A

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: 78c377bbbaa31612bfc12609514407a78da94abab5f5f3e61de2a487cc2adf35
Instruction ID: 9a6ea2e6b1bb86017732d4aba18b4c7557f9296ab8c2a806a42708914a3f4a32
Opcode Fuzzy Hash: 78c377bbbaa31612bfc12609514407a78da94abab5f5f3e61de2a487cc2adf35
Instruction Fuzzy Hash: 11110D31A00306ABCB18FF71DC1AFAE7BA5AF80B00F10842DF591972C1DE719A059F50

Uniqueness

Uniqueness Score: -1.00%

Function 006201AF Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 006201BB

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 1084bfdc1bf60068a43c6f29d797492eaff10b9a1bb53539fc728db787515d34
Instruction ID: 5114686f8464c845adff0e4e8ec1cdb38a9eaede8768dd7e21601cf137e34951
Opcode Fuzzy Hash: 1084bfdc1bf60068a43c6f29d797492eaff10b9a1bb53539fc728db787515d34
Instruction Fuzzy Hash: 582102B4508391DFDB18DF24C444A1ABBE5BF85304F05896CE8DA4B762D731F845CB52

Uniqueness

Uniqueness Score: -1.00%

Function 005E5D20 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,00010000,?,00000000,00000000,?,00010000,?,005E5807,00000000,00010000,00000000,00000000,00000000,00000000), ref: 005E5D76

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: d34862c0de61c5334e63b87e19bfbb09f84e37173ef0767eb702dc895a909f24
Instruction ID: 60d65b82d0cad9b6ef5c513653b64e03dbcb95cb66e439b0251d31e73cd8b0b2
Opcode Fuzzy Hash: d34862c0de61c5334e63b87e19bfbb09f84e37173ef0767eb702dc895a909f24
Instruction Fuzzy Hash: 56113D31200B419FD3348F16C944B62BBE9FF45754F14C92DE5EA86A50E7B0EA45CB60

Uniqueness

Uniqueness Score: -1.00%

Function 005E5BDA Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0061E141

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 9b54afcf07a23b9ff4e0bf05bec20c5cd47f57aecc711df460a32f44145caaaf
Instruction ID: 1bc0ba9243efae96692fe48a879f3fe9f6757d51183e9ca0ecc72450277e2124
Opcode Fuzzy Hash: 9b54afcf07a23b9ff4e0bf05bec20c5cd47f57aecc711df460a32f44145caaaf
Instruction Fuzzy Hash: EE01A775600542AFC309DB69C842D26FBAAFF863147148159F855C7702EB71EC21CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 00604A93 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 00604AD6

Part of subcall function 00608D68: __getptd_noexit.LIBCMT ref: 00608D68

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: 0bdb8d600f35aac41c08c8bdaae75c00d578fc37630ff1d0ba784e97b421865b
Instruction ID: 12f4d6292bfbafd71d2a6978d476f5060cd28ae6624d103eff146eaabc7531c1
Opcode Fuzzy Hash: 0bdb8d600f35aac41c08c8bdaae75c00d578fc37630ff1d0ba784e97b421865b
Instruction Fuzzy Hash: 98F081719C0209AFDFA9AF64C8063DF3663AF00325F044518B5149B1D5CF788951DB59

Uniqueness

Uniqueness Score: -1.00%

Function 005E4FAA Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,006A62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 005E4FDE

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 27e6d8b186249e78355503d0972a83417044ccf5aaaae59c3bfb944436db1251
Instruction ID: 9dab0f9fa704ec79147d000f86170afdaba28b0ed022fd43658216da6b9dcb63
Opcode Fuzzy Hash: 27e6d8b186249e78355503d0972a83417044ccf5aaaae59c3bfb944436db1251
Instruction Fuzzy Hash: A9F015B1105752CFCB389F66E894812BBE2BF047293208A3EE1E682B10C771A840DF50

Uniqueness

Uniqueness Score: -1.00%

Function 006009D5 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 006009F4

Part of subcall function 005E7D2C: _memmove.LIBCMT ref: 005E7D66

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: ef159746d599483057da056aa06aea74e48009e0f506411b3a9f8d4d5790a507
Instruction ID: fbcde0dbb6d7b24b137070c84a9a7f4cea998ddeeb0edb54a575886b95384cf2
Opcode Fuzzy Hash: ef159746d599483057da056aa06aea74e48009e0f506411b3a9f8d4d5790a507
Instruction Fuzzy Hash: A6E0867690422C57C720D6989C15FFA77ADDF89790F0401B5FD4CD7204D9A09D818690

Uniqueness

Uniqueness Score: -1.00%

Function 00649129 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 0064914B

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
Instruction ID: d6f41622eb517e83a25c3142c9b61f67bfc8760f61cc28a4b308d49684ac11dd
Opcode Fuzzy Hash: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
Instruction Fuzzy Hash: A4E092B0144B005FD7388A24D8107E373E1AB06315F00081DF6AB83341EB6278418B5D

Uniqueness

Uniqueness Score: -1.00%

Function 005E5DAE Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001,?,?,?,0061E16B,?,?,00000000), ref: 005E5DBF

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: aecc00bbe54958e6032147d32a61792cad8cd619fce9e1b0025a590de655133e
Instruction ID: b3b3f6d5fa5da840da5c51c6947508daad5583ce47bc9e10e8882b69237fd229
Opcode Fuzzy Hash: aecc00bbe54958e6032147d32a61792cad8cd619fce9e1b0025a590de655133e
Instruction Fuzzy Hash: EED0C77464420CBFE710DB80DC46FA9B77DD705710F100194FD0456290D6F27D508795

Uniqueness

Uniqueness Score: -1.00%

Function 0060548B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00605496

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: a5ccd7e311a192d0c31135787fdf5e29d1bcbb2408dfbfb978c74dc73865e66b
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: D8B09B7544010C77DE411D41EC02A563B595740774F404020FB0C18161957395605589

Uniqueness

Uniqueness Score: -1.00%

Function 0062220E Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 0062221A

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: PathTemp
String ID:
API String ID: 2920410445-0
Opcode ID: 183d8b214816355622e3f59f028f5e9d66c2eff8fb865b0e35e78d9ce2c709ea
Instruction ID: 361110c0bed3c1a1042e15757cd5c5ce2b818cc8a4f91f00559026a91b998cea
Opcode Fuzzy Hash: 183d8b214816355622e3f59f028f5e9d66c2eff8fb865b0e35e78d9ce2c709ea
Instruction Fuzzy Hash: C0C09B704540199FF719A750DCE5BB9733DFF11701F1000D5B14595090D5F45B45CF11

Uniqueness

Uniqueness Score: -1.00%

Function 0064D2E6 Relevance: 1.4, APIs: 1, Instructions: 198COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000002,00000000), ref: 0064D46A

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 1936d13ba0e51870b7fa7d2cee715d27a861c50fcab83ce9d1d4ff6cc53c0bfa
Instruction ID: 7e46ee7f61e0f33b9575eb86503d1c3e3c3eee5a7f2eac7c355fdc8f94e636d4
Opcode Fuzzy Hash: 1936d13ba0e51870b7fa7d2cee715d27a861c50fcab83ce9d1d4ff6cc53c0bfa
Instruction Fuzzy Hash: 4E7163346043428FC718EF25C495AAEBBE1BF89314F04456DF8969B3A2DB70ED49CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00600E48 Relevance: 1.3, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00600EF7

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 7faf2722682edf5904f0f54f9a45e5211273b0e9edba9ed5fbe9acdedf81b85b
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: AC31B571A80106DBE718DF58D480AAAF7A6FF59300F648AA5E409DB792D731EDC1DB80

Uniqueness

Uniqueness Score: -1.00%

Function 01FD2300 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 01FD2311

Memory Dump Source

Source File: 00000000.00000002.2026103312.0000000001FD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 01FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1fd0000_file4232024.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 9a3e81ad600ae5c20de31528191ea26080011f5e3c2ebb01ebcf9ea46cd6f94d
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 4FE0E67494010DDFDB00EFB8D5496AE7FB4EF04301F100561FD01D2281DB319D508A72

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0066CDAC Relevance: 75.9, APIs: 40, Strings: 3, Instructions: 637windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 005E2612: GetWindowLongW.USER32(?,000000EB), ref: 005E2623

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0066CE50
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0066CE91
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0066CED6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0066CF00
SendMessageW.USER32 ref: 0066CF29
_wcsncpy.LIBCMT ref: 0066CFA1
GetKeyState.USER32(00000011), ref: 0066CFC2
GetKeyState.USER32(00000009), ref: 0066CFCF
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0066CFE5
GetKeyState.USER32(00000010), ref: 0066CFEF
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0066D018
SendMessageW.USER32 ref: 0066D03F
SendMessageW.USER32(?,00001030,?,0066B602), ref: 0066D145
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0066D15B
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0066D16E
SetCapture.USER32(?), ref: 0066D177
ClientToScreen.USER32(?,?), ref: 0066D1DC
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0066D1E9
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0066D203
ReleaseCapture.USER32 ref: 0066D20E
GetCursorPos.USER32(?), ref: 0066D248
ScreenToClient.USER32(?,?), ref: 0066D255
SendMessageW.USER32(?,00001012,00000000,?), ref: 0066D2B1
SendMessageW.USER32 ref: 0066D2DF
SendMessageW.USER32(?,00001111,00000000,?), ref: 0066D31C
SendMessageW.USER32 ref: 0066D34B
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0066D36C
SendMessageW.USER32(?,0000110B,00000009,?), ref: 0066D37B
GetCursorPos.USER32(?), ref: 0066D39B
ScreenToClient.USER32(?,?), ref: 0066D3A8
GetParent.USER32(?), ref: 0066D3C8
SendMessageW.USER32(?,00001012,00000000,?), ref: 0066D431
SendMessageW.USER32 ref: 0066D462
ClientToScreen.USER32(?,?), ref: 0066D4C0
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0066D4F0
SendMessageW.USER32(?,00001111,00000000,?), ref: 0066D51A
SendMessageW.USER32 ref: 0066D53D
ClientToScreen.USER32(?,?), ref: 0066D58F
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0066D5C3

Part of subcall function 005E25DB: GetWindowLongW.USER32(?,000000EB), ref: 005E25EC

GetWindowLongW.USER32(?,000000F0), ref: 0066D65F

Strings

@GUI_DRAGID, xrefs: 0066D1AA
prj, xrefs: 0066D1BD
F, xrefs: 0066D543

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F$prj
API String ID: 3977979337-3855507934
Opcode ID: 74a9f9806c2b6e631acf5e227eb837fc807ff8c9f5f91aba2e10f939e11bdd99
Instruction ID: bf167db35566874b982f75c4d506cd75a2d72f764d0212c4d03019fa4d5a3189
Opcode Fuzzy Hash: 74a9f9806c2b6e631acf5e227eb837fc807ff8c9f5f91aba2e10f939e11bdd99
Instruction Fuzzy Hash: 00429D70604641AFC725DF28C848EAABBF6FF49324F14451DF6A6873A1C772A851CF92

Uniqueness

Uniqueness Score: -1.00%

Function 0066804A Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 571windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000400,00000000,00000000), ref: 0066873F

Strings

%d/%02d/%02d, xrefs: 00668478

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: MessageSend
String ID: %d/%02d/%02d
API String ID: 3850602802-328681919
Opcode ID: e46c97d931a5a521780f99ba3c8480cf7f6f97c288e111183c990a4bca7a5809
Instruction ID: 1ef113d1cccf04fce4ae77ca91521bbe56eeefea83a0296686ed653a6d8c1228
Opcode Fuzzy Hash: e46c97d931a5a521780f99ba3c8480cf7f6f97c288e111183c990a4bca7a5809
Instruction Fuzzy Hash: 5512AD71540249AFEB258F34DC49FAE7BBAEF85710F244229F916EB2E1DB708941CB50

Uniqueness

Uniqueness Score: -1.00%

Function 005F710E Relevance: 52.3, APIs: 19, Strings: 8, Instructions: 5093COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 005F75C2
_memset.LIBCMT ref: 005F76B1
_memmove.LIBCMT ref: 005F7C4B
_memmove.LIBCMT ref: 005F7E4F

Strings

\b(?=\w), xrefs: 00633C34
Q\E, xrefs: 005F81C1
[:<:]], xrefs: 005F75F1
DEFINE, xrefs: 006325AF
\b(?<=\w), xrefs: 00633C41
Oa_, xrefs: 0063287E
0wi, xrefs: 00631F5B
[:>:]], xrefs: 005F760A

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: _memmove$_memset
String ID: 0wi$DEFINE$Oa_$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
API String ID: 1357608183-3055020554
Opcode ID: 3ef4fa534e0531ad2f5abb3349e61f80d6f0e9f588a76547bc818ca35c4eed54
Instruction ID: 148ccbfc3ca4cae700d40abaecc068d5f62389f0126fef2ea55bc709ec6cd35f
Opcode Fuzzy Hash: 3ef4fa534e0531ad2f5abb3349e61f80d6f0e9f588a76547bc818ca35c4eed54
Instruction Fuzzy Hash: 9D939275A0421A9BDB24CF58C8917FDB7B2FF48310F25856AE945AB381E7749E81CB80

Uniqueness

Uniqueness Score: -1.00%

Function 005E4A35 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 005E4A3D
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0061DA8E
IsIconic.USER32(?), ref: 0061DA97
ShowWindow.USER32(?,00000009), ref: 0061DAA4
SetForegroundWindow.USER32(?), ref: 0061DAAE
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0061DAC4
GetCurrentThreadId.KERNEL32 ref: 0061DACB
GetWindowThreadProcessId.USER32(?,00000000), ref: 0061DAD7
AttachThreadInput.USER32(?,00000000,00000001), ref: 0061DAE8
AttachThreadInput.USER32(?,00000000,00000001), ref: 0061DAF0
AttachThreadInput.USER32(00000000,?,00000001), ref: 0061DAF8
SetForegroundWindow.USER32(?), ref: 0061DAFB
MapVirtualKeyW.USER32(00000012,00000000), ref: 0061DB10
keybd_event.USER32(00000012,00000000), ref: 0061DB1B
MapVirtualKeyW.USER32(00000012,00000000), ref: 0061DB25
keybd_event.USER32(00000012,00000000), ref: 0061DB2A
MapVirtualKeyW.USER32(00000012,00000000), ref: 0061DB33
keybd_event.USER32(00000012,00000000), ref: 0061DB38
MapVirtualKeyW.USER32(00000012,00000000), ref: 0061DB42
keybd_event.USER32(00000012,00000000), ref: 0061DB47
SetForegroundWindow.USER32(?), ref: 0061DB4A
AttachThreadInput.USER32(?,?,00000000), ref: 0061DB71

Strings

Shell_TrayWnd, xrefs: 0061DA89

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 06951b1d4bcc90542eccdfb05f4e81bf1753e12032d0012b1084975278cb89f4
Instruction ID: 094d566a0c1c5564c534a543cbed35a19fba9c5bf43c169c6cd5c78e9dc7b7d3
Opcode Fuzzy Hash: 06951b1d4bcc90542eccdfb05f4e81bf1753e12032d0012b1084975278cb89f4
Instruction Fuzzy Hash: F331C671A40318BFEB206FA1AC49FBF3E6EEB44B50F155025FA01EA1D0C6F05D40ABA1

Uniqueness

Uniqueness Score: -1.00%

Function 00638858 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 00638CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00638D0D
Part of subcall function 00638CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00638D3A
Part of subcall function 00638CC3: GetLastError.KERNEL32 ref: 00638D47

_memset.LIBCMT ref: 0063889B
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 006388ED
CloseHandle.KERNEL32(?), ref: 006388FE
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00638915
GetProcessWindowStation.USER32 ref: 0063892E
SetProcessWindowStation.USER32(00000000), ref: 00638938
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00638952

Part of subcall function 00638713: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00638851), ref: 00638728
Part of subcall function 00638713: CloseHandle.KERNEL32(?,?,00638851), ref: 0063873A

Strings

default, xrefs: 0063894D
winsta0, xrefs: 00638910
, xrefs: 006388AA

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: 2c6b013f6f701a077fbd81dc9f0fe76088f437fdf4fba7f9bc277e9c7897ff49
Instruction ID: ca6b631418e6110799b72d7b6d2bcae81fbbc983d5ebe46da28e520143e06021
Opcode Fuzzy Hash: 2c6b013f6f701a077fbd81dc9f0fe76088f437fdf4fba7f9bc277e9c7897ff49
Instruction Fuzzy Hash: 64812971900349AFDF11DFA4DC45AEEBBBAEF04304F18516AF910A72A1DB718E15DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0065425A Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0066F910), ref: 00654284
IsClipboardFormatAvailable.USER32(0000000D), ref: 00654292
GetClipboardData.USER32(0000000D), ref: 0065429A
CloseClipboard.USER32 ref: 006542A6
GlobalLock.KERNEL32(00000000), ref: 006542C2
CloseClipboard.USER32 ref: 006542CC
GlobalUnlock.KERNEL32(00000000,00000000), ref: 006542E1
IsClipboardFormatAvailable.USER32(00000001), ref: 006542EE
GetClipboardData.USER32(00000001), ref: 006542F6
GlobalLock.KERNEL32(00000000), ref: 00654303
GlobalUnlock.KERNEL32(00000000,00000000,?), ref: 00654337
CloseClipboard.USER32 ref: 00654447

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
String ID:
API String ID: 3222323430-0
Opcode ID: 0f9b24cfc881df526fe9733170703c607e21d9a0db0363ed13670aeb2fe03e47
Instruction ID: b43e6986d1e36a2561e3857c66b7c93ec4c0ca570dd3158c10b9f43df0901522
Opcode Fuzzy Hash: 0f9b24cfc881df526fe9733170703c607e21d9a0db0363ed13670aeb2fe03e47
Instruction Fuzzy Hash: E851B5312043026BD300EF61EC99FBE77AABF84B05F104569F996D21A1DFB0D9498B62

Uniqueness

Uniqueness Score: -1.00%

Function 0064C9C7 Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0064C9F8
FindClose.KERNEL32(00000000), ref: 0064CA4C
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0064CA71
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0064CA88
FileTimeToSystemTime.KERNEL32(?,?), ref: 0064CAAF
__swprintf.LIBCMT ref: 0064CAFB
__swprintf.LIBCMT ref: 0064CB3E

Part of subcall function 005E7F41: _memmove.LIBCMT ref: 005E7F82

__swprintf.LIBCMT ref: 0064CB92

Part of subcall function 006038D8: __woutput_l.LIBCMT ref: 00603931

__swprintf.LIBCMT ref: 0064CBE0

Part of subcall function 006038D8: __flsbuf.LIBCMT ref: 00603953
Part of subcall function 006038D8: __flsbuf.LIBCMT ref: 0060396B

__swprintf.LIBCMT ref: 0064CC2F
__swprintf.LIBCMT ref: 0064CC7E
__swprintf.LIBCMT ref: 0064CCCD

Strings

%02d, xrefs: 0064CB86, 0064CB90, 0064CBDE, 0064CC2D, 0064CC7C, 0064CCCB
%4d, xrefs: 0064CB38
%4d%02d%02d%02d%02d%02d, xrefs: 0064CAF5

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: 0b058119326f89cd79e33258859fcb0789dd693b107e9f6587925b8c6c9b3857
Instruction ID: 6f7fb986d4fa5370a547a18e1d2639dc5efdc4436613bee5ebce9d1df225559a
Opcode Fuzzy Hash: 0b058119326f89cd79e33258859fcb0789dd693b107e9f6587925b8c6c9b3857
Instruction Fuzzy Hash: 56A150B1508345ABC744EB65C889DAFBBEDFF98700F40492DF585C3291EA74DA08CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0064F200 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 0064F221
_wcscmp.LIBCMT ref: 0064F236
_wcscmp.LIBCMT ref: 0064F24D
GetFileAttributesW.KERNEL32(?), ref: 0064F25F
SetFileAttributesW.KERNEL32(?,?), ref: 0064F279
FindNextFileW.KERNEL32(00000000,?), ref: 0064F291
FindClose.KERNEL32(00000000), ref: 0064F29C
FindFirstFileW.KERNEL32(*.*,?), ref: 0064F2B8
_wcscmp.LIBCMT ref: 0064F2DF
_wcscmp.LIBCMT ref: 0064F2F6
SetCurrentDirectoryW.KERNEL32(?), ref: 0064F308
SetCurrentDirectoryW.KERNEL32(0069A5A0), ref: 0064F326
FindNextFileW.KERNEL32(00000000,00000010), ref: 0064F330
FindClose.KERNEL32(00000000), ref: 0064F33D
FindClose.KERNEL32(00000000), ref: 0064F34F

Strings

*.*, xrefs: 0064F2B3

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: 1a2a43f0abecf79608ca29b7fcdfd927b2b8599b4c9e0418ad4298ec112e5130
Instruction ID: 87611b93f8264b1c1a00b17950dd263ad4b84c4bd97307fc6accacf4ddf8d590
Opcode Fuzzy Hash: 1a2a43f0abecf79608ca29b7fcdfd927b2b8599b4c9e0418ad4298ec112e5130
Instruction Fuzzy Hash: 7131C3766002196BDF11DFF4EC58ADE77AEAF08361F100176E814E3290EBB1DB45CAA4

Uniqueness

Uniqueness Score: -1.00%

Function 00660AE2 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00660BDE
RegCreateKeyExW.ADVAPI32(?,?,00000000,0066F910,00000000,?,00000000,?,?), ref: 00660C4C
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00660C94
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00660D1D
RegCloseKey.ADVAPI32(?), ref: 0066103D
RegCloseKey.ADVAPI32(00000000), ref: 0066104A

Strings

REG_BINARY, xrefs: 00660FD8
REG_MULTI_SZ, xrefs: 00660E05
REG_EXPAND_SZ, xrefs: 00660CBA
REG_DWORD, xrefs: 00660F0E
REG_SZ, xrefs: 00660D5B
REG_QWORD, xrefs: 00660F8B

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: 1af763f8330f0f8814a2baab4960bd54b68bd77683baa75ba0ed6d6d39f68237
Instruction ID: 493f1a7d17774c63fd682b3d5a6e4ff7ac5061d1c52b0e08a0101476f8a78d79
Opcode Fuzzy Hash: 1af763f8330f0f8814a2baab4960bd54b68bd77683baa75ba0ed6d6d39f68237
Instruction Fuzzy Hash: 110271752006529FDB14DF15C895E2ABBE6FF89714F04886DF88A9B362CB30ED41CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0064F35D Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 0064F37E
_wcscmp.LIBCMT ref: 0064F393
_wcscmp.LIBCMT ref: 0064F3AA

Part of subcall function 006445C1: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 006445DC

FindNextFileW.KERNEL32(00000000,?), ref: 0064F3D9
FindClose.KERNEL32(00000000), ref: 0064F3E4
FindFirstFileW.KERNEL32(*.*,?), ref: 0064F400
_wcscmp.LIBCMT ref: 0064F427
_wcscmp.LIBCMT ref: 0064F43E
SetCurrentDirectoryW.KERNEL32(?), ref: 0064F450
SetCurrentDirectoryW.KERNEL32(0069A5A0), ref: 0064F46E
FindNextFileW.KERNEL32(00000000,00000010), ref: 0064F478
FindClose.KERNEL32(00000000), ref: 0064F485
FindClose.KERNEL32(00000000), ref: 0064F497

Strings

*.*, xrefs: 0064F3FB

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: 7f1225fd55df034d0e879eaef549c567725090ed724dab93807bea9ca464503f
Instruction ID: b8462871b50cbd6ac04f625d387c101e80ab7590e5e9b7adc6a2b9616a9e1685
Opcode Fuzzy Hash: 7f1225fd55df034d0e879eaef549c567725090ed724dab93807bea9ca464503f
Instruction Fuzzy Hash: B431E3726012196BCF10AFA4EC98ADF77EE9F49320F100175E814E32A1DBB0DE44CAA4

Uniqueness

Uniqueness Score: -1.00%

Function 006381F7 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0063874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00638766
Part of subcall function 0063874A: GetLastError.KERNEL32(?,0063822A,?,?,?), ref: 00638770
Part of subcall function 0063874A: GetProcessHeap.KERNEL32(00000008,?,?,0063822A,?,?,?), ref: 0063877F
Part of subcall function 0063874A: HeapAlloc.KERNEL32(00000000,?,0063822A,?,?,?), ref: 00638786
Part of subcall function 0063874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0063879D

Part of subcall function 006387E7: GetProcessHeap.KERNEL32(00000008,00638240,00000000,00000000,?,00638240,?), ref: 006387F3
Part of subcall function 006387E7: HeapAlloc.KERNEL32(00000000,?,00638240,?), ref: 006387FA
Part of subcall function 006387E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00638240,?), ref: 0063880B

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0063825B
_memset.LIBCMT ref: 00638270
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0063828F
GetLengthSid.ADVAPI32(?), ref: 006382A0
GetAce.ADVAPI32(?,00000000,?), ref: 006382DD
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 006382F9
GetLengthSid.ADVAPI32(?), ref: 00638316
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00638325
HeapAlloc.KERNEL32(00000000), ref: 0063832C
GetLengthSid.ADVAPI32(?,00000008,?), ref: 0063834D
CopySid.ADVAPI32(00000000), ref: 00638354
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00638385
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 006383AB
SetUserObjectSecurity.USER32(?,00000004,?), ref: 006383BF

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 16dbe81e5043187dd4e1d29ac6dfbabf29e70ee2b679edcb9cea37df5031d601
Instruction ID: cf1c580784c94113a28f6262ed81d7f12fa647a8458c7ec24dcc83ac4d06939e
Opcode Fuzzy Hash: 16dbe81e5043187dd4e1d29ac6dfbabf29e70ee2b679edcb9cea37df5031d601
Instruction Fuzzy Hash: E5614771904219EFDF009FA5DC85AEEBBBAFF44700F148169F815A7391DB719A05CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 005F6843 Relevance: 20.9, Strings: 16, Instructions: 883COMMON

Download Yara Rule

Strings

LIMIT_MATCH=, xrefs: 006315A9
CR), xrefs: 006316C0
NO_AUTO_POSSESS), xrefs: 00631567
BSR_UNICODE), xrefs: 00631771
PJh, xrefs: 005F68B3
ANY), xrefs: 00631717
UTF16), xrefs: 00631508
UTF), xrefs: 00631533
Oa_, xrefs: 00631888, 0063192F, 006319DD
NO_START_OPT), xrefs: 00631588
UCP), xrefs: 00631546
CRLF), xrefs: 006316FA
ANYCRLF), xrefs: 00631734
LIMIT_RECURSION=, xrefs: 00631635
BSR_ANYCRLF), xrefs: 00631757
LF), xrefs: 006316DD

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID:
String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$Oa_$PJh$UCP)$UTF)$UTF16)
API String ID: 0-238074469
Opcode ID: 8671e35c5ae162071c81a6bbaa28cb28635c48b3d6052b7043755e9244bc6a33
Instruction ID: e0991bdaf6668ea1e42f6632979c31e5d7ba8acbfe8774a042c00e26bd3951e9
Opcode Fuzzy Hash: 8671e35c5ae162071c81a6bbaa28cb28635c48b3d6052b7043755e9244bc6a33
Instruction Fuzzy Hash: AB725D75E002199BDB24CF58C8907FEBBB6FF49310F14816AE959EB290DB749D81CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00660665 Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 006610A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00660038,?,?), ref: 006610BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00660737

Part of subcall function 005E9997: __itow.LIBCMT ref: 005E99C2
Part of subcall function 005E9997: __swprintf.LIBCMT ref: 005E9A0C

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 006607D6
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0066086E
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00660AAD
RegCloseKey.ADVAPI32(00000000), ref: 00660ABA

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: ce52a3b8b3f1d19147923ebdfcb5caeafac42eb9d1c4998996fbc0a2d6ece1aa
Instruction ID: d86028250269a610be627ee18804372d394f8d04b6ffeff60aee052a0853d1e0
Opcode Fuzzy Hash: ce52a3b8b3f1d19147923ebdfcb5caeafac42eb9d1c4998996fbc0a2d6ece1aa
Instruction Fuzzy Hash: 81E14D31204211AFDB14DF29C895E6BBBEAFF89714F04856DF48ADB262DA31ED01CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00640219 Relevance: 16.6, APIs: 11, Instructions: 120keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00640241
GetAsyncKeyState.USER32(000000A0), ref: 006402C2
GetKeyState.USER32(000000A0), ref: 006402DD
GetAsyncKeyState.USER32(000000A1), ref: 006402F7
GetKeyState.USER32(000000A1), ref: 0064030C
GetAsyncKeyState.USER32(00000011), ref: 00640324
GetKeyState.USER32(00000011), ref: 00640336
GetAsyncKeyState.USER32(00000012), ref: 0064034E
GetKeyState.USER32(00000012), ref: 00640360
GetAsyncKeyState.USER32(0000005B), ref: 00640378
GetKeyState.USER32(0000005B), ref: 0064038A

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: f75f03dd8771f9da6bf376ca9fed3eeb884a2546f3ccd400bcfcf398cf001b9d
Instruction ID: 2a1da22219aee3ab87829c043d5e0f408833901492a2e5e80b31e62f632cc9e3
Opcode Fuzzy Hash: f75f03dd8771f9da6bf376ca9fed3eeb884a2546f3ccd400bcfcf398cf001b9d
Instruction Fuzzy Hash: 464199345047EA6EFF729F6494083E6BEA26B51340F18505ED7C6463C2D7F45EC48B92

Uniqueness

Uniqueness Score: -1.00%

Function 00654458 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0065447F
EmptyClipboard.USER32 ref: 00654485
GlobalAlloc.KERNEL32(00000002,?), ref: 0065449A
CloseClipboard.USER32 ref: 00654539

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 70ec259877b418f513e13ca859739058289831e3423c88280157ff92a366f9fd
Instruction ID: f86238a71d3efb9916f25bbbd7964c13a9d750d32aed43d1d056d216044c6716
Opcode Fuzzy Hash: 70ec259877b418f513e13ca859739058289831e3423c88280157ff92a366f9fd
Instruction Fuzzy Hash: B221A135240211AFDB10AF60EC09B6E7BAAFF44715F10906AF946DB2B1DBB0AD41CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00643A2B Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 005E48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,005E48A1,?,?,005E37C0,?), ref: 005E48CE

Part of subcall function 00644CD3: GetFileAttributesW.KERNEL32(?,00643947), ref: 00644CD4

FindFirstFileW.KERNEL32(?,?), ref: 00643ADF
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00643B87
MoveFileW.KERNEL32(?,?), ref: 00643B9A
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00643BB7
FindNextFileW.KERNEL32(00000000,00000010), ref: 00643BD9
FindClose.KERNEL32(00000000,?,?,?,?), ref: 00643BF5

Strings

\*.*, xrefs: 00643A8A, 00643A93, 00643AA8

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: 6f2a9960b5568805280ffc777e38f38b104c603332fb543745ba7d379b6ce10a
Instruction ID: 467e169b146408272d5b025dd25bcc5884a06cdb12b8afbb27bbf46ab9ddee13
Opcode Fuzzy Hash: 6f2a9960b5568805280ffc777e38f38b104c603332fb543745ba7d379b6ce10a
Instruction Fuzzy Hash: 1B51C53180119D9ACF09EBA1CD969EDBB7ABF64300F2441A9E44177291EF706F0DCB90

Uniqueness

Uniqueness Score: -1.00%

Function 005F4140 Relevance: 13.4, APIs: 1, Strings: 6, Instructions: 1132COMMON

Download Yara Rule

Strings

VUUU, xrefs: 005F4520
ERCP, xrefs: 005F421F
VUUU, xrefs: 005F44DB
VUUU, xrefs: 005F44ED
Oa_, xrefs: 005F4984, 00628173
VUUU, xrefs: 00627B0C

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID:
String ID: ERCP$Oa_$VUUU$VUUU$VUUU$VUUU
API String ID: 0-3370365514
Opcode ID: 06e0eaebadec35087aa6634dfb79afc16b5b09694c578f0953959daf7f504bcc
Instruction ID: 55315e40b4889eee6bb95cb97a4a21fcb0967fa40b635468e2a9a4042d16548f
Opcode Fuzzy Hash: 06e0eaebadec35087aa6634dfb79afc16b5b09694c578f0953959daf7f504bcc
Instruction Fuzzy Hash: 20A27D74E0462A8BDF24CF58D940BFEBBB2BB54314F1485A9D956A7380E7389E81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0064F65E Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 005E7F41: _memmove.LIBCMT ref: 005E7F82

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 0064F6AB
Sleep.KERNEL32(0000000A), ref: 0064F6DB
_wcscmp.LIBCMT ref: 0064F6EF
_wcscmp.LIBCMT ref: 0064F70A
FindNextFileW.KERNEL32(?,?), ref: 0064F7A8
FindClose.KERNEL32(00000000), ref: 0064F7BE

Strings

*.*, xrefs: 0064F690

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: d4bc573a457aff90018aacacd8faf7429abab7870df3113948e98c1bf80f20ed
Instruction ID: e9a63610c4cee6d9c852ca3ad074a6c8693ce3aa5f6add668181bc001569d3ff
Opcode Fuzzy Hash: d4bc573a457aff90018aacacd8faf7429abab7870df3113948e98c1bf80f20ed
Instruction Fuzzy Hash: DC41827190021A9FDF15DF64DC49EEEBBBAFF05310F14456AE815A3290EB349E44CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 005F58C0 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 005F5A05
_memmove.LIBCMT ref: 005F5A55
_memmove.LIBCMT ref: 005F5ABB

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 1e2f508b98d3250dcf3ae504d14b49c601dc58a10dd072383dc3e60d5f38d589
Instruction ID: 93e04ebdfe47f44e3c506357df69ef9f1dbc63a387f4861db694056bf2bd48d1
Opcode Fuzzy Hash: 1e2f508b98d3250dcf3ae504d14b49c601dc58a10dd072383dc3e60d5f38d589
Instruction Fuzzy Hash: 7912AD70A0060ADFDF08CFA5D985AEEBBB6FF48300F104569E546E7291EB35AD15CB50

Uniqueness

Uniqueness Score: -1.00%

Function 005F5680 Relevance: 11.0, APIs: 5, Strings: 1, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 00600FF6: std::exception::exception.LIBCMT ref: 0060102C
Part of subcall function 00600FF6: __CxxThrowException@8.LIBCMT ref: 00601041

_memmove.LIBCMT ref: 0063062F
_memmove.LIBCMT ref: 00630744
_memmove.LIBCMT ref: 006307EB

Strings

yZ_, xrefs: 00630881, 006307FF

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID: yZ_
API String ID: 1300846289-534868854
Opcode ID: 61cf0dca1dfc9519dfdcca0ee78cdefc99fdb8972cb782dfccb1da914c9a2ee5
Instruction ID: ca25f93688b4e4bf9bc1e73aa3e442a0cddafb2844173d66c9f5583f09d87c1d
Opcode Fuzzy Hash: 61cf0dca1dfc9519dfdcca0ee78cdefc99fdb8972cb782dfccb1da914c9a2ee5
Instruction Fuzzy Hash: FF02E370E00209DBDF08DF64D991ABE7BB6FF84300F248069E946DB295EB35D954CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0064545F Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00638CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00638D0D
Part of subcall function 00638CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00638D3A
Part of subcall function 00638CC3: GetLastError.KERNEL32 ref: 00638D47

ExitWindowsEx.USER32(?,00000000), ref: 0064549B

Strings

@, xrefs: 0064548E
SeShutdownPrivilege, xrefs: 0064546B
, xrefs: 00645489

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 9434aa2c5d43449d99b155a16f352898b6280313d671d47f842998d91945ce86
Instruction ID: a90d8808774386d9bf118e923ce916cbd232ecfd2a6cba314db189e750c961e2
Opcode Fuzzy Hash: 9434aa2c5d43449d99b155a16f352898b6280313d671d47f842998d91945ce86
Instruction Fuzzy Hash: 72014231655B112FF76863B8EC4ABFA72EAEB00352F200034FC07DA2C3DA900C8581E4

Uniqueness

Uniqueness Score: -1.00%

Function 005F3190 Relevance: 9.3, APIs: 4, Strings: 1, Instructions: 587COMMON

Download Yara Rule

Strings

Oa_, xrefs: 005F3482

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: __itow__swprintf
String ID: Oa_
API String ID: 674341424-62195052
Opcode ID: 5b5826b24cefd393600376d5d1cbf957bb08cd7ab9d7087aae6a1e99a7fe7809
Instruction ID: 29c4585a5a94b473396d31a1c6e9cf1f704190a76e52e05f11dae6f366621f06
Opcode Fuzzy Hash: 5b5826b24cefd393600376d5d1cbf957bb08cd7ab9d7087aae6a1e99a7fe7809
Instruction Fuzzy Hash: BD229A715083569FD724DF24C885BABBBE5BFC4300F10492DFA9A97291DB74EA04CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00656596 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 006565EF
WSAGetLastError.WSOCK32(00000000), ref: 006565FE
bind.WSOCK32(00000000,?,00000010), ref: 0065661A
listen.WSOCK32(00000000,00000005), ref: 00656629
WSAGetLastError.WSOCK32(00000000), ref: 00656643
closesocket.WSOCK32(00000000,00000000), ref: 00656657

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: ab2ee618e03b534bd6551c7351cfb7b80f5808a11b15fcad68e1cdbd50d218d9
Instruction ID: 7ada9d3ae2da424c0871f7d7f9af54481c4dd507c8a3b7fc02cad021dfa16fa4
Opcode Fuzzy Hash: ab2ee618e03b534bd6551c7351cfb7b80f5808a11b15fcad68e1cdbd50d218d9
Instruction Fuzzy Hash: 302191306002019FCB10AF24D889A6EB7BAEF84321F148169F956A73D1CBB0AD05CB51

Uniqueness

Uniqueness Score: -1.00%

Function 005E1287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 005E2612: GetWindowLongW.USER32(?,000000EB), ref: 005E2623

DefDlgProcW.USER32(?,?,?,?,?), ref: 005E19FA
GetSysColor.USER32(0000000F), ref: 005E1A4E
SetBkColor.GDI32(?,00000000), ref: 005E1A61

Part of subcall function 005E1290: DefDlgProcW.USER32(?,00000020,?), ref: 005E12D8

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: 186c8a9e809654b90bf35f1d3a73677d248e4cb7fc70a430242ba92e309f8f2a
Instruction ID: ed8da59a6ec3aa7489b79b8b2d7547960e1df22a02185f000acb76f0552f4b86
Opcode Fuzzy Hash: 186c8a9e809654b90bf35f1d3a73677d248e4cb7fc70a430242ba92e309f8f2a
Instruction Fuzzy Hash: 62A11370105DC4BAD62CAE3A9C48DFB2E5FFB82341B181529F482D6292CA349D4192FD

Uniqueness

Uniqueness Score: -1.00%

Function 00656A5A Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 006580A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 006580CB

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00656AB1
WSAGetLastError.WSOCK32(00000000), ref: 00656ADA
bind.WSOCK32(00000000,?,00000010), ref: 00656B13
WSAGetLastError.WSOCK32(00000000), ref: 00656B20
closesocket.WSOCK32(00000000,00000000), ref: 00656B34

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: 288037ed5263b22cf83d2ef1e127ea367cb10500a0523d6dd0fd0b3394f3b627
Instruction ID: a204c286b9281f363e4250968695beb54cb0025371fa696fd9cd6fc029d7808e
Opcode Fuzzy Hash: 288037ed5263b22cf83d2ef1e127ea367cb10500a0523d6dd0fd0b3394f3b627
Instruction Fuzzy Hash: C541C975B00211AFEB14AF25DC8AF7E7BA9EF84710F44805CF95AAB3D2DA705D018791

Uniqueness

Uniqueness Score: -1.00%

Function 006655FD Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 0066564C
IsWindowEnabled.USER32 ref: 0066565A
GetForegroundWindow.USER32(?,?,00000001), ref: 00665667
IsIconic.USER32 ref: 00665675
IsZoomed.USER32 ref: 00665683

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 72c02121b018b205313eab2e254eb3b645870cab0c519f65f693287f2ac3b930
Instruction ID: b17bad36f96b977c9b52cb46119581f3be8854b1b76a4ca90dc03872114e0636
Opcode Fuzzy Hash: 72c02121b018b205313eab2e254eb3b645870cab0c519f65f693287f2ac3b930
Instruction Fuzzy Hash: AD11C471700A116FE7211F26EC49A6FBB9AFF94721F404039F847D7261CB709D02CAA5

Uniqueness

Uniqueness Score: -1.00%

Function 0064C602 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0064C69D
CoCreateInstance.OLE32(00672D6C,00000000,00000001,00672BDC,?), ref: 0064C6B5

Part of subcall function 005E7F41: _memmove.LIBCMT ref: 005E7F82

CoUninitialize.OLE32 ref: 0064C922

Strings

.lnk, xrefs: 0064C631, 0064C659, 0064C663

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: bcc2543ae99a8433c45ecd56b0d003942f0526cb4dbf8b2566ebe87a834859af
Instruction ID: 7b90a70eac3e0a07bfbd166fe5e2975692678bff03d8776491cc0c4d6579d934
Opcode Fuzzy Hash: bcc2543ae99a8433c45ecd56b0d003942f0526cb4dbf8b2566ebe87a834859af
Instruction Fuzzy Hash: 58A13CB1104246AFD704EF55C895EABBBEDFF88304F00496CF19697192EB70EA49CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0065C304 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00621D88,?), ref: 0065C312
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0065C324

Strings

kernel32.dll, xrefs: 0065C30D
GetSystemWow64DirectoryW, xrefs: 0065C31E

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: 65beb4d7ce677091c7f60fc01927f9db19c7d06cd3a716c077ecba8ef209fd1d
Instruction ID: ca0e0e152ff3472b5a5920a13da28f967915683395c20d8b3446cf1720054421
Opcode Fuzzy Hash: 65beb4d7ce677091c7f60fc01927f9db19c7d06cd3a716c077ecba8ef209fd1d
Instruction Fuzzy Hash: 1EE0EC74600717CFDB205F25E814A86B6DAEB0976AF849439E895D2650E7B4D884CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0065F121 Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0065F151
Process32FirstW.KERNEL32(00000000,?), ref: 0065F15F

Part of subcall function 005E7F41: _memmove.LIBCMT ref: 005E7F82

Process32NextW.KERNEL32(00000000,?), ref: 0065F21F
CloseHandle.KERNEL32(00000000,?,?,?), ref: 0065F22E

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: cc205648ba343ac6d5adc2570f0413406d3caf6eb532dbe3f769f47b94f67964
Instruction ID: fd504ad9556cbb429a329d57b7be50c9359774e8a16a45a8aff367fda0a2f5f7
Opcode Fuzzy Hash: cc205648ba343ac6d5adc2570f0413406d3caf6eb532dbe3f769f47b94f67964
Instruction Fuzzy Hash: B5516E715083429FD314EF21DC85A6BBBE9FFD8710F10492DF99597291EB70AA08CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0063EB07 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 0063EB19

Strings

|, xrefs: 0063EB49
(, xrefs: 0063EB5F

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: b0ed0db0e1834ca073510b4db391eff57412bb0134c092c9d247ca72706edab8
Instruction ID: 58cce015d0649f74ffb84349b48bfacb0c0b661282e0300ea695970ebea840ab
Opcode Fuzzy Hash: b0ed0db0e1834ca073510b4db391eff57412bb0134c092c9d247ca72706edab8
Instruction Fuzzy Hash: 4B322575A006059FDB28CF19C481AAAB7F1FF48310F15C56EE89ADB3A1D770E941CB94

Uniqueness

Uniqueness Score: -1.00%

Function 006525E2 Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000), ref: 006526D5
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 0065270C

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 0a5e886d79ad52e5eee6b0090572f58be8b629f6e64195a524c21166917d2e18
Instruction ID: 642ed8ca5b6e5f7f2cfd42d49a320aba50941653304820b68d532b5c0cffeb73
Opcode Fuzzy Hash: 0a5e886d79ad52e5eee6b0090572f58be8b629f6e64195a524c21166917d2e18
Instruction Fuzzy Hash: AE41277150020BBFEB20DB54DC95EFB77FEEB45316F10406EFE01A6240EA719D499654

Uniqueness

Uniqueness Score: -1.00%

Function 0064B59E Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0064B5AE
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0064B608
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0064B655

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 5130d45c9ddad5fc20b427886c52dd7d5bf4d5ec73dba927f1af65752d95a3ff
Instruction ID: 6d767407119ff9febe7dc6d08a4188d3f0c462c8fcd5c1c9f2985452daf33e1e
Opcode Fuzzy Hash: 5130d45c9ddad5fc20b427886c52dd7d5bf4d5ec73dba927f1af65752d95a3ff
Instruction Fuzzy Hash: 8D219D35A00108EFCB00EFA5E884AADFBB9FF88310F0480A9E845AB351DB31A945CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00638CC3 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00600FF6: std::exception::exception.LIBCMT ref: 0060102C
Part of subcall function 00600FF6: __CxxThrowException@8.LIBCMT ref: 00601041

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00638D0D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00638D3A
GetLastError.KERNEL32 ref: 00638D47

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: 59c516084fc22fbead733988ecf695bf8333ca2c7305f926878ae9689a4a0abd
Instruction ID: 26be868d206a18c0d7d9d8909a3d09aac5790ff2ef96757b8943be68c92d8fdb
Opcode Fuzzy Hash: 59c516084fc22fbead733988ecf695bf8333ca2c7305f926878ae9689a4a0abd
Instruction Fuzzy Hash: BD118FB2454309AFE7289F54EC85DABB7BEEF44710B20852EF85697241EB70AC418A64

Uniqueness

Uniqueness Score: -1.00%

Function 00644021 Relevance: 4.6, APIs: 3, Instructions: 61fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0064404B
DeviceIoControl.KERNEL32(00000000,002D1400,00000007,0000000C,?,0000000C,?,00000000), ref: 00644088
CloseHandle.KERNEL32(00000000,?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00644091

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 101e84f0a9db7ccbb045149de3fc40364ff6a59d2eb1d9e1ad89b2430c9d0208
Instruction ID: 7099655a4d0d37b4a2e53647667216512aaa6b6630edd3c33a3ec845cac9cfde
Opcode Fuzzy Hash: 101e84f0a9db7ccbb045149de3fc40364ff6a59d2eb1d9e1ad89b2430c9d0208
Instruction Fuzzy Hash: FF1170B1900228BEE7109BE8DC45FABBBBDEB09B50F000656BA04E7290C6B4591587E1

Uniqueness

Uniqueness Score: -1.00%

Function 00644C03 Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00644C2C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00644C43
FreeSid.ADVAPI32(?), ref: 00644C53

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 5be4eaf3bbe6f0dea27eee48431ff449dc699e9b7015aa691111fe28b5da3d32
Instruction ID: ae9bd72597060a2549975f8372386843a9804e1fd70b962809dcbd1aa2cda60a
Opcode Fuzzy Hash: 5be4eaf3bbe6f0dea27eee48431ff449dc699e9b7015aa691111fe28b5da3d32
Instruction Fuzzy Hash: FAF04F7591130CBFDF04DFF0DD99AADB7BDEF08201F004469E501E2181D6705A448B50

Uniqueness

Uniqueness Score: -1.00%

Function 00648B13 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 00648B25

Part of subcall function 0060543A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,006491F8,00000000,?,?,?,?,006493A9,00000000,?), ref: 00605443
Part of subcall function 0060543A: __aulldiv.LIBCMT ref: 00605463

Strings

0uj, xrefs: 00648B1C

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID: 0uj
API String ID: 2893107130-604322167
Opcode ID: 728b7c7ab062b08892a9fc1701d9ded7c90c5e76b141b1a751b1628a5dbc08e8
Instruction ID: 80ac1b800ed65a8b209b9ecbde63cd8223b675094a9f17cbb42e90f83dcfa54b
Opcode Fuzzy Hash: 728b7c7ab062b08892a9fc1701d9ded7c90c5e76b141b1a751b1628a5dbc08e8
Instruction Fuzzy Hash: E421A2726255108FC729CF25D841A92B3E2EBA5311F288E6CD4E5CB2D0CE74BD45CF94

Uniqueness

Uniqueness Score: -1.00%

Function 005EE060 Relevance: 3.5, APIs: 2, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d8814eb0e30bbe5633dcb93eca8b10ffaa3ef4305b47d06a1b12eab140b2d77
Instruction ID: c4ded472d915a196dfadcb41f479a4a70e2e086e1362fc006550bc6429eaff28
Opcode Fuzzy Hash: 8d8814eb0e30bbe5633dcb93eca8b10ffaa3ef4305b47d06a1b12eab140b2d77
Instruction Fuzzy Hash: 0022E274A10256CFDB28DF55C482ABEBBF1FF08300F148469E8969B391E734AD81CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0064C93C Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0064C966
FindClose.KERNEL32(00000000), ref: 0064C996

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 12d43fdba71034f50697ae1c54f27e438a53f07e5f4e5fb146b5fdfaa9990773
Instruction ID: bc7ead1b1e297117e94c64b2a5fcde7ed40077d1c709ffa572bc3b28248a8f92
Opcode Fuzzy Hash: 12d43fdba71034f50697ae1c54f27e438a53f07e5f4e5fb146b5fdfaa9990773
Instruction Fuzzy Hash: 7C1184726106019FD714EF29D849A2AFBE9FF84324F00851EF8A9D7391DB70AD01CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0064A2D5 Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,0065977D,?,0066FB84,?), ref: 0064A302
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,0065977D,?,0066FB84,?), ref: 0064A314

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 8ae7886e219d1047f37203b1d06e6f0b6eb41ee22577a01f7dcc6c8a18c1a488
Instruction ID: e3e2b5eb028f80ebb8e0fae09108bf7aa1489f58ae1a6c2f465f9c5b44bd0b3b
Opcode Fuzzy Hash: 8ae7886e219d1047f37203b1d06e6f0b6eb41ee22577a01f7dcc6c8a18c1a488
Instruction Fuzzy Hash: CEF0E23114822DBBDB119FA4CC48FEA776EBF09761F004265F918D6280E6709940CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 00638713 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00638851), ref: 00638728
CloseHandle.KERNEL32(?,?,00638851), ref: 0063873A

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 807565b59e74475a007dc4c1d412d4e2f3e72f3c23df92a4c22cae3b76b0753e
Instruction ID: 000cca83d34760406b046acab71d3e43c1b75a57d92118ebcbaa928be344c113
Opcode Fuzzy Hash: 807565b59e74475a007dc4c1d412d4e2f3e72f3c23df92a4c22cae3b76b0753e
Instruction Fuzzy Hash: 13E0B676014611EEE7652B60FC09DB77BAAEB04350B24882DF49684470DBA2ACD0DB50

Uniqueness

Uniqueness Score: -1.00%

Function 0060A395 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00608F97,?,?,?,00000001), ref: 0060A39A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 0060A3A3

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 7809065260f12fe39c0d22695d6f1a3330981357af46727e752add745c90b2c3
Instruction ID: 614537f248353c5397ca64f1fdb805928e7e42e3fd90b44e85c7001f5341497e
Opcode Fuzzy Hash: 7809065260f12fe39c0d22695d6f1a3330981357af46727e752add745c90b2c3
Instruction Fuzzy Hash: 37B09231058208ABCB002B91FC09B883F6AEB44AA2F405020F60D94260EFA254508AD1

Uniqueness

Uniqueness Score: -1.00%

Function 0060F419 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cfad90528810dc710f64d3cc68300fcce36e1356945ee27c67e4c5c32da3bea
Instruction ID: e32bd38bf021886a207879776c9b549a8c84d40a287ebec67ccf03b28343890d
Opcode Fuzzy Hash: 9cfad90528810dc710f64d3cc68300fcce36e1356945ee27c67e4c5c32da3bea
Instruction Fuzzy Hash: 9C32F621D69F414DD72B9A34D832336A24AAFB73D4F15E737E819B5EA6EB29C4C34100

Uniqueness

Uniqueness Score: -1.00%

Function 0061267E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d2adf9a8b33a589363abe0807fd4d7f3f90065d79cec395f4a00f82e251b404
Instruction ID: 92c53eb5c1e3ab62ece470df82ae95b2edaf30b794bac9b1df877c097d891a9e
Opcode Fuzzy Hash: 8d2adf9a8b33a589363abe0807fd4d7f3f90065d79cec395f4a00f82e251b404
Instruction Fuzzy Hash: FDB1CD30D2AF414DD3239A398835336B69DAFBB2D5B51E71BFC1A74922EB2285C34141

Uniqueness

Uniqueness Score: -1.00%

Function 006541FD Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00654218

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 888b1817d7c54e0542cb3322d2f40a350a33aed9b1704f091dba0d7df674aa9b
Instruction ID: eb96323103b50094015d2dbf8bcf212715778b2d653a4a29f9c7d5b1ff42b92e
Opcode Fuzzy Hash: 888b1817d7c54e0542cb3322d2f40a350a33aed9b1704f091dba0d7df674aa9b
Instruction Fuzzy Hash: DEE0DF312402159FC710EF5AE804A8AFBE9AF94360F008026FC4AC7312CAB0EC808BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00644EF5 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 00644F18

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: 99098bad913f1cff8d7a5b2321423841cec85d4a43e54909f163d7150bd82556
Instruction ID: c74cfaf1b9c58d61ee11811afdd71f653ea3b81a07204607d05e4f8e08b7b263
Opcode Fuzzy Hash: 99098bad913f1cff8d7a5b2321423841cec85d4a43e54909f163d7150bd82556
Instruction Fuzzy Hash: 9AD05EF016821538FF984B20AC0FFB6050BE3C1781F8459897202955C19CE16C09A035

Uniqueness

Uniqueness Score: -1.00%

Function 00638C93 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,006388D1), ref: 00638CB3

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 8552d97ce417df6ea4694cb33d192ada27ee6ed88495017a8bb434ac11dd0b9a
Instruction ID: 8c3964ad2c4bedc30e820f0694d34c6d0ffd298ea9e6fb2bb3fc134b836566fc
Opcode Fuzzy Hash: 8552d97ce417df6ea4694cb33d192ada27ee6ed88495017a8bb434ac11dd0b9a
Instruction Fuzzy Hash: 17D09E3226450EBBEF019FA4ED05EAE3B6AEB04B01F408511FE15D51A1C7B5D935AB60

Uniqueness

Uniqueness Score: -1.00%

Function 00622230 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00622242

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 550f9bdfb87afdc4ba85b3c399d06fb885f135f8f984cfda9910ef15da6da093
Instruction ID: 1570af136115afa273786d0468487b3dfc45de3bbb9a1cc887dc2faf3701f5cf
Opcode Fuzzy Hash: 550f9bdfb87afdc4ba85b3c399d06fb885f135f8f984cfda9910ef15da6da093
Instruction Fuzzy Hash: 7AC048F1804119DBDB05DBA0EA98DEEB7BDAB08305F2040A6E102F2100E7B4AB448E72

Uniqueness

Uniqueness Score: -1.00%

Function 0060A364 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 0060A36A

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 150489708849ef45a5a68cce93cc1f847bf2508a4dce600d9384df97941d3a8a
Instruction ID: ac08cb9b52718142e1a8be7f8c9e976dbcc1506b2ea3a4b64ea824995e95959e
Opcode Fuzzy Hash: 150489708849ef45a5a68cce93cc1f847bf2508a4dce600d9384df97941d3a8a
Instruction Fuzzy Hash: EAA0223000020CFBCF002F82FC08888BFAEEB002E0B008030F80C80232EFB3A8208AC0

Uniqueness

Uniqueness Score: -1.00%

Function 005F8A0E Relevance: .6, Instructions: 608COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fd98d03719ef86adccb852507a31e810137fa3c3c3c63b26abbad9c913cefe4
Instruction ID: 5f16f4c57644b2b2b2b3475f0234c3921c707ff28c9e088ee5a67ce087bb143e
Opcode Fuzzy Hash: 4fd98d03719ef86adccb852507a31e810137fa3c3c3c63b26abbad9c913cefe4
Instruction Fuzzy Hash: E4222A3060565ACBDF289F14C4946BD7BB2FF42304F68846ADA438F691DB38DD81CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00602405 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 6ab7105dc0754e5da8d22342eb9f09fd6c22a7704ca59ffa7359d910352024b4
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: 2AC181322450930ADF2D4639D5781BFBAE25EA37B131A0B5DE8B2CF6C5EF20D564D620

Uniqueness

Uniqueness Score: -1.00%

Function 0060283A Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: 4e45b4fcd5c3ab8e19767fc1e1b1ba11f7d11e1ff52b80ddea1e11cd8e5f1576
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: 9FC1953224519309DF6D463A857807FBBE25EA37B131A0B6DE4B2DF6C4EF20D528D620

Uniqueness

Uniqueness Score: -1.00%

Function 006637F3 Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,0066F910), ref: 006638AF
IsWindowVisible.USER32(?), ref: 006638D3

Strings

UNCHECK, xrefs: 00663B0B
CURRENTTAB, xrefs: 00663945
ISVISIBLE, xrefs: 006638BF
SHOWDROPDOWN, xrefs: 00663968
SELECTSTRING, xrefs: 00663A8E
SETCURRENTSELECTION, xrefs: 00663A3E
TABLEFT, xrefs: 0066390F
EDITPASTE, xrefs: 00663BE7
ISENABLED, xrefs: 006638F3
GETLINECOUNT, xrefs: 00663B4E
GETCURRENTCOL, xrefs: 00663BB0
DELSTRING, xrefs: 006639D1
GETCURRENTSELECTION, xrefs: 00663A6B
GETLINE, xrefs: 00663C23
CHECK, xrefs: 00663AF5
TABRIGHT, xrefs: 00663925
FINDSTRING, xrefs: 006639FE
GETCURRENTLINE, xrefs: 00663B75
ISCHECKED, xrefs: 00663AC1
SENDCOMMANDID, xrefs: 00663C62
HIDEDROPDOWN, xrefs: 00663988
ADDSTRING, xrefs: 0066399E
GETSELECTED, xrefs: 00663B2B

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: fa87de786f8eecca3efc200c28e25b6d139fc22a192c8d4f42cba9f9f2ff9e6f
Instruction ID: 296a702d8c31596a4ae9410d0156e05c208d6f59587ed552af3a9e791dbe717e
Opcode Fuzzy Hash: fa87de786f8eecca3efc200c28e25b6d139fc22a192c8d4f42cba9f9f2ff9e6f
Instruction Fuzzy Hash: 30D18F302083169BCB18EF11C555AAABBA7AF94744F10545CF8865B3E2CB71EE0BCB95

Uniqueness

Uniqueness Score: -1.00%

Function 0066A849 Relevance: 49.8, APIs: 33, Instructions: 274COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0066A89F
GetSysColorBrush.USER32(0000000F), ref: 0066A8D0
GetSysColor.USER32(0000000F), ref: 0066A8DC
SetBkColor.GDI32(?,000000FF), ref: 0066A8F6
SelectObject.GDI32(?,?), ref: 0066A905
InflateRect.USER32(?,000000FF,000000FF), ref: 0066A930
GetSysColor.USER32(00000010), ref: 0066A938
CreateSolidBrush.GDI32(00000000), ref: 0066A93F
FrameRect.USER32(?,?,00000000), ref: 0066A94E
DeleteObject.GDI32(00000000), ref: 0066A955
InflateRect.USER32(?,000000FE,000000FE), ref: 0066A9A0
FillRect.USER32(?,?,?), ref: 0066A9D2
GetWindowLongW.USER32(?,000000F0), ref: 0066A9FD

Part of subcall function 0066AB60: GetSysColor.USER32(00000012), ref: 0066AB99
Part of subcall function 0066AB60: SetTextColor.GDI32(?,?), ref: 0066AB9D
Part of subcall function 0066AB60: GetSysColorBrush.USER32(0000000F), ref: 0066ABB3
Part of subcall function 0066AB60: GetSysColor.USER32(0000000F), ref: 0066ABBE
Part of subcall function 0066AB60: GetSysColor.USER32(00000011), ref: 0066ABDB
Part of subcall function 0066AB60: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0066ABE9
Part of subcall function 0066AB60: SelectObject.GDI32(?,00000000), ref: 0066ABFA
Part of subcall function 0066AB60: SetBkColor.GDI32(?,00000000), ref: 0066AC03
Part of subcall function 0066AB60: SelectObject.GDI32(?,?), ref: 0066AC10
Part of subcall function 0066AB60: InflateRect.USER32(?,000000FF,000000FF), ref: 0066AC2F
Part of subcall function 0066AB60: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0066AC46
Part of subcall function 0066AB60: GetWindowLongW.USER32(00000000,000000F0), ref: 0066AC5B

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 8c28905bb52be21b550a99c4ec75b309ea8bde4dc5b1da9f8de2b9374c17fba7
Instruction ID: f74283b2fddf2ec89dd3fa3a40cad3a85906d730e5d92549accaf0dfb49081db
Opcode Fuzzy Hash: 8c28905bb52be21b550a99c4ec75b309ea8bde4dc5b1da9f8de2b9374c17fba7
Instruction Fuzzy Hash: E1A17272408301AFD7109FA4EC08A5BBBAAFF89321F105B29F962E61E1D771D945CF52

Uniqueness

Uniqueness Score: -1.00%

Function 005E2C18 Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 005E2CA2
DeleteObject.GDI32(00000000), ref: 005E2CE8
DeleteObject.GDI32(00000000), ref: 005E2CF3
DestroyIcon.USER32(00000000,?,?,?), ref: 005E2CFE
DestroyWindow.USER32(00000000,?,?,?), ref: 005E2D09
SendMessageW.USER32(?,00001308,?,00000000), ref: 0061C68B
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 0061C6C4
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0061CAED

Part of subcall function 005E1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,005E2036,?,00000000,?,?,?,?,005E16CB,00000000,?), ref: 005E1B9A

SendMessageW.USER32(?,00001053), ref: 0061CB2A
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0061CB41
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0061CB57
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0061CB62

Strings

0, xrefs: 0061C981

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: 25d541aeccb2a0c600d02a9c0dc29a6738e2d8be79d06deee85dcbb3d2d8e907
Instruction ID: 5ef90e51ff4a738564bb447f717bb02e36cb486681bee3cbb14a3da1aa373277
Opcode Fuzzy Hash: 25d541aeccb2a0c600d02a9c0dc29a6738e2d8be79d06deee85dcbb3d2d8e907
Instruction Fuzzy Hash: 8312BE30644241EFCB15CF25C889BEDBBE6BF45320F184569E49ADB262C771EC82CB91

Uniqueness

Uniqueness Score: -1.00%

Function 006577BE Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 006577F1
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 006578B0
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 006578EE
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00657900
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00657946
GetClientRect.USER32(00000000,?), ref: 00657952
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00657996
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 006579A5
GetStockObject.GDI32(00000011), ref: 006579B5
SelectObject.GDI32(00000000,00000000), ref: 006579B9
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 006579C9
GetDeviceCaps.GDI32(00000000,0000005A), ref: 006579D2
DeleteDC.GDI32(00000000), ref: 006579DB
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00657A07
SendMessageW.USER32(00000030,00000000,00000001), ref: 00657A1E
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00657A59
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00657A6D
SendMessageW.USER32(00000404,00000001,00000000), ref: 00657A7E
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00657AAE
GetStockObject.GDI32(00000011), ref: 00657AB9
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00657AC4
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00657ACE

Strings

static, xrefs: 00657990, 00657AA8
msctls_progress32, xrefs: 00657A4F
DISPLAY, xrefs: 0065799B
AutoIt v3, xrefs: 0065793E

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 4555c40bc52d7c861d7d61c5b60fb6c2c7b22f359cd46b2029963e6882fe879f
Instruction ID: 74872e61fa7eb8fdca2f2c8d370bc3e02929338401d7229ae70c58b88502af56
Opcode Fuzzy Hash: 4555c40bc52d7c861d7d61c5b60fb6c2c7b22f359cd46b2029963e6882fe879f
Instruction Fuzzy Hash: 48A17F71A40215BFEB14DFA4EC4AFAE7BBAEB49715F144114FA15A72E0D7B0AD00CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0064AF7B Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0064AF89
GetDriveTypeW.KERNEL32(?,0066FAC0,?,\\.\,0066F910), ref: 0064B066
SetErrorMode.KERNEL32(00000000,0066FAC0,?,\\.\,0066F910), ref: 0064B1C4

Strings

SSA, xrefs: 0064B14D
MMC, xrefs: 0064B185
SAS, xrefs: 0064B170
Fixed, xrefs: 0064B0AE
SSD, xrefs: 0064B0F1
PhysicalDrive, xrefs: 0064B012
Unknown, xrefs: 0064B086, 0064B12A
USB, xrefs: 0064B15B
FileBackedVirtual, xrefs: 0064B193
ATA, xrefs: 0064B13F
SATA, xrefs: 0064B177
RAID, xrefs: 0064B162
ATAPI, xrefs: 0064B138
Virtual, xrefs: 0064B18C
\\.\, xrefs: 0064AFDB
iSCSI, xrefs: 0064B169
Network, xrefs: 0064B0A4
1394, xrefs: 0064B146
CDROM, xrefs: 0064B09A
Fibre, xrefs: 0064B154
SCSI, xrefs: 0064B131
Removable, xrefs: 0064B0B8
RAMDisk, xrefs: 0064B090

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 7327b12071c4d0fb01688ef76e35c794b8a4af7e3ca0ac182728d4918329ffcd
Instruction ID: bdc44ea17e8b670b7de8e99aa64d4b8515259c73c0355db8943da1298927d87c
Opcode Fuzzy Hash: 7327b12071c4d0fb01688ef76e35c794b8a4af7e3ca0ac182728d4918329ffcd
Instruction Fuzzy Hash: 8F51E134684346EBCF04DB90C9A39BD77F7BB547427216016E40AAB690CB75DD06CF82

Uniqueness

Uniqueness Score: -1.00%

Function 005E6A3C Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 005E6A91
__wcsnicmp.LIBCMT ref: 005E6AA9
__wcsnicmp.LIBCMT ref: 005E6AC1
__wcsnicmp.LIBCMT ref: 005E6AD9
__wcsnicmp.LIBCMT ref: 005E6AF1
__wcsnicmp.LIBCMT ref: 005E6B09
__wcsnicmp.LIBCMT ref: 005E6B21
__wcsnicmp.LIBCMT ref: 005E6B35
__wcsnicmp.LIBCMT ref: 005E6B76
__wcsnicmp.LIBCMT ref: 005E6B8A
__wcsnicmp.LIBCMT ref: 005E6B9E
__wcsnicmp.LIBCMT ref: 005E6BB2

Strings

Bad directive syntax error, xrefs: 0061E743
#comments-start, xrefs: 005E6B1B, 005E6B70
#notrayicon, xrefs: 005E6AA3
#pragma compile, xrefs: 005E6A8B
#include-once, xrefs: 005E6AEB
#cs, xrefs: 005E6B2F, 005E6B84
Cannot parse #include, xrefs: 0061E819
#OnAutoItStartRegister, xrefs: 005E6AD3
#include, xrefs: 005E6B03
#comments-end, xrefs: 005E6B98
#requireadmin, xrefs: 005E6ABB
#ce, xrefs: 005E6BAC
Unterminated group of comments, xrefs: 0061E82C

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: 77a3a90cdb7a7ba35b20ecd6533def9236c8d6ec25972b4380f5ace6af235005
Instruction ID: bae5134268edfb18272fc69eeaf195ed75bbea7216461038fab2b4b87d25b514
Opcode Fuzzy Hash: 77a3a90cdb7a7ba35b20ecd6533def9236c8d6ec25972b4380f5ace6af235005
Instruction Fuzzy Hash: 81811D70740256AADB28AF61CC86FFF7F5EBF25780F044025FD85AA1C1EB61DA41C2A5

Uniqueness

Uniqueness Score: -1.00%

Function 0066AB60 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 0066AB99
SetTextColor.GDI32(?,?), ref: 0066AB9D
GetSysColorBrush.USER32(0000000F), ref: 0066ABB3
GetSysColor.USER32(0000000F), ref: 0066ABBE
CreateSolidBrush.GDI32(?), ref: 0066ABC3
GetSysColor.USER32(00000011), ref: 0066ABDB
CreatePen.GDI32(00000000,00000001,00743C00), ref: 0066ABE9
SelectObject.GDI32(?,00000000), ref: 0066ABFA
SetBkColor.GDI32(?,00000000), ref: 0066AC03
SelectObject.GDI32(?,?), ref: 0066AC10
InflateRect.USER32(?,000000FF,000000FF), ref: 0066AC2F
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0066AC46
GetWindowLongW.USER32(00000000,000000F0), ref: 0066AC5B
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0066ACA7
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0066ACCE
InflateRect.USER32(?,000000FD,000000FD), ref: 0066ACEC
DrawFocusRect.USER32(?,?), ref: 0066ACF7
GetSysColor.USER32(00000011), ref: 0066AD05
SetTextColor.GDI32(?,00000000), ref: 0066AD0D
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0066AD21
SelectObject.GDI32(?,0066A869), ref: 0066AD38
DeleteObject.GDI32(?), ref: 0066AD43
SelectObject.GDI32(?,?), ref: 0066AD49
DeleteObject.GDI32(?), ref: 0066AD4E
SetTextColor.GDI32(?,?), ref: 0066AD54
SetBkColor.GDI32(?,?), ref: 0066AD5E

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 2c2e4a0a568bcd726daa3b3b3bcafd683783c60be58ae7c93b0e2c58620cf86c
Instruction ID: ca4ff5e0c5039f44da5315c1ce47976cf2c14276dc8cdfbcbda5c42463098607
Opcode Fuzzy Hash: 2c2e4a0a568bcd726daa3b3b3bcafd683783c60be58ae7c93b0e2c58620cf86c
Instruction Fuzzy Hash: CF611C71900218AFDB119FA8EC48AAEBB7AEF09320F105525F915AB2A1D6B59D40DF90

Uniqueness

Uniqueness Score: -1.00%

Function 00668C44 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00668D34
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00668D45
CharNextW.USER32(0000014E), ref: 00668D74
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00668DB5
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00668DCB
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00668DDC
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00668DF9
SetWindowTextW.USER32(?,0000014E), ref: 00668E45
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00668E5B
SendMessageW.USER32(?,00001002,00000000,?), ref: 00668E8C
_memset.LIBCMT ref: 00668EB1
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00668EFA
_memset.LIBCMT ref: 00668F59
SendMessageW.USER32(?,00001053,000000FF,?), ref: 00668F83
SendMessageW.USER32(?,00001074,?,00000001), ref: 00668FDB
SendMessageW.USER32(?,0000133D,?,?), ref: 00669088
InvalidateRect.USER32(?,00000000,00000001), ref: 006690AA
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 006690F4
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00669121
DrawMenuBar.USER32(?), ref: 00669130
SetWindowTextW.USER32(?,0000014E), ref: 00669158

Strings

0, xrefs: 006690C2

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: eb8f9a596eaab4a82dcbb2c1f91e8c1067757c82e2d3d68ba19405254a137837
Instruction ID: 8adf38c129b5129abd96af4be9f873fbcf39b215809e7387a1507ba09588a527
Opcode Fuzzy Hash: eb8f9a596eaab4a82dcbb2c1f91e8c1067757c82e2d3d68ba19405254a137837
Instruction Fuzzy Hash: E4E16370900219AFDF209F64DC88EEE7B7AFF05710F148259F915AB2A1DB709A85DF60

Uniqueness

Uniqueness Score: -1.00%

Function 00664B16 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00664C51
GetDesktopWindow.USER32 ref: 00664C66
GetWindowRect.USER32(00000000), ref: 00664C6D
GetWindowLongW.USER32(?,000000F0), ref: 00664CCF
DestroyWindow.USER32(?), ref: 00664CFB
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00664D24
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00664D42
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00664D68
SendMessageW.USER32(?,00000421,?,?), ref: 00664D7D
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00664D90
IsWindowVisible.USER32(?), ref: 00664DB0
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00664DCB
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00664DDF
GetWindowRect.USER32(?,?), ref: 00664DF7
MonitorFromPoint.USER32(?,?,00000002), ref: 00664E1D
GetMonitorInfoW.USER32(00000000,?), ref: 00664E37
CopyRect.USER32(?,?), ref: 00664E4E
SendMessageW.USER32(?,00000412,00000000), ref: 00664EB9

Strings

0, xrefs: 00664BFC
tooltips_class32, xrefs: 00664D1D
(, xrefs: 00664E2A

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 42954f003ee6da69c2cba824fb8cbf4ea30dac89d8e9ac1bea5a1e884d3a120f
Instruction ID: 896bd5828db9e1db1d89817ff6cce11b1fb35c1affc7015b794959b827cfed4d
Opcode Fuzzy Hash: 42954f003ee6da69c2cba824fb8cbf4ea30dac89d8e9ac1bea5a1e884d3a120f
Instruction Fuzzy Hash: 5FB19F71608341AFDB04DF25D948B6ABBE6FF88310F00891DF5999B2A1DB71EC05CB92

Uniqueness

Uniqueness Score: -1.00%

Function 006446D6 Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 006446E8
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0064470E
_wcscpy.LIBCMT ref: 0064473C
_wcscmp.LIBCMT ref: 00644747
_wcscat.LIBCMT ref: 0064475D
_wcsstr.LIBCMT ref: 00644768
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00644784
_wcscat.LIBCMT ref: 006447CD
_wcscat.LIBCMT ref: 006447D4
_wcsncpy.LIBCMT ref: 006447FF

Strings

\VarFileInfo\Translation, xrefs: 0064477C
DefaultLangCodepage, xrefs: 006447E7
04090000, xrefs: 006447BA
StringFileInfo\, xrefs: 00644757
%u.%u.%u.%u, xrefs: 00644862

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: 5080731eea0448d605930ad26aa9f06a4ae7bc4f387b739f1fa68c80f31e6fcd
Instruction ID: b8b4f48f9a132e9238f34923e145096d2c38912075de8f3a220c0843da339d0b
Opcode Fuzzy Hash: 5080731eea0448d605930ad26aa9f06a4ae7bc4f387b739f1fa68c80f31e6fcd
Instruction Fuzzy Hash: 4A413871680205BAEB14A7709C47FBF77AEEF42710F14006EF905E61C2EF709A0196A9

Uniqueness

Uniqueness Score: -1.00%

Function 005E27D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 005E28BC
GetSystemMetrics.USER32(00000007), ref: 005E28C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 005E28EF
GetSystemMetrics.USER32(00000008), ref: 005E28F7
GetSystemMetrics.USER32(00000004), ref: 005E291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 005E2939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 005E2949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 005E297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 005E2990
GetClientRect.USER32(00000000,000000FF), ref: 005E29AE
GetStockObject.GDI32(00000011), ref: 005E29CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 005E29D5

Part of subcall function 005E2344: GetCursorPos.USER32(?), ref: 005E2357
Part of subcall function 005E2344: ScreenToClient.USER32(006A67B0,?), ref: 005E2374
Part of subcall function 005E2344: GetAsyncKeyState.USER32(00000001), ref: 005E2399
Part of subcall function 005E2344: GetAsyncKeyState.USER32(00000002), ref: 005E23A7

SetTimer.USER32(00000000,00000000,00000028,005E1256), ref: 005E29FC

Strings

AutoIt v3 GUI, xrefs: 005E2974

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 4d24ca10b64a2dcba3d120b9e1ede2ab5ccc74c349a40a7e58e64bf5749c91de
Instruction ID: da4fb56a4598bd0a3d87429f1bf0de583c2cd6d094c5252880fd9786d26c06ec
Opcode Fuzzy Hash: 4d24ca10b64a2dcba3d120b9e1ede2ab5ccc74c349a40a7e58e64bf5749c91de
Instruction Fuzzy Hash: 5AB16E7164024ADFDB14DF69DC45BED7BAAFB08310F149129FA66E6294CB74A840CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00664069 Relevance: 28.3, APIs: 3, Strings: 13, Instructions: 283windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 006640F6
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 006641B6

Strings

GETSELECTEDCOUNT, xrefs: 00664199
GETSUBITEMCOUNT, xrefs: 00664141
DESELECT, xrefs: 006642A4
SELECTINVERT, xrefs: 00664286
VIEWCHANGE, xrefs: 00664375
SELECTALL, xrefs: 0066421D
GETTEXT, xrefs: 0066415F
SELECTCLEAR, xrefs: 00664235
ISSELECTED, xrefs: 006641C1
SELECT, xrefs: 00664250
GETITEMCOUNT, xrefs: 00664128
GETSELECTED, xrefs: 006642E4
FINDITEM, xrefs: 00664329

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 3974292440-719923060
Opcode ID: 085254a6e5bbef6a6ca2042f39decbb1162044e0d590a5947cf3ac2b42c09200
Instruction ID: 9c85e4e8ddf4c0fcbf4df51741dfecd5923b0f362544606e6491d7e0b1f96dcd
Opcode Fuzzy Hash: 085254a6e5bbef6a6ca2042f39decbb1162044e0d590a5947cf3ac2b42c09200
Instruction Fuzzy Hash: CBA19F302143429BCB18EF21C951A6ABBABBF85314F14496CB8969B7D2DF30ED06CB51

Uniqueness

Uniqueness Score: -1.00%

Function 006552F0 Relevance: 27.1, APIs: 18, Instructions: 124COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00655309
LoadCursorW.USER32(00000000,00007F8A), ref: 00655314
LoadCursorW.USER32(00000000,00007F00), ref: 0065531F
LoadCursorW.USER32(00000000,00007F03), ref: 0065532A
LoadCursorW.USER32(00000000,00007F8B), ref: 00655335
LoadCursorW.USER32(00000000,00007F01), ref: 00655340
LoadCursorW.USER32(00000000,00007F81), ref: 0065534B
LoadCursorW.USER32(00000000,00007F88), ref: 00655356
LoadCursorW.USER32(00000000,00007F80), ref: 00655361
LoadCursorW.USER32(00000000,00007F86), ref: 0065536C
LoadCursorW.USER32(00000000,00007F83), ref: 00655377
LoadCursorW.USER32(00000000,00007F85), ref: 00655382
LoadCursorW.USER32(00000000,00007F82), ref: 0065538D
LoadCursorW.USER32(00000000,00007F84), ref: 00655398
LoadCursorW.USER32(00000000,00007F04), ref: 006553A3
LoadCursorW.USER32(00000000,00007F02), ref: 006553AE
GetCursorInfo.USER32(?), ref: 006553BE
GetLastError.KERNEL32(00000001,00000000), ref: 006553E9

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 6ec3315f7c45975cda52e2e45dba2d7431355f429fed130e102a759daf125cc9
Instruction ID: 23a13f91c9b93a700b942e1ebcca9d06d33d9cdb48cc3f079e4eb3ebd54ac77c
Opcode Fuzzy Hash: 6ec3315f7c45975cda52e2e45dba2d7431355f429fed130e102a759daf125cc9
Instruction Fuzzy Hash: 1E417370E043196ADB109FBA8C4986EFFF9EF51B10F10452FE509E7290DAB8A4018E51

Uniqueness

Uniqueness Score: -1.00%

Function 0063AA64 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0063AAA5
__swprintf.LIBCMT ref: 0063AB46
_wcscmp.LIBCMT ref: 0063AB59
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0063ABAE
_wcscmp.LIBCMT ref: 0063ABEA
GetClassNameW.USER32(?,?,00000400), ref: 0063AC21
GetDlgCtrlID.USER32(?), ref: 0063AC73
GetWindowRect.USER32(?,?), ref: 0063ACA9
GetParent.USER32(?), ref: 0063ACC7
ScreenToClient.USER32(00000000), ref: 0063ACCE
GetClassNameW.USER32(?,?,00000100), ref: 0063AD48
_wcscmp.LIBCMT ref: 0063AD5C
GetWindowTextW.USER32(?,?,00000400), ref: 0063AD82
_wcscmp.LIBCMT ref: 0063AD96

Part of subcall function 0060386C: _iswctype.LIBCMT ref: 00603874

Strings

%s%u, xrefs: 0063AB40

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: abbabcb6e97b44b6be1bb65e0a215688514ba2b85915060b9acecea4d6d5abcf
Instruction ID: c5469612330cca03e0a8b1112175538ee059adfb3bdafdb326ea6f8cf6c6d2dd
Opcode Fuzzy Hash: abbabcb6e97b44b6be1bb65e0a215688514ba2b85915060b9acecea4d6d5abcf
Instruction Fuzzy Hash: EDA1BD71204206ABD718DFA4C884BEAB7EAFF04315F00862DF9D9C2690DB30E955DBD2

Uniqueness

Uniqueness Score: -1.00%

Function 0063B397 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 0063B3DB
_wcscmp.LIBCMT ref: 0063B3EC
GetWindowTextW.USER32(00000001,?,00000400), ref: 0063B414
CharUpperBuffW.USER32(?,00000000), ref: 0063B431
_wcscmp.LIBCMT ref: 0063B44F
_wcsstr.LIBCMT ref: 0063B460
GetClassNameW.USER32(00000018,?,00000400), ref: 0063B498
_wcscmp.LIBCMT ref: 0063B4A8
GetWindowTextW.USER32(00000002,?,00000400), ref: 0063B4CF
GetClassNameW.USER32(00000018,?,00000400), ref: 0063B518
_wcscmp.LIBCMT ref: 0063B528
GetClassNameW.USER32(00000010,?,00000400), ref: 0063B550
GetWindowRect.USER32(00000004,?), ref: 0063B5B9

Strings

ThumbnailClass, xrefs: 0063B4A3, 0063B523
@, xrefs: 0063B3BC

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: 9ff0b0b4d174910efbe68ed8b587a164fec695e9c11d9a35121a5376c60fea5f
Instruction ID: 128568a4aac4e41b6555e770ea3e60f85f1915eccb13b00cb18271cb6fc4f6de
Opcode Fuzzy Hash: 9ff0b0b4d174910efbe68ed8b587a164fec695e9c11d9a35121a5376c60fea5f
Instruction Fuzzy Hash: EF81B1710083059BDB05DF10D885FAA7BEAFF84314F04A56DFE898A296DB70DD45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0066C8EE Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 005E2612: GetWindowLongW.USER32(?,000000EB), ref: 005E2623

DragQueryPoint.SHELL32(?,?), ref: 0066C917

Part of subcall function 0066ADF1: ClientToScreen.USER32(?,?), ref: 0066AE1A
Part of subcall function 0066ADF1: GetWindowRect.USER32(?,?), ref: 0066AE90
Part of subcall function 0066ADF1: PtInRect.USER32(?,?,0066C304), ref: 0066AEA0

SendMessageW.USER32(?,000000B0,?,?), ref: 0066C980
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0066C98B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0066C9AE
_wcscat.LIBCMT ref: 0066C9DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 0066C9F5
SendMessageW.USER32(?,000000B0,?,?), ref: 0066CA0E
SendMessageW.USER32(?,000000B1,?,?), ref: 0066CA25
SendMessageW.USER32(?,000000B1,?,?), ref: 0066CA47
DragFinish.SHELL32(?), ref: 0066CA4E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0066CB41

Strings

@GUI_DRAGID, xrefs: 0066CAB9
@GUI_DROPID, xrefs: 0066CA6E
prj, xrefs: 0066CA8B
@GUI_DRAGFILE, xrefs: 0066CAF0

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$prj
API String ID: 169749273-2123286542
Opcode ID: ec98950d60e1422a7fa672d0bd1fc8ad51e001d12657c18cfe12cd125346f62c
Instruction ID: 8ca4682980e0da5a9f493a2b886678382fa188a0c19a7856c781ee28332c1dff
Opcode Fuzzy Hash: ec98950d60e1422a7fa672d0bd1fc8ad51e001d12657c18cfe12cd125346f62c
Instruction Fuzzy Hash: F2616D71108341AFC705EF65DC89DABBBE9FFC9710F000A2DF5A5921A1DB709A49CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0063B1E0 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0063B23F

Strings

[CLASS:, xrefs: 0063B28F
[REGEXPTITLE:, xrefs: 0063B267
ACTIVE, xrefs: 0063B21A
REGEXP=, xrefs: 0063B254
[HANDLE:, xrefs: 0063B24B
[ACTIVE, xrefs: 0063B22C
[ALL, xrefs: 0063B2E5
CLASSNAME=, xrefs: 0063B27C
HANDLE=, xrefs: 0063B238
LAST, xrefs: 0063B204
ALL, xrefs: 0063B2D3
[LAST, xrefs: 0063B2EC

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 4f8d8b4c627c842997a6508660cc7b612ae0de610fbdd75c0353e64a2de695a1
Instruction ID: 665640d733775743c52f9cb0f17f3167cbcd0c6f3e84b6e033193547ffbf270e
Opcode Fuzzy Hash: 4f8d8b4c627c842997a6508660cc7b612ae0de610fbdd75c0353e64a2de695a1
Instruction Fuzzy Hash: BA310230A4424AA6EF08FA61CD43EFF7BAEAF18750F20012CB540715D2EF616F04C5A5

Uniqueness

Uniqueness Score: -1.00%

Function 0063C4C1 Relevance: 25.7, APIs: 17, Instructions: 169windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 0063C4D4
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0063C4E6
SetWindowTextW.USER32(?,?), ref: 0063C4FD
GetDlgItem.USER32(?,000003EA), ref: 0063C512
SetWindowTextW.USER32(00000000,?), ref: 0063C518
GetDlgItem.USER32(?,000003E9), ref: 0063C528
SetWindowTextW.USER32(00000000,?), ref: 0063C52E
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 0063C54F
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 0063C569
GetWindowRect.USER32(?,?), ref: 0063C572
SetWindowTextW.USER32(?,?), ref: 0063C5DD
GetDesktopWindow.USER32 ref: 0063C5E3
GetWindowRect.USER32(00000000), ref: 0063C5EA
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 0063C636
GetClientRect.USER32(?,?), ref: 0063C643
PostMessageW.USER32(?,00000005,00000000,00000000), ref: 0063C668
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 0063C693

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID:
API String ID: 3869813825-0
Opcode ID: db7f942b324b81964d81f23be61ff53bea6db003ea1a571a966dcd4237dd817b
Instruction ID: 967d1bedc2a0592d9ca1c84bf113ffe84d9c88c9b8511802e946376ea78e056f
Opcode Fuzzy Hash: db7f942b324b81964d81f23be61ff53bea6db003ea1a571a966dcd4237dd817b
Instruction Fuzzy Hash: ED516171900709AFDB20DFA8DD85BAEBBF6FF04715F004528F696A26A0C7B5A914CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0066A428 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0066A4C8
DestroyWindow.USER32(?,?), ref: 0066A542

Part of subcall function 005E7D2C: _memmove.LIBCMT ref: 005E7D66

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0066A5BC
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0066A5DE
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0066A5F1
DestroyWindow.USER32(00000000), ref: 0066A613
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,005E0000,00000000), ref: 0066A64A
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0066A663
GetDesktopWindow.USER32 ref: 0066A67C
GetWindowRect.USER32(00000000), ref: 0066A683
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0066A69B
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0066A6B3

Part of subcall function 005E25DB: GetWindowLongW.USER32(?,000000EB), ref: 005E25EC

Strings

tooltips_class32, xrefs: 0066A5B5, 0066A643
0, xrefs: 0066A4DE

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: a3a52e56141cd14d061028dbb783bc3b1df0077f7c7f7938eb7519ad8741b384
Instruction ID: db780c0fb5b6a21ec08b8fbcbc0275f2be3cb71e1e05443c39189dd2a4a233f3
Opcode Fuzzy Hash: a3a52e56141cd14d061028dbb783bc3b1df0077f7c7f7938eb7519ad8741b384
Instruction Fuzzy Hash: D1719971140245AFD720DF68DC49FAA7BEAFB89700F08452CF995972A0C7B4E912CF22

Uniqueness

Uniqueness Score: -1.00%

Function 00664619 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 006646AB
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 006646F6

Strings

UNCHECK, xrefs: 006648D2
EXISTS, xrefs: 0066475F
COLLAPSE, xrefs: 0066473C
SELECT, xrefs: 006648A7
GETITEMCOUNT, xrefs: 006647D8
CHECK, xrefs: 00664716
ISCHECKED, xrefs: 00664879
EXPAND, xrefs: 006647A8
GETTEXT, xrefs: 00664849
GETSELECTED, xrefs: 00664806
GETTOTALCOUNT, xrefs: 006646DD

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: f0edccf49e356b59dbf3c4b1ea02c90e7c20a15782a264370df2ed0bd667169b
Instruction ID: a24813cc14604638615d23a905364af0b3fc24f380b1a53be26c636b1a53f881
Opcode Fuzzy Hash: f0edccf49e356b59dbf3c4b1ea02c90e7c20a15782a264370df2ed0bd667169b
Instruction Fuzzy Hash: FD915D742043429BCB18EF11C451A6ABBA7BF94314F04946CF8D65B7A2CF70ED4ACB95

Uniqueness

Uniqueness Score: -1.00%

Function 0066BAB8 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0066BB6E
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00669431), ref: 0066BBCA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0066BC03
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 0066BC46
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0066BC7D
FreeLibrary.KERNEL32(?), ref: 0066BC89
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0066BC99
DestroyIcon.USER32(?,?,?,?,?,00669431), ref: 0066BCA8
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0066BCC5
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0066BCD1

Part of subcall function 0060313D: __wcsicmp_l.LIBCMT ref: 006031C6

Strings

.dll, xrefs: 0066BB27
.icl, xrefs: 0066BAE4
.exe, xrefs: 0066BB04

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: 70fabeef08a033b42c4cd99b0d6fe0c232bada0fe01b9091490617da12d76d48
Instruction ID: a8fa8fc87517566a9335dca9cacd179ff5d5bc376ae2d77eb8fad5e775f00756
Opcode Fuzzy Hash: 70fabeef08a033b42c4cd99b0d6fe0c232bada0fe01b9091490617da12d76d48
Instruction Fuzzy Hash: C761EF71540219FAEB14DF64DC45BFA7BAEFF08710F10521AF815D61D0DBB0AA90CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0064A0B5 Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 156COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,0066FB78), ref: 0064A0FC

Part of subcall function 005E7F41: _memmove.LIBCMT ref: 005E7F82

LoadStringW.USER32(?,?,00000FFF,?), ref: 0064A11E
__swprintf.LIBCMT ref: 0064A177
__swprintf.LIBCMT ref: 0064A190
_wprintf.LIBCMT ref: 0064A246
_wprintf.LIBCMT ref: 0064A264

Strings

"%s" (%d) : ==> %s:, xrefs: 0064A25F
"%s" (%d) : ==> %s:%s%s, xrefs: 0064A241
Error: , xrefs: 0064A20E
^ ERROR, xrefs: 0064A1E8
Line %d (File "%s"):, xrefs: 0064A171, 0064A18A
%g, xrefs: 0064A0C9

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR$%g
API String ID: 311963372-3054832198
Opcode ID: 27d929d9963664ef1cf46f0dfc0d46311a957db545badc1756beb0ef5d965474
Instruction ID: b10c9e21f2e6f19cf93306615b75c5a8c44105f89b6510d865fb037a43c3c8d1
Opcode Fuzzy Hash: 27d929d9963664ef1cf46f0dfc0d46311a957db545badc1756beb0ef5d965474
Instruction Fuzzy Hash: 58516F3194014ABBCF19EBE0CD86EEEBB7ABF48300F140169F505621A1EB716F58DB61

Uniqueness

Uniqueness Score: -1.00%

Function 0064A5BD Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 005E9997: __itow.LIBCMT ref: 005E99C2
Part of subcall function 005E9997: __swprintf.LIBCMT ref: 005E9A0C

CharLowerBuffW.USER32(?,?), ref: 0064A636
GetDriveTypeW.KERNEL32 ref: 0064A683
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0064A6CB
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0064A702
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0064A730

Part of subcall function 005E7D2C: _memmove.LIBCMT ref: 005E7D66

Strings

closed, xrefs: 0064A64A, 0064A653
wait, xrefs: 0064A6ED
open, xrefs: 0064A65D
close, xrefs: 0064A63C
type cdaudio alias cd wait, xrefs: 0064A6AE
close cd wait, xrefs: 0064A71B
set cd door , xrefs: 0064A6D1
open , xrefs: 0064A692

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: bde42b30f7e85150262f25c03f39e1b9734f4747817ed235343a9bc0eea1a46f
Instruction ID: d6d590d501c450c0cc91d28140c4d2f6e72b0e7ed50bd232bf59fc360c08a77c
Opcode Fuzzy Hash: bde42b30f7e85150262f25c03f39e1b9734f4747817ed235343a9bc0eea1a46f
Instruction Fuzzy Hash: 3F5180751043469FC704EF21C89586ABBF9FF98718F04496CF89597291DB31EE0ACB92

Uniqueness

Uniqueness Score: -1.00%

Function 0064A45A Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0064A47A
__swprintf.LIBCMT ref: 0064A49C
CreateDirectoryW.KERNEL32(?,00000000), ref: 0064A4D9
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0064A4FE
_memset.LIBCMT ref: 0064A51D
_wcsncpy.LIBCMT ref: 0064A559
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0064A58E
CloseHandle.KERNEL32(00000000), ref: 0064A599
RemoveDirectoryW.KERNEL32(?), ref: 0064A5A2
CloseHandle.KERNEL32(00000000), ref: 0064A5AC

Strings

:, xrefs: 0064A4BD
\??\%s, xrefs: 0064A496
\, xrefs: 0064A4B2

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: a068830c0f413f0c250637bc7a33ba37ee6ba64a75dc138ada692232188f7afe
Instruction ID: 3ed66d47450b550a3917091d690d5d3d70eb88bbe4d89c611e47ab24b7a35228
Opcode Fuzzy Hash: a068830c0f413f0c250637bc7a33ba37ee6ba64a75dc138ada692232188f7afe
Instruction Fuzzy Hash: 333192B5540119ABDB21DFA0DC49FEB73BEEF88701F1041B6F908D6260E7B097448B65

Uniqueness

Uniqueness Score: -1.00%

Function 0064DB04 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 0064DC7B
_wcscat.LIBCMT ref: 0064DC93
_wcscat.LIBCMT ref: 0064DCA5
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0064DCBA
SetCurrentDirectoryW.KERNEL32(?), ref: 0064DCCE
GetFileAttributesW.KERNEL32(?), ref: 0064DCE6
SetFileAttributesW.KERNEL32(?,00000000), ref: 0064DD00
SetCurrentDirectoryW.KERNEL32(?), ref: 0064DD12

Strings

*.*, xrefs: 0064DD51

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: 1dc0218a26ed5f421378268a8e98d353da78e92450d51b28e40c2298c4e63994
Instruction ID: e461afb2ed017983b3d7d9539f3a42880893058cbda81c3d4266219c49bd2db9
Opcode Fuzzy Hash: 1dc0218a26ed5f421378268a8e98d353da78e92450d51b28e40c2298c4e63994
Instruction Fuzzy Hash: FE8192B19042419FCB64EF64C8859AEB7EAFF89350F15882EF885C7350E670DD45CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0066C49C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 005E2612: GetWindowLongW.USER32(?,000000EB), ref: 005E2623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0066C4EC
GetFocus.USER32 ref: 0066C4FC
GetDlgCtrlID.USER32(00000000), ref: 0066C507
_memset.LIBCMT ref: 0066C632
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0066C65D
GetMenuItemCount.USER32(?), ref: 0066C67D
GetMenuItemID.USER32(?,00000000), ref: 0066C690
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0066C6C4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0066C70C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0066C744
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0066C779

Strings

0, xrefs: 0066C62A

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: 9a27ab860c68234dc07ead358b3f651e5c6bf279b28323b967f8dd0575eb485b
Instruction ID: 46149132cc97d7b3234197ed6cc653869bbf3e602c800275f84f73732907e810
Opcode Fuzzy Hash: 9a27ab860c68234dc07ead358b3f651e5c6bf279b28323b967f8dd0575eb485b
Instruction Fuzzy Hash: 99816B70208711AFD710DF24D984ABBBBEAFB88324F00452DF99697291D770E905CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 006383F4 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0063874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00638766
Part of subcall function 0063874A: GetLastError.KERNEL32(?,0063822A,?,?,?), ref: 00638770
Part of subcall function 0063874A: GetProcessHeap.KERNEL32(00000008,?,?,0063822A,?,?,?), ref: 0063877F
Part of subcall function 0063874A: HeapAlloc.KERNEL32(00000000,?,0063822A,?,?,?), ref: 00638786
Part of subcall function 0063874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0063879D

Part of subcall function 006387E7: GetProcessHeap.KERNEL32(00000008,00638240,00000000,00000000,?,00638240,?), ref: 006387F3
Part of subcall function 006387E7: HeapAlloc.KERNEL32(00000000,?,00638240,?), ref: 006387FA
Part of subcall function 006387E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00638240,?), ref: 0063880B

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00638458
_memset.LIBCMT ref: 0063846D
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0063848C
GetLengthSid.ADVAPI32(?), ref: 0063849D
GetAce.ADVAPI32(?,00000000,?), ref: 006384DA
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 006384F6
GetLengthSid.ADVAPI32(?), ref: 00638513
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00638522
HeapAlloc.KERNEL32(00000000), ref: 00638529
GetLengthSid.ADVAPI32(?,00000008,?), ref: 0063854A
CopySid.ADVAPI32(00000000), ref: 00638551
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00638582
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 006385A8
SetUserObjectSecurity.USER32(?,00000004,?), ref: 006385BC

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 7cf93ebd170d08d2e33b048726fd1ba734cada4f5e11e6c95719482707ee32b3
Instruction ID: 9e8a7f82831215321ab34935609f5be610209ab71f17daab2a312e659e0998b1
Opcode Fuzzy Hash: 7cf93ebd170d08d2e33b048726fd1ba734cada4f5e11e6c95719482707ee32b3
Instruction Fuzzy Hash: 8361387190020AAFDF00DFA5EC45AEEBBBAFF45310F148169F815A7291DB719A05CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0065762D Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 006576A2
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 006576AE
CreateCompatibleDC.GDI32(?), ref: 006576BA
SelectObject.GDI32(00000000,?), ref: 006576C7
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 0065771B
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00657757
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 0065777B
SelectObject.GDI32(00000006,?), ref: 00657783
DeleteObject.GDI32(?), ref: 0065778C
DeleteDC.GDI32(00000006), ref: 00657793
ReleaseDC.USER32(00000000,?), ref: 0065779E

Strings

(, xrefs: 00657723

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: a9f35e68b8607f8b4c783ac479588f9c8baeb9e36809615a9cd607f9fdbc1e4e
Instruction ID: 61ad9ad1fca4260c064e3d4ee44b5be6b1e39a502e24507407b934385cfef6b2
Opcode Fuzzy Hash: a9f35e68b8607f8b4c783ac479588f9c8baeb9e36809615a9cd607f9fdbc1e4e
Instruction Fuzzy Hash: 1A514875904209EFCB15CFA8EC84EAEBBBAEF48710F14842DF94A97210D771A944CB60

Uniqueness

Uniqueness Score: -1.00%

Function 005E6BEC Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00600B9B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,005E6C6C,?,00008000), ref: 00600BB7

Part of subcall function 005E48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,005E48A1,?,?,005E37C0,?), ref: 005E48CE

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 005E6D0D
SetCurrentDirectoryW.KERNEL32(?), ref: 005E6E5A

Part of subcall function 005E59CD: _wcscpy.LIBCMT ref: 005E5A05

Part of subcall function 0060387D: _iswctype.LIBCMT ref: 00603885

Strings

AU3!, xrefs: 005E6CC1
EA06, xrefs: 0061E87B
>>>AUTOIT SCRIPT<<<, xrefs: 0061E8BF
Bad directive syntax error, xrefs: 0061EBC6
Error opening the file, xrefs: 0061E866, 0061E8E1
Unterminated string, xrefs: 0061EC0D
#include depth exceeded. Make sure there are no recursive includes, xrefs: 0061E84A

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: 649a87c7b2d6c6e3825daad854b4aaa98f2c523fbece72379eceab0779954172
Instruction ID: 1eb6309f57ef61424f7ee4253c824bd112bf13058d2e0e454ed2cf879f6748e4
Opcode Fuzzy Hash: 649a87c7b2d6c6e3825daad854b4aaa98f2c523fbece72379eceab0779954172
Instruction Fuzzy Hash: 68028D311083819FC718EF25C895AAFBBE6BF99354F04091DF8C6972A1DB31D949CB42

Uniqueness

Uniqueness Score: -1.00%

Function 005E45DF Relevance: 19.7, APIs: 13, Instructions: 215windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 005E45F9
GetMenuItemCount.USER32(006A6890), ref: 0061D7CD
GetMenuItemCount.USER32(006A6890), ref: 0061D87D
GetCursorPos.USER32(?), ref: 0061D8C1
SetForegroundWindow.USER32(00000000), ref: 0061D8CA
TrackPopupMenuEx.USER32(006A6890,00000000,?,00000000,00000000,00000000), ref: 0061D8DD
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 0061D8E9

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 2751501086-0
Opcode ID: a80ac0d5031a4f66ba4122ff60c52b36c89039b7b12804d4b73edbc7e810703d
Instruction ID: 9df449e24007a92ec29606989d127f7f4e5e3e3fe0ad9353926e6bdc93334c66
Opcode Fuzzy Hash: a80ac0d5031a4f66ba4122ff60c52b36c89039b7b12804d4b73edbc7e810703d
Instruction Fuzzy Hash: DE71F770600246BFEB249F25DC89FEABF66FF05368F240216F515A62E1C7B16C50DB94

Uniqueness

Uniqueness Score: -1.00%

Function 00658BC0 Relevance: 19.6, APIs: 10, Strings: 1, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00658BEC
CoInitialize.OLE32(00000000), ref: 00658C19
CoUninitialize.OLE32 ref: 00658C23
GetRunningObjectTable.OLE32(00000000,?), ref: 00658D23
SetErrorMode.KERNEL32(00000001,00000029), ref: 00658E50
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00672C0C), ref: 00658E84
CoGetObject.OLE32(?,00000000,00672C0C,?), ref: 00658EA7
SetErrorMode.KERNEL32(00000000), ref: 00658EBA
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00658F3A
VariantClear.OLEAUT32(?), ref: 00658F4A

Strings

,,g, xrefs: 00658BD6

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID: ,,g
API String ID: 2395222682-619837891
Opcode ID: 3eeb3bc48112c1c00f033d9eee8fbad848011453788d3e208f0948020027a5bc
Instruction ID: caedbbd5b3d8d33c1d9e1b1232556e0cfa9e5f87e64d97df1628467503bf462a
Opcode Fuzzy Hash: 3eeb3bc48112c1c00f033d9eee8fbad848011453788d3e208f0948020027a5bc
Instruction Fuzzy Hash: 43C126B1208305AFD700DF64C88496BBBEAFF89349F10495DF98A9B251DB71ED09CB52

Uniqueness

Uniqueness Score: -1.00%

Function 006610A5 Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00660038,?,?), ref: 006610BC

Strings

HKLM, xrefs: 0066113A
HKEY_LOCAL_MACHINE, xrefs: 00661125
HKCU, xrefs: 006611AC
HKEY_CURRENT_CONFIG, xrefs: 00661179
HKCC, xrefs: 0066118A
HKU, xrefs: 006611CE
HKEY_CLASSES_ROOT, xrefs: 0066114F
HKEY_CURRENT_USER, xrefs: 0066119B
HKCR, xrefs: 00661164
HKEY_USERS, xrefs: 006611BD

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: ffdcaa03eac86665b737b2f5b66af4d383938d07eef99cd61c5c2598f1c167e9
Instruction ID: 70be6b037f9b3707a506fe0e19f26d94beba619e7e7fd4740e5afd28ce936639
Opcode Fuzzy Hash: ffdcaa03eac86665b737b2f5b66af4d383938d07eef99cd61c5c2598f1c167e9
Instruction Fuzzy Hash: FF41723014424E8BDF14EF90EDA16EF3B2ABF66300F144458FD915B691D731AE5ACB60

Uniqueness

Uniqueness Score: -1.00%

Function 00645569 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 005E7D2C: _memmove.LIBCMT ref: 005E7D66

Part of subcall function 005E7A84: _memmove.LIBCMT ref: 005E7B0D

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 006455D2
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 006455E8
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 006455F9
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0064560B
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0064561C

Strings

status PlayMe mode, xrefs: 006455CD
play PlayMe wait, xrefs: 00645606
play PlayMe, xrefs: 00645617
close PlayMe, xrefs: 006455E3, 00645610
open , xrefs: 00645581
alias PlayMe, xrefs: 006455AB

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: 0ee45e122c9f090d1a3ed064da477519fa0a621dc863bef02bc4b17fce0bcd12
Instruction ID: a5d7e4a2d157fc964a0f587e61775b71f0f1d0dee3875c40172a889940175851
Opcode Fuzzy Hash: 0ee45e122c9f090d1a3ed064da477519fa0a621dc863bef02bc4b17fce0bcd12
Instruction Fuzzy Hash: D51160305501AE7ADB24A7A2DC5ADFF7EBEFFD5B00F410469B445E20D2EEA01D05C5A1

Uniqueness

Uniqueness Score: -1.00%

Function 006448F3 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 0064490E
gethostname.WSOCK32(?,00000100), ref: 00644928
gethostbyname.WSOCK32(?), ref: 00644935
_wcscpy.LIBCMT ref: 0064495D
_memmove.LIBCMT ref: 00644970
inet_ntoa.WSOCK32(?), ref: 0064497B
_strcat.LIBCMT ref: 00644989
_wcscpy.LIBCMT ref: 006449A0
WSACleanup.WSOCK32 ref: 006449AE
_wcscpy.LIBCMT ref: 006449BC

Strings

0.0.0.0, xrefs: 00644957

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: 62dd36c3e0b0bdf339222b489e9dca1977962d7cdd563ee5539032f3f02e94ee
Instruction ID: b1cbb4c5669d80a98e40c72d66d64394ae9efb6096a35b1cbd25c5ca2186f52d
Opcode Fuzzy Hash: 62dd36c3e0b0bdf339222b489e9dca1977962d7cdd563ee5539032f3f02e94ee
Instruction Fuzzy Hash: 0011363194811AAFCB64EB20EC0AFDB77BEDF01710F0001BAF44597191EFB09A81D6A1

Uniqueness

Uniqueness Score: -1.00%

Function 00645217 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0064521C

Part of subcall function 00600719: timeGetTime.WINMM(?,75A8B400,005F0FF9), ref: 0060071D

Sleep.KERNEL32(0000000A), ref: 00645248
EnumThreadWindows.USER32(?,Function_000651CA,00000000), ref: 0064526C
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0064528E
SetActiveWindow.USER32 ref: 006452AD
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 006452BB
SendMessageW.USER32(00000010,00000000,00000000), ref: 006452DA
Sleep.KERNEL32(000000FA), ref: 006452E5
IsWindow.USER32 ref: 006452F1
EndDialog.USER32(00000000), ref: 00645302

Strings

BUTTON, xrefs: 00645280

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: fc1557777bfc85f4dcbb2b7c4cf0254f0466d9240e3647c80eb9c04d5d373417
Instruction ID: ee825a843fb77f29665ab322ac6fcd383cd30e11c3521621c61ec760c038c4a5
Opcode Fuzzy Hash: fc1557777bfc85f4dcbb2b7c4cf0254f0466d9240e3647c80eb9c04d5d373417
Instruction Fuzzy Hash: 5C218470204704AFE7017F70FD89B667B6BEB56786F043429F102812B2DBE1AD408E71

Uniqueness

Uniqueness Score: -1.00%

Function 0064D7F8 Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 005E9997: __itow.LIBCMT ref: 005E99C2
Part of subcall function 005E9997: __swprintf.LIBCMT ref: 005E9A0C

CoInitialize.OLE32(00000000), ref: 0064D855
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0064D8E8
SHGetDesktopFolder.SHELL32(?), ref: 0064D8FC
CoCreateInstance.OLE32(00672D7C,00000000,00000001,0069A89C,?), ref: 0064D948
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 0064D9B7
CoTaskMemFree.OLE32(?,?), ref: 0064DA0F
_memset.LIBCMT ref: 0064DA4C
SHBrowseForFolderW.SHELL32(?), ref: 0064DA88
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0064DAAB
CoTaskMemFree.OLE32(00000000), ref: 0064DAB2
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 0064DAE9
CoUninitialize.OLE32(00000001,00000000), ref: 0064DAEB

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: 2c9ce5c9d34ad71d3c067eaf811735225ea3aa61fc31202e2c267f3ac29cf7ef
Instruction ID: 4704c0e1ddbf8bc6e48b747458007df3a1c740e1f297c9e8b2467972e298a855
Opcode Fuzzy Hash: 2c9ce5c9d34ad71d3c067eaf811735225ea3aa61fc31202e2c267f3ac29cf7ef
Instruction Fuzzy Hash: 75B1FE75A00119AFDB04DF65D888DAEBBFAFF88314B1484A9F509EB251DB30ED45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0064052C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 006405A7
SetKeyboardState.USER32(?), ref: 00640612
GetAsyncKeyState.USER32(000000A0), ref: 00640632
GetKeyState.USER32(000000A0), ref: 00640649
GetAsyncKeyState.USER32(000000A1), ref: 00640678
GetKeyState.USER32(000000A1), ref: 00640689
GetAsyncKeyState.USER32(00000011), ref: 006406B5
GetKeyState.USER32(00000011), ref: 006406C3
GetAsyncKeyState.USER32(00000012), ref: 006406EC
GetKeyState.USER32(00000012), ref: 006406FA
GetAsyncKeyState.USER32(0000005B), ref: 00640723
GetKeyState.USER32(0000005B), ref: 00640731

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: dc1be5b4f1173eecee486a212440d65fdb16657c1257690974bfd277d3e3603b
Instruction ID: b1405c2cd5d528abad0ff8afab130680fe751435e5dc69cedcba2c56ae97af40
Opcode Fuzzy Hash: dc1be5b4f1173eecee486a212440d65fdb16657c1257690974bfd277d3e3603b
Instruction Fuzzy Hash: DB511F20A0479419FB34EBB085547EABFB6DF52380F08459DD6C25B2C2D6749B8CCF55

Uniqueness

Uniqueness Score: -1.00%

Function 0063C72A Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 0063C746
GetWindowRect.USER32(00000000,?), ref: 0063C758
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0063C7B6
GetDlgItem.USER32(?,00000002), ref: 0063C7C1
GetWindowRect.USER32(00000000,?), ref: 0063C7D3
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0063C827
GetDlgItem.USER32(?,000003E9), ref: 0063C835
GetWindowRect.USER32(00000000,?), ref: 0063C846
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0063C889
GetDlgItem.USER32(?,000003EA), ref: 0063C897
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0063C8B4
InvalidateRect.USER32(?,00000000,00000001), ref: 0063C8C1

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 8134bafb133f67c7116accc37d12b036266be4845fce8e0a29b7d2c07fac7304
Instruction ID: 4b913d3d833e55a78c5dc555d0a6270baad4a5ed97b41a1f33ca8c689d68d98e
Opcode Fuzzy Hash: 8134bafb133f67c7116accc37d12b036266be4845fce8e0a29b7d2c07fac7304
Instruction Fuzzy Hash: 12512171B00205AFDB18CF69DD99AAEBBB6FB88711F14812DF515E72A0D7B09D40CB50

Uniqueness

Uniqueness Score: -1.00%

Function 005E201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 005E1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,005E2036,?,00000000,?,?,?,?,005E16CB,00000000,?), ref: 005E1B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 005E20D3
KillTimer.USER32(-00000001,?,?,?,?,005E16CB,00000000,?,?,005E1AE2,?,?), ref: 005E216E
DestroyAcceleratorTable.USER32(00000000), ref: 0061BEF6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,005E16CB,00000000,?,?,005E1AE2,?,?), ref: 0061BF27
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,005E16CB,00000000,?,?,005E1AE2,?,?), ref: 0061BF3E
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,005E16CB,00000000,?,?,005E1AE2,?,?), ref: 0061BF5A
DeleteObject.GDI32(00000000), ref: 0061BF6C

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: c68fb6580ca8d3969b442aee47d9cb83da41e9c6680ee5d4ee444d4fb75ef0fa
Instruction ID: bf9a82eba6d7d72fb376dbd6eb185297021a4ad5a0b1fd8665edf34be586afba
Opcode Fuzzy Hash: c68fb6580ca8d3969b442aee47d9cb83da41e9c6680ee5d4ee444d4fb75ef0fa
Instruction Fuzzy Hash: BF61BD31500650DFCB29AF16DD48B69BBF7FB41312F18A828E09286AA4C775AD81CF60

Uniqueness

Uniqueness Score: -1.00%

Function 005E21A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 005E25DB: GetWindowLongW.USER32(?,000000EB), ref: 005E25EC

GetSysColor.USER32(0000000F), ref: 005E21D3

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: fc33823e9bb903b2d4efbb43b80f84f718ab5e9a93283cad4543bfb06340c1ee
Instruction ID: 0e7c84662cb85a691e7411d6ae182b7ee014e5e3a566e4a917fa4a44f7ea4e9f
Opcode Fuzzy Hash: fc33823e9bb903b2d4efbb43b80f84f718ab5e9a93283cad4543bfb06340c1ee
Instruction Fuzzy Hash: 4641C935040180AFDB195F29EC48BB93B6AFB06331F185265FEA58A1E6C7718C41DB61

Uniqueness

Uniqueness Score: -1.00%

Function 0064AB12 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,0066F910), ref: 0064AB76
GetDriveTypeW.KERNEL32(00000061,0069A620,00000061), ref: 0064AC40
_wcscpy.LIBCMT ref: 0064AC6A

Strings

cdrom, xrefs: 0064AB92
unknown, xrefs: 0064AC01
fixed, xrefs: 0064ABBE
network, xrefs: 0064ABD4
removable, xrefs: 0064ABA8
ramdisk, xrefs: 0064ABEA
all, xrefs: 0064AB7C

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: 8a946c538fe5d48ad1d6698c5a5295cd2599423b64e579e49052e3170a5717a3
Instruction ID: 1d3eaea1ff0d6d73fc9636a043cf360b203364dc512eab05bddfabfc964656cb
Opcode Fuzzy Hash: 8a946c538fe5d48ad1d6698c5a5295cd2599423b64e579e49052e3170a5717a3
Instruction Fuzzy Hash: 7851B230188342ABC714EF54C895AABBBABFF94300F54482DF496972E2DB319D09CB53

Uniqueness

Uniqueness Score: -1.00%

Function 0066C27C Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 005E2612: GetWindowLongW.USER32(?,000000EB), ref: 005E2623

Part of subcall function 005E2344: GetCursorPos.USER32(?), ref: 005E2357
Part of subcall function 005E2344: ScreenToClient.USER32(006A67B0,?), ref: 005E2374
Part of subcall function 005E2344: GetAsyncKeyState.USER32(00000001), ref: 005E2399
Part of subcall function 005E2344: GetAsyncKeyState.USER32(00000002), ref: 005E23A7

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 0066C2E4
ImageList_EndDrag.COMCTL32 ref: 0066C2EA
ReleaseCapture.USER32 ref: 0066C2F0
SetWindowTextW.USER32(?,00000000), ref: 0066C39A
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 0066C3AD
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 0066C48F

Strings

prj, xrefs: 0066C3FD
@GUI_DROPID, xrefs: 0066C3E1
prj, xrefs: 0066C438
@GUI_DRAGFILE, xrefs: 0066C424

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$prj$prj
API String ID: 1924731296-2963624789
Opcode ID: 1c62a37feecf61d283e5c97f9163465084c4310b9247df1ffb273c6658fbe7e3
Instruction ID: 10eb032de977124dc7de3d435f00f38335dc85ae3b8742d705225dfdf981c885
Opcode Fuzzy Hash: 1c62a37feecf61d283e5c97f9163465084c4310b9247df1ffb273c6658fbe7e3
Instruction Fuzzy Hash: 3E518D70204305AFD704EF24DC59FAA7BEAFB88310F04452DF5A59B2E1DB70A944CB62

Uniqueness

Uniqueness Score: -1.00%

Function 005E9997 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 005E99C2
__swprintf.LIBCMT ref: 005E9A0C
__i64tow.LIBCMT ref: 0061FA0F

Strings

0x%p, xrefs: 0061F9F1
False, xrefs: 0061F9D7
True, xrefs: 0061F9D0
%.15g, xrefs: 005E9A06

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: a493ce2fbd50aa2c8dc025c3d30a38ac00aacf138a12de963518c0b83d8bad9d
Instruction ID: a0ad5c62664f893d06ff334bc24ad2a0ba20fa1ec34c49099e2e8d6ddcb85468
Opcode Fuzzy Hash: a493ce2fbd50aa2c8dc025c3d30a38ac00aacf138a12de963518c0b83d8bad9d
Instruction Fuzzy Hash: 9A411771544205AFDB28EF39D842FBB77EAFF44300F24486EE589D7282EA719941CB51

Uniqueness

Uniqueness Score: -1.00%

Function 006673C1 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006673D9
CreateMenu.USER32 ref: 006673F4
SetMenu.USER32(?,00000000), ref: 00667403
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00667490
IsMenu.USER32(?), ref: 006674A6
CreatePopupMenu.USER32 ref: 006674B0
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 006674DD
DrawMenuBar.USER32 ref: 006674E5

Strings

F, xrefs: 006674D1
0, xrefs: 006673CF

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: 4a5b728300f91aacc042e9e91734395a227821e302bf8eae556ea7ec07f6011c
Instruction ID: 8f3284d45de6045ffc9f18d36c1ccf97930b10e157ea32f6ec1dbd7d7a30515d
Opcode Fuzzy Hash: 4a5b728300f91aacc042e9e91734395a227821e302bf8eae556ea7ec07f6011c
Instruction Fuzzy Hash: E2411575A01205EFDB10DF64E888A9ABBFAFB89314F144029F95697360DB75AD10CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0066772A Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 006677CD
CreateCompatibleDC.GDI32(00000000), ref: 006677D4
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 006677E7
SelectObject.GDI32(00000000,00000000), ref: 006677EF
GetPixel.GDI32(00000000,00000000,00000000), ref: 006677FA
DeleteDC.GDI32(00000000), ref: 00667803
GetWindowLongW.USER32(?,000000EC), ref: 0066780D
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00667821
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 0066782D

Strings

static, xrefs: 00667765

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: c9b7e872ac0ff9f5f31f3ef904c9925d9ddc21f54639b8fe14a69e0a255f30c9
Instruction ID: e3fefc44c9cf16494951a39590ddb19555dc7651aabe834cbc3d1e4008c02255
Opcode Fuzzy Hash: c9b7e872ac0ff9f5f31f3ef904c9925d9ddc21f54639b8fe14a69e0a255f30c9
Instruction Fuzzy Hash: CE316B32105215BBDF119FA4EC09FDA3F6AFF09365F111228FA15A61A0CB71DC61DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00607040 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0060707B

Part of subcall function 00608D68: __getptd_noexit.LIBCMT ref: 00608D68

__gmtime64_s.LIBCMT ref: 00607114
__gmtime64_s.LIBCMT ref: 0060714A
__gmtime64_s.LIBCMT ref: 00607167
__allrem.LIBCMT ref: 006071BD
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006071D9
__allrem.LIBCMT ref: 006071F0
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0060720E
__allrem.LIBCMT ref: 00607225
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00607243
__invoke_watson.LIBCMT ref: 006072B4

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
Instruction ID: bdbd633b79a79cf46cd8538a06956eb3a7bbf1b9a51f6f439b9e34259c5e7421
Opcode Fuzzy Hash: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
Instruction Fuzzy Hash: A871A2B1E84716ABE7189E79CC41B9BB3AAAF50324F14422EF515E73C1E770FA408794

Uniqueness

Uniqueness Score: -1.00%

Function 00642A16 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00642A31
GetMenuItemInfoW.USER32(006A6890,000000FF,00000000,00000030), ref: 00642A92
SetMenuItemInfoW.USER32(006A6890,00000004,00000000,00000030), ref: 00642AC8
Sleep.KERNEL32(000001F4), ref: 00642ADA
GetMenuItemCount.USER32(?), ref: 00642B1E
GetMenuItemID.USER32(?,00000000), ref: 00642B3A
GetMenuItemID.USER32(?,-00000001), ref: 00642B64
GetMenuItemID.USER32(?,?), ref: 00642BA9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00642BEF
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00642C03
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00642C24

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 3cf178a9f43ca9b1a3a5d954694b69b7a66bf8246775583a48b7bea27a0e898e
Instruction ID: b9894889d07bcca9385b89c64c241fdba903a99b7c841678fb07e78a80b06492
Opcode Fuzzy Hash: 3cf178a9f43ca9b1a3a5d954694b69b7a66bf8246775583a48b7bea27a0e898e
Instruction Fuzzy Hash: C561C2B090024AAFDB11CF64DCA8EFEBBBAFB51308FA40559F84293251D771AD45DB21

Uniqueness

Uniqueness Score: -1.00%

Function 00667192 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00667214
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00667217
GetWindowLongW.USER32(?,000000F0), ref: 0066723B
_memset.LIBCMT ref: 0066724C
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0066725E
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 006672D6

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 916d99be02fbdd8acbde8e028669cc5222fe6238bab202b4127e63985da3ed69
Instruction ID: 96cdc456151b1e4df700d5498d005903f9c9d1da39f410f3aad14aae4f27e08b
Opcode Fuzzy Hash: 916d99be02fbdd8acbde8e028669cc5222fe6238bab202b4127e63985da3ed69
Instruction Fuzzy Hash: D1617A71900208AFDB10DFA4CC81EEE77BAAB09704F140199FA15A73A1D774AE41DF60

Uniqueness

Uniqueness Score: -1.00%

Function 0063710E Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00637135
SafeArrayAllocData.OLEAUT32(?), ref: 0063718E
VariantInit.OLEAUT32(?), ref: 006371A0
SafeArrayAccessData.OLEAUT32(?,?), ref: 006371C0
VariantCopy.OLEAUT32(?,?), ref: 00637213
SafeArrayUnaccessData.OLEAUT32(?), ref: 00637227
VariantClear.OLEAUT32(?), ref: 0063723C
SafeArrayDestroyData.OLEAUT32(?), ref: 00637249
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00637252
VariantClear.OLEAUT32(?), ref: 00637264
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0063726F

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 423b945a11d2d7b918f0a03bef0880af0589be3ac958266b5678cc2b0f102008
Instruction ID: 5ace8763c9dd38d1331f540ef279f96d15f68283822fc31f8c13117a1d988a73
Opcode Fuzzy Hash: 423b945a11d2d7b918f0a03bef0880af0589be3ac958266b5678cc2b0f102008
Instruction Fuzzy Hash: 9C415F75A04219AFCF14DF64D8489EEBBFAFF48354F008069F955E7262CB70AA45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 006586D0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 005E9997: __itow.LIBCMT ref: 005E99C2
Part of subcall function 005E9997: __swprintf.LIBCMT ref: 005E9A0C

CoInitialize.OLE32 ref: 00658718
CoUninitialize.OLE32 ref: 00658723
CoCreateInstance.OLE32(?,00000000,00000017,00672BEC,?), ref: 00658783
IIDFromString.OLE32(?,?), ref: 006587F6
VariantInit.OLEAUT32(?), ref: 00658890
VariantClear.OLEAUT32(?), ref: 006588F1

Strings

Failed to create object, xrefs: 0065878E, 00658844
NULL Pointer assignment, xrefs: 006587C8
Invalid parameter, xrefs: 0065880F

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: 7d760aa11fef5640fb3b9cc72d1ca0a67f44e1396791dfb8d8a33e02c4a52bca
Instruction ID: 51ba1a714c7ef2085c55a2ea5d613a2850af5ef7b976bdd0377c2650a82f8767
Opcode Fuzzy Hash: 7d760aa11fef5640fb3b9cc72d1ca0a67f44e1396791dfb8d8a33e02c4a52bca
Instruction Fuzzy Hash: DC61C270608301AFD710DF64C849B6EBBEAEF88715F14481DF985AB691CB70ED49CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00655A45 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00655AA6
inet_addr.WSOCK32(?,?,?), ref: 00655AEB
gethostbyname.WSOCK32(?), ref: 00655AF7
IcmpCreateFile.IPHLPAPI ref: 00655B05
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00655B75
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00655B8B
IcmpCloseHandle.IPHLPAPI(00000000), ref: 00655C00
WSACleanup.WSOCK32 ref: 00655C06

Strings

Ping, xrefs: 00655B29

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 8e5fd77236e3e8fc27b3bcdbaf576d72bb527a50b1272e13e6095b557b012660
Instruction ID: 4f8b97e8820db08c097abfc28204f045708cd9503891bbb1586ea6373b8841b7
Opcode Fuzzy Hash: 8e5fd77236e3e8fc27b3bcdbaf576d72bb527a50b1272e13e6095b557b012660
Instruction Fuzzy Hash: 6951BF312047019FDB10AF25DC6DB6ABBE6EF48310F14892AF996DB2A1DB70E804CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0064B72E Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0064B73B
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0064B7B1
GetLastError.KERNEL32 ref: 0064B7BB
SetErrorMode.KERNEL32(00000000,READY), ref: 0064B828

Strings

READONLY, xrefs: 0064B7F3
NOTREADY, xrefs: 0064B7E7
UNKNOWN, xrefs: 0064B7E0
READY, xrefs: 0064B801
INVALID, xrefs: 0064B7FA

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: b8182c425136ef280803843cdb445f7a453f06b58e42f65c08fb7aaecf11c1d3
Instruction ID: 7c34996f55400408ba39e5589188e8032d50e18d1d6faac3922a1e1271822a79
Opcode Fuzzy Hash: b8182c425136ef280803843cdb445f7a453f06b58e42f65c08fb7aaecf11c1d3
Instruction Fuzzy Hash: 96319035A002099FDB04EFA4D889AFEBBBAFF85740F149029E402D7291DB71D942CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00639471 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 005E7F41: _memmove.LIBCMT ref: 005E7F82

Part of subcall function 0063B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0063B0E7

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 006394F6
GetDlgCtrlID.USER32 ref: 00639501
GetParent.USER32 ref: 0063951D
SendMessageW.USER32(00000000,?,00000111,?), ref: 00639520
GetDlgCtrlID.USER32(?), ref: 00639529
GetParent.USER32(?), ref: 00639545
SendMessageW.USER32(00000000,?,?,00000111), ref: 00639548

Strings

ComboBox, xrefs: 0063947E
ListBox, xrefs: 006394B3

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 6fa17dae99bc05229464c45c558a9df8e850e9037b4703d00c595fd0b1294373
Instruction ID: 24399db791323ffa4d107b93061ee1694818e1dd5a5b4aaa7d01873826a3ce2a
Opcode Fuzzy Hash: 6fa17dae99bc05229464c45c558a9df8e850e9037b4703d00c595fd0b1294373
Instruction Fuzzy Hash: DF21B270900104BBCF05AB65CC85DFEBB7AFF89310F104129F562972A2DBB55919DA70

Uniqueness

Uniqueness Score: -1.00%

Function 0063955C Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 005E7F41: _memmove.LIBCMT ref: 005E7F82

Part of subcall function 0063B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0063B0E7

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 006395DF
GetDlgCtrlID.USER32 ref: 006395EA
GetParent.USER32 ref: 00639606
SendMessageW.USER32(00000000,?,00000111,?), ref: 00639609
GetDlgCtrlID.USER32(?), ref: 00639612
GetParent.USER32(?), ref: 0063962E
SendMessageW.USER32(00000000,?,?,00000111), ref: 00639631

Strings

ComboBox, xrefs: 00639569
ListBox, xrefs: 0063959E

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: cbf24c502107a87f3e5628674fd3b5644a1c2a6a43f4ba957b3cd32c44b117e1
Instruction ID: 103d0cec1a9e7a2a5dab0f4bbd15ecb09c69acc4d066133ce8f1b456f862c5c4
Opcode Fuzzy Hash: cbf24c502107a87f3e5628674fd3b5644a1c2a6a43f4ba957b3cd32c44b117e1
Instruction Fuzzy Hash: CC21B374900208BBDF05AB65CCC5EFEBB7AFF49300F104019F961972A1DBB59919DA70

Uniqueness

Uniqueness Score: -1.00%

Function 00639645 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00639651
GetClassNameW.USER32(00000000,?,00000100), ref: 00639666
_wcscmp.LIBCMT ref: 00639678
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 006396F3

Strings

smallicons, xrefs: 006396BB
list, xrefs: 006396D5
largeicons, xrefs: 00639687
SHELLDLL_DefView, xrefs: 00639672
details, xrefs: 006396A1

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: 622dcc9f48726fbfd9b1b3259437f95636201f3cc4db6c2fb44a411ee568640a
Instruction ID: 5a47f194013d4491e7ada9d822bc34e496aceb93492b3a9282a1d67e284ae748
Opcode Fuzzy Hash: 622dcc9f48726fbfd9b1b3259437f95636201f3cc4db6c2fb44a411ee568640a
Instruction Fuzzy Hash: 7F110A76289317BAFB052625EC07DE7779F8B06361F21002AF900A55D1FED259114DF8

Uniqueness

Uniqueness Score: -1.00%

Function 00644189 Relevance: 15.1, APIs: 10, Instructions: 108windowCOMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 0064419D
__swprintf.LIBCMT ref: 006441AA

Part of subcall function 006038D8: __woutput_l.LIBCMT ref: 00603931

FindResourceW.KERNEL32(?,?,0000000E), ref: 006441D4
LoadResource.KERNEL32(?,00000000), ref: 006441E0
LockResource.KERNEL32(00000000), ref: 006441ED
FindResourceW.KERNEL32(?,?,00000003), ref: 0064420D
LoadResource.KERNEL32(?,00000000), ref: 0064421F
SizeofResource.KERNEL32(?,00000000), ref: 0064422E
LockResource.KERNEL32(?), ref: 0064423A
CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 0064429B

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
String ID:
API String ID: 1433390588-0
Opcode ID: d21e6e4770ebe548371ef0150a66f982373df310e0378cd59465ad64a55981d9
Instruction ID: e6731ef4ab831213cde84bbfb93251c0b1194b01741df1395350e5cbbcff1cb0
Opcode Fuzzy Hash: d21e6e4770ebe548371ef0150a66f982373df310e0378cd59465ad64a55981d9
Instruction Fuzzy Hash: 23317072A0521AAFDB119FA0EC55EBF7BAEFF09301F004525F915D2250DBB0DE518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 006416DE Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00641700
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00640778,?,00000001), ref: 00641714
GetWindowThreadProcessId.USER32(00000000), ref: 0064171B
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00640778,?,00000001), ref: 0064172A
GetWindowThreadProcessId.USER32(?,00000000), ref: 0064173C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00640778,?,00000001), ref: 00641755
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00640778,?,00000001), ref: 00641767
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00640778,?,00000001), ref: 006417AC
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00640778,?,00000001), ref: 006417C1
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00640778,?,00000001), ref: 006417CC

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: d55fee359ccaf66de41a4338586a5c7b41ecd3d99ee3e523f71713b55ad7cd6e
Instruction ID: e3d7139ced60d5852c354b38fbaedae02305e1b040fa9be75be125898c646922
Opcode Fuzzy Hash: d55fee359ccaf66de41a4338586a5c7b41ecd3d99ee3e523f71713b55ad7cd6e
Instruction Fuzzy Hash: 63318F75604204BFEB11AF15ED84BA97BABEB57711F105025F904CA3A0E7B4AE818F61

Uniqueness

Uniqueness Score: -1.00%

Function 00659428 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0065947C
VariantInit.OLEAUT32(?), ref: 0065954D
VariantInit.OLEAUT32(?), ref: 0065964E
VariantClear.OLEAUT32(?), ref: 00659658
VariantClear.OLEAUT32(?), ref: 006596B5

Strings

Incorrect Object type in FOR..IN loop, xrefs: 00659631
,,g, xrefs: 006594FA
Null Object assignment in FOR..IN loop, xrefs: 006594DD, 0065960B, 006596C3

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: ,,g$Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-4066664511
Opcode ID: 626a88eb787c44085c3e3fd388e5bbc00856a43087d5e72f9dd8fab461fb793b
Instruction ID: 0968003aca0bdc933600978f4c25ba768d56612530348bb6ada7b4c4d49a1694
Opcode Fuzzy Hash: 626a88eb787c44085c3e3fd388e5bbc00856a43087d5e72f9dd8fab461fb793b
Instruction Fuzzy Hash: DE918D71A00215EBDF24DFA5C848FAEBBBAEF45711F108159F915AB280D7709949CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0063A693 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,0063AA64), ref: 0063A9A2

Strings

TEXT, xrefs: 0063A8D9
CLASSNN, xrefs: 0063A744
CLASS, xrefs: 0063A721
INSTANCE, xrefs: 0063A8B0
REGEXPCLASS, xrefs: 0063A767
NAME, xrefs: 0063A7D4

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: 8b9374c5b965cad23668c073d3deb21de4d6d4842808d8c46e2d0e0e78fc8013
Instruction ID: ef7341a0ef8fcfeb1c06f65b0112b13656645150997cb5931e2f076f12afa815
Opcode Fuzzy Hash: 8b9374c5b965cad23668c073d3deb21de4d6d4842808d8c46e2d0e0e78fc8013
Instruction Fuzzy Hash: 569185309006469BDB5CDFA0C481BEAFB7ABF14304F10811DD4DAA7691DF30695ADBE1

Uniqueness

Uniqueness Score: -1.00%

Function 005E2E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 005E2EAE

Part of subcall function 005E1DB3: GetClientRect.USER32(?,?), ref: 005E1DDC
Part of subcall function 005E1DB3: GetWindowRect.USER32(?,?), ref: 005E1E1D
Part of subcall function 005E1DB3: ScreenToClient.USER32(?,?), ref: 005E1E45

GetDC.USER32 ref: 0061CF82
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0061CF95
SelectObject.GDI32(00000000,00000000), ref: 0061CFA3
SelectObject.GDI32(00000000,00000000), ref: 0061CFB8
ReleaseDC.USER32(?,00000000), ref: 0061CFC0
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0061D04B

Strings

U, xrefs: 0061CF20

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: df1a7e1dde8a01b0d0b1aa3e94ed01affd64182c055528646edecfdcb0bb7efe
Instruction ID: 2f596fa4b05a64136ea5e16e44a9b9c104eb6302de5768bd0e7ba96f62038cf8
Opcode Fuzzy Hash: df1a7e1dde8a01b0d0b1aa3e94ed01affd64182c055528646edecfdcb0bb7efe
Instruction Fuzzy Hash: 0571B471400245DFCF259F64C884AFA7BBBFF49361F184269ED95962AAC7318C82DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00658F5B Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,0066F910), ref: 0065903D
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0066F910), ref: 00659071
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 006591EB
SysFreeString.OLEAUT32(?), ref: 00659215

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: 21f797ed9bc122ed906adffadcfa95f6ad557a035f065e5e6c344cf477833383
Instruction ID: b8160691a134824409f6024742b926436a41746caf653c6b3b02f4c3f4b4480e
Opcode Fuzzy Hash: 21f797ed9bc122ed906adffadcfa95f6ad557a035f065e5e6c344cf477833383
Instruction Fuzzy Hash: D3F12B71900119EFDB14DF94C888EEEB7BABF49315F108459F916AB251CB31AE4ACB60

Uniqueness

Uniqueness Score: -1.00%

Function 0065F9A8 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0065F9C9
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0065FB5C
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0065FB80
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0065FBC0
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0065FBE2
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0065FD5E
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 0065FD90
CloseHandle.KERNEL32(?), ref: 0065FDBF
CloseHandle.KERNEL32(?), ref: 0065FE36

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: 376bbe79e214430155b37b5bb5b99f6242b90fa91a32791dac3324e7b93b5b1f
Instruction ID: 6d3fdbdc7374d4ce038cf2a94cac9d7fa24324d2701c73ecc6575319010d4ba0
Opcode Fuzzy Hash: 376bbe79e214430155b37b5bb5b99f6242b90fa91a32791dac3324e7b93b5b1f
Instruction Fuzzy Hash: 80E1A031204242DFC714EF24C895A6BBBE6BF85314F14896DF8999B3A2DB31DC45CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00644F63 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 006448AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,006438D3,?), ref: 006448C7

Part of subcall function 006448AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,006438D3,?), ref: 006448E0

Part of subcall function 00644CD3: GetFileAttributesW.KERNEL32(?,00643947), ref: 00644CD4

lstrcmpiW.KERNEL32(?,?), ref: 00644FE2
_wcscmp.LIBCMT ref: 00644FFC
MoveFileW.KERNEL32(?,?), ref: 00645017

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: 1bc3047c7020113ea5de4a736d4ef6afbff5debb760f4901def519eb0baf3321
Instruction ID: 25c5fd3fd60f64e6a87631f070122ee473a36325fb5fb85a6919742463ae5ac6
Opcode Fuzzy Hash: 1bc3047c7020113ea5de4a736d4ef6afbff5debb760f4901def519eb0baf3321
Instruction Fuzzy Hash: 015186B20087859BC764DB60DC859DFB7EDAF84341F10092EF189D3192EF74A68C876A

Uniqueness

Uniqueness Score: -1.00%

Function 006688B4 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0066896E

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 70cd9c096e4330962d1a705050e3ad1ada80b2a06658420bb5993d1d5aaaae50
Instruction ID: 41c4a206d9abcdb9f5df95a3df1bae2136a63fd41802ce1fb00490e1a5f4ef1f
Opcode Fuzzy Hash: 70cd9c096e4330962d1a705050e3ad1ada80b2a06658420bb5993d1d5aaaae50
Instruction Fuzzy Hash: 0151B330600208BFDF249F78DC89BA97B67FB05310F644316FA11E72A1DFB1A9808B91

Uniqueness

Uniqueness Score: -1.00%

Function 005E2B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0061C547
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0061C569
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0061C581
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0061C59F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0061C5C0
DestroyIcon.USER32(00000000), ref: 0061C5CF
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0061C5EC
DestroyIcon.USER32(?), ref: 0061C5FB

Part of subcall function 0066A71E: DeleteObject.GDI32(00000000), ref: 0066A757

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: b367cb25dd7137d67a34d77a3eb555f3e81f1649e4035349b3d63fefb4933297
Instruction ID: 7a59f3d67854d63594b188bc8fd35e33104e98571f964082bfff7f26443e5e57
Opcode Fuzzy Hash: b367cb25dd7137d67a34d77a3eb555f3e81f1649e4035349b3d63fefb4933297
Instruction Fuzzy Hash: 18517B70640249AFDB24DF25DC45FAA3BBAFB54320F144528F956D72A0DBB0ED90DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00639B50 Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0063AE57: GetWindowThreadProcessId.USER32(?,00000000), ref: 0063AE77
Part of subcall function 0063AE57: GetCurrentThreadId.KERNEL32 ref: 0063AE7E
Part of subcall function 0063AE57: AttachThreadInput.USER32(00000000,?,00639B65,?,00000001), ref: 0063AE85

MapVirtualKeyW.USER32(00000025,00000000), ref: 00639B70
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00639B8D
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 00639B90
MapVirtualKeyW.USER32(00000025,00000000), ref: 00639B99
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00639BB7
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00639BBA
MapVirtualKeyW.USER32(00000025,00000000), ref: 00639BC3
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00639BDA
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00639BDD

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 30c43eeb218cbb4bfda942231b3004af72fdb2fe31d65c25a40e739d0ee74160
Instruction ID: 307cf63b2960864f4c9d6f6a11c9779688f3dcda70665eecf31938e969e5e6fe
Opcode Fuzzy Hash: 30c43eeb218cbb4bfda942231b3004af72fdb2fe31d65c25a40e739d0ee74160
Instruction Fuzzy Hash: A011E171550218BEF7106F60EC89F6A7B2EEB4D791F101429F254AB0A0C9F26C10EAB4

Uniqueness

Uniqueness Score: -1.00%

Function 00638E03 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00638A84,00000B00,?,?), ref: 00638E0C
HeapAlloc.KERNEL32(00000000,?,00638A84,00000B00,?,?), ref: 00638E13
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00638A84,00000B00,?,?), ref: 00638E28
GetCurrentProcess.KERNEL32(?,00000000,?,00638A84,00000B00,?,?), ref: 00638E30
DuplicateHandle.KERNEL32(00000000,?,00638A84,00000B00,?,?), ref: 00638E33
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00638A84,00000B00,?,?), ref: 00638E43
GetCurrentProcess.KERNEL32(00638A84,00000000,?,00638A84,00000B00,?,?), ref: 00638E4B
DuplicateHandle.KERNEL32(00000000,?,00638A84,00000B00,?,?), ref: 00638E4E
CreateThread.KERNEL32(00000000,00000000,00638E74,00000000,00000000,00000000), ref: 00638E68

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 29fc83e3fac5d3b9e2ce2f89be52b9de4b89a753d6535ac2c73677760d3679b6
Instruction ID: 99e77cd4e85a887e4de81ab1f6e37ca373cb2b6ca0e804e43d9a0962a165b821
Opcode Fuzzy Hash: 29fc83e3fac5d3b9e2ce2f89be52b9de4b89a753d6535ac2c73677760d3679b6
Instruction Fuzzy Hash: 3601BBB5240308FFE710ABA5EC4DF6B7BADEB89751F015421FA05DB1A1CAB1A800CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00659A72 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 00637652: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0063758C,80070057,?,?,?,0063799D), ref: 0063766F
Part of subcall function 00637652: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0063758C,80070057,?,?), ref: 0063768A
Part of subcall function 00637652: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0063758C,80070057,?,?), ref: 00637698
Part of subcall function 00637652: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0063758C,80070057,?), ref: 006376A8

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00659B1B
_memset.LIBCMT ref: 00659B28
_memset.LIBCMT ref: 00659C6B
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00659C97
CoTaskMemFree.OLE32(?), ref: 00659CA2

Strings

NULL Pointer assignment, xrefs: 00659CF0

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: 4a7936397fdbd8f96be5147722894a5f28c4328492ecec0e23f4865591855724
Instruction ID: 0cb4a7b3061fd30d250c74d07622caeb0d252235edd5d0e47779e83d6b068a88
Opcode Fuzzy Hash: 4a7936397fdbd8f96be5147722894a5f28c4328492ecec0e23f4865591855724
Instruction Fuzzy Hash: 75913871D00219EBDB14DFA5DC85ADEBBBAFF48310F204169F819A7281DB715A45CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00666FEF Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00667093
SendMessageW.USER32(?,00001036,00000000,?), ref: 006670A7
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 006670C1
_wcscat.LIBCMT ref: 0066711C
SendMessageW.USER32(?,00001057,00000000,?), ref: 00667133
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00667161

Strings

SysListView32, xrefs: 00667065

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: 48144a9173142402a6310d48044e2cda6cdd6e8d625202e914cd4c24dc96839e
Instruction ID: 963ca4ab3b71428cdb20afbf69d4174d6c2e881fd724f6af7af8bb40ce40e00a
Opcode Fuzzy Hash: 48144a9173142402a6310d48044e2cda6cdd6e8d625202e914cd4c24dc96839e
Instruction Fuzzy Hash: 3B41C370904308AFDB21DFA4DC85BEEB7EAEF08354F10052AF554E7292D6719D848B60

Uniqueness

Uniqueness Score: -1.00%

Function 0065EC47 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00643E91: CreateToolhelp32Snapshot.KERNEL32 ref: 00643EB6
Part of subcall function 00643E91: Process32FirstW.KERNEL32(00000000,?), ref: 00643EC4
Part of subcall function 00643E91: CloseHandle.KERNEL32(00000000), ref: 00643F8E

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0065ECB8
GetLastError.KERNEL32 ref: 0065ECCB
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0065ECFA
TerminateProcess.KERNEL32(00000000,00000000), ref: 0065ED77
GetLastError.KERNEL32(00000000), ref: 0065ED82
CloseHandle.KERNEL32(00000000), ref: 0065EDB7

Strings

SeDebugPrivilege, xrefs: 0065ECD6

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: a4d0c113f9fe12a6cb413b1852327415e414ada90dd3ebb970b18397d33f0aee
Instruction ID: 9f994dcd91d586201ba69de92594fbfa9b1b146c7268cf15b68df0cc25dd58c9
Opcode Fuzzy Hash: a4d0c113f9fe12a6cb413b1852327415e414ada90dd3ebb970b18397d33f0aee
Instruction Fuzzy Hash: 254191716002019FDB18EF14CC95F6DBBA6BF80714F08845DF9429B3D2DBB6A948CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00643226 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 006432C5

Strings

info, xrefs: 00643266
blank, xrefs: 00643247
warning, xrefs: 006432AE
stop, xrefs: 00643296
question, xrefs: 0064327E

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: b81995f0b2d779914770326bfe3d97770b724e020e639dc2657c1b7b6abb8232
Instruction ID: 77f2827c37175751caf55f5931eff1d7acd77123c78aac0bcf36a1afb0fbc6d4
Opcode Fuzzy Hash: b81995f0b2d779914770326bfe3d97770b724e020e639dc2657c1b7b6abb8232
Instruction Fuzzy Hash: CC11E731248366BAEB055B54EC43CABB7DEDF19370F20006AF900A63C1E7E69B4145E5

Uniqueness

Uniqueness Score: -1.00%

Function 00644534 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0064454E
LoadStringW.USER32(00000000), ref: 00644555
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0064456B
LoadStringW.USER32(00000000), ref: 00644572
_wprintf.LIBCMT ref: 00644598
MessageBoxW.USER32(00000000,?,?,00011010), ref: 006445B6

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00644593

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: be0968ef5c629a59371ab808c5cd13a9b2e39e9d58c3627db52d076529d63c7d
Instruction ID: fe797f5ef0d66730ca7d80708dd6617823df78d9e92b796991527bb3848ae9d6
Opcode Fuzzy Hash: be0968ef5c629a59371ab808c5cd13a9b2e39e9d58c3627db52d076529d63c7d
Instruction Fuzzy Hash: 6B0162F2904208BFE750EBA4ED89EF7776DEB08301F0005A5FB45E2151EAB49E858B74

Uniqueness

Uniqueness Score: -1.00%

Function 0066D74C Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 005E2612: GetWindowLongW.USER32(?,000000EB), ref: 005E2623

GetSystemMetrics.USER32(0000000F), ref: 0066D78A
GetSystemMetrics.USER32(0000000F), ref: 0066D7AA
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0066D9E5
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0066DA03
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0066DA24
ShowWindow.USER32(00000003,00000000), ref: 0066DA43
InvalidateRect.USER32(?,00000000,00000001), ref: 0066DA68
DefDlgProcW.USER32(?,00000005,?,?), ref: 0066DA8B

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: bf18c14707bcbd82ef2e5a4f0871ed78da665ffb9fe59ff80eb7144cf6ad157e
Instruction ID: f87638275d36113a0511db743f846478a986d019ebb3ed0b63a271a664067fb4
Opcode Fuzzy Hash: bf18c14707bcbd82ef2e5a4f0871ed78da665ffb9fe59ff80eb7144cf6ad157e
Instruction Fuzzy Hash: 95B17971A04225EBDF14CF69C9857FD7BB2FF44701F088169EC489B295DB34A950CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 005E2A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0061C417,00000004,00000000,00000000,00000000), ref: 005E2ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,0061C417,00000004,00000000,00000000,00000000,000000FF), ref: 005E2B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,0061C417,00000004,00000000,00000000,00000000), ref: 0061C46A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0061C417,00000004,00000000,00000000,00000000), ref: 0061C4D6

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 8c5ff4871a9b7b6093f71a5d6d5cc2f3a0e58ff0942ced1a7363f381b686f05e
Instruction ID: 1ab58ef4b8d32af07dbea011e6ff24e63fb8d4ced5bff9e65232edd40fd7f2db
Opcode Fuzzy Hash: 8c5ff4871a9b7b6093f71a5d6d5cc2f3a0e58ff0942ced1a7363f381b686f05e
Instruction Fuzzy Hash: 1A41E9312086C09AC73D9B2ADC987BE7F9BBB85310F1C883DE0D786565C6B5A8C1D711

Uniqueness

Uniqueness Score: -1.00%

Function 00647368 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0064737F

Part of subcall function 00600FF6: std::exception::exception.LIBCMT ref: 0060102C
Part of subcall function 00600FF6: __CxxThrowException@8.LIBCMT ref: 00601041

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 006473B6
EnterCriticalSection.KERNEL32(?), ref: 006473D2
_memmove.LIBCMT ref: 00647420
_memmove.LIBCMT ref: 0064743D
LeaveCriticalSection.KERNEL32(?), ref: 0064744C
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00647461
InterlockedExchange.KERNEL32(?,000001F6), ref: 00647480

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: 89b6806805e596c8e3a4f0b95c83fccac85c5791e16ac9e26fc7aa60b01ba1bc
Instruction ID: 6f5f54d317dd33c567b7d64083ee1ce3dbe8a5a501f91cf31f4717190e57790a
Opcode Fuzzy Hash: 89b6806805e596c8e3a4f0b95c83fccac85c5791e16ac9e26fc7aa60b01ba1bc
Instruction Fuzzy Hash: 5F31CF31904205EBDF10DFA4DC85AAFBBBAFF45310F1440A9F904EB286DB709A14CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00666442 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 0066645A
GetDC.USER32(00000000), ref: 00666462
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0066646D
ReleaseDC.USER32(00000000,00000000), ref: 00666479
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 006664B5
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 006664C6
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00669299,?,?,000000FF,00000000,?,000000FF,?), ref: 00666500
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00666520

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 58404c33c1f4d7a662bb2f15b86a5887371ccb2ea9b545921a4535f9bb10d758
Instruction ID: 27ea2ba059a7b585ebee1137f8a733b8e6baf144fa75b642089aa899dc3aa0cd
Opcode Fuzzy Hash: 58404c33c1f4d7a662bb2f15b86a5887371ccb2ea9b545921a4535f9bb10d758
Instruction Fuzzy Hash: AF316F72101214BFEB118F50EC4AFEA3FAAEF09765F045065FE09DA2A1D6B59841CBB4

Uniqueness

Uniqueness Score: -1.00%

Function 0063C072 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 0063C087
_memcmp.LIBCMT ref: 0063C0A9
_memcmp.LIBCMT ref: 0063C0C1
_memcmp.LIBCMT ref: 0063C0D4
_memcmp.LIBCMT ref: 0063C0EE
_memcmp.LIBCMT ref: 0063C101
_memcmp.LIBCMT ref: 0063C119
_memcmp.LIBCMT ref: 0063C134

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: f7c46e0f1a2e1a312ac932c1badd6eb018476282c322eb99eb1b9b9aa728f209
Instruction ID: 9f9258d27b1caf012181f01a27e8eff2ffa9e5e00eaa26212450f730b33030c7
Opcode Fuzzy Hash: f7c46e0f1a2e1a312ac932c1badd6eb018476282c322eb99eb1b9b9aa728f209
Instruction Fuzzy Hash: 28219561640206B7D668A6218D62FBF239FAF213B4F044024FD09AA392EB53DD1193E9

Uniqueness

Uniqueness Score: -1.00%

Function 0064ED8E Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 005E9997: __itow.LIBCMT ref: 005E99C2
Part of subcall function 005E9997: __swprintf.LIBCMT ref: 005E9A0C

Part of subcall function 005FFEC6: _wcscpy.LIBCMT ref: 005FFEE9

_wcstok.LIBCMT ref: 0064EEFF
_wcscpy.LIBCMT ref: 0064EF8E
_memset.LIBCMT ref: 0064EFC1

Strings

X, xrefs: 0064EFFE

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: 62edd7a10a32c8f6f82aabaf805fa9ea4d9698623081ed92835c8dd5e6c7992c
Instruction ID: 7809cfe4f829204e14c39811f9034d2a3be67933ac9bdbc5cba5392e2796ac57
Opcode Fuzzy Hash: 62edd7a10a32c8f6f82aabaf805fa9ea4d9698623081ed92835c8dd5e6c7992c
Instruction Fuzzy Hash: F6C171715083429FC768EF24C895A9ABBE5FF84310F10496DF8D9972A2DB70ED45CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00656E17 Relevance: 10.8, APIs: 7, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00656F14
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00656F35
WSAGetLastError.WSOCK32(00000000), ref: 00656F48
htons.WSOCK32(?,?,?,00000000,?), ref: 00656FFE
inet_ntoa.WSOCK32(?), ref: 00656FBB

Part of subcall function 0063AE14: _strlen.LIBCMT ref: 0063AE1E
Part of subcall function 0063AE14: _memmove.LIBCMT ref: 0063AE40

_strlen.LIBCMT ref: 00657058
_memmove.LIBCMT ref: 006570C1

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 3619996494-0
Opcode ID: bd3c2f81463f408d28e68865b9087850069c424025e3753f63823d24f5d2934d
Instruction ID: 4da0ba1787f7e0543473168c9613de2c74fd0236c6d23b26c46bfde635698731
Opcode Fuzzy Hash: bd3c2f81463f408d28e68865b9087850069c424025e3753f63823d24f5d2934d
Instruction Fuzzy Hash: 74810171508301ABC714EF24DC86E6FBBEAAFC4714F10491CF9999B2D2DA70AD09C792

Uniqueness

Uniqueness Score: -1.00%

Function 005E1424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72ceabd72ceea735b177bb1f7aaee80e5873ef0dc965e3bb00164bcfd4da3d6e
Instruction ID: acb29118509620e0418b7ed8c769c5e32b15fd9f95465dcf96ab6f7a25f119ed
Opcode Fuzzy Hash: 72ceabd72ceea735b177bb1f7aaee80e5873ef0dc965e3bb00164bcfd4da3d6e
Instruction Fuzzy Hash: C9717A30900549EFCF188F99CC48EAEBF79FF8A310F148549F955AA291D730AA51CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0066B60B Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(013B6BE0), ref: 0066B6A5
IsWindowEnabled.USER32(013B6BE0), ref: 0066B6B1
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0066B795
SendMessageW.USER32(013B6BE0,000000B0,?,?), ref: 0066B7CC
IsDlgButtonChecked.USER32(?,?), ref: 0066B809
GetWindowLongW.USER32(013B6BE0,000000EC), ref: 0066B82B
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0066B843

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: b3fb54e9e2a193c6a0bc26d3f717f2a5b1b481184e0bd06636693f9d11a792f8
Instruction ID: 21a463eb07e8f7d0c9b802ad9e2d8c8cc965d81ad0e4129446cfc681bdfaa509
Opcode Fuzzy Hash: b3fb54e9e2a193c6a0bc26d3f717f2a5b1b481184e0bd06636693f9d11a792f8
Instruction Fuzzy Hash: 93717D34604204EFDB249F64C894FEA7BABEB4A300F146069F956D73A1C771AD81CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0065F732 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0065F75C
_memset.LIBCMT ref: 0065F825
ShellExecuteExW.SHELL32(?), ref: 0065F86A

Part of subcall function 005E9997: __itow.LIBCMT ref: 005E99C2
Part of subcall function 005E9997: __swprintf.LIBCMT ref: 005E9A0C

Part of subcall function 005FFEC6: _wcscpy.LIBCMT ref: 005FFEE9

GetProcessId.KERNEL32(00000000), ref: 0065F8E1
CloseHandle.KERNEL32(00000000), ref: 0065F910

Strings

@, xrefs: 0065F839

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: 86d732defd4a014991934d4f93dc80ee9987301d73159dd42ceba45ce1ef3f54
Instruction ID: d5863ee6c0d10ee02e286f63291e4ca153ce6d0fb99500a38c0e2e39d3868ce8
Opcode Fuzzy Hash: 86d732defd4a014991934d4f93dc80ee9987301d73159dd42ceba45ce1ef3f54
Instruction Fuzzy Hash: D5619F75A0065ADFCF18EF55C5849AEBBF6FF88310F148469E886AB351CB30AD45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0064145D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0064149C
GetKeyboardState.USER32(?), ref: 006414B1
SetKeyboardState.USER32(?), ref: 00641512
PostMessageW.USER32(?,00000101,00000010,?), ref: 00641540
PostMessageW.USER32(?,00000101,00000011,?), ref: 0064155F
PostMessageW.USER32(?,00000101,00000012,?), ref: 006415A5
PostMessageW.USER32(?,00000101,0000005B,?), ref: 006415C8

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: a53eb3582151f289331839a772b0854842d8aaf00fa0a90819a0cd6ec69f59b8
Instruction ID: a8515698ebf8d654b6951dac60c5bad135ccd47b70466027407ba2945ba77cf2
Opcode Fuzzy Hash: a53eb3582151f289331839a772b0854842d8aaf00fa0a90819a0cd6ec69f59b8
Instruction Fuzzy Hash: 3551C0A0A047D53EFB3647248C45BFA7FAB6B47304F088489E1D64A9C2D2D4EDD4D760

Uniqueness

Uniqueness Score: -1.00%

Function 00641276 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 006412B5
GetKeyboardState.USER32(?), ref: 006412CA
SetKeyboardState.USER32(?), ref: 0064132B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00641357
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00641374
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 006413B8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 006413D9

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 6c8c131458f40f1ad0e55d6e89918fad8a45aa3e1c6f8210c8ef58b9094d4f2a
Instruction ID: 8c2b87ab6898c25ce29cf46d0d665d7ee7a9cd24aa6eaedecb3a0a2da5da009c
Opcode Fuzzy Hash: 6c8c131458f40f1ad0e55d6e89918fad8a45aa3e1c6f8210c8ef58b9094d4f2a
Instruction Fuzzy Hash: 1751D1A05046D57DFB338B248C55BBABFAB6B07300F088589E1D88E9C2D795ACD4D761

Uniqueness

Uniqueness Score: -1.00%

Function 0064589F Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 006458AC
_wcsncpy.LIBCMT ref: 006458E1
_wcsncpy.LIBCMT ref: 00645913
_wcsncpy.LIBCMT ref: 00645946
_wcsncpy.LIBCMT ref: 00645988
_wcsncpy.LIBCMT ref: 006459C2
_wcsncpy.LIBCMT ref: 006459F1

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: a374d038cb7d45d9c9b2b4e0db68a050f16779b897edd35a6a919ed487cf4997
Instruction ID: 8e474b69b003564db5323ce3ba41241f1a4d310be038a5554bb74c877797c210
Opcode Fuzzy Hash: a374d038cb7d45d9c9b2b4e0db68a050f16779b897edd35a6a919ed487cf4997
Instruction Fuzzy Hash: 1041B4A5C6012876CB54FBB4C88A9CF77AEAF04310F50885AF519E3262FA34D754C7AD

Uniqueness

Uniqueness Score: -1.00%

Function 0063DA5D Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0063DAC5
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0063DAFB
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0063DB0C
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 0063DB8E

Strings

,,g, xrefs: 0063DA69
DllGetClassObject, xrefs: 0063DB01

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: ,,g$DllGetClassObject
API String ID: 753597075-3601260016
Opcode ID: 44bec7095bbd6f8d390735e909fbb62c1faf6a913b35ecd09c1babac861e6af0
Instruction ID: 0ec894414aa8f8a97f2a9cea73200ffe0c6ebafb6a453c2b925afe49020ba138
Opcode Fuzzy Hash: 44bec7095bbd6f8d390735e909fbb62c1faf6a913b35ecd09c1babac861e6af0
Instruction Fuzzy Hash: 4F4160B1600209EFDB15CF55D884A9ABBBAEF48350F1580ADED069F205D7B1DE44CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 006438AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 006448AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,006438D3,?), ref: 006448C7

Part of subcall function 006448AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,006438D3,?), ref: 006448E0

lstrcmpiW.KERNEL32(?,?), ref: 006438F3
_wcscmp.LIBCMT ref: 0064390F
MoveFileW.KERNEL32(?,?), ref: 00643927
_wcscat.LIBCMT ref: 0064396F
SHFileOperationW.SHELL32(?), ref: 006439DB

Strings

\*.*, xrefs: 00643969

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: 682fcbe1b100710ac8a3f6139da236b9d1eb028e6ad54ea0b2211e6cf38877df
Instruction ID: 91868a8c9aa1a3dcd509576c4b17c6a8fd017c5d4a63f04380ca393b8cd72443
Opcode Fuzzy Hash: 682fcbe1b100710ac8a3f6139da236b9d1eb028e6ad54ea0b2211e6cf38877df
Instruction Fuzzy Hash: 204191B240C3859EC755EF64C486AEFB7EDAF88340F14192EF489C3291EA74D688C756

Uniqueness

Uniqueness Score: -1.00%

Function 00667500 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00667519
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 006675C0
IsMenu.USER32(?), ref: 006675D8
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00667620
DrawMenuBar.USER32 ref: 00667633

Strings

0, xrefs: 0066750D

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: 5a73b4bf7922f03ecaa58a5d4d598625a94671d4c2dcd1904c6e095be9e51cce
Instruction ID: d055b2f5c22d44dc920aaed0a159d4a9a4be89c6c29041e795cef065c65ae124
Opcode Fuzzy Hash: 5a73b4bf7922f03ecaa58a5d4d598625a94671d4c2dcd1904c6e095be9e51cce
Instruction Fuzzy Hash: E8413875A04609AFDB10DF54D884EDABBFAFB05328F149069F91697390D730AD50CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 0066122D Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 0066125C
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00661286
FreeLibrary.KERNEL32(00000000), ref: 0066133D

Part of subcall function 0066122D: RegCloseKey.ADVAPI32(?), ref: 006612A3
Part of subcall function 0066122D: FreeLibrary.KERNEL32(?), ref: 006612F5
Part of subcall function 0066122D: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00661318

RegDeleteKeyW.ADVAPI32(?,?), ref: 006612E0

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: cd84d39bee910fa33cca285a19f2615d0ed93b9644f847936f5b379660b53779
Instruction ID: 67132beb997b93aa73904bad68b4fc396f1d8e4ef04658e0e6a4eed6c4ccc29d
Opcode Fuzzy Hash: cd84d39bee910fa33cca285a19f2615d0ed93b9644f847936f5b379660b53779
Instruction Fuzzy Hash: 8D312D71901109BFDB14DBA0EC99AFEB7BDEF09340F04016AE502E6251DA749F859AA0

Uniqueness

Uniqueness Score: -1.00%

Function 0066653C Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 0066655B
GetWindowLongW.USER32(013B6BE0,000000F0), ref: 0066658E
GetWindowLongW.USER32(013B6BE0,000000F0), ref: 006665C3
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 006665F5
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 0066661F
GetWindowLongW.USER32(00000000,000000F0), ref: 00666630
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 0066664A

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: f19dc5df8489bfd64857cfd2a767b33ab73cc21ee1a3b0022b69536c76b68f44
Instruction ID: dea710bace3ee03df1b4e3800b80392fcfb272e525555430b5adedff83b9c130
Opcode Fuzzy Hash: f19dc5df8489bfd64857cfd2a767b33ab73cc21ee1a3b0022b69536c76b68f44
Instruction Fuzzy Hash: 2731E630604150AFDB21DF28EC86F953BE6FB4A714F1911A8F512CB2B6CB71AC40DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00656486 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 006580A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 006580CB

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 006564D9
WSAGetLastError.WSOCK32(00000000), ref: 006564E8
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00656521
connect.WSOCK32(00000000,?,00000010), ref: 0065652A
WSAGetLastError.WSOCK32 ref: 00656534
closesocket.WSOCK32(00000000), ref: 0065655D
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00656576

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: 1f2bcbdb98ca091dec20e396873b3a54c8cc61d163950ba87aa95bd65dc89d5f
Instruction ID: 0beed4ba4ef5da887da61d24622e1c361f1f097b91b4510e12d1f345b5345ab8
Opcode Fuzzy Hash: 1f2bcbdb98ca091dec20e396873b3a54c8cc61d163950ba87aa95bd65dc89d5f
Instruction Fuzzy Hash: 1131B371600118AFDB10AF24DC85BBE7BBAEF44711F408069FD45A7291DBB0AD48CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0063E0B5 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0063E0FA
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0063E120
SysAllocString.OLEAUT32(00000000), ref: 0063E123
SysAllocString.OLEAUT32 ref: 0063E144
SysFreeString.OLEAUT32 ref: 0063E14D
StringFromGUID2.OLE32(?,?,00000028), ref: 0063E167
SysAllocString.OLEAUT32(?), ref: 0063E175

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 10ccf53ea746b52dd1703889b83ccbb4ac27a225833385cca7a33f0dbf541e1d
Instruction ID: 37ac75c3c4be5771b129d489be6a61f4af40eac8b3b9c511803b3a1bf4e9cc74
Opcode Fuzzy Hash: 10ccf53ea746b52dd1703889b83ccbb4ac27a225833385cca7a33f0dbf541e1d
Instruction Fuzzy Hash: F1214135604108AFDB109FA8DC88DAB77EEEB09760F108125F955CB2A5DA71EC418BB4

Uniqueness

Uniqueness Score: -1.00%

Function 0063FB6E Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0063FB81
__wcsnicmp.LIBCMT ref: 0063FBA2
__wcsnicmp.LIBCMT ref: 0063FBBC

Strings

#OnAutoItStartRegister, xrefs: 0063FBB6
#notrayicon, xrefs: 0063FB79
#requireadmin, xrefs: 0063FB9C

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: acff837bc7f4cf5393b975f92de99fa4d10c4cbcdb3e41bd5bc852595af7ca4b
Instruction ID: 6216750d62e9471a743d3df7584ef520c69cbbadf74dd7c21ef110d0a755f821
Opcode Fuzzy Hash: acff837bc7f4cf5393b975f92de99fa4d10c4cbcdb3e41bd5bc852595af7ca4b
Instruction Fuzzy Hash: 2D217C72A80155A6D334E730DC12EE7B39FEF65300F10803AF88687281EB519D82C2E5

Uniqueness

Uniqueness Score: -1.00%

Function 0066783C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 005E1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 005E1D73
Part of subcall function 005E1D35: GetStockObject.GDI32(00000011), ref: 005E1D87
Part of subcall function 005E1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 005E1D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 006678A1
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 006678AE
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 006678B9
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 006678C8
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 006678D4

Strings

Msctls_Progress32, xrefs: 00667872

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: a8a997126565c06f2df6ac4d5bdd39d93c884ac6aee6347b0ee86f0f967b428b
Instruction ID: 156d3af078a4283273da9eb3742f2839a7d9e2aebecef631e1c34e5e699d0c19
Opcode Fuzzy Hash: a8a997126565c06f2df6ac4d5bdd39d93c884ac6aee6347b0ee86f0f967b428b
Instruction Fuzzy Hash: D51190B2110219BFEF159F60CC85EE77F6EEF08758F014129FA04A61A0C772AC21DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 006041C9 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00604292,?), ref: 006041E3
GetProcAddress.KERNEL32(00000000), ref: 006041EA
EncodePointer.KERNEL32(00000000), ref: 006041F6
DecodePointer.KERNEL32(00000001,00604292,?), ref: 00604213

Strings

combase.dll, xrefs: 006041DE
RoInitialize, xrefs: 006041D2

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 3489934621-340411864
Opcode ID: 249e1d890b85b6ede9fc3a1920597279a90234f5235eeb15cd97abeccc8e8e09
Instruction ID: 7c9c1c0897cc98195dd75b974972f7fc858c6682b78350dd32fa73d3123bb056
Opcode Fuzzy Hash: 249e1d890b85b6ede9fc3a1920597279a90234f5235eeb15cd97abeccc8e8e09
Instruction Fuzzy Hash: 4EE01AB0690301AFEB206BB1FC19B653AE7FBA2B02F10A424F511E51E0DFF568958F00

Uniqueness

Uniqueness Score: -1.00%

Function 0060429E Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,006041B8), ref: 006042B8
GetProcAddress.KERNEL32(00000000), ref: 006042BF
EncodePointer.KERNEL32(00000000), ref: 006042CA
DecodePointer.KERNEL32(006041B8), ref: 006042E5

Strings

RoUninitialize, xrefs: 006042A7
combase.dll, xrefs: 006042B3

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: 02a34fd9aff3194e16986f7d4dc9cb04d8ddd3fcdf7870520e4d0d40ac602485
Instruction ID: 353dd40cbe4538b0181c01b2ba150f19ac9792166939e793454e1231ddacc084
Opcode Fuzzy Hash: 02a34fd9aff3194e16986f7d4dc9cb04d8ddd3fcdf7870520e4d0d40ac602485
Instruction Fuzzy Hash: AFE0BF786813019FDB20AB61FD5EB653AA7BB56742F106024F111E15A0CFF45944CE14

Uniqueness

Uniqueness Score: -1.00%

Function 0064675A Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 006468AD
_memmove.LIBCMT ref: 006467E8

Part of subcall function 005E9997: __itow.LIBCMT ref: 005E99C2
Part of subcall function 005E9997: __swprintf.LIBCMT ref: 005E9A0C

_memmove.LIBCMT ref: 0064685B
_memmove.LIBCMT ref: 00646942
_memmove.LIBCMT ref: 0064695B
_memmove.LIBCMT ref: 00646977

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: 2ac74d2e030658137b5ee0dcb8b02025e330d3075783c8fac3e9a08f62e1acb0
Instruction ID: 69673135681687e102afb7fb29946796dfc5c78d3cc8043087bae20328791d85
Opcode Fuzzy Hash: 2ac74d2e030658137b5ee0dcb8b02025e330d3075783c8fac3e9a08f62e1acb0
Instruction Fuzzy Hash: C161CE3050069B9BDF19EF21CC85EFE3BAABF46308F044519F89A5B292DB709C45CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0066046F Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 005E7F41: _memmove.LIBCMT ref: 005E7F82

Part of subcall function 006610A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00660038,?,?), ref: 006610BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00660548
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00660588
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 006605AB
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 006605D4
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00660617
RegCloseKey.ADVAPI32(00000000), ref: 00660624

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: 5d9416eb135ce5c4ad0a7ab9dd489989b9222427a90ac497a254ac69f12b35f0
Instruction ID: 72b12441b566fd676d3038d69a0768243f840dc7d5f4dc8248d1f0c741a9e6c2
Opcode Fuzzy Hash: 5d9416eb135ce5c4ad0a7ab9dd489989b9222427a90ac497a254ac69f12b35f0
Instruction Fuzzy Hash: 25516A31108241AFDB14EF64D885E6FBBEAFF89314F04492DF586872A2DB71E905CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00665A20 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00665A82
GetMenuItemCount.USER32(00000000), ref: 00665AB9
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00665AE1
GetMenuItemID.USER32(?,?), ref: 00665B50
GetSubMenu.USER32(?,?), ref: 00665B5E
PostMessageW.USER32(?,00000111,?,00000000), ref: 00665BAF

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: 3429b9e0365e063fa2c5847e2fe9a061b416b5a2bccdd8f336a501fc385d315b
Instruction ID: 99bd1b10b0ebbd3b6e2cb95173cd0bcca67408d59cb43b7d9bc52b99d1d1a6f5
Opcode Fuzzy Hash: 3429b9e0365e063fa2c5847e2fe9a061b416b5a2bccdd8f336a501fc385d315b
Instruction Fuzzy Hash: C6517235A00616AFDF15EFA4C856AAEBBB6FF48310F104469E842B7351CB70AE41CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0063F3DD Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0063F3F7
VariantClear.OLEAUT32(00000013), ref: 0063F469
VariantClear.OLEAUT32(00000000), ref: 0063F4C4
_memmove.LIBCMT ref: 0063F4EE
VariantClear.OLEAUT32(?), ref: 0063F53B
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 0063F569

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: 23945c31431220182b2c61ad06f98b66942acdb2c1f6a8912da7417e42ff9b0e
Instruction ID: 45acc68b801dea1b8f150c55c5ac084912d749bcfa626134f951d9d1465b4621
Opcode Fuzzy Hash: 23945c31431220182b2c61ad06f98b66942acdb2c1f6a8912da7417e42ff9b0e
Instruction Fuzzy Hash: B25146B5A00209AFCB14CF58D884AAAB7F9FF4C354F15856AE959DB311D730E912CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 006426F9 Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00642747
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00642792
IsMenu.USER32(00000000), ref: 006427B2
CreatePopupMenu.USER32 ref: 006427E6
GetMenuItemCount.USER32(000000FF), ref: 00642844
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00642875

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: e36fdbdeb869d3032c7ad80825fcece2bc85643e26c9bc71ad82a90f36a92101
Instruction ID: 1a751547841086af3c81631ae2355c1367a4ca8bb1228702b06bcb10e11f6235
Opcode Fuzzy Hash: e36fdbdeb869d3032c7ad80825fcece2bc85643e26c9bc71ad82a90f36a92101
Instruction Fuzzy Hash: EC519070A00207DFDF24CF68D8A8AEEBBF6AF54314F604169F4119B291D7709949CB51

Uniqueness

Uniqueness Score: -1.00%

Function 005E1765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 005E2612: GetWindowLongW.USER32(?,000000EB), ref: 005E2623

BeginPaint.USER32(?,?,?,?,?,?), ref: 005E179A
GetWindowRect.USER32(?,?), ref: 005E17FE
ScreenToClient.USER32(?,?), ref: 005E181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 005E182C
EndPaint.USER32(?,?), ref: 005E1876

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: 960cd4eae478e10ec5585ea96f438ae3cbcee2023d98bc0f323ad5ee70df5bd0
Instruction ID: e90fe46be4d5ae715f53cade4adee69cbf8674f3bd6b0efa689d0e3874a62adb
Opcode Fuzzy Hash: 960cd4eae478e10ec5585ea96f438ae3cbcee2023d98bc0f323ad5ee70df5bd0
Instruction Fuzzy Hash: 3941BE70104741AFC710EF26DC84FBA7FEAFB4A724F080629F9A5862A1C771AC45DB61

Uniqueness

Uniqueness Score: -1.00%

Function 0066B958 Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(006A67B0,00000000,013B6BE0,?,?,006A67B0,?,0066B862,?,?), ref: 0066B9CC
EnableWindow.USER32(00000000,00000000), ref: 0066B9F0
ShowWindow.USER32(006A67B0,00000000,013B6BE0,?,?,006A67B0,?,0066B862,?,?), ref: 0066BA50
ShowWindow.USER32(00000000,00000004,?,0066B862,?,?), ref: 0066BA62
EnableWindow.USER32(00000000,00000001), ref: 0066BA86
SendMessageW.USER32(?,0000130C,?,00000000), ref: 0066BAA9

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 5081583299fe0110790adc93beb2cf2614afee63952a4bdaac1fd4ad0eadb7c6
Instruction ID: c13b29802c5a2d5a85b6ff442827b15556530e5dd19ff986291801f83228d666
Opcode Fuzzy Hash: 5081583299fe0110790adc93beb2cf2614afee63952a4bdaac1fd4ad0eadb7c6
Instruction Fuzzy Hash: 6B415C30600241EFDB26CF68D499BD57BE2FB46314F1852B9FA48CF2A2C771A885CB51

Uniqueness

Uniqueness Score: -1.00%

Function 006573B1 Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,00655134,?,?,00000000,00000001), ref: 006573BF

Part of subcall function 00653C94: GetWindowRect.USER32(?,?), ref: 00653CA7

GetDesktopWindow.USER32 ref: 006573E9
GetWindowRect.USER32(00000000), ref: 006573F0
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00657422

Part of subcall function 006454E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0064555E

GetCursorPos.USER32(?), ref: 0065744E
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 006574AC

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: bdd7f62ac257749a96ff16866ea05b257907b652bc9f8d8ff77bb230ca89d160
Instruction ID: d6fa975189c66d74bfde64a1f1b3f3452056fa2b8f213e2f98c0d589c2c21286
Opcode Fuzzy Hash: bdd7f62ac257749a96ff16866ea05b257907b652bc9f8d8ff77bb230ca89d160
Instruction Fuzzy Hash: 5131E472508306ABD720DF14E849F9BBBEAFF88314F000919F98997191CB70ED49CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00638D5B Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 006385F1: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00638608
Part of subcall function 006385F1: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00638612
Part of subcall function 006385F1: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00638621
Part of subcall function 006385F1: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00638628
Part of subcall function 006385F1: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0063863E

GetLengthSid.ADVAPI32(?,00000000,00638977), ref: 00638DAC
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00638DB8
HeapAlloc.KERNEL32(00000000), ref: 00638DBF
CopySid.ADVAPI32(00000000,00000000,?), ref: 00638DD8
GetProcessHeap.KERNEL32(00000000,00000000,00638977), ref: 00638DEC
HeapFree.KERNEL32(00000000), ref: 00638DF3

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: d09e4553e137a46b931bf0e4c91a9805e67ee8905a585e077990caf9f980a97f
Instruction ID: a93103a58428f4184d0f426c9a8a7577c092dfa5168ef2e71575f61d0a548cbc
Opcode Fuzzy Hash: d09e4553e137a46b931bf0e4c91a9805e67ee8905a585e077990caf9f980a97f
Instruction Fuzzy Hash: E711A932600605FFDB109FA4EC09BEEBBAAFF55355F105029F84597250CB72AA04CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00638AF9 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00638B2A
OpenProcessToken.ADVAPI32(00000000), ref: 00638B31
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00638B40
CloseHandle.KERNEL32(00000004), ref: 00638B4B
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00638B7A
DestroyEnvironmentBlock.USERENV(00000000), ref: 00638B8E

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: e65c6e74b9259394d59f1f3134cf98921af6df92ecde11d5391f66eebdaed7dd
Instruction ID: e873851a4bf964b44881956833d94a67fa700ebcb69f8e535bb4a9550e329098
Opcode Fuzzy Hash: e65c6e74b9259394d59f1f3134cf98921af6df92ecde11d5391f66eebdaed7dd
Instruction Fuzzy Hash: 67112CB250124AEFDF018FA4ED49FDABBAAEF08304F145065FE05A2160C7759D619BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0066C19A Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 005E12F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 005E134D
Part of subcall function 005E12F3: SelectObject.GDI32(?,00000000), ref: 005E135C
Part of subcall function 005E12F3: BeginPath.GDI32(?), ref: 005E1373
Part of subcall function 005E12F3: SelectObject.GDI32(?,00000000), ref: 005E139C

MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 0066C1C4
LineTo.GDI32(00000000,00000003,?), ref: 0066C1D8
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0066C1E6
LineTo.GDI32(00000000,00000000,?), ref: 0066C1F6
EndPath.GDI32(00000000), ref: 0066C206
StrokePath.GDI32(00000000), ref: 0066C216

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 8a202add66c32b5fe272c563ebe4399a3919dcf704710555c5b61ed4961bd45d
Instruction ID: 93b6fd104b1c4799aec52473eb98cdbbb4ba87c0a48730379eab883f71730987
Opcode Fuzzy Hash: 8a202add66c32b5fe272c563ebe4399a3919dcf704710555c5b61ed4961bd45d
Instruction Fuzzy Hash: A0113C7600010CBFDB019F95EC48EEA7FAEFB08390F048021FA0846161C7B19E54DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 006003A2 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 006003D3
MapVirtualKeyW.USER32(00000010,00000000), ref: 006003DB
MapVirtualKeyW.USER32(000000A0,00000000), ref: 006003E6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 006003F1
MapVirtualKeyW.USER32(00000011,00000000), ref: 006003F9
MapVirtualKeyW.USER32(00000012,00000000), ref: 00600401

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 0b0d99490c7ce82c2e514eb6db2fc30c38e66f73171b9ab06e8ef5dcbc5d4417
Instruction ID: ab469080b3293e9461cd8d5df578e56dc5db26a65a8109de4672565b06bb25d0
Opcode Fuzzy Hash: 0b0d99490c7ce82c2e514eb6db2fc30c38e66f73171b9ab06e8ef5dcbc5d4417
Instruction Fuzzy Hash: 3D016CB09017597DE3008F5A8C85B52FFA8FF19354F00411BE15C87941C7F5A864CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 0064568B Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0064569B
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 006456B1
GetWindowThreadProcessId.USER32(?,?), ref: 006456C0
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 006456CF
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 006456D9
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 006456E0

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: b29690a017e44ac83fde016bd394babb8550273d09ab153fff785db6212c5ef4
Instruction ID: 91c113dd9a2d56d655f82e862837c6f1527e25d4a68324fb59fd16dbe8ccc98b
Opcode Fuzzy Hash: b29690a017e44ac83fde016bd394babb8550273d09ab153fff785db6212c5ef4
Instruction Fuzzy Hash: B0F06732241158BBE3205BA2EC0EEEB7A7DEBCAB11F001169FA00D10A09AE01A0186B5

Uniqueness

Uniqueness Score: -1.00%

Function 006474D2 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 006474E5
EnterCriticalSection.KERNEL32(?,?,005F1044,?,?), ref: 006474F6
TerminateThread.KERNEL32(00000000,000001F6,?,005F1044,?,?), ref: 00647503
WaitForSingleObject.KERNEL32(00000000,000003E8,?,005F1044,?,?), ref: 00647510

Part of subcall function 00646ED7: CloseHandle.KERNEL32(00000000,?,0064751D,?,005F1044,?,?), ref: 00646EE1

InterlockedExchange.KERNEL32(?,000001F6), ref: 00647523
LeaveCriticalSection.KERNEL32(?,?,005F1044,?,?), ref: 0064752A

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: f3fd1b8f7a90ce91eed5de94e5599832f149090cd0828d6693fe56d4e758f5f7
Instruction ID: 8c06b13d5c11d65fbea96e0780effe140a8ac54773d59b4e351a3dc9598c0d1c
Opcode Fuzzy Hash: f3fd1b8f7a90ce91eed5de94e5599832f149090cd0828d6693fe56d4e758f5f7
Instruction Fuzzy Hash: 8AF05E3A144612EBDB112BA4FC9C9EB772FFF45302B001531F202954B0CBB56A01CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00638E74 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00638E7F
UnloadUserProfile.USERENV(?,?), ref: 00638E8B
CloseHandle.KERNEL32(?), ref: 00638E94
CloseHandle.KERNEL32(?), ref: 00638E9C
GetProcessHeap.KERNEL32(00000000,?), ref: 00638EA5
HeapFree.KERNEL32(00000000), ref: 00638EAC

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 73c1a5371a6d288cd984929919681fd3b776469ef1b4f05bb3bae1c5b447dad3
Instruction ID: 662daae840f83f0ce40ca7614098ba1a08c7784e034b28c49252e3e1a747238c
Opcode Fuzzy Hash: 73c1a5371a6d288cd984929919681fd3b776469ef1b4f05bb3bae1c5b447dad3
Instruction Fuzzy Hash: 84E0C236004001FBDB011FE2FC0C90AFF6AFB8A362B109230F21981170CBB2A420DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00637A78 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00672C7C,?), ref: 00637C32
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00672C7C,?), ref: 00637C4A
CLSIDFromProgID.OLE32(?,?,00000000,0066FB80,000000FF,?,00000000,00000800,00000000,?,00672C7C,?), ref: 00637C6F
_memcmp.LIBCMT ref: 00637C90

Strings

,,g, xrefs: 00637A85

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID: ,,g
API String ID: 314563124-619837891
Opcode ID: 4b3d9d5ff7793b802038627598ad082d1a7106558c5837a8f535df401d28cfa1
Instruction ID: 3bb5479573c7a0ac569edc423c36b561371b1f6019ddad7ee1de841e1312dfdd
Opcode Fuzzy Hash: 4b3d9d5ff7793b802038627598ad082d1a7106558c5837a8f535df401d28cfa1
Instruction Fuzzy Hash: 7B811D75A00109EFCB14DF94C984DEEB7BAFF89315F204198F516AB250DB71AE05CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00658902 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00658928
CharUpperBuffW.USER32(?,?), ref: 00658A37
VariantClear.OLEAUT32(?), ref: 00658BAF

Part of subcall function 00647804: VariantInit.OLEAUT32(00000000), ref: 00647844
Part of subcall function 00647804: VariantCopy.OLEAUT32(00000000,?), ref: 0064784D
Part of subcall function 00647804: VariantClear.OLEAUT32(00000000), ref: 00647859

Strings

AUTOIT.ERROR, xrefs: 00658A3D
Incorrect Parameter format, xrefs: 00658960, 00658B22

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: 349a002f4e80e3966bbbe856588e58c7b9d870446f409870830aa580ce078519
Instruction ID: 74147e603788f0513a218eb9d195a5f9cabd911af3db7fe97673438b25b9b19e
Opcode Fuzzy Hash: 349a002f4e80e3966bbbe856588e58c7b9d870446f409870830aa580ce078519
Instruction Fuzzy Hash: D69180706043429FC704DF29C48496ABBE9FFC8315F04496EF8969B361DB30E909CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00642F86 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 005FFEC6: _wcscpy.LIBCMT ref: 005FFEE9

_memset.LIBCMT ref: 00643077
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 006430A6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00643159
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00643187

Strings

0, xrefs: 00643063

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: 83f49fda7950f26ef34bdadceeb17f0e848d47ce11869d1671d9bdb449c6199b
Instruction ID: 27d102d255811645ad37bc2d84d9d32b79bc1f6b052234d1b76d4c5dc9d9d3ee
Opcode Fuzzy Hash: 83f49fda7950f26ef34bdadceeb17f0e848d47ce11869d1671d9bdb449c6199b
Instruction Fuzzy Hash: 3351F5316083219BD715AF28D845AABBBEAEF95720F040A2DF895D73D1DB70CE44CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00642C42 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00642CAF
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00642CCB
DeleteMenu.USER32(?,00000007,00000000), ref: 00642D11
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,006A6890,00000000), ref: 00642D5A

Strings

0, xrefs: 00642CA4

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: 2e21d18d1d5a96a4c1d8137c008c3961451dece79e0221dc3a88de7ecd07cbd5
Instruction ID: 83f14c84ba89f100289f75deb6efdfa783a63a0176b91fb6d814a59069b55932
Opcode Fuzzy Hash: 2e21d18d1d5a96a4c1d8137c008c3961451dece79e0221dc3a88de7ecd07cbd5
Instruction Fuzzy Hash: 5A41AE306043029FD724DF24C895B5ABBAAFF85320F644A6EF96697291D770E904CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0065DAB9 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0065DAD9

Part of subcall function 005E79AB: _memmove.LIBCMT ref: 005E79F9

Strings

cdecl, xrefs: 0065DB30
stdcall, xrefs: 0065DB5B
winapi, xrefs: 0065DB4A
none, xrefs: 0065DBB4

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: fa8c8713311c30db9ec2938f545ecd2fc6dd803d4bbecd116da716c7cabba98f
Instruction ID: 0e45916aff6dfea82012cbb4d5adc5ad8506c7c2e36cc120ce3b56cbaa38cd2b
Opcode Fuzzy Hash: fa8c8713311c30db9ec2938f545ecd2fc6dd803d4bbecd116da716c7cabba98f
Instruction Fuzzy Hash: 7731C1B090461AABCF14EF54CC819EEB7B6FF55310F008629E865977D1DB71A909CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00639372 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 005E7F41: _memmove.LIBCMT ref: 005E7F82

Part of subcall function 0063B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0063B0E7

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 006393F6
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00639409
SendMessageW.USER32(?,00000189,?,00000000), ref: 00639439

Part of subcall function 005E7D2C: _memmove.LIBCMT ref: 005E7D66

Strings

ComboBox, xrefs: 00639380
ListBox, xrefs: 006393B5

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: e1c0e7af47473e71c0bc662c7f57bd51dd989d67ddacb667f08f61ef8970c92c
Instruction ID: 81ef83c4a8de161beef2fcdac9ce3611147617817447149615305a8e77b55ec0
Opcode Fuzzy Hash: e1c0e7af47473e71c0bc662c7f57bd51dd989d67ddacb667f08f61ef8970c92c
Instruction Fuzzy Hash: 4F210471900108BADB18AB74DC898FFBBBEEF45350F104129F962972E1DB74090ADA70

Uniqueness

Uniqueness Score: -1.00%

Function 00651B21 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00651B40
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00651B66
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00651B96
InternetCloseHandle.WININET(00000000), ref: 00651BDD

Part of subcall function 00652777: GetLastError.KERNEL32(?,?,00651B0B,00000000,00000000,00000001), ref: 0065278C
Part of subcall function 00652777: SetEvent.KERNEL32(?,?,00651B0B,00000000,00000000,00000001), ref: 006527A1

Strings

, xrefs: 00651B87

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 1ce489861e3fb89d8642582c63e584c2c0d8d680701b22d0d5678c4e03f46dc6
Instruction ID: 06a2eed349f55848a1c4fc1fc8096dfd1f038f54e61d7258a242330ef1f090a1
Opcode Fuzzy Hash: 1ce489861e3fb89d8642582c63e584c2c0d8d680701b22d0d5678c4e03f46dc6
Instruction Fuzzy Hash: 732192B1500209BFEB119F60DC85FBF77EEEB4A74AF10412EF905AA240EB609D099765

Uniqueness

Uniqueness Score: -1.00%

Function 00666656 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 005E1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 005E1D73
Part of subcall function 005E1D35: GetStockObject.GDI32(00000011), ref: 005E1D87
Part of subcall function 005E1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 005E1D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 006666D0
LoadLibraryW.KERNEL32(?), ref: 006666D7
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 006666EC
DestroyWindow.USER32(?), ref: 006666F4

Strings

SysAnimate32, xrefs: 006666AB

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: 390eddc4324abb5ea33b0624e65b445b212cff8186c0d6ecd0900509c4213f52
Instruction ID: 53784ffb9d63746b140512e9336a6a1cdb20c28e81a03c1b0a31934bd3f77c72
Opcode Fuzzy Hash: 390eddc4324abb5ea33b0624e65b445b212cff8186c0d6ecd0900509c4213f52
Instruction Fuzzy Hash: 82215EB1100206BBEF104F64FC80EAB77AFEB59368F105629F951D22A0D7B2DC5197A1

Uniqueness

Uniqueness Score: -1.00%

Function 0064703E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 0064705E
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00647091
GetStdHandle.KERNEL32(0000000C), ref: 006470A3
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 006470DD

Strings

nul, xrefs: 006470D8

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 2367ffadd96338fb6f369141fec33d975c86e567691f0ff7fca01f7de5a6bb33
Instruction ID: 80834d6d24be504c65ea58a837f2fbd5bb8409c037e0e176fdfa25173286f8d4
Opcode Fuzzy Hash: 2367ffadd96338fb6f369141fec33d975c86e567691f0ff7fca01f7de5a6bb33
Instruction Fuzzy Hash: 9F2190B4505209ABDF209F79DC05A9A77FABF45B20F204A19FCA0D73D0E7B09940CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0064710C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 0064712B
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0064715D
GetStdHandle.KERNEL32(000000F6), ref: 0064716E
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 006471A8

Strings

nul, xrefs: 006471A3

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 4fbbf1cdf3611e5d7ca909bf27a09e293e13a5b29c880ecc3bc79eb354f7636e
Instruction ID: 5daf4159bed76f6e8333f4549f107ec1c9ca08c20edfef8aec2b1130b3f6b0ab
Opcode Fuzzy Hash: 4fbbf1cdf3611e5d7ca909bf27a09e293e13a5b29c880ecc3bc79eb354f7636e
Instruction Fuzzy Hash: 6621C5755043059BDF209F68DC04A9AB7EAAF55730F240A19FCB0D33D0D770A941CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0064AEAB Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0064AEBF
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0064AF13
__swprintf.LIBCMT ref: 0064AF2C
SetErrorMode.KERNEL32(00000000,00000001,00000000,0066F910), ref: 0064AF6A

Strings

%lu, xrefs: 0064AF26

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: 4a060de99205bcc37ab850fc0b03e9675739c066ec87056fa571fc48ade851d3
Instruction ID: 3dab0f9530a2ff940d2b1056809b76625fe273b62cc96c4c50a4492cd903f0ea
Opcode Fuzzy Hash: 4a060de99205bcc37ab850fc0b03e9675739c066ec87056fa571fc48ade851d3
Instruction Fuzzy Hash: AB217130A00149AFCB10DFA5DD85DEEBBB9FF89704B0040A9F909EB251DB71EA45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0063A52F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68windowCOMMON

Download Yara Rule

APIs

Part of subcall function 005E7D2C: _memmove.LIBCMT ref: 005E7D66

Part of subcall function 0063A37C: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0063A399
Part of subcall function 0063A37C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0063A3AC
Part of subcall function 0063A37C: GetCurrentThreadId.KERNEL32 ref: 0063A3B3
Part of subcall function 0063A37C: AttachThreadInput.USER32(00000000), ref: 0063A3BA

GetFocus.USER32 ref: 0063A554

Part of subcall function 0063A3C5: GetParent.USER32(?), ref: 0063A3D3

GetClassNameW.USER32(?,?,00000100), ref: 0063A59D
EnumChildWindows.USER32(?,0063A615), ref: 0063A5C5
__swprintf.LIBCMT ref: 0063A5DF

Strings

%s%d, xrefs: 0063A5D9

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
String ID: %s%d
API String ID: 1941087503-1110647743
Opcode ID: 5e602fa64ac9ffbe59d63e06a88d8908d54b90ce83b1cf0f6e9430b77a754d1f
Instruction ID: 0d2a7234199b9fff25c311241fec0ea3bafe24eb9c98d65c58b7111482c76df0
Opcode Fuzzy Hash: 5e602fa64ac9ffbe59d63e06a88d8908d54b90ce83b1cf0f6e9430b77a754d1f
Instruction Fuzzy Hash: 81110671204209BBDF10BFB0EC8AFEA377EAF89300F004079FD48AA152CA7159459BB5

Uniqueness

Uniqueness Score: -1.00%

Function 00642017 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00642048

Strings

EXISTS, xrefs: 00642070
KEYS, xrefs: 0064205F
APPEND, xrefs: 00642081
REMOVE, xrefs: 0064204E

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: 45d11958e15dced4f1b37dfda664b0f9796e40764745ea57a7cfd5ae3059da2c
Instruction ID: d07bb12af767dd0756a573955986ea3b69c30bb570fa47e38fa6d015d584d10c
Opcode Fuzzy Hash: 45d11958e15dced4f1b37dfda664b0f9796e40764745ea57a7cfd5ae3059da2c
Instruction Fuzzy Hash: 2111393094010ACFCF04EFA4D8515EEBBF6BF25304F608569E855A7392EB326D1ACB50

Uniqueness

Uniqueness Score: -1.00%

Function 0065EE69 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0065EF1B
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0065EF4B
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0065F07E
CloseHandle.KERNEL32(?), ref: 0065F0FF

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: a8ca0a5fc4381657f108b598c31462dab59018f21319067550c7b71012971c4a
Instruction ID: 67e0f863bcd506c1fda2048bd40249b265f2b47c49efc04aae201acd51b014ba
Opcode Fuzzy Hash: a8ca0a5fc4381657f108b598c31462dab59018f21319067550c7b71012971c4a
Instruction Fuzzy Hash: 5D8194B16003019FD724DF25C846F6ABBE6BF88710F14886DF999D7392DBB1AC448B91

Uniqueness

Uniqueness Score: -1.00%

Function 006602C2 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 005E7F41: _memmove.LIBCMT ref: 005E7F82

Part of subcall function 006610A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00660038,?,?), ref: 006610BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00660388
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 006603C7
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0066040E
RegCloseKey.ADVAPI32(?,?), ref: 0066043A
RegCloseKey.ADVAPI32(00000000), ref: 00660447

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: 4fc4e29fe94f772eaf8424526ff4f2558713b9fb634d9903850d434d26dd0096
Instruction ID: 2059c93dd980a66eedd92595be848236aeba72e891b04a37bdbf91d7ab8100aa
Opcode Fuzzy Hash: 4fc4e29fe94f772eaf8424526ff4f2558713b9fb634d9903850d434d26dd0096
Instruction Fuzzy Hash: 3D517A31208245AFD704EF65D885EAFBBE9FF88304F04892DF595972A2DB31E905CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0064E7DC Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 0064E88A
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 0064E8B3
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0064E8F2

Part of subcall function 005E9997: __itow.LIBCMT ref: 005E99C2
Part of subcall function 005E9997: __swprintf.LIBCMT ref: 005E9A0C

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0064E917
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0064E91F

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: 19224863c3a243680debbff2c0620b5ccaf2484f03fd04b15a84ecaf45ca889c
Instruction ID: fd3f55a4a07bfbbfe30730ce3dc52854141a18603192601ec32355266e4e9d81
Opcode Fuzzy Hash: 19224863c3a243680debbff2c0620b5ccaf2484f03fd04b15a84ecaf45ca889c
Instruction Fuzzy Hash: 05512B35A00206EFCF05EF65C9859AEBBF5FF48310B1480A9E849AB362CB31ED51DB50

Uniqueness

Uniqueness Score: -1.00%

Function 0066A2C5 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9980f733770dc131eabac931e5049007133477c59012447c350e910fe6ece75
Instruction ID: ff1daefe3b45c7871bdd7c21aee3ffff552be9be3d6bfc23b90e4f985307e533
Opcode Fuzzy Hash: d9980f733770dc131eabac931e5049007133477c59012447c350e910fe6ece75
Instruction Fuzzy Hash: 8A41AF35900214ABD720DFA8DC48BE9BBAAEB09310F184165F866F73E1DB70AD519E61

Uniqueness

Uniqueness Score: -1.00%

Function 005E2344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 005E2357
ScreenToClient.USER32(006A67B0,?), ref: 005E2374
GetAsyncKeyState.USER32(00000001), ref: 005E2399
GetAsyncKeyState.USER32(00000002), ref: 005E23A7

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 0cba29e732c72be6c558315164ef3f5294783f216557c6ae8f578c1e63bf4fbb
Instruction ID: 6be88388ec74a9dbffb76ba2ea686e047da465d48532185cc6925a4ab623cb93
Opcode Fuzzy Hash: 0cba29e732c72be6c558315164ef3f5294783f216557c6ae8f578c1e63bf4fbb
Instruction Fuzzy Hash: 3C41C231504159FBCF198F69D844AEDBB7AFB09330F20431AF869A2294C7706E90DF91

Uniqueness

Uniqueness Score: -1.00%

Function 00636920 Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0063695D
TranslateAcceleratorW.USER32(?,?,?), ref: 006369A9
TranslateMessage.USER32(?), ref: 006369D2
DispatchMessageW.USER32(?), ref: 006369DC
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 006369EB

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: fddc5f90c9c0246d4967462090ed396e5728039cab9b2109547273bf01fc20e8
Instruction ID: b96ecb4706a7b47311fb24b3ba7d5c9d9587c17a1c6c904788d77c49a4e436d9
Opcode Fuzzy Hash: fddc5f90c9c0246d4967462090ed396e5728039cab9b2109547273bf01fc20e8
Instruction Fuzzy Hash: D031BE31904247BADB21DF74DC44BF67BABAB12304F189169F422D72A1D674A886DBE0

Uniqueness

Uniqueness Score: -1.00%

Function 00638F01 Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00638F12
PostMessageW.USER32(?,00000201,00000001), ref: 00638FBC
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00638FC4
PostMessageW.USER32(?,00000202,00000000), ref: 00638FD2
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00638FDA

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 388d28b0b84ee7832d39370015dbc273e092af1356a4f6c1b8d31d9798db75c9
Instruction ID: c5dc5b2f1bfc2d1115b5d25b2781126f1c394a72e6a03a48a2ede7c7d34fd78f
Opcode Fuzzy Hash: 388d28b0b84ee7832d39370015dbc273e092af1356a4f6c1b8d31d9798db75c9
Instruction Fuzzy Hash: 8431BA71500219EFDB14CFA8E948AEE7BB7EB45365F104229F925EB2D0CBB09914DB90

Uniqueness

Uniqueness Score: -1.00%

Function 0063B6AF Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0063B6C7
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0063B6E4
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0063B71C
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0063B742
_wcsstr.LIBCMT ref: 0063B74C

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: 303a8a3b16d4a63e2628f7b3ffdaefece8782632fb1c7b0186f34448d1cc67f3
Instruction ID: 63e6fc7018c6eb2cc02a41af2569b91af588939e3a25b11ab4154b9a8d7b8747
Opcode Fuzzy Hash: 303a8a3b16d4a63e2628f7b3ffdaefece8782632fb1c7b0186f34448d1cc67f3
Instruction Fuzzy Hash: 7F21D731644204BAEB255B39EC4AE7B7BAEDF86750F10502DFD05CA2A1EFA1DC4197A0

Uniqueness

Uniqueness Score: -1.00%

Function 0066B405 Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 005E2612: GetWindowLongW.USER32(?,000000EB), ref: 005E2623

GetWindowLongW.USER32(?,000000F0), ref: 0066B44C
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0066B471
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0066B489
GetSystemMetrics.USER32(00000004), ref: 0066B4B2
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00651184,00000000), ref: 0066B4D0

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: bd51dd1c5b05337aa2eb2add10769411e1c2ca6e785d0f849e388f7334408e00
Instruction ID: ae330c5fa8d5e5ad3425d2bda7934aaecfe1db5d34627d1e848dfff696d1be1d
Opcode Fuzzy Hash: bd51dd1c5b05337aa2eb2add10769411e1c2ca6e785d0f849e388f7334408e00
Instruction Fuzzy Hash: 6D219131514255EFCB109F38DC04AAA3BE6FB05720F146738F926C22E6EB309C91DB90

Uniqueness

Uniqueness Score: -1.00%

Function 006397E9 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00639802

Part of subcall function 005E7D2C: _memmove.LIBCMT ref: 005E7D66

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00639834
__itow.LIBCMT ref: 0063984C
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00639874
__itow.LIBCMT ref: 00639885

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: baaf230e573d9561476333af1d8adbf65fd7dabc269f0e148689595159df9bc4
Instruction ID: ae8613929e885c47e20169065369113aa17fcd80333e53026b22a8e49ee23ad0
Opcode Fuzzy Hash: baaf230e573d9561476333af1d8adbf65fd7dabc269f0e148689595159df9bc4
Instruction Fuzzy Hash: B921B631600248BBDB149B659C8AEEE7BBEEF8A710F040029F904DB291D6B08D418BE1

Uniqueness

Uniqueness Score: -1.00%

Function 005E12F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 005E134D
SelectObject.GDI32(?,00000000), ref: 005E135C
BeginPath.GDI32(?), ref: 005E1373
SelectObject.GDI32(?,00000000), ref: 005E139C

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 5b62a3680c8a64886c3feb8f320fd090d074e1f8a14ff8d5b92b9c06116e09d1
Instruction ID: 2874ff56981e781934926e863706c4826dcaae93b599740b8c6cd93ecb84880c
Opcode Fuzzy Hash: 5b62a3680c8a64886c3feb8f320fd090d074e1f8a14ff8d5b92b9c06116e09d1
Instruction Fuzzy Hash: 7C21B070900748EFDB10AF26EC047A97FBEFB05721F189626F850961E0D7B5A891CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0063C161 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 0063C176
_memcmp.LIBCMT ref: 0063C194
_memcmp.LIBCMT ref: 0063C1A7
_memcmp.LIBCMT ref: 0063C1BF
_memcmp.LIBCMT ref: 0063C1D7

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: c7ba9e06323a7a6aebb222ec66ef6c2af772cc9aec4cbc4e7ec9d889d974f947
Instruction ID: ccd7e9ab2a7e11e9610e78b35222d06871213fe65951d67e558e075847610237
Opcode Fuzzy Hash: c7ba9e06323a7a6aebb222ec66ef6c2af772cc9aec4cbc4e7ec9d889d974f947
Instruction Fuzzy Hash: B501DDB26442067BD614A5205C52FBB735F9F213B4F048015FD04B7383EB51DE11A3E4

Uniqueness

Uniqueness Score: -1.00%

Function 00644D35 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00644D5C
__beginthreadex.LIBCMT ref: 00644D7A
MessageBoxW.USER32(?,?,?,?), ref: 00644D8F
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00644DA5
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00644DAC

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: 69f91271a37fa07ecdafda19cf0ceabcdbe54a22bf3728e99ff4069fc92600fa
Instruction ID: 7f0405879d3efd3633b742dfe3a9ad135db080198732267480fd6f54778599b5
Opcode Fuzzy Hash: 69f91271a37fa07ecdafda19cf0ceabcdbe54a22bf3728e99ff4069fc92600fa
Instruction Fuzzy Hash: 4911C8B6D04244BBC7119FA8EC05BDB7FAEEB46320F144265F914D3351DAB59D448BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0063874A Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00638766
GetLastError.KERNEL32(?,0063822A,?,?,?), ref: 00638770
GetProcessHeap.KERNEL32(00000008,?,?,0063822A,?,?,?), ref: 0063877F
HeapAlloc.KERNEL32(00000000,?,0063822A,?,?,?), ref: 00638786
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0063879D

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: ed090fbb520d5003d9e0bd8ed397ce9d876eb3393ec2b6225c0aab42728c14b4
Instruction ID: 740ae8a440cd975e1cce3364617eed880d53e3343cf518e9385ccf432d4912bb
Opcode Fuzzy Hash: ed090fbb520d5003d9e0bd8ed397ce9d876eb3393ec2b6225c0aab42728c14b4
Instruction Fuzzy Hash: CC01FF71601244EFDB104FA5EC48DAB7B7EFF86755B201569F849C3360DA71DD10CAA0

Uniqueness

Uniqueness Score: -1.00%

Function 006454E6 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00645502
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00645510
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00645518
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00645522
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0064555E

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: f5e0872521899d35ff9d68945e0dfc4002418c3a573994ebae95b8b186957f54
Instruction ID: 0225bcefa5a3befa6850adb18b24f1920c18ea54cd6d0091f45c2982c86ca8aa
Opcode Fuzzy Hash: f5e0872521899d35ff9d68945e0dfc4002418c3a573994ebae95b8b186957f54
Instruction Fuzzy Hash: 8F011B36D00A1DDBCF04DFE8E8885EDBB7ABB09711F041596E906B2241DB705A54C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00637652 Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0063758C,80070057,?,?,?,0063799D), ref: 0063766F
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0063758C,80070057,?,?), ref: 0063768A
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0063758C,80070057,?,?), ref: 00637698
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0063758C,80070057,?), ref: 006376A8
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0063758C,80070057,?,?), ref: 006376B4

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 823dc02fb38cbfad0b07639c4f9bc44aa6a1cac70d0beb1a427d86983470b4dd
Instruction ID: 1fb079d8256798572dc1755c90222f09a2bd2b43b0b9cb7aa94997242e913b0d
Opcode Fuzzy Hash: 823dc02fb38cbfad0b07639c4f9bc44aa6a1cac70d0beb1a427d86983470b4dd
Instruction Fuzzy Hash: 1E01B1B2604604ABDB204F59EC05AAA7BFEEB45751F100068FD04D3211E771DE0087E0

Uniqueness

Uniqueness Score: -1.00%

Function 006385F1 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00638608
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00638612
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00638621
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00638628
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0063863E

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 790fae2f946daf712fdd7cce1d41972a8f4bfd3c32289d273aea2077fe7c4489
Instruction ID: d0844fc377ed0a073a24fcd2013965d126690c2d55b1d6efac4fc59c883e8c70
Opcode Fuzzy Hash: 790fae2f946daf712fdd7cce1d41972a8f4bfd3c32289d273aea2077fe7c4489
Instruction Fuzzy Hash: E2F04F31201304AFEB100FA5EC9AEAB3BAEEF8B754F001429F945C7250CBA19C41DAA0

Uniqueness

Uniqueness Score: -1.00%

Function 00638652 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00638669
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00638673
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00638682
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00638689
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0063869F

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 43492354fc98dd7345eaf79d2098bbdf43c9f85e5f3f698831cfc528578f0255
Instruction ID: eae6178ab0d57f9db34853a67e272273f6c28f6ffadf81f66e8916aca5642fb9
Opcode Fuzzy Hash: 43492354fc98dd7345eaf79d2098bbdf43c9f85e5f3f698831cfc528578f0255
Instruction Fuzzy Hash: 20F04FB1200314AFEB111FA5EC89EA73BAEEF8A754F101025F945C7250CAA5D941DAA0

Uniqueness

Uniqueness Score: -1.00%

Function 0063C6A6 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 0063C6BA
GetWindowTextW.USER32(00000000,?,00000100), ref: 0063C6D1
MessageBeep.USER32(00000000), ref: 0063C6E9
KillTimer.USER32(?,0000040A), ref: 0063C705
EndDialog.USER32(?,00000001), ref: 0063C71F

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 6256e717e0b63d6e7cd8861b045820ca709e1965a3d4cb9d49b656443c39f526
Instruction ID: 910c7003307a6fbca352bc25c3643d9e13bb0b5eb38e4c77b9a1ce04c08b44cf
Opcode Fuzzy Hash: 6256e717e0b63d6e7cd8861b045820ca709e1965a3d4cb9d49b656443c39f526
Instruction Fuzzy Hash: 5401A230400304ABEB20AB24ED4EF967BBAFF00745F001669F582F10E0DBE1A9548FD0

Uniqueness

Uniqueness Score: -1.00%

Function 005E13B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 005E13BF
StrokeAndFillPath.GDI32(?,?,0061BAD8,00000000,?), ref: 005E13DB
SelectObject.GDI32(?,00000000), ref: 005E13EE
DeleteObject.GDI32 ref: 005E1401
StrokePath.GDI32(?), ref: 005E141C

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: ff79020cb9b2a78ec5f4e972f6e546c4b1a6325e645a5aa9eb3dfdfd630b0754
Instruction ID: 7e1d613fe9c27ad80a1995ec33f9cd6679bd235d3ec6e6115876fcb99aebeaf5
Opcode Fuzzy Hash: ff79020cb9b2a78ec5f4e972f6e546c4b1a6325e645a5aa9eb3dfdfd630b0754
Instruction Fuzzy Hash: A8F04934014748EBDB156F26EC0C7583FAABB02326F08E224F46A841F1C7799995DF34

Uniqueness

Uniqueness Score: -1.00%

Function 005F2E5B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00600FF6: std::exception::exception.LIBCMT ref: 0060102C
Part of subcall function 00600FF6: __CxxThrowException@8.LIBCMT ref: 00601041

Part of subcall function 005E7F41: _memmove.LIBCMT ref: 005E7F82

Part of subcall function 005E7BB1: _memmove.LIBCMT ref: 005E7C0B

__swprintf.LIBCMT ref: 005F302D

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 005F2EC6

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: fe6f75e6e3485155f2f3c110065aea08303d02f94d316956e57c6b628c62a461
Instruction ID: 64205206448252cb4ba665aed37cab4e26f6764d3352f8d851eb1103547ec41a
Opcode Fuzzy Hash: fe6f75e6e3485155f2f3c110065aea08303d02f94d316956e57c6b628c62a461
Instruction Fuzzy Hash: 5C91B0311086569FDB18EF24D989C7FBBA9FF85740F00491EF582972A1EE24EE44CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0063B7B6 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 0063B981

Strings

Container, xrefs: 0063B8FE
AutoIt3GUI, xrefs: 0063B8F9
%g, xrefs: 0063BA24

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container$%g
API String ID: 3565006973-565656749
Opcode ID: 99399ed36de1a2cb1306080833fb90730ec3b354f84b91852a4d502e377f02ba
Instruction ID: 919f883ae2368e471282d048ebd12b2cafa4fcccdf8e2182eac4eddefdc92d94
Opcode Fuzzy Hash: 99399ed36de1a2cb1306080833fb90730ec3b354f84b91852a4d502e377f02ba
Instruction Fuzzy Hash: 0A913B706006019FDB64DF68C884B6ABBEAFF49710F14956DFA49CB791DB70E841CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0060524D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 006052DD

Part of subcall function 00610340: __87except.LIBCMT ref: 0061037B

Strings

pow, xrefs: 006052B5, 006052D2

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 1ec0970598be06515edbc6e8bf5f81b0f2f9cea384bddde111b56ac68d425de4
Instruction ID: fba1956c4651bdf2b6189fb07ef5545451449336e3a80131561dd76b826577de
Opcode Fuzzy Hash: 1ec0970598be06515edbc6e8bf5f81b0f2f9cea384bddde111b56ac68d425de4
Instruction Fuzzy Hash: 86513921A49602C6EF1DB724C9813EB2BD79F00750F284D59E09A863E5EFB48DD49E86

Uniqueness

Uniqueness Score: -1.00%

Function 0060023B Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163COMMON

Download Yara Rule

Strings

#, xrefs: 00600280
+, xrefs: 00600277

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID:
String ID: #$+
API String ID: 0-2552117581
Opcode ID: 11e60077c1486993198dac0f43f2207933d88049a2648e45665dedcc7edf1a3c
Instruction ID: 51b6d0e3fe1b17be601856f887196560ceec31ff004b611f932d6b014bda8734
Opcode Fuzzy Hash: 11e60077c1486993198dac0f43f2207933d88049a2648e45665dedcc7edf1a3c
Instruction Fuzzy Hash: F65121755046469FDF1A9F28C8886FA7BAAFF59310F144055EC929B3E0D7309D42CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 005F3297 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 161COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 005F33D7
_memmove.LIBCMT ref: 005F3470
_free.LIBCMT ref: 005F3496
_memmove.LIBCMT ref: 005F3549

Strings

Oa_, xrefs: 005F3482

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: _memmove$_free
String ID: Oa_
API String ID: 2620147621-62195052
Opcode ID: 3e6325fac4bd7c0163935e358aefc03340332acc2f7fae16026fa9d1ba591c21
Instruction ID: 79fb7900ce30b41bcb52f9231e4009f12d49c52f91b7d38822e000994da5ef32
Opcode Fuzzy Hash: 3e6325fac4bd7c0163935e358aefc03340332acc2f7fae16026fa9d1ba591c21
Instruction Fuzzy Hash: 08515AB16093469FEB24CF28C481B6BBBE5BF85310F04492DEA89C7351DB35E901CB92

Uniqueness

Uniqueness Score: -1.00%

Function 005F62F2 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 005F63A8
_memmove.LIBCMT ref: 005F6446
_memset.LIBCMT ref: 005F646A

Strings

ERCP, xrefs: 005F6313

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: _memset$_memmove
String ID: ERCP
API String ID: 2532777613-1384759551
Opcode ID: fa917746c7d0bd384fe383afa2d0452659b967d83de74d89b60806158cfc373e
Instruction ID: b0fcdfaf4ec97c750b94287b0cf2d16b58e1ef7f2429dbbcacc449c14b1c1e9c
Opcode Fuzzy Hash: fa917746c7d0bd384fe383afa2d0452659b967d83de74d89b60806158cfc373e
Instruction Fuzzy Hash: 1E518E719003099BDB24DF65C8857AABFF9FF04714F20856EEA4ACB281E7759984CB80

Uniqueness

Uniqueness Score: -1.00%

Function 00667648 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 006676D0
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 006676E4
SendMessageW.USER32(?,00001002,00000000,?), ref: 00667708

Strings

SysMonthCal32, xrefs: 0066769B

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: d954b371cd50fb1c9d9216c6c6d81a9b7e82b67d6442687b0b2d643b5f93545b
Instruction ID: 69824b3782aff703172736809201e1553eae0417b7defaba17158060135c9616
Opcode Fuzzy Hash: d954b371cd50fb1c9d9216c6c6d81a9b7e82b67d6442687b0b2d643b5f93545b
Instruction Fuzzy Hash: E221B232504219BBDF15CFA4DC46FEA3B7AFF48718F110214FE15AB1D1DAB1A8518BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00666F1F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00666FAA
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00666FBA
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00666FDF

Strings

Listbox, xrefs: 00666F77

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 0d4696bac9f6ab19cfc056be6b910905eb347d361a82f11859d9123a4598a7ff
Instruction ID: e286b81f7e7126d53c866fba15fb33153769aafea19e8de4d48777d383a9d8a3
Opcode Fuzzy Hash: 0d4696bac9f6ab19cfc056be6b910905eb347d361a82f11859d9123a4598a7ff
Instruction Fuzzy Hash: 5E21A432610118BFDF118F54EC85FEB3BABEF89754F018124F9159B290C6B1AC51CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0066797D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 006679E1
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 006679F6
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00667A03

Strings

msctls_trackbar32, xrefs: 006679B8

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 8f8c7d745303bf1da4853720cc48e3f1dde340ffa53721aa091ebec21a4d412b
Instruction ID: 8bada7ddd665d6eaa7a808b8217ddc6ffedeeb3e2104cc8dfdb1c0d63bc9005b
Opcode Fuzzy Hash: 8f8c7d745303bf1da4853720cc48e3f1dde340ffa53721aa091ebec21a4d412b
Instruction Fuzzy Hash: 2911E772244208BBDF149F70CC05FEB37AAEF89768F110619F641A6191D271D851CB60

Uniqueness

Uniqueness Score: -1.00%

Function 005E4C95 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,005E4C2E), ref: 005E4CA3
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 005E4CB5

Strings

kernel32.dll, xrefs: 005E4C9E
GetNativeSystemInfo, xrefs: 005E4CAF

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: 469b8bb417d89a05643369045cd8d466d8f6d63db02e260aafe07ee2ac19037a
Instruction ID: 3311e4055f25f925a1405abd212832019da0d65ea865c4e9c6421d2dbd874f0d
Opcode Fuzzy Hash: 469b8bb417d89a05643369045cd8d466d8f6d63db02e260aafe07ee2ac19037a
Instruction Fuzzy Hash: 06D01730510723CFD7209F32EA18606BAE7BF06791B229C3AD8CAD6150EAB0D880CA50

Uniqueness

Uniqueness Score: -1.00%

Function 005E4D61 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,005E4D2E,?,005E4F4F,?,006A62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 005E4D6F
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 005E4D81

Strings

Wow64DisableWow64FsRedirection, xrefs: 005E4D7B
kernel32.dll, xrefs: 005E4D6A

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 429b15e1f1676afc80a9dfc9186a306ebaeca273c5e64a5be3ea90897f8d4197
Instruction ID: dffe56f400fa97ca655f4bdae94a734535a750b86027aee37da8768e7e6cc201
Opcode Fuzzy Hash: 429b15e1f1676afc80a9dfc9186a306ebaeca273c5e64a5be3ea90897f8d4197
Instruction Fuzzy Hash: 8BD01270510753CFD7209F31ED08656B6D9BF15391B119879D4C6D6650D6B0D480CE50

Uniqueness

Uniqueness Score: -1.00%

Function 005E4D94 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,005E4CE1,?), ref: 005E4DA2
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 005E4DB4

Strings

Wow64RevertWow64FsRedirection, xrefs: 005E4DAE
kernel32.dll, xrefs: 005E4D9D

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 4d07309ed37bbd3ed505f4ab911ca435e2d64d8910e8b5b3ed21fb6789e9ea71
Instruction ID: f211ee98c226f088d74485f64553aa7519142b307da084c0d0db4c7db682be3d
Opcode Fuzzy Hash: 4d07309ed37bbd3ed505f4ab911ca435e2d64d8910e8b5b3ed21fb6789e9ea71
Instruction Fuzzy Hash: 3AD05E71550713CFDB209F32ED08B86BAEABF06395B12D83ED8C6D6550EBB0D880CA50

Uniqueness

Uniqueness Score: -1.00%

Function 00661072 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,006612C1), ref: 00661080
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00661092

Strings

RegDeleteKeyExW, xrefs: 0066108C
advapi32.dll, xrefs: 0066107B

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: b1fdd3d325066bc13dcaa9274a8d3d71c2ab114ee2714fa35c67a9ffd91e6233
Instruction ID: 48ebf6bad1b7713ecd1314f472e796374809cd77d60cb8fe5f5b08bb4dcf8fd2
Opcode Fuzzy Hash: b1fdd3d325066bc13dcaa9274a8d3d71c2ab114ee2714fa35c67a9ffd91e6233
Instruction Fuzzy Hash: FBD01230510712CFDB205F35E928566B6EAEF06791B15EC39E485DA650DBB0C4C0C650

Uniqueness

Uniqueness Score: -1.00%

Function 006593F5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,00659009,?,0066F910), ref: 00659403
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00659415

Strings

kernel32.dll, xrefs: 006593FE
GetModuleHandleExW, xrefs: 0065940F

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 9ea66f6b6e60c53b3ffd53677361a47db282bcdaf6681fa50882d13871428b9b
Instruction ID: 13af7bd90ad6df140a8fffd4a655da3b35a71689bdba7dbe0614221d198f60b0
Opcode Fuzzy Hash: 9ea66f6b6e60c53b3ffd53677361a47db282bcdaf6681fa50882d13871428b9b
Instruction Fuzzy Hash: 12D05B34514713CFD7209F71E908547B6D7AF06392F11D83DD885D6650D7B0C884D760

Uniqueness

Uniqueness Score: -1.00%

Function 00621B3E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00621B42
__swprintf.LIBCMT ref: 00621B73

Strings

WIN_XPe, xrefs: 00621BB2
%.3d, xrefs: 00621B4D

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: 7419f3b20fead062e264dc4fcc4a0fd139e6186127d74b4a4045fe974f73d000
Instruction ID: 80dbc105fbf58a210ba17d749335e11d5d4fc2b5019456fa0b08d9be12ff6c89
Opcode Fuzzy Hash: 7419f3b20fead062e264dc4fcc4a0fd139e6186127d74b4a4045fe974f73d000
Instruction Fuzzy Hash: 59D01271C0C56CEACB489B90AC548FA777EAB25303F1045D2F90299440F2749B869F25

Uniqueness

Uniqueness Score: -1.00%

Function 006376C5 Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2288092cf3532fc00a03c446cded5f8ed2eeb344e9be968d3b01ea3148ae462a
Instruction ID: f7d6d19793a752c4ab23051e4ed960d5a221cd7d3ae984990d2e2661a25448e2
Opcode Fuzzy Hash: 2288092cf3532fc00a03c446cded5f8ed2eeb344e9be968d3b01ea3148ae462a
Instruction Fuzzy Hash: D5C13CB5A0421AEFCB24CF94C884AAEB7B6FF48714F158599E805EB351D730ED81DB90

Uniqueness

Uniqueness Score: -1.00%

Function 0065E33E Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 0065E3D2
CharLowerBuffW.USER32(?,?), ref: 0065E415

Part of subcall function 0065DAB9: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0065DAD9

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0065E615
_memmove.LIBCMT ref: 0065E628

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: d4b11024557279fdc4cfaa48cd83d1933e318a8e36ed2cc2e5e2602ade8ffcab
Instruction ID: 7c3a265a9a96de13c7f731f1cd28f85d3aabafe98b10f003dde3194d34c0dca3
Opcode Fuzzy Hash: d4b11024557279fdc4cfaa48cd83d1933e318a8e36ed2cc2e5e2602ade8ffcab
Instruction Fuzzy Hash: 21C16D716083419FCB18DF28C48095ABBE5FF88314F14896DF899DB351E731EA4ACB82

Uniqueness

Uniqueness Score: -1.00%

Function 006583A8 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 006583D8
CoUninitialize.OLE32 ref: 006583E3

Part of subcall function 0063DA5D: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0063DAC5

VariantInit.OLEAUT32(?), ref: 006583EE
VariantClear.OLEAUT32(?), ref: 006586BF

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: b5572c4b9443b0cb8219503fe40b585052c473a56bff15ac16dd61dc83667821
Instruction ID: 357762ae721e7dd08fdca4115909cf41dbdf189fd8ef248ad40fc7f12304a397
Opcode Fuzzy Hash: b5572c4b9443b0cb8219503fe40b585052c473a56bff15ac16dd61dc83667821
Instruction Fuzzy Hash: 27A17B752047429FCB14DF15C485B6ABBE6BF88314F14445CF99AAB7A2CB30ED04CB86

Uniqueness

Uniqueness Score: -1.00%

Function 00636DF3 Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00636E04
SysAllocString.OLEAUT32(00000000), ref: 00636EAD
VariantCopy.OLEAUT32 ref: 00636EDC
VariantClear.OLEAUT32(?), ref: 00636F03

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 6168ae1fcb1aa48f9b3d8ad14b0837de5e229f78c58662250c910f7a8e04f511
Instruction ID: a734f255387fe20cb0dd410bbc0b1e48e4acea32069b181f6a5cb6a22a4e6d10
Opcode Fuzzy Hash: 6168ae1fcb1aa48f9b3d8ad14b0837de5e229f78c58662250c910f7a8e04f511
Instruction Fuzzy Hash: A8510DB4608302AADB74AF65D885A7EB7E7AF44310F20C81FF596DB291DF709840DB85

Uniqueness

Uniqueness Score: -1.00%

Function 006497E5 Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 005E5045: _fseek.LIBCMT ref: 005E505D

Part of subcall function 006499BE: _wcscmp.LIBCMT ref: 00649AAE
Part of subcall function 006499BE: _wcscmp.LIBCMT ref: 00649AC1

_free.LIBCMT ref: 0064992C
_free.LIBCMT ref: 00649933
_free.LIBCMT ref: 0064999E

Part of subcall function 00602F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00609C64), ref: 00602FA9
Part of subcall function 00602F95: GetLastError.KERNEL32(00000000,?,00609C64), ref: 00602FBB

_free.LIBCMT ref: 006499A6

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: 524c7517910f68098ecd1505304e53dc2ab353584dbe7d24e86b344c5f7c1620
Instruction ID: 410e88ae3a86e06a8d8a3e069951ac6adbbe9f275e4cc800684625206226b65f
Opcode Fuzzy Hash: 524c7517910f68098ecd1505304e53dc2ab353584dbe7d24e86b344c5f7c1620
Instruction Fuzzy Hash: C3515FB1D44259AFDF289F65CC45A9EBBBAFF48300F0404AEB249A7241DB715E90CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00669A63 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(013BF690,?), ref: 00669AD2
ScreenToClient.USER32(00000002,00000002), ref: 00669B05
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00669B72

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: b66682101cd9361fce791708a20fc6551ffbf9d860a0f6a5886eb1d8bdcbb42e
Instruction ID: a9523e8c74780170752ee69bd797d290b5d8ad7e813c157d80ac67958d724e68
Opcode Fuzzy Hash: b66682101cd9361fce791708a20fc6551ffbf9d860a0f6a5886eb1d8bdcbb42e
Instruction Fuzzy Hash: 66510A34A00249EFCF14DF68E9819EE7BBAFB55360F148169F8259B390D770AD41CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00656CBD Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00656CE4
WSAGetLastError.WSOCK32(00000000), ref: 00656CF4

Part of subcall function 005E9997: __itow.LIBCMT ref: 005E99C2
Part of subcall function 005E9997: __swprintf.LIBCMT ref: 005E9A0C

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00656D58
WSAGetLastError.WSOCK32(00000000), ref: 00656D64

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: 6410c773306b79ff94c5bdb25f3f354aa7d565235a7b9057e94eb063309f037d
Instruction ID: ed1f1c3740646b8bf03b8d1cd012f81524add12eab7eaf71f01dd7e8baf6797b
Opcode Fuzzy Hash: 6410c773306b79ff94c5bdb25f3f354aa7d565235a7b9057e94eb063309f037d
Instruction Fuzzy Hash: A441B774740201AFEB14AF25DC8AF7A7BE9AF84B10F44845CFA599B3D2DA709C008791

Uniqueness

Uniqueness Score: -1.00%

Function 0065672D Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,0066F910), ref: 006567BA
_strlen.LIBCMT ref: 006567EC

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: b89fce1b3c1913836724ad076d6817349b1938c1d41a51d2ab42beb3776b1e98
Instruction ID: c30cf66b19e7583ab4f6180c91bffab6dbcd6e153da6944c296221ecec1a1498
Opcode Fuzzy Hash: b89fce1b3c1913836724ad076d6817349b1938c1d41a51d2ab42beb3776b1e98
Instruction Fuzzy Hash: 3441C631A00105AFCB18EB65DCC5FAEB7AABF48315F548169FC1997292DB70AD08C7A4

Uniqueness

Uniqueness Score: -1.00%

Function 0064BA5F Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0064BB09
GetLastError.KERNEL32(?,00000000), ref: 0064BB2F
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0064BB54
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0064BB80

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 95c5a5906d6355acc2957d21ce27a003216abb92f6b0cabc884ec2477fddf6d6
Instruction ID: e2953dc9b65a1d862ec6247baba43cc2ab59fcf298cec7412cb4cb3c56f93941
Opcode Fuzzy Hash: 95c5a5906d6355acc2957d21ce27a003216abb92f6b0cabc884ec2477fddf6d6
Instruction Fuzzy Hash: 55413A39200652DFCB14EF15C589A5DBBE2FF89310B199498EC8A9B362CB34FD41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00668AC0 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00668B4D

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 81bbff2787a3aafd6beac0991b5e96dfc187d1d965716b60dd8816b54c8ea1ce
Instruction ID: 4da24ed77dfb28367ab1ec47ed63acf1cd4a4de258db29d49f8c6720f24dc146
Opcode Fuzzy Hash: 81bbff2787a3aafd6beac0991b5e96dfc187d1d965716b60dd8816b54c8ea1ce
Instruction Fuzzy Hash: A931AFB4600244BEEF249F78DC99FE937A7EB0A310F248716FA51D73A1CE70A9409B51

Uniqueness

Uniqueness Score: -1.00%

Function 0066ADF1 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0066AE1A
GetWindowRect.USER32(?,?), ref: 0066AE90
PtInRect.USER32(?,?,0066C304), ref: 0066AEA0
MessageBeep.USER32(00000000), ref: 0066AF11

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: e1f0d03c6b91d5a9e8caf6d1adfb012450aea8d1d8b8f38523ec0fdcc37e0ef3
Instruction ID: 111ab848e82a09357445883f89e7228b385ed3822757ede668b23ac67b94f72c
Opcode Fuzzy Hash: e1f0d03c6b91d5a9e8caf6d1adfb012450aea8d1d8b8f38523ec0fdcc37e0ef3
Instruction Fuzzy Hash: 05418070600115DFCB11DF98D884AA9BBF7FF89740F1881A9E415EB351D731A802DFA2

Uniqueness

Uniqueness Score: -1.00%

Function 00640FE6 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00641037
SetKeyboardState.USER32(00000080,?,00000001), ref: 00641053
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 006410B9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 0064110B

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 458c1a7c18a3e47c85fefa20ca58afbf53070b2e4bf9796c4de56c47d9543ba2
Instruction ID: a584e4bb3beb8033df53020b1bda7c973f8f07b76f72dc018f9529ba32df33fb
Opcode Fuzzy Hash: 458c1a7c18a3e47c85fefa20ca58afbf53070b2e4bf9796c4de56c47d9543ba2
Instruction Fuzzy Hash: DD318C30E40698AEFF348B65CC05BF9BBABAB56710F04431AF5819A2D1CB748DC18765

Uniqueness

Uniqueness Score: -1.00%

Function 00641121 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 00641176
SetKeyboardState.USER32(00000080,?,00008000), ref: 00641192
PostMessageW.USER32(00000000,00000101,00000000), ref: 006411F1
SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 00641243

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: d8da46b7b9c2bf7f4641a8fc244597ab88adc8e98726df735373a0946fc30c00
Instruction ID: 56de2364c301de8f7e385c5d5c9940ef45a0d89b16d07b0af97bf64d62de4a0e
Opcode Fuzzy Hash: d8da46b7b9c2bf7f4641a8fc244597ab88adc8e98726df735373a0946fc30c00
Instruction Fuzzy Hash: 13312830A407189AFF208B65CC087FA7BABAB4A310F04431EE691DB6D1C3754AD59755

Uniqueness

Uniqueness Score: -1.00%

Function 00616415 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0061644B
__isleadbyte_l.LIBCMT ref: 00616479
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 006164A7
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 006164DD

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 2b3ea7509026c48acd43b8369b792ad79f9c58c7297daeded03144d1766a7294
Instruction ID: 4e34f99e167a8f23d30af0a09963d93a6e007c1db18123b22e1428eab65ef9b1
Opcode Fuzzy Hash: 2b3ea7509026c48acd43b8369b792ad79f9c58c7297daeded03144d1766a7294
Instruction Fuzzy Hash: 7431DE35600256AFDB25CF69C844BFA7BEBFF41310F198069F864872A0EB31D891DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00665175 Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00665189

Part of subcall function 0064387D: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00643897
Part of subcall function 0064387D: GetCurrentThreadId.KERNEL32 ref: 0064389E
Part of subcall function 0064387D: AttachThreadInput.USER32(00000000,?,006452A7), ref: 006438A5

GetCaretPos.USER32(?), ref: 0066519A
ClientToScreen.USER32(00000000,?), ref: 006651D5
GetForegroundWindow.USER32 ref: 006651DB

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: adf2ef0e3483c70bdcdb8e1a19581964ca292583e7c5452af2e91d160bdf8a3d
Instruction ID: 57c1c3abc3397f08ccedb33fca511962ad900ee627ca887ef4cf6b52a34b6e36
Opcode Fuzzy Hash: adf2ef0e3483c70bdcdb8e1a19581964ca292583e7c5452af2e91d160bdf8a3d
Instruction Fuzzy Hash: 49312FB1900149AFDB04EFA5CC459EFFBFAEF98300F10506AE455E7241EA759E45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0066C788 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 005E2612: GetWindowLongW.USER32(?,000000EB), ref: 005E2623

GetCursorPos.USER32(?), ref: 0066C7C2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0061BBFB,?,?,?,?,?), ref: 0066C7D7
GetCursorPos.USER32(?), ref: 0066C824
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0061BBFB,?,?,?), ref: 0066C85E

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 5124016d2f94a89890a137e31f67d5db23136d8b4b8f4f65aeb2460b7b792e68
Instruction ID: e077af05a15b7035885ce509a07faa557cafb2ce7fc0d339499eda1bb5c27bbd
Opcode Fuzzy Hash: 5124016d2f94a89890a137e31f67d5db23136d8b4b8f4f65aeb2460b7b792e68
Instruction Fuzzy Hash: A8319E35600418AFCB25DF59C898EFA7FBBEB49720F0480A9F9458B261C731AD50DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00600BD0 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 00600BF2

Part of subcall function 005E5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00647B20,?,?,00000000), ref: 005E5B8C
Part of subcall function 005E5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00647B20,?,?,00000000,?,?), ref: 005E5BB0

_fprintf.LIBCMT ref: 00600C29
OutputDebugStringW.KERNEL32(?), ref: 00636331

Part of subcall function 00604CDA: _flsall.LIBCMT ref: 00604CF3

__setmode.LIBCMT ref: 00600C5E

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: 65f845aa160a967af89f2c9565bc9238974134e927b0b80e304707524fd07797
Instruction ID: 6f52d8e85c161286bd0164303aacaa8dcc690e71417f77837b76be06f8ea21ce
Opcode Fuzzy Hash: 65f845aa160a967af89f2c9565bc9238974134e927b0b80e304707524fd07797
Instruction Fuzzy Hash: A91135729442047AEB1CB3B49C46ABF7B6BAF81320F14011EF204971D2EF311D424799

Uniqueness

Uniqueness Score: -1.00%

Function 00638B9E Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00638652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00638669
Part of subcall function 00638652: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00638673
Part of subcall function 00638652: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00638682
Part of subcall function 00638652: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00638689
Part of subcall function 00638652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0063869F

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00638BEB
_memcmp.LIBCMT ref: 00638C0E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00638C44
HeapFree.KERNEL32(00000000), ref: 00638C4B

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: fe685e436cc68e149341b902c61134f5d3a9522d859852ff009ca1ac81c0d6c4
Instruction ID: 212c76266444e8329d097739380c284727cb5e3f46273b5235d9f03bf566ca02
Opcode Fuzzy Hash: fe685e436cc68e149341b902c61134f5d3a9522d859852ff009ca1ac81c0d6c4
Instruction Fuzzy Hash: 6C21AC71E01209EFCB00CFA4C955BEEB7BAEF40340F044099E454AB240DB75AE06CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00651A5B Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00651A97

Part of subcall function 00651B21: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00651B40
Part of subcall function 00651B21: InternetCloseHandle.WININET(00000000), ref: 00651BDD

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: c9d3a2aa5a2b27473c7e2d138daaadd933de0652bfa8b392ad7a2332bd8f1de7
Instruction ID: fb7197ec04296a77ca1188835ace49dcc14657ccf634ec5c6d37038f9fe3946b
Opcode Fuzzy Hash: c9d3a2aa5a2b27473c7e2d138daaadd933de0652bfa8b392ad7a2332bd8f1de7
Instruction Fuzzy Hash: 4D21A135200605BFDB129F60DC01FBABBAFFF4A702F14001AFE119A650EB71D8199BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0063E1AF Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0063F5AD: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,0063E1C4,?,?,?,0063EFB7,00000000,000000EF,00000119,?,?), ref: 0063F5BC
Part of subcall function 0063F5AD: lstrcpyW.KERNEL32(00000000,?), ref: 0063F5E2
Part of subcall function 0063F5AD: lstrcmpiW.KERNEL32(00000000,?,0063E1C4,?,?,?,0063EFB7,00000000,000000EF,00000119,?,?), ref: 0063F613

lstrlenW.KERNEL32(?,00000002,?,?,?,?,0063EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 0063E1DD
lstrcpyW.KERNEL32(00000000,?), ref: 0063E203
lstrcmpiW.KERNEL32(00000002,cdecl,?,0063EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 0063E237

Strings

cdecl, xrefs: 0063E22E

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: a111305f20b75607040e32de0068bbb50e4c8e021aacabd5e4cba2a3f6d76785
Instruction ID: dffbc08e43ff05cc7d6545f9ff838d064a3a4fa878a38e68dfdbb5cc568a6b5f
Opcode Fuzzy Hash: a111305f20b75607040e32de0068bbb50e4c8e021aacabd5e4cba2a3f6d76785
Instruction Fuzzy Hash: 78118E36200345EFDB25AF64D845ABB77AAFF85350F40402AF806CB3A4EB729951D7E4

Uniqueness

Uniqueness Score: -1.00%

Function 00615332 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00615351

Part of subcall function 0060594C: __FF_MSGBANNER.LIBCMT ref: 00605963
Part of subcall function 0060594C: __NMSG_WRITE.LIBCMT ref: 0060596A
Part of subcall function 0060594C: RtlAllocateHeap.NTDLL(013A0000,00000000,00000001,00000000,?,?,?,00601013,?), ref: 0060598F

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 6aa52b16dfff66fbf5b776ab8d030ba1ae461f98171d8265d91cb2c2f8fec9a5
Instruction ID: 0ed49c5bf1abf281af3c60c4d19d848d09d76887edde9eee6615402b4ff44046
Opcode Fuzzy Hash: 6aa52b16dfff66fbf5b776ab8d030ba1ae461f98171d8265d91cb2c2f8fec9a5
Instruction Fuzzy Hash: 9D11C432544A15EECB292F70AC046DB779B9F903A0B28052EF956972E0FFB189819694

Uniqueness

Uniqueness Score: -1.00%

Function 005E4531 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 005E4560

Part of subcall function 005E410D: _memset.LIBCMT ref: 005E418D
Part of subcall function 005E410D: _wcscpy.LIBCMT ref: 005E41E1
Part of subcall function 005E410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 005E41F1

KillTimer.USER32(?,00000001,?,?), ref: 005E45B5
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 005E45C4
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0061D6CE

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: de8eaabdc0f609337626c4e91d3f54802842f257f7ec6f93ba87e539452c062c
Instruction ID: 2cf6112bcc72b74332404a7fb57cc4803c76a6a0f41c3edf729cfc8af6fdf904
Opcode Fuzzy Hash: de8eaabdc0f609337626c4e91d3f54802842f257f7ec6f93ba87e539452c062c
Instruction Fuzzy Hash: A421C8705047949FEB328B24D855BE7BFEEAF02304F04009EE6DE56281C7B45A858F91

Uniqueness

Uniqueness Score: -1.00%

Function 006440B1 Relevance: 6.1, APIs: 4, Instructions: 65fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 006440D1
_memset.LIBCMT ref: 006440F2
DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 00644144
CloseHandle.KERNEL32(00000000), ref: 0064414D

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle_memset
String ID:
API String ID: 1157408455-0
Opcode ID: 9e8046495005f4dee731b5675d282f1279c3afe02cfc4f82a2ff6d34af3466f1
Instruction ID: 55fdd94838b1cb2f6ae65914fc68fd1ec1709592483ddeeeb750e37c711e8ae3
Opcode Fuzzy Hash: 9e8046495005f4dee731b5675d282f1279c3afe02cfc4f82a2ff6d34af3466f1
Instruction Fuzzy Hash: 0711CD759012287AD7305BA5AC4DFEBBB7DEF45760F10419AF908D7280D6744F80CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0065667C Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 005E5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00647B20,?,?,00000000), ref: 005E5B8C
Part of subcall function 005E5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00647B20,?,?,00000000,?,?), ref: 005E5BB0

gethostbyname.WSOCK32(?,?,?), ref: 006566AC
WSAGetLastError.WSOCK32(00000000), ref: 006566B7
_memmove.LIBCMT ref: 006566E4
inet_ntoa.WSOCK32(?), ref: 006566EF

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: 3b9d3dbd4a3d47900177219c9961997d7687d043977a00b6e7b4af14447a67ed
Instruction ID: 9669f9127b03fe985a3f73670d66b56aafa391bda4721124a9548ce05c67a06c
Opcode Fuzzy Hash: 3b9d3dbd4a3d47900177219c9961997d7687d043977a00b6e7b4af14447a67ed
Instruction Fuzzy Hash: C3119335500106AFCB04EBA1DD8ADEE7BB9BF44311B144069F546A7161EF709E04CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00639023 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00639043
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00639055
SendMessageW.USER32(?,000000C9,?,00000000), ref: 0063906B
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00639086

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: a9650a32bf6b191a5727e6d0eac76b87fdec9164d89a40a908a3051c5326a21b
Instruction ID: bc871b683f2695b9fac1beb429f7b90d2fc0b4521d5511a70dec94bb054c1ce1
Opcode Fuzzy Hash: a9650a32bf6b191a5727e6d0eac76b87fdec9164d89a40a908a3051c5326a21b
Instruction Fuzzy Hash: EE114C79900218FFDB10DFA5C884E9DBB75FB48310F204095E904B7250D7716E10DBE4

Uniqueness

Uniqueness Score: -1.00%

Function 005E1290 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 005E2612: GetWindowLongW.USER32(?,000000EB), ref: 005E2623

DefDlgProcW.USER32(?,00000020,?), ref: 005E12D8
GetClientRect.USER32(?,?), ref: 0061B84B
GetCursorPos.USER32(?), ref: 0061B855
ScreenToClient.USER32(?,?), ref: 0061B860

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 4a58363e2dfdda768b22383941da13e5b2467b599b29f655217bbd2024c1956e
Instruction ID: f43fee49bcdd86825ae066a204c79273a3b0ca1d9ca1b852f27c02acc5d27fba
Opcode Fuzzy Hash: 4a58363e2dfdda768b22383941da13e5b2467b599b29f655217bbd2024c1956e
Instruction Fuzzy Hash: 74113A3990045AAFCB04EF96DC899FE7BB9FB45300F000455FA51E7251C770BA518BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00641652 Relevance: 6.1, APIs: 4, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,006401FD,?,00641250,?,00008000), ref: 0064166F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,006401FD,?,00641250,?,00008000), ref: 00641694
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,006401FD,?,00641250,?,00008000), ref: 0064169E
Sleep.KERNEL32(?,?,?,?,?,?,?,006401FD,?,00641250,?,00008000), ref: 006416D1

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 133b1ae453c880a5445e130475822b2e1983429d3389d5aecb0485a60429f698
Instruction ID: c5c37a0cdfcf60b396c1a3bbbd8d46708c106d17b76ab273063241b8120e807e
Opcode Fuzzy Hash: 133b1ae453c880a5445e130475822b2e1983429d3389d5aecb0485a60429f698
Instruction Fuzzy Hash: 46115E31C0151DD7CF009FA5E948AEEBB7AFF0A751F164059E940BA240CB7095A08B96

Uniqueness

Uniqueness Score: -1.00%

Function 00617207 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 0061722B

Part of subcall function 00617912: __fltout2.LIBCMT ref: 0061793B

__cftog_l.LIBCMT ref: 00617251
__cftoe_l.LIBCMT ref: 00617283

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 25060d06297efc1d672fcd6e8db22c89fa4b4b793c7207820e5e56575ba6e56b
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: D0018C3204814ABBCF525E84DC018EE3F73BF29350B188615FA1858131C237CAB2AB81

Uniqueness

Uniqueness Score: -1.00%

Function 0066B57F Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 0066B59E
ScreenToClient.USER32(?,?), ref: 0066B5B6
ScreenToClient.USER32(?,?), ref: 0066B5DA
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0066B5F5

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 66740dc8be85a3e8eab87a4110a56a15cb6ccf1c15cd26afb5e1e6560e48c724
Instruction ID: 678fdebc43410ca0fe374297d578ad13856de714df7b1e16c704038ff48a95d9
Opcode Fuzzy Hash: 66740dc8be85a3e8eab87a4110a56a15cb6ccf1c15cd26afb5e1e6560e48c724
Instruction Fuzzy Hash: B11143B9D00209EFDB41DFA9D8849EEFBB9FB08310F109166E915E3220D775AA558F90

Uniqueness

Uniqueness Score: -1.00%

Function 0066B8EF Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0066B8FE
_memset.LIBCMT ref: 0066B90D
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,006A7F20,006A7F64), ref: 0066B93C
CloseHandle.KERNEL32 ref: 0066B94E

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: 22e7f7601893dbd04a2094f039e0845994eb4dccb5cb08971b7d18d9698556b2
Instruction ID: ebb293253367020d97db7e78dccb28e7167f9034e14f76a850504a923cae1277
Opcode Fuzzy Hash: 22e7f7601893dbd04a2094f039e0845994eb4dccb5cb08971b7d18d9698556b2
Instruction Fuzzy Hash: 6FF05EB2544350BFE3103B61AC05FBB3A5EEB0A355F006060FA08E5292E7715E108BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00646E7C Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00646E88

Part of subcall function 0064794E: _memset.LIBCMT ref: 00647983

_memmove.LIBCMT ref: 00646EAB
_memset.LIBCMT ref: 00646EB8
LeaveCriticalSection.KERNEL32(?), ref: 00646EC8

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: f11d1e198191bb4eebfc2d80f258549d296f1a569c444b7504acb30743d6674b
Instruction ID: ac8ddbe1955136e83153a05b04976607fc13e75ecfe243f79d89047b9afc4009
Opcode Fuzzy Hash: f11d1e198191bb4eebfc2d80f258549d296f1a569c444b7504acb30743d6674b
Instruction Fuzzy Hash: 63F0543A104210ABCF416F55EC85A4ABB2BEF45320B048065FE095F256C771A911DBB4

Uniqueness

Uniqueness Score: -1.00%

Function 0066C00C Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 005E12F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 005E134D
Part of subcall function 005E12F3: SelectObject.GDI32(?,00000000), ref: 005E135C
Part of subcall function 005E12F3: BeginPath.GDI32(?), ref: 005E1373
Part of subcall function 005E12F3: SelectObject.GDI32(?,00000000), ref: 005E139C

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0066C030
LineTo.GDI32(00000000,?,?), ref: 0066C03D
EndPath.GDI32(00000000), ref: 0066C04D
StrokePath.GDI32(00000000), ref: 0066C05B

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: bc279857105831b4f775041886a7090638ec5396a5e0c8f206594f0abdb4cdef
Instruction ID: 913726a9fa0af10645a1288e9b4d4518429bfa298d6313fd045399d81c572237
Opcode Fuzzy Hash: bc279857105831b4f775041886a7090638ec5396a5e0c8f206594f0abdb4cdef
Instruction Fuzzy Hash: 5BF05E35005659BBDB126F56EC0DFDE3F5AAF06321F145000FA11611E287B95561CFE9

Uniqueness

Uniqueness Score: -1.00%

Function 0063A37C Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0063A399
GetWindowThreadProcessId.USER32(?,00000000), ref: 0063A3AC
GetCurrentThreadId.KERNEL32 ref: 0063A3B3
AttachThreadInput.USER32(00000000), ref: 0063A3BA

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 7258dfb9ebe5c53f8d5e70d8bb3f9d7cbe8c67f012f4e8b34ebc91fd535fbf4f
Instruction ID: b0057aab2b2844c34dbfd42fc77e97b214a328039b6500f4a1b77a9115c60b3b
Opcode Fuzzy Hash: 7258dfb9ebe5c53f8d5e70d8bb3f9d7cbe8c67f012f4e8b34ebc91fd535fbf4f
Instruction Fuzzy Hash: 76E0C931545228BAEB205BA2EC0DED77F5EEF167A1F009025F549D5060C6B19541DBE1

Uniqueness

Uniqueness Score: -1.00%

Function 005E2218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 005E2231
SetTextColor.GDI32(?,000000FF), ref: 005E223B
SetBkMode.GDI32(?,00000001), ref: 005E2250
GetStockObject.GDI32(00000005), ref: 005E2258
GetWindowDC.USER32(?,00000000), ref: 0061C0D3
GetPixel.GDI32(00000000,00000000,00000000), ref: 0061C0E0
GetPixel.GDI32(00000000,?,00000000), ref: 0061C0F9
GetPixel.GDI32(00000000,00000000,?), ref: 0061C112
GetPixel.GDI32(00000000,?,?), ref: 0061C132
ReleaseDC.USER32(?,00000000), ref: 0061C13D

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: eeaeb9e3af8de5c9d5ac62247664e3bc6f0a554849cffca23d21fec061ada0ad
Instruction ID: 0d76303d4dd98e00c879c7fc468fbc85efbe4dd302eff939f3b02ab45e032d7e
Opcode Fuzzy Hash: eeaeb9e3af8de5c9d5ac62247664e3bc6f0a554849cffca23d21fec061ada0ad
Instruction Fuzzy Hash: E9E06D32544244EBDB215FA4FC0D7D87B16EB16336F048366FAA9880E187B249C0DB12

Uniqueness

Uniqueness Score: -1.00%

Function 00638C5A Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00638C63
OpenThreadToken.ADVAPI32(00000000,?,?,?,0063882E), ref: 00638C6A
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,0063882E), ref: 00638C77
OpenProcessToken.ADVAPI32(00000000,?,?,?,0063882E), ref: 00638C7E

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: fa789c148387cbdf1de34d6058d1c80403d9163fe933fb98635e6a00f1a3ab45
Instruction ID: b84b1e75814a59ba41d31cd8ea47a4e422f91b71a759ba00c52f1cb14d040c20
Opcode Fuzzy Hash: fa789c148387cbdf1de34d6058d1c80403d9163fe933fb98635e6a00f1a3ab45
Instruction Fuzzy Hash: F2E04F36646311ABD7205FB17D0CB963BAEAF50792F146828F245DA040DA7488418BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00622187 Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00622187
GetDC.USER32(00000000), ref: 00622191
GetDeviceCaps.GDI32(00000000,0000000C), ref: 006221B1
ReleaseDC.USER32(?), ref: 006221D2

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 28c27e25fbb37db6c643501b132c9e350264a187c482002b239355315631cb54
Instruction ID: 335ce23b3733270369c4a2ef6dfc9e3d08edae6592418987a1e4c52424dc8057
Opcode Fuzzy Hash: 28c27e25fbb37db6c643501b132c9e350264a187c482002b239355315631cb54
Instruction Fuzzy Hash: F8E0E5B5800615EFDB019F61E808A9D7FB2FB4C351F109429F95AD7220CBB981429F40

Uniqueness

Uniqueness Score: -1.00%

Function 0062219B Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0062219B
GetDC.USER32(00000000), ref: 006221A5
GetDeviceCaps.GDI32(00000000,0000000C), ref: 006221B1
ReleaseDC.USER32(?), ref: 006221D2

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: c310718b44ccaa7e0a598674d39024917325c8a82ffe6767f6ed394faef372a6
Instruction ID: 70eea43578f9f551b14f38b629f9d917e89ba131b03be96d67283b2d9be14e81
Opcode Fuzzy Hash: c310718b44ccaa7e0a598674d39024917325c8a82ffe6767f6ed394faef372a6
Instruction Fuzzy Hash: 6DE012B5800204AFCB019FB1E80869DBFF2FF4C351F109429F99AE7220CBB991429F40

Uniqueness

Uniqueness Score: -1.00%

Function 005E63A0 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 317COMMON

Download Yara Rule

Strings

%g, xrefs: 005E63AE

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID:
String ID: %g
API String ID: 0-3742675072
Opcode ID: 9c272ddf093b7358ec2606bacaafa7b76c78f8db18744e299eb40dc7d61eff2f
Instruction ID: 2eec6eaa970b9849daa678b8df1578cc44da05f970c8b6940f3a6d65c8be83f4
Opcode Fuzzy Hash: 9c272ddf093b7358ec2606bacaafa7b76c78f8db18744e299eb40dc7d61eff2f
Instruction Fuzzy Hash: 83B1D171D0428A9BCF18EF96C4859EDBFB5FF643C0F544026E992A7191EB309E82CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0065B1B7 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 313COMMON

Download Yara Rule

APIs

__itow_s.LIBCMT ref: 0065B2C3

Strings

xrj, xrefs: 0065B2F9
xrj, xrefs: 0065B325

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: __itow_s
String ID: xrj$xrj
API String ID: 3653519197-308220071
Opcode ID: 9c1a435f923c201cf83c9ade8c64cdadef79c1d180241f9bbbec6f92ec4d5e10
Instruction ID: cda8f94264d4dd6e2deda1fd2ef3dae935d16650d431424be3f854f25b8b0119
Opcode Fuzzy Hash: 9c1a435f923c201cf83c9ade8c64cdadef79c1d180241f9bbbec6f92ec4d5e10
Instruction Fuzzy Hash: 4CB18F70A00109AFCB24DF55C884EFABBBAFF58301F149459FD459B292EB30EA45CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0064B217 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 005FFEC6: _wcscpy.LIBCMT ref: 005FFEE9

Part of subcall function 005E9997: __itow.LIBCMT ref: 005E99C2
Part of subcall function 005E9997: __swprintf.LIBCMT ref: 005E9A0C

__wcsnicmp.LIBCMT ref: 0064B298
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0064B361

Strings

LPT, xrefs: 0064B292

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: 45f8b5d752492ef8968fe6489cd931a615c9f18099f87b2d9cf3c12d9e679b91
Instruction ID: 33a9849f802f1d5c5beddd1320d872cd2b8fd6a4936ed9fe020731add264df3c
Opcode Fuzzy Hash: 45f8b5d752492ef8968fe6489cd931a615c9f18099f87b2d9cf3c12d9e679b91
Instruction Fuzzy Hash: EC618275A00215AFCB19DF95C885EEEB7B9BF48310F115059F546AB391DB70EE40CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00628A77 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 148COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00628B1E
_memmove.LIBCMT ref: 00628B78

Strings

Oa_, xrefs: 00628BF2, 0062E39A, 0062E3B6

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: _memmove
String ID: Oa_
API String ID: 4104443479-62195052
Opcode ID: 0e8fb625b6ddc45725cf2f38ff0b390372a353e6651bb6cb606adee44998cab3
Instruction ID: f16cc7ae040252c35fa232e10d36c3b6e6c33c71d1f33c7a55ea8d2626f58cff
Opcode Fuzzy Hash: 0e8fb625b6ddc45725cf2f38ff0b390372a353e6651bb6cb606adee44998cab3
Instruction Fuzzy Hash: D0515E70A01A19DFCF24CF68D880AAEBBB2FF44305F14852AE85AD7340EB31A955CF51

Uniqueness

Uniqueness Score: -1.00%

Function 005F2AB7 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 005F2AC8
GlobalMemoryStatusEx.KERNEL32(?), ref: 005F2AE1

Strings

@, xrefs: 005F2AD5

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 9080fbe9f3723da0b5758dc5c4645e4f98ea2be44fdedd38bedfd10d50ed81e8
Instruction ID: 4ef58ac80e2837c2503aa2a344bbc966a05590d2003b7fc9e2d40a9b1e880125
Opcode Fuzzy Hash: 9080fbe9f3723da0b5758dc5c4645e4f98ea2be44fdedd38bedfd10d50ed81e8
Instruction Fuzzy Hash: 065149B14187869BD320AF11DC8ABAFBBE8FFC4310F82485DF1D9411A1DB708969CB16

Uniqueness

Uniqueness Score: -1.00%

Function 006499BE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 005E506B: __fread_nolock.LIBCMT ref: 005E5089

_wcscmp.LIBCMT ref: 00649AAE
_wcscmp.LIBCMT ref: 00649AC1

Strings

FILE, xrefs: 006499FA

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: bcad7dad895cdeb3396bab60aa2b8cb738e86150283fdaa89386df5f23165251
Instruction ID: ce6b3cf41e050e8c4f44d0d62b1980bcbbc10e11a3456ea897235c0c17f216ef
Opcode Fuzzy Hash: bcad7dad895cdeb3396bab60aa2b8cb738e86150283fdaa89386df5f23165251
Instruction Fuzzy Hash: A4410971A4061ABADF259FA1CC49FEFBBBEEF45714F000069F900A7281DA759A0487B5

Uniqueness

Uniqueness Score: -1.00%

Function 0062099E Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 006209A9

Strings

Dtj, xrefs: 005EA2B1
Dtj, xrefs: 005EA477

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: ClearVariant
String ID: Dtj$Dtj
API String ID: 1473721057-3505293294
Opcode ID: f7a7d6efa8a96829872264f980fba5ea8764817c01b2c4ac2460908af388cc71
Instruction ID: fa98af46786bda82adadbc32a1e4e0c1567859cb153e5ec1a595f8a089ce1e50
Opcode Fuzzy Hash: f7a7d6efa8a96829872264f980fba5ea8764817c01b2c4ac2460908af388cc71
Instruction Fuzzy Hash: 1D51B4786083828FD758DF2AC484A1ABFE2BB99354F54585DF9858B361D731EC81CF82

Uniqueness

Uniqueness Score: -1.00%

Function 00652882 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00652892
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 006528C8

Strings

|, xrefs: 00652899

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: a7d300561aa57a0d1d906fd37532f500e3b6771ab75187d89ec4d3c379d0364c
Instruction ID: b549e9d3091b45431c1c076974e16fd8cc08b01d895657ef72f21fe99f7edd63
Opcode Fuzzy Hash: a7d300561aa57a0d1d906fd37532f500e3b6771ab75187d89ec4d3c379d0364c
Instruction Fuzzy Hash: 86313A71C0011AAFCF459FA1CC99EEEBFB9FF19300F100069F815A6265DA315A16DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00666CD2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00666D86
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00666DC2

Strings

static, xrefs: 00666D22

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 7de578cd5c762bc481f697b775fa54c73875e7eb81460ad8fc8c63d9092066f4
Instruction ID: 534bb26a0d496f87b8368491e711973cedde63a1ba2764d082e901fa3a8ad70c
Opcode Fuzzy Hash: 7de578cd5c762bc481f697b775fa54c73875e7eb81460ad8fc8c63d9092066f4
Instruction Fuzzy Hash: 7131AF71200604AEDB109F64DC80AFB77BAFF88720F10961DF8A6C7290CA71AC91CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00642D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00642E00
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00642E3B

Strings

0, xrefs: 00642DF9

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: cbfecaf9aa26164c3142971f093cfd8f48d856cad6d0b6c3b5256d79b02eff54
Instruction ID: 1ff0fd81d9d487fea60f7f8d67eb6389e0ab8a5738d1ce251248252bed786e51
Opcode Fuzzy Hash: cbfecaf9aa26164c3142971f093cfd8f48d856cad6d0b6c3b5256d79b02eff54
Instruction Fuzzy Hash: 3A31E331A0030AEBEB249F48C885BEEBBBBEF05340F64006DF985972A0E7709940CB14

Uniqueness

Uniqueness Score: -1.00%

Function 00666943 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 006669D0
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 006669DB

Strings

Combobox, xrefs: 0066699D

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 7e695c7fb50605d99ac00380f301d54bc67f0d7fe5f5a8194a683357f11a97ef
Instruction ID: 03349e9c01779b8daf1b10b6725ff4cf2471e25aa7afd1fa82250d11b0348eb1
Opcode Fuzzy Hash: 7e695c7fb50605d99ac00380f301d54bc67f0d7fe5f5a8194a683357f11a97ef
Instruction Fuzzy Hash: 5A11B67160020A7FEF159F24EC80EEB3B6BEB853A4F110228FD5897391D6719C518BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00666E76 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 005E1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 005E1D73
Part of subcall function 005E1D35: GetStockObject.GDI32(00000011), ref: 005E1D87
Part of subcall function 005E1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 005E1D91

GetWindowRect.USER32(00000000,?), ref: 00666EE0
GetSysColor.USER32(00000012), ref: 00666EFA

Strings

static, xrefs: 00666EBD

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 939c479ad96ba58c3c13f1122e233b9f92b4745f2098523b369fbd87ef1d1ac9
Instruction ID: 280f80bb0b46f36befe0e7a2517c9615d541e4e7f8e233b536704bd37d4f2b36
Opcode Fuzzy Hash: 939c479ad96ba58c3c13f1122e233b9f92b4745f2098523b369fbd87ef1d1ac9
Instruction Fuzzy Hash: D921677261020AAFDB04DFA8ED45AFA7BBAFB08314F005628FD55D3250E775E861DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00666B8F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00666C11
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00666C20

Strings

edit, xrefs: 00666BF5

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 2ae881729d3b7f434a3180ea638035497fb6eaa64c909ffa82768de04cadd167
Instruction ID: 6375ed6a6f329099e1ea1540e96fa4cb137424c3ca2731325084e0af7937d7e1
Opcode Fuzzy Hash: 2ae881729d3b7f434a3180ea638035497fb6eaa64c909ffa82768de04cadd167
Instruction Fuzzy Hash: 3F118C71500208ABEB109F64EC45AEB3B6BEB15378F204724F961D72E0C775ECA19B60

Uniqueness

Uniqueness Score: -1.00%

Function 00642E9E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00642F11
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00642F30

Strings

0, xrefs: 00642F07

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: fd43670f335cdefe9cd7741bf559e32d1204abce6bc4e156e62922488772e342
Instruction ID: 9298c4e3db0fe7a7c953927c24772a135f9f1bc94efe9ae9edd029595e225e65
Opcode Fuzzy Hash: fd43670f335cdefe9cd7741bf559e32d1204abce6bc4e156e62922488772e342
Instruction Fuzzy Hash: AA110831941116ABCB60EF98DD14BD977BBEB11314FA800B5F855A73A0DBB0ED08CB95

Uniqueness

Uniqueness Score: -1.00%

Function 006524CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00652520
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00652549

Strings

<local>, xrefs: 00652511

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 2f70f5fab7eaead67c3b7e7c0286a31c8b60a60c0b55c56c02e29bac3da70240
Instruction ID: 86f38921d2a2b93be230f2d3f08b022509ca722db4946e71716e7342562e6878
Opcode Fuzzy Hash: 2f70f5fab7eaead67c3b7e7c0286a31c8b60a60c0b55c56c02e29bac3da70240
Instruction Fuzzy Hash: D911E370100226BADB248F51CCA4EFBFFAEFB07352F10812AFD4542140E2705989D6E0

Uniqueness

Uniqueness Score: -1.00%

Function 006580A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0065830B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,006580C8,?,00000000,?,?), ref: 00658322

inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 006580CB
htons.WSOCK32(00000000,?,00000000), ref: 00658108

Strings

255.255.255.255, xrefs: 006580E3

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: ByteCharMultiWidehtonsinet_addr
String ID: 255.255.255.255
API String ID: 2496851823-2422070025
Opcode ID: b825ae6e2bec331903d89a028348bce3fdf09cdae304bca5944c28c5abe255ad
Instruction ID: b3c8cd9027f9635a8a94b2fa9ddc13087bf6e6482c93d031949d4558369d5262
Opcode Fuzzy Hash: b825ae6e2bec331903d89a028348bce3fdf09cdae304bca5944c28c5abe255ad
Instruction Fuzzy Hash: 3D11CE34200246ABDB20AFA4DC86BFDB766FF14321F10852AED11A7691DA72A8098795

Uniqueness

Uniqueness Score: -1.00%

Function 005F0A8D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,005E3C26,006A62F8,?,?,?), ref: 005F0ACE

Part of subcall function 005E7D2C: _memmove.LIBCMT ref: 005E7D66

_wcscat.LIBCMT ref: 006250E1

Strings

cj, xrefs: 005F0B0E

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: FullNamePath_memmove_wcscat
String ID: cj
API String ID: 257928180-126231742
Opcode ID: 00da8c508cd8c4ef650dcaa6fd359b635ba85422a0d89950fe553a29aebfecde
Instruction ID: 5679d8921baa55d020071e7f89f4aeab3f493a185df4721a368447e5731f0a7a
Opcode Fuzzy Hash: 00da8c508cd8c4ef650dcaa6fd359b635ba85422a0d89950fe553a29aebfecde
Instruction Fuzzy Hash: BB11083090420D9BCB41FBA0DD05EED7BF9FF48340B0424A5BA89D7281EA74EB888B10

Uniqueness

Uniqueness Score: -1.00%

Function 006392E7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 005E7F41: _memmove.LIBCMT ref: 005E7F82

Part of subcall function 0063B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0063B0E7

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00639355

Strings

ComboBox, xrefs: 006392F4
ListBox, xrefs: 0063931F

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: dd256262b58a7ee2f74917a4364012ee760a57efd8a9678670476b3dc2f8a5ec
Instruction ID: ba6b38149dd24ef61c82e83bfa401663a003b2d0691ec0fc2b6deca86941560b
Opcode Fuzzy Hash: dd256262b58a7ee2f74917a4364012ee760a57efd8a9678670476b3dc2f8a5ec
Instruction Fuzzy Hash: 4901D271A05219AB9B08EB64CC958FE776ABF46320B100619F972572D1EB71580CCAA0

Uniqueness

Uniqueness Score: -1.00%

Function 006391DF Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 005E7F41: _memmove.LIBCMT ref: 005E7F82

Part of subcall function 0063B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0063B0E7

SendMessageW.USER32(?,00000180,00000000,?), ref: 0063924D

Strings

ComboBox, xrefs: 006391EC
ListBox, xrefs: 00639217

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 9246c5377df76799076684875efc45aca3680adf950622b78cee1a6b2a4cd19b
Instruction ID: 96b58bb03f3ee309bde7ccb3854ca0cfd1f2a217ff2baa9ef0d13bb907e9247a
Opcode Fuzzy Hash: 9246c5377df76799076684875efc45aca3680adf950622b78cee1a6b2a4cd19b
Instruction Fuzzy Hash: D601A771E411097BCF08EBA4C996DFF77AEAF45300F15002DB95267291EB515F0C96B1

Uniqueness

Uniqueness Score: -1.00%

Function 00639264 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 005E7F41: _memmove.LIBCMT ref: 005E7F82

Part of subcall function 0063B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0063B0E7

SendMessageW.USER32(?,00000182,?,00000000), ref: 006392D0

Strings

ComboBox, xrefs: 00639271
ListBox, xrefs: 0063929C

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 6bf6d6a01c16bbb87dd319026e7099c6ef157eb580162e4c251dee8200d25567
Instruction ID: 217f7af0e68ff829702d1f4f5b9c7c150ee45ef465365deddc96b4de97d310e0
Opcode Fuzzy Hash: 6bf6d6a01c16bbb87dd319026e7099c6ef157eb580162e4c251dee8200d25567
Instruction Fuzzy Hash: 0701F971E4110977CF08EBA4C986EFF77AEAF15300F250129B962672C2EB615F0C96B5

Uniqueness

Uniqueness Score: -1.00%

Function 00606DAE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 00606DD0
__calloc_crt.LIBCMT ref: 00606DE9

Strings

@Rj, xrefs: 00606E00

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: __calloc_crt
String ID: @Rj
API String ID: 3494438863-2855396162
Opcode ID: 8e8580b8cccdf3e6b383cb88e1af9d5eeb343bce18671ac6c612e09bbff1e502
Instruction ID: 525aeaa3c3c0b83028f579fab3be2e2d515c1f147a14d39eb7f90e3a689dcacf
Opcode Fuzzy Hash: 8e8580b8cccdf3e6b383cb88e1af9d5eeb343bce18671ac6c612e09bbff1e502
Instruction Fuzzy Hash: 6FF04F717887169BFB6CEF18FD157A3279BEB42730B14042AF105CB6D0EBB099918A84

Uniqueness

Uniqueness Score: -1.00%

Function 006451CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 006451E8
_wcscmp.LIBCMT ref: 006451FA

Strings

#32770, xrefs: 006451F4

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: 9848e385a284f5127ff074e422a9c3e272434819fa1d3ab0884330cadd05033c
Instruction ID: 3775d124f3f8089a3044a9bfbfbe5b059222e7eb5fada60a0d5afa9e7d6a24f1
Opcode Fuzzy Hash: 9848e385a284f5127ff074e422a9c3e272434819fa1d3ab0884330cadd05033c
Instruction Fuzzy Hash: 3AE0613290422C27D710AB95AC05F97F7EDEB41731F00005BFD10D3140D5A09A048BE0

Uniqueness

Uniqueness Score: -1.00%

Function 006381BC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 006381CA

Part of subcall function 00603598: _doexit.LIBCMT ref: 006035A2

Strings

AutoIt, xrefs: 006381BE
Error allocating memory., xrefs: 006381C3

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: 0a0f9bf4269d1e6d6ca8269abd70175ea478963e78aa5acc824dbc1343e2bc75
Instruction ID: 64bd65e373e59a5fcbaca6a0f9649e6c44b70ea783a123aed3f35e3158048b17
Opcode Fuzzy Hash: 0a0f9bf4269d1e6d6ca8269abd70175ea478963e78aa5acc824dbc1343e2bc75
Instruction Fuzzy Hash: 9AD02B323C431932D21933F96C0BFC63A8E4B06F12F00402AFB48995D38DD154C142EC

Uniqueness

Uniqueness Score: -1.00%

Function 0061B511 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0061B564: _memset.LIBCMT ref: 0061B571

Part of subcall function 00600B84: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,0061B540,?,?,?,005E100A), ref: 00600B89

IsDebuggerPresent.KERNEL32(?,?,?,005E100A), ref: 0061B544
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,005E100A), ref: 0061B553

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0061B54E

Memory Dump Source

Source File: 00000000.00000002.2025573097.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.2025559566.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.000000000066F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025611656.0000000000695000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025645464.000000000069F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2025659657.00000000006A8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_file4232024.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: 4752193b6f14a1264df5bce909dae5f374d6b8c7740a87ec8b2d1eb481268330
Instruction ID: b2d9d5f7c1ea833cafd113b7946554369f5251a1bf4504f7f5ac814d991bda33
Opcode Fuzzy Hash: 4752193b6f14a1264df5bce909dae5f374d6b8c7740a87ec8b2d1eb481268330
Instruction Fuzzy Hash: 98E06DB02003528BD360EF68E4083827BE7AB04704F089A2CE486C2750E7F4E584CBA1

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file4232024.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\aut25DE.tmp

C:\Users\user\AppData\Local\Temp\aut264C.tmp

C:\Users\user\AppData\Local\Temp\ghauts

C:\Users\user\AppData\Local\Temp\hypopygidium

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\LogfireblendeuGDOCADegvvshJYgdfgGWltXxnlOnThLThggfsEYSRpalmitic

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\user-PC-user\WebData

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Windows Analysis Report
file4232024.exe

Function 005E3B4C Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 153
windowCOMMON

Function 005E4FE9 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 62
COMMON

Function 005E4AFE Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Function 006493DF Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Function 005E3015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 75
windowregistryCOMMON

Function 005E3041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Function 005E71EB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 005E3633 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowtimeregistryCOMMON

Function 005E3A58 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Function 005E3778 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 267
COMMON

Function 005EF8CF Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 168
comCOMMON

Function 01FD2610 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 005E39E7 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 01FD2410 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 133
fileCOMMON

Function 005E410D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre