Edit tour

Windows Analysis Report
MXIkmvGqgT.exe.com

Overview

General Information

Sample Name:	MXIkmvGqgT.exe.com
Analysis ID:	745520
MD5:	6987e4cd3f256462f422326a7ef115b9
SHA1:	71672a495b4603ecfec40a65254cb3ba8766bbe0
SHA256:	3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0
Infos:

Detection

Score:	56
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Submitted file has a suspicious file extension

Uses 32bit PE files

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

Contains functionality to execute programs as a different user

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Contains functionality to launch a process as a different user

Contains functionality to communicate with device drivers

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to dynamically determine API calls

Contains functionality to read the clipboard data

Contains functionality to simulate keystroke presses

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Searches for user specific document files

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

OS version to string mapping found (often used in BOTs)

Contains functionality to read the PEB

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to launch a program with higher privileges

Potential key logger detected (key state polling based)

Contains functionality to retrieve information about pressed keystrokes

Found large amount of non-executed APIs

Contains functionality to simulate mouse events

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality for read data from the clipboard

Classification

Process Tree

System is w10x64

MXIkmvGqgT.exe.com (PID: 5568 cmdline: "C:\Users\user\Desktop\MXIkmvGqgT.exe.com" MD5: 6987E4CD3F256462F422326A7EF115B9)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: MXIkmvGqgT.exe.com

Virustotal: Detection: 14%

Perma Link

Source: MXIkmvGqgT.exe.com

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: MXIkmvGqgT.exe.com

Static PE information: certificate valid

Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	Code function: 0_2_0019E27D lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0019E27D
Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	Code function: 0_2_001AA37B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_001AA37B
Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	Code function: 0_2_001A64E7 FindFirstFileW,FindNextFileW,FindClose,	0_2_001A64E7
Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	Code function: 0_2_0016C522 FindFirstFileExW,	0_2_0016C522
Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	Code function: 0_2_001A713E FindFirstFileW,FindClose,	0_2_001A713E
Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	Code function: 0_2_001A71DF FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_001A71DF
Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	Code function: 0_2_0019D72C FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0019D72C
Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	Code function: 0_2_0019DA5F FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0019DA5F
Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	Code function: 0_2_001A9E92 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_001A9E92
Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	Code function: 0_2_001A9FED SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_001A9FED

Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

Source: MXIkmvGqgT.exe.com	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: MXIkmvGqgT.exe.com	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: MXIkmvGqgT.exe.com	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: MXIkmvGqgT.exe.com	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: MXIkmvGqgT.exe.com	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: MXIkmvGqgT.exe.com	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: MXIkmvGqgT.exe.com	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: MXIkmvGqgT.exe.com	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: MXIkmvGqgT.exe.com	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: MXIkmvGqgT.exe.com	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: MXIkmvGqgT.exe.com	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: MXIkmvGqgT.exe.com	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: MXIkmvGqgT.exe.com	String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: MXIkmvGqgT.exe.com	String found in binary or memory: https://www.globalsign.com/repository/0

Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com

Code function: 0_2_001AD694 InternetReadFile,SetEvent,GetLastError,SetEvent,

0_2_001AD694

Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com

Code function: 0_2_001AF358 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_001AF358

Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com

Code function: 0_2_001C9D97 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_001C9D97

Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com

Code function: 0_2_0019A321 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_0019A321

Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com

0_2_001AF358

System Summary

Submitted file has a suspicious file extension

Source: MXIkmvGqgT.exe.com

Initial sample: file extension

Source: MXIkmvGqgT.exe.com

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com

Code function: 0_2_0019F018 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_0019F018

Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	Code function: 0_2_0014C0BE	0_2_0014C0BE
Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	Code function: 0_2_0016A16E	0_2_0016A16E
Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	Code function: 0_2_001381B0	0_2_001381B0
Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	Code function: 0_2_001521B2	0_2_001521B2
Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	Code function: 0_2_0013C1F0	0_2_0013C1F0
Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	Code function: 0_2_0013E4A2	0_2_0013E4A2
Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	Code function: 0_2_001BC69D	0_2_001BC69D
Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	Code function: 0_2_0016E780	0_2_0016E780
Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	Code function: 0_2_001A2810	0_2_001A2810
Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	Code function: 0_2_00198936	0_2_00198936
Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	Code function: 0_2_001669EB	0_2_001669EB
Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	Code function: 0_2_0015CD20	0_2_0015CD20
Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	Code function: 0_2_0014CE15	0_2_0014CE15
Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	Code function: 0_2_00167059	0_2_00167059
Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	Code function: 0_2_0013D060	0_2_0013D060
Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	Code function: 0_2_001C50DA	0_2_001C50DA
Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	Code function: 0_2_00151614	0_2_00151614
Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	Code function: 0_2_00151986	0_2_00151986
Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	Code function: 0_2_00157A9B	0_2_00157A9B
Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	Code function: 0_2_00149B7D	0_2_00149B7D
Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	Code function: 0_2_0014DBDE	0_2_0014DBDE
Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	Code function: 0_2_00151C30	0_2_00151C30
Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	Code function: 0_2_00157CCA	0_2_00157CCA
Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	Code function: 0_2_00151EF7	0_2_00151EF7
Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	Code function: 0_2_00157F27	0_2_00157F27

Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	Code function: String function: 0014FC68 appears 40 times
Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	Code function: String function: 00150CB0 appears 46 times

Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com

Code function: 0_2_0019188B LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_0019188B

Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com

Code function: 0_2_001A456E: GetFullPathNameW,_wcslen,CreateDirectoryW,CreateFileW,RemoveDirectoryW,DeviceIoControl,CloseHandle,CloseHandle,

0_2_001A456E

Source: MXIkmvGqgT.exe.com, 00000000.00000000.299494271.0000000000205000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameAutoIt3.exeB vs MXIkmvGqgT.exe.com
Source: MXIkmvGqgT.exe.com	Binary or memory string: OriginalFilenameAutoIt3.exeB vs MXIkmvGqgT.exe.com

Source: MXIkmvGqgT.exe.com

Virustotal: Detection: 14%

Source: MXIkmvGqgT.exe.com

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{725F645B-EAED-4fc5-B1C5-D9AD0ACCBA5E}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	Code function: 0_2_00191749 AdjustTokenPrivileges,CloseHandle,		0_2_00191749
Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	Code function: 0_2_00191D4D LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00191D4D

Source: classification engine

Classification label: mal56.winCOM@1/0@0/0

Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com

Code function: 0_2_001A606E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_001A606E

Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com

Code function: 0_2_001A5A1D SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_001A5A1D

Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com

Code function: 0_2_001A4005 GetLastError,FormatMessageW,

0_2_001A4005

Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com

Code function: 0_2_001BAED5 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_001BAED5

Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com

Code function: 0_2_001A3819 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_001A3819

Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com

File opened: C:\Windows\SysWOW64\MsftEdit.dll

Jump to behavior

Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com

Window detected: Number of UI elements: 13

Source: MXIkmvGqgT.exe.com

Static PE information: certificate valid

Source: MXIkmvGqgT.exe.com	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: MXIkmvGqgT.exe.com	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: MXIkmvGqgT.exe.com	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: MXIkmvGqgT.exe.com	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: MXIkmvGqgT.exe.com	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: MXIkmvGqgT.exe.com	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: MXIkmvGqgT.exe.com

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: MXIkmvGqgT.exe.com	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: MXIkmvGqgT.exe.com	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: MXIkmvGqgT.exe.com	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: MXIkmvGqgT.exe.com	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: MXIkmvGqgT.exe.com	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	Code function: 0_2_00150CF6 push ecx; ret		0_2_00150D09
Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	Code function: 0_2_00138D79 push edi; retn 0000h		0_2_00138D7B

Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com

Code function: 0_2_00134E28 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00134E28

Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	Code function: 0_2_001C24A6 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_001C24A6
Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	Code function: 0_2_0014F2C0 GetForegroundWindow,FindWindowW,IsIconic,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,ShowWindow,		0_2_0014F2C0

Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com

Window / User API: foregroundWindowGot 567

Jump to behavior

Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com

API coverage: 1.5 %

Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com

Code function: 0_2_00134E28 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00134E28

Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	Code function: 0_2_0019E27D lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0019E27D
Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	Code function: 0_2_001AA37B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_001AA37B
Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	Code function: 0_2_001A64E7 FindFirstFileW,FindNextFileW,FindClose,	0_2_001A64E7
Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	Code function: 0_2_0016C522 FindFirstFileExW,	0_2_0016C522
Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	Code function: 0_2_001A713E FindFirstFileW,FindClose,	0_2_001A713E
Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	Code function: 0_2_001A71DF FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_001A71DF
Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	Code function: 0_2_0019D72C FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0019D72C
Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	Code function: 0_2_0019DA5F FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0019DA5F
Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	Code function: 0_2_001A9E92 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_001A9E92
Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	Code function: 0_2_001A9FED SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_001A9FED

Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

Source: MXIkmvGqgT.exe.com, 00000000.00000003.307859722.0000000001059000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: istry\Machine\Software\Classes\SystemFileAssociations\.com3f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&
Source: MXIkmvGqgT.exe.com, 00000000.00000003.307773067.0000000001071000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}zer5{N

Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com

Code function: 0_2_001628A2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_001628A2

Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com

Code function: 0_2_00134E28 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00134E28

Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com

Code function: 0_2_001911EC GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_001911EC

Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com

Code function: 0_2_00154F68 mov eax, dword ptr fs:[00000030h]

0_2_00154F68

Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com

Code function: 0_2_001AF2FB BlockInput,

0_2_001AF2FB

Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	Code function: 0_2_00150C55 SetUnhandledExceptionFilter,	0_2_00150C55
Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	Code function: 0_2_001628A2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_001628A2
Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	Code function: 0_2_00150ABF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00150ABF
Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	Code function: 0_2_00150EA1 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00150EA1

Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com

0_2_0019188B

Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com

Code function: 0_2_0014F2C0 GetForegroundWindow,FindWindowW,IsIconic,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,ShowWindow,

0_2_0014F2C0

Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com

Code function: 0_2_00172C9D SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00172C9D

Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com

Code function: 0_2_0019EA77 mouse_event,

0_2_0019EA77

Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com

0_2_001911EC

Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com

Code function: 0_2_00191CED AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00191CED

Source: MXIkmvGqgT.exe.com	Binary or memory string: Shell_TrayWnd
Source: MXIkmvGqgT.exe.com	Binary or memory string: @EXITMETHOD@EXITCODEShell_TrayWnd%s-CALLGUICTRLREGISTERLISTVIEWSORTGUICTRLCREATELISTVIEWITEMGUICTRLCREATETREEVIEWITEMGUICTRLCREATECONTEXTMENUONAUTOITEXITUNREGISTERGUICTRLCREATELISTVIEWGUICTRLCREATEMENUITEMGUICTRLCREATECHECKBOXGUICTRLCREATEMONTHCALGUICTRLCREATEPROGRESSGUICTRLCREATETREEVIEWGUICTRLCREATEGRAPHICSTRINGFROMASCIIARRAYONAUTOITEXITREGISTERGUICTRLCREATETABITEMGUICTRLSETDEFBKCOLORINIREADSECTIONNAMESGUICTRLCREATEBUTTONDLLCALLBACKREGISTERGUICTRLCREATEUPDOWNGUICTRLCREATESLIDERSTRINGREGEXPREPLACEOBJCREATEINTERFACEGUICTRLSENDTODUMMYFILECREATESHORTCUTGUICTRLCREATEINPUTSOUNDSETWAVEVOLUMEFILECREATENTFSLINKGUISETACCELERATORSGUICTRLCREATECOMBOGUICTRLSETDEFCOLORPROCESSSETPRIORITYGUICTRLSETRESIZINGSTRINGTOASCIIARRAYDRIVEGETFILESYSTEMGUICTRLCREATEDUMMYTRAYITEMSETONEVENTGUICTRLCREATERADIOWINMINIMIZEALLUNDOGUICTRLCREATEGROUPGUICTRLCREATELABELAUTOITWINSETTITLEGUICTRLSETBKCOLORAUTOITWINGETTITLEGUICTRLSETGRAPHICGUICTRLCREATEDATEGUICTRLCREATEICONGUICTRLSETONEVENTCONSOLEWRITEERRORDLLCALLBACKGETPTRGUICTRLCREATELISTTRAYITEMGETHANDLEFILEFINDFIRSTFILEGUICTRLCREATEEDITGUICTRLCREATEMENUWINMENUSELECTITEMGUICTRLSETCURSORDLLSTRUCTGETDATASTATUSBARGETTEXTFILERECYCLEEMPTYFILESELECTFOLDERTRAYITEMSETSTATEDLLSTRUCTSETDATATRAYITEMGETSTATEWINGETCLIENTSIZEGUICTRLCREATEAVIHTTPSETUSERAGENTGUICTRLCREATEPICCONTROLGETHANDLEGUIGETCURSORINFOTRAYSETPAUSEICONFILEFINDNEXTFILEINIRENAMESECTIONDLLSTRUCTGETSIZESHELLEXECUTEWAITPROCESSWAITCLOSEGUICTRLCREATETABFILEGETSHORTNAMEWINWAITNOTACTIVEGUICTRLCREATEOBJGUICTRLGETHANDLESTRINGTRIMRIGHTGUICTRLSETLIMITGUICTRLSETIMAGEINIWRITESECTIONCONTROLTREEVIEWAUTOITSETOPTIONGUICTRLSETCOLORDLLSTRUCTGETPTRADLIBUNREGISTERDRIVESPACETOTALGUICTRLSETSTATEWINGETCLASSLISTGUICTRLGETSTATEFILEGETSHORTCUTDLLSTRUCTCREATEPROCESSGETSTATSCONTROLGETFOCUSDLLCALLBACKFREEGUICTRLSETSTYLEFILEREADTOARRAYTRAYITEMSETTEXTCONTROLLISTVIEWTRAYITEMGETTEXTFILEGETENCODINGFILEGETLONGNAMEGUICTRLSENDMSGSENDKEEPACTIVEDRIVESPACEFREEFILEOPENDIALOGGUICTRLRECVMSGCONTROLCOMMANDSTRINGTOBINARYWINMINIMIZEALLSTRINGISXDIGITTRAYSETONEVENTFILESAVEDIALOGDUMMYSPEEDTESTCONTROLGETTEXTMOUSECLICKDRAGGUICTRLSETFONTMOUSEGETCURSORWINGETCARETPOSCONTROLSETTEXTTRAYITEMDELETESTRINGTRIMLEFTDRIVEGETSERIALBINARYTOSTRINGGUICTRLSETDATAINIREADSECTIONUDPCLOSESOCKETCONTROLDISABLETRAYCREATEMENUTCPCLOSESOCKETDLLCALLADDRESSFILEGETVERSIONGUIREGISTERMSGTRAYSETTOOLTIPTRAYCREATEITEMDRIVEGETDRIVESTRINGISASCIISTRINGCOMPARESTRINGISALPHAPROCESSEXISTSSTRINGREVERSESTRINGSTRIPCRSPLASHIMAGEONGUICTRLSETTIPGUISTARTGROUPCONTROLGETPOSFILEGETATTRIBADLIBREGISTERDRIVESETLABELGUICTRLDELETEFILECHANGEDIRFILEWRITELINEPIXELCHECKSUMDRIVEGETLABELGUICTRLSETPOSGUISETBKCOLORPIXELGETCOLORSTRINGISDIGITSTRINGISFLOATWINWAITACTIVESTRINGISALNUMSTRINGISLOWERSTRINGISSPACEGUISETONEVENTSTRINGREPLACESTRINGSTRIPWSCONTROLENABLESTRINGISUPPERWINGETPROCESSFILESETATTRIBCONTROLFOCUSFILEREADLINEPROCESSCLOSEGUISETCURSORSPLASHTEXTONSTRINGFORMATTRAYSETSTATESTRINGREGEXPCONTROLCLICKSHELLEXECUTETRAYSETCLICKWINWAITCLOSEHTTPSETPROXYDRIVEGETTYPEWINGETHANDLECONSOLEWRITEGUIGETSTYLECONTR

Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com

Code function: 0_2_00150918 cpuid

0_2_00150918

Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com

Code function: 0_2_0018E2E8 GetLocalTime,

0_2_0018E2E8

Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com

Code function: 0_2_0016BBD2 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_0016BBD2

Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com

Code function: 0_2_00134E28 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00134E28

Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com

Code function: 0_2_0018E346 GetUserNameW,

0_2_0018E346

Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	Directory queried: C:\Users\user\Documents	Jump to behavior

Source: MXIkmvGqgT.exe.com	Binary or memory string: WIN_81
Source: MXIkmvGqgT.exe.com	Binary or memory string: WIN_XP
Source: MXIkmvGqgT.exe.com	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: MXIkmvGqgT.exe.com	Binary or memory string: WIN_XPe
Source: MXIkmvGqgT.exe.com	Binary or memory string: WIN_VISTA
Source: MXIkmvGqgT.exe.com	Binary or memory string: WIN_7
Source: MXIkmvGqgT.exe.com	Binary or memory string: WIN_8

Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	Code function: 0_2_001B205F socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_001B205F
Source: C:\Users\user\Desktop\MXIkmvGqgT.exe.com	Code function: 0_2_001B1A5D socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_001B1A5D

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
2 Valid Accounts	1 Native API	2 Valid Accounts	2 Valid Accounts	2 Valid Accounts	21 Input Capture	2 System Time Discovery	Remote Services	21 Input Capture	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 System Shutdown/Reboot
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	LSASS Memory	21 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Bluetooth	1 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	21 Access Token Manipulation	21 Access Token Manipulation	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	1 Data from Local System	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	1 Process Injection	1 Process Injection	NTDS	11 Application Window Discovery	Distributed Component Object Model	2 Clipboard Data	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 Account Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	2 Obfuscated Files or Information	Cached Domain Credentials	1 System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	13 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	15 System Information Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
MXIkmvGqgT.exe.com	14%	Virustotal		Browse
MXIkmvGqgT.exe.com	4%	Metadefender		Browse

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.autoitscript.com/autoit3/J	MXIkmvGqgT.exe.com	false		high
https://www.autoitscript.com/autoit3/	MXIkmvGqgT.exe.com	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	745520
Start date and time:	2022-11-14 12:59:21 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 56s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	MXIkmvGqgT.exe.com
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal56.winCOM@1/0@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Failed
HCA Information:	Successful, ratio: 96% Number of executed functions: 10 Number of non-executed functions: 331
Cookbook Comments:	Found application associated with file extension: .com

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
13:00:14	API Interceptor	1x Sleep call for process: MXIkmvGqgT.exe.com modified

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.630605981477972
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	MXIkmvGqgT.exe.com
File size:	946776
MD5:	6987e4cd3f256462f422326a7ef115b9
SHA1:	71672a495b4603ecfec40a65254cb3ba8766bbe0
SHA256:	3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0
SHA512:	4b1d7f7ffee39a2d65504767beeddd4c3374807a93889b14e7e73db11e478492dec349aedca03ce828f21a66bb666a68d3735443f4249556e10825a4cd7dfeb4
SSDEEP:	24576:LErOxpVnqgt5ExLh27RQlf7Yfq2WZz2a1BB69:L86pqeE74aB0Sdia1W9
TLSH:	A8158C0373918062FE97A5331F5FF7265A7C6D2A0323B52F13981E79BA701B1162E672
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........;...h...h...hX;1h...hX;3hq..hX;2h...hr..h...h...i...h...i...h...i...h..Ch...h..Sh...h...h...hI..i...hI..i...hI.?h...h..Wh...

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x4207f7
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x622405AB [Sun Mar 6 00:51:55 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	cb0b7e6e83da063fd7c111542603cca4

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=GlobalSign CodeSigning CA - SHA256 - G3, O=GlobalSign nv-sa, C=BE
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	5/4/2020 10:39:47 AM 8/4/2023 8:50:17 AM
Subject Chain	CN=AutoIt Consulting Ltd, O=AutoIt Consulting Ltd, L=Birmingham, C=GB
Version:	3
Thumbprint MD5:	4791A38AD0863471785EE69B4D789D68
Thumbprint SHA-1:	B64DDF46C16DEECAA165BB0EC1D640F51588CBEF
Thumbprint SHA-256:	D30934A4D918CE63DA30F7D19B2C35009807DFE69FDA8D6C87BB355596E4227E
Serial:	38F3486E1DD8A9103034A04A

Entrypoint Preview

Instruction
call 00007F7C2CB4BEB3h
jmp 00007F7C2CB4B7BFh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F7C2CB4B99Dh
mov dword ptr [esi], 004A0DD8h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 004A0DE0h
mov dword ptr [ecx], 004A0DD8h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F7C2CB4B96Ah
mov dword ptr [esi], 004A0DF4h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 004A0DFCh
mov dword ptr [ecx], 004A0DF4h
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 004A0DB8h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F7C2CB4E55Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 004A0DB8h
push eax
call 00007F7C2CB4E5A8h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 004A0DB8h
push eax
call 00007F7C2CB4E591h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc9e74	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd5000	0xd750	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xe4c00	0x2658	.reloc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xe3000	0x7658	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb1fd0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc43e0	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1ff0	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9d000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9b366	0x9b400	False	0.5650365463969405	data	6.674463921685011	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9d000	0x2fb92	0x2fc00	False	0.35282027159685864	data	5.691797314434004	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcd000	0x705c	0x4800	False	0.043402777777777776	DOS executable (block device driver @\273\)	0.5832791069750964	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd5000	0xd750	0xd800	False	0.4799262152777778	data	5.925934292221589	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xe3000	0x7658	0x7800	False	0.7486002604166667	data	6.756887814707976	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0xd7af0	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 0	English	Great Britain
RT_ICON	0xd8158	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain
RT_ICON	0xd8440	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain
RT_ICON	0xd8568	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain
RT_ICON	0xd9410	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain
RT_ICON	0xd9cb8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain
RT_ICON	0xda220	0x3f41	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	Great Britain
RT_ICON	0xde168	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain
RT_ICON	0xe0710	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain
RT_ICON	0xe17b8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain
RT_ICON	0xe1cb8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain
RT_ICON	0xe1df8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain
RT_ICON	0xe1f38	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain
RT_MENU	0xe2178	0x50	data	English	Great Britain
RT_DIALOG	0xe2078	0xfc	data	English	Great Britain
RT_STRING	0xd5970	0x594	data	English	Great Britain
RT_STRING	0xd6ff8	0x68a	data	English	Great Britain
RT_STRING	0xd6b68	0x490	data	English	Great Britain
RT_STRING	0xd6568	0x5fc	data	English	Great Britain
RT_STRING	0xd5f08	0x65c	data	English	Great Britain
RT_STRING	0xd7688	0x466	data	English	Great Britain
RT_STRING	0xe21c8	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain
RT_GROUP_ICON	0xe1c20	0x92	data	English	Great Britain
RT_GROUP_ICON	0xe1f20	0x14	data	English	Great Britain
RT_GROUP_ICON	0xe2060	0x14	data	English	Great Britain
RT_GROUP_ICON	0xe1de0	0x14	data	English	Great Britain
RT_VERSION	0xd5600	0x370	data	English	Great Britain
RT_MANIFEST	0xe2320	0x42c	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (1008), with CRLF line terminators	English	United States

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentThread, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, EnterCriticalSection, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, ClientToScreen, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, keybd_event, LockWindowUpdate, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, ReleaseDC, GetDC, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetCursorPos, GetMessageW, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SetWindowLongW, CreateWindowExW, SendMessageW, DispatchMessageW, SendInput, TranslateMessage, SendMessageTimeoutW
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain
English	United States

Target ID:	0
Start time:	13:00:12
Start date:	14/11/2022
Path:	C:\Users\user\Desktop\MXIkmvGqgT.exe.com
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\MXIkmvGqgT.exe.com"
Imagebase:	0x130000
File size:	946776 bytes
MD5 hash:	6987E4CD3F256462F422326A7EF115B9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Execution Graph

Execution Coverage:	0.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	7.1%
Total number of Nodes:	380
Total number of Limit Nodes:	30

Executed Functions

Function 00134E28 Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00134E57

Part of subcall function 001373E7: _wcslen.LIBCMT ref: 001373FA

GetCurrentProcess.KERNEL32(?,001CDC40,00000000,?,?), ref: 00134F83
IsWow64Process.KERNEL32(00000000,?,?), ref: 00134F8A
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00134FB5
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00134FC7
GetNativeSystemInfo.KERNEL32(?,?,?), ref: 00134FD5
FreeLibrary.KERNEL32(00000000,?,?), ref: 00134FDC
GetSystemInfo.KERNEL32(?,?,?), ref: 00135001

Strings

GetNativeSystemInfo, xrefs: 00134FC1
|O, xrefs: 00174009
kernel32.dll, xrefs: 00134FB0

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 0d00083378cfc71327ab8ead941838c26a83b650ec833bff8f89140286edd6bf
Instruction ID: fdf63740fa8893330e218a2c4bd9b4f56ffe98ad95940addf54a00803f70de7a
Opcode Fuzzy Hash: 0d00083378cfc71327ab8ead941838c26a83b650ec833bff8f89140286edd6bf
Instruction Fuzzy Hash: 88A1722190A3C0CFC716DBAC7C4D5A57FB46B36344B28A8DBE58597263D32C558CCB26

Uniqueness

Uniqueness Score: -1.00%

Function 00150C55 Relevance: 1.5, APIs: 1, Instructions: 3
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00020C61,0015066E), ref: 00150C5A

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: db9f6bdb3856d19db89413cea354db67188af6f221b4d09f25c282b15323b0a2
Instruction ID: 6fe5a3d215ca37eeaf26279909ea7ddd5eae864e3661c6b1fadde2b76acb6c13
Opcode Fuzzy Hash: db9f6bdb3856d19db89413cea354db67188af6f221b4d09f25c282b15323b0a2
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 00150346 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00150346

Part of subcall function 0015036D: InitializeCriticalSectionAndSpinCount.KERNEL32(0020170C,00000FA0,E3E39DA5,?,?,?,?,00172633,000000FF), ref: 0015039C
Part of subcall function 0015036D: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00172633,000000FF), ref: 001503A7
Part of subcall function 0015036D: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00172633,000000FF), ref: 001503B8
Part of subcall function 0015036D: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 001503CE
Part of subcall function 0015036D: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 001503DC
Part of subcall function 0015036D: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 001503EA
Part of subcall function 0015036D: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00150415
Part of subcall function 0015036D: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00150420

___scrt_fastfail.LIBCMT ref: 00150367

Part of subcall function 00150323: __onexit.LIBCMT ref: 00150329

Strings

kernel32.dll, xrefs: 001503B3
WakeAllConditionVariable, xrefs: 001503E2
InitializeConditionVariable, xrefs: 001503C8
api-ms-win-core-synch-l1-2-0.dll, xrefs: 001503A2
SleepConditionVariableCS, xrefs: 001503D4

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 6522cfa8a9f5ed2d55f8689b1d1c2c455e5ddc098c39b12620f231ec357eefb4
Instruction ID: 82952401a08af7c7fcc2a0d053c96170a68d59eb990da9583393283083835e55
Opcode Fuzzy Hash: 6522cfa8a9f5ed2d55f8689b1d1c2c455e5ddc098c39b12620f231ec357eefb4
Instruction Fuzzy Hash: 0521D432A44B11EFD7136BE4AC06F6A7BA5EB0CB62F040126FD159AAD1DB70DC448651

Uniqueness

Uniqueness Score: -1.00%

Function 001342DF Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 001345CC: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,?,?,00173BD6,?,?,00000100,00000000,00000000,CMDLINE,?,?,00000001,00000000), ref: 001345EA

Part of subcall function 00134270: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00134292

RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 001343FC
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00173C5D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00173C9E
RegCloseKey.ADVAPI32(?), ref: 00173CE0
_wcslen.LIBCMT ref: 00173D47
_wcslen.LIBCMT ref: 00173D56

Strings

Software\AutoIt v3\AutoIt, xrefs: 001343F2
\Include\, xrefs: 001343B9
Include, xrefs: 00173C54, 00173C95
\, xrefs: 00173D5C

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: e58522667d166e645fb55d7608b24ca997fd49da9710d5fbebad4b95e2c5402a
Instruction ID: a6e9368880197f73c510ff0aa5474736219bc705089f3d65933b4f6012f62cb9
Opcode Fuzzy Hash: e58522667d166e645fb55d7608b24ca997fd49da9710d5fbebad4b95e2c5402a
Instruction Fuzzy Hash: F4716C715083019EC314EF65E8859ABBBECFFA4740F80456EF459971A1EB70DA48CB92

Uniqueness

Uniqueness Score: -1.00%

Function 001316C8 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 153
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00132198: MapVirtualKeyW.USER32(0000005B,00000000), ref: 001321C9
Part of subcall function 00132198: MapVirtualKeyW.USER32(00000010,00000000), ref: 001321D1
Part of subcall function 00132198: MapVirtualKeyW.USER32(000000A0,00000000), ref: 001321DC
Part of subcall function 00132198: MapVirtualKeyW.USER32(000000A1,00000000), ref: 001321E7
Part of subcall function 00132198: MapVirtualKeyW.USER32(00000011,00000000), ref: 001321EF
Part of subcall function 00132198: MapVirtualKeyW.USER32(00000012,00000000), ref: 001321F7

Part of subcall function 0013211F: RegisterWindowMessageW.USER32(00000004,?,00131899), ref: 00132177

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0013193F
OleInitialize.OLE32 ref: 0013195D
CloseHandle.KERNEL32(00000000,00000000), ref: 0017299B

Strings

@( , xrefs: 00131899
(& , xrefs: 00131867
$ , xrefs: 0013173F
0$ , xrefs: 00131963

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID: (& $0$ $@( $$
API String ID: 1986988660-2324680831
Opcode ID: 7381bf603a2b7129a475bc990d49e8d9ede458addb95f2a77524b0ba08c103c6
Instruction ID: 8b9181ed07e6c67006b7bc2a99deea0984e21a6f3b876d3d1d4e1c0c78aea848
Opcode Fuzzy Hash: 7381bf603a2b7129a475bc990d49e8d9ede458addb95f2a77524b0ba08c103c6
Instruction Fuzzy Hash: 887166B4911300CEC788EF69BDAD6153EE5FB58304790822BE559D72A3EB30844D8F69

Uniqueness

Uniqueness Score: -1.00%

Function 001346A9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,0013469C,SwapMouseButtons,00000004,?), ref: 001346CD
RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,0013469C,SwapMouseButtons,00000004,?), ref: 001346EE
RegCloseKey.KERNEL32(00000000,?,?,?,80000001,80000001,?,0013469C,SwapMouseButtons,00000004,?), ref: 00134710

Strings

Control Panel\Mouse, xrefs: 001346CB

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: f30ce8ba0d5076932639c576081373a0e24f13821744c47417bc0a82167d7341
Instruction ID: bbc33d1b3fb3b6c965ed4145718d6102e0eba5045a6ae12f159030d90fd8a5d5
Opcode Fuzzy Hash: f30ce8ba0d5076932639c576081373a0e24f13821744c47417bc0a82167d7341
Instruction Fuzzy Hash: 87112775611208BFDB208FA8DC84EAEBBB8EF05744F10846AF805E7120E731AE519B60

Uniqueness

Uniqueness Score: -1.00%

Function 0016D0C1 Relevance: 4.5, APIs: 3, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0016D0C5
_free.LIBCMT ref: 0016D0FE
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0016D105

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: EnvironmentStrings$Free_free
String ID:
API String ID: 2716640707-0
Opcode ID: 407d14fabc51dff5ba7c79bbeb91a030a6ba678a1198d9b17c90d06ed72daa69
Instruction ID: da1a35799234281219743bd716b7f22cbc962b5e9642505dbd159ef1196fb0bd
Opcode Fuzzy Hash: 407d14fabc51dff5ba7c79bbeb91a030a6ba678a1198d9b17c90d06ed72daa69
Instruction Fuzzy Hash: 7AE09B77E0551567D22236397C89E6F2F1DDFD27B1B250165F84486142DF248D1740F1

Uniqueness

Uniqueness Score: -1.00%

Function 00132ACA Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetOpenFileNameW.COMDLG32(?), ref: 0017319B

Part of subcall function 0013462F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00134609,?,?,00173BD6,?,?,00000100,00000000,00000000,CMDLINE), ref: 0013464F

Part of subcall function 00132A8C: GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 00132AAB

Strings

X, xrefs: 00173169

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: fd6b3a254ad96a3313e8f7b6c1172e4c94da7e4bc6c00d8a1916d17c0c6962e3
Instruction ID: 268d4a5ab17e05d8bfaa5068643fe8e927e9997b2839898be64c4cf7a3296d5c
Opcode Fuzzy Hash: fd6b3a254ad96a3313e8f7b6c1172e4c94da7e4bc6c00d8a1916d17c0c6962e3
Instruction Fuzzy Hash: E721D571A002489BDB15EF94DC05BEE7BFCAF59304F008019E508B7281DBF49A898FA1

Uniqueness

Uniqueness Score: -1.00%

Function 00163AA0 Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,00156989,?,0000015D,?,?,?,?,001584C0,000000FF,00000000,?,?), ref: 00163AD2

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 4267680620d4fcb2425f6bc2f60adc88422407e929d71130815bdadfeb913076
Instruction ID: 880764cc3b0ae34f0de33f1b7b600d59f2b2b41cc02cf65ecb83e618783edf9f
Opcode Fuzzy Hash: 4267680620d4fcb2425f6bc2f60adc88422407e929d71130815bdadfeb913076
Instruction Fuzzy Hash: CAE02232200620D7E7202BF7AD08F5B7A59EF017E0F0A0121BCB4DB090DB20CE21A2E0

Uniqueness

Uniqueness Score: -1.00%

Function 00132282 Relevance: 1.5, APIs: 1, Instructions: 8
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SystemParametersInfoW.USER32 ref: 00132291

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 4c85cbba68840237183e223b7e9a37e1d8ef6170ac933f7bf0e4c2c12a6e4e13
Instruction ID: 886264c132a14199c16045a12f5eba5204249242f5dd4e2611a64b0d596905bc
Opcode Fuzzy Hash: 4c85cbba68840237183e223b7e9a37e1d8ef6170ac933f7bf0e4c2c12a6e4e13
Instruction Fuzzy Hash: BAC09232280304EFF210DB80BC4EF20BB68A30CB04F40C403BA0D599F383B69861EA10

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 001C9D97 Relevance: 74.1, APIs: 39, Strings: 3, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00149DA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00149DB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 001C9E3B
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 001C9E7C
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 001C9EC0
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 001C9EEA
SendMessageW.USER32 ref: 001C9F13
GetKeyState.USER32(00000011), ref: 001C9FAC
GetKeyState.USER32(00000009), ref: 001C9FB9
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 001C9FCF
GetKeyState.USER32(00000010), ref: 001C9FD9
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 001CA00A
SendMessageW.USER32 ref: 001CA031
SendMessageW.USER32(?,00001030,?,001C86B6), ref: 001CA139
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 001CA14F
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 001CA162
SetCapture.USER32(?), ref: 001CA16B
ClientToScreen.USER32(?,?), ref: 001CA1D0
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 001CA1DD
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 001CA1F7
ReleaseCapture.USER32(?,?,?), ref: 001CA202
GetCursorPos.USER32(?,?,00000001,?,?,?), ref: 001CA23A
ScreenToClient.USER32 ref: 001CA247
SendMessageW.USER32(?,00001012,00000000,?), ref: 001CA2A1
SendMessageW.USER32 ref: 001CA2CF
SendMessageW.USER32(?,00001111,00000000,?), ref: 001CA30C
SendMessageW.USER32 ref: 001CA33B
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 001CA35C
SendMessageW.USER32(?,0000110B,00000009,?), ref: 001CA36B
GetCursorPos.USER32(?), ref: 001CA389
ScreenToClient.USER32 ref: 001CA396
GetParent.USER32(?), ref: 001CA3B4
SendMessageW.USER32(?,00001012,00000000,?), ref: 001CA41B
SendMessageW.USER32 ref: 001CA44C
ClientToScreen.USER32(?,?), ref: 001CA4A5
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 001CA4D5
SendMessageW.USER32(?,00001111,00000000,?), ref: 001CA4FF
SendMessageW.USER32 ref: 001CA522
ClientToScreen.USER32(?,?), ref: 001CA56F
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 001CA5A3

Part of subcall function 00149B44: GetWindowLongW.USER32(?,000000EB), ref: 00149B52

GetWindowLongW.USER32(?,000000F0), ref: 001CA626

Strings

F, xrefs: 001CA528
@GUI_DRAGID, xrefs: 001CA19E
p3 , xrefs: 001CA1B1

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F$p3
API String ID: 3429851547-2594551572
Opcode ID: d90ed38408acf8860bc4434dfcd68e9e568c6f4cde11d56faad23f05fa10791d
Instruction ID: 3b0d8f7c099151a8143bbe384e378f0909efa08d7759fbbd1810800accd301e0
Opcode Fuzzy Hash: d90ed38408acf8860bc4434dfcd68e9e568c6f4cde11d56faad23f05fa10791d
Instruction Fuzzy Hash: C7427830204244AFD725CF28D888FAABBE5FFA8714F54462DF695872A1D731E894CF52

Uniqueness

Uniqueness Score: -1.00%

Function 001C50DA Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 001C515A
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 001C516F
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 001C518E
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 001C51B2
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 001C51C3
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 001C51E2
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 001C5215
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 001C523B
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 001C5276
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 001C52BD
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 001C52E5
IsMenu.USER32 ref: 001C52FE
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 001C5359
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 001C5387
GetWindowLongW.USER32(?,000000F0), ref: 001C53FB
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 001C544A
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 001C54E9
wsprintfW.USER32 ref: 001C5515
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 001C5530
GetWindowTextW.USER32 ref: 001C5558
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 001C557A
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 001C559A
GetWindowTextW.USER32 ref: 001C55C1

Strings

%d/%02d/%02d, xrefs: 001C550F

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 6b52e59a0aa2e1daec16a0eafeaaf1600c358ed7921743095cbf4d2ccadd82b1
Instruction ID: edd15045bab07053fc28bb99e1597f89a322587c536d7fcbd4d15bd65354f62e
Opcode Fuzzy Hash: 6b52e59a0aa2e1daec16a0eafeaaf1600c358ed7921743095cbf4d2ccadd82b1
Instruction Fuzzy Hash: 1612CB71500708ABEB258F64DC49FAE7BEAEF99310F144129F916EA2D1DB74E981CB10

Uniqueness

Uniqueness Score: -1.00%

Function 0014F2C0 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131threadkeyboardwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0014F2CA
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0014F2E7
IsIconic.USER32 ref: 0014F2F0
SetForegroundWindow.USER32(00000000), ref: 0014F302
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0014F318
GetCurrentThreadId.KERNEL32 ref: 0014F31F
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0014F32B
AttachThreadInput.USER32(?,00000000,00000001), ref: 0014F33C
AttachThreadInput.USER32(?,00000000,00000001), ref: 0014F344
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0014F34C
SetForegroundWindow.USER32(00000000), ref: 0014F34F
MapVirtualKeyW.USER32(00000012,00000000), ref: 0014F368
keybd_event.USER32 ref: 0014F373
MapVirtualKeyW.USER32(00000012,00000000), ref: 0014F37D
keybd_event.USER32 ref: 0014F382
MapVirtualKeyW.USER32(00000012,00000000), ref: 0014F38B
keybd_event.USER32 ref: 0014F390
MapVirtualKeyW.USER32(00000012,00000000), ref: 0014F39A
keybd_event.USER32 ref: 0014F39F
SetForegroundWindow.USER32(00000000), ref: 0014F3A2
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0014F3C0
AttachThreadInput.USER32(?,00000000,00000000), ref: 0014F3C8
AttachThreadInput.USER32(00000000,000000FF,00000000), ref: 0014F3D0

Strings

Shell_TrayWnd, xrefs: 0014F2E2

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: Thread$Window$AttachInput$ForegroundVirtualkeybd_event$Process$CurrentFindIconic
String ID: Shell_TrayWnd
API String ID: 1155518417-2988720461
Opcode ID: 0aeb4c499f609d97ab4e219b31ca21a8c67c3bccf3870c37205b81afe68889e6
Instruction ID: e3c2c80cbd148743a7ed37eeddcf4d7b64d52ebc0c6cb351f4ceed998ebc71c0
Opcode Fuzzy Hash: 0aeb4c499f609d97ab4e219b31ca21a8c67c3bccf3870c37205b81afe68889e6
Instruction Fuzzy Hash: BB316371A40318BBEB206BA56C4AF7F7E7CEB44B54F110039FA01E65D1D7B09D51EA60

Uniqueness

Uniqueness Score: -1.00%

Function 0019188B Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 00191D4D: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00191D97
Part of subcall function 00191D4D: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00191DC4
Part of subcall function 00191D4D: GetLastError.KERNEL32 ref: 00191DD4

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00191910
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00191932
CloseHandle.KERNEL32(?), ref: 00191943
OpenWindowStationW.USER32 ref: 0019195B
GetProcessWindowStation.USER32 ref: 00191974
SetProcessWindowStation.USER32(00000000), ref: 0019197E
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 0019199A

Part of subcall function 00191749: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00191886), ref: 0019175E
Part of subcall function 00191749: CloseHandle.KERNEL32(?,?,00191886), ref: 00191773

Strings

, xrefs: 001918E4
default, xrefs: 00191995
winsta0, xrefs: 00191956

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: 93bfc48d3f6cb186191064aa54e7bea8d38cc5cd2afe361d1b682b3e8443704c
Instruction ID: 1957f7de55ef8447a189e740b25752ac356ea322eb0c8125ddc42f75f2fe73aa
Opcode Fuzzy Hash: 93bfc48d3f6cb186191064aa54e7bea8d38cc5cd2afe361d1b682b3e8443704c
Instruction Fuzzy Hash: 948177B1A0024ABBDF119FA5DC49FEE7BB8EF08304F044129F915A72A0D770CA85CB60

Uniqueness

Uniqueness Score: -1.00%

Function 001911EC Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00191783: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 0019179E
Part of subcall function 00191783: GetLastError.KERNEL32(?,00000000,00000000,?,?,00191225,?,?,?), ref: 001917AA
Part of subcall function 00191783: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00191225,?,?,?), ref: 001917B9
Part of subcall function 00191783: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00191225,?,?,?), ref: 001917C0
Part of subcall function 00191783: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 001917D7

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00191256
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0019128A
GetLengthSid.ADVAPI32(?), ref: 001912A1
GetAce.ADVAPI32(?,00000000,?), ref: 001912DB
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 001912F7
GetLengthSid.ADVAPI32(?), ref: 0019130E
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00191316
HeapAlloc.KERNEL32(00000000), ref: 0019131D
GetLengthSid.ADVAPI32(?,00000008,?), ref: 0019133E
CopySid.ADVAPI32(00000000), ref: 00191345
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00191374
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00191396
SetUserObjectSecurity.USER32 ref: 001913A8
GetProcessHeap.KERNEL32(00000000,00000000), ref: 001913CF
HeapFree.KERNEL32(00000000), ref: 001913D6
GetProcessHeap.KERNEL32(00000000,00000000), ref: 001913DF
HeapFree.KERNEL32(00000000), ref: 001913E6
GetProcessHeap.KERNEL32(00000000,00000000), ref: 001913EF
HeapFree.KERNEL32(00000000), ref: 001913F6
GetProcessHeap.KERNEL32(00000000,?), ref: 00191402
HeapFree.KERNEL32(00000000), ref: 00191409

Part of subcall function 0019181D: GetProcessHeap.KERNEL32(00000008,0019123B,?,00000000,?,0019123B,?), ref: 0019182B
Part of subcall function 0019181D: HeapAlloc.KERNEL32(00000000,?,00000000,?,0019123B,?), ref: 00191832
Part of subcall function 0019181D: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,0019123B,?), ref: 00191841

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 09aef13e9ae3d6d6eacbb8fb28010caf27f2ae46f746e34778e587c357b0c703
Instruction ID: baccd0a6aa953b0b8111fea20c2a9ebebc98f02d359dd6406f79c1b76b2c0cab
Opcode Fuzzy Hash: 09aef13e9ae3d6d6eacbb8fb28010caf27f2ae46f746e34778e587c357b0c703
Instruction Fuzzy Hash: A7713E7290020ABBDF109FA5EC44FEEBBB8BF04311F154225F915A7590D731DA85CB60

Uniqueness

Uniqueness Score: -1.00%

Function 001AF358 Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(001CDCD0), ref: 001AF382
IsClipboardFormatAvailable.USER32(0000000D), ref: 001AF390
GetClipboardData.USER32 ref: 001AF39C
CloseClipboard.USER32 ref: 001AF3A8
GlobalLock.KERNEL32 ref: 001AF3E0
CloseClipboard.USER32 ref: 001AF3EA
GlobalUnlock.KERNEL32(00000000,00000000), ref: 001AF415
IsClipboardFormatAvailable.USER32(00000001), ref: 001AF422
GetClipboardData.USER32 ref: 001AF42A
GlobalLock.KERNEL32 ref: 001AF43B
GlobalUnlock.KERNEL32(00000000,?), ref: 001AF47B
IsClipboardFormatAvailable.USER32(0000000F), ref: 001AF491
GetClipboardData.USER32 ref: 001AF49D
GlobalLock.KERNEL32 ref: 001AF4AE
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 001AF4D0
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 001AF4ED
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 001AF52B
GlobalUnlock.KERNEL32(00000000,?,?), ref: 001AF54C
CountClipboardFormats.USER32 ref: 001AF56D
CloseClipboard.USER32 ref: 001AF5B2

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 8c2eb2539198a4956ffbc05bc9abb014a809541b75c64fe1ce6876e149b505a8
Instruction ID: a62405e86946a2752c34796e5bcbef6531391469955fe42415ce5eab9373ae97
Opcode Fuzzy Hash: 8c2eb2539198a4956ffbc05bc9abb014a809541b75c64fe1ce6876e149b505a8
Instruction Fuzzy Hash: 9D61E2352043019FD700EF60E884F2ABBE4AF95714F14452DF856876A1DB71DD8ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 001A71DF Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 001A720E
FindClose.KERNEL32(00000000), ref: 001A7262
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 001A729E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 001A72C5

Part of subcall function 0013A1B9: _wcslen.LIBCMT ref: 0013A1C3

FileTimeToSystemTime.KERNEL32(?,?), ref: 001A7302
FileTimeToSystemTime.KERNEL32(?,?), ref: 001A732F

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 001A73BA
%03d, xrefs: 001A75F2
%4d%02d%02d%02d%02d%02d%03d, xrefs: 001A7382
%4d, xrefs: 001A7401
%02d, xrefs: 001A7450, 001A745A, 001A74AA, 001A74FA, 001A754A, 001A759A

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: a8cbb9fdfd18072075e2e5236c25ea8e2530614eff43fa6a6b39e5295a097df7
Instruction ID: bf7f6b398d917b1e4ce4507a11eebc39c4ece8f492cd328601146aae8d1ca463
Opcode Fuzzy Hash: a8cbb9fdfd18072075e2e5236c25ea8e2530614eff43fa6a6b39e5295a097df7
Instruction Fuzzy Hash: 34D162B2508304AFC710EBA4CC85EABB7ECAF99704F04495DF589D7291EB74DA44CB62

Uniqueness

Uniqueness Score: -1.00%

Function 001A9E92 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,747161D0,?,00000000), ref: 001A9EB3
GetFileAttributesW.KERNEL32(?), ref: 001A9EF1
SetFileAttributesW.KERNEL32(?,?), ref: 001A9F0B
FindNextFileW.KERNEL32(00000000,?), ref: 001A9F23
FindClose.KERNEL32(00000000), ref: 001A9F2E
FindFirstFileW.KERNEL32(*.*,?), ref: 001A9F4A
SetCurrentDirectoryW.KERNEL32(?), ref: 001A9F9A
SetCurrentDirectoryW.KERNEL32(001F7B88), ref: 001A9FB8
FindNextFileW.KERNEL32(00000000,00000010), ref: 001A9FC2
FindClose.KERNEL32(00000000), ref: 001A9FCF
FindClose.KERNEL32(00000000), ref: 001A9FDF

Strings

*.*, xrefs: 001A9F45

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 0d1866b8e9f3cf8442ee6170c14e04a70949c18fdb826cf777ddfb8b2976a045
Instruction ID: 573c080c3cada5fd8a2a318fecc18c98f276f7786b808569120317d688337571
Opcode Fuzzy Hash: 0d1866b8e9f3cf8442ee6170c14e04a70949c18fdb826cf777ddfb8b2976a045
Instruction Fuzzy Hash: BF31C376505619AFDF10DFB4EC49EEEBBACAF06321F1041A5E914D2190EB30DDC48A54

Uniqueness

Uniqueness Score: -1.00%

Function 001A456E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 001A4590
_wcslen.LIBCMT ref: 001A45BD
CreateDirectoryW.KERNEL32(?,00000000), ref: 001A45ED
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 001A460E
RemoveDirectoryW.KERNEL32(?), ref: 001A461E
DeviceIoControl.KERNEL32 ref: 001A46A5
CloseHandle.KERNEL32(00000000), ref: 001A46B0
CloseHandle.KERNEL32(00000000), ref: 001A46BB

Strings

\??\%s, xrefs: 001A45AB
:, xrefs: 001A45D2
\, xrefs: 001A45C7

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 1ad9879855c7c75bcdda88b517e99efeeb132cfca6d495e2fb953c611f2f3506
Instruction ID: b6840bceaa47a53e939f9b8600abff8edf33688862614f6e6eca52f9e55f8fe7
Opcode Fuzzy Hash: 1ad9879855c7c75bcdda88b517e99efeeb132cfca6d495e2fb953c611f2f3506
Instruction Fuzzy Hash: 953170B5900109ABDB219BA0DC49FEB37BDEF8A701F1041B5F519D6160E7B4D6858B24

Uniqueness

Uniqueness Score: -1.00%

Function 001A9FED Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,747161D0,?,00000000), ref: 001AA00E
FindNextFileW.KERNEL32(00000000,?), ref: 001AA069
FindClose.KERNEL32(00000000), ref: 001AA074
FindFirstFileW.KERNEL32(*.*,?), ref: 001AA090
SetCurrentDirectoryW.KERNEL32(?), ref: 001AA0E0
SetCurrentDirectoryW.KERNEL32(001F7B88), ref: 001AA0FE
FindNextFileW.KERNEL32(00000000,00000010), ref: 001AA108
FindClose.KERNEL32(00000000), ref: 001AA115
FindClose.KERNEL32(00000000), ref: 001AA125

Part of subcall function 0019E1A4: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0019E1BF

Strings

*.*, xrefs: 001AA08B

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: a81f34dc8ba81409feda64c90eea9067206daaad8982a4d618f15bbf9df44abf
Instruction ID: 0e4a5e1fdf0d84149fb2cad1b27be7447ea0f0558db8b7df2a079c61f6e52913
Opcode Fuzzy Hash: a81f34dc8ba81409feda64c90eea9067206daaad8982a4d618f15bbf9df44abf
Instruction Fuzzy Hash: D631E1756016197FCF20ABA4EC49EEE77ACAF16320F5041A5F810A21A0EB74DE85CA65

Uniqueness

Uniqueness Score: -1.00%

Function 001BC69D Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 001BD1F1: CharUpperBuffW.USER32(?,?,?,?,?,?,?,001BBF07,?,?), ref: 001BD20E
Part of subcall function 001BD1F1: _wcslen.LIBCMT ref: 001BD24A
Part of subcall function 001BD1F1: _wcslen.LIBCMT ref: 001BD2C1
Part of subcall function 001BD1F1: _wcslen.LIBCMT ref: 001BD2F7

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 001BC797
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 001BC802
RegCloseKey.ADVAPI32(00000000), ref: 001BC826
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 001BC885
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 001BC940
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 001BC9AD
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 001BCA42
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 001BCA93
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 001BCB3C
RegCloseKey.ADVAPI32(?,?,00000000), ref: 001BCBDB
RegCloseKey.ADVAPI32(00000000), ref: 001BCBE8

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: 847b4ef7e5fcd5708f62b28903bc8ee55abe1a8d5d6503858af77024f97ccf64
Instruction ID: ebfb0081eacf905615dd45ef33b1266028782027e782d9291e89ec3811f754c2
Opcode Fuzzy Hash: 847b4ef7e5fcd5708f62b28903bc8ee55abe1a8d5d6503858af77024f97ccf64
Instruction Fuzzy Hash: 88025371604200AFD714DF28C995E6ABBE5FF49318F18849DF84ACB2A2D731ED45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0019A321 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 0019A349
GetAsyncKeyState.USER32(000000A0), ref: 0019A3CA
GetKeyState.USER32(000000A0), ref: 0019A3E5
GetAsyncKeyState.USER32(000000A1), ref: 0019A3FF
GetKeyState.USER32(000000A1), ref: 0019A414
GetAsyncKeyState.USER32(00000011), ref: 0019A42C
GetKeyState.USER32(00000011), ref: 0019A43E
GetAsyncKeyState.USER32(00000012), ref: 0019A456
GetKeyState.USER32(00000012), ref: 0019A468
GetAsyncKeyState.USER32(0000005B), ref: 0019A480
GetKeyState.USER32(0000005B), ref: 0019A492

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 4c8914b37ff486c5e1ee7aa692a39d8df0bf8d50dfa28b61fe1dad5b1a885a28
Instruction ID: 785cf55a82ea6c989c226fd1166e102af2d2823528b9d64091de4c0b44868e98
Opcode Fuzzy Hash: 4c8914b37ff486c5e1ee7aa692a39d8df0bf8d50dfa28b61fe1dad5b1a885a28
Instruction Fuzzy Hash: 1741A4749047CA6DFF31866498187A9BEA0BF11354F88806DD5C64B5C2DBE49ACCC7E3

Uniqueness

Uniqueness Score: -1.00%

Function 0019D72C Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0013462F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00134609,?,?,00173BD6,?,?,00000100,00000000,00000000,CMDLINE), ref: 0013464F

Part of subcall function 0019E8BB: GetFileAttributesW.KERNEL32(?,0019D64B), ref: 0019E8BC

FindFirstFileW.KERNEL32(?,?), ref: 0019D7D8
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0019D893
MoveFileW.KERNEL32(?,?), ref: 0019D8A6
DeleteFileW.KERNEL32(?,?,?,?), ref: 0019D8C3
FindNextFileW.KERNEL32(00000000,00000010), ref: 0019D8ED

Part of subcall function 0019D952: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0019D8D2,?,?), ref: 0019D968

FindClose.KERNEL32(00000000,?,?,?), ref: 0019D909
FindClose.KERNEL32(00000000), ref: 0019D91A

Strings

\*.*, xrefs: 0019D783, 0019D78C, 0019D7A1

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 0eac8a1b71ad7a543cda18e3c6893997fcbd73104a7265762aeaf03db1f74776
Instruction ID: 63123300df707d6b33e35f1de919817222aab951e526b496b93771fd25a070c7
Opcode Fuzzy Hash: 0eac8a1b71ad7a543cda18e3c6893997fcbd73104a7265762aeaf03db1f74776
Instruction Fuzzy Hash: B8617D7180115DEFCF15EBE0EA929EDB7B9AF25304F2040A5E446771A2EB306F09CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0019F018 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00191D4D: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00191D97
Part of subcall function 00191D4D: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00191DC4
Part of subcall function 00191D4D: GetLastError.KERNEL32 ref: 00191DD4

ExitWindowsEx.USER32(?,00000000), ref: 0019F054

Strings

, xrefs: 0019F042
@, xrefs: 0019F047
, xrefs: 0019F07E
SeShutdownPrivilege, xrefs: 0019F024

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: d3aa335c277904ed0e0e7ce6eb02af422f6264afabebc4e7b9123435f12fcabc
Instruction ID: 74d9f6669d0ba039d5d4c44e5e89b7d6d1d514ed0f5b41d4841e09f032905524
Opcode Fuzzy Hash: d3aa335c277904ed0e0e7ce6eb02af422f6264afabebc4e7b9123435f12fcabc
Instruction Fuzzy Hash: 0001F972710211BBFF2866B8AC8AFBF776D9B18754F194539FD12E20D3DB619C4181A0

Uniqueness

Uniqueness Score: -1.00%

Function 001B1A5D Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 001B1ACF
WSAGetLastError.WSOCK32 ref: 001B1ADC
bind.WSOCK32(00000000,?,00000010), ref: 001B1B13
WSAGetLastError.WSOCK32 ref: 001B1B1E
closesocket.WSOCK32(00000000), ref: 001B1B4D
listen.WSOCK32(00000000,00000005), ref: 001B1B5C
WSAGetLastError.WSOCK32 ref: 001B1B66
closesocket.WSOCK32(00000000), ref: 001B1B95

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: ca20e06fe0ca9d7a47f67a528206aa51291ed70f52df1f8c2811c1cf7fe0f096
Instruction ID: 9c108d5a22ff135d7a1bf70cf46f0d64293b48aaf0e23607c3e7bccf4c65c56e
Opcode Fuzzy Hash: ca20e06fe0ca9d7a47f67a528206aa51291ed70f52df1f8c2811c1cf7fe0f096
Instruction Fuzzy Hash: 92417D30600140AFD710DF28D594B6ABBF6BF46318F598198E8569F2D2D771EC85CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 0016BBD2 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0016BC54
_free.LIBCMT ref: 0016BC78
_free.LIBCMT ref: 0016BDFF
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,001D46E0), ref: 0016BE11
WideCharToMultiByte.KERNEL32(00000000,00000000,0020221C,000000FF,00000000,0000003F,00000000,?,?), ref: 0016BE89
WideCharToMultiByte.KERNEL32(00000000,00000000,00202270,000000FF,?,0000003F,00000000,?), ref: 0016BEB6
_free.LIBCMT ref: 0016BFCB

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 0f63ce5deaa2324f07e28aaa7f577c0e78a38428a5386ea7db0ecffeddfd8334
Instruction ID: dc73bbd1ce28db90a6c8a316e67be7621ef91128ca37ce69f4ec8308109f3411
Opcode Fuzzy Hash: 0f63ce5deaa2324f07e28aaa7f577c0e78a38428a5386ea7db0ecffeddfd8334
Instruction Fuzzy Hash: 09C13A72908204AFDB249FB8DCC5BAA7BB9EF51310F14419AE855DB252EB308ED1CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0019DA5F Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0013462F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00134609,?,?,00173BD6,?,?,00000100,00000000,00000000,CMDLINE), ref: 0013464F

Part of subcall function 0019E8BB: GetFileAttributesW.KERNEL32(?,0019D64B), ref: 0019E8BC

FindFirstFileW.KERNEL32(?,?), ref: 0019DAD6
DeleteFileW.KERNEL32(?,?,?,?), ref: 0019DB26
FindNextFileW.KERNEL32(00000000,00000010), ref: 0019DB37
FindClose.KERNEL32(00000000), ref: 0019DB4E
FindClose.KERNEL32(00000000), ref: 0019DB57

Strings

\*.*, xrefs: 0019DAA8

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 6225e03f48bb28e26cdc981783cfdc17f58a09553f88e970e7d18abf9974a2bb
Instruction ID: ea2bdcf338a6b3aca09e5e3c2136f228e50c428f0c738ebcde5dd9853681a73e
Opcode Fuzzy Hash: 6225e03f48bb28e26cdc981783cfdc17f58a09553f88e970e7d18abf9974a2bb
Instruction Fuzzy Hash: 2C316131009385DBC705EF64E8918AFB7E8BEA5314F844E6DF4D693191DB20EA09D763

Uniqueness

Uniqueness Score: -1.00%

Function 001A3819 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,001744F9,?,?,00000000,00000000), ref: 001A3829
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,001744F9,?,?,00000000,00000000), ref: 001A3840
LoadResource.KERNEL32(?,00000000,?,?,001744F9,?,?,00000000,00000000,?,?,?,?,?,?,00135346), ref: 001A3850
SizeofResource.KERNEL32(?,00000000,?,?,001744F9,?,?,00000000,00000000,?,?,?,?,?,?,00135346), ref: 001A3861
LockResource.KERNEL32(001744F9,?,?,001744F9,?,?,00000000,00000000,?,?,?,?,?,?,00135346,?), ref: 001A3870

Strings

SCRIPT, xrefs: 001A3836

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 5b3ac8b137f1c3b50fba00825c00affd6438574ab07b160e229905ddcb92d0c3
Instruction ID: db17cf562debf972d8a346e35be5f85b29295a993ac7621826846c5b166e58cb
Opcode Fuzzy Hash: 5b3ac8b137f1c3b50fba00825c00affd6438574ab07b160e229905ddcb92d0c3
Instruction Fuzzy Hash: C3117974240701BFE7218B25EC48F277BBDEBC6B41F1442ACB416D76A0DB71E9008A20

Uniqueness

Uniqueness Score: -1.00%

Function 0016E780 Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0016E8C6

Strings

1#INF, xrefs: 0016FAD3
1#SNAN, xrefs: 0016FAC5
1#IND, xrefs: 0016FABE
1#QNAN, xrefs: 0016FACC

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 5bf8ca0f39621d4482967fd8f8a02c43559033de2ed1ede0543a2bf15f51be3d
Instruction ID: 8c901025f2001aff7c1b4cc9c3c2dcb6de6b8e44971365438500bd5e2ab876d1
Opcode Fuzzy Hash: 5bf8ca0f39621d4482967fd8f8a02c43559033de2ed1ede0543a2bf15f51be3d
Instruction Fuzzy Hash: 05C25C72E086288FDB25CE28DD407EAB7F5EB54305F1542EAD80DE7240E775AE968F40

Uniqueness

Uniqueness Score: -1.00%

Function 001A606E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 0013462F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00134609,?,?,00173BD6,?,?,00000100,00000000,00000000,CMDLINE), ref: 0013464F

_wcslen.LIBCMT ref: 001A60CB
CoInitialize.OLE32(00000000), ref: 001A61E5
CoCreateInstance.OLE32(001D0CE0,00000000,00000001,001D0B50,?), ref: 001A61FE
CoUninitialize.OLE32 ref: 001A621C

Strings

.lnk, xrefs: 001A60C6, 001A6111, 001A61D5

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 0788718e59b1ad85ffe7e998bc3fe750d205a4e491639fd7f13167d03558ea7b
Instruction ID: 5f76ede3d1de470d60cada6cc162a64053a806aa87c50d9944475e8f53a499fe
Opcode Fuzzy Hash: 0788718e59b1ad85ffe7e998bc3fe750d205a4e491639fd7f13167d03558ea7b
Instruction Fuzzy Hash: B7D146796082019FCB14DF24C484A2ABBF5FF9A714F19485DF8899B361DB31EC45CB92

Uniqueness

Uniqueness Score: -1.00%

Function 001AA37B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 0013A1B9: _wcslen.LIBCMT ref: 0013A1C3

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 001AA3C8
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 001AA4DB

Part of subcall function 001A40C4: GetInputState.USER32 ref: 001A411B
Part of subcall function 001A40C4: PeekMessageW.USER32 ref: 001A41B6

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 001AA3F8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 001AA4C5

Strings

*.*, xrefs: 001AA3AD

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: b6dab403864c496d5507ff11ee3e3637430126c972d6c5563ba3a8e7b4ae0ce0
Instruction ID: eab8e7d8c25b392dc894c22856f7a38533ae767c38c17f812d9ee2c4941b1849
Opcode Fuzzy Hash: b6dab403864c496d5507ff11ee3e3637430126c972d6c5563ba3a8e7b4ae0ce0
Instruction Fuzzy Hash: FD41807590020ADFCF14DFA4C849AEEBBB4FF1A310F644069F815A7191EB749E89CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00172C9D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 62COMMON

Download Yara Rule

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 001323D5

Part of subcall function 001345CC: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,?,?,00173BD6,?,?,00000100,00000000,00000000,CMDLINE,?,?,00000001,00000000), ref: 001345EA

Part of subcall function 0013A1B9: _wcslen.LIBCMT ref: 0013A1C3

GetForegroundWindow.USER32(runas,?,?,?,?,?,001F3204), ref: 00172D08
ShellExecuteW.SHELL32(00000000,?,?,001F3204), ref: 00172D0F

Strings

runas, xrefs: 00172D03
0$ , xrefs: 001323AF

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: 0$ $runas
API String ID: 448630720-3470047527
Opcode ID: 1ac7fe5e4be3b1fb3ed89439d33a052665f433fb7a174c38203dfeead8dd76b2
Instruction ID: 7d6ef3c67e727db183006d7700603011e9748fa5185761a261080dd49be6e095
Opcode Fuzzy Hash: 1ac7fe5e4be3b1fb3ed89439d33a052665f433fb7a174c38203dfeead8dd76b2
Instruction Fuzzy Hash: 7D11D071508345EBDB14FB60EC55D7EBBA4AFB4708F00582EF286520A3CB34895EC712

Uniqueness

Uniqueness Score: -1.00%

Function 00149B7D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00149DA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00149DB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00149C4E
GetSysColor.USER32(0000000F), ref: 00149D23
SetBkColor.GDI32(?,00000000), ref: 00149D36

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: e80157ca61b8a8eb2986b0cd4d2afffe6a1786d52433f3c1c913b9dd13dc4cc3
Instruction ID: d632f0e442410d7f91ac8ddd586921ee87ec3c80fe88b0ab2dc3c8af0eed11e1
Opcode Fuzzy Hash: e80157ca61b8a8eb2986b0cd4d2afffe6a1786d52433f3c1c913b9dd13dc4cc3
Instruction Fuzzy Hash: 65A10770508554BEE72DAA789C8CE7B3A9DEF52310F26021AF502C66F2CB25DE01D772

Uniqueness

Uniqueness Score: -1.00%

Function 001B205F Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 001B38A7: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 001B38D3
Part of subcall function 001B38A7: _wcslen.LIBCMT ref: 001B38F4

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 001B20B6
WSAGetLastError.WSOCK32 ref: 001B20DD
bind.WSOCK32(00000000,?,00000010), ref: 001B2134
WSAGetLastError.WSOCK32 ref: 001B213F
closesocket.WSOCK32(00000000), ref: 001B216E

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 665c0ef98bf9741184976626c50d0694b21ba25a38b004186cc27cf22c107ded
Instruction ID: 21678ce8f90d5dfc41d6b6c4160201dcfb26a178cfa736924ee4431691754d09
Opcode Fuzzy Hash: 665c0ef98bf9741184976626c50d0694b21ba25a38b004186cc27cf22c107ded
Instruction Fuzzy Hash: 5451B175A00210AFD720AF28D886F6A77E5AB59718F048498F9059F3D3D771ED41CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 001C24A6 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 001C2525
IsWindowEnabled.USER32 ref: 001C2533
GetForegroundWindow.USER32(?,?,00000001,?), ref: 001C2540
IsIconic.USER32 ref: 001C254E
IsZoomed.USER32 ref: 001C255C

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 2315e3a714a9d063177f4a25223e6511bbba666809b6f7ec1a7bb3baddf817ed
Instruction ID: 6d6f4a9d91db02131244d8749b41aec3ec1777318d4b02f4119446ac817b14cb
Opcode Fuzzy Hash: 2315e3a714a9d063177f4a25223e6511bbba666809b6f7ec1a7bb3baddf817ed
Instruction Fuzzy Hash: 1021A1317042109FE7249F2AD854F9BBBA5AFA5314F19806CE84A8B251DB71ED42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 001BAED5 Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 001BAF05
Process32FirstW.KERNEL32(00000000,?), ref: 001BAF13

Part of subcall function 0013A1B9: _wcslen.LIBCMT ref: 0013A1C3

Process32NextW.KERNEL32(00000000,?), ref: 001BAFF5
CloseHandle.KERNEL32(00000000), ref: 001BB004

Part of subcall function 0014DE05: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00173DD3,?), ref: 0014DE2F

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 1d015caff776a16b1ca6a19fed04d997ecebd1714a2a43dab6b651a4acec1f72
Instruction ID: f9d30c143413d2d3a1abccfe8d9610980929612c4d53c9df001aba8bcfb438d5
Opcode Fuzzy Hash: 1d015caff776a16b1ca6a19fed04d997ecebd1714a2a43dab6b651a4acec1f72
Instruction Fuzzy Hash: 5A514AB1508310AFC710EF25D886A6FBBE8FF99714F40492DF995972A1EB70D904CB92

Uniqueness

Uniqueness Score: -1.00%

Function 001AD694 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 001AD6D9
GetLastError.KERNEL32(?,00000000), ref: 001AD73A
SetEvent.KERNEL32(?,?,00000000), ref: 001AD74E

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 0adf2a79b3a87e97ed460086b1fd9908a130a1b01f7556bf02e836e714ac1aa1
Instruction ID: 8eaf0beb73a58041e11dbf04041b58f1c9a7fa837cf5d1949cc9f3b6b6a6622f
Opcode Fuzzy Hash: 0adf2a79b3a87e97ed460086b1fd9908a130a1b01f7556bf02e836e714ac1aa1
Instruction Fuzzy Hash: D421CF79900B04EFE7349FA5E889FABB7FCEB41318F104429E65692951EB70EE44CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0019E27D Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,0017370C), ref: 0019E28D
GetFileAttributesW.KERNEL32(?), ref: 0019E29C
FindFirstFileW.KERNEL32(?,?), ref: 0019E2AD
FindClose.KERNEL32(00000000), ref: 0019E2B9

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 92571c85bc663e5a0825fc971b23c12b75b53a53920d5f0ef01e6b1de4457ecd
Instruction ID: f253fcd2b1af7b2200f1ee8b3c4750d7f0f0a8730f66c4dbe550e46baae15ae4
Opcode Fuzzy Hash: 92571c85bc663e5a0825fc971b23c12b75b53a53920d5f0ef01e6b1de4457ecd
Instruction Fuzzy Hash: A7F0ED30814920679624A7BCFC0DCAABBAD9F02334B108765F835C24F0EB70EDA58696

Uniqueness

Uniqueness Score: -1.00%

Function 0018E2E8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0018E2EC

Strings

X64, xrefs: 0018E374
%.3d, xrefs: 0018E2F7

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 3a29b3fcf3315db6a67e9760f1ae03aebf11793aa2ae10c29fedfa14e1413260
Instruction ID: 574954656b32150d74f13ddd7a5509ab06382d91f29f09fee15111c5f4043457
Opcode Fuzzy Hash: 3a29b3fcf3315db6a67e9760f1ae03aebf11793aa2ae10c29fedfa14e1413260
Instruction Fuzzy Hash: 87D01275C04108D5CB98A6909C45CB9B7BCBB18300F964462FD07D2050E730DA489F21

Uniqueness

Uniqueness Score: -1.00%

Function 00198936 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00198948

Strings

|, xrefs: 00198978
(, xrefs: 0019898E

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 092ca53b9f0a25c72927d6c4cecc405f482bfd69d5669d96252f523acd81228e
Instruction ID: db978a64d60cc1cfecb5a0f2a0d5c8fdb2d60b105e5ace33eeac0b8e9efa43b9
Opcode Fuzzy Hash: 092ca53b9f0a25c72927d6c4cecc405f482bfd69d5669d96252f523acd81228e
Instruction Fuzzy Hash: 05323675A007059FCB28CF59C481AAAB7F1FF48320B15C56EE59ADB7A1EB70E941CB40

Uniqueness

Uniqueness Score: -1.00%

Function 001A64E7 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 001A6511
FindNextFileW.KERNEL32(00000000,?), ref: 001A6567
FindClose.KERNEL32(?), ref: 001A65AF

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: b845ea8dfb22a35b0a260ea3fff7b5ac15c6fd2204e251ff07b0c4e82c9a13df
Instruction ID: e47a97c5ff28b82286624ab1c0285163e79ad6f10c2e339923816244db53f7cd
Opcode Fuzzy Hash: b845ea8dfb22a35b0a260ea3fff7b5ac15c6fd2204e251ff07b0c4e82c9a13df
Instruction Fuzzy Hash: 3D518A79A046019FC718CF28D490E9AB7E4FF4A314F18855DE9AA8B3A1DB30FD45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 001628A2 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,0000000A), ref: 0016299A
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,0000000A), ref: 001629A4
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,0000000A), ref: 001629B1

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 20840f850ab53f4916f5c9aef4e42e87d712e5d20d18de99d2441add9ae43b81
Instruction ID: 4641afec733812e062409d09294cfeb9d349b9897377ec685ca66faabf5495b1
Opcode Fuzzy Hash: 20840f850ab53f4916f5c9aef4e42e87d712e5d20d18de99d2441add9ae43b81
Instruction Fuzzy Hash: 5731C6759012289BCB21DF68DD8979CBBB8AF58310F5042EAE81CA7250E7709F858F55

Uniqueness

Uniqueness Score: -1.00%

Function 001A5A1D Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 001A5A2A
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 001A5A88
SetErrorMode.KERNEL32(00000000), ref: 001A5AF1

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 33ba9748614fb95dde0cbdf343dfa04c9e2a22bba2a322159a66d5473dc8385b
Instruction ID: 6f40b650da6e789c2093eac2fdc904630f3106e871d9ef1032c54963177414aa
Opcode Fuzzy Hash: 33ba9748614fb95dde0cbdf343dfa04c9e2a22bba2a322159a66d5473dc8385b
Instruction Fuzzy Hash: 4A312C75A00519AFDB00DF55D884EAEBBF5FF09318F058099E805AB392DB31EC55CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00191D4D Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0015005B: __CxxThrowException@8.LIBVCRUNTIME ref: 001508E8
Part of subcall function 0015005B: __CxxThrowException@8.LIBVCRUNTIME ref: 00150905

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00191D97
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00191DC4
GetLastError.KERNEL32 ref: 00191DD4

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: f81ec5f8d2f28e29c9abd5c074cd4d7366c7a849af051c0fb1fe4d8d5dcf0377
Instruction ID: e8c581d6ecde3c7452673943c3d7b7db13c5ff32ab3818ea84863985d3d8cc42
Opcode Fuzzy Hash: f81ec5f8d2f28e29c9abd5c074cd4d7366c7a849af051c0fb1fe4d8d5dcf0377
Instruction Fuzzy Hash: 6E1190B1400205BFD718AF94EC86E6BBBE8FB44750B20852EF45656681EB70F8818A64

Uniqueness

Uniqueness Score: -1.00%

Function 00191CED Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00191D16
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00191D2B
FreeSid.ADVAPI32(?), ref: 00191D3B

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 46ad09e76d6578a7ae3afb64444bd897e94d607989f6a3c6af045e90f5bf6fe4
Instruction ID: 8087546907919b1579ad7ae0601b6e19cba47a210e6ecef41fc7cd1c0166e5dc
Opcode Fuzzy Hash: 46ad09e76d6578a7ae3afb64444bd897e94d607989f6a3c6af045e90f5bf6fe4
Instruction Fuzzy Hash: 37F0F471950309BBDF00DBE4DC89EAEBBBCFB04600F504465A901E2181E774EA958A14

Uniqueness

Uniqueness Score: -1.00%

Function 00154F68 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,00154F3E,?,001F98C8,0000000C,00155095,?,00000002,00000000), ref: 00154F89
TerminateProcess.KERNEL32(00000000,?,00154F3E,?,001F98C8,0000000C,00155095,?,00000002,00000000), ref: 00154F90
ExitProcess.KERNEL32 ref: 00154FA2

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 968c57b590249ebe852fc2294b92339f8f8e424b6ef78399c7034988abe94d77
Instruction ID: 2aa969ff1f22dbcd3087bd16f1a568a0963cae7da7676320d77103d0003c92f5
Opcode Fuzzy Hash: 968c57b590249ebe852fc2294b92339f8f8e424b6ef78399c7034988abe94d77
Instruction Fuzzy Hash: 4BE0B635400288EFDF11AF58ED09E583F69EB5078AB044429FC198B922DB35DD96DA81

Uniqueness

Uniqueness Score: -1.00%

Function 0016C522 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 0016C5EC

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: abd064ea31eb634a2eaaa19158461bab87cc1b67cfa7bce4d20655c7b0b0f2ff
Instruction ID: 14fa63998f86d38dc8afb7a22a84359825446a55413fc2455a9cd837197fb75f
Opcode Fuzzy Hash: abd064ea31eb634a2eaaa19158461bab87cc1b67cfa7bce4d20655c7b0b0f2ff
Instruction Fuzzy Hash: EB416C76A002186FCB209FB8DC49EBB77B8EB84314F500169F946D7280E770EE91CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0018E346 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0018E358

Strings

X64, xrefs: 0018E374

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: f58bfea518047e0a45ab3dde466413c2e8f799cd84e34db563a2cb8893c6b092
Instruction ID: e1ff306a0fee9702a20aa925b4e010c5247f75a7b1d81bc61df5473e14172db2
Opcode Fuzzy Hash: f58bfea518047e0a45ab3dde466413c2e8f799cd84e34db563a2cb8893c6b092
Instruction Fuzzy Hash: 9DD0E9F581511DEACF94DBA0EC88DD977BCBB04304F124565F506E2150D77496499F10

Uniqueness

Uniqueness Score: -1.00%

Function 0015CD20 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3bfab06849260c4d5abcd28cd7d6503d14cf5a7ab6d977595b6d59e98588796
Instruction ID: 1bdeb27527ce707d3c57841db40345b005f499581ba80bd2b57b2c57a93b1441
Opcode Fuzzy Hash: b3bfab06849260c4d5abcd28cd7d6503d14cf5a7ab6d977595b6d59e98588796
Instruction Fuzzy Hash: D4021E71E00219DFDF24CFA9D8906ADBBF1EF88315F25416AE825EB384D731A945CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0013D060 Relevance: 3.2, Strings: 2, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 001811C2
p3 , xrefs: 0013D4EF

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.$p3
API String ID: 0-545228212
Opcode ID: 12cd4ed4b1405e0684081bf772a76d9def6ebd871ec79849fd55b89a366dc248
Instruction ID: 47d5ef7be100ccbf44e83690ac03d072d95c7786521fc07b3797e0519f33a84b
Opcode Fuzzy Hash: 12cd4ed4b1405e0684081bf772a76d9def6ebd871ec79849fd55b89a366dc248
Instruction Fuzzy Hash: 2B32BF71904218EFCF14EF94E885AEDB7B9FF15304F244059E806AB292DB75AE4ACF50

Uniqueness

Uniqueness Score: -1.00%

Function 001A713E Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 001A7168
FindClose.KERNEL32(00000000), ref: 001A71B1

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 97d47df1ad9bd8e1e156258e17c07d7c7fb090e04931978201e7b2194695b728
Instruction ID: dfd285acc7fb666a4227caad0804ae8fe16a320c618bfd70864a458b830498db
Opcode Fuzzy Hash: 97d47df1ad9bd8e1e156258e17c07d7c7fb090e04931978201e7b2194695b728
Instruction Fuzzy Hash: 7F11E6756042009FC710DF29D884E16BBE1FF85328F05C5A9E8258F7A2CB30EC45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 001A4005 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,001B50EA,?,?,00000035,?), ref: 001A4034
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,001B50EA,?,?,00000035,?), ref: 001A4044

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: db035312236062ae528377d20d4c45fad33b732e587b5f0dde1c4fa9385df2f6
Instruction ID: 693a0d213c0ec506c348017e832fdf727f01d5490cf0bd94ac6e39f94a3145a0
Opcode Fuzzy Hash: db035312236062ae528377d20d4c45fad33b732e587b5f0dde1c4fa9385df2f6
Instruction Fuzzy Hash: 37F0E5752002286AE72026659D4DFEB7A6EFFC5761F000175F609D2281DBA0D841C6B1

Uniqueness

Uniqueness Score: -1.00%

Function 00191749 Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00191886), ref: 0019175E
CloseHandle.KERNEL32(?,?,00191886), ref: 00191773

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: e968d892f68b082180f4c9b050416d50736835704dd11533c825454e2a81ecf5
Instruction ID: d865f3d02b6a1cb4b299184db79ca753e0a93b35f55fad1316e0951b1edaf072
Opcode Fuzzy Hash: e968d892f68b082180f4c9b050416d50736835704dd11533c825454e2a81ecf5
Instruction Fuzzy Hash: B8E04F72004601EEEB262B60FC06F737BA9FB04351F14882EF9A5844B0DB62ACD1DB10

Uniqueness

Uniqueness Score: -1.00%

Function 0013C1F0 Relevance: 2.6, Strings: 1, Instructions: 1377COMMON

Download Yara Rule

Strings

p3 , xrefs: 00180C48

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: BuffCharInputStateUpper
String ID: p3
API String ID: 3481770908-1689646266
Opcode ID: 66e370475d2bb2b28c661120d640efbc268cd4ef28ad2563182f5c7d57311da6
Instruction ID: d9ff08867eb22e4edb542f514d1df4b2c180efbb6c3a200d5e737841518799e0
Opcode Fuzzy Hash: 66e370475d2bb2b28c661120d640efbc268cd4ef28ad2563182f5c7d57311da6
Instruction Fuzzy Hash: 3BC25474608341DFD725DF28C480B2ABBE1BF99304F15896DF89AAB351D731E949CB82

Uniqueness

Uniqueness Score: -1.00%

Function 0014CE15 Relevance: 2.3, Strings: 1, Instructions: 1067COMMON

Download Yara Rule

Strings

hW, xrefs: 0014CE53

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID:
String ID: hW
API String ID: 0-3155865956
Opcode ID: 978fec2682a47d6b7816c23aab3ea97e12b8737906ef7dfe4a79936596a085dd
Instruction ID: 369369ef337a4c10051348fde265e8c38598bdd82503f80022effa4b72cc2154
Opcode Fuzzy Hash: 978fec2682a47d6b7816c23aab3ea97e12b8737906ef7dfe4a79936596a085dd
Instruction Fuzzy Hash: 7F82B371E00219DBDF24DFA8C891BEDB7B1BF48310F25816AE915AB291E7749E41CF90

Uniqueness

Uniqueness Score: -1.00%

Function 001669EB Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,00000000,?,00000008,?,?,001669E6,00000000,?,00000008,?,?,0017017F,00000000), ref: 00166C18

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 33315ec07a2b1c8365e6a04806b59bb41be971b060081793ef83aa0a905825bc
Instruction ID: 8d41dba20a1bce700323ce9e1ed418a645087344a4f326cb17dcacf0e47fb2ac
Opcode Fuzzy Hash: 33315ec07a2b1c8365e6a04806b59bb41be971b060081793ef83aa0a905825bc
Instruction Fuzzy Hash: 1AB10A71610609DFD719CF28C88AB657BE0FF45364F298658E8DACF2A1C735E9A1CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0014C0BE Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 001895FC

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 411cc69d610295719010c548249f6ef7a32e939e730a924f4fa50c165f496ec4
Instruction ID: 2384efa727e81b414c444690b261e1a1845ecac86973963ff91e3aaa651117e0
Opcode Fuzzy Hash: 411cc69d610295719010c548249f6ef7a32e939e730a924f4fa50c165f496ec4
Instruction Fuzzy Hash: CF126D71A002299FCB64DF68C980AFEB7F5FF58310F15819AE809EB255D7309A81CF90

Uniqueness

Uniqueness Score: -1.00%

Function 001AF2FB Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 001AF316

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 5a42f3a2e16103c7052a4db37be5b956ff64513414fa4f79cd23d5cb8354baba
Instruction ID: 90fc128130c1917f275e5055b29e6f341bb3bd5431f0431daafd693e492a41a4
Opcode Fuzzy Hash: 5a42f3a2e16103c7052a4db37be5b956ff64513414fa4f79cd23d5cb8354baba
Instruction Fuzzy Hash: EFE048352002145FCB10AF9AE444D56F7E8EF95764F008429F949C7351D770E841CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0019EA77 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32 ref: 0019EAA0

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: 5d7b7afda5dbeef7440aa0bdbfac207f668ac3555aa29d48c32f970c20b75369
Instruction ID: eda304fbd121d9c63098748e32dbff49c01f0040e38826ec05f4afd07658c45c
Opcode Fuzzy Hash: 5d7b7afda5dbeef7440aa0bdbfac207f668ac3555aa29d48c32f970c20b75369
Instruction Fuzzy Hash: E4D05EBA5A030278FC2DDA3CDD2FF361EC8F712741F508249B005C79B5E7C199409121

Uniqueness

Uniqueness Score: -1.00%

Function 00157A9B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 00157C0B

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: f363c565f6e71970a576354dfea2c32f2310dd17613ad4ad2d06b32645f19f9d
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 3D51576020C60ADADB398928B8577BF679A9B12303F180919EC72DF2C2C715EE4DD356

Uniqueness

Uniqueness Score: -1.00%

Function 001A2810 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

6 , xrefs: 001A281D

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID:
String ID: 6
API String ID: 0-1971203663
Opcode ID: 5234eb735d80da15a242ca6e5135f46e2facc850918a2001537a4349233a2f03
Instruction ID: 36153f9c259bf71f6febbc94f21ac083272523002c8c030559d5ca7ca4183d98
Opcode Fuzzy Hash: 5234eb735d80da15a242ca6e5135f46e2facc850918a2001537a4349233a2f03
Instruction Fuzzy Hash: 6321E7327206118BD728CF79D81767A73E9A764310F15862EE4A7C37D1DE7AAA04CB80

Uniqueness

Uniqueness Score: -1.00%

Function 001381B0 Relevance: .8, Instructions: 838COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e48025c019442dbda73b2cf7887f98a64cf29b6d3f39c4c80cadec316e342648
Instruction ID: b0e1df62e6ca016847cd7bbabca10194ab4c32c072e09e88c1af52fbb520c80f
Opcode Fuzzy Hash: e48025c019442dbda73b2cf7887f98a64cf29b6d3f39c4c80cadec316e342648
Instruction Fuzzy Hash: 8A62AFB1E00609DFDF14DFA4C881BAEB7B5FF14310F108129F81AAB291EB71A955CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00167059 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cff846d433c1a5c9f487db8a00cdd4699e7f701bce38a4572c1f8347de99d36
Instruction ID: 2577eb94de39f20fcc2fb85ba7b821eb8d7fa9baed2c20a8342f037a21008306
Opcode Fuzzy Hash: 6cff846d433c1a5c9f487db8a00cdd4699e7f701bce38a4572c1f8347de99d36
Instruction Fuzzy Hash: BC320022D2AF014DD7239638DC26335A389AFB73C9F15D727E826B5DA9EB29C5C34101

Uniqueness

Uniqueness Score: -1.00%

Function 0014DBDE Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 630c1c31b36cb94bebbfeee4a7b07c6e5300ae6bd781855a545147b4fea4d40d
Instruction ID: 827f7d205b5d56cd1cf65e8b73058fcea215900c8d1d76ddd8a1fae4a1f63374
Opcode Fuzzy Hash: 630c1c31b36cb94bebbfeee4a7b07c6e5300ae6bd781855a545147b4fea4d40d
Instruction Fuzzy Hash: 06321371A043458BDF28EF68E4D467DB7A1EB46314F2A81AAD4568B1E1D770EF81CF40

Uniqueness

Uniqueness Score: -1.00%

Function 0016A16E Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8beb2e1b9d8d03b04ba56cb0b5936521b9b910f37c77555a22cd50e15eae7826
Instruction ID: 763f2e9bb869c06a06618dcccb83c761b3d33d5126e80c620ccb378f51233c26
Opcode Fuzzy Hash: 8beb2e1b9d8d03b04ba56cb0b5936521b9b910f37c77555a22cd50e15eae7826
Instruction Fuzzy Hash: 8EB1CB20D2AF614ED62396399821336B79CBFBB6D5B92D71BFC6670D22EB2185C34140

Uniqueness

Uniqueness Score: -1.00%

Function 00151EF7 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 53d78cb490dd38204399a444efa383719f41d516c9f8abf8e22d80daf64a9dd5
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 1E9156732090A38ADB6E4639857417EFFE15A523A371A079EE8F2CE1C1EF24D55CD620

Uniqueness

Uniqueness Score: -1.00%

Function 001521B2 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: 02b4e02deb7e4fdb08d12aa89ea6263727c90add21670a2899257753ece32681
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: 8C914F732090A38ADB6E467A847403EFEE15A533A371A079DDCF2CE1C5EF349558A620

Uniqueness

Uniqueness Score: -1.00%

Function 00151C30 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 5534b3c025f481a4d21f82038f263ea44f83e3863e081773f5fe8601f4e03b3b
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 279167722080A39ADB6F467A847927DFFF19A523A331A079DDCF2CE1C1EF158558D620

Uniqueness

Uniqueness Score: -1.00%

Function 00157CCA Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85de17d73735bffd769f94e0a7c90c29a3c37fc02ea624522a2f49083c10a5b6
Instruction ID: 137b24d89a303223439ed7a8d8634a6e9392a781d13ddb41566354f19ebd5be2
Opcode Fuzzy Hash: 85de17d73735bffd769f94e0a7c90c29a3c37fc02ea624522a2f49083c10a5b6
Instruction Fuzzy Hash: C3618571208309D6DE389AA8B897BBE23B5EF51703F50095AEC72DF2C1DB11AD4E8255

Uniqueness

Uniqueness Score: -1.00%

Function 00157F27 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 905ea69e0eb59a603dc484108559e2796920393164ad5cf96c1288f0288a9a54
Instruction ID: dbb52be160f209454ee7df795cd0821587a3576a3a1d6cd56a53b23df2152f69
Opcode Fuzzy Hash: 905ea69e0eb59a603dc484108559e2796920393164ad5cf96c1288f0288a9a54
Instruction Fuzzy Hash: A8617671604609DAEB38DA28A896BBE6384AB51343F10091BFD72FF2C1DF11DD4E8355

Uniqueness

Uniqueness Score: -1.00%

Function 00151986 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: bc773814782d9ab0615795785971f4a2cc566ae53909bd3230f9aa8187bccd19
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 278132722090E39ADB2F4639853457EFFE15A523A331A079ED8F2CF1C1FB148958D620

Uniqueness

Uniqueness Score: -1.00%

Function 0013E4A2 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 133bf2e878b2256653524cb9029c4c08be3495f12065d775373e8204e553a454
Instruction ID: 561dd00b535bd13c9d997f83ac6df8d0c1f09e463b3fae4afa516c825331aebe
Opcode Fuzzy Hash: 133bf2e878b2256653524cb9029c4c08be3495f12065d775373e8204e553a454
Instruction Fuzzy Hash: D9218EA680F3C05FEB92877C88A55C37FF0DE1362078A14EBC5C18B563E505A60BDBA1

Uniqueness

Uniqueness Score: -1.00%

Function 001B3337 Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 001B3389
DeleteObject.GDI32(00000000), ref: 001B339C
DestroyWindow.USER32 ref: 001B33AB
GetDesktopWindow.USER32 ref: 001B33C6
GetWindowRect.USER32 ref: 001B33CD
SetRect.USER32 ref: 001B34FC
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 001B350A
CreateWindowExW.USER32 ref: 001B3551
GetClientRect.USER32 ref: 001B355D
CreateWindowExW.USER32 ref: 001B3599
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001B35BB
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001B35CE
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001B35D9
GlobalLock.KERNEL32 ref: 001B35E2
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001B35F1
GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001B35FA
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001B3601
GlobalFree.KERNEL32 ref: 001B360C
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001B361E
OleLoadPicture.OLEAUT32(?,00000000,00000000,001D0C20,00000000), ref: 001B3634
GlobalFree.KERNEL32 ref: 001B3644
CopyImage.USER32 ref: 001B366A
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 001B3689
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001B36AB
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001B3898

Strings

DISPLAY, xrefs: 001B36FB
static, xrefs: 001B3593, 001B36EA
, xrefs: 001B381E
AutoIt v3, xrefs: 001B354B

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 9101ffa3bd4865909cb24461e732aeee08af45f9a56efc9ab3fb23029e5b3f3d
Instruction ID: 92d4ce8c76c11b53847b261d1daa35ac2806ace35fc510a0ff86072fc7ab4f32
Opcode Fuzzy Hash: 9101ffa3bd4865909cb24461e732aeee08af45f9a56efc9ab3fb23029e5b3f3d
Instruction Fuzzy Hash: 50026AB1900219EFDB14DF64DC89EAE7BB9FB48310F048158F915AB2A1DB74ED45CB60

Uniqueness

Uniqueness Score: -1.00%

Function 001C78D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 001C792F
GetSysColorBrush.USER32(0000000F), ref: 001C7960
GetSysColor.USER32(0000000F), ref: 001C796C
SetBkColor.GDI32(?,000000FF), ref: 001C7986
SelectObject.GDI32(?,?), ref: 001C7995
InflateRect.USER32(?,000000FF,000000FF), ref: 001C79C0
GetSysColor.USER32(00000010), ref: 001C79C8
CreateSolidBrush.GDI32(00000000), ref: 001C79CF
FrameRect.USER32 ref: 001C79DE
DeleteObject.GDI32(00000000), ref: 001C79E5
InflateRect.USER32(?,000000FE,000000FE), ref: 001C7A30
FillRect.USER32 ref: 001C7A62
GetWindowLongW.USER32(?,000000F0), ref: 001C7A84

Part of subcall function 001C7BE8: GetSysColor.USER32(00000012), ref: 001C7C21
Part of subcall function 001C7BE8: SetTextColor.GDI32(?,?), ref: 001C7C25
Part of subcall function 001C7BE8: GetSysColorBrush.USER32(0000000F), ref: 001C7C3B
Part of subcall function 001C7BE8: GetSysColor.USER32(0000000F), ref: 001C7C46
Part of subcall function 001C7BE8: GetSysColor.USER32(00000011), ref: 001C7C63
Part of subcall function 001C7BE8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 001C7C71
Part of subcall function 001C7BE8: SelectObject.GDI32(?,00000000), ref: 001C7C82
Part of subcall function 001C7BE8: SetBkColor.GDI32(?,00000000), ref: 001C7C8B
Part of subcall function 001C7BE8: SelectObject.GDI32(?,?), ref: 001C7C98
Part of subcall function 001C7BE8: InflateRect.USER32(?,000000FF,000000FF), ref: 001C7CB7
Part of subcall function 001C7BE8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 001C7CCE
Part of subcall function 001C7BE8: GetWindowLongW.USER32(00000000,000000F0), ref: 001C7CDB

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 922273c7c0f9bbd658fe1e060fd37c3c2c41525a29cd84d4450cf5d63d8867be
Instruction ID: 54e9b6bed28ee16c50bb993da140d9c9603d5e8ad861e4740a213c075f1fcaf2
Opcode Fuzzy Hash: 922273c7c0f9bbd658fe1e060fd37c3c2c41525a29cd84d4450cf5d63d8867be
Instruction Fuzzy Hash: 83A16C72008301AFD7119F64EC48F6BBBA9FB48325F140A2DFA62965E0D775D984CF52

Uniqueness

Uniqueness Score: -1.00%

Function 0014907A Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00149109
SendMessageW.USER32(?,00001308,?,00000000), ref: 00187157
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00187190
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 001875D5

Part of subcall function 00149257: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00148EDD,?,00000000,?,?,?,?,00148EAF,00000000,?), ref: 001492BA

SendMessageW.USER32(?,00001053), ref: 00187611
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00187628
ImageList_Destroy.COMCTL32(00000000,?), ref: 0018763E
ImageList_Destroy.COMCTL32(00000000,?), ref: 00187649

Strings

0, xrefs: 00187461

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: ae53e6443fadb3aa2ea530aeed148e3ce253c226f0684218ffe20c20702a61c4
Instruction ID: 64eb9788354b6182174c08f9a9555039ebe1b2c8c3d456a1801cea3e389d6c34
Opcode Fuzzy Hash: ae53e6443fadb3aa2ea530aeed148e3ce253c226f0684218ffe20c20702a61c4
Instruction Fuzzy Hash: DC12BF30608201EFD725EF14D888FAABBE5FB44714F24446AF4858BAA1C731E986DF91

Uniqueness

Uniqueness Score: -1.00%

Function 001B2F6A Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 001B2F97
SystemParametersInfoW.USER32 ref: 001B30C3
SetRect.USER32 ref: 001B3102
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 001B3112
CreateWindowExW.USER32 ref: 001B3159
GetClientRect.USER32 ref: 001B3165
CreateWindowExW.USER32 ref: 001B31AE
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 001B31BD
GetStockObject.GDI32(00000011), ref: 001B31CD
SelectObject.GDI32(00000000,00000000), ref: 001B31D1
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 001B31E1
GetDeviceCaps.GDI32(00000000,0000005A), ref: 001B31EA
DeleteDC.GDI32(00000000), ref: 001B31F3
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?,?,50000000), ref: 001B321F
SendMessageW.USER32(00000030,00000000,00000001), ref: 001B3236
CreateWindowExW.USER32 ref: 001B3276
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 001B328A
SendMessageW.USER32(00000404,00000001,00000000), ref: 001B329B
CreateWindowExW.USER32 ref: 001B32D0
GetStockObject.GDI32(00000011), ref: 001B32DB
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 001B32E6
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 001B32F0

Strings

DISPLAY, xrefs: 001B31B3
static, xrefs: 001B31A8, 001B32CA
msctls_progress32, xrefs: 001B326C
AutoIt v3, xrefs: 001B3151

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 935a03d4cd1a4f9917ca3399ba0190cb657682a88400f0e33c7c0b20bb106711
Instruction ID: 6b70c2e6be622b44787282a3d06de2f915d72ae45a2c977ca228f257b8acd2ed
Opcode Fuzzy Hash: 935a03d4cd1a4f9917ca3399ba0190cb657682a88400f0e33c7c0b20bb106711
Instruction Fuzzy Hash: 7EB12D71A00219AFDB24DFA8DC49FAEBBA9EF48710F004155FA15E7291D774ED40CB54

Uniqueness

Uniqueness Score: -1.00%

Function 001A532F Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 001A533D
GetDriveTypeW.KERNEL32(?,001CDC44,?,\\.\,001CDCD0), ref: 001A541A
SetErrorMode.KERNEL32(00000000,001CDC44,?,\\.\,001CDCD0), ref: 001A5586

Strings

USB, xrefs: 001A5504
SAS, xrefs: 001A5519
MMC, xrefs: 001A552E
RAMDisk, xrefs: 001A5444
SSA, xrefs: 001A54F6
Removable, xrefs: 001A5460, 001A5465
Fixed, xrefs: 001A5459
iSCSI, xrefs: 001A5512
SCSI, xrefs: 001A54DA
Fibre, xrefs: 001A54FD
\\.\, xrefs: 001A538F
Unknown, xrefs: 001A543D, 001A54D3
SSD, xrefs: 001A549A
PhysicalDrive, xrefs: 001A53C6
CDROM, xrefs: 001A544B
ATAPI, xrefs: 001A54E1
Virtual, xrefs: 001A5535
ATA, xrefs: 001A54E8
SATA, xrefs: 001A5520
Network, xrefs: 001A5452
RAID, xrefs: 001A550B
1394, xrefs: 001A54EF
FileBackedVirtual, xrefs: 001A553C

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 4bb271baca6e879902f7c8b8f8a44e0afdbb12ba778cb5d57b6077d3c9ce0933
Instruction ID: dd49e236f51662830aa44d936985ceaab7012172c173514650a7b4dfe4fa851d
Opcode Fuzzy Hash: 4bb271baca6e879902f7c8b8f8a44e0afdbb12ba778cb5d57b6077d3c9ce0933
Instruction Fuzzy Hash: 9A61D338F4C909EFCB08DF64C9829B97BB3AF5A700B648055E506AB2D2D771DE81CB51

Uniqueness

Uniqueness Score: -1.00%

Function 001C7BE8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 001C7C21
SetTextColor.GDI32(?,?), ref: 001C7C25
GetSysColorBrush.USER32(0000000F), ref: 001C7C3B
GetSysColor.USER32(0000000F), ref: 001C7C46
CreateSolidBrush.GDI32(?), ref: 001C7C4B
GetSysColor.USER32(00000011), ref: 001C7C63
CreatePen.GDI32(00000000,00000001,00743C00), ref: 001C7C71
SelectObject.GDI32(?,00000000), ref: 001C7C82
SetBkColor.GDI32(?,00000000), ref: 001C7C8B
SelectObject.GDI32(?,?), ref: 001C7C98
InflateRect.USER32(?,000000FF,000000FF), ref: 001C7CB7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 001C7CCE
GetWindowLongW.USER32(00000000,000000F0), ref: 001C7CDB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 001C7D2A
GetWindowTextW.USER32 ref: 001C7D54
InflateRect.USER32(?,000000FD,000000FD), ref: 001C7D72
DrawFocusRect.USER32 ref: 001C7D7D
GetSysColor.USER32(00000011), ref: 001C7D8E
SetTextColor.GDI32(?,00000000), ref: 001C7D96
DrawTextW.USER32(?,001C78F5,000000FF,?,00000000), ref: 001C7DA8
SelectObject.GDI32(?,?), ref: 001C7DBF
DeleteObject.GDI32(?), ref: 001C7DCA
SelectObject.GDI32(?,?), ref: 001C7DD0
DeleteObject.GDI32(?), ref: 001C7DD5
SetTextColor.GDI32(?,?), ref: 001C7DDB
SetBkColor.GDI32(?,?), ref: 001C7DE5

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 1f6b1717fe7d50a75722f3466c5c5ab64990645f37e971908a883ff8f7723148
Instruction ID: e982de320f0feba856729ec93794cf5ac600df5f2d30f56a1976d5ee751cb334
Opcode Fuzzy Hash: 1f6b1717fe7d50a75722f3466c5c5ab64990645f37e971908a883ff8f7723148
Instruction Fuzzy Hash: 8F613C72900219AFDB119FA4EC49EAEBF79EF08320F154525F915AB2A1D7B1D980CF90

Uniqueness

Uniqueness Score: -1.00%

Function 001C1858 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 001C198D
GetDesktopWindow.USER32 ref: 001C19A2
GetWindowRect.USER32 ref: 001C19A9
GetWindowLongW.USER32(?,000000F0), ref: 001C19FE
DestroyWindow.USER32(?), ref: 001C1A1E
CreateWindowExW.USER32 ref: 001C1A52
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 001C1A70
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 001C1A82
SendMessageW.USER32(00000000,00000421,?,?), ref: 001C1A97
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 001C1AAA
IsWindowVisible.USER32 ref: 001C1B06
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 001C1B21
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 001C1B35
GetWindowRect.USER32 ref: 001C1B4D
MonitorFromPoint.USER32(?,?,00000002), ref: 001C1B73
GetMonitorInfoW.USER32 ref: 001C1B8D
CopyRect.USER32 ref: 001C1BA4
SendMessageW.USER32(00000000,00000412,00000000), ref: 001C1C0F

Strings

0, xrefs: 001C1938
(, xrefs: 001C1B80
tooltips_class32, xrefs: 001C1A4B

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 23b7078667199a2154cc5af0f14eeb36490676f9752f830b0b7b7a564c9e9258
Instruction ID: 812319a08a639b26f808ee0cf16da3caa0b788d195130d3d9d058ea16b2a7e6e
Opcode Fuzzy Hash: 23b7078667199a2154cc5af0f14eeb36490676f9752f830b0b7b7a564c9e9258
Instruction Fuzzy Hash: DEB17971608351AFD714DF64C884F6ABBE4FF95314F00891CF99A9B2A2DB31E845CB92

Uniqueness

Uniqueness Score: -1.00%

Function 001C0AA6 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 001C0B4A
_wcslen.LIBCMT ref: 001C0B84
_wcslen.LIBCMT ref: 001C0BEE
_wcslen.LIBCMT ref: 001C0C56
_wcslen.LIBCMT ref: 001C0CDA
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 001C0D2A
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 001C0D69

Part of subcall function 0014FC68: _wcslen.LIBCMT ref: 0014FC73

Part of subcall function 001928C9: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 001928E2
Part of subcall function 001928C9: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00192914

Strings

SELECTINVERT, xrefs: 001C0DE3
ISSELECTED, xrefs: 001C0D42
GETSELECTED, xrefs: 001C0E46
GETSELECTEDCOUNT, xrefs: 001C0CD5, 001C0CF0
FINDITEM, xrefs: 001C0E8C
GETITEMCOUNT, xrefs: 001C0B7B, 001C0B9C
SELECTALL, xrefs: 001C0D7A
VIEWCHANGE, xrefs: 001C0EDA
SELECTCLEAR, xrefs: 001C0D92
DESELECT, xrefs: 001C0E01
GETTEXT, xrefs: 001C0C51, 001C0C6C
SELECT, xrefs: 001C0DAD
GETSUBITEMCOUNT, xrefs: 001C0BE9, 001C0C04

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: 22eea99104b4fc4343806cb20dab13bff898613c4845caa4df26113a7556a4cd
Instruction ID: fcc31e4dc1b82f7691bcd54856736bcd942ad573327ac2befa63310d9f029b91
Opcode Fuzzy Hash: 22eea99104b4fc4343806cb20dab13bff898613c4845caa4df26113a7556a4cd
Instruction Fuzzy Hash: 46E19C31208201CFCB15DF68C991E3AB7E5BFA8318F15496CF896AB2A1DB30ED45CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00131456 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32 ref: 0013152D
GetSystemMetrics.USER32 ref: 00131535
SystemParametersInfoW.USER32 ref: 00131560
GetSystemMetrics.USER32 ref: 00131568
GetSystemMetrics.USER32 ref: 0013158D
SetRect.USER32 ref: 001315AA
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 001315BA
CreateWindowExW.USER32 ref: 001315ED
SetWindowLongW.USER32 ref: 00131601
GetClientRect.USER32 ref: 0013161F
GetStockObject.GDI32(00000011), ref: 0013163B
SendMessageW.USER32(00000000,00000030,00000000), ref: 00131646

Part of subcall function 0013135A: GetCursorPos.USER32(?,?,00000000,00000000,?,00131659,00000000,000000FF,?,?,?), ref: 0013136E
Part of subcall function 0013135A: ScreenToClient.USER32 ref: 0013138B
Part of subcall function 0013135A: GetAsyncKeyState.USER32(00000001), ref: 001313C2
Part of subcall function 0013135A: GetAsyncKeyState.USER32(00000002), ref: 001313DC

SetTimer.USER32(00000000,00000000,00000028,001493F1), ref: 0013166D

Strings

AutoIt v3 GUI, xrefs: 001315E5

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 676380b6979ae6b97c53ed553210a888d06dedd9dcdda4066139ef8e5f8b5f5f
Instruction ID: a0cc06f2018848f90a7fa7d0bfb8976ae035e98b7e94877b4cc409909829e4fb
Opcode Fuzzy Hash: 676380b6979ae6b97c53ed553210a888d06dedd9dcdda4066139ef8e5f8b5f5f
Instruction Fuzzy Hash: 88B16B75A00209EFDB14DFA8DC49FAE7BB5FB48314F118129FA19A7290DB74D841CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00191415 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00191783: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 0019179E
Part of subcall function 00191783: GetLastError.KERNEL32(?,00000000,00000000,?,?,00191225,?,?,?), ref: 001917AA
Part of subcall function 00191783: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00191225,?,?,?), ref: 001917B9
Part of subcall function 00191783: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00191225,?,?,?), ref: 001917C0
Part of subcall function 00191783: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 001917D7

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0019147F
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 001914B3
GetLengthSid.ADVAPI32(?), ref: 001914CA
GetAce.ADVAPI32(?,00000000,?), ref: 00191504
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00191520
GetLengthSid.ADVAPI32(?), ref: 00191537
GetProcessHeap.KERNEL32(00000008,00000008), ref: 0019153F
HeapAlloc.KERNEL32(00000000), ref: 00191546
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00191567
CopySid.ADVAPI32(00000000), ref: 0019156E
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 0019159D
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 001915BF
SetUserObjectSecurity.USER32 ref: 001915D1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 001915F8
HeapFree.KERNEL32(00000000), ref: 001915FF
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00191608
HeapFree.KERNEL32(00000000), ref: 0019160F
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00191618
HeapFree.KERNEL32(00000000), ref: 0019161F
GetProcessHeap.KERNEL32(00000000,?), ref: 0019162B
HeapFree.KERNEL32(00000000), ref: 00191632

Part of subcall function 0019181D: GetProcessHeap.KERNEL32(00000008,0019123B,?,00000000,?,0019123B,?), ref: 0019182B
Part of subcall function 0019181D: HeapAlloc.KERNEL32(00000000,?,00000000,?,0019123B,?), ref: 00191832
Part of subcall function 0019181D: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,0019123B,?), ref: 00191841

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: c466141926738fc1e516f51236a0a1dc5195265de8e8eb00d832891cdc26bb0e
Instruction ID: 9b9545f57a63540eb7a4ed47a491530336c792e34ad541afa957918fd497b589
Opcode Fuzzy Hash: c466141926738fc1e516f51236a0a1dc5195265de8e8eb00d832891cdc26bb0e
Instruction Fuzzy Hash: 50712B7290020ABBDF119FA5EC48FEEBBB8BF45310F168125E915E7190D771DA85CB60

Uniqueness

Uniqueness Score: -1.00%

Function 001BCC10 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 001BCD16
RegCreateKeyExW.ADVAPI32(?,?,00000000,001CDCD0,00000000,?,00000000,?,?), ref: 001BCD9D
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 001BCDFD
_wcslen.LIBCMT ref: 001BCE4D
_wcslen.LIBCMT ref: 001BCEC8
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 001BCF0B
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 001BD01A
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 001BD0A6
RegCloseKey.ADVAPI32(?), ref: 001BD0DA
RegCloseKey.ADVAPI32(00000000), ref: 001BD0E7
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 001BD1B9

Strings

REG_SZ, xrefs: 001BCE9D
REG_BINARY, xrefs: 001BD16C
REG_QWORD, xrefs: 001BD11C
REG_MULTI_SZ, xrefs: 001BCF4E
REG_EXPAND_SZ, xrefs: 001BCE26
REG_DWORD, xrefs: 001BD05D

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: c5ee33fef50ba3dba7cec9739724f8ea7c749ef21e4fbe4b0297a42fea9c5802
Instruction ID: d1cc3f3033107c287ee064e48acbe1242f0f65d570584ba35605b6510bf22be4
Opcode Fuzzy Hash: c5ee33fef50ba3dba7cec9739724f8ea7c749ef21e4fbe4b0297a42fea9c5802
Instruction Fuzzy Hash: 65125B752042019FCB24EF14D881B6ABBE5FF99314F14849DF89A9B3A2DB31ED41CB81

Uniqueness

Uniqueness Score: -1.00%

Function 001C1183 Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 001C122B
_wcslen.LIBCMT ref: 001C1266
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 001C12B9
_wcslen.LIBCMT ref: 001C12EF
_wcslen.LIBCMT ref: 001C136B
_wcslen.LIBCMT ref: 001C13E6

Part of subcall function 0014FC68: _wcslen.LIBCMT ref: 0014FC73

Part of subcall function 00193274: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00193286

Strings

EXPAND, xrefs: 001C145D
UNCHECK, xrefs: 001C15A3
ISCHECKED, xrefs: 001C1546
CHECK, xrefs: 001C12EA, 001C1305
GETSELECTED, xrefs: 001C14B3
COLLAPSE, xrefs: 001C1366, 001C1381
EXISTS, xrefs: 001C13E1, 001C13FC
GETTEXT, xrefs: 001C14FC
GETTOTALCOUNT, xrefs: 001C1257, 001C127C
SELECT, xrefs: 001C1576
GETITEMCOUNT, xrefs: 001C1483

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 1a56a7ad423e58bba9864002d30fa1c08ed1bda5b599b4fde05ba921a0a04a30
Instruction ID: 7eaed08a6f76714c7f90ebfa8bf31437def04a58e9015d49b2dbf0140eb84848
Opcode Fuzzy Hash: 1a56a7ad423e58bba9864002d30fa1c08ed1bda5b599b4fde05ba921a0a04a30
Instruction Fuzzy Hash: 4EE1C075648301AFCB14EF24C490D2AB7E2BFA6314F14895CF8969B7A2DB30ED45CB81

Uniqueness

Uniqueness Score: -1.00%

Function 001BD1F1 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,001BBF07,?,?), ref: 001BD20E
_wcslen.LIBCMT ref: 001BD24A
_wcslen.LIBCMT ref: 001BD2C1
_wcslen.LIBCMT ref: 001BD2F7
_wcslen.LIBCMT ref: 001BD352
_wcslen.LIBCMT ref: 001BD388
_wcslen.LIBCMT ref: 001BD3D8

Strings

HKU, xrefs: 001BD449
HKCC, xrefs: 001BD405
HKCU, xrefs: 001BD427
HKEY_USERS, xrefs: 001BD438
HKLM, xrefs: 001BD2F1, 001BD2F6
HKEY_CURRENT_CONFIG, xrefs: 001BD3D2, 001BD3D7
HKCR, xrefs: 001BD382, 001BD387
HKEY_LOCAL_MACHINE, xrefs: 001BD2BB, 001BD2C0
HKEY_CLASSES_ROOT, xrefs: 001BD34C, 001BD351
HKEY_CURRENT_USER, xrefs: 001BD416

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: c3806c612b56ee3b1bc1630e890d03ff4ae578d8aa7001f4320d747632716423
Instruction ID: 55963818014ab9b4cc2545237ce164dcbea1ae63c76c94f96cbdd56a015f7fae
Opcode Fuzzy Hash: c3806c612b56ee3b1bc1630e890d03ff4ae578d8aa7001f4320d747632716423
Instruction Fuzzy Hash: 5D71277260016A8BCB289E78E941AFF33D1AF70354F210168FC65AB2A1FB35ED45C351

Uniqueness

Uniqueness Score: -1.00%

Function 001C8B5D Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 001C8B7B
_wcslen.LIBCMT ref: 001C8B8F
_wcslen.LIBCMT ref: 001C8BB2
_wcslen.LIBCMT ref: 001C8BD5
LoadImageW.USER32 ref: 001C8C13
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,001C6459), ref: 001C8C6F
LoadImageW.USER32 ref: 001C8CA8
LoadImageW.USER32 ref: 001C8CEB
LoadImageW.USER32 ref: 001C8D22
FreeLibrary.KERNEL32(?), ref: 001C8D2E
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 001C8D3E
DestroyIcon.USER32(?,?,?,?,?,001C6459), ref: 001C8D4D
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 001C8D6A
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 001C8D76

Strings

.icl, xrefs: 001C8B89
.dll, xrefs: 001C8BCC
.exe, xrefs: 001C8BA9

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 67dcf72d767d278b8e2e2ddebb9be51722734b4ae38c23efe0c761cbfe3bd62e
Instruction ID: d0de81bd3a04fb6773e6c220e449f62908b055c9a2823c519658a876aa6cbd32
Opcode Fuzzy Hash: 67dcf72d767d278b8e2e2ddebb9be51722734b4ae38c23efe0c761cbfe3bd62e
Instruction Fuzzy Hash: DD61BE71500219FEEB14DFA4DC81FFE7BA8AB28715F10411AF915DA1C1DBB4EA94CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00132EC6 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#include, xrefs: 00132F95
#cs, xrefs: 00132FC1, 00133013
#include-once, xrefs: 00132F7D
#comments-end, xrefs: 00133027
#pragma compile, xrefs: 00132F21
Cannot parse #include, xrefs: 00173763
#comments-start, xrefs: 00132FAD, 00132FFF
", xrefs: 0017363D
#requireadmin, xrefs: 00132F4D
#OnAutoItStartRegister, xrefs: 00132F65
#notrayicon, xrefs: 00132F35
', xrefs: 00173653
Unterminated group of comments, xrefs: 00173776
#ce, xrefs: 0013303B
Bad directive syntax error, xrefs: 00173684

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 43f55b1b6f767ca2bd240376dc047b4cc258c671754f8b6ae63b2a1773951879
Instruction ID: abdae85f5d0dad9773301c52db9ae5168440a442a52b7539bcfca5c8df9d1eaa
Opcode Fuzzy Hash: 43f55b1b6f767ca2bd240376dc047b4cc258c671754f8b6ae63b2a1773951879
Instruction Fuzzy Hash: D981B471600205FACB25BF64DC42FAA7768AF24704F048028FD19AF1D6EB70DA4AE795

Uniqueness

Uniqueness Score: -1.00%

Function 001A46C9 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 001A4748
_wcslen.LIBCMT ref: 001A4753
_wcslen.LIBCMT ref: 001A47AA
_wcslen.LIBCMT ref: 001A47E8
GetDriveTypeW.KERNEL32(?), ref: 001A4826
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 001A486E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 001A48A9
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 001A48D7

Strings

closed, xrefs: 001A4758, 001A477D, 001A4796, 001A47CE, 001A47E7
close, xrefs: 001A474E, 001A4768
wait, xrefs: 001A4894
open, xrefs: 001A47A4, 001A47A9
type cdaudio alias cd wait, xrefs: 001A4851
open , xrefs: 001A4835
set cd door , xrefs: 001A4878
close cd wait, xrefs: 001A48C2

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: 95f0574c87d5850a27bfe842ac4edfa1cf3c210822137d9364df7180215acfe7
Instruction ID: b33c0117aefd840df3ac40851b34b94dd9c5624e7fc90e4e842083588e78a033
Opcode Fuzzy Hash: 95f0574c87d5850a27bfe842ac4edfa1cf3c210822137d9364df7180215acfe7
Instruction Fuzzy Hash: FC7101765083169FC310EF24D88187BB7E4EFAA768F10492CF89697291EB70DD45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 001960B9 Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 001960CC
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 001960DE
SetWindowTextW.USER32(?,?), ref: 001960F5
GetDlgItem.USER32 ref: 0019610A
SetWindowTextW.USER32(00000000,?), ref: 00196110
GetDlgItem.USER32 ref: 00196120
SetWindowTextW.USER32(00000000,?), ref: 00196126
SendDlgItemMessageW.USER32 ref: 00196147
SendDlgItemMessageW.USER32 ref: 00196161
GetWindowRect.USER32 ref: 0019616A
_wcslen.LIBCMT ref: 001961D1
SetWindowTextW.USER32(?,?), ref: 0019620D
GetDesktopWindow.USER32 ref: 00196213
GetWindowRect.USER32 ref: 0019621A
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00196271
GetClientRect.USER32 ref: 0019627E
PostMessageW.USER32(?,00000005,00000000,?), ref: 001962A3
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 001962CD

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: ee99864df9ab7707578d0935412d9ab44351f3788959f117175b54171062edc8
Instruction ID: ba3bee3b9f4b0ea49c7489fdca3aeae2d2942c39abd0075f1817c5ddc621015a
Opcode Fuzzy Hash: ee99864df9ab7707578d0935412d9ab44351f3788959f117175b54171062edc8
Instruction Fuzzy Hash: 3C715C31900709AFDF20DFA8DE49EAEBBF5FF48704F104929E586A25A0D775E944CB20

Uniqueness

Uniqueness Score: -1.00%

Function 001B0667 Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 001B0680
LoadCursorW.USER32(00000000,00007F8A), ref: 001B068B
LoadCursorW.USER32(00000000,00007F00), ref: 001B0696
LoadCursorW.USER32(00000000,00007F03), ref: 001B06A1
LoadCursorW.USER32(00000000,00007F8B), ref: 001B06AC
LoadCursorW.USER32(00000000,00007F01), ref: 001B06B7
LoadCursorW.USER32(00000000,00007F81), ref: 001B06C2
LoadCursorW.USER32(00000000,00007F88), ref: 001B06CD
LoadCursorW.USER32(00000000,00007F80), ref: 001B06D8
LoadCursorW.USER32(00000000,00007F86), ref: 001B06E3
LoadCursorW.USER32(00000000,00007F83), ref: 001B06EE
LoadCursorW.USER32(00000000,00007F85), ref: 001B06F9
LoadCursorW.USER32(00000000,00007F82), ref: 001B0704
LoadCursorW.USER32(00000000,00007F84), ref: 001B070F
LoadCursorW.USER32(00000000,00007F04), ref: 001B071A
LoadCursorW.USER32(00000000,00007F02), ref: 001B0725
GetCursorInfo.USER32(?), ref: 001B0735
GetLastError.KERNEL32 ref: 001B0777

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: d0136e0e7d4a14b68a4436830155dad2c878096475c0427eb07a1563672e074f
Instruction ID: b8fa62e231a06f138f446b83c3b06d779aa4401fc292530ad51487c5c0650141
Opcode Fuzzy Hash: d0136e0e7d4a14b68a4436830155dad2c878096475c0427eb07a1563672e074f
Instruction Fuzzy Hash: FE4131B0D083196ADB109FBA9C89C5EBFE8BF08754B50452AE15DE7281DB78E901CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00193782 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00193818
_wcslen.LIBCMT ref: 00193883

Strings

NAME, xrefs: 001939C0, 001939D1
INSTANCE, xrefs: 00193ADE
CLASS, xrefs: 00193813, 00193830
CLASSNN, xrefs: 0019387E, 0019388F
REGEXPCLASS, xrefs: 001938E0, 001938F1
TEXT, xrefs: 00193B07

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: 451d9d7124444f6e97d025e70f7f8d1afe4d9a986b5e085a8af41e9ba43fd94f
Instruction ID: c465f7ec4f569af08b1c31b350877d4b791490fc2c97183b3f4000f28defb8d0
Opcode Fuzzy Hash: 451d9d7124444f6e97d025e70f7f8d1afe4d9a986b5e085a8af41e9ba43fd94f
Instruction Fuzzy Hash: E3E1B432A0051A9BCF189FA8C481BEDFBB5BF24714F55421AE876F7250DB30AE85C790

Uniqueness

Uniqueness Score: -1.00%

Function 001A4D10 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,001CDCD0), ref: 001A4D77
_wcslen.LIBCMT ref: 001A4D8B
_wcslen.LIBCMT ref: 001A4DE9
_wcslen.LIBCMT ref: 001A4E44
_wcslen.LIBCMT ref: 001A4E8F
_wcslen.LIBCMT ref: 001A4EF7

Part of subcall function 0014FC68: _wcslen.LIBCMT ref: 0014FC73

GetDriveTypeW.KERNEL32(?,001F7C00,00000061), ref: 001A4F93

Strings

removable, xrefs: 001A4E3A, 001A4E3F
network, xrefs: 001A4EED, 001A4EF2
unknown, xrefs: 001A4F58
all, xrefs: 001A4D81, 001A4D86
fixed, xrefs: 001A4E85, 001A4E8A
cdrom, xrefs: 001A4DDF, 001A4DE4
ramdisk, xrefs: 001A4F41

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 66f46375aec2b94e62e0ac16c2fb60e5c1a2a998adfedde425126ebf0008743b
Instruction ID: 9461b6637b4c2be923ab24a2cd2321b53bd45db839896fa8b3af57b8ef393251
Opcode Fuzzy Hash: 66f46375aec2b94e62e0ac16c2fb60e5c1a2a998adfedde425126ebf0008743b
Instruction Fuzzy Hash: E3B1BF396083029FC714DF28D890A7AB7E5BFE6724F10491DF5A6C7291D774D884CB92

Uniqueness

Uniqueness Score: -1.00%

Function 001C993F Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00149DA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00149DB2

DragQueryPoint.SHELL32(?,?), ref: 001C9968

Part of subcall function 001C7E74: ClientToScreen.USER32(?,?), ref: 001C7E9A
Part of subcall function 001C7E74: GetWindowRect.USER32 ref: 001C7F10
Part of subcall function 001C7E74: PtInRect.USER32(?,?,001C93AA), ref: 001C7F20

SendMessageW.USER32(?,000000B0,?,?), ref: 001C99D1
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 001C99DC
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 001C99FF
SendMessageW.USER32(?,000000C2,00000001,?), ref: 001C9A46
SendMessageW.USER32(?,000000B0,?,?), ref: 001C9A5F
SendMessageW.USER32(?,000000B1,?,?), ref: 001C9A76
SendMessageW.USER32(?,000000B1,?,?), ref: 001C9A98
DragFinish.SHELL32(?), ref: 001C9A9F
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 001C9B92

Strings

@GUI_DRAGID, xrefs: 001C9B0A
p3 , xrefs: 001C9ADC
@GUI_DRAGFILE, xrefs: 001C9B41
@GUI_DROPID, xrefs: 001C9ABF

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p3
API String ID: 221274066-31792836
Opcode ID: ad5e2a004cb2a1918be9a4a7ccde093533a1691939ca916a67bd0e5a6312f22f
Instruction ID: abf90e028585106c040458812c0699e7c1b3ad878a5f543d2f4135c1f38a0a26
Opcode Fuzzy Hash: ad5e2a004cb2a1918be9a4a7ccde093533a1691939ca916a67bd0e5a6312f22f
Instruction Fuzzy Hash: 81615971108305AFC701EF64EC89E9FBBE8EF98754F40092EF595921A1DB70DA49CB92

Uniqueness

Uniqueness Score: -1.00%

Function 001BB852 Relevance: 24.4, APIs: 16, Instructions: 418processCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 001BB9F1
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 001BBA09
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 001BBA2D
_wcslen.LIBCMT ref: 001BBA59
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 001BBA6D
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 001BBA8F
_wcslen.LIBCMT ref: 001BBB8B

Part of subcall function 001A0D59: GetStdHandle.KERNEL32(000000F6), ref: 001A0D78

_wcslen.LIBCMT ref: 001BBBA4
_wcslen.LIBCMT ref: 001BBBBF
CreateProcessW.KERNEL32 ref: 001BBC0F
GetLastError.KERNEL32(00000000), ref: 001BBC60
CloseHandle.KERNEL32(?), ref: 001BBC92
CloseHandle.KERNEL32(00000000), ref: 001BBCA3
CloseHandle.KERNEL32(00000000), ref: 001BBCB5
CloseHandle.KERNEL32(00000000), ref: 001BBCC7
CloseHandle.KERNEL32(?), ref: 001BBD3C

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 4cec8bec03e1b6d1b3f1e105c5c0ad38d672752d714ae25ca1dea178c6951caa
Instruction ID: 6567354a7b467d00e179b4bd13da400d0c689955eef93b2820911e4bea955680
Opcode Fuzzy Hash: 4cec8bec03e1b6d1b3f1e105c5c0ad38d672752d714ae25ca1dea178c6951caa
Instruction Fuzzy Hash: A2F1BE71508340DFC725EF24C891BAABBE1BF95314F18895DF8998B2A2DB70EC45CB52

Uniqueness

Uniqueness Score: -1.00%

Function 001B4842 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,001CDCD0), ref: 001B4914
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 001B4926
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,001CDCD0), ref: 001B494B
FreeLibrary.KERNEL32(00000000,?,001CDCD0), ref: 001B4997
StringFromGUID2.OLE32(?,?,00000028,?,001CDCD0), ref: 001B4A01
SysFreeString.OLEAUT32(00000009), ref: 001B4ABB
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 001B4B21
SysFreeString.OLEAUT32(?), ref: 001B4B4B

Strings

kernel32.dll, xrefs: 001B490F
GetModuleHandleExW, xrefs: 001B4920

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: 5add7ff09fb6a412f0a1d0791d2e18683c9d49511c067845d6ba06f23ed76f42
Instruction ID: 9e75915b9d6f59b7c1c820adec293cabfdaf15895acd6cde11b1f417ff2f8d83
Opcode Fuzzy Hash: 5add7ff09fb6a412f0a1d0791d2e18683c9d49511c067845d6ba06f23ed76f42
Instruction Fuzzy Hash: F3122A71A00119EFDB14DF94C884EAEBBB5FF49718F25C098E905AB252D731ED46CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00132728 Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32 ref: 00172F14
GetMenuItemCount.USER32 ref: 00172FC4
GetCursorPos.USER32(?), ref: 00173008
SetForegroundWindow.USER32(00000000), ref: 00173011
TrackPopupMenuEx.USER32(00202990,00000000,?,00000000,00000000,00000000), ref: 00173024
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00173030

Strings

0, xrefs: 00132736

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 157ae91c6b920553bddecd301d817f5bb1ab75f9a577cdd6364e74fb01321af2
Instruction ID: 11f133fe03acafe87f4d5788f93f314154ad276860fb1b02be9f9ee4f303ebae
Opcode Fuzzy Hash: 157ae91c6b920553bddecd301d817f5bb1ab75f9a577cdd6364e74fb01321af2
Instruction Fuzzy Hash: 7A712831640215BFEB259F68DC49FAABF78FF15364F108216F5286A1E0C7B1AC50DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 001C74D9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 001C75EB

Part of subcall function 001373E7: _wcslen.LIBCMT ref: 001373FA

CreateWindowExW.USER32 ref: 001C765F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 001C7681
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 001C7694
DestroyWindow.USER32(?), ref: 001C76B5
CreateWindowExW.USER32 ref: 001C76E4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 001C76FD
GetDesktopWindow.USER32 ref: 001C7716
GetWindowRect.USER32 ref: 001C771D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 001C7735
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 001C774D

Part of subcall function 00149B44: GetWindowLongW.USER32(?,000000EB), ref: 00149B52

Strings

0, xrefs: 001C7598
tooltips_class32, xrefs: 001C7658, 001C76DD

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 0d7620032aad1f1368c8c6e8b72beca2842d4201cf41efdc430b2ff5bb3e8527
Instruction ID: 787f6ac8146fdf2b339d77e9d1111a4115c3848f011c1b18730cee00c877ef4d
Opcode Fuzzy Hash: 0d7620032aad1f1368c8c6e8b72beca2842d4201cf41efdc430b2ff5bb3e8527
Instruction Fuzzy Hash: F9716970108348AFDB25CF18D848FAABBE9FB99304F14085EF995872A1C7B0E959DF15

Uniqueness

Uniqueness Score: -1.00%

Function 001ACCC6 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 001ACD00
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 001ACD13
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 001ACD27
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 001ACD40
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 001ACD83
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 001ACD99
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 001ACDA4
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 001ACDD4
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 001ACE2C
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 001ACE40
InternetCloseHandle.WININET(00000000), ref: 001ACE4B

Strings

, xrefs: 001ACDC5

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 222a3ea1f47f4bf714c655ca6f1ad896005398d0f1043d3558078b7d9daa220f
Instruction ID: 6390c0859ea3aaf8d839e417afcfebef8a30c16e7324da55dd0308e8cf73688c
Opcode Fuzzy Hash: 222a3ea1f47f4bf714c655ca6f1ad896005398d0f1043d3558078b7d9daa220f
Instruction Fuzzy Hash: C85139B9500708BFEB219FA4D988AAB7FBCFF09754F004429F94696650E734D9449BA0

Uniqueness

Uniqueness Score: -1.00%

Function 001C8D90 Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,001C649E,?,?), ref: 001C8DB3
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,001C649E,?,?,00000000,?), ref: 001C8DC3
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,001C649E,?,?,00000000,?), ref: 001C8DCE
CloseHandle.KERNEL32(00000000,?,?,?,?,001C649E,?,?,00000000,?), ref: 001C8DDB
GlobalLock.KERNEL32 ref: 001C8DE9
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,001C649E,?,?,00000000,?), ref: 001C8DF8
GlobalUnlock.KERNEL32(00000000,?,?,?,?,001C649E,?,?,00000000,?), ref: 001C8E01
CloseHandle.KERNEL32(00000000,?,?,?,?,001C649E,?,?,00000000,?), ref: 001C8E08
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,001C649E,?,?,00000000,?), ref: 001C8E19
OleLoadPicture.OLEAUT32(?,00000000,00000000,001D0C20,?), ref: 001C8E32
GlobalFree.KERNEL32 ref: 001C8E42
GetObjectW.GDI32(00000000,00000018,?,?,?,?,?,001C649E,?,?,00000000,?), ref: 001C8E62
CopyImage.USER32 ref: 001C8E92
DeleteObject.GDI32(00000000), ref: 001C8EBA
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 001C8ED0

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 7a22071cf9b69c4d8785060560bae81721ff6fb4218a6fb652b0870301416ece
Instruction ID: e84ad5eb9efef9d232f39094054cfc113c62727fdedeb73ed37119fe86b524fd
Opcode Fuzzy Hash: 7a22071cf9b69c4d8785060560bae81721ff6fb4218a6fb652b0870301416ece
Instruction Fuzzy Hash: 8141F975600208AFDB119F65DC88EAEBBB8FF99711F144069F906D76A0DB30DD41CB60

Uniqueness

Uniqueness Score: -1.00%

Function 001A1C87 Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 001A1CCC
VariantCopy.OLEAUT32(?,?), ref: 001A1CD5
VariantClear.OLEAUT32(?), ref: 001A1CE1
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 001A1DC5
VarR8FromDec.OLEAUT32(?,?), ref: 001A1E21
VariantInit.OLEAUT32(?), ref: 001A1ED2
SysFreeString.OLEAUT32(?), ref: 001A1F56
VariantClear.OLEAUT32(?), ref: 001A1FA2
VariantClear.OLEAUT32(?), ref: 001A1FB1
VariantInit.OLEAUT32(00000000), ref: 001A1FED

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 001A1DEF
Default, xrefs: 001A1E79

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: d9f702c9361da1be1e5cf83144b3710bdfcb128349a56205087043ef9b72c08f
Instruction ID: 3fe973c64291bfb3d4042661e4e301326cc67a3f8a241c612885a75304225761
Opcode Fuzzy Hash: d9f702c9361da1be1e5cf83144b3710bdfcb128349a56205087043ef9b72c08f
Instruction Fuzzy Hash: D1D13479600215FFCB189FA5D888B79BBB4BF06711F218059F84AAB181DB34EC44DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 001BBE67 Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0013A1B9: _wcslen.LIBCMT ref: 0013A1C3

Part of subcall function 001BD1F1: CharUpperBuffW.USER32(?,?,?,?,?,?,?,001BBF07,?,?), ref: 001BD20E
Part of subcall function 001BD1F1: _wcslen.LIBCMT ref: 001BD24A
Part of subcall function 001BD1F1: _wcslen.LIBCMT ref: 001BD2C1
Part of subcall function 001BD1F1: _wcslen.LIBCMT ref: 001BD2F7

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 001BBF4D
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 001BBFCB
RegDeleteValueW.ADVAPI32(?,?), ref: 001BC063
RegCloseKey.ADVAPI32(?), ref: 001BC0D7
RegCloseKey.ADVAPI32(?), ref: 001BC0F5
LoadLibraryA.KERNEL32(advapi32.dll), ref: 001BC14B
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 001BC15D
RegDeleteKeyW.ADVAPI32(?,?), ref: 001BC17B
FreeLibrary.KERNEL32(00000000), ref: 001BC1DC
RegCloseKey.ADVAPI32(00000000), ref: 001BC1ED

Strings

RegDeleteKeyExW, xrefs: 001BC157
advapi32.dll, xrefs: 001BC146

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 1b973cecc5eead9a25744de35be74aaae8c5ce5a7af2ab91352cd22dadf28d15
Instruction ID: f9973c711f4d73bc1f7dd76ef184a6d6d4b6c824c29efc3cf743c8291eada363
Opcode Fuzzy Hash: 1b973cecc5eead9a25744de35be74aaae8c5ce5a7af2ab91352cd22dadf28d15
Instruction Fuzzy Hash: 2BC18E75208241EFD724DF28C895F6ABBE1BF44308F14849CF49A9B6A2CB71ED45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 001B2DB5 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 001B2E31
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 001B2E41
CreateCompatibleDC.GDI32(?), ref: 001B2E4D
SelectObject.GDI32(00000000,?), ref: 001B2E5A
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 001B2EC6
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 001B2F05
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 001B2F29
SelectObject.GDI32(?,?), ref: 001B2F31
DeleteObject.GDI32(?), ref: 001B2F3A
DeleteDC.GDI32(?), ref: 001B2F41
ReleaseDC.USER32 ref: 001B2F4C

Strings

(, xrefs: 001B2EE6

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: c0dd81061394ed2f6ee85dc74998f1b1ef44aa90716813c61b03f71cd401f7b1
Instruction ID: 3356febe1cfadc4db1ce203ca67d1c9721769f4eca19897d7bf7857b6f1d4e25
Opcode Fuzzy Hash: c0dd81061394ed2f6ee85dc74998f1b1ef44aa90716813c61b03f71cd401f7b1
Instruction Fuzzy Hash: 0861E2B5D00219EFCF14CFA8D884EAEBBB5FF58310F24852AE959A7250D770A951CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0016DCDE Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0016DD22

Part of subcall function 0016D8BD: _free.LIBCMT ref: 0016D8DA
Part of subcall function 0016D8BD: _free.LIBCMT ref: 0016D8EC
Part of subcall function 0016D8BD: _free.LIBCMT ref: 0016D8FE
Part of subcall function 0016D8BD: _free.LIBCMT ref: 0016D910
Part of subcall function 0016D8BD: _free.LIBCMT ref: 0016D922
Part of subcall function 0016D8BD: _free.LIBCMT ref: 0016D934
Part of subcall function 0016D8BD: _free.LIBCMT ref: 0016D946
Part of subcall function 0016D8BD: _free.LIBCMT ref: 0016D958
Part of subcall function 0016D8BD: _free.LIBCMT ref: 0016D96A
Part of subcall function 0016D8BD: _free.LIBCMT ref: 0016D97C
Part of subcall function 0016D8BD: _free.LIBCMT ref: 0016D98E
Part of subcall function 0016D8BD: _free.LIBCMT ref: 0016D9A0
Part of subcall function 0016D8BD: _free.LIBCMT ref: 0016D9B2

_free.LIBCMT ref: 0016DD17

Part of subcall function 00162C48: HeapFree.KERNEL32(00000000,00000000,?,0016DA52,00201DC4,00000000,00201DC4,00000000,?,0016DA79,00201DC4,00000007,00201DC4,?,0016DE76,00201DC4), ref: 00162C5E
Part of subcall function 00162C48: GetLastError.KERNEL32(00201DC4,?,0016DA52,00201DC4,00000000,00201DC4,00000000,?,0016DA79,00201DC4,00000007,00201DC4,?,0016DE76,00201DC4,00201DC4), ref: 00162C70

_free.LIBCMT ref: 0016DD39
_free.LIBCMT ref: 0016DD4E
_free.LIBCMT ref: 0016DD59
_free.LIBCMT ref: 0016DD7B
_free.LIBCMT ref: 0016DD8E
_free.LIBCMT ref: 0016DD9C
_free.LIBCMT ref: 0016DDA7
_free.LIBCMT ref: 0016DDDF
_free.LIBCMT ref: 0016DDE6
_free.LIBCMT ref: 0016DE03
_free.LIBCMT ref: 0016DE1B

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 53059808e2ff3496669a08c736317b5b4f49892a3c44caf22199e628736a053c
Instruction ID: 2a98b1ead1f3c5a7a26302dbf2780d0f8d4186b56d496cc30106bfab957a5b81
Opcode Fuzzy Hash: 53059808e2ff3496669a08c736317b5b4f49892a3c44caf22199e628736a053c
Instruction Fuzzy Hash: 64315A31B007049FEB25AA79ED45F6B73E9EF60391F144529E449DB1A1DF31ACA0CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00193CE6 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 268windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32 ref: 00193D27
_wcslen.LIBCMT ref: 00193D32
SendMessageTimeoutW.USER32 ref: 00193E22
GetClassNameW.USER32 ref: 00193E97
GetDlgCtrlID.USER32(?), ref: 00193EED
GetWindowRect.USER32 ref: 00193F12
GetParent.USER32(?), ref: 00193F30
ScreenToClient.USER32 ref: 00193F37
GetClassNameW.USER32 ref: 00193FB1
GetWindowTextW.USER32 ref: 00193FED

Strings

%s%u, xrefs: 00193DBF

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 4a09ad2f911dfa783792f450785be6dee0f391a19ba476c63dc9afabd9f97278
Instruction ID: 326773b1180ea3bfec41dc72957da5a8d99cfd57a53e3797fbf1c6b0c0c0b10d
Opcode Fuzzy Hash: 4a09ad2f911dfa783792f450785be6dee0f391a19ba476c63dc9afabd9f97278
Instruction Fuzzy Hash: 37A19F71604706AFDB18DF64C885FEAB7A8FF54354F008529FAA982190EB30EA45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00194FE4 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 255COMMON

Download Yara Rule

APIs

GetClassNameW.USER32 ref: 00195024
GetWindowTextW.USER32 ref: 0019506A
_wcslen.LIBCMT ref: 0019507B
CharUpperBuffW.USER32(?,00000000), ref: 00195087
_wcsstr.LIBVCRUNTIME ref: 001950BC
GetClassNameW.USER32 ref: 001950F4
GetWindowTextW.USER32 ref: 00195131
GetClassNameW.USER32 ref: 0019517F
GetClassNameW.USER32 ref: 001951B9
GetWindowRect.USER32 ref: 00195229

Strings

ThumbnailClass, xrefs: 001950FF, 0019518A

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: e976b6831c158b3de629d0955791a7623c18b3688194d4d223c1b7fb7aae81fe
Instruction ID: 0c17da8012f8c0f135466585efd60dd7f4f70ba5e6fa6c39d56507fc7440ed91
Opcode Fuzzy Hash: e976b6831c158b3de629d0955791a7623c18b3688194d4d223c1b7fb7aae81fe
Instruction Fuzzy Hash: 0C91BB71108705DFDF16CF14C881BAA7BAAFF54314F044469FD89AA186EB30ED85CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 001C952F Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00149DA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00149DB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 001C957B
GetFocus.USER32(?,?,?,?), ref: 001C958B
GetDlgCtrlID.USER32(00000000), ref: 001C9596
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 001C963E
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 001C96F0
GetMenuItemCount.USER32 ref: 001C970D
GetMenuItemID.USER32(?,00000000), ref: 001C971D
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 001C974F
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 001C9791
CheckMenuRadioItem.USER32 ref: 001C97C2

Strings

0, xrefs: 001C96C0

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: a779275953e932aabb4db2324b57e0c999e71375635faafa509308753bed7810
Instruction ID: 5ef898231680d5016844dad6cbdc8c02e0455016da4b3fc267d9b7b63111e805
Opcode Fuzzy Hash: a779275953e932aabb4db2324b57e0c999e71375635faafa509308753bed7810
Instruction Fuzzy Hash: BC819B71504311AFDB11CF24D989FAB7BE9FBA8714F10092EF98597291DB30D905CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0019C5E6 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00202990,000000FF,00000000,00000030), ref: 0019C662
SetMenuItemInfoW.USER32 ref: 0019C697
Sleep.KERNEL32(000001F4), ref: 0019C6A9
GetMenuItemCount.USER32 ref: 0019C6EF
GetMenuItemID.USER32(?,00000000), ref: 0019C70C
GetMenuItemID.USER32(?,-00000001), ref: 0019C738
GetMenuItemID.USER32(?,?), ref: 0019C77F
CheckMenuRadioItem.USER32 ref: 0019C7C5
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0019C7DA
SetMenuItemInfoW.USER32 ref: 0019C7FB

Strings

0, xrefs: 0019C5F3

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: d19a5d02a2c551b28a09a26fab952c039b279a144e0877199e695f5408245671
Instruction ID: 042e7943b1175051bcfaed0fd25243e5645101ff18cc0ac2d1e7fffb722b124d
Opcode Fuzzy Hash: d19a5d02a2c551b28a09a26fab952c039b279a144e0877199e695f5408245671
Instruction Fuzzy Hash: FA619C7090024AABDF19CFA8D988EEEBBB9FB05348F104055E891A3291D730ED45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0019E2CD Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 0019E2DF
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0019E305
_wcslen.LIBCMT ref: 0019E30F
_wcsstr.LIBVCRUNTIME ref: 0019E35F
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 0019E37B

Strings

StringFileInfo\, xrefs: 0019E34E
\VarFileInfo\Translation, xrefs: 0019E373
DefaultLangCodepage, xrefs: 0019E3DE
04090000, xrefs: 0019E3B1
%u.%u.%u.%u, xrefs: 0019E459

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: 2e227ec7299c1abbc0cca30b08149e82e6f60295a91b23d4aa463c1ffdfd0ec2
Instruction ID: 4516081078daa9a0cc1db9863ae90fb9d326bda1222b1efd05b719a08a396556
Opcode Fuzzy Hash: 2e227ec7299c1abbc0cca30b08149e82e6f60295a91b23d4aa463c1ffdfd0ec2
Instruction Fuzzy Hash: 7C41F332504204BADB05E774EC07EBF3BACEF65751F100069FD14AB1C2EB78DA0186A1

Uniqueness

Uniqueness Score: -1.00%

Function 00132629 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 145windowtimeregistryCOMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00132623,?,?), ref: 00132691
KillTimer.USER32(?,00000001,?,?,?,?,?,00132623,?,?), ref: 001326BD
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 001326E0
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00132623,?,?), ref: 001326EB
CreatePopupMenu.USER32(?,?,?,?,?,00132623,?,?), ref: 001326FF
PostQuitMessage.USER32(00000000), ref: 00132720

Strings

0$ , xrefs: 00172D85
0$ , xrefs: 00172D37
TaskbarCreated, xrefs: 001326E6

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: 0$ $0$ $TaskbarCreated
API String ID: 129472671-3218616665
Opcode ID: c311a86c416098ff89f083e1954ba06087ab389ef45aa973c9f7bb6db0717fd8
Instruction ID: eeedda47a055406687b71bdaeeeff62ee3cffe32b01c21a6e3e781871849d179
Opcode Fuzzy Hash: c311a86c416098ff89f083e1954ba06087ab389ef45aa973c9f7bb6db0717fd8
Instruction Fuzzy Hash: 224128B0110309EBDB283B78EC0EB793A55FF14310F118126F906966E2CB759CD49761

Uniqueness

Uniqueness Score: -1.00%

Function 001BD48D Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 001BD4BD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 001BD4E6
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 001BD5A1

Part of subcall function 001BD48D: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 001BD503
Part of subcall function 001BD48D: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 001BD516
Part of subcall function 001BD48D: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 001BD528
Part of subcall function 001BD48D: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 001BD55E
Part of subcall function 001BD48D: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 001BD581

RegDeleteKeyW.ADVAPI32(?,?), ref: 001BD54C

Strings

RegDeleteKeyExW, xrefs: 001BD522
advapi32.dll, xrefs: 001BD511

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 92de77adbffacb70bb66fdc625b888fef8fa207d036f0ae05dbfc073d53831bb
Instruction ID: 832b547971016c6754302e7b89daeb81cc3dd422c74dfdddbaaed2500da128ab
Opcode Fuzzy Hash: 92de77adbffacb70bb66fdc625b888fef8fa207d036f0ae05dbfc073d53831bb
Instruction Fuzzy Hash: BE316D71A01229BBDB249BA4EC88EFFBF7CEF45754F000165F905E2140EB749E85DAA0

Uniqueness

Uniqueness Score: -1.00%

Function 0019EDD2 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0019EDD6

Part of subcall function 0014ED9F: timeGetTime.WINMM ref: 0014EDA3

Sleep.KERNEL32(0000000A), ref: 0019EE03
EnumThreadWindows.USER32(?,Function_0006ED87,00000000), ref: 0019EE27
FindWindowExW.USER32(?,00000000,BUTTON,00000000), ref: 0019EE49
SetActiveWindow.USER32 ref: 0019EE68
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0019EE76
SendMessageW.USER32(00000010,00000000,00000000), ref: 0019EE95
Sleep.KERNEL32(000000FA), ref: 0019EEA0
IsWindow.USER32 ref: 0019EEAC
EndDialog.USER32(00000000), ref: 0019EEBD

Strings

BUTTON, xrefs: 0019EE3B

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 896a6c43ba8ecd0f0fa653aa69e157547df1a34136a982255185962a048df2ec
Instruction ID: a87d8f098a208349adc0c1659f5de21d96675c5b8d72f05bd9e3b9510679174d
Opcode Fuzzy Hash: 896a6c43ba8ecd0f0fa653aa69e157547df1a34136a982255185962a048df2ec
Instruction Fuzzy Hash: 62214D70600304BFEB01EF60FC8DE667FADFB45749F090425F515926A2CB729D908A69

Uniqueness

Uniqueness Score: -1.00%

Function 0019F11E Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 0013A1B9: _wcslen.LIBCMT ref: 0013A1C3

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0019F17F
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0019F195
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0019F1A6
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0019F1B8
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0019F1C9

Strings

alias PlayMe, xrefs: 0019F158
close PlayMe, xrefs: 0019F190, 0019F1BD
play PlayMe, xrefs: 0019F1C4
open , xrefs: 0019F12E
status PlayMe mode, xrefs: 0019F17A
play PlayMe wait, xrefs: 0019F1B3

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: a9a48a6503b994e99b340a473168a2a5624abdfb5f96cbbe44d18e053909386b
Instruction ID: 93c1fd9eae24864ca80d52c37b7afd1fe82e77e1531ab09c0ea392c8f7a7f118
Opcode Fuzzy Hash: a9a48a6503b994e99b340a473168a2a5624abdfb5f96cbbe44d18e053909386b
Instruction Fuzzy Hash: 7A11A371A5016DB9DB20E666DC4AEFF6A7CEBD1B14F400839B501E20D1DBA01946C5B0

Uniqueness

Uniqueness Score: -1.00%

Function 0013253E Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53windowregistryCOMMON

Download Yara Rule

APIs

GetSysColorBrush.USER32(0000000F), ref: 00132571
RegisterClassExW.USER32 ref: 0013259B
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 001325AC
InitCommonControlsEx.COMCTL32(?), ref: 001325C9
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 001325D9
LoadIconW.USER32(000000A9), ref: 001325EF
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 001325FE

Strings

+, xrefs: 0013255A
0, xrefs: 00132553
AutoIt v3 GUI, xrefs: 0013258D
TaskbarCreated, xrefs: 001325A1

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 8d04c8c0c93c359e512e34bd39e4261402702726e4c61f41fbafb470e39a1c6d
Instruction ID: 1db655e7dd08adcb680d31e1552502b31a345c22e5fb81e01b6a76db1947f26b
Opcode Fuzzy Hash: 8d04c8c0c93c359e512e34bd39e4261402702726e4c61f41fbafb470e39a1c6d
Instruction Fuzzy Hash: 7F21BFB5901358EFDB009FA4F88DB9DBBB8FB08704F10412AF611A62A0D7B595898F95

Uniqueness

Uniqueness Score: -1.00%

Function 0019A644 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 0019A6C5
SetKeyboardState.USER32(?), ref: 0019A730
GetAsyncKeyState.USER32(000000A0), ref: 0019A750
GetKeyState.USER32(000000A0), ref: 0019A767
GetAsyncKeyState.USER32(000000A1), ref: 0019A796
GetKeyState.USER32(000000A1), ref: 0019A7A7
GetAsyncKeyState.USER32(00000011), ref: 0019A7D3
GetKeyState.USER32(00000011), ref: 0019A7E1
GetAsyncKeyState.USER32(00000012), ref: 0019A80A
GetKeyState.USER32(00000012), ref: 0019A818
GetAsyncKeyState.USER32(0000005B), ref: 0019A841
GetKeyState.USER32(0000005B), ref: 0019A84F

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 15aaa9dcd9f961dac346714a82fc8607661a6f11fdb40bf6d420e4d02d6d9257
Instruction ID: 54abe22425083b7791ff8b4fae8148c9a2e431a2b455bfcf1310e4392d36dab6
Opcode Fuzzy Hash: 15aaa9dcd9f961dac346714a82fc8607661a6f11fdb40bf6d420e4d02d6d9257
Instruction Fuzzy Hash: 1D51D87090878829EF35DBB089517EABFB49F11380F88859DC5C25A5C2DB54AA8CC7E3

Uniqueness

Uniqueness Score: -1.00%

Function 00196364 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 00196380
GetWindowRect.USER32 ref: 00196399
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 001963F7
GetDlgItem.USER32 ref: 00196407
GetWindowRect.USER32 ref: 00196419
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 0019646D
GetDlgItem.USER32 ref: 0019647B
GetWindowRect.USER32 ref: 0019648D
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 001964CF
GetDlgItem.USER32 ref: 001964E2
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 001964F8
InvalidateRect.USER32(?,00000000,00000001), ref: 00196505

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: e302e7f07dd1d86b40d785eebe8b6624107db440316bb1766a1dd4cecab78f32
Instruction ID: 622c9f1a13703bf3819378391975a682e77d35694afac42e1449b3dc39230406
Opcode Fuzzy Hash: e302e7f07dd1d86b40d785eebe8b6624107db440316bb1766a1dd4cecab78f32
Instruction Fuzzy Hash: 9051FF71A00215AFDF08CFA8DD95AAEBBB5FB48314F108139F919E7690D770AE40CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00148EC2 Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00149257: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00148EDD,?,00000000,?,?,?,?,00148EAF,00000000,?), ref: 001492BA

DestroyWindow.USER32(?), ref: 00148F76
KillTimer.USER32(00000000,?,?,?,?,00148EAF,00000000,?), ref: 00149010
DestroyAcceleratorTable.USER32 ref: 00187005
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00148EAF,00000000,?), ref: 00187033
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00148EAF,00000000,?), ref: 0018704A
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00148EAF,00000000), ref: 00187066
DeleteObject.GDI32(00000000), ref: 00187078

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 7541566358b1967acfca951d28269c7403701ec0abc9187a57cd9795e0672bef
Instruction ID: 3d9159c616b5b6b61cb623b5d38a133450ddb29408152ba64943c57d178fe9ee
Opcode Fuzzy Hash: 7541566358b1967acfca951d28269c7403701ec0abc9187a57cd9795e0672bef
Instruction Fuzzy Hash: EF618E31104714DFCB25AF18E94CB2ABBB2FB51716F20452AF042979B1CB75E998DF90

Uniqueness

Uniqueness Score: -1.00%

Function 00149A38 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00149B44: GetWindowLongW.USER32(?,000000EB), ref: 00149B52

GetSysColor.USER32(0000000F), ref: 00149A62

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 03cab4603d318dcae9bf398b46fb4dc8ab4d8484ce7b7ab97894ab2c934c518e
Instruction ID: e9e0df510f5c4d55708d83b5bcffcfb8aeae5d595511e94913c61eac140286c6
Opcode Fuzzy Hash: 03cab4603d318dcae9bf398b46fb4dc8ab4d8484ce7b7ab97894ab2c934c518e
Instruction Fuzzy Hash: 5C41A231144644AFDB249F38AC48FBA7BA6EB46321F394655FAA28B1F1D731CD81DB10

Uniqueness

Uniqueness Score: -1.00%

Function 001708DC Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0017061B: CreateFileW.KERNEL32(00000000,00000000,?,00170985,?,?,00000000,?,00170985,00000000,0000000C), ref: 00170638

GetLastError.KERNEL32 ref: 001709F0
__dosmaperr.LIBCMT ref: 001709F7
GetFileType.KERNEL32(00000000), ref: 00170A03
GetLastError.KERNEL32 ref: 00170A0D
__dosmaperr.LIBCMT ref: 00170A16
CloseHandle.KERNEL32(00000000), ref: 00170A36
CloseHandle.KERNEL32(?), ref: 00170B80
GetLastError.KERNEL32 ref: 00170BB2
__dosmaperr.LIBCMT ref: 00170BB9

Strings

H, xrefs: 00170B3E

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: ad56223b0f1b8ce1561cc68792bd57bca63fa8666ade5e7aad5cd1215cbcd680
Instruction ID: 86ad06fb17fb9ab7a01a1deed1f7dace4ee09b40c553ae946c639cffc93c43e0
Opcode Fuzzy Hash: ad56223b0f1b8ce1561cc68792bd57bca63fa8666ade5e7aad5cd1215cbcd680
Instruction Fuzzy Hash: A6A13632A10348CFDF1AAF68DC55BAE7BB1AB0A324F14415DF819DB292DB308D12CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00199D48 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000000,00000001,?,?,0017FCA4,00000001,0000138C,00000001,?,00000001,?,?,?), ref: 00199D7D
LoadStringW.USER32(00000000,?,0017FCA4,00000001), ref: 00199D86

Part of subcall function 0013A1B9: _wcslen.LIBCMT ref: 0013A1C3

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0017FCA4,00000001,0000138C,00000001,?,00000001,?,?,?,00000000), ref: 00199DA8
LoadStringW.USER32(00000000,?,0017FCA4,00000001), ref: 00199DAB
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00199ECC

Strings

Error: , xrefs: 00199E83
Line %d:, xrefs: 00199E06
%s (%d) : ==> %s: %s %s, xrefs: 00199EB0
^ ERROR, xrefs: 00199E61
Line %d (File "%s"):, xrefs: 00199DF5

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 178888c3a45abcc1e7246509c83abec0f29ff3dd7b1d119c2064d13558ea1396
Instruction ID: df15d3b0bed4deed7733ed808a7e258c48261a44435011127c6ce0a828c039b5
Opcode Fuzzy Hash: 178888c3a45abcc1e7246509c83abec0f29ff3dd7b1d119c2064d13558ea1396
Instruction Fuzzy Hash: 6A414F72800119EACF15FBE4DD86EEEB778AF28304F500065F605760A2EB756F59CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00190D0D Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 001373E7: _wcslen.LIBCMT ref: 001373FA

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00190DD1
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00190DED
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00190E09
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00190E33
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 00190E5B
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00190E66
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00190E6B

Strings

SOFTWARE\Classes\, xrefs: 00190D3D
\CLSID, xrefs: 00190D53
\IPC$, xrefs: 00190DB3

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 10c8701eb7428ebb61f07441fb17ab461aab94ec221d84c6d89f2beb8117b601
Instruction ID: 719bd53cc0cc1701ee98fd17ab3e00fca861b0505b36f6df05c66c746517da9b
Opcode Fuzzy Hash: 10c8701eb7428ebb61f07441fb17ab461aab94ec221d84c6d89f2beb8117b601
Instruction Fuzzy Hash: A141F572C10229AFCF21EBA4EC95DEDB7B8BF18714F404529F915A71A0EB709E44CB90

Uniqueness

Uniqueness Score: -1.00%

Function 001C47FD Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 001C48A2
CreateCompatibleDC.GDI32(00000000), ref: 001C48A9
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 001C48BC
SelectObject.GDI32(00000000,00000000), ref: 001C48C4
GetPixel.GDI32(00000000,00000000,00000000), ref: 001C48CF
DeleteDC.GDI32(00000000), ref: 001C48D9
GetWindowLongW.USER32(?,000000EC), ref: 001C48E3
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 001C48F9
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 001C4905

Strings

static, xrefs: 001C483A

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: f470915ea959fd42f22bb67fba8d0e3138d70908c95806dc1f3389f0a80e5213
Instruction ID: 1dbe6ffa0fa3a108b34ad02bcd42c92bacd3e99fd272ad23451ec313b134397a
Opcode Fuzzy Hash: f470915ea959fd42f22bb67fba8d0e3138d70908c95806dc1f3389f0a80e5213
Instruction Fuzzy Hash: 84314D72100219ABDF129FA4EC49FDA3FA9FF1D724F110229FA15A61A0C775D860DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 001323ED Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63windowregistryCOMMON

Download Yara Rule

APIs

GetSysColorBrush.USER32(0000000F), ref: 001323F8
LoadCursorW.USER32(00000000,00007F00), ref: 00132407
LoadIconW.USER32(00000063), ref: 0013241D
LoadIconW.USER32(000000A4), ref: 0013242F
LoadIconW.USER32(000000A2), ref: 00132441
LoadImageW.USER32 ref: 00132459
RegisterClassExW.USER32 ref: 001324AA

Part of subcall function 0013253E: GetSysColorBrush.USER32(0000000F), ref: 00132571
Part of subcall function 0013253E: RegisterClassExW.USER32 ref: 0013259B
Part of subcall function 0013253E: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 001325AC
Part of subcall function 0013253E: InitCommonControlsEx.COMCTL32(?), ref: 001325C9
Part of subcall function 0013253E: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 001325D9
Part of subcall function 0013253E: LoadIconW.USER32(000000A9), ref: 001325EF
Part of subcall function 0013253E: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 001325FE

Strings

#, xrefs: 00132480
0, xrefs: 00132479
AutoIt v3, xrefs: 00132499

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 614f67cb0db70966b1445dcafd96bf82a7fa38888fbc554d862a185c7d42c1aa
Instruction ID: d2996ca7982e8b7b64be3088c2c40f7e68a6f2dceaeb7804b34ff06030f7163f
Opcode Fuzzy Hash: 614f67cb0db70966b1445dcafd96bf82a7fa38888fbc554d862a185c7d42c1aa
Instruction Fuzzy Hash: 58212C70D00358EBDB109FA5FC5DBA9BFB8FB48B54F00406BE604A72A1D7B945898F90

Uniqueness

Uniqueness Score: -1.00%

Function 001B4489 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 001B44B5
CoInitialize.OLE32(00000000), ref: 001B44E3
CoUninitialize.OLE32 ref: 001B44ED
_wcslen.LIBCMT ref: 001B4586
GetRunningObjectTable.OLE32(00000000,?), ref: 001B460A
SetErrorMode.KERNEL32(00000001,00000029), ref: 001B472E
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 001B4767
CoGetObject.OLE32(?,00000000,001D0B80,?), ref: 001B4786
SetErrorMode.KERNEL32(00000000), ref: 001B4799
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 001B481D
VariantClear.OLEAUT32(?), ref: 001B4831

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 8250b723bf254894df07988cf7a59f93332745f5fb0956b8892ad47a779cdff6
Instruction ID: d63393fc875d4abdc38b3272b070505907f6b2324f8121e88a36b45ef191a643
Opcode Fuzzy Hash: 8250b723bf254894df07988cf7a59f93332745f5fb0956b8892ad47a779cdff6
Instruction Fuzzy Hash: 5BC145716083059FC700DF68C8849ABBBE9FF89748F10892DF98A9B251DB31ED45CB52

Uniqueness

Uniqueness Score: -1.00%

Function 001A82E6 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 001A8343
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 001A83DF
SHGetDesktopFolder.SHELL32(?), ref: 001A83F3
CoCreateInstance.OLE32(001D0CF0,00000000,00000001,001F7E7C,?), ref: 001A843F
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 001A84C4
CoTaskMemFree.OLE32(?,?), ref: 001A851C
SHBrowseForFolderW.SHELL32(?), ref: 001A85A7
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 001A85CA
CoTaskMemFree.OLE32(00000000), ref: 001A85D1
CoTaskMemFree.OLE32(00000000), ref: 001A8626
CoUninitialize.OLE32 ref: 001A862C

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: f4d291852accddeff9d2438f9c97bb09e7af98c47c2fa15a7facd1506d1c6fa1
Instruction ID: ab77500404d2b0ab66d346e0a28decc22efc1d4c9fd4217c099ed14c4e9da82e
Opcode Fuzzy Hash: f4d291852accddeff9d2438f9c97bb09e7af98c47c2fa15a7facd1506d1c6fa1
Instruction Fuzzy Hash: FDC10A75A00209EFDB14DFA4C884DAEBBF5FF49304B1484A9E91ADB661DB30ED45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 001C5C84 Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 001C5D6B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 001C5D7C
CharNextW.USER32(00000158), ref: 001C5DAB
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 001C5DEC
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 001C5E02
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 001C5E13

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 80da4a2af4bf27fe770a4f148a53be32ae7ab50e64e7d7b773aa46acf5fbecce
Instruction ID: e5fda91f897023fd625e64f7beb892c29cb9d602993fb01ebf3c2c4256bbd151
Opcode Fuzzy Hash: 80da4a2af4bf27fe770a4f148a53be32ae7ab50e64e7d7b773aa46acf5fbecce
Instruction Fuzzy Hash: 5C617B70900309AFDF118F94DC88EFE7BB9EF69724F144119F922A6291C774EA81DB60

Uniqueness

Uniqueness Score: -1.00%

Function 001900B7 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 001900DE
SafeArrayAllocData.OLEAUT32(?), ref: 00190137
VariantInit.OLEAUT32(?), ref: 00190149
SafeArrayAccessData.OLEAUT32(?,?), ref: 00190169
VariantCopy.OLEAUT32(?,?), ref: 001901BC
SafeArrayUnaccessData.OLEAUT32(?), ref: 001901D0
VariantClear.OLEAUT32(?), ref: 001901E5
SafeArrayDestroyData.OLEAUT32(?), ref: 001901F2
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 001901FB
VariantClear.OLEAUT32(?), ref: 0019020D
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00190218

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 68aed0ef5cf81311944186f930651a36689aa6b9a88725748e67bb6fe70912cc
Instruction ID: a2eba1d033b0efe11ae9349598686616c3339c7958d2a721ceeda56d2c3aaf99
Opcode Fuzzy Hash: 68aed0ef5cf81311944186f930651a36689aa6b9a88725748e67bb6fe70912cc
Instruction Fuzzy Hash: 17416D75A00219EFCF05DFA8DC48DADBBB9FF58344F018069E945A7661DB30EA85CB90

Uniqueness

Uniqueness Score: -1.00%

Function 001B0DB4 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 001B0E15
inet_addr.WSOCK32(?), ref: 001B0E75
gethostbyname.WSOCK32(?), ref: 001B0E81
IcmpCreateFile.IPHLPAPI ref: 001B0E8F
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 001B0F1F
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 001B0F3E
IcmpCloseHandle.IPHLPAPI(?), ref: 001B1012
WSACleanup.WSOCK32 ref: 001B1018

Strings

Ping, xrefs: 001B0ECF

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 74513de6d321fc34d827588fcde2dc9b6067dba1a411290b2edf35002a73aa6b
Instruction ID: f8c1acb2cd7f98d0f48918662f905fab43db5a5c1174376360eefa919b039737
Opcode Fuzzy Hash: 74513de6d321fc34d827588fcde2dc9b6067dba1a411290b2edf35002a73aa6b
Instruction Fuzzy Hash: 60918031608201AFD721DF15D489F6BBBE0EF48318F1589ADF4698B6A2D731ED85CB81

Uniqueness

Uniqueness Score: -1.00%

Function 001B952C Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 001B954C

Part of subcall function 001994F2: _wcslen.LIBCMT ref: 00199515

_wcslen.LIBCMT ref: 001B95A7
_wcslen.LIBCMT ref: 001B95F5
_wcslen.LIBCMT ref: 001B9635
_wcslen.LIBCMT ref: 001B96C7

Strings

none, xrefs: 001B96BE, 001B96C3
winapi, xrefs: 001B95EF, 001B95F4
cdecl, xrefs: 001B95A1, 001B95A6
stdcall, xrefs: 001B962F, 001B9634

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 71fe03e218cc0466e890418351d8ffe4ca2f3aa26482ec513b7a73ffeeb0abe9
Instruction ID: d1347af0750c0812c0d144d024335bbb4eab5f8aef4d74ca75864c851f103e3b
Opcode Fuzzy Hash: 71fe03e218cc0466e890418351d8ffe4ca2f3aa26482ec513b7a73ffeeb0abe9
Instruction Fuzzy Hash: 1E51D771A041169BCF24DF6CC9909FDB7E5AF64324B61422AFA26E72C0EB31DD42C790

Uniqueness

Uniqueness Score: -1.00%

Function 001B3F85 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 001B3FCD
CoUninitialize.OLE32 ref: 001B3FD8
CoCreateInstance.OLE32(?,00000000,00000017,001D0B60,?), ref: 001B4032
IIDFromString.OLE32(?,?), ref: 001B40A5
VariantInit.OLEAUT32(?), ref: 001B413D
VariantClear.OLEAUT32(?), ref: 001B418F

Strings

Invalid parameter, xrefs: 001B40BE
NULL Pointer assignment, xrefs: 001B4077
Failed to create object, xrefs: 001B403D, 001B40F3

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: aa7277bfac1cbd8c755085ccbe2e1c4ae128b33d901238ce014d05f296dd3a57
Instruction ID: b8b1eb9edb98eb3271ad2668ef7e9b39be3ad2ab0f66ae713e0ce9ecd83d9d9f
Opcode Fuzzy Hash: aa7277bfac1cbd8c755085ccbe2e1c4ae128b33d901238ce014d05f296dd3a57
Instruction Fuzzy Hash: 59619271608711AFD710EF58D888FEABBE8AF59714F10481DF9859B292C770ED84CB92

Uniqueness

Uniqueness Score: -1.00%

Function 001A89E5 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 001A8AA7
SystemTimeToFileTime.KERNEL32(?,?), ref: 001A8AB7
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 001A8AC3
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 001A8B60
SetCurrentDirectoryW.KERNEL32(?), ref: 001A8B74
SetCurrentDirectoryW.KERNEL32(?), ref: 001A8BA6
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 001A8BDC
SetCurrentDirectoryW.KERNEL32(?), ref: 001A8BE5

Strings

*.*, xrefs: 001A8BEB

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: fda7ecf2deb2b6ef2e427a11beefd496229322bed19334c84ae0389f6569848c
Instruction ID: 24f72aba99617a49f94989fa39c7aca3dc59d0af14be5458a2a394a678fcc4a7
Opcode Fuzzy Hash: fda7ecf2deb2b6ef2e427a11beefd496229322bed19334c84ae0389f6569848c
Instruction Fuzzy Hash: B2617DB6508205AFCB10EF60D8409AEB7E8FF9A310F04482EF999C7251EB31E945CB52

Uniqueness

Uniqueness Score: -1.00%

Function 001C9323 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00149DA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00149DB2

Part of subcall function 0013135A: GetCursorPos.USER32(?,?,00000000,00000000,?,00131659,00000000,000000FF,?,?,?), ref: 0013136E
Part of subcall function 0013135A: ScreenToClient.USER32 ref: 0013138B
Part of subcall function 0013135A: GetAsyncKeyState.USER32(00000001), ref: 001313C2
Part of subcall function 0013135A: GetAsyncKeyState.USER32(00000002), ref: 001313DC

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 001C938C
ImageList_EndDrag.COMCTL32 ref: 001C9392
ReleaseCapture.USER32 ref: 001C9398
SetWindowTextW.USER32(?,00000000), ref: 001C9433
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 001C9446
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 001C9520

Strings

p3 , xrefs: 001C9492
@GUI_DRAGFILE, xrefs: 001C94BB
@GUI_DROPID, xrefs: 001C9472

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$p3
API String ID: 1924731296-220929716
Opcode ID: b91d954dcd9f43a4fd8242d7e715ff0d89607f7b1de0c9f68251058573eb58c6
Instruction ID: bc8ff686d54beade59a1d20eb4e08dfca4fc6740dc8f52f3ec33a41dc8b9f4e5
Opcode Fuzzy Hash: b91d954dcd9f43a4fd8242d7e715ff0d89607f7b1de0c9f68251058573eb58c6
Instruction Fuzzy Hash: 3D516871104304AFD704EF24D85AF6A7BE4FB98714F10092DF996962E2DB70E958CB92

Uniqueness

Uniqueness Score: -1.00%

Function 001A3BD8 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 001A3C1F

Part of subcall function 0013A1B9: _wcslen.LIBCMT ref: 0013A1C3

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 001A3C40

Strings

Error: , xrefs: 001A3D21
"%s" (%d) : ==> %s:, xrefs: 001A3D72
"%s" (%d) : ==> %s:%s%s, xrefs: 001A3D54
^ ERROR , xrefs: 001A3CEE
Line %d (File "%s"):, xrefs: 001A3C93, 001A3CAC
Incorrect parameters to object property !, xrefs: 001A3CFB

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 6fa0e215859e0331828db9d0a21251038508c7fc4326f35ee8a2bb38aad5e3c9
Instruction ID: 66975e5cf3b35fe489547cc330be2a71c4f47b7e83f171ad2c10b850260fafc4
Opcode Fuzzy Hash: 6fa0e215859e0331828db9d0a21251038508c7fc4326f35ee8a2bb38aad5e3c9
Instruction Fuzzy Hash: B551B07180021AEACF14EBE0DD46EEEB779AF28304F504065F519720A2DB356F5CDB61

Uniqueness

Uniqueness Score: -1.00%

Function 0019BC7E Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0019BCB2
_wcslen.LIBCMT ref: 0019BCBE
_wcslen.LIBCMT ref: 0019BD03
_wcslen.LIBCMT ref: 0019BD42
_wcslen.LIBCMT ref: 0019BD7D

Strings

KEYS, xrefs: 0019BCFD, 0019BD02
APPEND, xrefs: 0019BD77, 0019BD7C
REMOVE, xrefs: 0019BCB8, 0019BCBD
EXISTS, xrefs: 0019BD3C, 0019BD41

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 5d69bf032726416cfa41a9a4d5b3021f5d93dfd9f612c15a808bdd8de27caa68
Instruction ID: e8437e3a27c217a55dac2e599a3daa25e7ec5d2828a343456a7fdc06b42e0cc9
Opcode Fuzzy Hash: 5d69bf032726416cfa41a9a4d5b3021f5d93dfd9f612c15a808bdd8de27caa68
Instruction Fuzzy Hash: 6641D632A081269BCF105FBDDAD05BE77E5AFA176CB244229E425DB284E731CD81C790

Uniqueness

Uniqueness Score: -1.00%

Function 001A5BE3 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 001A5BF0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 001A5C66
GetLastError.KERNEL32 ref: 001A5C70
SetErrorMode.KERNEL32(00000000,READY), ref: 001A5CF7

Strings

INVALID, xrefs: 001A5CA9
READONLY, xrefs: 001A5CA2
NOTREADY, xrefs: 001A5C9B
READY, xrefs: 001A5CB0, 001A5CB8
UNKNOWN, xrefs: 001A5C94

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 641e639ea76bc014b8f1612ad598a4553eb43ed2a804dcd4288fa64954a5eeb0
Instruction ID: b68e5abc5d5d3b304c8d16bb141e6dbcd915ac53a46ec5c7753d3855107ed181
Opcode Fuzzy Hash: 641e639ea76bc014b8f1612ad598a4553eb43ed2a804dcd4288fa64954a5eeb0
Instruction Fuzzy Hash: D531D679A086049FC710DF68C984EAA7BFAFF16314F158065E506DB39AD731DD42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 001C44AB Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 001C44DE
SetMenu.USER32(?,00000000), ref: 001C44ED
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 001C4575
IsMenu.USER32 ref: 001C4589
CreatePopupMenu.USER32 ref: 001C4593
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 001C45C0
DrawMenuBar.USER32 ref: 001C45C8

Strings

F, xrefs: 001C45B3
0, xrefs: 001C44B9

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 64bd4bb786a14d5a53de548225b0d379b0e2c5aea458e6b92864bf93c1aacf54
Instruction ID: 49f37b451c818da1a57d8c4664fd76071223fb750f5bf7b4979f1253f59bc17e
Opcode Fuzzy Hash: 64bd4bb786a14d5a53de548225b0d379b0e2c5aea458e6b92864bf93c1aacf54
Instruction Fuzzy Hash: AA4164B8601209EFDB14CFA4E998FAA7BB5BF59304F14002CE955A7350DB30E915CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0019CF2A Relevance: 15.8, APIs: 2, Strings: 7, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0019CFC9

Strings

info, xrefs: 0019CF6A
warning, xrefs: 0019CFB2
,+ 0+ , xrefs: 0019CFDA
stop, xrefs: 0019CF9A
question, xrefs: 0019CF82
blank, xrefs: 0019CF4B
,+ 0+ , xrefs: 0019CF5C

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: IconLoad
String ID: ,+ 0+ $,+ 0+ $blank$info$question$stop$warning
API String ID: 2457776203-678019176
Opcode ID: 1af61862f9f810aac4c1c4fe2f45af56f47a184afd6784b5d0d32c14f2605706
Instruction ID: 7a5e0b5b4ea1d12b5e2f71ff6695d8e108891dd403487983fd5dc3964b2fbe71
Opcode Fuzzy Hash: 1af61862f9f810aac4c1c4fe2f45af56f47a184afd6784b5d0d32c14f2605706
Instruction Fuzzy Hash: 47112C3278D30ABBEF049B55EC82DAE779DDF65765B21002AFA41EA1C1D7B0AD4045F0

Uniqueness

Uniqueness Score: -1.00%

Function 00192569 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0013A1B9: _wcslen.LIBCMT ref: 0013A1C3

Part of subcall function 00194337: GetClassNameW.USER32 ref: 0019435A

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 001925EE
GetDlgCtrlID.USER32 ref: 001925F9
GetParent.USER32 ref: 00192615
SendMessageW.USER32(00000000,?,00000111,?), ref: 00192618
GetDlgCtrlID.USER32(?), ref: 00192621
GetParent.USER32(?), ref: 00192635
SendMessageW.USER32(00000000,?,00000111,?), ref: 00192638

Strings

ListBox, xrefs: 001925AB
ComboBox, xrefs: 00192576

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: d4c051982f4fc1e68cfed4f45027adcc3a12916a3ee3065700eeff1e2c987992
Instruction ID: b1f135f8a8c6e54fb82c73689b250e7d88eae290bbaa75880ced2f901f108cc8
Opcode Fuzzy Hash: d4c051982f4fc1e68cfed4f45027adcc3a12916a3ee3065700eeff1e2c987992
Instruction Fuzzy Hash: E121D4B4900228BBCF05AFA0DC85EEEBFB9EF15310F104155F9A1A72A1DB748949DB60

Uniqueness

Uniqueness Score: -1.00%

Function 0019264A Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0013A1B9: _wcslen.LIBCMT ref: 0013A1C3

Part of subcall function 00194337: GetClassNameW.USER32 ref: 0019435A

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 001926CD
GetDlgCtrlID.USER32 ref: 001926D8
GetParent.USER32 ref: 001926F4
SendMessageW.USER32(00000000,?,00000111,?), ref: 001926F7
GetDlgCtrlID.USER32(?), ref: 00192700
GetParent.USER32(?), ref: 00192714
SendMessageW.USER32(00000000,?,00000111,?), ref: 00192717

Strings

ListBox, xrefs: 0019268C
ComboBox, xrefs: 00192657

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: b2524957d9de845f44f3a0eec4bb04ec5827caa1b6271e250c675a8a020aeacd
Instruction ID: dd7b210e22a92b25979a8166cbae85e3522f071cbcd2a812a2f7fd4fa3f419c5
Opcode Fuzzy Hash: b2524957d9de845f44f3a0eec4bb04ec5827caa1b6271e250c675a8a020aeacd
Instruction Fuzzy Hash: 5921A1B5A00228BBCF15ABA0DC85EEEBFB8EF15340F104056FD51A72A1DB758949DB60

Uniqueness

Uniqueness Score: -1.00%

Function 001CA7A7 Relevance: 15.3, APIs: 10, Instructions: 271windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00149DA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00149DB2

GetSystemMetrics.USER32 ref: 001CA7E8
GetSystemMetrics.USER32 ref: 001CA7FF
GetSystemMetrics.USER32 ref: 001CA80B
GetSystemMetrics.USER32 ref: 001CA821
MoveWindow.USER32(00000003,?,?,00000001,?,00000000,?,00000000,?,00000000), ref: 001CAA6D
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 001CAA8B
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 001CAAAC
ShowWindow.USER32(00000003,00000000), ref: 001CAACB
InvalidateRect.USER32(?,00000000,00000001), ref: 001CAAED
DefDlgProcW.USER32(?,00000005,?), ref: 001CAB13

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: MetricsSystem$Window$MessageSend$InvalidateLongMoveProcRectShow
String ID:
API String ID: 3962739598-0
Opcode ID: f345ec1285a2ae8b9f202659a2258b3543a6de0b4186c65b8e68fcd172e21183
Instruction ID: 229c989876d5e564b8d96c0240abce305021dd3541b3019f6246ac9fb765fbca
Opcode Fuzzy Hash: f345ec1285a2ae8b9f202659a2258b3543a6de0b4186c65b8e68fcd172e21183
Instruction Fuzzy Hash: 84B19B31600219DFDF15CF68C985BAE7BB1FF54708F558069EC899B295D730E980CB62

Uniqueness

Uniqueness Score: -1.00%

Function 001C4288 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 001C4302
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 001C4305
GetWindowLongW.USER32(?,000000F0), ref: 001C432C
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 001C434F
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 001C43C7
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 001C4411
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 001C442C
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 001C4447
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 001C445B
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 001C4478

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: cf474aa1bc8ac73efdc5ea73bda6ccdc65f614717fa16035b95d38cc74ab0bf3
Instruction ID: 62a39ccef11a7463910db97154a2b5213b14755b7c16cb69f8b4fb81454e546b
Opcode Fuzzy Hash: cf474aa1bc8ac73efdc5ea73bda6ccdc65f614717fa16035b95d38cc74ab0bf3
Instruction Fuzzy Hash: A1618975900208AFDB15DFA8CC95FEE77B8EB59710F20405AFA14E72A2C770A945CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0019B7E5 Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0019B807
GetForegroundWindow.USER32(00000000,?,?,?,?,?,0019A894,?,00000001), ref: 0019B81B
GetWindowThreadProcessId.USER32(00000000), ref: 0019B822
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0019A894,?,00000001), ref: 0019B831
GetWindowThreadProcessId.USER32(?,00000000), ref: 0019B843
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0019A894,?,00000001), ref: 0019B85C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0019A894,?,00000001), ref: 0019B86E
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0019A894,?,00000001), ref: 0019B8B3
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0019A894,?,00000001), ref: 0019B8C8
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0019A894,?,00000001), ref: 0019B8D3

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 1d74c2ef689aeb9ffac7450e62bca54c8f02026309e036ee89a133c226dbfd22
Instruction ID: f2268b6897e2889ba4b64ea9c4263cef2465b634b7bb93bb8c669f542144f8af
Opcode Fuzzy Hash: 1d74c2ef689aeb9ffac7450e62bca54c8f02026309e036ee89a133c226dbfd22
Instruction Fuzzy Hash: 54318BB1904306AFDB14DB15FD8DFAA7BBDAF48325F114026F804D6591D7749980CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00162F00 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00162F14

Part of subcall function 00162C48: HeapFree.KERNEL32(00000000,00000000,?,0016DA52,00201DC4,00000000,00201DC4,00000000,?,0016DA79,00201DC4,00000007,00201DC4,?,0016DE76,00201DC4), ref: 00162C5E
Part of subcall function 00162C48: GetLastError.KERNEL32(00201DC4,?,0016DA52,00201DC4,00000000,00201DC4,00000000,?,0016DA79,00201DC4,00000007,00201DC4,?,0016DE76,00201DC4,00201DC4), ref: 00162C70

_free.LIBCMT ref: 00162F20
_free.LIBCMT ref: 00162F2B
_free.LIBCMT ref: 00162F36
_free.LIBCMT ref: 00162F41
_free.LIBCMT ref: 00162F4C
_free.LIBCMT ref: 00162F57
_free.LIBCMT ref: 00162F62
_free.LIBCMT ref: 00162F6D
_free.LIBCMT ref: 00162F7B

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 1b9479b9b0ddabfddf4e3379e99533e53025b32d736874023d7b5c0d2dba6e21
Instruction ID: 842647932ffab5b97af7472594562dc5b9556a87125309fbfc2b0053e963b08c
Opcode Fuzzy Hash: 1b9479b9b0ddabfddf4e3379e99533e53025b32d736874023d7b5c0d2dba6e21
Instruction Fuzzy Hash: DB114476511508AFCB46EF94CD42CDE3BA5EF25390B9142A5FA089B232DB31DA609B90

Uniqueness

Uniqueness Score: -1.00%

Function 001319E5 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00131A2E
OleUninitialize.OLE32(?,00000000), ref: 00131ACD
UnregisterHotKey.USER32(?), ref: 00131CB2
DestroyWindow.USER32(?), ref: 001729A9
FreeLibrary.KERNEL32(?), ref: 00172A0E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00172A3B

Strings

close all, xrefs: 00131A29

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 2d6ee38f76147360d17d3370409f00003c013bcf75ae9e10f54499f77c8193d2
Instruction ID: cc327075e08d12d10600c1367468a1ee3f28ab82b9fbd5f58ce171200378abb4
Opcode Fuzzy Hash: 2d6ee38f76147360d17d3370409f00003c013bcf75ae9e10f54499f77c8193d2
Instruction Fuzzy Hash: CFD12631601222DFCB29EF15C499B29F7B4BF15704F1582ADE94AAB251CB31AC53CF91

Uniqueness

Uniqueness Score: -1.00%

Function 001A8640 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 001A87FD
SetCurrentDirectoryW.KERNEL32(?), ref: 001A8811
GetFileAttributesW.KERNEL32(?), ref: 001A883B
SetFileAttributesW.KERNEL32(?,00000000), ref: 001A8855
SetCurrentDirectoryW.KERNEL32(?), ref: 001A8867
SetCurrentDirectoryW.KERNEL32(?), ref: 001A88B0
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 001A8900

Strings

*.*, xrefs: 001A88B6

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: dcfffa3c108f88d6595536b7c98b363300aa63a789231b56991c4d8ceeb64ff1
Instruction ID: f1d61dd1fed25dba37c0dd76c3485edb55396b26feafd4b06104fbcd7996fcda
Opcode Fuzzy Hash: dcfffa3c108f88d6595536b7c98b363300aa63a789231b56991c4d8ceeb64ff1
Instruction Fuzzy Hash: C581B0765043019BCB24EF54C485AAEB3E8FF96350F64482EF889D7251EF34E945CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00136227 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32 ref: 001362B7

Part of subcall function 00136347: GetClientRect.USER32 ref: 0013636D
Part of subcall function 00136347: GetWindowRect.USER32 ref: 001363AE
Part of subcall function 00136347: ScreenToClient.USER32 ref: 001363D6

GetDC.USER32 ref: 00175010
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00175023
SelectObject.GDI32(00000000,00000000), ref: 00175031
SelectObject.GDI32(00000000,00000000), ref: 00175046
ReleaseDC.USER32 ref: 0017504E
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 001750DF

Strings

U, xrefs: 00174FAE

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: b84d39f8e284ee3fc0f83ff4e888611202d83606a4d365f6af03bd68439b0b13
Instruction ID: 707dce5ddc08f8d604a4c775a95d3b7d0836c36a08d01a9814381257a2f2bdeb
Opcode Fuzzy Hash: b84d39f8e284ee3fc0f83ff4e888611202d83606a4d365f6af03bd68439b0b13
Instruction Fuzzy Hash: F571CE31500205EFCF258F68C884EAA7BB6FF49320F248269FD595A1A6D771DC81DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 001A3DEC Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 001A3E34

Part of subcall function 0013A1B9: _wcslen.LIBCMT ref: 0013A1C3

LoadStringW.USER32(00203390,?,00000FFF,?), ref: 001A3E5A

Strings

"%s" (%d) : ==> %s:, xrefs: 001A3F92
Error: , xrefs: 001A3F3F
^ ERROR, xrefs: 001A3F19
"%s" (%d) : ==> %s:%s%s, xrefs: 001A3F74
Line %d (File "%s"):, xrefs: 001A3EBB

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: d0ff9078f64df355084278f5f5bd2c72ba44bc5df9e3f4e9be09b970db76a149
Instruction ID: 6d9817a36601dae3413ac09ddbbf7293e6684aa1c88f1a89a6e62739a8db1f02
Opcode Fuzzy Hash: d0ff9078f64df355084278f5f5bd2c72ba44bc5df9e3f4e9be09b970db76a149
Instruction Fuzzy Hash: 28517E71C0021AEBCF15EBE0DC46EEEBB78AF24304F444165F515720A2EB306A99DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 001ACAA3 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 001ACAC2
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 001ACAEA
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 001ACB1A
GetLastError.KERNEL32 ref: 001ACB72
SetEvent.KERNEL32(?), ref: 001ACB86
InternetCloseHandle.WININET(00000000), ref: 001ACB91

Strings

, xrefs: 001ACB0B

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 0045ea5badb2d288bee2a6ba14772fe92b2d66777aa422cfdda417578236b222
Instruction ID: df417796a1dc73ebe1d7ae5c5ad90418d264986e48e13919c4ccf2f090b275d7
Opcode Fuzzy Hash: 0045ea5badb2d288bee2a6ba14772fe92b2d66777aa422cfdda417578236b222
Instruction Fuzzy Hash: 97318BB9500708AFD7219F64DC8AEAB7BFCEB46784B10452AF44A93600EB35DD449BB1

Uniqueness

Uniqueness Score: -1.00%

Function 00199F01 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00174402,?,?,Bad directive syntax error,001CDCD0,00000000,00000010,?,?), ref: 00199F22
LoadStringW.USER32(00000000,?,00174402,?), ref: 00199F29

Part of subcall function 0013A1B9: _wcslen.LIBCMT ref: 0013A1C3

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00199FED

Strings

., xrefs: 00199FD3
Error: , xrefs: 00199FBB
Line %d:, xrefs: 00199F78
Line %d (File "%s"):, xrefs: 00199F93
%s (%d) : ==> %s.: %s %s, xrefs: 00199F57

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: f035dd1a11ac50f2706b2d8609e37150efd5d55a61a4619c1914705753009ca0
Instruction ID: 036ebba54f341a16449a68f03709475a75b212e6b411aa4983859f50b5542e24
Opcode Fuzzy Hash: f035dd1a11ac50f2706b2d8609e37150efd5d55a61a4619c1914705753009ca0
Instruction Fuzzy Hash: 8E21607180421EEBCF12AF90CC46EEE7B79BF28708F044469F619660E1DB719668DB51

Uniqueness

Uniqueness Score: -1.00%

Function 00192729 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00192735
GetClassNameW.USER32 ref: 0019274A
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 001927D7

Strings

SHELLDLL_DefView, xrefs: 00192756
list, xrefs: 001927B9
details, xrefs: 00192785
largeicons, xrefs: 0019276B
smallicons, xrefs: 0019279F

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 02c1110c1de31fe99d6093e61feee8aacafb6451ed32b9e02221a106000a81b0
Instruction ID: d2571b48e3d08c9fb7332b9661368808a6a3b37c2a0ec9d2d05eb802b08373a9
Opcode Fuzzy Hash: 02c1110c1de31fe99d6093e61feee8aacafb6451ed32b9e02221a106000a81b0
Instruction Fuzzy Hash: CC11C67734830ABBFF082761AC47DA677AC9B71725B210026FE04F54D1FBB1A8818620

Uniqueness

Uniqueness Score: -1.00%

Function 00168FC5 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43d17bd5ca5c553307eb2524dc15f8cc6062e294c23c25a38a05d65dd619a285
Instruction ID: a5942aefb69cedf812c426b1b0657e480216f38fdcfe222b5bc1e105308e4670
Opcode Fuzzy Hash: 43d17bd5ca5c553307eb2524dc15f8cc6062e294c23c25a38a05d65dd619a285
Instruction Fuzzy Hash: 37C1D0B0A04349AFCF11DFA8DC55BADBBB8BF19310F184199F814AB392C7349965CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00136347 Relevance: 13.8, APIs: 9, Instructions: 291COMMON

Download Yara Rule

APIs

GetClientRect.USER32 ref: 0013636D
GetWindowRect.USER32 ref: 001363AE
ScreenToClient.USER32 ref: 001363D6
GetClientRect.USER32 ref: 0013651A
GetWindowRect.USER32 ref: 0013653B

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: f3ba0af5aad6fcd712df68b4c925ab3d881f676b3db3d748d92037cd91f541d3
Instruction ID: 61f577efdb2548e8e30c658e08c601a7d8327834bb86e1372fc3687b35a99b67
Opcode Fuzzy Hash: f3ba0af5aad6fcd712df68b4c925ab3d881f676b3db3d748d92037cd91f541d3
Instruction Fuzzy Hash: 2AC13A7990065AEFDB14CFA8C580BEEBBF1FF18310F14C41AE899A7250DB74A951DB60

Uniqueness

Uniqueness Score: -1.00%

Function 0016D111 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0016D138
_free.LIBCMT ref: 0016D1A3
_free.LIBCMT ref: 0016D1C9
_free.LIBCMT ref: 0016D1F2
_free.LIBCMT ref: 0016D22A
_free.LIBCMT ref: 0016D25B
_free.LIBCMT ref: 0016D29C
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0016D31D
_free.LIBCMT ref: 0016D336

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 9eb06b29885420d3680a106f6264e925349c5b77db00554b6182c1dc883c3158
Instruction ID: 0d66b7fba4579d10eb340137b072d9f8ebfc3bf320a1ad9b0c66994d0f3c7f19
Opcode Fuzzy Hash: 9eb06b29885420d3680a106f6264e925349c5b77db00554b6182c1dc883c3158
Instruction Fuzzy Hash: 3E6116B1F04701AFDB25AF78FC45B6E7BA4AF12710F04016DF9549B282EB758C608791

Uniqueness

Uniqueness Score: -1.00%

Function 001C593B Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 001C59ED
ShowWindow.USER32(?,00000000), ref: 001C5A2E
ShowWindow.USER32(?,00000005,?,00000000), ref: 001C5A34
SetFocus.USER32(?,?,00000005,?,00000000), ref: 001C5A38

Part of subcall function 001C77BA: DeleteObject.GDI32(00000000), ref: 001C77E6

GetWindowLongW.USER32(?,000000F0), ref: 001C5A74
SetWindowLongW.USER32 ref: 001C5A81
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 001C5AB4
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 001C5AEE
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 001C5AFD

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 820d0ec90ff6010d45cdae956acc2ce296e87b57b27bfac52ed8d01750a48951
Instruction ID: 9d569389162348df9ebca7dac33ae7be38b0f01a23f53bea1c5dac04eaa00e9d
Opcode Fuzzy Hash: 820d0ec90ff6010d45cdae956acc2ce296e87b57b27bfac52ed8d01750a48951
Instruction Fuzzy Hash: 70518930A40A08FFEF249F25CC89F993B66EB24368F14415AFA14961E1C771F9C0DB41

Uniqueness

Uniqueness Score: -1.00%

Function 00148DFB Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32 ref: 00186F22
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 00186F3B
LoadImageW.USER32 ref: 00186F4B
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00186F63
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00186F84
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00148DDE,00000000,00000000,00000000,000000FF,00000000), ref: 00186F93
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00186FB0
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00148DDE,00000000,00000000,00000000,000000FF,00000000), ref: 00186FBF

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 6e9da1091d327a6f3b5bb5b522dd2200f566620a0494fa969622e7a52f6e0904
Instruction ID: 54f9ad5441e57f4c48a0a8576c0f7d8ed85bd5b1d5e811be0d2693a07ce9197b
Opcode Fuzzy Hash: 6e9da1091d327a6f3b5bb5b522dd2200f566620a0494fa969622e7a52f6e0904
Instruction Fuzzy Hash: 5F517770600209EFDB24EF29DC45FAE7BB5AB58714F104529FA06A76A0DB70EA90DB50

Uniqueness

Uniqueness Score: -1.00%

Function 001AF5C3 Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 001AF5EA
EmptyClipboard.USER32 ref: 001AF5F0
GlobalAlloc.KERNEL32(00000002,?), ref: 001AF605
CloseClipboard.USER32 ref: 001AF6FC

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 3117f4ab4e24cca6e6e5df22c580090b6e6880588c945f5352fe5f20a0577b18
Instruction ID: 04d0087b2e7906a9b86a170a79258d5ab8ab581fb1d97d3010209f7840b9609c
Opcode Fuzzy Hash: 3117f4ab4e24cca6e6e5df22c580090b6e6880588c945f5352fe5f20a0577b18
Instruction Fuzzy Hash: 69418B39204611AFD714CF65E888F19BBE0EF45318F15C4ADE4698BA72C735EC82CB90

Uniqueness

Uniqueness Score: -1.00%

Function 001AC993 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 001AC9D2
GetLastError.KERNEL32 ref: 001AC9E5
SetEvent.KERNEL32(?), ref: 001AC9F9

Part of subcall function 001ACAA3: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 001ACAC2
Part of subcall function 001ACAA3: GetLastError.KERNEL32 ref: 001ACB72
Part of subcall function 001ACAA3: SetEvent.KERNEL32(?), ref: 001ACB86
Part of subcall function 001ACAA3: InternetCloseHandle.WININET(00000000), ref: 001ACB91

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 38d4f47b82b0561e69fca77e38cf0a39b8612321a76d80a41d8d8cda11417101
Instruction ID: 377cc41ce80acb8968122678e75313920d8aac866cc8620eb3e46f8e67cbd1ae
Opcode Fuzzy Hash: 38d4f47b82b0561e69fca77e38cf0a39b8612321a76d80a41d8d8cda11417101
Instruction Fuzzy Hash: 8D316B79200B09AFDB21DFB59C44A77BBE8FF46304B00452DF95AC3A10E731E850ABA0

Uniqueness

Uniqueness Score: -1.00%

Function 00192C2C Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 001940CD: GetWindowThreadProcessId.USER32(?,00000000), ref: 001940E7
Part of subcall function 001940CD: GetCurrentThreadId.KERNEL32 ref: 001940EE
Part of subcall function 001940CD: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00192C3D), ref: 001940F5

MapVirtualKeyW.USER32(00000025,00000000), ref: 00192C47
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00192C65
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00192C69
MapVirtualKeyW.USER32(00000025,00000000), ref: 00192C73
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00192C8B
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00192C8F
MapVirtualKeyW.USER32(00000025,00000000), ref: 00192C99
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00192CAD
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00192CB1

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 0342b5b20dc8db48f4a6b33986bc5bff8f8b772b2834bcdeb123d74ed1616c66
Instruction ID: 210eb524ec737985b42d6fe12dce2015984429e806358043c12fdb89b9cc18aa
Opcode Fuzzy Hash: 0342b5b20dc8db48f4a6b33986bc5bff8f8b772b2834bcdeb123d74ed1616c66
Instruction Fuzzy Hash: 3301D830790310BBFB2067699C8AF593F59DF59B52F120015F318AF1E0CAF25444CA69

Uniqueness

Uniqueness Score: -1.00%

Function 00191E8D Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00191AD3,?,?,00000000), ref: 00191E96
HeapAlloc.KERNEL32(00000000,?,00191AD3,?,?,00000000), ref: 00191E9D
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00191AD3,?,?,00000000), ref: 00191EB2
GetCurrentProcess.KERNEL32(?,00000000,?,00191AD3,?,?,00000000), ref: 00191EBA
DuplicateHandle.KERNEL32(00000000,?,00191AD3,?,?,00000000), ref: 00191EBD
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00191AD3,?,?,00000000), ref: 00191ECD
GetCurrentProcess.KERNEL32(00191AD3,00000000,?,00191AD3,?,?,00000000), ref: 00191ED5
DuplicateHandle.KERNEL32(00000000,?,00191AD3,?,?,00000000), ref: 00191ED8
CreateThread.KERNEL32 ref: 00191EF2

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 00edb1559f00fe3724dc69672920b4e563cd910324387c91053a5cd35ee2f53d
Instruction ID: 24c438f334f978439009fd454e0283618f403fb11e42c979e5c7274048363882
Opcode Fuzzy Hash: 00edb1559f00fe3724dc69672920b4e563cd910324387c91053a5cd35ee2f53d
Instruction Fuzzy Hash: FC01BBB5240348BFE710ABA5EC4DF6B7FACEB88711F454425FA05DB6A1CA70D840CB20

Uniqueness

Uniqueness Score: -1.00%

Function 001BA93B Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0019DB92: CreateToolhelp32Snapshot.KERNEL32 ref: 0019DBB7
Part of subcall function 0019DB92: Process32FirstW.KERNEL32(00000000,?), ref: 0019DBC5
Part of subcall function 0019DB92: CloseHandle.KERNEL32(00000000), ref: 0019DC92

OpenProcess.KERNEL32(00000001,00000000,?), ref: 001BA9C6
GetLastError.KERNEL32 ref: 001BA9D9
OpenProcess.KERNEL32(00000001,00000000,?), ref: 001BAA0C
TerminateProcess.KERNEL32(00000000,00000000), ref: 001BAAC1
GetLastError.KERNEL32(00000000), ref: 001BAACC
CloseHandle.KERNEL32(00000000), ref: 001BAB1D

Strings

SeDebugPrivilege, xrefs: 001BA9E8

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 2c19b1b02b6ba8026db7f9309d8700d4cc2609f221ef1a4d3de402cb738c549c
Instruction ID: b20709d84bc8c5b9bb07e02736d2d0d57cab2ee9ca5a0e61ee2827044794f496
Opcode Fuzzy Hash: 2c19b1b02b6ba8026db7f9309d8700d4cc2609f221ef1a4d3de402cb738c549c
Instruction Fuzzy Hash: DD61EE70204202AFD720DF29D594F69BBE1AF54308F59849CE4668FBA3C771EC85CB92

Uniqueness

Uniqueness Score: -1.00%

Function 001C40EB Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 001C418A
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 001C419F
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 001C41B9
_wcslen.LIBCMT ref: 001C41FE
SendMessageW.USER32(?,00001057,00000000,?), ref: 001C422B
SendMessageW.USER32(?,00001061,?,0000000F), ref: 001C4259

Strings

SysListView32, xrefs: 001C415C

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 6358fd2b4e7f01c3bd7754de8aa53a192318e2fcb5f3f348cd5bb7d32f58ce4e
Instruction ID: 0df25193ef15df2cbc2c59c241de9f7f3129c2d79c5f99d2e47e381f0f78994f
Opcode Fuzzy Hash: 6358fd2b4e7f01c3bd7754de8aa53a192318e2fcb5f3f348cd5bb7d32f58ce4e
Instruction Fuzzy Hash: 6641B171A04318ABDB219F64DC49FEA7BA9EF68350F14052AF958E7281D770E980CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0019C314 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0019C3B3
IsMenu.USER32 ref: 0019C3D3
CreatePopupMenu.USER32(00202990,00000000,775E33D0), ref: 0019C409
GetMenuItemCount.USER32 ref: 0019C45A
InsertMenuItemW.USER32(00E89158,?,00000001,00000030), ref: 0019C482

Strings

2, xrefs: 0019C3ED
0, xrefs: 0019C35E

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 5eec55901624d02afe57d9552d08b47ee4fe1a648cb6989f0af83b04f26be9ca
Instruction ID: 114d2a5fb899612fe8a2daa60a63dbcd2402c35ee14b48e700155546739640da
Opcode Fuzzy Hash: 5eec55901624d02afe57d9552d08b47ee4fe1a648cb6989f0af83b04f26be9ca
Instruction Fuzzy Hash: B651D3707003059BDF20CF68D994BBEBBF9BF55318F148229E495DB291D3709940CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0019E549 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 0019E564
gethostname.WSOCK32(?,00000100), ref: 0019E57E
gethostbyname.WSOCK32(?), ref: 0019E58B
inet_ntoa.WSOCK32(?), ref: 0019E5CD
_strcat.LIBCMT ref: 0019E5DB
WSACleanup.WSOCK32 ref: 0019E600

Strings

0.0.0.0, xrefs: 0019E5A9

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: c87e100f28cad1daadbdf5ba5850abaa620f3b4d2ca2d28106c8d8ee5709c44e
Instruction ID: a2724efbc29ae31db4bf73780959c38164ccc86fc4b3b59f38564dab85af3b21
Opcode Fuzzy Hash: c87e100f28cad1daadbdf5ba5850abaa620f3b4d2ca2d28106c8d8ee5709c44e
Instruction Fuzzy Hash: 9211E471904214BBDF24EB70EC0AEDE7BBCDB65315F110079F51596091EF70DAC58A54

Uniqueness

Uniqueness Score: -1.00%

Function 0019F242 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0019F252
SendMessageTimeoutW.USER32 ref: 0019F268
GetWindowThreadProcessId.USER32(?,?), ref: 0019F277
OpenProcess.KERNEL32(________________________________________________________________________________________________abccccccccdeefghijklmnopqrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstyzzzzzzzzzzzzzzzz{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0019F286
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0019F290
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0019F297

Strings

________________________________________________________________________________________________abccccccccdeefghijklmnopqrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstyzzzzzzzzzzzzzzzz{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{, xrefs: 0019F281

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID: ________________________________________________________________________________________________abccccccccdeefghijklmnopqrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstyzzzzzzzzzzzzzzzz{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{
API String ID: 839392675-186485552
Opcode ID: 1e46091a62f0379ee7185c5cd8da91b4f3ac1645cef6df30346123f615bc3403
Instruction ID: afb423dee513377635e94143cdf12bd78cd82bccb593623ad1eaaee5102704d1
Opcode Fuzzy Hash: 1e46091a62f0379ee7185c5cd8da91b4f3ac1645cef6df30346123f615bc3403
Instruction Fuzzy Hash: B4F05472241198BBE7215752AC0EEEF7F7CEFC6B11F040069F601D1590D7A09A82D6B5

Uniqueness

Uniqueness Score: -1.00%

Function 0019F43B Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0019F44C
_wcslen.LIBCMT ref: 0019F45D
_wcslen.LIBCMT ref: 0019F49B
_wcslen.LIBCMT ref: 0019F4D1
_wcslen.LIBCMT ref: 0019F501
_wcslen.LIBCMT ref: 0019F511
_wcslen.LIBCMT ref: 0019F54D
_wcslen.LIBCMT ref: 0019F57C

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: b52d08e1d842df61a916427db91fbb42558698995cec6d9c4999a022fc146184
Instruction ID: b842227735a49f7ff4b4a7dceeda0026021662ad5e37e95fc89a6ce3628200c1
Opcode Fuzzy Hash: b52d08e1d842df61a916427db91fbb42558698995cec6d9c4999a022fc146184
Instruction Fuzzy Hash: 8941C276C10108B6DF21EBB4984AADEB7B8AF15301F418526E924E7121FB34E359C7E5

Uniqueness

Uniqueness Score: -1.00%

Function 0014F20A Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00172970,00000004,00000000,00000000), ref: 0014F285
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,00172970,00000004,00000000,00000000), ref: 0018F7D6
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00172970,00000004,00000000,00000000), ref: 0018F859

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: c7b46e8b5bb25c725994fa2089a30fa4424483d218a800221cd8f9c8950ffff3
Instruction ID: 1987fc9ccbc2d495139071c0518bd4a7564adef53dce732209867570e91e5dcb
Opcode Fuzzy Hash: c7b46e8b5bb25c725994fa2089a30fa4424483d218a800221cd8f9c8950ffff3
Instruction Fuzzy Hash: 0E412839A04280DADB3D9B28D88CF2A7FA1AF56314F55443DE04756B71C7B1E986CF11

Uniqueness

Uniqueness Score: -1.00%

Function 001C3568 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 001C3580
GetDC.USER32(00000000), ref: 001C3588
GetDeviceCaps.GDI32(00000000,0000005A), ref: 001C3593
ReleaseDC.USER32 ref: 001C359F
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 001C35DB
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 001C35EC
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,001C62CC,?,?,000000FF,00000000,?,000000FF,?), ref: 001C3627
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 001C3646

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 3c033b558f9ce36c16c5cc31623bfd13675f727eeeb2c3c16b79fedb17638e61
Instruction ID: beee59afa175d8476f6ba2ec905c81642f0c3c4a56df07f8b8d242bcdc313d69
Opcode Fuzzy Hash: 3c033b558f9ce36c16c5cc31623bfd13675f727eeeb2c3c16b79fedb17638e61
Instruction Fuzzy Hash: 9231BC72201224BFEB218F10DC89FEB3FA9EF59715F044029FE089A291C675DD91CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00195CC0 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00195CD5
_memcmp.LIBVCRUNTIME ref: 00195CF7
_memcmp.LIBVCRUNTIME ref: 00195D0F
_memcmp.LIBVCRUNTIME ref: 00195D22
_memcmp.LIBVCRUNTIME ref: 00195D3C
_memcmp.LIBVCRUNTIME ref: 00195D4F
_memcmp.LIBVCRUNTIME ref: 00195D67
_memcmp.LIBVCRUNTIME ref: 00195D82

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 0594ba6d32d41e368b4d366b676f08a296751024faccfa04f3aeafab1cc9ef75
Instruction ID: 9a9ec822612f5d8aebf75dc7e0f374edcbd54c585a0283604273d6d471d4d92e
Opcode Fuzzy Hash: 0594ba6d32d41e368b4d366b676f08a296751024faccfa04f3aeafab1cc9ef75
Instruction Fuzzy Hash: FE21D571741A05BBEB4B56219D86FBF339EAE25394F180022FD05BB241E750EE14D3B5

Uniqueness

Uniqueness Score: -1.00%

Function 001B5807 Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 001B5887, 001B5BDC
Not an Object type, xrefs: 001B5860

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 5e2979a8e8791f998cea9201a70c96c5f7ebf5fbc50bbeed80f7fbaa14800519
Instruction ID: feda276d629ff502cbbe4b6b70df24746f59657522dc3a158fbbd2010c6480be
Opcode Fuzzy Hash: 5e2979a8e8791f998cea9201a70c96c5f7ebf5fbc50bbeed80f7fbaa14800519
Instruction Fuzzy Hash: 93D1AD75A0060A9FDF14DFA8C881FEEB7B6BF48314F148569E915AB280E770ED45CB60

Uniqueness

Uniqueness Score: -1.00%

Function 001717A2 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,00171A7B,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 0017184E
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00171A7B,00000000,00000000,?,00000000,?,?,?,?), ref: 001718D1
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00171A7B,?,00171A7B,00000000,00000000,?,00000000,?,?,?,?), ref: 00171964
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00171A7B,00000000,00000000,?,00000000,?,?,?,?), ref: 0017197B

Part of subcall function 00163AA0: RtlAllocateHeap.NTDLL(00000000,?,?,?,00156989,?,0000015D,?,?,?,?,001584C0,000000FF,00000000,?,?), ref: 00163AD2

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00171A7B,00000000,00000000,?,00000000,?,?,?,?), ref: 001719F7
__freea.LIBCMT ref: 00171A22
__freea.LIBCMT ref: 00171A2E

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: fe0405bd8bd5bbf50638024104987288ee7ed02b39d7563cf8ae5f6981c6b3a3
Instruction ID: 7b475a31c8111efe6792cd833a4d344e33b54d9b0211cae59cce2413a028f2d4
Opcode Fuzzy Hash: fe0405bd8bd5bbf50638024104987288ee7ed02b39d7563cf8ae5f6981c6b3a3
Instruction Fuzzy Hash: 4291D472E00256BADB248EACCC81EEE7BB5AF59310F198229E909E7141EB34DD41C761

Uniqueness

Uniqueness Score: -1.00%

Function 001B4D7C Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 001B4EA1
VariantInit.OLEAUT32(?), ref: 001B4FA2
VariantClear.OLEAUT32(?), ref: 001B4FAC
VariantClear.OLEAUT32(?), ref: 001B5009

Strings

Incorrect Object type in FOR..IN loop, xrefs: 001B4F85
Null Object assignment in FOR..IN loop, xrefs: 001B4E31, 001B4F5F, 001B5017

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 5e318c210c44a44d34cdce58b6bc808900f69ba12529be783e13d2ca3413422a
Instruction ID: 3cbebc515f09c9f3928b81b604d1f0e3fbb72056f8b316872c2b585974525b82
Opcode Fuzzy Hash: 5e318c210c44a44d34cdce58b6bc808900f69ba12529be783e13d2ca3413422a
Instruction Fuzzy Hash: 03919B71A00219AFDF24DFA9C844FEEBBB8FF45714F10811AF515AB281D7749945CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00149690 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: eb1489077b686b4c07568365629feb8627ed3e5b2eb4ba32df81cb9db04db536
Instruction ID: 636fe84e759eb73dae013e68d99fd46e1c5836af5b8136b21d258ff7ea9a40f7
Opcode Fuzzy Hash: eb1489077b686b4c07568365629feb8627ed3e5b2eb4ba32df81cb9db04db536
Instruction Fuzzy Hash: 32915A71D00219AFCB14CFA9CC88AEEBBB9FF49320F244559E515B7261D378AA41CF60

Uniqueness

Uniqueness Score: -1.00%

Function 001A1951 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 001A1A26
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 001A1A4E
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 001A1A72
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 001A1AA2
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 001A1B29
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 001A1B8E
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 001A1BFA

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 5527c2c31246dcc20d6ac471b62908f032a078eddb49650f168dc0ab7ea3f07c
Instruction ID: 7a7677b0ff458f534e708c77fba3d94b81dc31fa256dcbf329125f8570450042
Opcode Fuzzy Hash: 5527c2c31246dcc20d6ac471b62908f032a078eddb49650f168dc0ab7ea3f07c
Instruction Fuzzy Hash: CC91E27A900219BFDB01DFA8D884BBEB7B5FF06321F114029E911EB291E774E945CB60

Uniqueness

Uniqueness Score: -1.00%

Function 001B41A0 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 001B41C4
CharUpperBuffW.USER32(?,?), ref: 001B42D3
_wcslen.LIBCMT ref: 001B42E3
VariantClear.OLEAUT32(?), ref: 001B4478

Part of subcall function 001A14A9: VariantInit.OLEAUT32(00000000), ref: 001A14E9
Part of subcall function 001A14A9: VariantCopy.OLEAUT32(?,?), ref: 001A14F2
Part of subcall function 001A14A9: VariantClear.OLEAUT32(?), ref: 001A14FE

Strings

AUTOIT.ERROR, xrefs: 001B42D9, 001B42DE
Incorrect Parameter format, xrefs: 001B41FF, 001B43FA

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: ca1a63eef2efed0edec314e50eae1491a3942fa40915295cacfb663eff16d106
Instruction ID: f80c1fa122ee9d6501a1ef7f30b264a62d6243a908a3fbb142e6a48c8a131677
Opcode Fuzzy Hash: ca1a63eef2efed0edec314e50eae1491a3942fa40915295cacfb663eff16d106
Instruction Fuzzy Hash: 21918B746083019FC714EF68D4809AAB7E5FF98314F14886DF88A8B352DB31ED06CB92

Uniqueness

Uniqueness Score: -1.00%

Function 001B5406 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0019063D: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00190570,80070057,?,?,?,0019098D), ref: 0019065A
Part of subcall function 0019063D: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00190570,80070057,?,?), ref: 00190675
Part of subcall function 0019063D: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00190570,80070057,?,?), ref: 00190683
Part of subcall function 0019063D: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00190570,80070057,?), ref: 00190693

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 001B54AA
_wcslen.LIBCMT ref: 001B55B2
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 001B5628
CoTaskMemFree.OLE32(?), ref: 001B5633

Strings

NULL Pointer assignment, xrefs: 001B567C, 001B56AB

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 1d353fc32775f463bd4b0217b6d37a036625223ed65571a1fd26fe6643f63c4b
Instruction ID: acb7955d9f00c809b027e74e506312b13db74b6003ef78807311132efff93b2b
Opcode Fuzzy Hash: 1d353fc32775f463bd4b0217b6d37a036625223ed65571a1fd26fe6643f63c4b
Instruction Fuzzy Hash: 849107B1D00219AFDF15DFA4DC81EEEB7B9BF18310F50416AE915A7291EB709A44CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 001C2962 Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 001C29E8
GetMenuItemCount.USER32 ref: 001C2A1A
GetMenuStringW.USER32 ref: 001C2A42
_wcslen.LIBCMT ref: 001C2A78
GetMenuItemID.USER32(?,?), ref: 001C2AB2
GetSubMenu.USER32 ref: 001C2AC0

Part of subcall function 001940CD: GetWindowThreadProcessId.USER32(?,00000000), ref: 001940E7
Part of subcall function 001940CD: GetCurrentThreadId.KERNEL32 ref: 001940EE
Part of subcall function 001940CD: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00192C3D), ref: 001940F5

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 001C2B48

Part of subcall function 0019F09D: Sleep.KERNEL32 ref: 0019F115

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 0afcb281d1bf5caf00bad9cebc53e741df8459a6a47af287e692540fcb259e56
Instruction ID: 1bc8be407efe6413786067eea428f6205d9b4cd7a52fdb8ef78bb2cd8a741b36
Opcode Fuzzy Hash: 0afcb281d1bf5caf00bad9cebc53e741df8459a6a47af287e692540fcb259e56
Instruction Fuzzy Hash: FF718B75A00205AFCB14DFA4C885FAEBBB1EF68314F14846DE816AB241DB34ED41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 001C86BF Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00E890E0), ref: 001C8758
IsWindowEnabled.USER32(00E890E0), ref: 001C8764
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 001C883F
SendMessageW.USER32(00E890E0,000000B0,?,?), ref: 001C8872
IsDlgButtonChecked.USER32(?,?), ref: 001C88AA
GetWindowLongW.USER32(00E890E0,000000EC), ref: 001C88CC
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 001C88E4

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 355a8a139b0cc6118ae681a15222b2423099a07f494cbe28e41c682a274a1153
Instruction ID: 76e06a731a5836fbf1e71d6c2fe90dc37262dbe3b59efce53ea12385c496d4df
Opcode Fuzzy Hash: 355a8a139b0cc6118ae681a15222b2423099a07f494cbe28e41c682a274a1153
Instruction Fuzzy Hash: 9F719B34600304AFEF259F94C8D4FAABBB9EF69300F64406EE955972A1DB31E990DF11

Uniqueness

Uniqueness Score: -1.00%

Function 0019B570 Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0019B5AF
GetKeyboardState.USER32(?), ref: 0019B5C4
SetKeyboardState.USER32(?), ref: 0019B625
PostMessageW.USER32(?,00000101,00000010,?), ref: 0019B653
PostMessageW.USER32(?,00000101,00000011,?), ref: 0019B672
PostMessageW.USER32(?,00000101,00000012,?), ref: 0019B6B3
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0019B6D6

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: bc56e35df9edbc2bdd15e7139265ab456fc66405df2d0ecf787ec17798630820
Instruction ID: c58d4a1254fe5b78bf9c4cc0ce233e840eccd25bdfbe8a7916e62fba022fad59
Opcode Fuzzy Hash: bc56e35df9edbc2bdd15e7139265ab456fc66405df2d0ecf787ec17798630820
Instruction Fuzzy Hash: ED51C1A060C7D53DFF364234AD89BBABEA95B46304F088589E1D9968C2D7D8ECC4DB50

Uniqueness

Uniqueness Score: -1.00%

Function 0019B390 Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0019B3CF
GetKeyboardState.USER32(?), ref: 0019B3E4
SetKeyboardState.USER32(?), ref: 0019B445
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0019B471
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0019B48E
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0019B4CD
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0019B4EE

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: eff891185daf1f73bb1a920f69802782051d7f5bb5ddf05622ff694c118bdfad
Instruction ID: 23122e5eeb82fa466bdd46f7523d28e631e3448f9f88bdd4f5e03730d1bb40ea
Opcode Fuzzy Hash: eff891185daf1f73bb1a920f69802782051d7f5bb5ddf05622ff694c118bdfad
Instruction Fuzzy Hash: 7851E6A094C7D57DFF368364AD85B7A7EA96F05300F088489E1DA478C3D794ED84E750

Uniqueness

Uniqueness Score: -1.00%

Function 001656AE Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00174486,?,?,?,?,?,?,?,?,00165E23,?,?,00174486,?,?), ref: 001656F0
__fassign.LIBCMT ref: 0016576B
__fassign.LIBCMT ref: 00165786
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00174486,00000005,00000000,00000000), ref: 001657AC
WriteFile.KERNEL32(?,00174486,00000000,00165E23,00000000,?,?,?,?,?,?,?,?,?,00165E23,?), ref: 001657CB
WriteFile.KERNEL32(?,?,00000001,00165E23,00000000,?,?,?,?,?,?,?,?,?,00165E23,?), ref: 00165804

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: fd61196e31da06496f82d0b88e70e1e67b12293dd1432deadceb93f742e09b8b
Instruction ID: 891ef8832e6019d15bb8cdb2674481eefb0df4bd182d0e9f74d5c04480fc159f
Opcode Fuzzy Hash: fd61196e31da06496f82d0b88e70e1e67b12293dd1432deadceb93f742e09b8b
Instruction Fuzzy Hash: E651B170A006499FCB10CFA9DC85AEEBBF9EF09300F14412EE955E7691E730EA51CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00152FA0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00152FCB
___except_validate_context_record.LIBVCRUNTIME ref: 00152FD3
_ValidateLocalCookies.LIBCMT ref: 00153061
__IsNonwritableInCurrentImage.LIBCMT ref: 0015308C
_ValidateLocalCookies.LIBCMT ref: 001530E1

Strings

csm, xrefs: 00153076

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: f79ff3c616163589df61ba56dbe00c4cd6ae44996402b87ee6957e741b831ae9
Instruction ID: 2af4023472d56c00650140c8e8675245f34ce30e60ffa8c7597261c32825088f
Opcode Fuzzy Hash: f79ff3c616163589df61ba56dbe00c4cd6ae44996402b87ee6957e741b831ae9
Instruction Fuzzy Hash: B6418C34A00208EBCF10DF68C894AAEBBA5AF45365F148156FD359F292D731EA49CB91

Uniqueness

Uniqueness Score: -1.00%

Function 001B1911 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 001B38A7: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 001B38D3
Part of subcall function 001B38A7: _wcslen.LIBCMT ref: 001B38F4

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 001B196B
WSAGetLastError.WSOCK32 ref: 001B197A
WSAGetLastError.WSOCK32 ref: 001B1A22
closesocket.WSOCK32(00000000), ref: 001B1A52

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 8b18189cf896a566e6b2378b34a230cfd23b45f2e3345c6c4ecb20fbfdfe4464
Instruction ID: 10e5524fc96c09c7680581380bae73dcbc421badef71eed7e8fcdb99a0c1a495
Opcode Fuzzy Hash: 8b18189cf896a566e6b2378b34a230cfd23b45f2e3345c6c4ecb20fbfdfe4464
Instruction Fuzzy Hash: 4D411531600204AFDB10DF64D894BE9BBE9FF45328F158129F805AB291D770ED81CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 0019D5B6 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0019E502: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0019D5D8,?), ref: 0019E51F

Part of subcall function 0019E502: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0019D5D8,?), ref: 0019E538

lstrcmpiW.KERNEL32(?,?), ref: 0019D5FB
MoveFileW.KERNEL32(?,?), ref: 0019D635
_wcslen.LIBCMT ref: 0019D6BB
_wcslen.LIBCMT ref: 0019D6D1
SHFileOperationW.SHELL32(?), ref: 0019D717

Strings

\*.*, xrefs: 0019D6A9

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: d5e4b422bae2e255967d4fed3e0c5982b6e77fa4563958a660009bc021161c0b
Instruction ID: 58945f8d75253d1783531dc0ba4f1efc1065c1607f9be74cbc44d295813305a7
Opcode Fuzzy Hash: d5e4b422bae2e255967d4fed3e0c5982b6e77fa4563958a660009bc021161c0b
Instruction Fuzzy Hash: 354140759052189EDF16EBA4D981EDE77F8AF18380F4000EAE509EB152EB34A788CB50

Uniqueness

Uniqueness Score: -1.00%

Function 001C3662 Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 001C3681
GetWindowLongW.USER32(?,000000F0), ref: 001C36B4
GetWindowLongW.USER32(?,000000F0), ref: 001C36E9
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 001C371B
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 001C3745
GetWindowLongW.USER32(?,000000F0), ref: 001C3756
SetWindowLongW.USER32 ref: 001C3770

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: cdc7d92e90ab6445dd92e35ec01065964539ca651ade2a3b7e6192cbdf1cc615
Instruction ID: 243bb8c16d4fff5ecb76d92ce12e20eab55a5b82c1dfec5b2b95a4487eb48955
Opcode Fuzzy Hash: cdc7d92e90ab6445dd92e35ec01065964539ca651ade2a3b7e6192cbdf1cc615
Instruction Fuzzy Hash: 0031F674604264AFDB228F18EC89F6537E1EB5A714F155169F5208B2B2CB71EA84DF01

Uniqueness

Uniqueness Score: -1.00%

Function 00197DC4 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00197E07
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00197E2D
SysAllocString.OLEAUT32(00000000), ref: 00197E30
SysAllocString.OLEAUT32(?), ref: 00197E4E
SysFreeString.OLEAUT32(?), ref: 00197E57
StringFromGUID2.OLE32(?,?,00000028), ref: 00197E7C
SysAllocString.OLEAUT32(?), ref: 00197E8A

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 4445cc822d0168ee8af54fdd762143b1d239b062089e48ed3e608484a2d385ab
Instruction ID: 14133b8f249505f082d6098acaa9251c4f76bd7f7167a19d33365ff43ecfb1f0
Opcode Fuzzy Hash: 4445cc822d0168ee8af54fdd762143b1d239b062089e48ed3e608484a2d385ab
Instruction Fuzzy Hash: 05219076604219AF9F14EFA8DC88DBB77ACEF08360B048425FA15DB190E770EC828760

Uniqueness

Uniqueness Score: -1.00%

Function 00197E9B Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00197EE0
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00197F06
SysAllocString.OLEAUT32(00000000), ref: 00197F09
SysAllocString.OLEAUT32 ref: 00197F2A
SysFreeString.OLEAUT32 ref: 00197F33
StringFromGUID2.OLE32(?,?,00000028), ref: 00197F4D
SysAllocString.OLEAUT32(?), ref: 00197F5B

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 4b0a7c3e9b279a4dcb4ad5d60bf53116965ba03d9640a43473fd1d8f6dcf6f51
Instruction ID: 1d56826bb76c9c7277fe6758099a36d451e4c4eaf2299361df7cf7d8d0243f4a
Opcode Fuzzy Hash: 4b0a7c3e9b279a4dcb4ad5d60bf53116965ba03d9640a43473fd1d8f6dcf6f51
Instruction Fuzzy Hash: 74214475614208AFDF149BB8DC89DAA77ECEF093607048125FA15DB2E0D774EC868764

Uniqueness

Uniqueness Score: -1.00%

Function 001A0C84 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 001A0CA4
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 001A0CE0

Strings

nul, xrefs: 001A0D19

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 984a92ae9af46511e16464da3f000376df76905b8a09871fe4eac85cb02f8296
Instruction ID: 04c80d1e072879c50f41668172adb338327899340e44e5be2ce69f0d11639396
Opcode Fuzzy Hash: 984a92ae9af46511e16464da3f000376df76905b8a09871fe4eac85cb02f8296
Instruction Fuzzy Hash: 9D218E79500305AFDB219FA4DC04A9A7BA8FF5A724F204A29FCA5D72E0D771E950CB50

Uniqueness

Uniqueness Score: -1.00%

Function 001A0D59 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 001A0D78
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 001A0DB3

Strings

nul, xrefs: 001A0DEB

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 2a93c19da392a9cfb5c121ad160f0a6ab24552acf0089ed034be3a4c12807a88
Instruction ID: 30357361fae27553ef7b12bafdaa7b76e318f339ec2a8c741e0d5dbda83a6352
Opcode Fuzzy Hash: 2a93c19da392a9cfb5c121ad160f0a6ab24552acf0089ed034be3a4c12807a88
Instruction Fuzzy Hash: 8B216079500306AFDB229FA89C04E9A7BA8FF5E724F200E19F8A1E72D0D770D951DB50

Uniqueness

Uniqueness Score: -1.00%

Function 001C4914 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00136653: CreateWindowExW.USER32 ref: 00136691
Part of subcall function 00136653: GetStockObject.GDI32(00000011), ref: 001366A5
Part of subcall function 00136653: SendMessageW.USER32(00000000,00000030,00000000), ref: 001366AF

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 001C4979
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 001C4986
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 001C4991
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 001C49A0
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 001C49AC

Strings

Msctls_Progress32, xrefs: 001C494A

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 088b071caa34cfba42a6a9143618dc3195e095c3e72337cef944ec2d366fb47c
Instruction ID: a02dd55dff2c6dc87161a492c2792e7e862ce68551fb65962c20a3ab57d8b5ce
Opcode Fuzzy Hash: 088b071caa34cfba42a6a9143618dc3195e095c3e72337cef944ec2d366fb47c
Instruction Fuzzy Hash: 7B1160B214421DBEEF119F64DC86EE77FADEF18798F018111BA18A6050C772DC619BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0016DA60 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0016DA24: _free.LIBCMT ref: 0016DA4D

_free.LIBCMT ref: 0016DAAE

Part of subcall function 00162C48: HeapFree.KERNEL32(00000000,00000000,?,0016DA52,00201DC4,00000000,00201DC4,00000000,?,0016DA79,00201DC4,00000007,00201DC4,?,0016DE76,00201DC4), ref: 00162C5E
Part of subcall function 00162C48: GetLastError.KERNEL32(00201DC4,?,0016DA52,00201DC4,00000000,00201DC4,00000000,?,0016DA79,00201DC4,00000007,00201DC4,?,0016DE76,00201DC4,00201DC4), ref: 00162C70

_free.LIBCMT ref: 0016DAB9
_free.LIBCMT ref: 0016DAC4
_free.LIBCMT ref: 0016DB18
_free.LIBCMT ref: 0016DB23
_free.LIBCMT ref: 0016DB2E
_free.LIBCMT ref: 0016DB39

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 5bed66935a953271b091b4d9d44be1d81363ccd6ac0d0396f486d9816b5a5bca
Instruction ID: 28e44e75c98c910d60d2ff23bceb2576008718a45cb267b5f430b4846e2ec762
Opcode Fuzzy Hash: 5bed66935a953271b091b4d9d44be1d81363ccd6ac0d0396f486d9816b5a5bca
Instruction Fuzzy Hash: BB118171A59B14BAD620B7B1DC07FCB77DC9F38701F488814B2AD67062DBB4B5244690

Uniqueness

Uniqueness Score: -1.00%

Function 0019E119 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0019E133
LoadStringW.USER32(00000000), ref: 0019E13A
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0019E150
LoadStringW.USER32(00000000), ref: 0019E157
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0019E19B

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0019E178

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: c1b9af53ed789dce3169adb630f6e4644894146ba46b4e542090ac29c8469c62
Instruction ID: b8df53afcd2514eb1b76baab41f6324fe7b6f4c729937cd9c024f9600341ebba
Opcode Fuzzy Hash: c1b9af53ed789dce3169adb630f6e4644894146ba46b4e542090ac29c8469c62
Instruction Fuzzy Hash: 4B016DF69002187FEB50ABA4ED89EEA7B6CDB08304F4045A5B706E2441EA74DEC48B75

Uniqueness

Uniqueness Score: -1.00%

Function 001324CD Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32 ref: 001324FB
CreateWindowExW.USER32 ref: 0013251C
ShowWindow.USER32(00000000,?,?,?,?,?,?,00132282,?), ref: 00132530
ShowWindow.USER32(00000000,?,?,?,?,?,?,00132282,?), ref: 00132539

Strings

edit, xrefs: 00132516
AutoIt v3, xrefs: 001324F3, 001324F8, 001324F9

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: c28aacb0f17a5f585ec4b6034d02f528ba68f01130f166c06b5cf9e2fcf157a0
Instruction ID: 4ed184e5bc47a44c4fffed6553554e36b97fe493a2e6f9d6a20099f1ba7414fd
Opcode Fuzzy Hash: c28aacb0f17a5f585ec4b6034d02f528ba68f01130f166c06b5cf9e2fcf157a0
Instruction Fuzzy Hash: A2F0B771640394BAE72157177C0CE373EBDD7C6F54B00006FB904A7561D6695899DAB0

Uniqueness

Uniqueness Score: -1.00%

Function 001A111D Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(00E81A68,00E81A68), ref: 001A112D
EnterCriticalSection.KERNEL32(00E81A48,00000000), ref: 001A113F
TerminateThread.KERNEL32(?,000001F6), ref: 001A114D
WaitForSingleObject.KERNEL32(?,000003E8), ref: 001A115B
CloseHandle.KERNEL32(?), ref: 001A116A
InterlockedExchange.KERNEL32(00E81A68,000001F6), ref: 001A117A
LeaveCriticalSection.KERNEL32(00E81A48), ref: 001A1181

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 9b5706406017846687e4e0855b56ba4f77035d4420923e6cd4a67cc4417ec626
Instruction ID: 8959afee4edc0e14739563772a25e37a39b9e8d6f95c0143c0756c39e3fa3509
Opcode Fuzzy Hash: 9b5706406017846687e4e0855b56ba4f77035d4420923e6cd4a67cc4417ec626
Instruction Fuzzy Hash: 82F0E772042612BBD7421B64FE89FDABF39FF45302F402121F20292CA08B74E4A2CF90

Uniqueness

Uniqueness Score: -1.00%

Function 001B24B9 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 001B2619
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 001B263A
WSAGetLastError.WSOCK32 ref: 001B264B
htons.WSOCK32(?,?,?,?,?), ref: 001B2734
inet_ntoa.WSOCK32(?), ref: 001B26E5

Part of subcall function 00194078: _strlen.LIBCMT ref: 00194082

Part of subcall function 001B3A7D: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,001AF465), ref: 001B3A99

_strlen.LIBCMT ref: 001B278E

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 2eae9b236e184acaec7ce50f22538538de0ddaf236348268f01a87ba02d8be34
Instruction ID: 684d8189bdca98b9630e8d773b545d933037cdf30a482e742b9f87a1ba95f5d6
Opcode Fuzzy Hash: 2eae9b236e184acaec7ce50f22538538de0ddaf236348268f01a87ba02d8be34
Instruction Fuzzy Hash: F1B1F135604300AFC324DF24C895EAA7BE5AF94318F54895CF8664F2E2DB31ED4ACB91

Uniqueness

Uniqueness Score: -1.00%

Function 00160437 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 0016033A
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00160356
__allrem.LIBCMT ref: 0016036D
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0016038B
__allrem.LIBCMT ref: 001603A2
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 001603C0

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 7794ddc9098fe77f3733ab1245891f553eea11cfbf5a92b17688c756196ab9a4
Instruction ID: 72e94a8eec2036b0452debca74bedf573b7394fcaf630ad1396f3de648ba93ba
Opcode Fuzzy Hash: 7794ddc9098fe77f3733ab1245891f553eea11cfbf5a92b17688c756196ab9a4
Instruction Fuzzy Hash: 55812672A007069FE726AE68CC95B6B73E9EF68320F24822EF511D7281E7B0DD508750

Uniqueness

Uniqueness Score: -1.00%

Function 0016647E Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00158559,00158559,?,?,?,001666CF,00000001,00000001,8BE85006), ref: 001664D8
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,001666CF,00000001,00000001,8BE85006,?,?,?), ref: 0016655E
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00166658
__freea.LIBCMT ref: 00166665

Part of subcall function 00163AA0: RtlAllocateHeap.NTDLL(00000000,?,?,?,00156989,?,0000015D,?,?,?,?,001584C0,000000FF,00000000,?,?), ref: 00163AD2

__freea.LIBCMT ref: 0016666E
__freea.LIBCMT ref: 00166693

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: eb22b9f469a959c5250e953c9e58ff3a3da3aae9095237dc6f5fdc1a62dca908
Instruction ID: 8ebcb222bcc10b8daeedfa7150abacd95efc94e807431ea000c6abf520fee473
Opcode Fuzzy Hash: eb22b9f469a959c5250e953c9e58ff3a3da3aae9095237dc6f5fdc1a62dca908
Instruction Fuzzy Hash: A751D372600216AFDB258F64EC82EBF7BAAEF54750F158629FD05D7140EB34DC60C661

Uniqueness

Uniqueness Score: -1.00%

Function 001BC434 Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0013A1B9: _wcslen.LIBCMT ref: 0013A1C3

Part of subcall function 001BD1F1: CharUpperBuffW.USER32(?,?,?,?,?,?,?,001BBF07,?,?), ref: 001BD20E
Part of subcall function 001BD1F1: _wcslen.LIBCMT ref: 001BD24A
Part of subcall function 001BD1F1: _wcslen.LIBCMT ref: 001BD2C1
Part of subcall function 001BD1F1: _wcslen.LIBCMT ref: 001BD2F7

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 001BC523
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 001BC57E
RegCloseKey.ADVAPI32(00000000), ref: 001BC5C3
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 001BC5F2
RegCloseKey.ADVAPI32(?,?,00000000), ref: 001BC64C
RegCloseKey.ADVAPI32(?), ref: 001BC658

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: ba7ef82a352c96df1858deececb6b8ab57622f7f7257462f54476309edfd6abe
Instruction ID: 95041a8ddc3fe83f727d135101b4dff60da4e5a35a59db0e772aede395567778
Opcode Fuzzy Hash: ba7ef82a352c96df1858deececb6b8ab57622f7f7257462f54476309edfd6abe
Instruction Fuzzy Hash: 80819270208241EFD714DF24C895E6ABBE5FF94308F14855DF4968B292DB31ED45CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0018FDDC Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0018FDE8
SysAllocString.OLEAUT32(00000001), ref: 0018FE8F
VariantCopy.OLEAUT32(00190093,00000000), ref: 0018FEB8
VariantClear.OLEAUT32(00190093), ref: 0018FEDC
VariantCopy.OLEAUT32(00190093,00000000), ref: 0018FEE0
VariantClear.OLEAUT32(?), ref: 0018FEEA

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 43bdb0cc99084a3beae56bf8cbb9fe194ca46b8e020f89c476449d62e5a9086a
Instruction ID: e7c8f17b66edbe0e3e7ef412c5dd8759af4295b594115d7ddd12105d3ee2c94d
Opcode Fuzzy Hash: 43bdb0cc99084a3beae56bf8cbb9fe194ca46b8e020f89c476449d62e5a9086a
Instruction Fuzzy Hash: 7E51E632604310EADF24BF649895B29B3A8EF56310F15446BFA06DF2D2DB709D42CF56

Uniqueness

Uniqueness Score: -1.00%

Function 001A995C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00133205: _wcslen.LIBCMT ref: 0013320A

Part of subcall function 001373E7: _wcslen.LIBCMT ref: 001373FA

GetOpenFileNameW.COMDLG32(00000058), ref: 001A9D35
_wcslen.LIBCMT ref: 001A9D56
_wcslen.LIBCMT ref: 001A9D7D
GetSaveFileNameW.COMDLG32(00000058), ref: 001A9DD5

Strings

X, xrefs: 001A9C62

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: c7d4c6d9c0e58aa88d97d0cad42c15e98ea21265cfa43bc9c1b5e242e8afa14e
Instruction ID: ff41d92dc59c424b06e3069e5853d5e01c1bd79ad44aca31feb3e942afb08483
Opcode Fuzzy Hash: c7d4c6d9c0e58aa88d97d0cad42c15e98ea21265cfa43bc9c1b5e242e8afa14e
Instruction Fuzzy Hash: 47E1B075508350CFC724EF24C881B6AB7E1BF95314F14896DF8999B2A2DB30DD85CB92

Uniqueness

Uniqueness Score: -1.00%

Function 001A6CDE Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 001A6D2C
CoInitialize.OLE32(00000000), ref: 001A6E89
CoCreateInstance.OLE32(001D0CE0,00000000,00000001,001D0B50,?), ref: 001A6EA0
CoUninitialize.OLE32 ref: 001A7124

Strings

.lnk, xrefs: 001A6D0A, 001A6D74, 001A6E30

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 51b86dbc1b34a79a0090f990382e76e2bbf741a8ec0680e43966a54099b2c116
Instruction ID: 4f6c37e96008745dbf5b65b643966286a2f4a176de224b888e54ffe65f71af66
Opcode Fuzzy Hash: 51b86dbc1b34a79a0090f990382e76e2bbf741a8ec0680e43966a54099b2c116
Instruction Fuzzy Hash: 7CD148B5508201AFC314DF24C881E6BB7E9FF99708F14496DF5958B2A2EB30ED05CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00149412 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00149DA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00149DB2

BeginPaint.USER32(?,?,?), ref: 00149447
GetWindowRect.USER32 ref: 001494AB
ScreenToClient.USER32 ref: 001494C8
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 001494D9
EndPaint.USER32(?,?,?,?,?), ref: 00149527
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 001877E6

Part of subcall function 0014953F: BeginPath.GDI32(00000000), ref: 0014955D

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: fa4d4ee39ee9e242eb54edda704e701e5ed51a03cfd7c5d17804602fe24d662d
Instruction ID: e4ce266ec4c34f94fefad56d0a0c5556799beebea2907276d70d98e4fd8277e4
Opcode Fuzzy Hash: fa4d4ee39ee9e242eb54edda704e701e5ed51a03cfd7c5d17804602fe24d662d
Instruction Fuzzy Hash: B141B0711053009FD721DF24EC88FBB7BA8EB59724F24066AF9948B2B2C731D949DB61

Uniqueness

Uniqueness Score: -1.00%

Function 001A0FA1 Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 001A0FBE
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 001A0FF9
EnterCriticalSection.KERNEL32(?), ref: 001A1015
LeaveCriticalSection.KERNEL32(?), ref: 001A108E
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 001A10A5
InterlockedExchange.KERNEL32(?,000001F6), ref: 001A10D3

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 8b7413fde509d409a2f25e7a74dc99bc7c272457af6fc28ae5ace7f0ac5b7a4e
Instruction ID: d8b0a272c2d2ecd179cf1aaac8c4b2580fe2e41ffcdbb41ad622ff170e8e7b6f
Opcode Fuzzy Hash: 8b7413fde509d409a2f25e7a74dc99bc7c272457af6fc28ae5ace7f0ac5b7a4e
Instruction Fuzzy Hash: 38416A75900204EFDF05AF54DC85AAABBB8FF04311F1440A5FD009E296D730EE95CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 001C89FC Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0018F7B0,00000000,?,?,00000000,?,00172970,00000004,00000000,00000000), ref: 001C8A6D
EnableWindow.USER32(?,00000000), ref: 001C8A93
ShowWindow.USER32(FFFFFFFF,00000000), ref: 001C8AF2
ShowWindow.USER32(?,00000004), ref: 001C8B06
EnableWindow.USER32(?,00000001), ref: 001C8B2C
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 001C8B50

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 3714111e96255c5d59939c451046c967173e9f99c6ff70a2305040be0324800c
Instruction ID: 0347da7a3cb53e08fa4bfee247fb5b3693b05d90e04b11902dd17f62dfcd5ab4
Opcode Fuzzy Hash: 3714111e96255c5d59939c451046c967173e9f99c6ff70a2305040be0324800c
Instruction Fuzzy Hash: AD416F74601244EFDB26CF14D8D9FA47BE1FB59705F1841AEEA484B2A2CB31EC45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 001B2B33 Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 001B2B41

Part of subcall function 001AED3E: GetWindowRect.USER32 ref: 001AED56

GetDesktopWindow.USER32 ref: 001B2B6B
GetWindowRect.USER32 ref: 001B2B72
mouse_event.USER32 ref: 001B2BAE
GetCursorPos.USER32(?,?,?,?,?,00000000), ref: 001B2BDA
mouse_event.USER32 ref: 001B2C38

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: bcde7ddcf3e5d515fbd2aa9b2e4e7e753c272b98e4522ffa9b1e740380b1c20a
Instruction ID: 6c7e1c2a1a2d3b8c9d8f1b10e9d75b0a1cf35e82b9969eae5ab48f778792faf6
Opcode Fuzzy Hash: bcde7ddcf3e5d515fbd2aa9b2e4e7e753c272b98e4522ffa9b1e740380b1c20a
Instruction Fuzzy Hash: 3531C072505315AFC720DF14D849F9BBBE9FF98314F000929F98997191DB30E949CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0019531B Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00195333
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00195350
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00195388
_wcslen.LIBCMT ref: 001953A6
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 001953AE
_wcsstr.LIBVCRUNTIME ref: 001953B8

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: ca6fbffd24f2ab1b99ea24fedb9f1f32d13db8db8e130c3c9773df0f7f04e83f
Instruction ID: e374d0cb30ed0a9980c6a7917832812c219c5fd1c6d7c62f1b614a3a322ab82f
Opcode Fuzzy Hash: ca6fbffd24f2ab1b99ea24fedb9f1f32d13db8db8e130c3c9773df0f7f04e83f
Instruction Fuzzy Hash: A021C232204604BBEF265B759C49E7B7FAAEF49790F104029FC05DA091EBB0D9419760

Uniqueness

Uniqueness Score: -1.00%

Function 001C84C2 Relevance: 9.1, APIs: 6, Instructions: 82COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 001C8506
SetWindowLongW.USER32 ref: 001C852B
SetWindowLongW.USER32 ref: 001C8543
GetSystemMetrics.USER32 ref: 001C856C
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,001ABFFD,00000000), ref: 001C858C

Part of subcall function 00149DA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00149DB2

GetSystemMetrics.USER32 ref: 001C8577

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: 927825b07d376d454e5d618548e535b8ed59b88d26e552b37b88cb66c5138182
Instruction ID: 01677ff2b52fd68296e160af558dacdcff9489920a8d5c9204b085109098f8df
Opcode Fuzzy Hash: 927825b07d376d454e5d618548e535b8ed59b88d26e552b37b88cb66c5138182
Instruction Fuzzy Hash: 0C21A171610251DFCB149F38EC48F6A3BA4EB95324F15462EF922C21E0EB70D951CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00191DE7 Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0019163E: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00191654
Part of subcall function 0019163E: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00191660
Part of subcall function 0019163E: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 0019166F
Part of subcall function 0019163E: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00191676
Part of subcall function 0019163E: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0019168C

GetLengthSid.ADVAPI32(?,00000000,001919BF), ref: 00191E38
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00191E44
HeapAlloc.KERNEL32(00000000), ref: 00191E4B
CopySid.ADVAPI32(00000000,00000000,?), ref: 00191E64
GetProcessHeap.KERNEL32(00000000,00000000,001919BF), ref: 00191E78
HeapFree.KERNEL32(00000000), ref: 00191E7F

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: c946920958bbc68e817201b33aac8f7f7297a1b713681f9a81b91202ed6ec720
Instruction ID: 09809203002b3bf18c4a3380287a68b202a0b215d1091e4e7f351f0691cc2a87
Opcode Fuzzy Hash: c946920958bbc68e817201b33aac8f7f7297a1b713681f9a81b91202ed6ec720
Instruction Fuzzy Hash: B311A972600206FFEF119BA4DC09FAF7BA9EB41355F154028E84297220D731AD81CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00191B58 Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00191B89
OpenProcessToken.ADVAPI32(00000000), ref: 00191B90
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00191B9F
CloseHandle.KERNEL32(00000004), ref: 00191BAA
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00191BD9
DestroyEnvironmentBlock.USERENV(00000000), ref: 00191BED

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: b6abf8f16565deb8d5297f217ddec496e5be37907af74bd421a44a558756ab73
Instruction ID: e62d8742060fb0a9dc77e09e0a87557d22689e960c3c001993a384d34c987c8b
Opcode Fuzzy Hash: b6abf8f16565deb8d5297f217ddec496e5be37907af74bd421a44a558756ab73
Instruction Fuzzy Hash: 1E1117B250024ABBDF018FA8ED49FDA7BB9FB48348F044025BA05A2160D375CDA1DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00153602 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,001535F9,00153265), ref: 00153610
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0015361E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00153637
SetLastError.KERNEL32(00000000,?,001535F9,00153265), ref: 00153689

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 720ec87b7383620d8421eaf3285080a421b2e56bac3170c26fca606ff51aee8e
Instruction ID: 00d85539a50f3d8510485a1739b0530f159078d61586780748f3e5844d61ac32
Opcode Fuzzy Hash: 720ec87b7383620d8421eaf3285080a421b2e56bac3170c26fca606ff51aee8e
Instruction Fuzzy Hash: 07012DB260E711FE96142674BC859361695E7247F7721032DFC304F1F0EF514F49A144

Uniqueness

Uniqueness Score: -1.00%

Function 00162FF4 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,00154C63,00000000,?,?,001567F2,?,?,00000000), ref: 00162FF8
_free.LIBCMT ref: 0016302B
_free.LIBCMT ref: 00163053
SetLastError.KERNEL32(00000000,?,00000000), ref: 00163060
SetLastError.KERNEL32(00000000,?,00000000), ref: 0016306C
_abort.LIBCMT ref: 00163072

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 52e8e95e35d7a9a041ad16a7a03798158652bce71075bf8bfe30652194e6001f
Instruction ID: bed2a361c1ea36ef4765146fe6dbfcba5edb3b1df57469eb26fb98ed0783c720
Opcode Fuzzy Hash: 52e8e95e35d7a9a041ad16a7a03798158652bce71075bf8bfe30652194e6001f
Instruction Fuzzy Hash: 4AF04672504E0167C3363738BC0AE2F2A5AEFD27B1B320524F834922E2EF34CA759161

Uniqueness

Uniqueness Score: -1.00%

Function 001C9245 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 0014983F: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00149899
Part of subcall function 0014983F: SelectObject.GDI32(?,00000000), ref: 001498A8
Part of subcall function 0014983F: BeginPath.GDI32(?), ref: 001498BF
Part of subcall function 0014983F: SelectObject.GDI32(?,00000000), ref: 001498E8

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 001C926F
LineTo.GDI32(?,00000003,00000000), ref: 001C9283
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 001C9291
LineTo.GDI32(?,00000000,00000003), ref: 001C92A1
EndPath.GDI32(?), ref: 001C92B1
StrokePath.GDI32(?), ref: 001C92C1

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 9361af84d5f1b8a531bd54e7c929dc029454b94190ef76e7e274a73be335ccbc
Instruction ID: 0f31fd2e243ffaf511d0d1e072c63ae3db12f5fadf0667900e0f914edcca5807
Opcode Fuzzy Hash: 9361af84d5f1b8a531bd54e7c929dc029454b94190ef76e7e274a73be335ccbc
Instruction Fuzzy Hash: 4311DB7200014DBFEF129F94EC8CEAA7FADEB08354F048026BE555A561C771EDA5DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0019589B Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 001958B6
GetDeviceCaps.GDI32(00000000,00000058), ref: 001958C7
GetDeviceCaps.GDI32(00000000,0000005A), ref: 001958CE
ReleaseDC.USER32 ref: 001958D6
MulDiv.KERNEL32(000009EC,?,00000000), ref: 001958ED
MulDiv.KERNEL32(000009EC,00000001,?), ref: 001958FF

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 1d9bb83ae448f3f35460cc8509f1542c7e0a4f6a56e495fc090f0f260cd232c7
Instruction ID: 3f658c3e89889a7708813602eda4c1fb155186153ff09de7895a21be49e3d968
Opcode Fuzzy Hash: 1d9bb83ae448f3f35460cc8509f1542c7e0a4f6a56e495fc090f0f260cd232c7
Instruction Fuzzy Hash: 660144B5A00719BBEF119BA59C49E5EBF79EB48751F044065FA04A7280D770D811CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00132198 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 001321C9
MapVirtualKeyW.USER32(00000010,00000000), ref: 001321D1
MapVirtualKeyW.USER32(000000A0,00000000), ref: 001321DC
MapVirtualKeyW.USER32(000000A1,00000000), ref: 001321E7
MapVirtualKeyW.USER32(00000011,00000000), ref: 001321EF
MapVirtualKeyW.USER32(00000012,00000000), ref: 001321F7

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 68184e1d36aff828deaffbd81cb1b3e5d11036714d1eae508608369e3a0a049a
Instruction ID: 6d52ff4edc4ed0a29df4b9a5cece6c43bbfdaaee5f04f0fdcbf0b893e5904d12
Opcode Fuzzy Hash: 68184e1d36aff828deaffbd81cb1b3e5d11036714d1eae508608369e3a0a049a
Instruction Fuzzy Hash: 930167B0902B5ABDE3008F6A8C85B52FFA8FF19354F00411BA15C4BA42C7F5A864CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 00187A35 Relevance: 9.0, APIs: 6, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32 ref: 00187A4E
SendMessageW.USER32(?,00001328,00000000,?), ref: 00187A65
GetWindowDC.USER32(?), ref: 00187A71
GetPixel.GDI32(00000000,?,?), ref: 00187A80
ReleaseDC.USER32 ref: 00187A92
GetSysColor.USER32(00000005), ref: 00187AAC

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: b9b91a848f8b1ad512839bc8cda3c39d7cea6721ed5970419806f2496ea1a240
Instruction ID: ad0f111c34a53ef31c406f3ebdf8af9898ccefdfee8c6a966dd5784c8e108cd7
Opcode Fuzzy Hash: b9b91a848f8b1ad512839bc8cda3c39d7cea6721ed5970419806f2496ea1a240
Instruction Fuzzy Hash: 35010831504215EFDB55AB60EC48FAEBBB5FB04311F250165F916A61A1CB319E91AF10

Uniqueness

Uniqueness Score: -1.00%

Function 00191EFE Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00191F09
UnloadUserProfile.USERENV(?,?), ref: 00191F15
CloseHandle.KERNEL32(?), ref: 00191F1E
CloseHandle.KERNEL32(?), ref: 00191F26
GetProcessHeap.KERNEL32(00000000,?), ref: 00191F2F
HeapFree.KERNEL32(00000000), ref: 00191F36

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 847a29b899a74e27c5508417b4dd8e28f67029415444ec7043164e43cc80a087
Instruction ID: f44bc7030d1c96e691dd24db9c5bdca857b572fb1a871721353a8b2b3cbcaa67
Opcode Fuzzy Hash: 847a29b899a74e27c5508417b4dd8e28f67029415444ec7043164e43cc80a087
Instruction Fuzzy Hash: BDE075B6104505BBDB011FA6FC0DD4ABF79FF49722B554635F22582870CB32D4A2DB51

Uniqueness

Uniqueness Score: -1.00%

Function 0013BDF0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0013C0C3

Strings

D5 D5 , xrefs: 0013BEB5
D5 , xrefs: 0013BEB2
D5 , xrefs: 0013C0AA
D5 , xrefs: 0013BFFD, 0013BFA1, 0013BF2B

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: Init_thread_footer
String ID: D5 $D5 $D5 $D5 D5
API String ID: 1385522511-3763750037
Opcode ID: 31bc211403d3ee51d68606efca0329b013337f1448e6a833ce1a18dde809a171
Instruction ID: c2439b20b4c89dc7b096f09a6bd6bf47ad0417b45c1235567e7647965ca735da
Opcode Fuzzy Hash: 31bc211403d3ee51d68606efca0329b013337f1448e6a833ce1a18dde809a171
Instruction Fuzzy Hash: B1914C75A04206CFCB18CF9DC4906AABBF5FF58314F248569EA45AB351E731AE81CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0019CC86 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00133205: _wcslen.LIBCMT ref: 0013320A

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0019CDA4
_wcslen.LIBCMT ref: 0019CDEB
SetMenuItemInfoW.USER32 ref: 0019CE52
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0019CE80

Strings

0, xrefs: 0019CD65

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 29f9937498936e06b39029d82096f8dff7fe67f6ebfe680bf7c9f8427db8c867
Instruction ID: e1e337a81e50df32ce1869c748b85d17d85d543ef8f0fda8d58a4d675d4c5150
Opcode Fuzzy Hash: 29f9937498936e06b39029d82096f8dff7fe67f6ebfe680bf7c9f8427db8c867
Instruction Fuzzy Hash: 4751CD716043009BDB159F68C884B6BBBE8AF59354F040A2AF8D6D71D1EB70CD448BD2

Uniqueness

Uniqueness Score: -1.00%

Function 001BB5BD Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 001BB6FC

Part of subcall function 00133205: _wcslen.LIBCMT ref: 0013320A

GetProcessId.KERNEL32(00000000), ref: 001BB791
CloseHandle.KERNEL32(00000000), ref: 001BB7C0

Strings

@, xrefs: 001BB6CB
<, xrefs: 001BB6C4

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 1b38b2da6a1c4cd251bddf13534bc6f92afa7db0008afa5fbeccb8c01901f991
Instruction ID: 21d0db8796744831f8b983591ef0ab0ab43babedb316379dbef6685bdd68f784
Opcode Fuzzy Hash: 1b38b2da6a1c4cd251bddf13534bc6f92afa7db0008afa5fbeccb8c01901f991
Instruction Fuzzy Hash: A9718975A04219DFCB14DFA4D494A9EBBF1FF08310F048499E856AB7A2CBB4ED45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0019783C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 001978A4
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 001978DA
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 001978EB
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 0019796D

Strings

DllGetClassObject, xrefs: 001978E0

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 02fc22f9af0059c3f94ba6ecfcc58d7d7872fe6171930ffa0656b48dd7b4992f
Instruction ID: dc73626f66526739510281b3eea4ee203f9ccb3978441c87fc6be5f986e91f39
Opcode Fuzzy Hash: 02fc22f9af0059c3f94ba6ecfcc58d7d7872fe6171930ffa0656b48dd7b4992f
Instruction Fuzzy Hash: 81418F71614204EFDF05CF54C884BAABBB9EF49728F1480A9AD099F285D7B1DD44CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 001C45E1 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 001C469A
IsMenu.USER32 ref: 001C46AF
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 001C46F7
DrawMenuBar.USER32 ref: 001C470A

Strings

0, xrefs: 001C45EE

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: b24b0edad2790b134bb299e13a0fd016340dc7c6354c39865d1fd26caa9e6631
Instruction ID: 67c423697742a1887c2e5457db05ec1aec60234ecf33abd0762670bf22b3844b
Opcode Fuzzy Hash: b24b0edad2790b134bb299e13a0fd016340dc7c6354c39865d1fd26caa9e6631
Instruction Fuzzy Hash: 9F411675A05209EFDF10CFA4E894EAABBB9FF16314F044129E905AB250D730ED54CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0019246C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0013A1B9: _wcslen.LIBCMT ref: 0013A1C3

Part of subcall function 00194337: GetClassNameW.USER32 ref: 0019435A

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 001924F0
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00192503
SendMessageW.USER32(?,00000189,?,00000000), ref: 00192533

Part of subcall function 001373E7: _wcslen.LIBCMT ref: 001373FA

Strings

ListBox, xrefs: 001924AF
ComboBox, xrefs: 0019247A

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: bc01473cf42f16330b8a4f5cb9d1eb9400ce47c98c4fb35a933a859acb474df5
Instruction ID: 848e2a3839de573157527f969f26f9075a67362a471706283ede40fdfde0ee15
Opcode Fuzzy Hash: bc01473cf42f16330b8a4f5cb9d1eb9400ce47c98c4fb35a933a859acb474df5
Instruction Fuzzy Hash: A921F775A00108BFDF24AB74DC46DFEBBB8EF55360F114129F921A71E1DB34894A9620

Uniqueness

Uniqueness Score: -1.00%

Function 001C377C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 001C37F2
LoadLibraryW.KERNEL32(?), ref: 001C37F9
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 001C380E
DestroyWindow.USER32(?), ref: 001C3816

Strings

SysAnimate32, xrefs: 001C37CD

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: fa00bdb7adeec61697408aa68e67da9db3e41375cab07b1d6105b0e8f8320905
Instruction ID: c45e54518e36b3c831895e418645d9fe77a3f45a55de2115ac84fd104157d57a
Opcode Fuzzy Hash: fa00bdb7adeec61697408aa68e67da9db3e41375cab07b1d6105b0e8f8320905
Instruction Fuzzy Hash: 0F21AEB1600205ABEF105FA4EC85FBB77A9EB68764F10C22CFA20A2190D731CD919760

Uniqueness

Uniqueness Score: -1.00%

Function 00154FED Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00154F9E,?,?,00154F3E,?,001F98C8,0000000C,00155095,?,00000002), ref: 0015500D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00155020
FreeLibrary.KERNEL32(00000000,?,?,?,00154F9E,?,?,00154F3E,?,001F98C8,0000000C,00155095,?,00000002,00000000), ref: 00155043

Strings

mscoree.dll, xrefs: 00155006
CorExitProcess, xrefs: 00155018

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 639fc7433c7fad106be09bc93ea3053291736686c983984732c945399a148dc9
Instruction ID: 9062d770dcd17c6e5f1c8d239537ea63d8f33984d204860dd959089c4e79c220
Opcode Fuzzy Hash: 639fc7433c7fad106be09bc93ea3053291736686c983984732c945399a148dc9
Instruction Fuzzy Hash: 39F04F31A00218FBDB159F94EC59FAEBFB5EF44752F040069F809A66A0DB309984CA91

Uniqueness

Uniqueness Score: -1.00%

Function 0018E46C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 0018E479
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0018E48B
FreeLibrary.KERNEL32(00000000), ref: 0018E4B1

Strings

X64, xrefs: 0018E374
GetSystemWow64DirectoryW, xrefs: 0018E485

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 145871493-2590602151
Opcode ID: be02d52f53bd78941b598dff541063904e0d0a2bc2ca099e1129bbc59afba302
Instruction ID: 3add2398a2f4b088275b7aae39c17cfbe819c07ac9b2a603ce347f4b4849970a
Opcode Fuzzy Hash: be02d52f53bd78941b598dff541063904e0d0a2bc2ca099e1129bbc59afba302
Instruction Fuzzy Hash: 0FE068718026619FD73537205C4CEAA7BA4BF00B00B1A0569FE0AF7160DB30CF8A8F91

Uniqueness

Uniqueness Score: -1.00%

Function 001352B6 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00135303,?,?,0013502E,?,00000001,?,?,00000000), ref: 001352C2
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 001352D4
FreeLibrary.KERNEL32(00000000,?,?,00135303,?,?,0013502E,?,00000001,?,?,00000000), ref: 001352E6

Strings

kernel32.dll, xrefs: 001352BA
Wow64DisableWow64FsRedirection, xrefs: 001352CE

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 0d81493dc1de096e0cbaa30e1e4a73ebe7dea3a69c41503a9c3a4846223666ee
Instruction ID: 1bd341bbfc8a6192b2368e7afea1aa45f85085af97772f505c387a0b4fadb166
Opcode Fuzzy Hash: 0d81493dc1de096e0cbaa30e1e4a73ebe7dea3a69c41503a9c3a4846223666ee
Instruction Fuzzy Hash: A5E01D35601A2157D31137557C09F6FAD599F81F12B090035F90DF2154DB54CD4195E5

Uniqueness

Uniqueness Score: -1.00%

Function 0013527F Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,0017448E,?,?,0013502E,?,00000001,?,?,00000000), ref: 00135288
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 0013529A
FreeLibrary.KERNEL32(00000000,?,?,0017448E,?,?,0013502E,?,00000001,?,?,00000000), ref: 001352AD

Strings

kernel32.dll, xrefs: 00135281
Wow64RevertWow64FsRedirection, xrefs: 00135294

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 5989fef9a016b2fa5cff44e644291676f720d818b49a9b50bd89942e6af28d1b
Instruction ID: a57a6ca53b216ee185cc9335600a5c36450b2c7f0459f613d9d14f5be16abfcc
Opcode Fuzzy Hash: 5989fef9a016b2fa5cff44e644291676f720d818b49a9b50bd89942e6af28d1b
Instruction Fuzzy Hash: BBD012319029219BD3222725BC09D9F6E559F91F123090135BD04A2114CF60CD418595

Uniqueness

Uniqueness Score: -1.00%

Function 001A3111 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 001A33CF
DeleteFileW.KERNEL32(?), ref: 001A3451
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 001A3467
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 001A3478
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 001A348A

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 8160e1d22c2db0d42c19cf3756acc722a0b6828cff4673913c3acc29735fc69f
Instruction ID: e3b28120ab19bf1e840b0647a99e05c525f665f6d7d43447f9d68c58bb995a78
Opcode Fuzzy Hash: 8160e1d22c2db0d42c19cf3756acc722a0b6828cff4673913c3acc29735fc69f
Instruction Fuzzy Hash: 92B15D76901118ABDF15DBA4CC85EDEBBBDEF59311F0040AAF919E6141EB349B448B60

Uniqueness

Uniqueness Score: -1.00%

Function 001BABE0 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 001BAC80
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 001BAC8E
GetProcessIoCounters.KERNEL32 ref: 001BACC1
CloseHandle.KERNEL32(?), ref: 001BAE96

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 1a2b3a60048a7e555366e9403a0397446c582bb04984c1247eeb0c9dcd5d1463
Instruction ID: d3ba4c96e2560e34b9248c2bfd0331a55a591d1fa442ed4a668b6b755ff5a5e0
Opcode Fuzzy Hash: 1a2b3a60048a7e555366e9403a0397446c582bb04984c1247eeb0c9dcd5d1463
Instruction Fuzzy Hash: 56A1AEB1604300AFD720DF29D882F2ABBE5AF58714F14881DF5999B2D2D7B1EC408B92

Uniqueness

Uniqueness Score: -1.00%

Function 0016BDA7 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,001D46E0), ref: 0016BE11
WideCharToMultiByte.KERNEL32(00000000,00000000,0020221C,000000FF,00000000,0000003F,00000000,?,?), ref: 0016BE89
WideCharToMultiByte.KERNEL32(00000000,00000000,00202270,000000FF,?,0000003F,00000000,?), ref: 0016BEB6
_free.LIBCMT ref: 0016BDFF

Part of subcall function 00162C48: HeapFree.KERNEL32(00000000,00000000,?,0016DA52,00201DC4,00000000,00201DC4,00000000,?,0016DA79,00201DC4,00000007,00201DC4,?,0016DE76,00201DC4), ref: 00162C5E
Part of subcall function 00162C48: GetLastError.KERNEL32(00201DC4,?,0016DA52,00201DC4,00000000,00201DC4,00000000,?,0016DA79,00201DC4,00000007,00201DC4,?,0016DE76,00201DC4,00201DC4), ref: 00162C70

_free.LIBCMT ref: 0016BFCB

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 4de055fb84aa7e3f8736cabe99622396b74343b97792e25a5f408b99838e2a93
Instruction ID: 27687ca4ea8c88eb6b0a541a428c12a752945804a36cf3f590e1f32e6bbdf558
Opcode Fuzzy Hash: 4de055fb84aa7e3f8736cabe99622396b74343b97792e25a5f408b99838e2a93
Instruction Fuzzy Hash: 2351F871908319EFCB10EFA9ECC59AE77BCEF50310B10026AE910D71A1E7709ED58B50

Uniqueness

Uniqueness Score: -1.00%

Function 001BC222 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0013A1B9: _wcslen.LIBCMT ref: 0013A1C3

Part of subcall function 001BD1F1: CharUpperBuffW.USER32(?,?,?,?,?,?,?,001BBF07,?,?), ref: 001BD20E
Part of subcall function 001BD1F1: _wcslen.LIBCMT ref: 001BD24A
Part of subcall function 001BD1F1: _wcslen.LIBCMT ref: 001BD2C1
Part of subcall function 001BD1F1: _wcslen.LIBCMT ref: 001BD2F7

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 001BC2FE
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 001BC359
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 001BC3BC
RegCloseKey.ADVAPI32(?,?), ref: 001BC3FF
RegCloseKey.ADVAPI32(00000000), ref: 001BC40C

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 8b11e10756756995af4ba6e6d14b5e928fcd923ab18e080269bddb814fb28b13
Instruction ID: 58c0e1b45c10ee41b50246be44a93562bf3643ee932c93c4ad4a0f5d410baf74
Opcode Fuzzy Hash: 8b11e10756756995af4ba6e6d14b5e928fcd923ab18e080269bddb814fb28b13
Instruction Fuzzy Hash: 00618571208241EFD714DF54C490E6ABBE5FF84308F5485ADF4968B2A2DB31ED46CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0019EB1D Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0019E502: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0019D5D8,?), ref: 0019E51F

Part of subcall function 0019E502: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0019D5D8,?), ref: 0019E538

Part of subcall function 0019E8BB: GetFileAttributesW.KERNEL32(?,0019D64B), ref: 0019E8BC

lstrcmpiW.KERNEL32(?,?), ref: 0019EB95
MoveFileW.KERNEL32(?,?), ref: 0019EBCE
_wcslen.LIBCMT ref: 0019ED0D
_wcslen.LIBCMT ref: 0019ED25
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0019ED72

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 0f203aca504803feccf7e41e4ea8b829b6d36892fef27df26de4aeb7b33827f4
Instruction ID: dd06a83a7b57ed511f5d94b8ed6204ca902da72959a15ea25a8d1457477b447c
Opcode Fuzzy Hash: 0f203aca504803feccf7e41e4ea8b829b6d36892fef27df26de4aeb7b33827f4
Instruction Fuzzy Hash: D45163B24083859BDB24EB94DC81DDBB3ECAF94350F00492EF589D3151EF75E6888B56

Uniqueness

Uniqueness Score: -1.00%

Function 0019924E Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0019926B
VariantClear.OLEAUT32 ref: 001992DC
VariantClear.OLEAUT32 ref: 0019933B
VariantClear.OLEAUT32(?), ref: 001993AE
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 001993D9

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 346fc2067a26ca09c7bb6186116d76ecee900adb2dad59ab7f554bfd4e04ada6
Instruction ID: b560a46f867109dda49b0f5142318c0ec0e34933adb7e483b5384ecb807ca683
Opcode Fuzzy Hash: 346fc2067a26ca09c7bb6186116d76ecee900adb2dad59ab7f554bfd4e04ada6
Instruction Fuzzy Hash: CD516AB5A10219EFCB14CF68C894AAABBF9FF89310B018169F905DB354D734EA11CB90

Uniqueness

Uniqueness Score: -1.00%

Function 001A934B Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32 ref: 001A93FE
GetPrivateProfileSectionW.KERNEL32 ref: 001A942A
WritePrivateProfileSectionW.KERNEL32 ref: 001A9482
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 001A94A7
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 001A94AF

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 9e02f034a5b14a7dc0f1af5915d755bf22aa4b39055855054c301ee0a8ef89b1
Instruction ID: 04d2d4e5ff3735d8a0cb3dbf40088f7e103e1322d06a8edc10d8bd9651fe6631
Opcode Fuzzy Hash: 9e02f034a5b14a7dc0f1af5915d755bf22aa4b39055855054c301ee0a8ef89b1
Instruction Fuzzy Hash: 95511775A00219EFCB15DF64D881A6EBBF5FF49314F048058E909AB3A2CB35ED46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 001B973D Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 001B9799
GetProcAddress.KERNEL32(00000000,?), ref: 001B9829
GetProcAddress.KERNEL32(00000000,00000000), ref: 001B9845
GetProcAddress.KERNEL32(00000000,?), ref: 001B988B
FreeLibrary.KERNEL32(00000000), ref: 001B98AB

Part of subcall function 0014FABB: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,001A180D,?,777DCF00), ref: 0014FAD8
Part of subcall function 0014FABB: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00190093,00000000,00000000,?,?,001A180D,?,777DCF00,?,00190093), ref: 0014FAFF

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 00125862436add2b366bbc27530145edf71befbdc3e3f17415df96ba2b80f5dc
Instruction ID: 2af0066a0653c20d6f344b926c841730fc47115508f3a8dc3860be7f9d587817
Opcode Fuzzy Hash: 00125862436add2b366bbc27530145edf71befbdc3e3f17415df96ba2b80f5dc
Instruction Fuzzy Hash: 97513875A04249DFCB11DF58C494CA9BBF0FF19314B1580A8E90AAB762DB31ED86CF91

Uniqueness

Uniqueness Score: -1.00%

Function 001C7376 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32 ref: 001C7433
SetWindowLongW.USER32 ref: 001C744A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 001C7473
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,001AB3C9,00000000,00000000), ref: 001C7498
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 001C74C7

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: d6c06d9d604df923da949b42bf62fbc279923c2aa5f2a9bbe3d041de62a5b324
Instruction ID: 85800b81c033dc38f4f1bcd46bc6162465b36a1205be65a41f9983a5ed27b06c
Opcode Fuzzy Hash: d6c06d9d604df923da949b42bf62fbc279923c2aa5f2a9bbe3d041de62a5b324
Instruction Fuzzy Hash: C141D235A08214AFD729DF28DC89FA97FA5FB59360F150228F855A72E0C7B0ED41DE90

Uniqueness

Uniqueness Score: -1.00%

Function 001622D1 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00162343
_free.LIBCMT ref: 00162363

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 775863e1286cbc67bc666c6893b6fd703eb7028259c9c7f3cd31676c0c79613d
Instruction ID: 424111e2995bfa7c3be7d16c266b061efc6fb1e926c3edc73b2560bcafb162b9
Opcode Fuzzy Hash: 775863e1286cbc67bc666c6893b6fd703eb7028259c9c7f3cd31676c0c79613d
Instruction Fuzzy Hash: B241BF72A006009FCB24DF78CC81A6EB7A6FF99314F1545A9E915EB391DB35ED11CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0013135A Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?,?,00000000,00000000,?,00131659,00000000,000000FF,?,?,?), ref: 0013136E
ScreenToClient.USER32 ref: 0013138B
GetAsyncKeyState.USER32(00000001), ref: 001313C2
GetAsyncKeyState.USER32(00000002), ref: 001313DC

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 00a2bd0c0f30f1752dda942820134257eec8ba5d35beaa95664e1f98cf02eab3
Instruction ID: 9114e6abbe37ef4f7fc8d8f6d748fb33a5cc0959d97ff7eee358786bf1f17c22
Opcode Fuzzy Hash: 00a2bd0c0f30f1752dda942820134257eec8ba5d35beaa95664e1f98cf02eab3
Instruction Fuzzy Hash: 84418071A0411AFBDF099F68D844BEEB774FB19324F25832AE439A7290D7306991CB51

Uniqueness

Uniqueness Score: -1.00%

Function 001A40C4 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 001A411B
TranslateAcceleratorW.USER32(?,00000000,?), ref: 001A4172
TranslateMessage.USER32(?), ref: 001A419B
DispatchMessageW.USER32 ref: 001A41A5
PeekMessageW.USER32 ref: 001A41B6

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 540ac026c1318c8dc9df49dab029032734ffe0216f7958aff54893e0aea6ed00
Instruction ID: 22358e5b4a002e2adb0f728ce9c4eb2621c70b3ab47622724c0077a4d3175891
Opcode Fuzzy Hash: 540ac026c1318c8dc9df49dab029032734ffe0216f7958aff54893e0aea6ed00
Instruction Fuzzy Hash: 61319578544341DFEB25CB64AC4DFB63BE8EB56305F04456EE562821A1E3F4A8C9CB21

Uniqueness

Uniqueness Score: -1.00%

Function 001AD76A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 001AD788
InternetReadFile.WININET(?,00000000,?,?), ref: 001AD7BF
GetLastError.KERNEL32(?,00000000,?,?,?,001ACA6E,00000000), ref: 001AD804
SetEvent.KERNEL32(?,?,00000000,?,?,?,001ACA6E,00000000), ref: 001AD818
SetEvent.KERNEL32(?,?,00000000,?,?,?,001ACA6E,00000000), ref: 001AD842

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: fb486646eba6649abda25f1bbba348992e750824cbfb6dd142dac1b325b3336b
Instruction ID: 553a69294c568e43019b0285eb165080655ab96c7a956777dcb39b2d33383a87
Opcode Fuzzy Hash: fb486646eba6649abda25f1bbba348992e750824cbfb6dd142dac1b325b3336b
Instruction Fuzzy Hash: E7319C79900A04EFDB24DFA5E884EABBBF8EB15354B10442EF407D2941DB34EE41DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00191F8B Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32 ref: 00191F9F
PostMessageW.USER32(00000001,00000201,00000001), ref: 0019204B
Sleep.KERNEL32(00000000,?,?,?), ref: 00192053
PostMessageW.USER32(00000001,00000202,00000000), ref: 00192064
Sleep.KERNEL32(00000000,?,?,?,?), ref: 0019206C

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 755be65aacfd605ff60959d4cbf5891e6e0ff1e3f9d4906a244140f826a9de92
Instruction ID: 915072877edc17cd07d3a7dd427f9ba2f4374c1951fcf405aa41f62e5f7cc8d4
Opcode Fuzzy Hash: 755be65aacfd605ff60959d4cbf5891e6e0ff1e3f9d4906a244140f826a9de92
Instruction Fuzzy Hash: 0B31BF71900219EFDF14CFA8DD89ADE7BB5EB04315F154229F925A72E0C370E944DB90

Uniqueness

Uniqueness Score: -1.00%

Function 001C5F6D Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 001C5FAC
SendMessageW.USER32(?,00001074,?,00000001), ref: 001C6004
_wcslen.LIBCMT ref: 001C6016
_wcslen.LIBCMT ref: 001C6021
SendMessageW.USER32(?,00001002,00000000,?), ref: 001C607D

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 45ff8f732cd1ae69ce7d016adf9f3c9b5177d8cdc33bb91d14e63115bd699ac2
Instruction ID: 35d7bb512dee645cbf1ebc4635229f4fa33671d4d1f74bb8268d4feea66b48fd
Opcode Fuzzy Hash: 45ff8f732cd1ae69ce7d016adf9f3c9b5177d8cdc33bb91d14e63115bd699ac2
Instruction Fuzzy Hash: E0219175904208EADB208FA4DC84FEDBBB8EF64324F10821AF925EA181D770D5C5CF50

Uniqueness

Uniqueness Score: -1.00%

Function 001B1189 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 001B11AA
GetForegroundWindow.USER32 ref: 001B11C1
GetDC.USER32(00000000), ref: 001B11FD
GetPixel.GDI32(00000000,?,00000003), ref: 001B1209
ReleaseDC.USER32 ref: 001B1241

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: accf0316f26742697b31fa2e89bacf1e392cb74510a689dbd6628a90066043dd
Instruction ID: 8216e80428070c6ec5582942873ab47e349f73528023a82d844c839c68823253
Opcode Fuzzy Hash: accf0316f26742697b31fa2e89bacf1e392cb74510a689dbd6628a90066043dd
Instruction Fuzzy Hash: 12218E79600214AFD704EF69DC94E9ABBF5EF88300F058439E94A97751DB70EC44CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0016D03E Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0016D047
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0016D06A

Part of subcall function 00163AA0: RtlAllocateHeap.NTDLL(00000000,?,?,?,00156989,?,0000015D,?,?,?,?,001584C0,000000FF,00000000,?,?), ref: 00163AD2

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0016D090
_free.LIBCMT ref: 0016D0A3
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0016D0B2

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: e64cda779353cb497acd46dec603fec62998b18fb39d5da0c23a0ad3d968b140
Instruction ID: f2eb95961e5cf683c9756fcdfced17e4029791f297371950f423a0ff54b63564
Opcode Fuzzy Hash: e64cda779353cb497acd46dec603fec62998b18fb39d5da0c23a0ad3d968b140
Instruction Fuzzy Hash: 89018F72B016197F63216ABB7C89C7F6E6DDEC2BA17190229FD04C2201EF658C1281B2

Uniqueness

Uniqueness Score: -1.00%

Function 0014983F Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00149899
SelectObject.GDI32(?,00000000), ref: 001498A8
BeginPath.GDI32(?), ref: 001498BF
SelectObject.GDI32(?,00000000), ref: 001498E8

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 2f081e9f25dc096022146d5708f0fb6dc948fb2be99966fd5aa0eaf3e411213e
Instruction ID: 8d0d09b3dde04e48215f573778429468969364451cd67acc77f1e9784f6943c3
Opcode Fuzzy Hash: 2f081e9f25dc096022146d5708f0fb6dc948fb2be99966fd5aa0eaf3e411213e
Instruction Fuzzy Hash: 3321507080534EEFDB119F28FC0CB6A7BB5BB51325F204626F411A61B2D3719999DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00195DAF Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00195DC4
_memcmp.LIBVCRUNTIME ref: 00195DE2
_memcmp.LIBVCRUNTIME ref: 00195DF5
_memcmp.LIBVCRUNTIME ref: 00195E0D
_memcmp.LIBVCRUNTIME ref: 00195E25

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 05e8438de9bbd183090887c126fc1840bb6857d12ef617c9ad9e35706244eb74
Instruction ID: 307bce277dc64b3a0ec948e7540af88d84801f150d3ae027a75c5ea48c0be8e6
Opcode Fuzzy Hash: 05e8438de9bbd183090887c126fc1840bb6857d12ef617c9ad9e35706244eb74
Instruction Fuzzy Hash: 3C012472640909BBEB1752109C46FAFB38D9E35394F244022FD04AB741F7A1EE24C3B8

Uniqueness

Uniqueness Score: -1.00%

Function 00163078 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(0000000A,?,?,0015F55E,0015536F,0000000A,?,00000000,00000000,?,00000000,?,?,?,0000000A,00000000), ref: 0016307D
_free.LIBCMT ref: 001630B2
_free.LIBCMT ref: 001630D9
SetLastError.KERNEL32(00000000,?,00000000,?,?,?,0000000A,00000000), ref: 001630E6
SetLastError.KERNEL32(00000000,?,00000000,?,?,?,0000000A,00000000), ref: 001630EF

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: b134048793594a6e099235d7af26b6d9f2532d931016baa8161358ba3ab1dcec
Instruction ID: d98335bea113931a389631b05b687ef96bd2d645bc9a00393d2258003115c6f5
Opcode Fuzzy Hash: b134048793594a6e099235d7af26b6d9f2532d931016baa8161358ba3ab1dcec
Instruction Fuzzy Hash: 06012876244A0067C33627356C4AD3B165EAFD17B07220128F835D22D2EF76CE798061

Uniqueness

Uniqueness Score: -1.00%

Function 0019063D Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00190570,80070057,?,?,?,0019098D), ref: 0019065A
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00190570,80070057,?,?), ref: 00190675
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00190570,80070057,?,?), ref: 00190683
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00190570,80070057,?), ref: 00190693
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00190570,80070057,?,?), ref: 0019069F

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 27b7e7dc979dd542c0a063bb5a424e4a861d67f74deb6416ba2d749e9ba6a687
Instruction ID: 9b4dc4f49bcef038f9d8d9c1cb5c00b67373d42ea8d5f316260f405f99e57c15
Opcode Fuzzy Hash: 27b7e7dc979dd542c0a063bb5a424e4a861d67f74deb6416ba2d749e9ba6a687
Instruction Fuzzy Hash: 2A014B76600218AFDB125F55EC48FAA7EADEF887A2F144028F945E6210E771DD909BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0019F09D Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0019F0B9
QueryPerformanceFrequency.KERNEL32(?), ref: 0019F0C7
Sleep.KERNEL32(00000000), ref: 0019F0CF
QueryPerformanceCounter.KERNEL32(?), ref: 0019F0D9
Sleep.KERNEL32 ref: 0019F115

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 2cda655d420c9ae7c6bbc04d8d298e10faaae76d394381dd40dec3227f522925
Instruction ID: e8a75676481fb5a8a334e0d0a39b344ea37c022342f666425726ef0db631c5bc
Opcode Fuzzy Hash: 2cda655d420c9ae7c6bbc04d8d298e10faaae76d394381dd40dec3227f522925
Instruction Fuzzy Hash: E6016971D00619EBCF00AFA4EC49AEDBB78FB09701F060079E511F2640CB3095958BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00191783 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 0019179E
GetLastError.KERNEL32(?,00000000,00000000,?,?,00191225,?,?,?), ref: 001917AA
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00191225,?,?,?), ref: 001917B9
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00191225,?,?,?), ref: 001917C0
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 001917D7

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: ebb68a3378c6c80a35019c3e57c4a54a6e6e66a09e622b9fda4b6fa7521752de
Instruction ID: a3543b057ea09faa566ba05739dfdf11cca032790d7c071c047db2ac47a2f646
Opcode Fuzzy Hash: ebb68a3378c6c80a35019c3e57c4a54a6e6e66a09e622b9fda4b6fa7521752de
Instruction Fuzzy Hash: 690181B5100606BFDB154FA5EC49E6A3F6EEF84360B210464F845C3760DB31DC80CA60

Uniqueness

Uniqueness Score: -1.00%

Function 0019163E Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00191654
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00191660
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 0019166F
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00191676
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0019168C

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 159dbaf6f6d9bb113c03c606f5140c2e5107294118dc9c178d75afda4119fae2
Instruction ID: 2c61142a6a21d4c9de5950608a660168fe5ec0265e39a670d61f5a3b9494f9fd
Opcode Fuzzy Hash: 159dbaf6f6d9bb113c03c606f5140c2e5107294118dc9c178d75afda4119fae2
Instruction Fuzzy Hash: 1DF06276100301BBDB110F65EC4DF963F6EEF89760F150424F945C7250CB74DC918A60

Uniqueness

Uniqueness Score: -1.00%

Function 0019169E Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 001916B4
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 001916C0
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 001916CF
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 001916D6
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 001916EC

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: e69a25e82db95c5c3a33d9c64ecbbbeef48d851ec7c497d3cefbd1c69d4b4654
Instruction ID: 6ae66fa5eee617f25abb0a41b1a41c5cc68d35a10d84c4a7e9a61bc07f51cd28
Opcode Fuzzy Hash: e69a25e82db95c5c3a33d9c64ecbbbeef48d851ec7c497d3cefbd1c69d4b4654
Instruction Fuzzy Hash: ADF04F76100302BBDB120F65EC49F563F6DEF89760F550424F945C7650CAB0D8918A60

Uniqueness

Uniqueness Score: -1.00%

Function 001A0AC1 Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,001A092F,?,001A3B4C,?,00000001,00172A82,?), ref: 001A0AD6
CloseHandle.KERNEL32(?,?,?,?,001A092F,?,001A3B4C,?,00000001,00172A82,?), ref: 001A0AE3
CloseHandle.KERNEL32(?,?,?,?,001A092F,?,001A3B4C,?,00000001,00172A82,?), ref: 001A0AF0
CloseHandle.KERNEL32(?,?,?,?,001A092F,?,001A3B4C,?,00000001,00172A82,?), ref: 001A0AFD
CloseHandle.KERNEL32(?,?,?,?,001A092F,?,001A3B4C,?,00000001,00172A82,?), ref: 001A0B0A
CloseHandle.KERNEL32(?,?,?,?,001A092F,?,001A3B4C,?,00000001,00172A82,?), ref: 001A0B17

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 35ef6480d229fbd28aee7e8a84549fc2df13391e3279d702881990038d0a2ccf
Instruction ID: 94f0e97e9bdf92cd360d4dbd719260fc3f402530ecd97bc63fc9aff27df20969
Opcode Fuzzy Hash: 35ef6480d229fbd28aee7e8a84549fc2df13391e3279d702881990038d0a2ccf
Instruction Fuzzy Hash: 6001EE7A800B15CFCB31AF66D880802FBF9BF603153008A3FD19252931C3B0A888CF90

Uniqueness

Uniqueness Score: -1.00%

Function 001962E2 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 001962F6
GetWindowTextW.USER32 ref: 0019630D
MessageBeep.USER32(00000000), ref: 00196325
KillTimer.USER32(?,0000040A), ref: 00196341
EndDialog.USER32(?,00000001), ref: 0019635B

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 91e832593429e1183bd6b78c61f04f12768c9ac9d8ce8ae8719293801f80411c
Instruction ID: 2d3aafd1c90666cfba988281dc4991d2d1fc3158d71c82f1101eeac8fe6a2107
Opcode Fuzzy Hash: 91e832593429e1183bd6b78c61f04f12768c9ac9d8ce8ae8719293801f80411c
Instruction Fuzzy Hash: 1D018170500714ABEF255B64ED4EF967BB8FB00B05F000569F58AA18E0DBF0EA84CAA0

Uniqueness

Uniqueness Score: -1.00%

Function 0016D9BB Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0016D9D3

Part of subcall function 00162C48: HeapFree.KERNEL32(00000000,00000000,?,0016DA52,00201DC4,00000000,00201DC4,00000000,?,0016DA79,00201DC4,00000007,00201DC4,?,0016DE76,00201DC4), ref: 00162C5E
Part of subcall function 00162C48: GetLastError.KERNEL32(00201DC4,?,0016DA52,00201DC4,00000000,00201DC4,00000000,?,0016DA79,00201DC4,00000007,00201DC4,?,0016DE76,00201DC4,00201DC4), ref: 00162C70

_free.LIBCMT ref: 0016D9E5
_free.LIBCMT ref: 0016D9F7
_free.LIBCMT ref: 0016DA09
_free.LIBCMT ref: 0016DA1B

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 4200d453e0818649acf60cc793c47d3290bbfa7bfd4481ed2d1c696956a97bfb
Instruction ID: b1936804a5a444df3ff1ea0918139aa26e9ec3098e8515e3934ee40fa062da86
Opcode Fuzzy Hash: 4200d453e0818649acf60cc793c47d3290bbfa7bfd4481ed2d1c696956a97bfb
Instruction Fuzzy Hash: BBF03632A49614ABC724EB99FD82C3B73EEBB147557940905F008D7910CB30FCD0C694

Uniqueness

Uniqueness Score: -1.00%

Function 00162520 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0016253E

Part of subcall function 00162C48: HeapFree.KERNEL32(00000000,00000000,?,0016DA52,00201DC4,00000000,00201DC4,00000000,?,0016DA79,00201DC4,00000007,00201DC4,?,0016DE76,00201DC4), ref: 00162C5E
Part of subcall function 00162C48: GetLastError.KERNEL32(00201DC4,?,0016DA52,00201DC4,00000000,00201DC4,00000000,?,0016DA79,00201DC4,00000007,00201DC4,?,0016DE76,00201DC4,00201DC4), ref: 00162C70

_free.LIBCMT ref: 00162550
_free.LIBCMT ref: 00162563
_free.LIBCMT ref: 00162574
_free.LIBCMT ref: 00162585

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: c42e9f820dc62525041fdd1f27a285c7eed7a9902547df4d1c3e0a5a8f38f02f
Instruction ID: 316f4759d1add67dc0fa6a76a27d71249ad28c9f897edc7212b17cdc13ff1fa2
Opcode Fuzzy Hash: c42e9f820dc62525041fdd1f27a285c7eed7a9902547df4d1c3e0a5a8f38f02f
Instruction Fuzzy Hash: 01F05E70902B218FCB55AF94BD0DC6D3BA5F7247A2300021BF81492676CB300961EFC1

Uniqueness

Uniqueness Score: -1.00%

Function 001497CB Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 001497DA
StrokeAndFillPath.GDI32(?,?,001877F3,00000000,?,?,?), ref: 001497F6
SelectObject.GDI32(?,00000000), ref: 00149809
DeleteObject.GDI32 ref: 0014981C
StrokePath.GDI32(?), ref: 00149837

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 0afcb9e00c2633281da8f6142aaefb7bf6f1aa2b58964f271a6be11b1152d996
Instruction ID: ee7123e3e04dfbcdb29ca34e211313281d2a65d18fc4648047e6cc9af01e1839
Opcode Fuzzy Hash: 0afcb9e00c2633281da8f6142aaefb7bf6f1aa2b58964f271a6be11b1152d996
Instruction Fuzzy Hash: C8F0E730006349EBDB255F68FD0CB693FA5BB41322F288226F465654F2C73189AADF11

Uniqueness

Uniqueness Score: -1.00%

Function 001611C7 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 00161379
__freea.LIBCMT ref: 00161397

Part of subcall function 001617B7: _free.LIBCMT ref: 001617CF

Strings

am/pm, xrefs: 001613FA
a/p, xrefs: 0016145E

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 5dd23f495aa5750f2036705a5ca8db4f4804f2c628e6fe9146221e366a7d9426
Instruction ID: f2a579f936360f7720c583d7c7d8ecebb769f8f56c9317eec6e89d19b62dcfd6
Opcode Fuzzy Hash: 5dd23f495aa5750f2036705a5ca8db4f4804f2c628e6fe9146221e366a7d9426
Instruction Fuzzy Hash: 7FD11235900206EFCB288F68CC557BAB7B1FF56310F2D4159E913AB650D7758DA1CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 001B6A29 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 324COMMON

Download Yara Rule

APIs

Part of subcall function 001504C2: EnterCriticalSection.KERNEL32(0020170C,00202884,?,?,00141FEB,00203518,?,?,?,001318CE,00000000), ref: 001504CD
Part of subcall function 001504C2: LeaveCriticalSection.KERNEL32(0020170C,?,00141FEB,00203518,?,?,?,001318CE,00000000), ref: 0015050A

Part of subcall function 00150323: __onexit.LIBCMT ref: 00150329

__Init_thread_footer.LIBCMT ref: 001B6A91

Part of subcall function 00150478: EnterCriticalSection.KERNEL32(0020170C,?,?,00148DA7,00203514), ref: 00150482
Part of subcall function 00150478: LeaveCriticalSection.KERNEL32(0020170C,?,00148DA7,00203514), ref: 001504B5

Part of subcall function 001A3DEC: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 001A3E34
Part of subcall function 001A3DEC: LoadStringW.USER32(00203390,?,00000FFF,?), ref: 001A3E5A

Strings

x3 , xrefs: 001B6BAC
x3 , xrefs: 001B6BC8
x3 , xrefs: 001B6B93

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
String ID: x3 $x3 $x3
API String ID: 1072379062-1970296156
Opcode ID: 39df831d2f578282798581bd224d369fb326cae72c858969001c707ce6f48b33
Instruction ID: 37c051a1fe92c360411ca1adb5bcec3e0a5305114c5a515b067acf1551ac8b97
Opcode Fuzzy Hash: 39df831d2f578282798581bd224d369fb326cae72c858969001c707ce6f48b33
Instruction Fuzzy Hash: DEC14C71A00209AFCB14DF98C891EFAB7B9FF68300F158069F955AB291DB74ED45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 001B83D7 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 001504C2: EnterCriticalSection.KERNEL32(0020170C,00202884,?,?,00141FEB,00203518,?,?,?,001318CE,00000000), ref: 001504CD
Part of subcall function 001504C2: LeaveCriticalSection.KERNEL32(0020170C,?,00141FEB,00203518,?,?,?,001318CE,00000000), ref: 0015050A

Part of subcall function 0013A1B9: _wcslen.LIBCMT ref: 0013A1C3

Part of subcall function 00150323: __onexit.LIBCMT ref: 00150329

__Init_thread_footer.LIBCMT ref: 001B8454

Part of subcall function 00150478: EnterCriticalSection.KERNEL32(0020170C,?,?,00148DA7,00203514), ref: 00150482
Part of subcall function 00150478: LeaveCriticalSection.KERNEL32(0020170C,?,00148DA7,00203514), ref: 001504B5

Strings

5, xrefs: 001B84D1
Variable must be of type 'Object'., xrefs: 001B8493
G, xrefs: 001B84D8

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: 956c49cca477a4c62c34ed49e926af9bdbc80b48a5a2b89db382dc9ee57c596f
Instruction ID: ced0098e6894aeaabc083e9fe242f92a9f6153525dfe2c789c423c4123612b21
Opcode Fuzzy Hash: 956c49cca477a4c62c34ed49e926af9bdbc80b48a5a2b89db382dc9ee57c596f
Instruction Fuzzy Hash: 6A917870A00208EFCB14EF94D891AEDB7BABF58704F508059F906AB292DB71EE41CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00132960 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 122windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0017308B

Part of subcall function 001373E7: _wcslen.LIBCMT ref: 001373FA

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00132A50

Strings

Line %d: , xrefs: 00173109
AutoIt - , xrefs: 001329C4

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line %d: $AutoIt -
API String ID: 2289894680-4094128768
Opcode ID: e67298853ceae2e3378fc6cf6f1f36c550a0c58659dec5d0a09ecec0e1abd564
Instruction ID: d51fc6b37c6c06cff84e2471740beda2d2a5b7d42fec406595dab7d657928525
Opcode Fuzzy Hash: e67298853ceae2e3378fc6cf6f1f36c550a0c58659dec5d0a09ecec0e1abd564
Instruction Fuzzy Hash: A4418371408310ABC325EB60DC4ABDF77E8AF65724F00492AF599930A1EB74D64DC796

Uniqueness

Uniqueness Score: -1.00%

Function 00192DA0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0019BAB9: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,0019285A,?,?,00000034,00000800,?,00000034), ref: 0019BAE3

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00192DEA

Part of subcall function 0019BA84: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00192889,?,?,00000800,?,00001073,00000000,?,?), ref: 0019BAAE

Part of subcall function 0019B9E0: GetWindowThreadProcessId.USER32(?,?), ref: 0019BA0B
Part of subcall function 0019B9E0: OpenProcess.KERNEL32(00000438,00000000,?,?,?,0019281E,00000034,?,?,00001004,00000000,00000000), ref: 0019BA1B
Part of subcall function 0019B9E0: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,0019281E,00000034,?,?,00001004,00000000,00000000), ref: 0019BA31

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00192E57
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00192EA4

Strings

@, xrefs: 00192EBC

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 6c407f9c129806a36d46fdd383f119904dfdcb2ef695161ce0962eb40e6dae44
Instruction ID: 3cfabbd7004f36155cb99b283df779914d55198a3bfdb2fb0ac7e1b25e049a6b
Opcode Fuzzy Hash: 6c407f9c129806a36d46fdd383f119904dfdcb2ef695161ce0962eb40e6dae44
Instruction Fuzzy Hash: C5415B7290021CBFCF10DBA4DD86ADEBBB8EB09700F004095FA45B7181CB70AE85CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 001619AE Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\MXIkmvGqgT.exe.com,00000104), ref: 001619E9
_free.LIBCMT ref: 00161AB4
_free.LIBCMT ref: 00161ABE

Strings

C:\Users\user\Desktop\MXIkmvGqgT.exe.com, xrefs: 001619E0, 001619E7, 00161A16, 00161A4E

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\MXIkmvGqgT.exe.com
API String ID: 2506810119-3781217359
Opcode ID: cae034918a4156dd22bbaefb6613dd863dd3c30f890debc098a70baa4b424734
Instruction ID: 19e705b352707d41507acef97ac864ccd146e956efb03a96972b5eb4fcecc520
Opcode Fuzzy Hash: cae034918a4156dd22bbaefb6613dd863dd3c30f890debc098a70baa4b424734
Instruction Fuzzy Hash: DA315D71A01258FFCB25DFD99C89D9EBBFCEB95310B18416AF80497211D7708E54DB90

Uniqueness

Uniqueness Score: -1.00%

Function 0019C933 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,?,00000000,?), ref: 0019C9BC
DeleteMenu.USER32(?,00000007,00000000), ref: 0019CA02
DeleteMenu.USER32(?,?,00000000,?,00000000,00000000,00202990,00E89158), ref: 0019CA4B

Strings

0, xrefs: 0019C995

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 67f3431609807457d838b821e5458a2b36482f072a4838a9cf97a2e27076eacd
Instruction ID: 859ac3257d3765b7fab7e72e2605499d9ba07a02616d98b8050e2533ea3f7857
Opcode Fuzzy Hash: 67f3431609807457d838b821e5458a2b36482f072a4838a9cf97a2e27076eacd
Instruction Fuzzy Hash: B041B1302043459FDB24DF28C855F6ABBE4FF85314F04461DF9A697292EB30E804CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 001C4C7D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,001CDCD0,00000000,?,?,?,?), ref: 001C4D11
GetWindowLongW.USER32 ref: 001C4D2E
SetWindowLongW.USER32 ref: 001C4D3E

Strings

SysTreeView32, xrefs: 001C4CE3

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 2f6b59fd1b091328ebd3a7e1fbb6b87b4c6a424f290987810aa87cc575a51fb7
Instruction ID: a0ea9d912b0474f234c0335775eecbdd905fcd5104278797e8b468ca5acba281
Opcode Fuzzy Hash: 2f6b59fd1b091328ebd3a7e1fbb6b87b4c6a424f290987810aa87cc575a51fb7
Instruction Fuzzy Hash: 1931C031204205AFDB119F78DC55FEA7BA9EB28334F204729F979921E0D770EC508B54

Uniqueness

Uniqueness Score: -1.00%

Function 001B38A7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 001B3BB4: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,001B38D0,?,?), ref: 001B3BD1

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 001B38D3
_wcslen.LIBCMT ref: 001B38F4
htons.WSOCK32(00000000,?,?,00000000), ref: 001B395F

Strings

255.255.255.255, xrefs: 001B38EE, 001B38F3

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 7f0148cfab5bdfc857b0dfcbf371fa63270d97ed1c1b35773d1e3ac5b0533736
Instruction ID: 7189b2e7a94db1300e1f9af4b9e5a937c2414d20c10a8fb7ebcc2e477a5437d2
Opcode Fuzzy Hash: 7f0148cfab5bdfc857b0dfcbf371fa63270d97ed1c1b35773d1e3ac5b0533736
Instruction Fuzzy Hash: CB31D579200205DFCB20CF28C585EA9B7E0EF54318F258159E8669F7A2D7B1EF55CB60

Uniqueness

Uniqueness Score: -1.00%

Function 001C471D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 001C47A5
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 001C47B9
SendMessageW.USER32(?,00001002,00000000,?), ref: 001C47DD

Strings

SysMonthCal32, xrefs: 001C4770

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: ee3fe8a772d368ca12794125f66f7bbaba348d249e27843623602fe473e8346c
Instruction ID: 62af0a937677ee12f9a97d0d620474a197254cb302026894007c379435d12a82
Opcode Fuzzy Hash: ee3fe8a772d368ca12794125f66f7bbaba348d249e27843623602fe473e8346c
Instruction Fuzzy Hash: C6219F72500219BBEF158FA4CC46FEA3B69EB59714F110218FA15AB190D7B1E8958BA0

Uniqueness

Uniqueness Score: -1.00%

Function 001C4EBA Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 001C4F6C
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 001C4F7A
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 001C4F81

Strings

msctls_updown32, xrefs: 001C4EEB

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 81944d73fd04704c3e99fdbcc4b5914170e5d7cebe8da0c08ec3e4b9667a3496
Instruction ID: d70c5d889a4524da0f111b9541803e383774136b40995cd2d395e7e2b3691b94
Opcode Fuzzy Hash: 81944d73fd04704c3e99fdbcc4b5914170e5d7cebe8da0c08ec3e4b9667a3496
Instruction Fuzzy Hash: 8B2171B5604219AFEB11DF18DC95EB737ADEF6A358B11015DFA009B291CB30EC518BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00199C13 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00199C83

Strings

#requireadmin, xrefs: 00199C3F
#OnAutoItStartRegister, xrefs: 00199C59
#notrayicon, xrefs: 00199C1D

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 34e90c60614603299c6f65ffd8e68af12f53895cb229d816214c88a985d445a1
Instruction ID: 3ac2f9240b5055265cced84da27011f731d6ceb96992740b8abeda58bff997a4
Opcode Fuzzy Hash: 34e90c60614603299c6f65ffd8e68af12f53895cb229d816214c88a985d445a1
Instruction Fuzzy Hash: DC213632204211A6DB31B72CDC02FBBB3DCDFA5314F14442EF9569B185EB61AE86D396

Uniqueness

Uniqueness Score: -1.00%

Function 001C401C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 001C40A5
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 001C40B5
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 001C40DB

Strings

Listbox, xrefs: 001C4074

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: c08203da92f0906e00d2aafdb68ed5696769c33bbb3e07f9d05c76ec341ba369
Instruction ID: 5157c4b5581fe166947d307e5640577dee4da1beeaabcc6911c213f243b4c111
Opcode Fuzzy Hash: c08203da92f0906e00d2aafdb68ed5696769c33bbb3e07f9d05c76ec341ba369
Instruction Fuzzy Hash: 8E21B032644218BBEF128F54DC85FFB3B6EEB99754F108128FA149B190CB71DC6187A0

Uniqueness

Uniqueness Score: -1.00%

Function 001A5244 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 001A5258
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 001A52AC
SetErrorMode.KERNEL32(00000000,?,?,001CDCD0), ref: 001A5320

Strings

%lu, xrefs: 001A52BF

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 0ba4d36a63bdd6fc275f0c6a38bc0aa7d99b8cbcd2cdd8a01e7b9a6378cf33df
Instruction ID: 2c35614810476c1a22a5bdd857c868427230cd586c32ed4539a0a6a3f88ac818
Opcode Fuzzy Hash: 0ba4d36a63bdd6fc275f0c6a38bc0aa7d99b8cbcd2cdd8a01e7b9a6378cf33df
Instruction Fuzzy Hash: 1C317174A00108AFDB10DF64D885EAABBF9EF09308F1440A9F909DB262D771EE45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 001C4A52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 001C4AB6
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 001C4ACB
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 001C4AD8

Strings

msctls_trackbar32, xrefs: 001C4A8D

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 177dbcc07ad5a6cffc713f30e62700a9012685b4010b606ff165c6ecfe86d655
Instruction ID: e72ee143d50554cd22493f01f52d827e42a38098699e3fdba72bac50be358eb4
Opcode Fuzzy Hash: 177dbcc07ad5a6cffc713f30e62700a9012685b4010b606ff165c6ecfe86d655
Instruction Fuzzy Hash: 0011E732244208BFEF215F24CC06FA737A8EF95B54F114518FA55E3090D771D8618B24

Uniqueness

Uniqueness Score: -1.00%

Function 001935DD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001373E7: _wcslen.LIBCMT ref: 001373FA

Part of subcall function 00193433: SendMessageTimeoutW.USER32 ref: 00193451
Part of subcall function 00193433: GetWindowThreadProcessId.USER32(?,00000000), ref: 00193462
Part of subcall function 00193433: GetCurrentThreadId.KERNEL32 ref: 00193469
Part of subcall function 00193433: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00193470

GetFocus.USER32(001CDCD0), ref: 00193603

Part of subcall function 0019347A: GetParent.USER32(00000000), ref: 00193485

GetClassNameW.USER32 ref: 0019364E
EnumChildWindows.USER32 ref: 00193676

Strings

%s%d, xrefs: 0019368A

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 7c9257508b5372affea4e4915d658a35461b674b1e9d0a2a04395daf42b58f82
Instruction ID: 13d8916063504b172785f2dc43e46b45c10028ae920577fb13a1a8c9cb055257
Opcode Fuzzy Hash: 7c9257508b5372affea4e4915d658a35461b674b1e9d0a2a04395daf42b58f82
Instruction Fuzzy Hash: 171172B16002096BCF157F609D86FED3769AFA4304F054079BE199B292DF709A4ADB60

Uniqueness

Uniqueness Score: -1.00%

Function 0016892E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,00000000,?,?,0016884C,?,001F9CD8,0000000C), ref: 00168984
GetLastError.KERNEL32(?,0016884C,?,001F9CD8,0000000C), ref: 0016898E
__dosmaperr.LIBCMT ref: 001689B9

Strings

x, xrefs: 00168948

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID: x
API String ID: 2583163307-2890206012
Opcode ID: cd0940b0c1bae7756821fd255caea8aa8eb08ed7f67ff4161d481030d4e87796
Instruction ID: 246423418e0307a921968fe3ff5fdc9fa813e1c334d1106e9f4ed3c75a6705f2
Opcode Fuzzy Hash: cd0940b0c1bae7756821fd255caea8aa8eb08ed7f67ff4161d481030d4e87796
Instruction Fuzzy Hash: B90149336066601AD7252634AC4AB7E6B8B5BE273CF290319F9149B1C2DF61CCA1C593

Uniqueness

Uniqueness Score: -1.00%

Function 001C60E9 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 001C6128
SetMenuItemInfoW.USER32 ref: 001C6155
DrawMenuBar.USER32(?,?,00000030,?,00000030), ref: 001C6164

Strings

0, xrefs: 001C60F6

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: b8a0dd80fadbe625da2cfc3d7d80de6a8b3f72186a395fbf7418e5e894810ef6
Instruction ID: 41fcd11cd19de3c3d3c603961572d28f3edfd0aabbc75671cd4f8a7b07f0629e
Opcode Fuzzy Hash: b8a0dd80fadbe625da2cfc3d7d80de6a8b3f72186a395fbf7418e5e894810ef6
Instruction Fuzzy Hash: 71015731500218EEDB219F50EC44FAABBB9FB58396F1480A9F9499A151DB34CA85EF21

Uniqueness

Uniqueness Score: -1.00%

Function 001906AE Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad7367a1aeb0cc08802cf8dfd45b0ee3fc189e0b36f18b3b371a3fb7fc8bda2c
Instruction ID: 355882ab9b59c18501568007122560af6c46522495d6c206693bcb922976aa88
Opcode Fuzzy Hash: ad7367a1aeb0cc08802cf8dfd45b0ee3fc189e0b36f18b3b371a3fb7fc8bda2c
Instruction Fuzzy Hash: E1C15C75A00216EFDB09CFA8C884EAEB7B5FF48714F118599E509EB251D731EE81CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00164100 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 0016418B
__alldvrm.LIBCMT ref: 0016438C
__alldvrm.LIBCMT ref: 001643AE

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: bf40b941d52d67784f8096f33b81488653f8cae213e42cf770fb29e72a4dd410
Instruction ID: 25f7e46d56e26a01327067b60ae6ff3764057a70c5863e3fa26c6d7f5face671
Opcode Fuzzy Hash: bf40b941d52d67784f8096f33b81488653f8cae213e42cf770fb29e72a4dd410
Instruction Fuzzy Hash: 3BA167329043969FDB25DF28CCA17AEBBE5FF62310F28416DE8859B381C3389991C750

Uniqueness

Uniqueness Score: -1.00%

Function 001B3C87 Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 001B3CB2
CoUninitialize.OLE32 ref: 001B3CBC
VariantInit.OLEAUT32(?), ref: 001B3CC7
VariantClear.OLEAUT32(?), ref: 001B3F74

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 02d9ccebcbc55759b0348bd72a27bd83774588aa34742d8b6b887cbe082677b9
Instruction ID: 24f3a1c36bd50f9b0f4314c610d936350a45d303e7af5191b1462007306a4228
Opcode Fuzzy Hash: 02d9ccebcbc55759b0348bd72a27bd83774588aa34742d8b6b887cbe082677b9
Instruction Fuzzy Hash: AFA159756043019FCB10EF68D485A6AB7E5FF89710F05845DF99A9B3A1CB30ED01CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00190A65 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,001D0BF0,?), ref: 00190C1F
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,001D0BF0,?), ref: 00190C37
CLSIDFromProgID.OLE32(?,?,00000000,001CDCE0,000000FF,?,00000000,00000800,00000000,?,001D0BF0,?), ref: 00190C5C
_memcmp.LIBVCRUNTIME ref: 00190C7D

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 498362e1a4a4286527c26b7a03cfdf084a48bbb6c3e49a64be7fba5246d3c75e
Instruction ID: f7a714c9d26691434b315c5cfbf671735df8b3327163a699b30de3121fe0325f
Opcode Fuzzy Hash: 498362e1a4a4286527c26b7a03cfdf084a48bbb6c3e49a64be7fba5246d3c75e
Instruction Fuzzy Hash: 37811975A00209EFCF05DF94C994EEEB7B9FF89315F204198E506AB250DB71AE46CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00171611 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00171740

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: d9042fc03d3791762e3e9dbe4a4a608bb9b7f6de60b081edf916600a6188296f
Instruction ID: dba9278c2631ad7c33b2342cf9f0b0f4e0b026874839095e8b43091733437f02
Opcode Fuzzy Hash: d9042fc03d3791762e3e9dbe4a4a608bb9b7f6de60b081edf916600a6188296f
Instruction Fuzzy Hash: 5A415031A00200BBDB287FBD9C46BBE3AB9EF61770F188225F82CD7191E77489554762

Uniqueness

Uniqueness Score: -1.00%

Function 001B232F Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 001B2356
WSAGetLastError.WSOCK32 ref: 001B2364
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 001B23E3
WSAGetLastError.WSOCK32 ref: 001B23ED

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 7a758522a517ea86206c36149dcb2c4470a24377f0942f1a154fa26492f276b9
Instruction ID: 3fce0ea1cb43472fbf0c98a75d7223d1dfb9182cd359394aec87dc7dab17776e
Opcode Fuzzy Hash: 7a758522a517ea86206c36149dcb2c4470a24377f0942f1a154fa26492f276b9
Instruction Fuzzy Hash: 8E41C174600300AFE720AF25D886F6A7BE5AB18718F14C45CFA599F6D2D772ED428B90

Uniqueness

Uniqueness Score: -1.00%

Function 001C6A78 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32 ref: 001C6AE2
ScreenToClient.USER32 ref: 001C6B15
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 001C6B82

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: d84fc71ce728a55b31aaf0f149bce09534aa78720e1fc2f7262b86f47fed2543
Instruction ID: 3ff386a742dcf35ccb4540c0a9b44a7ac5d518acb079417494764e16b03c9356
Opcode Fuzzy Hash: d84fc71ce728a55b31aaf0f149bce09534aa78720e1fc2f7262b86f47fed2543
Instruction Fuzzy Hash: 24511774A00209EFCB14DF68D885EAE7BB6EB64364F20816DF815DB2A0D731ED81CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0016B69F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db942831c3d750e9f36d7846e0867dc3f051dfd00f312102571f8bfd344f8770
Instruction ID: 48e21de99a1ecabe1340ae8ca2fb0cb3693e135df18bb8be604dabbef87e1140
Opcode Fuzzy Hash: db942831c3d750e9f36d7846e0867dc3f051dfd00f312102571f8bfd344f8770
Instruction Fuzzy Hash: 7B412971A04704AFD7249F38CC81B6ABBE9EFD8710F20822EF111DB6C1D37199518B90

Uniqueness

Uniqueness Score: -1.00%

Function 0016DB44 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00156FF1,00000000,00000000,00158559,?,00158559,?,00000001,00156FF1,8BE85006,00000001,00158559,00158559), ref: 0016DB91
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0016DC1A
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0016DC2C
__freea.LIBCMT ref: 0016DC35

Part of subcall function 00163AA0: RtlAllocateHeap.NTDLL(00000000,?,?,?,00156989,?,0000015D,?,?,?,?,001584C0,000000FF,00000000,?,?), ref: 00163AD2

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 442ad4993c3d55cb0086457aa7468af455a058fcfd5bd68696bd897c16907e70
Instruction ID: fde57aa92f11ad74502976da43442523b98311c920314709b135179da82d8fad
Opcode Fuzzy Hash: 442ad4993c3d55cb0086457aa7468af455a058fcfd5bd68696bd897c16907e70
Instruction Fuzzy Hash: 2D31C172A0020AABDF25DF64EC41DAE7BB5EB55310F064168FC15DB150EB35DDA1CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 001A5F29 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 001A5FD3
GetLastError.KERNEL32(?,00000000), ref: 001A5FF9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 001A601E
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 001A604A

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 6d07e692724db1f3a9e21072ff8f44909e56f13193b17e2f0478bdcec0070da3
Instruction ID: 7d1547cdba8b186e84f6b83856f8b790b56361bf1e9958c57d02fb8337e0f57d
Opcode Fuzzy Hash: 6d07e692724db1f3a9e21072ff8f44909e56f13193b17e2f0478bdcec0070da3
Instruction Fuzzy Hash: 81414C39600611DFCB21EF55D544A1EBBF2EF9A710F198488E94A9B3A2CB30FC41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0019B10D Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0019B162
SetKeyboardState.USER32(00000080), ref: 0019B17E
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0019B1EC
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0019B23E

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 123eb223ad55bbf98d7b9ee73cb83ecd9e85c7d1e1949e0b824a6f9b0480b302
Instruction ID: 7cf2551afc197d492cd8120d6f306bcffb8a2a936af080f47d08ace2ae065663
Opcode Fuzzy Hash: 123eb223ad55bbf98d7b9ee73cb83ecd9e85c7d1e1949e0b824a6f9b0480b302
Instruction Fuzzy Hash: CD316B30A48218AEFF348B25BD98BFE7BB5EF98310F04422EE490521D0C7749A85C795

Uniqueness

Uniqueness Score: -1.00%

Function 001C5B28 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 001C5BB9
GetWindowLongW.USER32(?,000000F0), ref: 001C5BDC
SetWindowLongW.USER32 ref: 001C5BE9
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 001C5C0F

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: f7c1d95b019b7c15c40d8bff973d4ead539460e17d566c7e1a9221e73c3c8a85
Instruction ID: 07a5faa733b96877875069092a88a53aabd7a0cca24dd4ca6342f05caf6c5d88
Opcode Fuzzy Hash: f7c1d95b019b7c15c40d8bff973d4ead539460e17d566c7e1a9221e73c3c8a85
Instruction Fuzzy Hash: AB31AF34A92A0CAEEB249E14CC0AFE83B67EB25310F58401AB611962E1C770FDC0DB45

Uniqueness

Uniqueness Score: -1.00%

Function 0019B252 Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,775E73F0,?,00008000), ref: 0019B2A7
SetKeyboardState.USER32(00000080,?,00008000), ref: 0019B2C3
PostMessageW.USER32(00000000,00000101,00000000), ref: 0019B32A
SendInput.USER32(00000001,?,0000001C,775E73F0,?,00008000), ref: 0019B37C

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 993aabe0b05cd8bc50faf682bdffdafb08262a31f8aa07c9a9a9a3770a037354
Instruction ID: a9fb9aee1a03a85a3c04b4e8b3b14cfabd4bf563003bc4d45c3a8b4d51cc09ad
Opcode Fuzzy Hash: 993aabe0b05cd8bc50faf682bdffdafb08262a31f8aa07c9a9a9a3770a037354
Instruction Fuzzy Hash: 85314830A48258AEFF34CB65AD58BFE7BB5FF55310F48421AE485921D0C7349B858B92

Uniqueness

Uniqueness Score: -1.00%

Function 001C7E74 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 001C7E9A
GetWindowRect.USER32 ref: 001C7F10
PtInRect.USER32(?,?,001C93AA), ref: 001C7F20
MessageBeep.USER32(00000000), ref: 001C7F8C

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: eda1504ba78c53ca8240a541e2a7e81ea2ee07df1c5906c13d6ea1d0de11c082
Instruction ID: 1fcb09de7cc8c29f1367657954351ab642461bb933d1fefc78064653d76ea9d0
Opcode Fuzzy Hash: eda1504ba78c53ca8240a541e2a7e81ea2ee07df1c5906c13d6ea1d0de11c082
Instruction Fuzzy Hash: 57414C30605219DFCB05CF58D8C8FA9BBF5BB69314F1541ADE8289B2A1C7B0E945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 001C1F3F Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 001C1F50

Part of subcall function 001940CD: GetWindowThreadProcessId.USER32(?,00000000), ref: 001940E7
Part of subcall function 001940CD: GetCurrentThreadId.KERNEL32 ref: 001940EE
Part of subcall function 001940CD: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00192C3D), ref: 001940F5

GetCaretPos.USER32(?), ref: 001C1F64
ClientToScreen.USER32(00000000,?), ref: 001C1FB1
GetForegroundWindow.USER32 ref: 001C1FB7

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 008ed7adc64ed60abcfb027fdee03322d9f2e001ae79bdb9d97049b5e795356e
Instruction ID: 6803672f2dceb411e4e945861412a7caeaba76a95eb1c4f5cbac305fde584172
Opcode Fuzzy Hash: 008ed7adc64ed60abcfb027fdee03322d9f2e001ae79bdb9d97049b5e795356e
Instruction Fuzzy Hash: 4B313071D00209AFDB14DFA9D881DAEBBF9EF58308B148469E415E7252E731DE45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0019E6B7 Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 00133205: _wcslen.LIBCMT ref: 0013320A

_wcslen.LIBCMT ref: 0019E6ED
_wcslen.LIBCMT ref: 0019E704
_wcslen.LIBCMT ref: 0019E72F
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 0019E73A

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: d581422e349c66e0f067891d82bb51d1fd8df3ef06d9d82e37f397d000a5286d
Instruction ID: d86ea8182574b2492360d6e59e499d0a18e26d00072644bdc1403cb374df57c8
Opcode Fuzzy Hash: d581422e349c66e0f067891d82bb51d1fd8df3ef06d9d82e37f397d000a5286d
Instruction Fuzzy Hash: F121BF75900214EFCB25DFA8D982BAEB7F8EF55750F104064E814AF281E7709E41CBE2

Uniqueness

Uniqueness Score: -1.00%

Function 0019DB92 Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0019DBB7
Process32FirstW.KERNEL32(00000000,?), ref: 0019DBC5
Process32NextW.KERNEL32(00000000,?), ref: 0019DBE5
CloseHandle.KERNEL32(00000000), ref: 0019DC92

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 96923b5f1d5ab23d7f82e56fe87f195569ae39bdbd97f6d76eecba25f0c96079
Instruction ID: 759182f3a1d76528a0beb71746e9f13cb33f9bf3c363bd5d96a168f3e4be54b5
Opcode Fuzzy Hash: 96923b5f1d5ab23d7f82e56fe87f195569ae39bdbd97f6d76eecba25f0c96079
Instruction Fuzzy Hash: 233180B11083009FD711EF54EC85EAFBBE8AFA9350F44092DF585831A1EB71D949CB92

Uniqueness

Uniqueness Score: -1.00%

Function 001C97EA Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00149DA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00149DB2

GetCursorPos.USER32(?,?,?,?,?,?,?,?,00187D0D,?,?,?,?,?), ref: 001C9822
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00187D0D,?,?,?,?,?), ref: 001C9837
GetCursorPos.USER32(?,?,?,?,?,?,?,?,?,00187D0D,?,?,?,?,?), ref: 001C987F
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00187D0D,?,?,?), ref: 001C98B5

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 7abba728e55043576b1d405fada3064f1e7a2330d87e768a2eb3bced0f63fdfc
Instruction ID: 4d5bd3bf426ada2ae8e11854a72d7510d5ce3f48a928d70fc9e2c249d80bd0d0
Opcode Fuzzy Hash: 7abba728e55043576b1d405fada3064f1e7a2330d87e768a2eb3bced0f63fdfc
Instruction Fuzzy Hash: F9218B35500118EFDB168F94D85DEEA7BB9FF4A710F144069F9058B1A1C736DAA0DB60

Uniqueness

Uniqueness Score: -1.00%

Function 0019D977 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,001CDC44), ref: 0019D9B1
GetLastError.KERNEL32 ref: 0019D9C0
CreateDirectoryW.KERNEL32(?,00000000), ref: 0019D9CF
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,001CDC44), ref: 0019DA2C

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 8440c51fba0f375b937c3081d703cae6dd9dd345ad40df18d4d5fdb9f22e9d57
Instruction ID: a0047ae9e8d1c8bfc49ae680d2651e3c3d4e1893024b8db8d7b1785c112793f3
Opcode Fuzzy Hash: 8440c51fba0f375b937c3081d703cae6dd9dd345ad40df18d4d5fdb9f22e9d57
Instruction Fuzzy Hash: 8A2165745082019FCB10DF28E88186ABBE4BF65768F104A2DF499C72A1DB30DD55CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00191BFB Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0019169E: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 001916B4
Part of subcall function 0019169E: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 001916C0
Part of subcall function 0019169E: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 001916CF
Part of subcall function 0019169E: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 001916D6
Part of subcall function 0019169E: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 001916EC

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00191C48
_memcmp.LIBVCRUNTIME ref: 00191C6B
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00191CA1
HeapFree.KERNEL32(00000000), ref: 00191CA8

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 12456a963878123842aec7f6394bb892e5a269a17c48948c75e9fa52bdf17943
Instruction ID: f262149149f22d5989c4d609ca7efef2fde5c345c80b2ef0f2f0a639027918a0
Opcode Fuzzy Hash: 12456a963878123842aec7f6394bb892e5a269a17c48948c75e9fa52bdf17943
Instruction Fuzzy Hash: BF219A72E8020AFFDF10DFA4C955BEEB7B9EF40301F1A8459E440AB240D770AA85CB60

Uniqueness

Uniqueness Score: -1.00%

Function 001C2FE7 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 001C306F
SetWindowLongW.USER32 ref: 001C3089
SetWindowLongW.USER32 ref: 001C3097
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 001C30A5

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 01ddaa7cd3d02f6bfa88a8c857e8593ed537adf32a8b3f709214e5f9bf5e10e8
Instruction ID: e4b58331b2e6c01f09eee5e142f0b062e41aad63fbadc0f033ed10cc85d37ebf
Opcode Fuzzy Hash: 01ddaa7cd3d02f6bfa88a8c857e8593ed537adf32a8b3f709214e5f9bf5e10e8
Instruction Fuzzy Hash: B221D332204650AFD7149B24D855FAA7BA5EFA5328F14C25CF4368B6D2CB71ED82CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00197F93 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0019941B: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00197FA8,?,000000FF,?,00198DF2,00000000,?,0000001C,?,?), ref: 0019942A
Part of subcall function 0019941B: lstrcpyW.KERNEL32 ref: 00199450
Part of subcall function 0019941B: lstrcmpiW.KERNEL32(00000000,?,00197FA8,?,000000FF,?,00198DF2,00000000,?,0000001C,?,?), ref: 00199481

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00198DF2,00000000,?,0000001C,?,?,00000000), ref: 00197FC1
lstrcpyW.KERNEL32 ref: 00197FE7
lstrcmpiW.KERNEL32(00000002,cdecl,?,00198DF2,00000000,?,0000001C,?,?,00000000), ref: 00198022

Strings

cdecl, xrefs: 00198019

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: cc9876b51ef1e2bab4c2c8c862107276e2ff3e7ced6e9706ceaa3f3f87d284d9
Instruction ID: fa8dfc0e694727cc71496c0fde19fce8f817ab10eb1e7afabec4afec6cf0c06c
Opcode Fuzzy Hash: cc9876b51ef1e2bab4c2c8c862107276e2ff3e7ced6e9706ceaa3f3f87d284d9
Instruction Fuzzy Hash: 5E11D37A200341ABCF259F38D845E7A77A9FF5A790B54402AF902CB294EF31D846D751

Uniqueness

Uniqueness Score: -1.00%

Function 001C5EC7 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 001C5F22
_wcslen.LIBCMT ref: 001C5F34
_wcslen.LIBCMT ref: 001C5F3F
SendMessageW.USER32(?,00001002,00000000,?), ref: 001C607D

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 7fd0ef93cf7c55d01ab9800aff8b81de7f57e9cbeea5bdbb9e13bf4a8bc520c9
Instruction ID: 721109152a1345bfe84b7a6317c1533ef9366663a860ad5b0b0d606718b5dc47
Opcode Fuzzy Hash: 7fd0ef93cf7c55d01ab9800aff8b81de7f57e9cbeea5bdbb9e13bf4a8bc520c9
Instruction Fuzzy Hash: 0711BE75600208AADF20DF649C84FEE7BACEF61758F14422EF911D6082EBB0D984CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00161F89 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84b52a4d25805376d0c00ddee13ffa4d31814ffb123984a9d19ef524aa9923f0
Instruction ID: 2624bfd7745c8594745b0da0af52ca1e012f41a3f21f9a472ee6555e141e0482
Opcode Fuzzy Hash: 84b52a4d25805376d0c00ddee13ffa4d31814ffb123984a9d19ef524aa9923f0
Instruction Fuzzy Hash: B201FDB22096263EFB202A7C7CC1F2B260DDF917B8B390365F521611D1DFB0CC2481A0

Uniqueness

Uniqueness Score: -1.00%

Function 001920B1 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 001920D1
SendMessageW.USER32(?,000000C9,?,00000000), ref: 001920E3
SendMessageW.USER32(?,000000C9,?,00000000), ref: 001920F9
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00192114

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 411f02106f4262a589c82be1a6476deb1e7018c4a4ea6ff5708606c9e5bd16d5
Instruction ID: a1f2409c9a44c52a46e3f0d5db9037c553b9d497dec51f931b8a1093d63f7944
Opcode Fuzzy Hash: 411f02106f4262a589c82be1a6476deb1e7018c4a4ea6ff5708606c9e5bd16d5
Instruction Fuzzy Hash: A011F77A900218BFEF119BA4CD85F9DBB78FB08750F2000A1EA00B7290D771AE50DB94

Uniqueness

Uniqueness Score: -1.00%

Function 001CA714 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00149DA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00149DB2

GetClientRect.USER32 ref: 001CA752
GetCursorPos.USER32(?), ref: 001CA75C
ScreenToClient.USER32 ref: 001CA767
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 001CA79B

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 9d60ad86181580ae02f06c5529f4ec9e7d14e6861ac52326e96e6b40ac264482
Instruction ID: 5a723f17a73ba1e66966acea51be416da985bda70757352dc56ab04aa70cf540
Opcode Fuzzy Hash: 9d60ad86181580ae02f06c5529f4ec9e7d14e6861ac52326e96e6b40ac264482
Instruction Fuzzy Hash: B6114C7590021DEBDB01DF94D889EEE7BB8FF14305F510459E902E3141D335EA91CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0019E8F8 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0019E91F
MessageBoxW.USER32(?,?,?,?), ref: 0019E952
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0019E968
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0019E96F

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 4699182d05e02337de7cc4129172794c6618cc5ed0f2b0831caaef5b9d969715
Instruction ID: 62f1ccab10735ad3279a0f5fb9f5484766058bf2609d79894713fd7a7e084262
Opcode Fuzzy Hash: 4699182d05e02337de7cc4129172794c6618cc5ed0f2b0831caaef5b9d969715
Instruction Fuzzy Hash: A311C876900258FBCB01DBA8EC0DA9E7FEDAB46324F044266F815E3291D775C94887A1

Uniqueness

Uniqueness Score: -1.00%

Function 0015D44C Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32 ref: 0015D498
GetLastError.KERNEL32 ref: 0015D4A4
__dosmaperr.LIBCMT ref: 0015D4AB
ResumeThread.KERNEL32(00000000), ref: 0015D4C9

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: a9e7bf72fe65781bb19652ef915f69eed54754d5181e83426dcf4afc86bd766e
Instruction ID: 4513dfec62ce635df6f2030da16c64f427f9fd704140185e00f67e2aae51ddbf
Opcode Fuzzy Hash: a9e7bf72fe65781bb19652ef915f69eed54754d5181e83426dcf4afc86bd766e
Instruction Fuzzy Hash: 16010872401514FBCB306FA5FC09A6E7A69EF81332F100228FD388A5D0DB709949C791

Uniqueness

Uniqueness Score: -1.00%

Function 00136653 Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32 ref: 00136691
GetStockObject.GDI32(00000011), ref: 001366A5
SendMessageW.USER32(00000000,00000030,00000000), ref: 001366AF

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 0f0514685d70493cf505b7c4a926cd56d453e7a274bd96f48f9ff0bb63ca8738
Instruction ID: a0870d1b5d2175ab431fcfe95dd15b528d0f9879e085fc66a764e10fc54653a4
Opcode Fuzzy Hash: 0f0514685d70493cf505b7c4a926cd56d453e7a274bd96f48f9ff0bb63ca8738
Instruction Fuzzy Hash: 741180B2501A4DBFDF164F90AC55EEABF69FF083A8F044115FA0452160DB71DCA0EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00153DBC Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00153DD6

Part of subcall function 00153D23: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00153D52
Part of subcall function 00153D23: ___AdjustPointer.LIBCMT ref: 00153D6D

_UnwindNestedFrames.LIBCMT ref: 00153DEB
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00153DFC
CallCatchBlock.LIBVCRUNTIME ref: 00153E24

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 4b0a81d4783def632cd74d78270cf4578128185686d2db8db3b00f14f9a291eb
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 63011B32100148FBCF125E95CC41DEB3B79EF58795F044004FE289A121C336E965DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 001632F3 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000364,00000000,00000000,?,0016329A,00000364,00000000,00000000,00000000,?,0016350B,00000006,FlsSetValue), ref: 00163325
GetLastError.KERNEL32(?,0016329A,00000364,00000000,00000000,00000000,?,0016350B,00000006,FlsSetValue,001D3270,FlsSetValue,00000000,00000364,?,001630C6), ref: 00163331
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0016329A,00000364,00000000,00000000,00000000,?,0016350B,00000006,FlsSetValue,001D3270,FlsSetValue,00000000), ref: 0016333F

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: ca64080727657ea7b345cae448fc08e9ed6584d804a724a395bf9993a3e5ec24
Instruction ID: 8c2b141d133ed49d83872b405563dbac826f14274b25e088ff490c205d15a9df
Opcode Fuzzy Hash: ca64080727657ea7b345cae448fc08e9ed6584d804a724a395bf9993a3e5ec24
Instruction Fuzzy Hash: 2401F736712732ABCB214B7DAC44D567BA8BF05BA17160620F926D7380CF20D951C6E0

Uniqueness

Uniqueness Score: -1.00%

Function 00197B02 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 00197B1D
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00197B35
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00197B4A
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00197B68

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 499331ee18206e348fc5a5d420d742716595eca9fd1162b0e3184e3fb2e93a49
Instruction ID: 77207fd7e502df3731f0032954d39200ae7cd38ea3dcbc5d288924297cdfad4d
Opcode Fuzzy Hash: 499331ee18206e348fc5a5d420d742716595eca9fd1162b0e3184e3fb2e93a49
Instruction Fuzzy Hash: 4A11ADB1215300AFEB208F14EC09FD6BBFCEF00B04F108529A66BD6490E7B0E944DB51

Uniqueness

Uniqueness Score: -1.00%

Function 0019B75E Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0019B389,?,00008000), ref: 0019B77A
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0019B389,?,00008000), ref: 0019B79F
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0019B389,?,00008000), ref: 0019B7A9
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0019B389,?,00008000), ref: 0019B7DC

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 3a689b34e800e9a1324375b99c99f307418d51935540fe373d0e30544a41a699
Instruction ID: ef3f22300bca73dc212c0bbb8640c6a85921ae1ac5af59a5d689be790fa5a153
Opcode Fuzzy Hash: 3a689b34e800e9a1324375b99c99f307418d51935540fe373d0e30544a41a699
Instruction Fuzzy Hash: F9110C71D08519E7CF089FE4EA98AEDBB78FF89711F124195D941B2690CB3096508B91

Uniqueness

Uniqueness Score: -1.00%

Function 001C8635 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32 ref: 001C8654
ScreenToClient.USER32 ref: 001C866C
ScreenToClient.USER32 ref: 001C8690
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 001C86AB

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 3a0931513b1565392ed87e1406fcf7447f0d00014ff8dbc8c77e2895eaf188b5
Instruction ID: df5c97815daabd86bcd9ec8b761f9b8563e031fb8e0a87f5fb76cbc26c1a7cc4
Opcode Fuzzy Hash: 3a0931513b1565392ed87e1406fcf7447f0d00014ff8dbc8c77e2895eaf188b5
Instruction Fuzzy Hash: E11143B9D00219AFDB41CF98D484AEEBBB5FB08314F104166E915E2610D735AAA4CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00193433 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32 ref: 00193451
GetWindowThreadProcessId.USER32(?,00000000), ref: 00193462
GetCurrentThreadId.KERNEL32 ref: 00193469
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00193470

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: b2e81fc5204de66e208bb502d9b1bb8a8c3f726975e38caf92d65ef106733d1c
Instruction ID: 99d30f89006b96cd728814a885ee84ecda33615ef604b01a9a6b8ea76f78a010
Opcode Fuzzy Hash: b2e81fc5204de66e208bb502d9b1bb8a8c3f726975e38caf92d65ef106733d1c
Instruction Fuzzy Hash: F3E09271601234BBDB211B62AC0EFEB7F6CDF42BA5F410025F205D24809BB4C981D2B1

Uniqueness

Uniqueness Score: -1.00%

Function 001C9084 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 0014983F: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00149899
Part of subcall function 0014983F: SelectObject.GDI32(?,00000000), ref: 001498A8
Part of subcall function 0014983F: BeginPath.GDI32(?), ref: 001498BF
Part of subcall function 0014983F: SelectObject.GDI32(?,00000000), ref: 001498E8

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 001C90A8
LineTo.GDI32(?,?,?), ref: 001C90B5
EndPath.GDI32(?), ref: 001C90C5
StrokePath.GDI32(?), ref: 001C90D3

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: ee18d88f3d1f7672fa9201fa3b091fbc3bd5766460411435bcf21d38aec2210d
Instruction ID: 7f7b2488fa89c1053580ce434d24e20d4f31c2e2b3a98436d90a0e2bd0668536
Opcode Fuzzy Hash: ee18d88f3d1f7672fa9201fa3b091fbc3bd5766460411435bcf21d38aec2210d
Instruction Fuzzy Hash: 35F05E32001259BADB225F58BC0EFCE3F59AF16310F148015FA51214E287759561CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 00149AB0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00149ACC
SetTextColor.GDI32(?,?), ref: 00149AD6
SetBkMode.GDI32(?,00000001), ref: 00149AE9
GetStockObject.GDI32(00000005), ref: 00149AF1

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 091a2879b7e05a12d3f89c091d0e3f713cbe2fd5e5bb12bfb5c88d7fdff039f0
Instruction ID: 65e66eaa1db8c139a9629ff79ef5df1d12106301bf070d34d2cb1508afe0eb00
Opcode Fuzzy Hash: 091a2879b7e05a12d3f89c091d0e3f713cbe2fd5e5bb12bfb5c88d7fdff039f0
Instruction Fuzzy Hash: 85E0E531244640AEDB216B74BC09FE97F61AB51736F188625F6B5944E4C771C680DF11

Uniqueness

Uniqueness Score: -1.00%

Function 00191CB5 Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00191CBE
OpenThreadToken.ADVAPI32(00000000,?,?,?,00191863), ref: 00191CC5
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00191863), ref: 00191CD2
OpenProcessToken.ADVAPI32(00000000,?,?,?,00191863), ref: 00191CD9

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 53e82facf8b217cdad3a90029abc357993a03ba484cd6e4c1c2fa461161304d6
Instruction ID: fcd9be8bb23106b98e3abe8d09527b6dd755e072d5f96623fdbfa5a280f1f809
Opcode Fuzzy Hash: 53e82facf8b217cdad3a90029abc357993a03ba484cd6e4c1c2fa461161304d6
Instruction Fuzzy Hash: DDE04F75641211ABDA201BA4AD0CF467F68AF40791F104428B246C9090EB64D4C1C750

Uniqueness

Uniqueness Score: -1.00%

Function 0018E924 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0018E924
GetDC.USER32(00000000), ref: 0018E92E
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0018E94E
ReleaseDC.USER32 ref: 0018E96F

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: c5b10a72010cff376493850f71f86bdd74161be359ae6468008f99bbc1285109
Instruction ID: e5f8992c6f3eb7d66d7aab6ddb49ab9eb92618a7bf73d96604b42a7d549e3e2e
Opcode Fuzzy Hash: c5b10a72010cff376493850f71f86bdd74161be359ae6468008f99bbc1285109
Instruction Fuzzy Hash: D9E01AB1800214DFCF409FA4A808E5DBFB1FB18311F108429F84AE3650D7789A92DF00

Uniqueness

Uniqueness Score: -1.00%

Function 0018E938 Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0018E938
GetDC.USER32(00000000), ref: 0018E942
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0018E94E
ReleaseDC.USER32 ref: 0018E96F

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 3ec4fe96e1443e5e9e8d2696a6696862f5a7c106cf841011d16cbeeb8a6d9524
Instruction ID: 27618bb9872636301355e8c05395de9458adc9e04dcff815b3d26ab27bd4b395
Opcode Fuzzy Hash: 3ec4fe96e1443e5e9e8d2696a6696862f5a7c106cf841011d16cbeeb8a6d9524
Instruction Fuzzy Hash: 1CE012B1800214EFCF509FB4A808A5DBFB1BB08310F108429F84AE3660CB38AA92DF00

Uniqueness

Uniqueness Score: -1.00%

Function 001A55D7 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00133205: _wcslen.LIBCMT ref: 0013320A

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 001A5724

Strings

LPT, xrefs: 001A564B
*, xrefs: 001A5660

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: ef0f6585e1fd56bd2b2c8d1dd01bc71dbf1b06145720219e9c6f969d0c2dde67
Instruction ID: d70887d6668a2ec31d0b81dbc59ea1ab7d3fad587d08b33a2bb85d1f49ed3fd6
Opcode Fuzzy Hash: ef0f6585e1fd56bd2b2c8d1dd01bc71dbf1b06145720219e9c6f969d0c2dde67
Instruction Fuzzy Hash: D591A379A04604DFCB14DF95C484EAABBF6AF45304F198099E80A9F3A2D735ED85CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0019543D Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 223comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 001955E9

Strings

Container, xrefs: 00195558
0$ , xrefs: 0019568C

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: ContainedObject
String ID: 0$ $Container
API String ID: 3565006973-1883905345
Opcode ID: af1b3aff7273ba1c99cb86f34aff31c9f31944e823270daa6b31acded88b8c05
Instruction ID: 863837f271924a65ca99741757b892427115fbf6229c6c5434f28682708787c4
Opcode Fuzzy Hash: af1b3aff7273ba1c99cb86f34aff31c9f31944e823270daa6b31acded88b8c05
Instruction Fuzzy Hash: 898116B0600601AFDB15DF54C984B6ABBF9FF48704F10856EF94ADB291EBB1A845CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0015E4FD Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0015E58D

Strings

pow, xrefs: 0015E565, 0015E582

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: d540599f16f9ce3e103e9d192deb9ff5783f0151fc7fd8b144666facb4b9245c
Instruction ID: 76f7fa42918266ad2222c8b60d12a7e780f42fb4e5f78a68c0c4ad89f973aede
Opcode Fuzzy Hash: d540599f16f9ce3e103e9d192deb9ff5783f0151fc7fd8b144666facb4b9245c
Instruction Fuzzy Hash: 34519D75E19101D6CB097714CD0137A2BE0AB10746F208E59F8F6892E9FF358EED9A47

Uniqueness

Uniqueness Score: -1.00%

Function 0014A77A Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0014A7A4

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 9390a5189233a3724f9a0acfbbbd181b4579e9781748db62ae5154186186da7c
Instruction ID: b7f38e8eccd1385742aee4d515b10f747906b200ad9245a8b12632437b40918d
Opcode Fuzzy Hash: 9390a5189233a3724f9a0acfbbbd181b4579e9781748db62ae5154186186da7c
Instruction Fuzzy Hash: 4B514435505246DFCB19EF28C450ABA7BA4FF26710FA54069EC919B2E0DB30EE42CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0014F683 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0014F694
GlobalMemoryStatusEx.KERNEL32(?), ref: 0014F6AD

Strings

@, xrefs: 0014F6A1

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: d8bd897fe66de054febf90e4a04a9e144925d00354a93521f27fee992e542e72
Instruction ID: 3730c5f0055d294f69f6ae8fe37254c4fbdf258529eb43622285875ce4f6b69f
Opcode Fuzzy Hash: d8bd897fe66de054febf90e4a04a9e144925d00354a93521f27fee992e542e72
Instruction Fuzzy Hash: 275159724187489BE320AF54E886BAFBBF8FF94314F42885DF1D8411A1EB708569CB56

Uniqueness

Uniqueness Score: -1.00%

Function 001B5F9E Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,00000000,?,0013492D,001CDCEC,00000000), ref: 001B6039
_wcslen.LIBCMT ref: 001B6045

Strings

CALLARGARRAY, xrefs: 001B603F, 001B6044

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 454d8fafb3151e645ebe215e4c4a1800329772a0af1d81b941af4ffbc2a508b7
Instruction ID: 7a8e1b9191b5d69314e7ad19d79512d402f102eb60668f3ca8b42022fba50aa3
Opcode Fuzzy Hash: 454d8fafb3151e645ebe215e4c4a1800329772a0af1d81b941af4ffbc2a508b7
Instruction Fuzzy Hash: 9041CD71A002199FCB04EFA9C8819FEBBB4FF78324F104169F515A7291EB349D81CB90

Uniqueness

Uniqueness Score: -1.00%

Function 001AD944 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 001AD980
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 001AD98A

Strings

|, xrefs: 001AD95B

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 89152bfa2194587eb8a96eba313bc3c242a88541fa32ce3bdf5627365d59241d
Instruction ID: 526d394967677860120c0b6b8d276b5653cd3fafffd185971460d08b0ca6c2cd
Opcode Fuzzy Hash: 89152bfa2194587eb8a96eba313bc3c242a88541fa32ce3bdf5627365d59241d
Instruction Fuzzy Hash: 43314BB5C04119ABCF15EFA4DC85EEEBFB9FF15304F000019F915A61A2EB319A56CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 001C3DD1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 001C3E86
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 001C3EC1

Strings

static, xrefs: 001C3E21

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 54a942004164aba44324806aeade5cdd6bf483d5140cf81a4f0e5d53bc7b45bb
Instruction ID: 37c89e50876c9a32629fa0fbc22b0e4324b027eb7dc1c1c99c969a7da7b4abce
Opcode Fuzzy Hash: 54a942004164aba44324806aeade5cdd6bf483d5140cf81a4f0e5d53bc7b45bb
Instruction Fuzzy Hash: E6315671100604AADB149F68D881FFB77A9FFA8724F10861DF9A997190DB30ED91DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 001C4D9E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 001C4E86
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 001C4E9B

Strings

', xrefs: 001C4DF5

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 3f9e3d03eff700b1f59fc7d02c588bd8925bcf685469bc3ac4080f31e1e2f424
Instruction ID: 017755a8a1fff68331ea4e224db90b6fd9f1dfd111f6308a62d774d3f32c0ef1
Opcode Fuzzy Hash: 3f9e3d03eff700b1f59fc7d02c588bd8925bcf685469bc3ac4080f31e1e2f424
Instruction Fuzzy Hash: 4B311274A0430A9FDB14CFA9C890FEABBB5FB18300F11006AE915AB392D730E941CF90

Uniqueness

Uniqueness Score: -1.00%

Function 001C3A54 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 001C3AE1
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 001C3AEC

Strings

Combobox, xrefs: 001C3AAE

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: f11ccdd4a0e311540922b8663039a91aceb7487c586f3971314f29abdde87556
Instruction ID: 6537268a1e5bda1f3a8c4d816e647965bd86ba3bef6479226ea9264e23108d8f
Opcode Fuzzy Hash: f11ccdd4a0e311540922b8663039a91aceb7487c586f3971314f29abdde87556
Instruction Fuzzy Hash: A21193713002096FEF119F54DC81FBB7B6AEBA43A4F108129F568D7290D731DD6087A0

Uniqueness

Uniqueness Score: -1.00%

Function 001C3F75 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00136653: CreateWindowExW.USER32 ref: 00136691
Part of subcall function 00136653: GetStockObject.GDI32(00000011), ref: 001366A5
Part of subcall function 00136653: SendMessageW.USER32(00000000,00000030,00000000), ref: 001366AF

GetWindowRect.USER32 ref: 001C3FDF
GetSysColor.USER32(00000012), ref: 001C3FF9

Strings

static, xrefs: 001C3FBC

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 39aa0607984b24123caf32ffff93083659291ecc8daa2b0cc76ebaa67cb0ae17
Instruction ID: e90ba7922c3af794d9ff51bfad8a9116aae165b9aa612f453ea76e52964b48be
Opcode Fuzzy Hash: 39aa0607984b24123caf32ffff93083659291ecc8daa2b0cc76ebaa67cb0ae17
Instruction Fuzzy Hash: 6C112972610209AFDB01DFA8CC46EFA7BB8EB18314F014928F965E2250D775E860DB60

Uniqueness

Uniqueness Score: -1.00%

Function 001AD56E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 001AD5CD
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 001AD5F6

Strings

<local>, xrefs: 001AD5B6

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: b8d7587d1e9107815f8bf66d7c90a44663e65448d53b7f52fd14226baab2b347
Instruction ID: ad77f79dd2eb2259a11746f962462b8f5b0a642d1c24441a08d4b733921c1879
Opcode Fuzzy Hash: b8d7587d1e9107815f8bf66d7c90a44663e65448d53b7f52fd14226baab2b347
Instruction Fuzzy Hash: 8111EC75505A367AD7384B66AC49EF7BE6CEF137ACF004226B14A93480D7709940D6F0

Uniqueness

Uniqueness Score: -1.00%

Function 001C3C8E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 001C3D10
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 001C3D1F

Strings

edit, xrefs: 001C3CF4

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: f167e193b31367f164ff39eb8327f176877fd6c254e8fec0668bfc98b77e2ea3
Instruction ID: 62f20be6609bb46c24bb118bc3f2ea00e4d27b8d3914ae23add1381b532a4d95
Opcode Fuzzy Hash: f167e193b31367f164ff39eb8327f176877fd6c254e8fec0668bfc98b77e2ea3
Instruction Fuzzy Hash: 8E118C71500208ABEB118F64EC45FFB3BA9EB24368F508729F975A31D0C771DC91ABA0

Uniqueness

Uniqueness Score: -1.00%

Function 00197324 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 0013A1B9: _wcslen.LIBCMT ref: 0013A1C3

CharUpperBuffW.USER32(?,?,?), ref: 00197354
_wcslen.LIBCMT ref: 00197360

Strings

STOP, xrefs: 0019735A, 0019735F

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: ce58f34fe7eaf91dfbe2d7ce69a308ae44d96fc49d1d06728d3b97fa30f96769
Instruction ID: 83ec284835473426ef13b697e704aa71ef3d16c5d831e091563768694ed4d22f
Opcode Fuzzy Hash: ce58f34fe7eaf91dfbe2d7ce69a308ae44d96fc49d1d06728d3b97fa30f96769
Instruction Fuzzy Hash: D8018032A281278BCF24AEFDDC419BF77A5BFA0714B500524E861A71D1EB30DA44E690

Uniqueness

Uniqueness Score: -1.00%

Function 00192368 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0013A1B9: _wcslen.LIBCMT ref: 0013A1C3

Part of subcall function 00194337: GetClassNameW.USER32 ref: 0019435A

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 001923D6

Strings

ListBox, xrefs: 001923A0
ComboBox, xrefs: 00192375

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 46928021d2abe4064e6910d8ac5ed2b0322cdfe7634a3da552339c80ce96d663
Instruction ID: 81f7311ade2973a1a700a493eb35c720a73873237d98452f2313eeb72dd2667c
Opcode Fuzzy Hash: 46928021d2abe4064e6910d8ac5ed2b0322cdfe7634a3da552339c80ce96d663
Instruction Fuzzy Hash: D5017575601228BBCF14EB64CC55DFE77A8FF55310B400519F972573D1DB34990D9660

Uniqueness

Uniqueness Score: -1.00%

Function 00192262 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0013A1B9: _wcslen.LIBCMT ref: 0013A1C3

Part of subcall function 00194337: GetClassNameW.USER32 ref: 0019435A

SendMessageW.USER32(?,00000180,00000000,?), ref: 001922D0

Strings

ListBox, xrefs: 0019229A
ComboBox, xrefs: 0019226F

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: a228570fbd3bfafcc092e41bd20589b89d35e1cc377c6a6e6f5d0997c9078199
Instruction ID: 63d9302723003e44b7df85937f813d8b0b7516846a739440de8db8b745acb37b
Opcode Fuzzy Hash: a228570fbd3bfafcc092e41bd20589b89d35e1cc377c6a6e6f5d0997c9078199
Instruction Fuzzy Hash: C501A2B5B402187BCF14EBA0CD52EFE77A89F25340F100029A9127B2C5EB209E099671

Uniqueness

Uniqueness Score: -1.00%

Function 001922E6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0013A1B9: _wcslen.LIBCMT ref: 0013A1C3

Part of subcall function 00194337: GetClassNameW.USER32 ref: 0019435A

SendMessageW.USER32(?,00000182,?,00000000), ref: 00192352

Strings

ListBox, xrefs: 0019231E
ComboBox, xrefs: 001922F3

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 9ddaff0b5e86882088bdaf86cb1526bac76d8a1690156980ec0d7cd62fba760e
Instruction ID: 24b408e36b6671810e30fcc91a93d8c8e21c63dbeb3db288cbe7c46049f550b0
Opcode Fuzzy Hash: 9ddaff0b5e86882088bdaf86cb1526bac76d8a1690156980ec0d7cd62fba760e
Instruction Fuzzy Hash: C801A2B564011877CF14E7A0C942EFF77ECBB25740F540025B902B7282DB248F099671

Uniqueness

Uniqueness Score: -1.00%

Function 001923F2 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0013A1B9: _wcslen.LIBCMT ref: 0013A1C3

Part of subcall function 00194337: GetClassNameW.USER32 ref: 0019435A

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 0019245D

Strings

ListBox, xrefs: 0019242A
ComboBox, xrefs: 001923FF

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 3f5197decb368741d615eaebf0213aca0952502fc7b4a953a91f0938816e6cad
Instruction ID: 0f705e8354b8f2c000529d609e6004a07b5f034a5bf01fd12164ee855ffa4dff
Opcode Fuzzy Hash: 3f5197decb368741d615eaebf0213aca0952502fc7b4a953a91f0938816e6cad
Instruction Fuzzy Hash: 9CF0C8B1B40228B7CF14E7A48C51FFE77ACAF11350F400925F962A72C1EF70990D8660

Uniqueness

Uniqueness Score: -1.00%

Function 0015005B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 001508E8

Part of subcall function 00153524: RaiseException.KERNEL32(?,?,?,0015090A,?,00000000,?,?,?,?,?,?,0015090A,00000000,001F9748,00000000), ref: 00153584

__CxxThrowException@8.LIBVCRUNTIME ref: 00150905

Strings

Unknown exception, xrefs: 00150912

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 46905dd4e117e623aca38ec7a08c8140b29ed35fb5bbf591e31c14f891c6fc3d
Instruction ID: 6b9e0075ef537024b0cdda6c914b7d42892aa5d9349882dcee8ddc5dc57cf1b7
Opcode Fuzzy Hash: 46905dd4e117e623aca38ec7a08c8140b29ed35fb5bbf591e31c14f891c6fc3d
Instruction Fuzzy Hash: 33F0AF2490020DF6CB16BAE4D846E9E77AC5E18792B604125BD349E4D2FB60EA1E85C0

Uniqueness

Uniqueness Score: -1.00%

Function 001C8993 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32 ref: 001C89E0
CloseHandle.KERNEL32 ref: 001C89F2

Strings

L@ , xrefs: 001C89AB

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: L@
API String ID: 3712363035-1305920123
Opcode ID: 1187dddf8e6c373de66aa3a7ba517dee6748dcf3942e7d068dcde16e6399ad08
Instruction ID: 0294b6a0f1e74ee8e2397b94a3c35742247d015d9c9d5afae0c7971f8548c657
Opcode Fuzzy Hash: 1187dddf8e6c373de66aa3a7ba517dee6748dcf3942e7d068dcde16e6399ad08
Instruction Fuzzy Hash: BFF03AF2551304BAE3143760BC89FB73E5DEB15355F018020BB08FA192E675981486B9

Uniqueness

Uniqueness Score: -1.00%

Function 001B7CD7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 001B7CEC
_wcslen.LIBCMT ref: 001B7D12

Strings

3, 3, 16, 0, xrefs: 001B7CDC

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 0
API String ID: 176396367-3261555341
Opcode ID: 5c7dedfdc8dcfcb64f0c500319e747b418c558fe9a546f41ab43fbfde190c5a4
Instruction ID: 7a436231409de066a4511837fc6cfe005be7b684046aaa1aaf42f0e9ebc7f350
Opcode Fuzzy Hash: 5c7dedfdc8dcfcb64f0c500319e747b418c558fe9a546f41ab43fbfde190c5a4
Instruction Fuzzy Hash: 6EE02B15204260558331227A9C81AFF66D8DFD97D1760282BF995C62E6EB70CCE18390

Uniqueness

Uniqueness Score: -1.00%

Function 0019119F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 001911AD

Strings

Error allocating memory., xrefs: 001911A6
AutoIt, xrefs: 001911A1

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 435c390e6f85d9fe004317a591436369655cabcb82f90599c3512925074dcf85
Instruction ID: c4b74517d43651448405bcbc4c14d18e3ea1053eff8e8b43710b6246bea735af
Opcode Fuzzy Hash: 435c390e6f85d9fe004317a591436369655cabcb82f90599c3512925074dcf85
Instruction Fuzzy Hash: CDE04F3224871976D62527E47C07F897A888F28B56F11442EFB58694C28BE2A89042AD

Uniqueness

Uniqueness Score: -1.00%

Function 00150FC2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0014FBBB: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00150FF1,?,?,?,0013100A), ref: 0014FBC0

IsDebuggerPresent.KERNEL32(?,?,?,0013100A), ref: 00150FF5
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0013100A), ref: 00151004

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00150FFF

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 7ec938c7cfcb88547bf85e88279ed5768b4db4048f97e773bf9bd24f36510923
Instruction ID: 54959496d3904aebd2cd66bd50c94ac4c2aabb2c6a8afd31ad081b5e11fba256
Opcode Fuzzy Hash: 7ec938c7cfcb88547bf85e88279ed5768b4db4048f97e773bf9bd24f36510923
Instruction Fuzzy Hash: 9FE06D70200750CFC3769F78E948742BBE0EB14302F00896DF892C7791DBB4E4888B91

Uniqueness

Uniqueness Score: -1.00%

Function 0014EBE6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0014EC23

Strings

05 , xrefs: 0014EC03
85 , xrefs: 0014EC18

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: Init_thread_footer
String ID: 05 $85
API String ID: 1385522511-1007594761
Opcode ID: 6948b67b0fcabb1a835715b10daa1aea9ba28adef8112ff84c8369389984a28b
Instruction ID: 75db837ececd22fce5c25e3e197c3b0ff0bd5c3d1b5d5ac90ecbb65b3f26c019
Opcode Fuzzy Hash: 6948b67b0fcabb1a835715b10daa1aea9ba28adef8112ff84c8369389984a28b
Instruction Fuzzy Hash: 0FE08631510BA0DBC609E768FDC99983BD9FB1D320B9041A9F5568B1F39B212A458654

Uniqueness

Uniqueness Score: -1.00%

Function 001A37E3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 001A37FB
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 001A3810

Strings

aut, xrefs: 001A3804

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: a6cca0c9e5f2f1f8b0447ba0401b7a8fe8b176c18461d02d03ea206c7908edb2
Instruction ID: 5d1eccaf67bc45fa6eca5801f89ac64ac4c0cc904320b394a80fda579f1e3b23
Opcode Fuzzy Hash: a6cca0c9e5f2f1f8b0447ba0401b7a8fe8b176c18461d02d03ea206c7908edb2
Instruction Fuzzy Hash: A3D05E7650032867DA20A760AC0EFDB7E7CDB44710F0006A1BA55920D1DAB0DA85CB90

Uniqueness

Uniqueness Score: -1.00%

Function 001C2B87 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 001C2B91
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 001C2BA4

Part of subcall function 0019F09D: Sleep.KERNEL32 ref: 0019F115

Strings

Shell_TrayWnd, xrefs: 001C2B8A

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: bb3d088f55e3120fb03083aca76b98cca7f3aa87282c1f5c514e4e4cbad40d7c
Instruction ID: 6ee3c6a7ad4c3964b3485b6b447618fdbbc8d11b67847dc24ee0c187828be081
Opcode Fuzzy Hash: bb3d088f55e3120fb03083aca76b98cca7f3aa87282c1f5c514e4e4cbad40d7c
Instruction Fuzzy Hash: B0D012313D436077F6647770EC4FFCA6E54AB60B10F0448297359AA5D1CAF4E890C754

Uniqueness

Uniqueness Score: -1.00%

Function 001C2BBB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 001C2BD1
PostMessageW.USER32(00000000), ref: 001C2BD8

Part of subcall function 0019F09D: Sleep.KERNEL32 ref: 0019F115

Strings

Shell_TrayWnd, xrefs: 001C2BCA

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: cca7fbfb7cc08bf6c9f3aa4b76bda708fb2f2360df34a0e8741d1e45a34b113c
Instruction ID: f238aa84252224507c4f09c7a10dcf4a65fc4597a0c3e674650cac0bd19cc231
Opcode Fuzzy Hash: cca7fbfb7cc08bf6c9f3aa4b76bda708fb2f2360df34a0e8741d1e45a34b113c
Instruction Fuzzy Hash: B9D0C9313C13607AF6647770AC4FFCA6A54AB65B10F0448297255AA5D1CAB4A890C658

Uniqueness

Uniqueness Score: -1.00%

Function 0016C07D Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 0016C113
GetLastError.KERNEL32 ref: 0016C121
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0016C17C

Memory Dump Source

Source File: 00000000.00000002.566904128.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true

Associated: 00000000.00000002.566895835.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.566999254.00000000001CD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567022495.00000000001F3000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567032174.00000000001FD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.567039987.0000000000205000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_130000_MXIkmvGqgT.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 4824044cea8f47b0cda4f9c4c67ad888ed284be034970dd46adc5e2d7492e27b
Instruction ID: ac1f329708eee1503d6c6ca7fd094af817bb2845e36cb073772bbfed3d1e5479
Opcode Fuzzy Hash: 4824044cea8f47b0cda4f9c4c67ad888ed284be034970dd46adc5e2d7492e27b
Instruction Fuzzy Hash: 21411731600215EFCF25AF69CC44ABA7BB5EF42350F154169FCA99B192EB309D11CBE0

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	AWS CloudTrail logs, Authentication logs, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to collect elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Application logs, Process monitoring, Windows Error Reporting
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report MXIkmvGqgT.exe.com

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: MXIkmvGqgT.exe.comPID: 5568, Parent PID: 3528

General

Chronological Activities

Disassembly

Windows Analysis Report
MXIkmvGqgT.exe.com

Function 00134E28 Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Function 00150C55 Relevance: 1.5, APIs: 1, Instructions: 3
COMMON

Function 00150346 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81
COMMON

Function 001342DF Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 001316C8 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 153
comCOMMON

Function 001346A9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Function 0016D0C1 Relevance: 4.5, APIs: 3, Instructions: 37
COMMON

Function 00132ACA Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64
COMMON

Function 00163AA0 Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMONLIBRARYCODE

Function 00132282 Relevance: 1.5, APIs: 1, Instructions: 8
COMMON