Edit tour

Windows Analysis Report
POv5Nk1dlu.exe

Overview

General Information

Sample Name:	POv5Nk1dlu.exe
Analysis ID:	756107
MD5:	14e2d1b23a073724d63ce5c9c89091cd
SHA1:	000e55014fd09600275f5b394c5be51c2bf4dad9
SHA256:	cd64bfd3940f7aabd6a74ca47beba4ef1d19f6605dee0f64e5932765a3142fba
Tags:	exe
Infos:

Detection

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Sigma detected: Drops script at startup location

Binary is likely a compiled AutoIt script file

Found API chain indicative of debugger detection

Uses schtasks.exe or at.exe to add and modify task schedules

Uses 32bit PE files

Yara signature match

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

Contains functionality to execute programs as a different user

PE file contains sections with non-standard names

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Contains functionality to launch a process as a different user

Stores files to the Windows start menu directory

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to call native functions

Contains functionality to communicate with device drivers

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to dynamically determine API calls

Contains functionality to read the clipboard data

Contains functionality to simulate keystroke presses

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Sample file is different than original file name gathered from version info

OS version to string mapping found (often used in BOTs)

Extensive use of GetProcAddress (often used to hide API calls)

Drops PE files

Tries to load missing DLLs

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to launch a program with higher privileges

Creates a start menu entry (Start Menu\Programs\Startup)

Potential key logger detected (key state polling based)

Contains functionality to retrieve information about pressed keystrokes

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Contains functionality to simulate mouse events

Found WSH timer for Javascript or VBS script (likely evasive script)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality for read data from the clipboard

Classification

Process Tree

System is w10x64

POv5Nk1dlu.exe (PID: 1408 cmdline: C:\Users\user\Desktop\POv5Nk1dlu.exe MD5: 14E2D1B23A073724D63CE5C9C89091CD)

wscript.exe (PID: 4716 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\RDVGHelper\runas.vbs" MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)

at.exe (PID: 2848 cmdline: "C:\Users\user\RDVGHelper\at.exe" MD5: 8B5794337FDF61005D3F079A792B0AA1)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runas.url	Methodology_Suspicious_Shortcut_Local_URL	Detects local script usage for .URL persistence	@itsreallynick (Nick Carr), @QW5kcmV3 (Andrew Thompson)	0x13:$file: URL=file:/// 0x56:$file: URL=file:/// 0x0:$url_explicit: [InternetShortcut] 0x43:$url_explicit: [InternetShortcut]

Sigma Signatures

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\POv5Nk1dlu.exe, ProcessId: 1408, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runas.url

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: POv5Nk1dlu.exe	ReversingLabs: Detection: 76%
Source: POv5Nk1dlu.exe	Virustotal: Detection: 73%			Perma Link

Antivirus / Scanner detection for submitted sample

Source: POv5Nk1dlu.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\RDVGHelper\at.exe

Avira: detection malicious, Label: HEUR/AGEN.1245473

Source: POv5Nk1dlu.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE, DEBUG_STRIPPED

Source: C:\Users\user\RDVGHelper\at.exe	Code function: 2_2_009BF200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_009BF200
Source: C:\Users\user\RDVGHelper\at.exe	Code function: 2_2_009B4696 GetFileAttributesW,FindFirstFileW,FindClose,	2_2_009B4696
Source: C:\Users\user\RDVGHelper\at.exe	Code function: 2_2_009BC9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	2_2_009BC9C7
Source: C:\Users\user\RDVGHelper\at.exe	Code function: 2_2_009BC93C FindFirstFileW,FindClose,	2_2_009BC93C
Source: C:\Users\user\RDVGHelper\at.exe	Code function: 2_2_009BF35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_009BF35D
Source: C:\Users\user\RDVGHelper\at.exe	Code function: 2_2_009BF65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	2_2_009BF65E
Source: C:\Users\user\RDVGHelper\at.exe	Code function: 2_2_009B3A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	2_2_009B3A2B

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer	Jump to behavior

Source: at.exe, 00000002.00000002.358917443.00000000017B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://bot.whatismyipaddress.com
Source: POv5Nk1dlu.exe, 00000000.00000002.316065070.0000000000DEF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://bot.whatismyipaddress.com6
Source: POv5Nk1dlu.exe, 00000000.00000002.316065070.0000000000DEF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.orgmTime
Source: at.exe, 00000002.00000002.358917443.00000000017B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.orgmTimed
Source: at.exe, 00000002.00000002.358917443.00000000017B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.myexternalip.com/raw
Source: POv5Nk1dlu.exe, 00000000.00000002.316065070.0000000000DEF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.myexternalip.com/raw/
Source: POv5Nk1dlu.exe, 00000000.00000002.316017878.0000000000DAD000.00000004.00000020.00020000.00000000.sdmp, at.exe, 00000002.00000002.358917443.00000000017B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org

Source: C:\Users\user\RDVGHelper\at.exe

Code function: 2_2_009C25E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

2_2_009C25E2

Source: C:\Users\user\RDVGHelper\at.exe

Code function: 2_2_009C425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalFix,CloseClipboard,GlobalUnWire,IsClipboardFormatAvailable,GetClipboardData,GlobalFix,GlobalUnWire,IsClipboardFormatAvailable,GetClipboardData,GlobalFix,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnWire,CountClipboardFormats,CloseClipboard,

2_2_009C425A

Source: C:\Users\user\Desktop\POv5Nk1dlu.exe	Code function: 0_2_00FDCDAC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,6F83BC60,6F83AF40,SetCapture,ClientToScreen,6F83B190,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		0_2_00FDCDAC
Source: C:\Users\user\RDVGHelper\at.exe	Code function: 2_2_009DCDAC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,6F83BC60,6F83AF40,SetCapture,ClientToScreen,6F83B190,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		2_2_009DCDAC

Source: C:\Users\user\Desktop\POv5Nk1dlu.exe

Code function: 0_2_00F52344 GetCursorPos,ScreenToClient,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetWindowLongW,

0_2_00F52344

Source: C:\Users\user\RDVGHelper\at.exe

2_2_009C425A

System Summary

Binary is likely a compiled AutoIt script file

Source: POv5Nk1dlu.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: POv5Nk1dlu.exe, 00000000.00000003.304290006.0000000003598000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: POv5Nk1dlu.exe, 00000000.00000003.304290006.0000000003598000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
Source: POv5Nk1dlu.exe, 00000000.00000002.316438570.0000000001005000.00000080.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: POv5Nk1dlu.exe, 00000000.00000002.316438570.0000000001005000.00000080.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
Source: C:\Users\user\RDVGHelper\at.exe	Code function: This is a third-party compiled AutoIt script.	2_2_00953B4C
Source: at.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: at.exe, 00000002.00000000.346969623.0000000000A05000.00000080.00000001.01000000.00000007.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: at.exe, 00000002.00000000.346969623.0000000000A05000.00000080.00000001.01000000.00000007.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
Source: at.exe, 00000002.00000003.350512567.0000000003CE0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: at.exe, 00000002.00000003.350512567.0000000003CE0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
Source: POv5Nk1dlu.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: POv5Nk1dlu.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
Source: at.exe.0.dr	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: at.exe.0.dr	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer

Source: POv5Nk1dlu.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE, DEBUG_STRIPPED

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runas.url, type: DROPPED

Matched rule: Methodology_Suspicious_Shortcut_Local_URL author = @itsreallynick (Nick Carr), @QW5kcmV3 (Andrew Thompson), description = Detects local script usage for .URL persistence, score = 27.09.2019, reference = https://twitter.com/cglyer/status/1176184798248919044

Source: C:\Users\user\RDVGHelper\at.exe

Code function: 2_2_009B545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

2_2_009B545F

Source: C:\Users\user\Desktop\POv5Nk1dlu.exe	Code function: 0_2_00F5E060	0_2_00F5E060
Source: C:\Users\user\Desktop\POv5Nk1dlu.exe	Code function: 0_2_00F5E800	0_2_00F5E800
Source: C:\Users\user\Desktop\POv5Nk1dlu.exe	Code function: 0_2_00F5FE40	0_2_00F5FE40
Source: C:\Users\user\Desktop\POv5Nk1dlu.exe	Code function: 0_2_00F66843	0_2_00F66843
Source: C:\Users\user\Desktop\POv5Nk1dlu.exe	Code function: 0_2_00FD804A	0_2_00FD804A
Source: C:\Users\user\Desktop\POv5Nk1dlu.exe	Code function: 0_2_00F87006	0_2_00F87006
Source: C:\Users\user\Desktop\POv5Nk1dlu.exe	Code function: 0_2_00F86522	0_2_00F86522
Source: C:\Users\user\Desktop\POv5Nk1dlu.exe	Code function: 0_2_00F6710E	0_2_00F6710E
Source: C:\Users\user\Desktop\POv5Nk1dlu.exe	Code function: 0_2_00F716C4	0_2_00F716C4
Source: C:\Users\user\Desktop\POv5Nk1dlu.exe	Code function: 0_2_00F51287	0_2_00F51287
Source: C:\Users\user\Desktop\POv5Nk1dlu.exe	Code function: 0_2_00F68A0E	0_2_00F68A0E
Source: C:\Users\user\Desktop\POv5Nk1dlu.exe	Code function: 0_2_00F7BFE6	0_2_00F7BFE6
Source: C:\Users\user\Desktop\POv5Nk1dlu.exe	Code function: 0_2_00F7DBB5	0_2_00F7DBB5
Source: C:\Users\user\RDVGHelper\at.exe	Code function: 2_2_0095E060	2_2_0095E060
Source: C:\Users\user\RDVGHelper\at.exe	Code function: 2_2_0095E800	2_2_0095E800
Source: C:\Users\user\RDVGHelper\at.exe	Code function: 2_2_0095FE40	2_2_0095FE40
Source: C:\Users\user\RDVGHelper\at.exe	Code function: 2_2_009D804A	2_2_009D804A
Source: C:\Users\user\RDVGHelper\at.exe	Code function: 2_2_00964140	2_2_00964140
Source: C:\Users\user\RDVGHelper\at.exe	Code function: 2_2_00972405	2_2_00972405
Source: C:\Users\user\RDVGHelper\at.exe	Code function: 2_2_00986522	2_2_00986522
Source: C:\Users\user\RDVGHelper\at.exe	Code function: 2_2_0098267E	2_2_0098267E
Source: C:\Users\user\RDVGHelper\at.exe	Code function: 2_2_009D0665	2_2_009D0665
Source: C:\Users\user\RDVGHelper\at.exe	Code function: 2_2_0097283A	2_2_0097283A
Source: C:\Users\user\RDVGHelper\at.exe	Code function: 2_2_00966843	2_2_00966843
Source: C:\Users\user\RDVGHelper\at.exe	Code function: 2_2_009889DF	2_2_009889DF
Source: C:\Users\user\RDVGHelper\at.exe	Code function: 2_2_00986A94	2_2_00986A94
Source: C:\Users\user\RDVGHelper\at.exe	Code function: 2_2_009D0AE2	2_2_009D0AE2
Source: C:\Users\user\RDVGHelper\at.exe	Code function: 2_2_00968A0E	2_2_00968A0E
Source: C:\Users\user\RDVGHelper\at.exe	Code function: 2_2_009B8B13	2_2_009B8B13
Source: C:\Users\user\RDVGHelper\at.exe	Code function: 2_2_009AEB07	2_2_009AEB07
Source: C:\Users\user\RDVGHelper\at.exe	Code function: 2_2_0097CD61	2_2_0097CD61
Source: C:\Users\user\RDVGHelper\at.exe	Code function: 2_2_00987006	2_2_00987006
Source: C:\Users\user\RDVGHelper\at.exe	Code function: 2_2_00963190	2_2_00963190
Source: C:\Users\user\RDVGHelper\at.exe	Code function: 2_2_0096710E	2_2_0096710E
Source: C:\Users\user\RDVGHelper\at.exe	Code function: 2_2_00951287	2_2_00951287
Source: C:\Users\user\RDVGHelper\at.exe	Code function: 2_2_009733C7	2_2_009733C7
Source: C:\Users\user\RDVGHelper\at.exe	Code function: 2_2_0097F419	2_2_0097F419
Source: C:\Users\user\RDVGHelper\at.exe	Code function: 2_2_00965680	2_2_00965680
Source: C:\Users\user\RDVGHelper\at.exe	Code function: 2_2_009716C4	2_2_009716C4
Source: C:\Users\user\RDVGHelper\at.exe	Code function: 2_2_009778D3	2_2_009778D3
Source: C:\Users\user\RDVGHelper\at.exe	Code function: 2_2_009658C0	2_2_009658C0
Source: C:\Users\user\RDVGHelper\at.exe	Code function: 2_2_0097DBB5	2_2_0097DBB5
Source: C:\Users\user\RDVGHelper\at.exe	Code function: 2_2_00971BB8	2_2_00971BB8

Source: C:\Users\user\RDVGHelper\at.exe	Code function: String function: 00957F41 appears 33 times
Source: C:\Users\user\RDVGHelper\at.exe	Code function: String function: 00970D27 appears 65 times
Source: C:\Users\user\RDVGHelper\at.exe	Code function: String function: 00978B40 appears 36 times

Source: C:\Users\user\RDVGHelper\at.exe

Code function: 2_2_009A8858 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,731F6290,731F7BC0,CreateProcessAsUserW,731F5000,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,731F7C20,

2_2_009A8858

Source: C:\Users\user\Desktop\POv5Nk1dlu.exe	Code function: 0_2_00F53633 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow,	0_2_00F53633
Source: C:\Users\user\Desktop\POv5Nk1dlu.exe	Code function: 0_2_00FDC8EE DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W,	0_2_00FDC8EE
Source: C:\Users\user\Desktop\POv5Nk1dlu.exe	Code function: 0_2_00FDC49C PostMessageW,GetFocus,GetDlgCtrlID,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W,	0_2_00FDC49C
Source: C:\Users\user\Desktop\POv5Nk1dlu.exe	Code function: 0_2_00F5189B NtdllDialogWndProc_W,	0_2_00F5189B
Source: C:\Users\user\Desktop\POv5Nk1dlu.exe	Code function: 0_2_00FDC86D SendMessageW,NtdllDialogWndProc_W,	0_2_00FDC86D
Source: C:\Users\user\Desktop\POv5Nk1dlu.exe	Code function: 0_2_00FDCC2E ClientToScreen,6F83B270,NtdllDialogWndProc_W,	0_2_00FDCC2E
Source: C:\Users\user\Desktop\POv5Nk1dlu.exe	Code function: 0_2_00FDCDAC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,6F83BC60,6F83AF40,SetCapture,ClientToScreen,6F83B190,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,	0_2_00FDCDAC
Source: C:\Users\user\Desktop\POv5Nk1dlu.exe	Code function: 0_2_00FDCD6C GetWindowLongW,NtdllDialogWndProc_W,	0_2_00FDCD6C
Source: C:\Users\user\Desktop\POv5Nk1dlu.exe	Code function: 0_2_00F516DE GetParent,NtdllDialogWndProc_W,	0_2_00F516DE
Source: C:\Users\user\Desktop\POv5Nk1dlu.exe	Code function: 0_2_00FDD6C6 NtdllDialogWndProc_W,	0_2_00FDD6C6
Source: C:\Users\user\Desktop\POv5Nk1dlu.exe	Code function: 0_2_00F516B5 NtdllDialogWndProc_W,	0_2_00F516B5
Source: C:\Users\user\Desktop\POv5Nk1dlu.exe	Code function: 0_2_00F51290 NtdllDialogWndProc_W,GetClientRect,GetCursorPos,ScreenToClient,	0_2_00F51290
Source: C:\Users\user\Desktop\POv5Nk1dlu.exe	Code function: 0_2_00FDDA9A NtdllDialogWndProc_W,	0_2_00FDDA9A
Source: C:\Users\user\Desktop\POv5Nk1dlu.exe	Code function: 0_2_00F51287 NtdllDialogWndProc_W,GetSysColor,SetBkColor,73324310,NtdllDialogWndProc_W,	0_2_00F51287
Source: C:\Users\user\Desktop\POv5Nk1dlu.exe	Code function: 0_2_00FDC27C 6F83B200,6F83B5E0,ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W,	0_2_00FDC27C
Source: C:\Users\user\Desktop\POv5Nk1dlu.exe	Code function: 0_2_00F5167D NtdllDialogWndProc_W,	0_2_00F5167D
Source: C:\Users\user\Desktop\POv5Nk1dlu.exe	Code function: 0_2_00FDC220 NtdllDialogWndProc_W,	0_2_00FDC220
Source: C:\Users\user\Desktop\POv5Nk1dlu.exe	Code function: 0_2_00FDCBF9 NtdllDialogWndProc_W,	0_2_00FDCBF9
Source: C:\Users\user\Desktop\POv5Nk1dlu.exe	Code function: 0_2_00FDCBAE NtdllDialogWndProc_W,	0_2_00FDCBAE
Source: C:\Users\user\Desktop\POv5Nk1dlu.exe	Code function: 0_2_00FDC788 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W,	0_2_00FDC788
Source: C:\Users\user\Desktop\POv5Nk1dlu.exe	Code function: 0_2_00FDCB7F NtdllDialogWndProc_W,	0_2_00FDCB7F
Source: C:\Users\user\Desktop\POv5Nk1dlu.exe	Code function: 0_2_00FDCB50 NtdllDialogWndProc_W,	0_2_00FDCB50
Source: C:\Users\user\Desktop\POv5Nk1dlu.exe	Code function: 0_2_00FDD74C GetSystemMetrics,GetSystemMetrics,MoveWindow,SendMessageW,SendMessageW,ShowWindow,InvalidateRect,NtdllDialogWndProc_W,	0_2_00FDD74C
Source: C:\Users\user\RDVGHelper\at.exe	Code function: 2_2_00953633 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow,	2_2_00953633
Source: C:\Users\user\RDVGHelper\at.exe	Code function: 2_2_009DC220 NtdllDialogWndProc_W,	2_2_009DC220
Source: C:\Users\user\RDVGHelper\at.exe	Code function: 2_2_009DC27C 6F83B200,6F83B5E0,ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W,	2_2_009DC27C
Source: C:\Users\user\RDVGHelper\at.exe	Code function: 2_2_009DC49C PostMessageW,GetFocus,GetDlgCtrlID,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W,	2_2_009DC49C
Source: C:\Users\user\RDVGHelper\at.exe	Code function: 2_2_009DC788 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W,	2_2_009DC788
Source: C:\Users\user\RDVGHelper\at.exe	Code function: 2_2_009DC8EE DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W,	2_2_009DC8EE
Source: C:\Users\user\RDVGHelper\at.exe	Code function: 2_2_009DC86D SendMessageW,NtdllDialogWndProc_W,	2_2_009DC86D
Source: C:\Users\user\RDVGHelper\at.exe	Code function: 2_2_009DCBAE NtdllDialogWndProc_W,	2_2_009DCBAE
Source: C:\Users\user\RDVGHelper\at.exe	Code function: 2_2_009DCBF9 NtdllDialogWndProc_W,	2_2_009DCBF9
Source: C:\Users\user\RDVGHelper\at.exe	Code function: 2_2_009DCB50 NtdllDialogWndProc_W,	2_2_009DCB50
Source: C:\Users\user\RDVGHelper\at.exe	Code function: 2_2_009DCB7F NtdllDialogWndProc_W,	2_2_009DCB7F
Source: C:\Users\user\RDVGHelper\at.exe	Code function: 2_2_009DCC2E ClientToScreen,6F83B270,NtdllDialogWndProc_W,	2_2_009DCC2E
Source: C:\Users\user\RDVGHelper\at.exe	Code function: 2_2_009DCDAC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,6F83BC60,6F83AF40,SetCapture,ClientToScreen,6F83B190,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,	2_2_009DCDAC
Source: C:\Users\user\RDVGHelper\at.exe	Code function: 2_2_009DCD6C GetWindowLongW,NtdllDialogWndProc_W,	2_2_009DCD6C
Source: C:\Users\user\RDVGHelper\at.exe	Code function: 2_2_00951290 NtdllDialogWndProc_W,GetClientRect,GetCursorPos,ScreenToClient,	2_2_00951290
Source: C:\Users\user\RDVGHelper\at.exe	Code function: 2_2_00951287 NtdllDialogWndProc_W,GetSysColor,SetBkColor,73324310,NtdllDialogWndProc_W,	2_2_00951287
Source: C:\Users\user\RDVGHelper\at.exe	Code function: 2_2_009516B5 NtdllDialogWndProc_W,	2_2_009516B5
Source: C:\Users\user\RDVGHelper\at.exe	Code function: 2_2_009516DE GetParent,NtdllDialogWndProc_W,	2_2_009516DE
Source: C:\Users\user\RDVGHelper\at.exe	Code function: 2_2_009DD6C6 NtdllDialogWndProc_W,	2_2_009DD6C6
Source: C:\Users\user\RDVGHelper\at.exe	Code function: 2_2_0095167D NtdllDialogWndProc_W,	2_2_0095167D
Source: C:\Users\user\RDVGHelper\at.exe	Code function: 2_2_009DD74C GetSystemMetrics,GetSystemMetrics,MoveWindow,SendMessageW,SendMessageW,ShowWindow,InvalidateRect,NtdllDialogWndProc_W,	2_2_009DD74C
Source: C:\Users\user\RDVGHelper\at.exe	Code function: 2_2_0095189B NtdllDialogWndProc_W,	2_2_0095189B
Source: C:\Users\user\RDVGHelper\at.exe	Code function: 2_2_009DDA9A NtdllDialogWndProc_W,	2_2_009DDA9A

Source: C:\Users\user\RDVGHelper\at.exe

Code function: 2_2_009B40B1: CreateFileW,_memset,DeviceIoControl,CloseHandle,

2_2_009B40B1

Source: POv5Nk1dlu.exe, 00000000.00000003.305755579.00000000034A1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewinresume2 vs POv5Nk1dlu.exe
Source: POv5Nk1dlu.exe, 00000000.00000003.303502621.00000000034A9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewinresume2 vs POv5Nk1dlu.exe
Source: POv5Nk1dlu.exe, 00000000.00000002.315183078.0000000000B90000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FV_ORIGINALFILENAME1 vs POv5Nk1dlu.exe
Source: POv5Nk1dlu.exe, 00000000.00000002.315295636.0000000000C16000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FV_ORIGINALFILENAME vs POv5Nk1dlu.exe
Source: POv5Nk1dlu.exe, 00000000.00000002.315295636.0000000000C16000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs POv5Nk1dlu.exe
Source: POv5Nk1dlu.exe, 00000000.00000000.301657715.000000000106B000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamewinresume2 vs POv5Nk1dlu.exe
Source: POv5Nk1dlu.exe, 00000000.00000002.315224332.0000000000BBF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewinresume2 vs POv5Nk1dlu.exe
Source: POv5Nk1dlu.exe, 00000000.00000003.302533451.0000000000C16000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FV_ORIGINALFILENAME vs POv5Nk1dlu.exe
Source: POv5Nk1dlu.exe, 00000000.00000003.302533451.0000000000C16000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs POv5Nk1dlu.exe
Source: POv5Nk1dlu.exe, 00000000.00000003.302345223.0000000000B9E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FV_ORIGINALFILENAME vs POv5Nk1dlu.exe
Source: POv5Nk1dlu.exe, 00000000.00000003.302345223.0000000000B9E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs POv5Nk1dlu.exe
Source: POv5Nk1dlu.exe	Binary or memory string: OriginalFilenamewinresume2 vs POv5Nk1dlu.exe

Source: C:\Windows\System32\wscript.exe

Section loaded: sfc.dll

Jump to behavior

Source: POv5Nk1dlu.exe	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: at.exe.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: POv5Nk1dlu.exe	ReversingLabs: Detection: 76%
Source: POv5Nk1dlu.exe	Virustotal: Detection: 73%

Source: C:\Users\user\Desktop\POv5Nk1dlu.exe

File read: C:\Users\user\Desktop\POv5Nk1dlu.exe

Jump to behavior

Source: C:\Users\user\Desktop\POv5Nk1dlu.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\POv5Nk1dlu.exe C:\Users\user\Desktop\POv5Nk1dlu.exe
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\RDVGHelper\runas.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\RDVGHelper\at.exe "C:\Users\user\RDVGHelper\at.exe"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\RDVGHelper\at.exe "C:\Users\user\RDVGHelper\at.exe"	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: C:\Users\user\RDVGHelper\at.exe	Code function: 2_2_009A8713 AdjustTokenPrivileges,CloseHandle,		2_2_009A8713
Source: C:\Users\user\RDVGHelper\at.exe	Code function: 2_2_009A8CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		2_2_009A8CC3

Source: C:\Users\user\Desktop\POv5Nk1dlu.exe

File created: C:\Users\user\RDVGHelper

Jump to behavior

Source: classification engine

Classification label: mal84.expl.evad.winEXE@4/3@0/0

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\RDVGHelper\at.exe

Code function: 2_2_009BB59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

2_2_009BB59E

Source: C:\Users\user\Desktop\POv5Nk1dlu.exe

Code function: 0_2_00FBA2D5 GetLastError,FormatMessageW,

0_2_00FBA2D5

Source: C:\Users\user\Desktop\POv5Nk1dlu.exe

Code function: 0_2_00FB3E91 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00FB3E91

Source: C:\Users\user\RDVGHelper\at.exe

Code function: 2_2_00954FE9 76DCC0F0,FindResourceExW,LoadResource,SizeofResource,LockResource,

2_2_00954FE9

Source: unknown

Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\RDVGHelper\runas.vbs"

Source: C:\Users\user\Desktop\POv5Nk1dlu.exe	Automated click: OK
Source: C:\Users\user\RDVGHelper\at.exe	Automated click: OK

Source: POv5Nk1dlu.exe

Static file information: File size 1348104 > 1048576

Source: C:\Users\user\Desktop\POv5Nk1dlu.exe	Code function: 0_2_00F78B85 push ecx; ret		0_2_00F78B98
Source: C:\Users\user\RDVGHelper\at.exe	Code function: 2_2_00978B85 push ecx; ret		2_2_00978B98

Source: POv5Nk1dlu.exe	Static PE information: section name: .imports
Source: at.exe.0.dr	Static PE information: section name: .imports

Source: C:\Users\user\Desktop\POv5Nk1dlu.exe

Code function: 0_2_00F54D61 LoadLibraryA,GetProcAddress,

0_2_00F54D61

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Source: C:\Users\user\Desktop\POv5Nk1dlu.exe

File created: C:\Users\user\RDVGHelper\at.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\System32\wscript.exe

Process created: C:\Users\user\RDVGHelper\at.exe "C:\Users\user\RDVGHelper\at.exe"

Source: C:\Users\user\Desktop\POv5Nk1dlu.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runas.url

Jump to behavior

Source: C:\Users\user\Desktop\POv5Nk1dlu.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runas.url

Jump to behavior

Source: C:\Users\user\Desktop\POv5Nk1dlu.exe	Code function: 0_2_00F54A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	0_2_00F54A35
Source: C:\Users\user\RDVGHelper\at.exe	Code function: 2_2_00954A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	2_2_00954A35
Source: C:\Users\user\RDVGHelper\at.exe	Code function: 2_2_009D55FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	2_2_009D55FD

Source: C:\Users\user\RDVGHelper\at.exe

Code function: 2_2_009733C7 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

2_2_009733C7

Source: C:\Users\user\Desktop\POv5Nk1dlu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\POv5Nk1dlu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\RDVGHelper\at.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\RDVGHelper\at.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\POv5Nk1dlu.exe	API coverage: 6.2 %
Source: C:\Users\user\RDVGHelper\at.exe	API coverage: 5.6 %

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Users\user\RDVGHelper\at.exe

Code function: 2_2_00954AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

2_2_00954AFE

Source: C:\Users\user\RDVGHelper\at.exe	Code function: 2_2_009BF200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_009BF200
Source: C:\Users\user\RDVGHelper\at.exe	Code function: 2_2_009B4696 GetFileAttributesW,FindFirstFileW,FindClose,	2_2_009B4696
Source: C:\Users\user\RDVGHelper\at.exe	Code function: 2_2_009BC9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	2_2_009BC9C7
Source: C:\Users\user\RDVGHelper\at.exe	Code function: 2_2_009BC93C FindFirstFileW,FindClose,	2_2_009BC93C
Source: C:\Users\user\RDVGHelper\at.exe	Code function: 2_2_009BF35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_009BF35D
Source: C:\Users\user\RDVGHelper\at.exe	Code function: 2_2_009BF65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	2_2_009BF65E
Source: C:\Users\user\RDVGHelper\at.exe	Code function: 2_2_009B3A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	2_2_009B3A2B

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer	Jump to behavior

Anti Debugging

Found API chain indicative of debugger detection

Source: C:\Users\user\Desktop\POv5Nk1dlu.exe

Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep

Source: C:\Users\user\Desktop\POv5Nk1dlu.exe

Code function: 0_2_00F85CCC RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,MessageBoxW,

0_2_00F85CCC

Source: C:\Users\user\Desktop\POv5Nk1dlu.exe

0_2_00F85CCC

Source: C:\Users\user\Desktop\POv5Nk1dlu.exe

Code function: 0_2_00F54D61 LoadLibraryA,GetProcAddress,

0_2_00F54D61

Source: C:\Users\user\RDVGHelper\at.exe

Code function: 2_2_009A81F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,RtlAllocateHeap,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

2_2_009A81F7

Source: C:\Users\user\RDVGHelper\at.exe

Code function: 2_2_009C41FD BlockInput,

2_2_009C41FD

Source: C:\Users\user\Desktop\POv5Nk1dlu.exe	Code function: 0_2_00F7A395 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00F7A395
Source: C:\Users\user\RDVGHelper\at.exe	Code function: 2_2_0097A395 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_0097A395
Source: C:\Users\user\RDVGHelper\at.exe	Code function: 2_2_0097A364 SetUnhandledExceptionFilter,	2_2_0097A364

Source: C:\Users\user\RDVGHelper\at.exe

Code function: 2_2_009A8C93 LogonUserW,

2_2_009A8C93

Source: C:\Users\user\Desktop\POv5Nk1dlu.exe

Code function: 0_2_00F54A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_00F54A35

Source: C:\Users\user\RDVGHelper\at.exe

Code function: 2_2_00953B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

2_2_00953B4C

Source: C:\Windows\System32\wscript.exe

Process created: C:\Users\user\RDVGHelper\at.exe "C:\Users\user\RDVGHelper\at.exe"

Jump to behavior

Source: C:\Users\user\RDVGHelper\at.exe

Code function: 2_2_009B4EC9 mouse_event,

2_2_009B4EC9

Source: C:\Users\user\RDVGHelper\at.exe

2_2_009A81F7

Source: C:\Users\user\RDVGHelper\at.exe

Code function: 2_2_009B4C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

2_2_009B4C03

Source: POv5Nk1dlu.exe, at.exe.0.dr	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: POv5Nk1dlu.exe, at.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\RDVGHelper\at.exe

Code function: 2_2_0097886B cpuid

2_2_0097886B

Source: C:\Users\user\Desktop\POv5Nk1dlu.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\POv5Nk1dlu.exe

Code function: 0_2_00F850D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00F850D7

Source: C:\Users\user\RDVGHelper\at.exe

Code function: 2_2_0098418A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

2_2_0098418A

Source: C:\Users\user\RDVGHelper\at.exe

Code function: 2_2_00954AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

2_2_00954AFE

Source: C:\Users\user\RDVGHelper\at.exe

Code function: 2_2_00992230 GetUserNameW,

2_2_00992230

Source: at.exe	Binary or memory string: WIN_81
Source: at.exe	Binary or memory string: WIN_XP
Source: at.exe, 00000002.00000002.358422252.0000000001607000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WIN_XP&
Source: at.exe	Binary or memory string: WIN_XPe
Source: at.exe	Binary or memory string: WIN_VISTA
Source: POv5Nk1dlu.exe, 00000000.00000003.302345223.0000000000B9E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WIN_XP3r\
Source: at.exe	Binary or memory string: WIN_7
Source: at.exe	Binary or memory string: WIN_8
Source: at.exe.0.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Source: C:\Users\user\RDVGHelper\at.exe	Code function: 2_2_009C6596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		2_2_009C6596
Source: C:\Users\user\RDVGHelper\at.exe	Code function: 2_2_009C6A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		2_2_009C6A5A

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
2 Valid Accounts	11 Scripting	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 System Shutdown/Reboot
Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	Exfiltration Over Bluetooth	1 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	2 Valid Accounts	11 Scripting	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	2 Clipboard Data	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	2 Registry Run Keys / Startup Folder	21 Access Token Manipulation	21 Obfuscated Files or Information	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	12 Process Injection	1 Software Packing	LSA Secrets	13 Security Software Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	1 Scheduled Task/Job	1 DLL Side-Loading	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	2 Registry Run Keys / Startup Folder	1 Masquerading	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	2 Valid Accounts	Proc Filesystem	1 Application Window Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	1 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	21 Access Token Manipulation	Network Sniffing	Process Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact
Compromise Software Dependencies and Development Tools	Windows Command Shell	Cron	Cron	12 Process Injection	Input Capture	Permission Groups Discovery	Replication Through Removable Media	Remote Data Staging	Exfiltration Over Physical Medium	Mail Protocols			Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
POv5Nk1dlu.exe	77%	ReversingLabs	Win32.Backdoor.NanoCore
POv5Nk1dlu.exe	73%	Virustotal		Browse
POv5Nk1dlu.exe	100%	Avira	HEUR/AGEN.1245473

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\RDVGHelper\at.exe	100%	Avira	HEUR/AGEN.1245473

Unpacked PE Files

Source	Detection	Scanner	Label	Download
0.0.POv5Nk1dlu.exe.f50000.0.unpack	100%	Avira	HEUR/AGEN.1245473	Download File
2.0.at.exe.950000.0.unpack	100%	Avira	HEUR/AGEN.1245473	Download File
2.2.at.exe.950000.0.unpack	100%	Avira	HEUR/AGEN.1220844	Download File
0.2.POv5Nk1dlu.exe.f50000.0.unpack	100%	Avira	HEUR/AGEN.1220844	Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://checkip.dyndns.orgmTimed	0%	Avira URL Cloud	safe
http://bot.whatismyipaddress.com6	0%	Avira URL Cloud	safe
http://checkip.dyndns.orgmTime	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.ipify.org	POv5Nk1dlu.exe, 00000000.00000002.316017878.0000000000DAD000.00000004.00000020.00020000.00000000.sdmp, at.exe, 00000002.00000002.358917443.00000000017B4000.00000004.00000020.00020000.00000000.sdmp	false		high
http://checkip.dyndns.orgmTimed	at.exe, 00000002.00000002.358917443.00000000017B4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://bot.whatismyipaddress.com	at.exe, 00000002.00000002.358917443.00000000017B4000.00000004.00000020.00020000.00000000.sdmp	false		high
http://bot.whatismyipaddress.com6	POv5Nk1dlu.exe, 00000000.00000002.316065070.0000000000DEF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.myexternalip.com/raw	at.exe, 00000002.00000002.358917443.00000000017B4000.00000004.00000020.00020000.00000000.sdmp	false		high
http://checkip.dyndns.orgmTime	POv5Nk1dlu.exe, 00000000.00000002.316065070.0000000000DEF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.myexternalip.com/raw/	POv5Nk1dlu.exe, 00000000.00000002.316065070.0000000000DEF000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	756107
Start date and time:	2022-11-29 16:40:49 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 36s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	POv5Nk1dlu.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal84.expl.evad.winEXE@4/3@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 0.9% (good quality ratio 0.9%) Quality average: 78.5% Quality standard deviation: 11.3%
HCA Information:	Successful, ratio: 64% Number of executed functions: 96 Number of non-executed functions: 251
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, conhost.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ctldl.windowsupdate.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
16:41:51	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runas.url

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runas.url

Download File

Process:	C:\Users\user\Desktop\POv5Nk1dlu.exe
File Type:	Generic INItialization configuration [InternetShortcut]
Category:	modified
Size (bytes):	134
Entropy (8bit):	4.778942459748406
Encrypted:	false
SSDEEP:	3:HRAbABGQVuOUVifX5XQw0ylyLABGQVuOUVifX5XQw0W:HRYF5OLX5XQw08YF5OLX5XQw0W
MD5:	A84D228A61B08792024FF4337CC606F6
SHA1:	92DD57483FFF604A9848EDF1B060EB9BD11D6C42
SHA-256:	8CA3F2A55F27D106D5521C66C109B98CF9A13EAD480A46AA8F3906E1DD645F9B
SHA-512:	13663A0862CD250CBB2AAF238A77A97F4528A5E0E200C79C3B16AF30076290F2338F4C5D14B7B7E390DC4B8D39A5C0BBA77C648D86F9023722EFEB9E15CF2F77
Malicious:	true
Yara Hits:	Rule: Methodology_Suspicious_Shortcut_Local_URL, Description: Detects local script usage for .URL persistence, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runas.url, Author: @itsreallynick (Nick Carr), @QW5kcmV3 (Andrew Thompson)
Reputation:	low
Preview:	[InternetShortcut].URL=file:///C:\Users\user\RDVGHelper\runas.vbs[InternetShortcut].URL=file:///C:\Users\user\RDVGHelper\runas.vbs

C:\Users\user\RDVGHelper\at.exe

Download File

Process:	C:\Users\user\Desktop\POv5Nk1dlu.exe
File Type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed
Category:	dropped
Size (bytes):	1348112
Entropy (8bit):	5.849778682930291
Encrypted:	false
SSDEEP:	24576:4AHnh+eWsN3skA4RV1Hom2KXDuFLLJiEzeyG75B:/h+ZkldoPKT4L4Ez3G9B
MD5:	8B5794337FDF61005D3F079A792B0AA1
SHA1:	61FAEBE8AB40D8C124AC8A5D060964EB9AF877A8
SHA-256:	184491C39AC7E31E86978E965583BEB6D692885B27C91003EF497A53CED6D70C
SHA-512:	6515FF218949A2F2DA753430F9469B40A887906955D31905C730F5340480780673367CFEC7E72DFE09AE34EF045366C8A5F5A22C32ABE5E13ABABBD7DC2EC3AB
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r...........#.S..._@'.S...R.k.S....".S...RichR...................PE..L...H..\.........."......`...P...P.......`........@.......................................@...@.......@.........................\|........D...................@..4q..................................t...H...........................................UPX0.....P.......P......................UPX1.....`...`...\...T..............@....rsrc....P.......J..................@....imports.0.......$..................@....reloc.......@...r..................@...........................................................................................................................................................................................................................................................................................

C:\Users\user\RDVGHelper\runas.vbs

Download File

Process:	C:\Users\user\Desktop\POv5Nk1dlu.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	106
Entropy (8bit):	4.736102681477269
Encrypted:	false
SSDEEP:	3:jaPcYonh3QBHoUVifX5EtACHn:jk+h8ILX5G1
MD5:	2372F2EE2222AB931284A8D08A10C318
SHA1:	C5DED8E64290FE4C74BC5FBADCCDF0BCAA5C6C7F
SHA-256:	E791FD8D094533E9CCA63CF23B8BEB8AB8F0E2F447BE2FDF1EE1B3B5A1DFD988
SHA-512:	B6EC56F1EC2ECE19C3370B8F53A92251D82D811AFEE9C202535AC565247236B76040D22A9EB7DDD77A2988E2C8BC4C42EE4A010558379D2A96B74BE109C4606D
Malicious:	false
Reputation:	low
Preview:	Set WshShell = WScript.CreateObject("WScript.Shell")..WshShell.Run """C:\Users\user\RDVGHelper\at.exe"""

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed
Entropy (8bit):	5.8497727328429265
TrID:	Win32 Executable (generic) a (10002005/4) 99.39% UPX compressed Win32 Executable (30571/9) 0.30% Win32 EXE Yoda's Crypter (26571/9) 0.26% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02%
File name:	POv5Nk1dlu.exe
File size:	1348104
MD5:	14e2d1b23a073724d63ce5c9c89091cd
SHA1:	000e55014fd09600275f5b394c5be51c2bf4dad9
SHA256:	cd64bfd3940f7aabd6a74ca47beba4ef1d19f6605dee0f64e5932765a3142fba
SHA512:	882164c258e762be8129ff85f1fcffe5c37df46931a2fcf7275673d0f982fbb6e2c0a7008ea6ddec5983e78162a2085f21f2d3f95f95e5f9e0b32462e7913a25
SSDEEP:	24576:4AHnh+eWsN3skA4RV1Hom2KXDuFLLJiEzeyG75Z:/h+ZkldoPKT4L4Ez3G9Z
TLSH:	4A558D02B3928035FEAE91739B59B20156BCFD64013385FF1298DD79BA701A11F2E66F
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..

File Icon


Icon Hash:	868c661b1d9cc4e6

Static PE Info

General

Entrypoint:	0x42800a
Entrypoint Section:	UPX0
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE, DEBUG_STRIPPED
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x5CCFBA48 [Mon May 6 04:38:32 2019 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	bd3825b6e0410966f0c31f64b6c7644a

Entrypoint Preview

Instruction
call 00007F55550BFA3Dh
jmp 00007F55550B27F4h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F55550B297Ah
cmp edi, eax
jc 00007F55550B2CDEh
bt dword ptr [004C41FCh], 01h
jnc 00007F55550B2979h
rep movsb
jmp 00007F55550B2C8Ch
cmp ecx, 00000080h
jc 00007F55550B2B44h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F55550B2980h
bt dword ptr [004BF324h], 01h
jc 00007F55550B2E50h
bt dword ptr [004C41FCh], 00000000h
jnc 00007F55550B2B1Dh
test edi, 00000003h
jne 00007F55550B2B2Eh
test esi, 00000003h
jne 00007F55550B2B0Dh
bt edi, 02h
jnc 00007F55550B297Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F55550B2983h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F55550B29D5h
bt esi, 03h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD5 build 40629
[RES] VS2013 build 21005
[LNK] VS2013 UPD5 build 40629

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x141000	0x17c	.imports
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x10c000	0x34414	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x144000	0x7134	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x10ba74	0x48	UPX1
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
UPX0	0x1000	0xb5000	0xb5000	False	0.5158192334254144	data	6.647020934312938	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX1	0xb6000	0x56000	0x55c00	False	0.07822749635568513	data	1.3367400085274173	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x10c000	0x35000	0x34a00	False	0.6905943809382423	data	6.924446867745964	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.imports	0x141000	0x3000	0x2400	False	0.3615451388888889	data	4.6777086279249716	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x144000	0x8000	0x7200	False	0.7617530153508771	data	6.783955557128661	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x10c4e4	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain
RT_ICON	0x10c610	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain
RT_ICON	0x10c73c	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain
RT_ICON	0x10c868	0xeac8	Device independent bitmap graphic, 300 x 600 x 4, image size 57600	English	Great Britain
RT_MENU	0x11b334	0x50	data	English	Great Britain
RT_STRING	0x11b388	0x48b8	data
RT_STRING	0x11fc44	0x48b8	data
RT_STRING	0x124500	0x594	data	English	Great Britain
RT_STRING	0x124a98	0x68a	data	English	Great Britain
RT_STRING	0x125128	0x490	data	English	Great Britain
RT_STRING	0x1255bc	0x5fc	data	English	Great Britain
RT_STRING	0x125bbc	0x65c	data	English	Great Britain
RT_STRING	0x12621c	0x466	data	English	Great Britain
RT_STRING	0x126688	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain
RT_RCDATA	0x1267e4	0x19560	data
RT_GROUP_ICON	0x13fd48	0x14	data	English	Great Britain
RT_GROUP_ICON	0x13fd60	0x14	data	English	Great Britain
RT_GROUP_ICON	0x13fd78	0x14	data	English	Great Britain
RT_GROUP_ICON	0x13fd90	0x14	data	English	Great Britain
RT_VERSION	0x13fda8	0x278	data	English	United States
RT_MANIFEST	0x140024	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain

Imports

DLL	Import
KERNEL32.DLL	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit
PSAPI.DLL	GetProcessMemoryInfo
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain
English	United States

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: POv5Nk1dlu.exePID: 1408, Parent PID: 3324

General

Target ID:	0
Start time:	16:41:46
Start date:	29/11/2022
Path:	C:\Users\user\Desktop\POv5Nk1dlu.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\POv5Nk1dlu.exe
Imagebase:	0xf50000
File size:	1348104 bytes
MD5 hash:	14E2D1B23A073724D63CE5C9C89091CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: wscript.exePID: 4716, Parent PID: 3324

General

Target ID:	1
Start time:	16:41:59
Start date:	29/11/2022
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\RDVGHelper\runas.vbs"
Imagebase:	0x7ff6caef0000
File size:	163840 bytes
MD5 hash:	9A68ADD12EB50DDE7586782C3EB9FF9C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: at.exePID: 2848, Parent PID: 4716

General

Target ID:	2
Start time:	16:42:07
Start date:	29/11/2022
Path:	C:\Users\user\RDVGHelper\at.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\RDVGHelper\at.exe"
Imagebase:	0x950000
File size:	1348112 bytes
MD5 hash:	8B5794337FDF61005D3F079A792B0AA1
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira
Reputation:	low

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: POv5Nk1dlu.exePID: 1408, Parent PID: 3324COMMON

Executed Functions

Function 00F53633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
timewindowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtdllDefWindowProc_W.USER32(?,?,?,?), ref: 00F536D2
KillTimer.USER32(?,00000001), ref: 00F536FC
SetTimer.USER32 ref: 00F5371F
RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00F5372A
CreatePopupMenu.USER32 ref: 00F5373E
PostQuitMessage.USER32(00000000), ref: 00F5375F

Strings

TaskbarCreated, xrefs: 00F53725

Memory Dump Source

Source File: 00000000.00000002.316268130.0000000000F51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.316260119.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316369334.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316375172.0000000000FE0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316438570.0000000001005000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316460548.000000000100F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316503289.0000000001055000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316514363.000000000105C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316525512.000000000106B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316568333.0000000001091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316573795.0000000001094000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_POv5Nk1dlu.jbxd

Similarity

API ID: Timer$ClipboardCreateFormatKillMenuMessageNtdllPopupPostProc_QuitRegisterWindow
String ID: TaskbarCreated
API String ID: 157504867-2362178303
Opcode ID: 11fe8763805a90cb782c562901e9a1bd3d25d44e0badefd5b1a7383d498f7194
Instruction ID: 291aaf47dc0140466583962fd3d3e1a36c2ac2bff1a568e62487993914340467
Opcode Fuzzy Hash: 11fe8763805a90cb782c562901e9a1bd3d25d44e0badefd5b1a7383d498f7194
Instruction Fuzzy Hash: 2C412CB2A041096BDB206F7CEC09FB93755EB04392F140129FF42C6295CAAE9E4DB761

Uniqueness

Uniqueness Score: -1.00%

Function 00F5FE40 Relevance: 5.5, APIs: 3, Instructions: 1040COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.316268130.0000000000F51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.316260119.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316369334.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316375172.0000000000FE0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316438570.0000000001005000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316460548.000000000100F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316503289.0000000001055000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316514363.000000000105C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316525512.000000000106B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316568333.0000000001091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316573795.0000000001094000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_POv5Nk1dlu.jbxd

Similarity

API ID: BuffCharUpper
String ID:
API String ID: 3964851224-0
Opcode ID: 797312c99761c56f5e7c77f6795e28029a171114e8969526789f4428938876b6
Instruction ID: ede84fe269064cafd7248ceecdeea744c985b109a898278a05498bcff3ae1644
Opcode Fuzzy Hash: 797312c99761c56f5e7c77f6795e28029a171114e8969526789f4428938876b6
Instruction Fuzzy Hash: E8926875A083418FDB24DF14C480B2BB7E1BF85314F24896DE98A8B352DB75EC45EB92

Uniqueness

Uniqueness Score: -1.00%

Function 00F5E060 Relevance: 3.5, APIs: 2, Instructions: 539
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.316268130.0000000000F51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.316260119.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316369334.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316375172.0000000000FE0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316438570.0000000001005000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316460548.000000000100F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316503289.0000000001055000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316514363.000000000105C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316525512.000000000106B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316568333.0000000001091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316573795.0000000001094000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_POv5Nk1dlu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff8f961d0fc3cead9b1a604f3f4ecfe02d4f7c5bc299403e27741419e14b2802
Instruction ID: cf75fb6daf5e6f16e02bf750a0883077774afe54fdc86872cc974db65a896e7e
Opcode Fuzzy Hash: ff8f961d0fc3cead9b1a604f3f4ecfe02d4f7c5bc299403e27741419e14b2802
Instruction Fuzzy Hash: 3B228D75E00215CFDB28DF54C880BAABBB1FF04311F148469EE569B341E774AA89EB91

Uniqueness

Uniqueness Score: -1.00%

Function 00F5E800 Relevance: 2.4, Strings: 1, Instructions: 1102COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 00F9428C

Memory Dump Source

Source File: 00000000.00000002.316268130.0000000000F51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.316260119.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316369334.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316375172.0000000000FE0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316438570.0000000001005000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316460548.000000000100F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316503289.0000000001055000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316514363.000000000105C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316525512.000000000106B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316568333.0000000001091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316573795.0000000001094000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_POv5Nk1dlu.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: 939c50ce164ac9c65c8fb0df06bb9bf09595ac01e6db8a419543e5c688ed0abe
Instruction ID: a17eddf9c97b7bb5019ec15fb3672768c8100e5f4ba8544f7694f61a23cdb384
Opcode Fuzzy Hash: 939c50ce164ac9c65c8fb0df06bb9bf09595ac01e6db8a419543e5c688ed0abe
Instruction Fuzzy Hash: 3BA28D75E00205CFDB28CF58C480AA9B7B1FF58311F248059EE56AB355D739EE4AEB81

Uniqueness

Uniqueness Score: -1.00%

Function 00F60B30 Relevance: 57.3, APIs: 27, Strings: 5, Instructions: 1300
windowsleeptimeCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E00F60B30(void* __ebx, void* __ecx, void* __fp0, signed int _a4, void* _a1912631230, struct HWND__* _a1912631242, signed int _a1912631254, intOrPtr _a1912631258, void* _a1912631262, struct HWND__* _a1912631266, void* _a1912631270, int _a1912631274, intOrPtr _a1912631282, char _a1912631294, intOrPtr _a1912631298, struct HWND__* _a1912631302, struct HWND__* _a1912631310, int _a1912631314, signed int _a1912631330, char _a1912631350, char _a1912631406, char _a1912631458) {
				struct tagMSG _v32;
				char _v48;
				char _v52;
				char _v56;
				char _v60;
				char _v68;
				char _v72;
				char _v96;
				char _v100;
				char _v104;
				char _v108;
				char _v112;
				char _v120;
				char _v124;
				char _v128;
				int _v136;
				struct HWND__* _v140;
				struct HWND__* _v148;
				int _v152;
				struct HWND__* _v156;
				struct HWND__* _v164;
				signed int _v168;
				char _v172;
				char _v176;
				char _v180;
				int* _v192;
				struct tagMSG _v216;
				int _v224;
				intOrPtr _v228;
				int _v232;
				struct HWND__* _v236;
				signed int _v240;
				struct HWND__* _v244;
				struct HWND__* _v248;
				signed int _v256;
				char _v257;
				void* _v260;
				struct HWND__* _v264;
				intOrPtr _v268;
				int _v272;
				struct HWND__* _v276;
				char _v280;
				char _v284;
				signed int _v288;
				long _v292;
				void* _v296;
				long _v300;
				void* _v304;
				int _v312;
				struct HWND__* _v316;
				void* _v320;
				struct HWND__* _v324;
				signed int _v328;
				signed int _v332;
				char _v333;
				intOrPtr _v336;
				void* _v340;
				signed int _v344;
				intOrPtr _v352;
				long _v356;
				struct HWND__* _v364;
				void* __edi;
				intOrPtr _t473;
				signed int _t475;
				intOrPtr _t476;
				void* _t477;
				intOrPtr _t478;
				void* _t484;
				void* _t490;
				signed int _t492;
				int _t494;
				long _t495;
				void* _t498;
				void* _t520;
				int _t536;
				short* _t541;
				int* _t542;
				void** _t543;
				void* _t549;
				intOrPtr _t577;
				void _t578;
				void* _t587;
				intOrPtr _t594;
				void _t595;
				int _t598;
				void* _t599;
				void* _t600;
				void* _t602;
				signed int _t608;
				int _t609;
				signed int _t613;
				intOrPtr _t620;
				signed int _t622;
				void* _t631;
				void* _t637;
				int _t645;
				intOrPtr _t648;
				intOrPtr _t649;
				intOrPtr _t650;
				intOrPtr _t651;
				intOrPtr _t653;
				signed int _t656;
				intOrPtr* _t657;
				intOrPtr _t659;
				intOrPtr _t660;
				int _t675;
				signed int _t676;
				void* _t690;
				int _t691;
				long _t692;
				void* _t704;
				void* _t705;
				long _t708;
				short _t709;
				void* _t710;
				void* _t713;
				void* _t734;
				void* _t741;
				void* _t742;
				void* _t748;
				signed int _t765;
				void* _t770;
				signed int _t779;
				void* _t796;
				signed int _t799;
				void* _t800;
				void* _t803;
				intOrPtr _t806;
				void* _t807;
				signed int _t839;
				void* _t840;
				void* _t844;
				void* _t847;
				long _t849;
				void* _t850;
				intOrPtr _t851;
				intOrPtr _t852;
				long _t853;
				signed int _t858;
				void* _t864;
				signed int _t865;
				void* _t867;
				intOrPtr* _t868;
				void* _t869;
				int* _t870;
				void* _t871;
				signed int _t874;
				signed int _t875;
				signed int _t877;
				signed int _t878;
				intOrPtr* _t880;
				intOrPtr _t882;
				signed int _t883;
				void* _t885;
				void* _t922;

				_t932 = __fp0;
				_t748 = __ebx;
				_t885 = (_t883 & 0xfffffff8) - 0x160;
				_t847 = __ecx;
				_v296 = __ecx;
				_t473 =  *((intOrPtr*)(__ecx + 0xec));
				if(_t473 >= 0xed8) {
					 *0x1016280 = 0;
					_t475 = E00FBA0B5(__ecx, __fp0, 0x9a, 0xffffffff) | 0xffffffff;
					L56:
					return _t475;
				}
				_t476 = _t473 + 1;
				 *((intOrPtr*)(__ecx + 0xec)) = _t476;
				if(_t476 == 1) {
					L90:
					_t477 =  *(__ecx + 0x11c);
					_v300 = _t477;
					while(1) {
						__eflags = _t477;
						if(__eflags == 0) {
							goto L2;
						}
						_t742 = E00F59FBD(_t847,  *_t477);
						__eflags = _t742;
						if(_t742 != 0) {
							__eflags =  *((intOrPtr*)(_t742 + 0x10)) + 1;
							E00FA68BF(_t847, _t838, _t932,  *((intOrPtr*)(_t742 + 0x10)) + 1, 1);
						}
						_t753 =  &_v300;
						E00FA6CEA(_t753,  &_v292);
						_t477 = _v304;
					}
				}
				L2:
				 *((char*)(_t847 + 0x144)) = 0;
				if( *((char*)(_t847 + 0xfc)) != 0) {
					L53:
					_t478 =  *((intOrPtr*)(_t847 + 0xec));
					 *((char*)(_t847 + 0x144)) = 0;
					if(_t478 == 1) {
						E00F611D0(_t847);
						__eflags =  *((char*)(_t847 + 0xfc)) - 1;
						if(__eflags == 0) {
							L55:
							_t475 = 0;
							goto L56;
						}
						E00F611F3(_t847, _t838, __eflags, _t932);
						LockWindowUpdate(0);
						DestroyWindow( *0x10162ac);
						_t484 = GetMessageW( &_v32, 0, 0, 0);
						__eflags = _t484;
						if(_t484 <= 0) {
							goto L55;
						}
						do {
							TranslateMessage( &_v32);
							DispatchMessageW( &_v32);
							_t490 = GetMessageW( &_v32, 0, 0, 0);
							__eflags = _t490;
						} while (_t490 > 0);
						goto L55;
					}
					 *((intOrPtr*)(_t847 + 0xec)) = _t478 - 1;
					goto L55;
				} else {
					while(1) {
						_t838 = 2;
						if( *((char*)(_t847 + 0x144)) != 0) {
							goto L53;
						}
						if( *0x1016281 != 0) {
							__eflags =  *((char*)(_t847 + 0x145));
							if(__eflags == 0) {
								L11:
								if( *0x10174a8 != 0) {
									_t492 =  *0x10174ac; // 0x0
									_t858 =  *(_t492 + 4);
									_v356 =  *_t492;
									L00F7106C(_t492);
									 *0x10174a8 =  *0x10174a8 - 1;
									_t885 = _t885 + 4;
									 *0x10174ac = _t858;
									asm("sbb esi, esi");
									_t753 = 0;
									 *0x10174b0 =  *0x10174b0 &  ~_t858;
									_t838 =  *(_t847 + 0x1c8);
									_v340 = 0;
									__eflags = _t838;
									if(_t838 == 0) {
										L125:
										__eflags = _t753 - _t838;
										if(__eflags == 0) {
											_t838 = 2;
											goto L12;
										}
										_t734 = E00F59FBD(_t847,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t847 + 0x1c4)) + _t753 * 4)))) + 8);
										E00F581A7(_t847 + 0x14c,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t847 + 0x1c4)) + _v344 * 4)))) + 0x18);
										_t753 = _t847;
										E00F5B89C(_t753, _t838, _t932,  *((intOrPtr*)(_t734 + 0x10)) + 1, 1, 0);
										L51:
										L52:
										if( *((char*)(_t847 + 0xfc)) == 0) {
											continue;
										}
										goto L53;
									}
									_t882 =  *((intOrPtr*)(_t847 + 0x1c4));
									_t853 = _v356;
									do {
										_t741 =  *( *(_t882 + _t753 * 4));
										__eflags = _t741;
										if(_t741 == 0) {
											goto L123;
										}
										__eflags =  *_t741 - _t853;
										if( *_t741 == _t853) {
											break;
										}
										L123:
										_t753 = _t753 + 1;
										__eflags = _t753 - _t838;
									} while (_t753 < _t838);
									_t847 = _v296;
									_v340 = _t753;
									goto L125;
								}
								L12:
								if( *0x1016287 == 1) {
									__eflags =  *0x1016281;
									if(__eflags != 0) {
										goto L13;
									}
									Sleep(0xa);
									goto L52;
								}
								L13:
								if( *((intOrPtr*)(_t847 + 0x454)) == 0 ||  *0x101741c != 0) {
									L22:
									if( *0x10167bc == 0 ||  *((char*)(_t847 + 0x458)) == 1) {
										L32:
										if( *((intOrPtr*)(_t847 + 0x184)) != 0) {
											__eflags =  *((char*)(_t847 + 0x484)) - 1;
											if(__eflags == 0) {
												goto L33;
											}
											 *((char*)(_t847 + 0x484)) = 1;
											_v264 = 0;
											_v180 = 0xfdfb84;
											_v344 = 0;
											_v176 = 0;
											_v172 = 0;
											_v168 = 0;
											E00FB9C9F( &_v128, _t847,  *((intOrPtr*)(_t847 + 0x188)));
											E00FAD9E3(_t847 + 0x184);
											_t872 = _v128;
											_v232 = 0;
											E00F59997(E00F59AC0(_t748,  &_v240,  *_v128), _t748,  *((intOrPtr*)(_t872 + 4)));
											_t838 = E00F59FBD(_t847,  *((intOrPtr*)( *((intOrPtr*)(_t872 + 4)) + 8)));
											_v344 = _t838;
											_t765 =  *(_t838 + 0x10);
											_t520 = E00F571C8(_t765);
											 *(_t847 + 0xf4) = _t765;
											_t874 = 3;
											__eflags =  *(_t838 + 0x14);
											_v320 = _t520;
											if( *(_t838 + 0x14) <= 0) {
												L174:
												E00F58561(_t838,  *(_t838 + 0x10));
												_t875 = 3;
												_v292 = 3;
												_v344 = 1;
												__eflags =  *((intOrPtr*)(_v336 + 0x14)) - 1;
												if(__eflags < 0) {
													L215:
													E00F57F41(_t748,  &_v48, __eflags, L"@COM_EVENTOBJ");
													__eflags = _v228 - 6;
													E00F58620(_t847,  &_v52, (0 | _v228 != 0x00000006) - 0x00000001 & _v240, 0, 1);
													E00F55A64( &_v68);
													E00F5B89C(_t847, _t838, _t932,  *((intOrPtr*)(_v352 + 0x10)) + 1, 0, 0);
													E00F5843F(_t748, 0x1017280);
													_t770 = _v260;
													__eflags = _t770;
													if(_t770 != 0) {
														E00F57B3D(_t770, _t770);
														_v232 = 0;
													}
													_t536 = _v224;
													__eflags = _t536 - 5;
													if(__eflags < 0) {
														L253:
														_v224 = 1;
														_v236 = 0;
														E00FA66F4( &_v128);
														_t753 =  &_v180;
														E00FA66F4(_t753);
														 *((char*)(_t847 + 0x484)) = 0;
														goto L51;
													} else {
														_t608 = _t536 + 0xfffffffb;
														__eflags = _t608 - 0xa;
														if(__eflags > 0) {
															goto L253;
														}
														switch( *((intOrPtr*)(_t608 * 4 +  &M00F960E5))) {
															case 0:
																__eflags = __esi;
																if(__eflags != 0) {
																	__ecx = __esi;
																	__eax = E00F58E34(__ecx, __edi, __eflags, __ecx);
																}
																goto L253;
															case 1:
																goto L253;
															case 2:
																__eflags = __esi;
																if(__eflags == 0) {
																	goto L253;
																}
																_push(__esi);
																__eax =  *0xfdf45c();
																goto L252;
															case 3:
																__eflags = __esi;
																if(__eflags == 0) {
																	goto L253;
																}
																__ecx = __esi + 8;
																goto L251;
															case 4:
																__eax = L00F7106C( *((intOrPtr*)(__esi + 4)));
																goto L252;
															case 5:
																__eflags = __esi;
																if(__eflags != 0) {
																	__ecx = __esi;
																	__eax = E00FA73F0(__ecx, __ecx);
																}
																goto L253;
															case 6:
																__eflags = __esi;
																if(__eflags == 0) {
																	goto L253;
																}
																__ecx = __esi;
																L251:
																__eax = E00F55A64(__ecx);
																L252:
																__eax = L00F7106C(__esi);
																goto L253;
															case 7:
																__eflags = __esi;
																if(__eflags != 0) {
																	__ecx = __esi;
																	__eax = E00FA7405(__ebx, __ecx, __edi, __ecx);
																}
																goto L253;
														}
													}
												} else {
													goto L175;
												}
												do {
													L175:
													_t839 = 0;
													_v256 = 0;
													_t799 =  *(_v304 + 4);
													_v356 = _t799;
													_t620 =  *((intOrPtr*)(_t799 + _t875 * 4));
													__eflags =  *(_t620 + 8);
													if( *(_t620 + 8) != 0) {
														L182:
														_t849 = _v356;
														_t840 = 4 + _t875 * 4;
														_v328 = 1;
														_t800 = 0;
														__eflags = 0;
														_t877 = _v328;
														while(1) {
															_t622 =  *( *((intOrPtr*)(_t840 + _t849)) + 8) & 0x0000ffff;
															__eflags = _t622 - 0x47;
															if(_t622 != 0x47) {
																goto L185;
															}
															L184:
															_t800 = _t800 + 1;
															L196:
															_t877 = _t877 + 1;
															_t840 = _t840 + 4;
															_t622 =  *( *((intOrPtr*)(_t840 + _t849)) + 8) & 0x0000ffff;
															__eflags = _t622 - 0x47;
															if(_t622 != 0x47) {
																goto L185;
															}
															goto L184;
															L185:
															__eflags = _t622 - 0x48;
															if(_t622 != 0x48) {
																__eflags = _t622 - 0x40;
																if(_t622 != 0x40) {
																	goto L196;
																}
																__eflags = _t800;
																if(_t800 == 0) {
																	L187:
																	_t847 = _v296;
																	_t838 = _v256;
																	_v328 = _t877;
																	_t877 = _v288;
																	__eflags = _v340 - _v264;
																	if(_v340 <= _v264) {
																		__eflags = _t838;
																		E00F58620(_t847,  *((intOrPtr*)( *((intOrPtr*)(_v356 + _t877 * 4)))),  *_v344, _t838, 1);
																		goto L214;
																	}
																	_v324 = 0;
																	_v356 = _t877 + 2;
																	_v316 = 0;
																	_push(_v328 + _t877);
																	_v312 = 1;
																	_push( &_v324);
																	_push( &_v356);
																	_push(_v304);
																	_t637 = E00F5A000(_t748, _t847, _t932);
																	__eflags = _t637;
																	if(_t637 < 0) {
																		_t796 = _a1912631270;
																		__eflags = _t796;
																		if(_t796 != 0) {
																			E00F57B3D(_t796, _t796);
																			_a1912631266 = 0;
																		}
																		_t609 = _a1912631274;
																		__eflags = _t609 - 5;
																		if(_t609 < 5) {
																			L171:
																			_a1912631274 = 1;
																			_a1912631262 = 0;
																			L172:
																			E00F59DF0(_t748,  &_a1912631350);
																			E00FA66F4( &_a1912631458);
																			_t753 =  &_a1912631406;
																			E00FA66F4(_t753);
																			 *((char*)(_t847 + 0x484)) = 0;
																			goto L33;
																		} else {
																			_t613 = _t609 + 0xfffffffb;
																			__eflags = _t613 - 0xa;
																			if(_t613 > 0xa) {
																				goto L171;
																			}
																			switch( *((intOrPtr*)(_t613 * 4 +  &M00F96111))) {
																				case 0:
																					__ecx = _a1912631262;
																					__eflags = __ecx;
																					if(__eflags != 0) {
																						__eax = E00F58E34(__ecx, __edi, __eflags, __ecx);
																					}
																					goto L171;
																				case 1:
																					goto L171;
																				case 2:
																					_t614 = _a1912631262;
																					__eflags = _t614;
																					if(_t614 == 0) {
																						goto L171;
																					}
																					_push(_t614);
																					 *0xfdf45c();
																					_push(_a1912631258);
																					goto L170;
																				case 3:
																					__esi = _a1912631262;
																					__eflags = __esi;
																					if(__esi == 0) {
																						goto L171;
																					}
																					_t353 = __esi + 8; // 0x8
																					__ecx = _t353;
																					goto L169;
																				case 4:
																					_a1912631262 = L00F7106C( *((intOrPtr*)(_a1912631262 + 4)));
																					_push(_a1912631262);
																					goto L170;
																				case 5:
																					__ecx = _a1912631262;
																					__eflags = __ecx;
																					if(__ecx != 0) {
																						__eax = E00FA73F0(__ecx, __ecx);
																					}
																					goto L171;
																				case 6:
																					__esi = _a1912631262;
																					__eflags = __esi;
																					if(__esi == 0) {
																						goto L171;
																					}
																					__ecx = __esi;
																					L169:
																					__eax = E00F55A64(__ecx);
																					_push(__esi);
																					L170:
																					L00F7106C();
																					_t885 = _t885 + 4;
																					goto L171;
																				case 7:
																					__ecx = _a1912631262;
																					__eflags = __ecx;
																					if(__ecx != 0) {
																						__eax = E00FA7405(__ebx, __ecx, __edi, __ecx);
																					}
																					goto L171;
																			}
																		}
																	}
																	E00F58620(_t847,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_a1912631282 + 4)) + _t877 * 4)))),  &_a1912631262, _a1912631330 | 0x00000200, 1);
																	_t800 = _a1912631254;
																	__eflags = _t800;
																	if(_t800 != 0) {
																		E00F57B3D(_t800, _t800);
																		_a1912631266 = 0;
																	}
																	_t645 = _a1912631274;
																	__eflags = _t645 - 5;
																	if(_t645 < 5) {
																		L212:
																		_a1912631274 = 1;
																		_a1912631262 = 0;
																		goto L214;
																	} else {
																		_t622 = _t645 + 0xfffffffb;
																		__eflags = _t622 - 0xa;
																		if(_t622 > 0xa) {
																			goto L212;
																		}
																		switch( *((intOrPtr*)(_t622 * 4 +  &M00F960B9))) {
																			case 0:
																				__ecx = _a1912631262;
																				__eflags = __ecx;
																				if(__eflags != 0) {
																					__eax = E00F58E34(__ecx, __edi, __eflags, __ecx);
																				}
																				goto L212;
																			case 1:
																				goto L212;
																			case 2:
																				__eax = _a1912631262;
																				__eflags = __eax;
																				if(__eax == 0) {
																					goto L212;
																				}
																				_push(__eax);
																				__eax =  *0xfdf45c();
																				_push(_a1912631258);
																				goto L211;
																			case 3:
																				__eax = _a1912631262;
																				_a1912631230 = __eax;
																				__eflags = __eax;
																				if(__eax == 0) {
																					goto L212;
																				}
																				_t307 = __eax + 8; // 0x8
																				__ecx = _t307;
																				goto L210;
																			case 4:
																				_a1912631262 = L00F7106C( *((intOrPtr*)(_a1912631262 + 4)));
																				_push(_a1912631262);
																				goto L211;
																			case 5:
																				__ecx = _a1912631262;
																				__eflags = __ecx;
																				if(__ecx != 0) {
																					__eax = E00FA73F0(__ecx, __ecx);
																				}
																				goto L212;
																			case 6:
																				__eax = _a1912631262;
																				_a1912631230 = __eax;
																				__eflags = __eax;
																				if(__eax == 0) {
																					goto L212;
																				}
																				__ecx = __eax;
																				L210:
																				__eax = E00F55A64(__ecx);
																				_push(_a1912631230);
																				L211:
																				__eax = L00F7106C();
																				__esp = __esp + 4;
																				goto L212;
																			case 7:
																				__ecx = _a1912631262;
																				__eflags = __ecx;
																				if(__ecx != 0) {
																					__eax = E00FA7405(__ebx, __ecx, __edi, __ecx);
																				}
																				goto L212;
																		}
																	}
																}
																goto L196;
															}
															_t800 = _t800 - 1;
															__eflags = _t800;
															if(_t800 >= 0) {
																goto L196;
															}
															goto L187;
														}
													} else {
														goto L176;
													}
													do {
														L176:
														_t648 =  *((intOrPtr*)( *((intOrPtr*)(_t799 + _t875 * 4))));
														__eflags = _t648 - 0x24;
														if(_t648 == 0x24) {
															L179:
															_t875 = _t875 + 1;
															__eflags = _t875;
															goto L180;
														}
														__eflags = _t648 - 0x1e;
														if(_t648 != 0x1e) {
															goto L180;
														}
														_t839 = 0x100;
														goto L179;
														L180:
														_t649 =  *((intOrPtr*)(_t799 + _t875 * 4));
														__eflags =  *((short*)(_t649 + 8));
													} while ( *((short*)(_t649 + 8)) == 0);
													_v256 = _t839;
													_v288 = _t875;
													goto L182;
													L214:
													_v344 = _v344 + 4;
													_t875 = _t877 + _v328 + 1;
													_t631 = _v340 + 1;
													_v288 = _t875;
													_v340 = _t631;
													__eflags = _t631 -  *((intOrPtr*)(_v332 + 0x14));
												} while (__eflags <= 0);
												goto L215;
											}
											_t842 = _v124 + 8;
											__eflags = _t842;
											_v328 = _t842;
											while(1) {
												_t803 =  *((intOrPtr*)(_t520 + 4));
												_v340 = _t803;
												_t650 =  *((intOrPtr*)(_t803 + _t874 * 4));
												__eflags =  *((short*)(_t650 + 8));
												if( *((short*)(_t650 + 8)) != 0) {
													goto L155;
												}
												L147:
												_t838 =  *(_v304 + 4);
												do {
													_t657 =  *((intOrPtr*)(_t838 + 4 + _t874 * 4));
													__eflags =  *((short*)(_t657 + 8)) - 0x33;
													if( *((short*)(_t657 + 8)) == 0x33) {
														L151:
														_t659 =  *((intOrPtr*)( *((intOrPtr*)(_t838 + _t874 * 4))));
														__eflags = _t659 - 0x24;
														if(_t659 == 0x24) {
															goto L153;
														}
														__eflags = _t659 - 0x1e;
														if(_t659 != 0x1e) {
															L167:
															E00FBA0B5(_t847, _t932, 0x91,  *((short*)( *((intOrPtr*)( *(_v304 + 4) + 4 + _t874 * 4)) + 0xa)));
															goto L172;
														}
														goto L153;
													}
													__eflags =  *((intOrPtr*)( *((intOrPtr*)(_t838 + _t874 * 4)))) -  *_t657;
													if( *((intOrPtr*)( *((intOrPtr*)(_t838 + _t874 * 4)))) ==  *_t657) {
														goto L167;
													}
													_t803 = _v340;
													goto L151;
													L153:
													_t660 =  *((intOrPtr*)(_t803 + 4 + _t874 * 4));
													_t874 = _t874 + 1;
													__eflags =  *((short*)(_t660 + 8));
												} while ( *((short*)(_t660 + 8)) == 0);
												_t842 = _v328;
												L155:
												_t651 =  *((intOrPtr*)(_t803 + 4 + _t874 * 4));
												_t878 = _t874 + 1;
												__eflags =  *((short*)(_t651 + 8)) - 0x41;
												if( *((short*)(_t651 + 8)) != 0x41) {
													L162:
													E00FA6665(_t748,  &_v180,  *_t842);
													_t874 = _t878 + 1;
													_t653 = _v336;
													_t806 = _v268 + 1;
													_t842 = _v332 + 4;
													_v268 = _t806;
													_v332 = _v332 + 4;
													__eflags = _t806 -  *((intOrPtr*)(_t653 + 0x14));
													if(_t806 >=  *((intOrPtr*)(_t653 + 0x14))) {
														_t838 = _v332;
														_v344 = _v176;
														goto L174;
													}
													_t520 = _v304;
													_t803 =  *((intOrPtr*)(_t520 + 4));
													_v340 = _t803;
													_t650 =  *((intOrPtr*)(_t803 + _t874 * 4));
													__eflags =  *((short*)(_t650 + 8));
													if( *((short*)(_t650 + 8)) != 0) {
														goto L155;
													}
													goto L147;
												}
												_t844 = _v340;
												_t878 = _t878 + 1;
												_t807 = 0;
												__eflags = 0;
												while(1) {
													_t656 =  *( *((intOrPtr*)(_t844 + _t878 * 4)) + 8) & 0x0000ffff;
													__eflags = _t656 - 0x47;
													if(_t656 != 0x47) {
														goto L159;
													}
													L158:
													_t807 = _t807 + 1;
													L166:
													_t878 = _t878 + 1;
													_t656 =  *( *((intOrPtr*)(_t844 + _t878 * 4)) + 8) & 0x0000ffff;
													__eflags = _t656 - 0x47;
													if(_t656 != 0x47) {
														goto L159;
													}
													goto L158;
													L159:
													__eflags = _t656 - 0x48;
													if(_t656 != 0x48) {
														__eflags = _t656 - 0x40;
														if(_t656 != 0x40) {
															goto L166;
														}
														__eflags = _t807;
														if(_t807 == 0) {
															L161:
															_t842 = _v328;
															goto L162;
														}
														goto L166;
													}
													_t807 = _t807 - 1;
													__eflags = _t807;
													if(_t807 >= 0) {
														goto L166;
													}
													goto L161;
												}
											}
										}
										L33:
										if( *0x1016930 != 0) {
											__eflags =  *((char*)(_t847 + 0x459)) - 1;
											if(__eflags == 0) {
												goto L34;
											}
											E00F577C7( &(_v216.message), __eflags);
											while(1) {
												_t498 = E00FB28F7(0x1016890,  &_v216);
												__eflags = _t498;
												if(_t498 == 0) {
													break;
												}
												__eflags = _v216.wParam;
												if(_v216.wParam == 0) {
													continue;
												}
												_t871 = E00F59FBD(_t847,  &(_v216.message));
												__eflags = _t871;
												if(_t871 == 0) {
													continue;
												}
												_v148 = 0;
												_v140 = 0;
												_v136 = 1;
												E00F59A20(_t748,  &_v148);
												_v136 = 1;
												_v148 = _v216.hwnd;
												E00F57F41(_t748,  &_v96, __eflags, L"@TRAY_ID");
												E00F58B13(0x1017270, _t838, _t847, __eflags,  &_v100,  &_v152, 1);
												E00F55A64( &_v112);
												 *((char*)(_t847 + 0x459)) = 1;
												E00F5B89C(_t847, _t838, _t932,  *((intOrPtr*)(_t871 + 0x10)) + 1, 1, 0);
												 *((char*)(_t847 + 0x459)) = 0;
												E00F59A20(_t748,  &_v176);
												_t753 =  &_v240;
												E00F55A64(_t753);
												goto L51;
											}
											_t753 =  &(_v216.message);
											E00F55A64(_t753);
										}
										L34:
										_t494 =  *(_t847 + 0xf8);
										if(_t494 == 7) {
											_t495 = WaitForSingleObject( *(_t847 + 0x444), 0xa);
											_v292 = _t495;
											__eflags = _t495 - 0x102;
											if(__eflags == 0) {
												goto L51;
											}
											GetExitCodeProcess( *(_t847 + 0x444),  &_v292);
											CloseHandle( *(_t847 + 0x444));
											_v356 = _v292;
											L265:
											_push(_t753);
											_t753 =  *((intOrPtr*)( *_t847 + 4)) + _t847;
											E00F6FF13(_t753,  &_v356);
											L97:
											 *((char*)(_t847 + 0x144)) = 1;
											 *(_t847 + 0xf8) = 0;
											goto L51;
										}
										if(_t494 == 2) {
											L84:
											Sleep(0xa);
											__eflags =  *(_t847 + 0x2f0);
											if( *(_t847 + 0x2f0) == 0) {
												L88:
												_t675 =  *(_t847 + 0xf8);
												__eflags = _t675 - 3;
												if(__eflags < 0) {
													goto L51;
												}
												_t676 = _t675 - 3;
												__eflags = _t676 - 3;
												if(__eflags > 0) {
													goto L51;
												} else {
													switch( *((intOrPtr*)(_t676 * 4 +  &M00F9613D))) {
														case 0:
															__ecx = __edi;
															__eax = E00F5B93D(__ecx, __edx, __eflags, __fp0, 1);
															goto L297;
														case 1:
															__ecx = __edi;
															__eax = E00F5B93D(__ecx, __edx, __eflags, __fp0, 1);
															goto L293;
														case 2:
															_t753 = _t847;
															_t677 = E00FD61AC(_t753, _t838, __eflags, _t932);
															L297:
															_t862 = _t677;
															__eflags = _t862;
															if(__eflags >= 0) {
																goto L299;
															}
															goto L298;
														case 3:
															__ecx = __edi;
															__eax = E00FD61AC(__ecx, __edx, __eflags, __fp0);
															L293:
															__esi = __eax;
															__eflags = __esi;
															if(__eflags < 0) {
																L298:
																_t828 =  *((intOrPtr*)( *_t847 + 4)) + _t847;
																E00FA6AA3(_t828,  ~_t862, 0);
																_push(_t828);
																_v364 = 0;
																_t753 =  *((intOrPtr*)( *_t847 + 4)) + _t847;
																_t677 = E00F6FF13(_t753,  &_v364);
																__eflags = _t862;
																L299:
																if(__eflags == 0) {
																	goto L51;
																}
																__eflags = _t862;
																if(_t862 <= 0) {
																	L304:
																	_t753 =  *(_t847 + 0x2f4);
																	 *((char*)(_t847 + 0x144)) = 1;
																	 *(_t847 + 0xf8) = 0;
																	E00FB54E6(_t677, _t753, _t932);
																	goto L51;
																}
																L301:
																_t677 =  *(_t847 + 0xf8);
																__eflags = _t677 - 5;
																if(_t677 == 5) {
																	L303:
																	_v164 = 0;
																	_v156 = 0;
																	_v152 = 1;
																	E00F59A20(_t748,  &_v164);
																	_v152 = 7;
																	_v164 =  *( *(_t847 + 0x1f0));
																	__eflags =  *((intOrPtr*)( *_t847 + 4)) + _t847;
																	E00FA6A50( *((intOrPtr*)( *_t847 + 4)) + _t847, _t847,  &_v164, 0);
																	_t677 = E00F59A20(_t748,  &_v172);
																	goto L304;
																}
																__eflags = _t677 - 3;
																if(_t677 != 3) {
																	goto L304;
																}
																goto L303;
															}
															if(__eflags > 0) {
																goto L51;
															}
															goto L301;
													}
												}
												goto L90;
											}
											_t753 =  *(_t847 + 0x2f8);
											_t690 = E00F70719(_t753);
											__eflags = _t838;
											if(__eflags < 0) {
												goto L88;
											}
											if(__eflags > 0) {
												L96:
												__eflags =  *(_t847 + 0xf8) - 2;
												if(__eflags != 0) {
													_v356 = 0;
													goto L265;
												}
												goto L97;
											}
											__eflags = _t690 -  *(_t847 + 0x2f0);
											if(_t690 >=  *(_t847 + 0x2f0)) {
												goto L96;
											}
											goto L88;
										}
										if(_t494 == 8 || _t494 == 9) {
											Sleep(0xa);
											__eflags =  *(_t847 + 0x43c);
											if( *(_t847 + 0x43c) == 0) {
												L311:
												_t691 =  *(_t847 + 0xf8);
												_t864 = 0;
												_v333 = 0;
												_v356 = 0;
												__eflags = _t691 - 8;
												if(_t691 != 8) {
													__eflags = _t691 - 9;
													if(__eflags != 0) {
														goto L51;
													}
													L315:
													_t753 =  *(_t847 + 0x448);
													_t692 = 0xcccccccc;
													_v300 = 0xcccccccc;
													__eflags = _t753;
													if(_t753 == 0) {
														L319:
														__eflags =  *(_t847 + 0xf8) - 8;
														if( *(_t847 + 0xf8) != 8) {
															_t753 =  *((intOrPtr*)( *_t847 + 4)) + _t847;
															__eflags = _t753;
															E00F6FF61(_t748, _t753, _t692, 0);
														} else {
															_v356 = _t864;
															asm("fild dword [esp+0x8]");
															__eflags = _t864;
															if(__eflags < 0) {
																_t932 = _t932 +  *0x100bac8;
															}
															_push(_t753);
															_v356 = _t932;
															_t753 =  *((intOrPtr*)( *_t847 + 4)) + _t847;
															E00FCCC41(_t748, _t753,  &_v356);
														}
														 *((char*)(_t847 + 0x144)) = 1;
														 *(_t847 + 0xf8) = 0;
														Sleep( *(_t847 + 0x2f4));
														goto L51;
													}
													GetExitCodeProcess(_t753,  &_v300);
													__eflags = _v300 - 0x103;
													if(_v300 != 0x103) {
														L318:
														CloseHandle( *(_t847 + 0x448));
														_t692 = _v300;
														 *(_t847 + 0x448) = 0;
														goto L319;
													}
													__eflags = WaitForSingleObject( *(_t847 + 0x448), 0);
													if(__eflags != 0) {
														goto L51;
													}
													goto L318;
												}
												_t753 = _t847 + 0x42c;
												_t838 =  &_v356;
												E00FB3E91(_t753,  &_v356, _t932,  &_v333);
												_t885 = _t885 + 4;
												__eflags = _v333 - 1;
												if(__eflags != 0) {
													goto L51;
												}
												_t864 = _v356;
												goto L315;
											}
											_t753 =  *(_t847 + 0x440);
											_t704 = E00F70719(_t753);
											__eflags = _t838;
											if(__eflags < 0) {
												goto L311;
											}
											if(__eflags > 0) {
												L309:
												_t705 =  *(_t847 + 0x448);
												__eflags = _t705;
												if(__eflags != 0) {
													 *0xfdf35c(_t705);
													 *(_t847 + 0x448) = 0;
												}
												_v356 = 0;
												goto L265;
											}
											__eflags = _t704 -  *(_t847 + 0x43c);
											if(_t704 <  *(_t847 + 0x43c)) {
												goto L311;
											}
											goto L309;
										} else {
											if(_t494 == 3 || _t494 == 4 || _t494 == 5 || _t494 == 6) {
												goto L84;
											} else {
												_t865 = _a4;
												_a4 = _a4 + 1;
												 *(_t847 + 0xf4) = _t865;
												_t922 = _t865 -  *0x10172a0; // 0x1399
												if(_t922 > 0 || _t865 <= 0) {
													L287:
													 *(_t847 + 0xf8) = 1;
													goto L51;
												} else {
													_t867 = (_t865 << 4) +  *0x10172dc;
													if(_t867 == 0) {
														goto L287;
													}
													_t838 = 0;
													_v284 = 0;
													_v276 = 0;
													_v272 = 1;
													_t708 =  *((intOrPtr*)( *((intOrPtr*)(_t867 + 4))));
													_v356 = _t708;
													_v344 = 0;
													_v332 = 0;
													_t709 =  *((short*)(_t708 + 8));
													if(_t709 != 0) {
														__eflags = _t709 - 0x33;
														if(_t709 != 0x33) {
															_t710 = _t709 - 1;
															__eflags = _t710 - 0x7e;
															if(__eflags > 0) {
																L269:
																_push(0xffffffff);
																_push( &_v284);
																_push( &_v332);
																_push(_t867);
																_t713 = E00F5A000(_t748, _t847, _t932);
																L72:
																__eflags = _t713;
																if(__eflags < 0) {
																	L47:
																	_t868 = _a1912631310;
																	if(_t868 != 0) {
																		 *( *(_t868 + 0xc)) =  *( *(_t868 + 0xc)) - 1;
																		__eflags =  *( *(_t868 + 0xc));
																		if( *( *(_t868 + 0xc)) == 0) {
																			L00F7106C( *_t868);
																			L00F7106C( *(_t868 + 0xc));
																			_t885 = _t885 + 8;
																		}
																		L00F7106C(_t868);
																		_t885 = _t885 + 4;
																		_a1912631310 = 0;
																	}
																	_t838 = _a1912631302;
																	_t753 = _a1912631314;
																	_a1912631242 = _a1912631302;
																	L49:
																	if(_t753 >= 5) {
																		_t753 = _t753 + 0xfffffffb;
																		__eflags = _t753 - 0xa;
																		if(__eflags > 0) {
																			goto L50;
																		}
																		switch( *((intOrPtr*)(_t753 * 4 +  &M00F611A4))) {
																			case 0:
																				__eflags = __edx;
																				if(__eflags != 0) {
																					__ecx = __edx;
																					__eax = E00F58E34(__ecx, __edi, __eflags, __ecx);
																				}
																				goto L50;
																			case 1:
																				goto L50;
																			case 2:
																				__eflags = __edx;
																				if(__eflags == 0) {
																					goto L50;
																				}
																				_push(__edx);
																				__eax =  *0xfdf45c();
																				_push(_a1912631298);
																				goto L286;
																			case 3:
																				__eflags = __edx;
																				if(__eflags == 0) {
																					goto L50;
																				}
																				__ecx = __edx + 8;
																				goto L285;
																			case 4:
																				__eax = L00F7106C( *((intOrPtr*)(__edx + 4)));
																				_push(_a1912631302);
																				goto L286;
																			case 5:
																				__eflags = __edx;
																				if(__eflags != 0) {
																					__ecx = __edx;
																					__eax = E00FA73F0(__ecx, __ecx);
																				}
																				goto L50;
																			case 6:
																				__eflags = __edx;
																				if(__eflags == 0) {
																					goto L50;
																				}
																				__ecx = __edx;
																				L285:
																				__eax = E00F55A64(__ecx);
																				_push(_a1912631242);
																				L286:
																				__eax = L00F7106C();
																				__esp = __esp + 4;
																				goto L50;
																			case 7:
																				__eflags = __edx;
																				if(__eflags != 0) {
																					__ecx = __edx;
																					__eax = E00FA7405(__ebx, __ecx, __edi, __ecx);
																				}
																				goto L50;
																		}
																	}
																	L50:
																	_a1912631314 = 1;
																	_a1912631302 = 0;
																	goto L51;
																}
																_t720 =  *((intOrPtr*)( *((intOrPtr*)(_t867 + 4)) + _a1912631254 * 4));
																__eflags =  *((short*)( *((intOrPtr*)( *((intOrPtr*)(_t867 + 4)) + _a1912631254 * 4)) + 8)) - 0x7f;
																if(__eflags == 0) {
																	goto L47;
																}
																E00FBA0B5(_t847, _t932, 0x72,  *((short*)(_t720 + 0xa)));
																_t753 =  &_a1912631294;
																E00F59DF0(_t748, _t753);
																goto L51;
															}
															_t63 = _t710 + 0xf61124; // 0x4040000
															switch( *((intOrPtr*)(( *_t63 & 0x000000ff) * 4 +  &M00F61110))) {
																case 0:
																	_t713 = E00F5F5C0(_t748, _t847, _t932, 0, _t867,  &_v332,  &_v284); // executed
																	goto L72;
																case 1:
																	__eax =  &_v257;
																	__ecx = __edi;
																	_push( &_v257);
																	__eax =  &_v284;
																	_push( &_v284);
																	__eax =  &_v332;
																	_push( &_v332);
																	_push(__esi);
																	_push(0); // executed
																	__eax = E00F5FE40(__ecx, __fp0); // executed
																	goto L72;
																case 2:
																	__ecx = __edi + 0x168;
																	__ecx = E00FCC2F7(__edi + 0x168);
																	__eax = E00FA6543(__eax);
																	__eflags = __al;
																	if(__al != 0) {
																		__ecx = __edi + 0x168;
																		_push(E00FCC2F7(__edi + 0x168));
																		__eax =  &_v332;
																		__ecx = __edi;
																		_push( &_v332);
																		_push(__esi);
																		__eax = E00FCB851(__ecx, __edx, __fp0);
																		goto L72;
																	}
																	__eax = _v356;
																	__ecx = __edi;
																	 *((short*)(_v356 + 0xa)) = E00FBA0B5(__edi, __fp0, 0xa7,  *((short*)(_v356 + 0xa)));
																	__ecx =  &_v292;
																	__eax = E00F59DF0(__ebx, __ecx);
																	goto L51;
																case 3:
																	goto L49;
																case 4:
																	goto L269;
															}
														}
														E00F5E800(_t847, _t932, _t867); // executed
														goto L47;
													}
													E00F5E580(_t847, _t932, _t867,  &_a4); // executed
													goto L47;
												}
											}
										}
									} else {
										_t907 =  *0x10167e8 - 1;
										if( *0x10167e8 != 1) {
											_v216.wParam = 0;
											_v216.lParam = 8;
											_t22 = 8 * _t838;
											_t838 = 8 * _t838 >> 0x20;
											_t541 = E00F70FF6(_t748, _t847, _t907,  ~(0 | _t907 > 0x00000000) | _t22);
											_v216.message = _t541;
											_t753 = 0;
											 *_t541 = 0;
											_t542 = E00F70FF6(_t748, _t847, _t907, 4);
											_t885 = _t885 + 8;
											if(_t542 == 0) {
												_t542 = 0;
											} else {
												 *_t542 = 1;
											}
											_v192 = _t542;
											while( *0x10167dc != 0) {
												_t543 =  *0x10167e0; // 0x0
												_t869 =  *_t543;
												E00FD629F( &(_v216.wParam), _t869);
												_t753 = 0x10167dc;
												E00F5467D(0x10167dc);
												__eflags = _t869;
												if(_t869 != 0) {
													_t753 = _t869;
													E00F54665(_t753, 0x10167dc);
												}
												__eflags = _v216.time;
												 *0x1017420 = 0;
												if(__eflags == 0) {
													continue;
												} else {
													_t753 = _t847;
													_t549 = E00F59FBD(_t753,  &(_v216.lParam));
													_t879 = _t549;
													__eflags = _t549;
													if(__eflags == 0) {
														continue;
													}
													_v244 = 0;
													_v236 = 0;
													_v232 = 1;
													E00F59A20(_t748,  &_v244);
													_v232 = 1;
													_v244 = _v216.wParam;
													E00F57F41(_t748,  &_v56, __eflags, L"@GUI_CTRLID");
													E00F58B13(0x1017270, _t838, _t847, __eflags,  &_v60,  &_v248, 1);
													E00F55A64( &_v72);
													E00F59A20(_t748,  &_v260);
													_v248 = 7;
													_v260 = _v216.lParam;
													E00F57F41(_t748,  &_v120, __eflags, L"@GUI_WINHANDLE");
													E00F58B13(0x1017270, _t838, _t847, __eflags,  &_v124,  &_v264, 1);
													E00F55A64( &_v136);
													E00F59A20(_t748,  &_v276);
													_v264 = 7;
													_v276 = _v216.hwnd;
													E00F57F41(_t748,  &_v104, __eflags, L"@GUI_CTRLHANDLE");
													E00F58B13(0x1017270, _t838, _t847, __eflags,  &_v108,  &_v280, 1);
													E00F55A64( &_v120);
													 *((char*)(_t847 + 0x458)) = 1;
													E00F5B89C(_t847, _t838, _t932,  *((intOrPtr*)(_t879 + 0x10)) + 1, 1, 0);
													 *((char*)(_t847 + 0x458)) = 0;
													E00F59A20(_t748,  &_v304);
													_t753 =  &_v264;
													E00F55A64(_t753);
													goto L51;
												}
											}
											if( *0x10167bc == 0) {
												__eflags =  *0x101691c;
												if(__eflags != 0) {
													L141:
													Sleep(0xa);
													L142:
													goto L30;
												}
												__eflags =  *0x1017420 - 0x64;
												if(__eflags >= 0) {
													goto L141;
												}
												 *0x1017420 =  &( *0x1017420->i);
												Sleep(0);
												goto L142;
											}
											L30:
											_t870 = _v192;
											 *_t870 =  *_t870 - 1;
											if( *_t870 == 0) {
												L00F7106C(_v216.lParam);
												L00F7106C(_t870);
												_t885 = _t885 + 8;
											}
										}
										goto L32;
									}
								} else {
									_t880 =  *((intOrPtr*)(_t847 + 0x44c));
									 *0x101741c = 1;
									_v344 = 0;
									_v356 = _t847 + 0x44c;
									L16:
									L16:
									if(_t880 != 0) {
										goto L57;
									} else {
										_t850 = _v356;
										goto L18;
									}
									while(1) {
										L18:
										_t578 =  *_t850;
										while(1) {
											L19:
											_v340 = _t578;
											if(_t578 == 0) {
												break;
											}
											_t753 =  *_t578;
											__eflags =  *((char*)(_t753 + 0x11));
											if(__eflags != 0) {
												_t753 = _t850;
												E00FBA3F3(_t753,  &_v340);
												L18:
												_t578 =  *_t850;
												continue;
											}
											_t578 =  *(_t578 + 4);
										}
										_t847 = _v296;
										 *0x101741c = _t578;
										if(_v344 > _t578) {
											goto L51;
										} else {
											_t18 = _t578 + 2; // 0x2
											_t838 = _t18;
											goto L22;
										}
									}
									L57:
									_t577 =  *_t880;
									__eflags =  *((char*)(_t577 + 0x11));
									if(__eflags != 0) {
										L64:
										_t880 =  *((intOrPtr*)(_t880 + 4));
										goto L16;
									}
									_t851 =  *((intOrPtr*)(_t577 + 0x14));
									_t599 = timeGetTime();
									_t753 = _t599;
									_t838 = 0;
									_t600 = _t599 - _t851;
									__eflags = _t851 - 0x7fffffff;
									if(_t851 > 0x7fffffff) {
										__eflags = _t753 - 0x7fffffff;
										if(_t753 <= 0x7fffffff) {
											L61:
											_t852 =  *_t880;
											__eflags = _t838;
											if(__eflags < 0) {
												goto L64;
											}
											if(__eflags > 0) {
												L98:
												_v344 =  &(_v344->i);
												 *((intOrPtr*)(_t852 + 0x14)) = timeGetTime();
												_t602 = E00F59FBD(_v296,  *_t880);
												 *((char*)( *_t880 + 0x10)) = 1;
												_t753 = _v300;
												E00F5B89C(_t753, _t838, _t932,  *((intOrPtr*)(_t602 + 0x10)) + 1, 1, 0);
												 *((char*)( *_t880 + 0x10)) = 0;
												goto L64;
											}
											__eflags = _t600 -  *((intOrPtr*)(_t852 + 0x18));
											if(__eflags >= 0) {
												goto L98;
											}
											goto L64;
										}
										L60:
										asm("cdq");
										goto L61;
									}
									__eflags = _t753 - 0x7fffffff;
									if(_t753 > 0x7fffffff) {
										goto L61;
									}
									goto L60;
								}
							}
						}
						if( *0x10167e8 != 0) {
							__eflags =  *(_t847 + 0xf8);
							if(__eflags == 0) {
								goto L11;
							}
						}
						if(PeekMessageW( &_v216, 0, 0, 0, 1) != 0) {
							while(1) {
								__eflags = _v216.message - 0x12;
								if(__eflags == 0) {
									break;
								}
								_t779 =  *0x10167d8; // 0xffffffff
								__eflags = _t779 - 0xffffffff;
								if(_t779 != 0xffffffff) {
									__eflags = _t779 -  *0x1016814; // 0x0
									if(__eflags >= 0) {
										L116:
										 *0x10167d8 = 0xffffffff;
										goto L80;
									}
									_t594 =  *0x1016810; // 0x0
									_t753 =  *(_t594 + _t779 * 4);
									_t595 =  *_t753;
									__eflags = _t595;
									if(_t595 == 0) {
										goto L116;
									}
									__eflags =  *(_t595 + 0x18);
									if( *(_t595 + 0x18) == 0) {
										goto L116;
									}
									_t598 = TranslateAcceleratorW( *( *_t753),  *( *_t753 + 0x18),  &_v216);
									__eflags = _t598;
									if(_t598 != 0) {
										L81:
										__eflags = PeekMessageW( &_v216, 0, 0, 0, 1);
										if(__eflags == 0) {
											goto L8;
										}
										continue;
									}
								}
								L80:
								_t753 = 0x10167b0;
								_t587 = E00F531CE(0x10167b0,  &_v216);
								__eflags = _t587;
								if(_t587 == 0) {
									TranslateMessage( &_v216);
									DispatchMessageW( &_v216); // executed
								}
								goto L81;
							}
							 *((char*)(_t847 + 0xfc)) = 1;
							 *(_t847 + 0xf8) = 1;
						}
						L8:
						if( *0x1016282 == 1) {
							 *0x1016287 = 0;
							 *0x1016282 = 0;
							 *(_t847 + 0xf8) = 1;
						}
						if( *(_t847 + 0xf8) == 1) {
							_push(_t753);
							_v292 = 0;
							E00F6FF13( *((intOrPtr*)( *_t847 + 4)) + _t847,  &_v292);
							goto L53;
						} else {
							_t838 = 2;
							goto L11;
						}
					}
					goto L53;
				}
			}

0x00f60b30
0x00f60b30
0x00f60b36
0x00f60b3e
0x00f60b40
0x00f60b44
0x00f60b4f
0x00f950f4
0x00f95100
0x00f60e63
0x00f60e68
0x00f60e68
0x00f60b55
0x00f60b56
0x00f60b5f
0x00f61023
0x00f61023
0x00f61029
0x00f61030
0x00f61030
0x00f61032
0x00000000
0x00000000
0x00f9510c
0x00f95111
0x00f95113
0x00f9511c
0x00f9511e
0x00f9511e
0x00f95128
0x00f9512c
0x00f95131
0x00f95131
0x00f61030
0x00f60b65
0x00f60b6c
0x00f60b73
0x00f60e44
0x00f60e44
0x00f60e4a
0x00f60e54
0x00f6103f
0x00f61044
0x00f6104b
0x00f60e61
0x00f60e61
0x00000000
0x00f60e61
0x00f61053
0x00f6105a
0x00f61066
0x00f61080
0x00f61082
0x00f61084
0x00000000
0x00000000
0x00f96082
0x00f9608a
0x00f96098
0x00f960ac
0x00f960ae
0x00f960ae
0x00000000
0x00f960b2
0x00f60e5b
0x00000000
0x00f60b79
0x00f60b7f
0x00f60b86
0x00f60b8b
0x00000000
0x00000000
0x00f60b98
0x00f9513a
0x00f95141
0x00f60be4
0x00f60beb
0x00f951de
0x00f951e6
0x00f951e9
0x00f951ed
0x00f951f2
0x00f951f8
0x00f951fb
0x00f95203
0x00f95205
0x00f95207
0x00f9520d
0x00f95213
0x00f95217
0x00f95219
0x00f9523f
0x00f9523f
0x00f95241
0x00f95294
0x00000000
0x00f95294
0x00f95254
0x00f95274
0x00f9527c
0x00f95284
0x00f60e31
0x00f60e37
0x00f60e3e
0x00000000
0x00000000
0x00000000
0x00f60e3e
0x00f9521b
0x00f95221
0x00f95225
0x00f95228
0x00f9522a
0x00f9522c
0x00000000
0x00000000
0x00f9522e
0x00f95230
0x00000000
0x00000000
0x00f95232
0x00f95232
0x00f95233
0x00f95233
0x00f95237
0x00f9523b
0x00000000
0x00f9523b
0x00f60bf1
0x00f60bf8
0x00f9529e
0x00f952a5
0x00000000
0x00000000
0x00f952ad
0x00000000
0x00f952ad
0x00f60bfe
0x00f60c05
0x00f60c64
0x00f60c6b
0x00f60d2d
0x00f60d34
0x00f954ad
0x00f954b4
0x00000000
0x00000000
0x00f954bc
0x00f954d0
0x00f954d8
0x00f954e3
0x00f954e7
0x00f954ee
0x00f954f5
0x00f954fc
0x00f95507
0x00f9550c
0x00f9551a
0x00f95531
0x00f95540
0x00f95542
0x00f95546
0x00f9554a
0x00f9554f
0x00f95555
0x00f9555a
0x00f9555e
0x00f95562
0x00f956c2
0x00f956c5
0x00f956ce
0x00f956d3
0x00f956d7
0x00f956df
0x00f956e3
0x00f9591a
0x00f95926
0x00f95934
0x00f9594f
0x00f9595b
0x00f9596f
0x00f95979
0x00f9597e
0x00f95985
0x00f95987
0x00f9598a
0x00f9598f
0x00f9598f
0x00f9599a
0x00f959a1
0x00f959a4
0x00f95af2
0x00f95af9
0x00f95b04
0x00f95b0f
0x00f95b14
0x00f95b1b
0x00f95b20
0x00000000
0x00f959aa
0x00f959aa
0x00f959ad
0x00f959b0
0x00000000
0x00000000
0x00f959b6
0x00000000
0x00f95aa7
0x00f95aa9
0x00f95aac
0x00f95aae
0x00f95aae
0x00000000
0x00000000
0x00000000
0x00000000
0x00f95a91
0x00f95a93
0x00000000
0x00000000
0x00f95a95
0x00f95a96
0x00000000
0x00000000
0x00f95a9e
0x00f95aa0
0x00000000
0x00000000
0x00f95aa2
0x00000000
0x00000000
0x00f95ab8
0x00000000
0x00000000
0x00f95ac2
0x00f95ac4
0x00f95ac7
0x00f95ac9
0x00f95ac9
0x00000000
0x00000000
0x00f95ade
0x00f95ae0
0x00000000
0x00000000
0x00f95ae2
0x00f95ae4
0x00f95ae4
0x00f95ae9
0x00f95aea
0x00000000
0x00000000
0x00f95ad0
0x00f95ad2
0x00f95ad5
0x00f95ad7
0x00f95ad7
0x00000000
0x00000000
0x00f959b6
0x00000000
0x00000000
0x00000000
0x00f956e9
0x00f956e9
0x00f956ed
0x00f956ef
0x00f956f3
0x00f956f6
0x00f956fa
0x00f956fd
0x00f95701
0x00f9572a
0x00f9572a
0x00f9572e
0x00f95735
0x00f9573d
0x00f9573d
0x00f9573f
0x00f95743
0x00f95746
0x00f9574a
0x00f9574e
0x00000000
0x00000000
0x00f95750
0x00f95750
0x00f9582e
0x00f9582e
0x00f9582f
0x00f95746
0x00f9574a
0x00f9574e
0x00000000
0x00000000
0x00000000
0x00f95756
0x00f95756
0x00f9575a
0x00f95820
0x00f95824
0x00000000
0x00000000
0x00f95826
0x00f95828
0x00f95767
0x00f9576b
0x00f9576f
0x00f95773
0x00f95777
0x00f9577b
0x00f9577f
0x00f958db
0x00f958ef
0x00000000
0x00f958ef
0x00f95788
0x00f95790
0x00f9579c
0x00f957a4
0x00f957a9
0x00f957b1
0x00f957b6
0x00f957b7
0x00f957bb
0x00f957c0
0x00f957c2
0x00f959bd
0x00f959c1
0x00f959c3
0x00f959c6
0x00f959cb
0x00f959cb
0x00f959d3
0x00f959d7
0x00f959da
0x00f95673
0x00f95673
0x00f9567b
0x00f95683
0x00f9568a
0x00f95696
0x00f9569b
0x00f956a2
0x00f956a7
0x00000000
0x00f959e0
0x00f959e0
0x00f959e3
0x00f959e6
0x00000000
0x00000000
0x00f959ec
0x00000000
0x00f95a23
0x00f95a27
0x00f95a29
0x00f95a30
0x00f95a30
0x00000000
0x00000000
0x00000000
0x00000000
0x00f959f3
0x00f959f7
0x00f959f9
0x00000000
0x00000000
0x00f959ff
0x00f95a00
0x00f95a06
0x00000000
0x00000000
0x00f95a0f
0x00f95a13
0x00f95a15
0x00000000
0x00000000
0x00f95a1b
0x00f95a1b
0x00000000
0x00000000
0x00f95a41
0x00f95a49
0x00000000
0x00000000
0x00f95a52
0x00f95a56
0x00f95a58
0x00f95a5f
0x00f95a5f
0x00000000
0x00000000
0x00f95a80
0x00f95a84
0x00f95a86
0x00000000
0x00000000
0x00f95663
0x00f95665
0x00f95665
0x00f9566a
0x00f9566b
0x00f9566b
0x00f95670
0x00000000
0x00000000
0x00f95a69
0x00f95a6d
0x00f95a6f
0x00f95a76
0x00f95a76
0x00000000
0x00000000
0x00f959ec
0x00f959da
0x00f957e5
0x00f957ea
0x00f957ee
0x00f957f0
0x00f957f3
0x00f957f8
0x00f957f8
0x00f95800
0x00f95804
0x00f95807
0x00f958c5
0x00f958c5
0x00f958cd
0x00000000
0x00f9580d
0x00f9580d
0x00f95810
0x00f95813
0x00000000
0x00000000
0x00f95819
0x00000000
0x00f95861
0x00f95865
0x00f95867
0x00f9586a
0x00f9586a
0x00000000
0x00000000
0x00000000
0x00000000
0x00f95837
0x00f9583b
0x00f9583d
0x00000000
0x00000000
0x00f95843
0x00f95844
0x00f9584a
0x00000000
0x00000000
0x00f95850
0x00f95854
0x00f95858
0x00f9585a
0x00000000
0x00000000
0x00f9585c
0x00f9585c
0x00000000
0x00000000
0x00f95878
0x00f95880
0x00000000
0x00000000
0x00f95886
0x00f9588a
0x00f9588c
0x00f9588f
0x00f9588f
0x00000000
0x00000000
0x00f958a6
0x00f958aa
0x00f958ae
0x00f958b0
0x00000000
0x00000000
0x00f958b2
0x00f958b4
0x00f958b4
0x00f958b9
0x00f958bd
0x00f958bd
0x00f958c2
0x00000000
0x00000000
0x00f95896
0x00f9589a
0x00f9589c
0x00f9589f
0x00f9589f
0x00000000
0x00000000
0x00f95819
0x00f95807
0x00000000
0x00f95828
0x00f95760
0x00f95760
0x00f95761
0x00000000
0x00000000
0x00000000
0x00f95761
0x00000000
0x00000000
0x00000000
0x00f95703
0x00f95703
0x00f95706
0x00f95708
0x00f9570b
0x00f95717
0x00f95717
0x00f95717
0x00000000
0x00f95717
0x00f9570d
0x00f95710
0x00000000
0x00000000
0x00f95712
0x00000000
0x00f95718
0x00f95718
0x00f9571b
0x00f9571b
0x00f95722
0x00f95726
0x00000000
0x00f958f4
0x00f958fd
0x00f95902
0x00f95908
0x00f95909
0x00f9590d
0x00f95911
0x00f95911
0x00000000
0x00f956e9
0x00f9556f
0x00f9556f
0x00f95572
0x00f95576
0x00f95576
0x00f95579
0x00f9557d
0x00f95580
0x00f95585
0x00000000
0x00000000
0x00f95587
0x00f9558b
0x00f9558e
0x00f9558e
0x00f95592
0x00f95597
0x00f955ac
0x00f955af
0x00f955b1
0x00f955b4
0x00000000
0x00000000
0x00f955b6
0x00f955b9
0x00f95645
0x00f9565c
0x00000000
0x00f9565c
0x00000000
0x00f955b9
0x00f955a0
0x00f955a2
0x00000000
0x00000000
0x00f955a8
0x00000000
0x00f955bf
0x00f955bf
0x00f955c3
0x00f955c4
0x00f955c4
0x00f955cb
0x00f955cf
0x00f955cf
0x00f955d3
0x00f955d4
0x00f955d9
0x00f955ff
0x00f95608
0x00f95611
0x00f95612
0x00f95616
0x00f9561b
0x00f9561e
0x00f95622
0x00f95626
0x00f95629
0x00f956ba
0x00f956be
0x00000000
0x00f956be
0x00f9562f
0x00f95576
0x00f95579
0x00f9557d
0x00f95580
0x00f95585
0x00000000
0x00000000
0x00000000
0x00f95585
0x00f955db
0x00f955df
0x00f955e0
0x00f955e0
0x00f955e2
0x00f955e5
0x00f955e9
0x00f955ed
0x00000000
0x00000000
0x00f955ef
0x00f955ef
0x00f95642
0x00f95642
0x00f955e5
0x00f955e9
0x00f955ed
0x00000000
0x00000000
0x00000000
0x00f955f2
0x00f955f2
0x00f955f6
0x00f95638
0x00f9563c
0x00000000
0x00000000
0x00f9563e
0x00f95640
0x00f955fb
0x00f955fb
0x00000000
0x00f955fb
0x00000000
0x00f95640
0x00f955f8
0x00f955f8
0x00f955f9
0x00000000
0x00000000
0x00000000
0x00f955f9
0x00f955e2
0x00f95576
0x00f60d3a
0x00f60d41
0x00f95b2c
0x00f95b33
0x00000000
0x00000000
0x00f95b40
0x00f95b45
0x00f95b52
0x00f95b57
0x00f95b59
0x00000000
0x00000000
0x00f95b5f
0x00f95b67
0x00000000
0x00000000
0x00f95b78
0x00f95b7a
0x00f95b7c
0x00000000
0x00000000
0x00f95b85
0x00f95b90
0x00f95b9b
0x00f95ba6
0x00f95bbe
0x00f95bc9
0x00f95bd0
0x00f95bec
0x00f95bf8
0x00f95bfd
0x00f95c0f
0x00f95c1b
0x00f95c22
0x00f95c27
0x00f95c2e
0x00000000
0x00f95c2e
0x00f95c38
0x00f95c3f
0x00f95c3f
0x00f60d47
0x00f60d47
0x00f60d50
0x00f95c51
0x00f95c57
0x00f95c5b
0x00f95c60
0x00000000
0x00000000
0x00f95c71
0x00f95c7d
0x00f95c87
0x00f95ca6
0x00f95ca6
0x00f95cb1
0x00f95cb3
0x00f61098
0x00f61098
0x00f6109f
0x00000000
0x00f6109f
0x00f60d59
0x00f60fdd
0x00f60fdf
0x00f60fe5
0x00f60fec
0x00f6100f
0x00f6100f
0x00f61015
0x00f61018
0x00000000
0x00000000
0x00f95e04
0x00f95e07
0x00f95e0a
0x00000000
0x00f95e10
0x00f95e10
0x00000000
0x00f95e42
0x00f95e44
0x00000000
0x00000000
0x00f95e2b
0x00f95e2d
0x00000000
0x00000000
0x00f95e17
0x00f95e19
0x00f95e49
0x00f95e49
0x00f95e4b
0x00f95e4d
0x00000000
0x00000000
0x00000000
0x00000000
0x00f95e20
0x00f95e22
0x00f95e32
0x00f95e32
0x00f95e34
0x00f95e36
0x00f95e4f
0x00f95e5b
0x00f95e5d
0x00f95e62
0x00f95e67
0x00f95e75
0x00f95e77
0x00f95e7c
0x00f95e7e
0x00f95e7e
0x00000000
0x00000000
0x00f95e84
0x00f95e86
0x00f95f01
0x00f95f01
0x00f95f07
0x00f95f0e
0x00f95f18
0x00000000
0x00f95f18
0x00f95e88
0x00f95e88
0x00f95e8e
0x00f95e91
0x00f95e98
0x00f95ea5
0x00f95eb0
0x00f95ebb
0x00f95ec8
0x00f95ed6
0x00f95ee4
0x00f95eee
0x00f95ef0
0x00f95efc
0x00000000
0x00f95efc
0x00f95e93
0x00f95e96
0x00000000
0x00000000
0x00000000
0x00f95e96
0x00f95e38
0x00000000
0x00000000
0x00000000
0x00000000
0x00f95e10
0x00000000
0x00f95e0a
0x00f60fee
0x00f60ff4
0x00f60ff9
0x00f60ffb
0x00000000
0x00000000
0x00f60ffd
0x00f6108f
0x00f6108f
0x00f61096
0x00f61103
0x00000000
0x00f61103
0x00000000
0x00f61096
0x00f61003
0x00f61009
0x00000000
0x00000000
0x00000000
0x00f61009
0x00f60d62
0x00f95f24
0x00f95f2a
0x00f95f31
0x00f95f5f
0x00f95f5f
0x00f95f65
0x00f95f67
0x00f95f6c
0x00f95f70
0x00f95f73
0x00f95f9d
0x00f95fa0
0x00000000
0x00000000
0x00f95fa6
0x00f95fa6
0x00f95fac
0x00f95fb1
0x00f95fb5
0x00f95fb7
0x00f95fff
0x00f95fff
0x00f96006
0x00f9603a
0x00f9603a
0x00f9603c
0x00f96008
0x00f96008
0x00f9600c
0x00f96010
0x00f96012
0x00f96014
0x00f96014
0x00f9601a
0x00f96022
0x00f96029
0x00f9602b
0x00f9602b
0x00f96047
0x00f9604e
0x00f96058
0x00000000
0x00f96058
0x00f95fbf
0x00f95fc5
0x00f95fcd
0x00f95fe5
0x00f95feb
0x00f95ff1
0x00f95ff5
0x00000000
0x00f95ff5
0x00f95fdd
0x00f95fdf
0x00000000
0x00000000
0x00000000
0x00f95fdf
0x00f95f7a
0x00f95f80
0x00f95f84
0x00f95f89
0x00f95f8c
0x00f95f91
0x00000000
0x00000000
0x00f95f97
0x00000000
0x00f95f97
0x00f95f33
0x00f95f39
0x00f95f3e
0x00f95f40
0x00000000
0x00000000
0x00f95f42
0x00f95f4c
0x00f95f4c
0x00f95f52
0x00f95f54
0x00f95c8e
0x00f95c94
0x00f95c94
0x00f95c9e
0x00000000
0x00f95c9e
0x00f95f44
0x00f95f4a
0x00000000
0x00000000
0x00000000
0x00f60d71
0x00f60d74
0x00000000
0x00f60d95
0x00f60d95
0x00f60d98
0x00f60d9b
0x00f60da1
0x00f60da7
0x00f95df5
0x00f95df5
0x00000000
0x00f60db5
0x00f60db8
0x00f60dbe
0x00000000
0x00000000
0x00f60dc7
0x00f60dce
0x00f60dd2
0x00f60dd6
0x00f60dda
0x00f60ddc
0x00f60de0
0x00f60de4
0x00f60de8
0x00f60dee
0x00f60ec8
0x00f60ecb
0x00f60eda
0x00f60edb
0x00f60ede
0x00f95d14
0x00f95d14
0x00f95d1c
0x00f95d21
0x00f95d22
0x00f95d23
0x00f60f06
0x00f60f06
0x00f60f08
0x00f60e00
0x00f60e00
0x00f60e06
0x00f60f46
0x00f60f4b
0x00f60f4e
0x00f95d4b
0x00f95d56
0x00f95d5b
0x00f95d5b
0x00f60f55
0x00f60f5a
0x00f60f5d
0x00f60f5d
0x00f60e0c
0x00f60e10
0x00f60e14
0x00f60e18
0x00f60e1b
0x00f610e9
0x00f610ec
0x00f610ef
0x00000000
0x00000000
0x00f610f5
0x00000000
0x00f95d85
0x00f95d87
0x00f95d8e
0x00f95d90
0x00f95d90
0x00000000
0x00000000
0x00000000
0x00000000
0x00f95d63
0x00f95d65
0x00000000
0x00000000
0x00f95d6b
0x00f95d6c
0x00f95d72
0x00000000
0x00000000
0x00f95d78
0x00f95d7a
0x00000000
0x00000000
0x00f95d80
0x00000000
0x00000000
0x00f95d9d
0x00f95da5
0x00000000
0x00000000
0x00f95dab
0x00f95dad
0x00f95db4
0x00f95db6
0x00f95db6
0x00000000
0x00000000
0x00f95dd5
0x00f95dd7
0x00000000
0x00000000
0x00f95ddd
0x00f95ddf
0x00f95ddf
0x00f95de4
0x00f95de8
0x00f95de8
0x00f95ded
0x00000000
0x00000000
0x00f95dc0
0x00f95dc2
0x00f95dc9
0x00f95dcb
0x00f95dcb
0x00000000
0x00000000
0x00f610f5
0x00f60e21
0x00f60e21
0x00f60e29
0x00000000
0x00f60e29
0x00f60f15
0x00f60f18
0x00f60f1d
0x00000000
0x00000000
0x00f95d36
0x00f95d3b
0x00f95d3f
0x00000000
0x00f95d3f
0x00f60ee4
0x00f60eeb
0x00000000
0x00f60f01
0x00000000
0x00000000
0x00f60f28
0x00f60f2c
0x00f60f2e
0x00f60f2f
0x00f60f33
0x00f60f34
0x00f60f38
0x00f60f39
0x00f60f3a
0x00f60f3c
0x00000000
0x00000000
0x00f95cbd
0x00f95cc8
0x00f95cca
0x00f95ccf
0x00f95cd1
0x00f95cf6
0x00f95d01
0x00f95d02
0x00f95d06
0x00f95d08
0x00f95d09
0x00f95d0a
0x00000000
0x00f95d0a
0x00f95cd3
0x00f95cd7
0x00f95ce3
0x00f95ce8
0x00f95cec
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00f60eeb
0x00f60ed0
0x00000000
0x00f60ed0
0x00f60dfb
0x00000000
0x00f60dfb
0x00f60da7
0x00f60d74
0x00f60c7e
0x00f60c7e
0x00f60c85
0x00f60c8d
0x00f60c9d
0x00f60ca8
0x00f60ca8
0x00f60cb2
0x00f60cba
0x00f60cc1
0x00f60cc3
0x00f60cc8
0x00f60ccd
0x00f60cd2
0x00f610fc
0x00f60cd8
0x00f60cd8
0x00f60cd8
0x00f60cde
0x00f60cf0
0x00f952da
0x00f952e6
0x00f952e9
0x00f952ee
0x00f952f3
0x00f952f8
0x00f952fa
0x00f952fd
0x00f952ff
0x00f952ff
0x00f95304
0x00f9530c
0x00f95316
0x00000000
0x00f9531c
0x00f95323
0x00f95326
0x00f9532b
0x00f9532d
0x00f9532f
0x00000000
0x00000000
0x00f95339
0x00f95341
0x00f95349
0x00f95351
0x00f95369
0x00f95374
0x00f95378
0x00f95391
0x00f9539d
0x00f953a6
0x00f953be
0x00f953c9
0x00f953cd
0x00f953e6
0x00f953f2
0x00f953fb
0x00f95413
0x00f9541e
0x00f95422
0x00f9543b
0x00f95447
0x00f9544c
0x00f9545e
0x00f95467
0x00f9546e
0x00f95473
0x00f9547a
0x00000000
0x00f9547a
0x00f95316
0x00f60d04
0x00f95484
0x00f9548b
0x00f954a0
0x00f954a2
0x00f954a2
0x00000000
0x00f954a2
0x00f9548d
0x00f95494
0x00000000
0x00000000
0x00f95496
0x00f954a2
0x00000000
0x00f954a2
0x00f60d0a
0x00f60d0a
0x00f60d11
0x00f60d13
0x00f60d1c
0x00f60d25
0x00f60d2a
0x00f60d2a
0x00f60d13
0x00000000
0x00f60c85
0x00f60c10
0x00f60c10
0x00f60c1c
0x00f60c23
0x00f60c2b
0x00000000
0x00f60c30
0x00f60c32
0x00000000
0x00f60c38
0x00f60c38
0x00f60c38
0x00f60c38
0x00f60c40
0x00f60c40
0x00f60c40
0x00f60c42
0x00f60c42
0x00f60c42
0x00f60c48
0x00000000
0x00000000
0x00f60eb4
0x00f60eb6
0x00f60eba
0x00f952cd
0x00f952d0
0x00f60c40
0x00f60c40
0x00000000
0x00f60c40
0x00f60ec0
0x00f60ec0
0x00f60c4e
0x00f60c52
0x00f60c5b
0x00000000
0x00f60c61
0x00f60c61
0x00f60c61
0x00000000
0x00f60c61
0x00f60c5b
0x00f60e6b
0x00f60e6b
0x00f60e6d
0x00f60e71
0x00f60eac
0x00f60eac
0x00000000
0x00f60eac
0x00f60e73
0x00f60e76
0x00f60e7c
0x00f60e7e
0x00f60e80
0x00f60e82
0x00f60e88
0x00f952b8
0x00f952be
0x00f60e97
0x00f60e97
0x00f60e99
0x00f60e9b
0x00000000
0x00000000
0x00f60e9d
0x00f610ae
0x00f610ae
0x00f610bc
0x00f610c1
0x00f610cc
0x00f610d3
0x00f610d9
0x00f610e0
0x00000000
0x00f610e0
0x00f60ea3
0x00f60ea6
0x00000000
0x00000000
0x00000000
0x00f60ea6
0x00f60e96
0x00f60e96
0x00000000
0x00f60e96
0x00f60e8e
0x00f60e94
0x00000000
0x00000000
0x00000000
0x00f60e94
0x00f60c05
0x00f95147
0x00f60ba5
0x00f9514c
0x00f95153
0x00000000
0x00000000
0x00f95159
0x00f60bbf
0x00f60f70
0x00f60f70
0x00f60f78
0x00000000
0x00000000
0x00f60f7e
0x00f60f84
0x00f60f87
0x00f9515e
0x00f95164
0x00f9519c
0x00f9519c
0x00000000
0x00f9519c
0x00f95166
0x00f9516b
0x00f9516e
0x00f95170
0x00f95172
0x00000000
0x00000000
0x00f95174
0x00f95178
0x00000000
0x00000000
0x00f95189
0x00f9518f
0x00f95191
0x00f60fa3
0x00f60fb5
0x00f60fb7
0x00000000
0x00000000
0x00000000
0x00f60fbd
0x00f95197
0x00f60f8d
0x00f60f94
0x00f60f9a
0x00f60f9f
0x00f60fa1
0x00f60fc7
0x00f60fd5
0x00f60fd5
0x00000000
0x00f60fa1
0x00f951ab
0x00f951b2
0x00f951b2
0x00f60bc5
0x00f60bcc
0x00f951c1
0x00f951c8
0x00f951cf
0x00f951cf
0x00f60bd9
0x00f96063
0x00f96068
0x00f96078
0x00000000
0x00f60bdf
0x00f60bdf
0x00000000
0x00f60bdf
0x00f60bd9
0x00000000
0x00f60b7f

APIs

PeekMessageW.USER32 ref: 00F60BBB
timeGetTime.WINMM ref: 00F60E76
PeekMessageW.USER32 ref: 00F60FB3
TranslateMessage.USER32(?), ref: 00F60FC7
DispatchMessageW.USER32 ref: 00F60FD5
Sleep.KERNEL32(0000000A), ref: 00F60FDF
LockWindowUpdate.USER32(00000000,?,?), ref: 00F6105A
DestroyWindow.USER32 ref: 00F61066
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00F61080
Sleep.KERNEL32(0000000A,?,?), ref: 00F952AD
TranslateMessage.USER32(?), ref: 00F9608A
DispatchMessageW.USER32 ref: 00F96098
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00F960AC

Strings

@GUI_WINHANDLE, xrefs: 00F953B9
@COM_EVENTOBJ, xrefs: 00F9591A
@GUI_CTRLHANDLE, xrefs: 00F9540E
@GUI_CTRLID, xrefs: 00F95364
@TRAY_ID, xrefs: 00F95BB9

Memory Dump Source

Source File: 00000000.00000002.316268130.0000000000F51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.316260119.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316369334.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316375172.0000000000FE0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316438570.0000000001005000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316460548.000000000100F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316503289.0000000001055000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316514363.000000000105C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316525512.000000000106B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316568333.0000000001091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316573795.0000000001094000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_POv5Nk1dlu.jbxd

Similarity

API ID: Message$DispatchPeekSleepTranslateWindow$DestroyLockTimeUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 4003667617-3242690629
Opcode ID: 1fa945b0d82bd4cb950e2c87a7cff0eb3ea3972eeedc1f43c4252711e9f077d1
Instruction ID: e13eadbd5815d395ff341ebe209c4ea7e97b6b903734f7243d98ce7aafb020a4
Opcode Fuzzy Hash: 1fa945b0d82bd4cb950e2c87a7cff0eb3ea3972eeedc1f43c4252711e9f077d1
Instruction Fuzzy Hash: 8AB22870A08741DFEB25DF24C884BAAB7E5FF84714F14491DF58A87291CB79E848EB42

Uniqueness

Uniqueness Score: -1.00%

Function 00F53041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
registrywindowclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00F53074
RegisterClassExW.USER32 ref: 00F5309E
RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00F530AF
6F7E8420.COMCTL32(?), ref: 00F530CC
6F7E7CB0.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00F530DC
LoadIconW.USER32(000000A9), ref: 00F530F2
6F7E0620.COMCTL32(000000FF,00000000), ref: 00F53101

Strings

TaskbarCreated, xrefs: 00F530A4
+, xrefs: 00F5305D
AutoIt v3 GUI, xrefs: 00F53090
0, xrefs: 00F53056

Memory Dump Source

Source File: 00000000.00000002.316268130.0000000000F51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.316260119.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316369334.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316375172.0000000000FE0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316438570.0000000001005000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316460548.000000000100F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316503289.0000000001055000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316514363.000000000105C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316525512.000000000106B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316568333.0000000001091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316573795.0000000001094000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_POv5Nk1dlu.jbxd

Similarity

API ID: Register$BrushClassClipboardColorE0620E8420FormatIconLoad
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 3748824598-1005189915
Opcode ID: 267618aa540de1ae024f71d3a34ccd0ca63954107b294529e768653e4047906c
Instruction ID: 8b1d7464a4a94eedb15fba7d84509400592ce36b1984115410cfdf97679f87f7
Opcode Fuzzy Hash: 267618aa540de1ae024f71d3a34ccd0ca63954107b294529e768653e4047906c
Instruction Fuzzy Hash: 5421C7B1D11218AFDB10DFA4EC49BDDBBF5FB08700F04822AF952A6294D7BA4548DF91

Uniqueness

Uniqueness Score: -1.00%

Function 00F59997 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__itow.LIBCMT ref: 00F599C2
__swprintf.LIBCMT ref: 00F59A0C
__i64tow.LIBCMT ref: 00F8FA0F

Strings

%.15g, xrefs: 00F59A06
0x%p, xrefs: 00F8F9F1
True, xrefs: 00F8F9D0
False, xrefs: 00F8F9D7

Memory Dump Source

Source File: 00000000.00000002.316268130.0000000000F51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.316260119.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316369334.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316375172.0000000000FE0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316438570.0000000001005000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316460548.000000000100F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316503289.0000000001055000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316514363.000000000105C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316525512.000000000106B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316568333.0000000001091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316573795.0000000001094000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_POv5Nk1dlu.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: 37a433604f83a24f3c74589f2df8f47435c4be1d3f16431fc6bd8a54a78d125c
Instruction ID: c4f5ec0b8098148631ac4f66910c0d8f7c394cc07a000841b946dcf11e860dfe
Opcode Fuzzy Hash: 37a433604f83a24f3c74589f2df8f47435c4be1d3f16431fc6bd8a54a78d125c
Instruction Fuzzy Hash: CB41B872A14205EEDB24EF34DC41FB673E8EB44310F20446EEA49D7191EE759949B712

Uniqueness

Uniqueness Score: -1.00%

Function 00F5410D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00F8D5EC

Part of subcall function 00F57D2C: _memmove.LIBCMT ref: 00F57D66

_memset.LIBCMT ref: 00F5418D
_wcscpy.LIBCMT ref: 00F541E1
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00F541F1

Strings

Line: , xrefs: 00F8D615

Memory Dump Source

Source File: 00000000.00000002.316268130.0000000000F51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.316260119.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316369334.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316375172.0000000000FE0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316438570.0000000001005000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316460548.000000000100F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316503289.0000000001055000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316514363.000000000105C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316525512.000000000106B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316568333.0000000001091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316573795.0000000001094000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_POv5Nk1dlu.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: dbda711c7e450739b5a8e60486317f530c5b22f804c2d2b09c3d6aaddb176a59
Instruction ID: e4193cee4ef59002e1e8b5cd04de3033a8a332cc886ad2b3694ce53f23603044
Opcode Fuzzy Hash: dbda711c7e450739b5a8e60486317f530c5b22f804c2d2b09c3d6aaddb176a59
Instruction Fuzzy Hash: 7231EF31408704AAD321FB60EC46FDB77E8AF44315F10451EFA8593091EBBDA68CE796

Uniqueness

Uniqueness Score: -1.00%

Function 00F535B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00F535A1,SwapMouseButtons,00000004,?), ref: 00F535D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00F535A1,SwapMouseButtons,00000004,?,?,?,?,00F52754), ref: 00F535F5
RegCloseKey.KERNELBASE(00000000,?,?,00F535A1,SwapMouseButtons,00000004,?,?,?,?,00F52754), ref: 00F53617

Strings

Control Panel\Mouse, xrefs: 00F535D2

Memory Dump Source

Source File: 00000000.00000002.316268130.0000000000F51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.316260119.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316369334.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316375172.0000000000FE0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316438570.0000000001005000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316460548.000000000100F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316503289.0000000001055000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316514363.000000000105C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316525512.000000000106B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316568333.0000000001091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316573795.0000000001094000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_POv5Nk1dlu.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 021d0c17ddf178fc4009540550c6601897e191ff72f58fb9a6121f7bd7d83623
Instruction ID: 8d1a7077d0d2d7656ffc98a441214e54905282dc3ced6a7244c512b960ddd7de
Opcode Fuzzy Hash: 021d0c17ddf178fc4009540550c6601897e191ff72f58fb9a6121f7bd7d83623
Instruction Fuzzy Hash: 2D115A71911208BFDB208F68DC44EAEBBB9EF04791F00846AF905D7210D2719F58A760

Uniqueness

Uniqueness Score: -1.00%

Function 00F70FF6 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_malloc.LIBCMT ref: 00F7100E

Part of subcall function 00F7594C: __FF_MSGBANNER.LIBCMT ref: 00F75963
Part of subcall function 00F7594C: __NMSG_WRITE.LIBCMT ref: 00F7596A
Part of subcall function 00F7594C: RtlAllocateHeap.NTDLL(00B50000,00000000,00000001,00000000,?,?,?,00F71013,?), ref: 00F7598F

std::exception::exception.LIBCMT ref: 00F7102C
__CxxThrowException@8.LIBCMT ref: 00F71041

Part of subcall function 00F787DB: RaiseException.KERNEL32(?,?,?,0100BAF8,00000000,?,?,?,?,00F71046,?,0100BAF8,?,00000001), ref: 00F78830

Part of subcall function 00F78711: _free.LIBCMT ref: 00F787BE

Strings

bad allocation, xrefs: 00F71021

Memory Dump Source

Source File: 00000000.00000002.316268130.0000000000F51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.316260119.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316369334.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316375172.0000000000FE0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316438570.0000000001005000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316460548.000000000100F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316503289.0000000001055000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316514363.000000000105C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316525512.000000000106B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316568333.0000000001091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316573795.0000000001094000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_POv5Nk1dlu.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrow_free_mallocstd::exception::exception
String ID: bad allocation
API String ID: 3712093317-2104205924
Opcode ID: 6f9a0acf02e6aeaaa3f4aa33b9ada5305ffc8d687b2e2e7a48bf74dbb904956f
Instruction ID: c903a8244daed48125cec724e25af01c8c00d924506281adec4d9441c18c014f
Opcode Fuzzy Hash: 6f9a0acf02e6aeaaa3f4aa33b9ada5305ffc8d687b2e2e7a48bf74dbb904956f
Instruction Fuzzy Hash: B3F02D3554024DB6CB30BA59EC059DF77ACAF00360F108027F90C95152EFF48A85B2E2

Uniqueness

Uniqueness Score: -1.00%

Function 00F54531 Relevance: 6.1, APIs: 4, Instructions: 66
timewindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 00F54560

Part of subcall function 00F5410D: _memset.LIBCMT ref: 00F5418D
Part of subcall function 00F5410D: _wcscpy.LIBCMT ref: 00F541E1
Part of subcall function 00F5410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00F541F1

KillTimer.USER32(?,00000001,?,?), ref: 00F545B5
SetTimer.USER32 ref: 00F545C4
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00F8D6CE

Memory Dump Source

Source File: 00000000.00000002.316268130.0000000000F51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.316260119.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316369334.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316375172.0000000000FE0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316438570.0000000001005000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316460548.000000000100F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316503289.0000000001055000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316514363.000000000105C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316525512.000000000106B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316568333.0000000001091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316573795.0000000001094000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_POv5Nk1dlu.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: 43c071e4b1745b88538dc3e2d9caabb6b76d614394123728eab90720a89520c4
Instruction ID: 7395d64d6f7a23b9902e36698dfd6e71931181fe68fcdc5007c770fe255b83b3
Opcode Fuzzy Hash: 43c071e4b1745b88538dc3e2d9caabb6b76d614394123728eab90720a89520c4
Instruction Fuzzy Hash: BE21F871904788AFE7329B24DC45BE7BBEC9F01319F04009EE79E56181D7B42A88AB51

Uniqueness

Uniqueness Score: -1.00%

Function 00F543DB Relevance: 4.6, APIs: 3, Instructions: 77
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 00F54401
Shell_NotifyIconW.SHELL32(00000000,?), ref: 00F544A6
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00F544C3

Memory Dump Source

Source File: 00000000.00000002.316268130.0000000000F51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.316260119.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316369334.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316375172.0000000000FE0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316438570.0000000001005000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316460548.000000000100F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316503289.0000000001055000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316514363.000000000105C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316525512.000000000106B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316568333.0000000001091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316573795.0000000001094000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_POv5Nk1dlu.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: 87351eb715abdbc727b2d3c164aab6de39a98f5aa08b568ca14b8ff51377de0c
Instruction ID: 25a24ff780ed7405fc6e884f43e2cd31a8c816babafe9fb82a7f169442c585b6
Opcode Fuzzy Hash: 87351eb715abdbc727b2d3c164aab6de39a98f5aa08b568ca14b8ff51377de0c
Instruction Fuzzy Hash: 773161719057019FD721DF34D88479BBBF8FB49319F00092EEA9A83241D7BA6988DB52

Uniqueness

Uniqueness Score: -1.00%

Function 00F732F5 Relevance: 4.5, APIs: 3, Instructions: 15
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__FF_MSGBANNER.LIBCMT ref: 00F732F8

Part of subcall function 00F7A3AB: __NMSG_WRITE.LIBCMT ref: 00F7A3D2
Part of subcall function 00F7A3AB: __NMSG_WRITE.LIBCMT ref: 00F7A3DC

__NMSG_WRITE.LIBCMT ref: 00F73300

Part of subcall function 00F7A408: GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\POv5Nk1dlu.exeR6002- floating point support not loaded,00000104,?,00000001,00000000), ref: 00F7A49A
Part of subcall function 00F7A408: ___crtMessageBoxW.LIBCMT ref: 00F7A548

Part of subcall function 00F733B3: _doexit.LIBCMT ref: 00F733BD

_doexit.LIBCMT ref: 00F73317

Part of subcall function 00F73469: __lock.LIBCMT ref: 00F73477
Part of subcall function 00F73469: RtlDecodePointer.KERNEL32(0100BB70,0000001C,00F733C2,00000000,00000001,00000000,?,00F73310,000000FF,?,00F79E6E,00000011,00000000,?,00F79CBC,0000000D), ref: 00F734B6
Part of subcall function 00F73469: RtlDecodePointer.KERNEL32(?,00F73310,000000FF,?,00F79E6E,00000011,00000000,?,00F79CBC,0000000D), ref: 00F734C7
Part of subcall function 00F73469: RtlEncodePointer.KERNEL32(00000000,?,00F73310,000000FF,?,00F79E6E,00000011,00000000,?,00F79CBC,0000000D), ref: 00F734E0
Part of subcall function 00F73469: RtlDecodePointer.KERNEL32(-00000004,?,00F73310,000000FF,?,00F79E6E,00000011,00000000,?,00F79CBC,0000000D), ref: 00F734F0
Part of subcall function 00F73469: RtlEncodePointer.KERNEL32(00000000,?,00F73310,000000FF,?,00F79E6E,00000011,00000000,?,00F79CBC,0000000D), ref: 00F734F6
Part of subcall function 00F73469: RtlDecodePointer.KERNEL32(?,00F73310,000000FF,?,00F79E6E,00000011,00000000,?,00F79CBC,0000000D), ref: 00F7350C
Part of subcall function 00F73469: RtlDecodePointer.KERNEL32(?,00F73310,000000FF,?,00F79E6E,00000011,00000000,?,00F79CBC,0000000D), ref: 00F73517
Part of subcall function 00F73469: __initterm.LIBCMT ref: 00F7353F
Part of subcall function 00F73469: __initterm.LIBCMT ref: 00F73550

Memory Dump Source

Source File: 00000000.00000002.316268130.0000000000F51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.316260119.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316369334.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316375172.0000000000FE0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316438570.0000000001005000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316460548.000000000100F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316503289.0000000001055000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316514363.000000000105C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316525512.000000000106B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316568333.0000000001091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316573795.0000000001094000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_POv5Nk1dlu.jbxd

Similarity

API ID: Pointer$Decode$Encode__initterm_doexit$FileMessageModuleName___crt__lock
String ID:
API String ID: 2447380256-0
Opcode ID: 67333b68c7239f9b04537942177a38b3ca01b66391c852a3bc32a183d2f1842d
Instruction ID: e573951096a33db4dde4a6e54a693c6dec021fef42b35c4d7c8bf0547d9e1005
Opcode Fuzzy Hash: 67333b68c7239f9b04537942177a38b3ca01b66391c852a3bc32a183d2f1842d
Instruction Fuzzy Hash: 6DC0122019431875E8A47E509C07F6C31064B40B00F8080627A0C184D3ADCF16943053

Uniqueness

Uniqueness Score: -1.00%

Function 00F57BB1 Relevance: 3.1, APIs: 2, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memmove.LIBCMT ref: 00F57C0B
_memmove.LIBCMT ref: 00F57C76

Memory Dump Source

Source File: 00000000.00000002.316268130.0000000000F51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.316260119.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316369334.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316375172.0000000000FE0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316438570.0000000001005000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316460548.000000000100F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316503289.0000000001055000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316514363.000000000105C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316525512.000000000106B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316568333.0000000001091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316573795.0000000001094000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_POv5Nk1dlu.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: a49f6a72ca7f77b6d270d55d2c108f2dba7a3da5ef38cfb0801bcd6913d24b62
Instruction ID: 602e4eef2d766e79a998f2d0c8228291195e457fddd931893b6446eb4392d0af
Opcode Fuzzy Hash: a49f6a72ca7f77b6d270d55d2c108f2dba7a3da5ef38cfb0801bcd6913d24b62
Instruction Fuzzy Hash: 05319AB2604606AFC714EF68D8D1E69F3A9FF483207158629E919CB391DB70E854DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00F544CB Relevance: 3.0, APIs: 2, Instructions: 25
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 00F544F7
Shell_NotifyIconW.SHELL32(00000002,?), ref: 00F54527

Memory Dump Source

Source File: 00000000.00000002.316268130.0000000000F51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.316260119.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316369334.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316375172.0000000000FE0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316438570.0000000001005000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316460548.000000000100F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316503289.0000000001055000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316514363.000000000105C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316525512.000000000106B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316568333.0000000001091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316573795.0000000001094000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_POv5Nk1dlu.jbxd

Similarity

API ID: IconNotifyShell__memset
String ID:
API String ID: 928536360-0
Opcode ID: 24091c36e90532da48bf0cc9e9d646e66d45a6ccf5aa3963d6ae22f908fb535e
Instruction ID: 4330f8c8a92d320340c20b9ac9ae100c0ab37c7a1bc8128e2afb18f1e0f036dc
Opcode Fuzzy Hash: 24091c36e90532da48bf0cc9e9d646e66d45a6ccf5aa3963d6ae22f908fb535e
Instruction Fuzzy Hash: 02F082709043089BD7628B64EC457D57BAC970130CF0001EAEA4897246D7BA0B88CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00F732DF Relevance: 3.0, APIs: 2, Instructions: 7
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___crtCorExitProcess.LIBCMT ref: 00F732E5

Part of subcall function 00F732AB: GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,?,?,?,00F732EA,00000000,?,00F79EFE,000000FF,0000001E,0100BE28,00000008,00F79E62,00000000,00000000), ref: 00F732BA
Part of subcall function 00F732AB: GetProcAddress.KERNEL32(?,CorExitProcess), ref: 00F732CC

ExitProcess.KERNEL32 ref: 00F732EE

Memory Dump Source

Source File: 00000000.00000002.316268130.0000000000F51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.316260119.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316369334.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316375172.0000000000FE0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316438570.0000000001005000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316460548.000000000100F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316503289.0000000001055000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316514363.000000000105C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316525512.000000000106B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316568333.0000000001091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316573795.0000000001094000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_POv5Nk1dlu.jbxd

Similarity

API ID: ExitProcess$AddressHandleModuleProc___crt
String ID:
API String ID: 2427264223-0
Opcode ID: eec1776fcfacc8a11ae78b00ed92251de6287caaae5b9f9c596f7af8a8b7982b
Instruction ID: 10cf104f0bea3965c95a87c9f41ae7bc733fabdc2e43a3428fd02936553be93b
Opcode Fuzzy Hash: eec1776fcfacc8a11ae78b00ed92251de6287caaae5b9f9c596f7af8a8b7982b
Instruction Fuzzy Hash: ABB0923000020CBBDB012F21DC0AC483F2AFF00A90B008022F80908032DB72AA92FA81

Uniqueness

Uniqueness Score: -1.00%

Function 00F5F3F0 Relevance: 1.7, APIs: 1, Instructions: 185
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.316268130.0000000000F51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.316260119.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316369334.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316375172.0000000000FE0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316438570.0000000001005000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316460548.000000000100F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316503289.0000000001055000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316514363.000000000105C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316525512.000000000106B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316568333.0000000001091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316573795.0000000001094000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_POv5Nk1dlu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c627dd97aa7260b9e6ac5e60659635a937a69051d5d8bc71650c6311fbe0e57
Instruction ID: c833000cd215090ff67307cc93261bf33ec0871d9890b65edb4800aafb936628
Opcode Fuzzy Hash: 8c627dd97aa7260b9e6ac5e60659635a937a69051d5d8bc71650c6311fbe0e57
Instruction Fuzzy Hash: 5761BA71A0020ADFDB14DF64C980BABB7E5EF04311F1881B9EE068B281E774ED59EB51

Uniqueness

Uniqueness Score: -1.00%

Function 00F5766F Relevance: 1.6, APIs: 1, Instructions: 103COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00F5774A

Memory Dump Source

Source File: 00000000.00000002.316268130.0000000000F51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.316260119.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316369334.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316375172.0000000000FE0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316438570.0000000001005000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316460548.000000000100F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316503289.0000000001055000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316514363.000000000105C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316525512.000000000106B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316568333.0000000001091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316573795.0000000001094000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_POv5Nk1dlu.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 0ec6e7cf9431d8cc9df0e09840c08398beeb5e992528ed2317a90bd0f0b2501b
Instruction ID: ba9385483279cc1ce1a084bafba122337bab204b466b191c9250a72ac7e47179
Opcode Fuzzy Hash: 0ec6e7cf9431d8cc9df0e09840c08398beeb5e992528ed2317a90bd0f0b2501b
Instruction Fuzzy Hash: B5318779608B02DFC724AF18F490A21F7E4FF08321714C56AEE598B755E730E855EB54

Uniqueness

Uniqueness Score: -1.00%

Function 00F57CB3 Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00F57D13

Memory Dump Source

Source File: 00000000.00000002.316268130.0000000000F51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.316260119.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316369334.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316375172.0000000000FE0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316438570.0000000001005000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316460548.000000000100F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316503289.0000000001055000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316514363.000000000105C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316525512.000000000106B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316568333.0000000001091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316573795.0000000001094000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_POv5Nk1dlu.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 0da9abc12ca2c74dfd152865f60887a422d10e924b62dd00f0d82844917cef5d
Instruction ID: e4a9a9442105cd752209ad1b3bb4aea7c44f9a86c9b1889efcdb7cde18c33772
Opcode Fuzzy Hash: 0da9abc12ca2c74dfd152865f60887a422d10e924b62dd00f0d82844917cef5d
Instruction Fuzzy Hash: 28213672A08609EFDB206F10FC417B97BB8FF10351F21847EE886C5081EB3580E8A701

Uniqueness

Uniqueness Score: -1.00%

Function 00F580D7 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00F58109

Memory Dump Source

Source File: 00000000.00000002.316268130.0000000000F51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.316260119.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316369334.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316375172.0000000000FE0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316438570.0000000001005000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316460548.000000000100F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316503289.0000000001055000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316514363.000000000105C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316525512.000000000106B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316568333.0000000001091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316573795.0000000001094000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_POv5Nk1dlu.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 2b0bd783e241425ebc19a865285f950026f1c681f6244a2c88cfa1967ad52543
Instruction ID: ef4d01668bf9eba9269ff39473875e1d8f73964b6fab7540456689e0f522e99b
Opcode Fuzzy Hash: 2b0bd783e241425ebc19a865285f950026f1c681f6244a2c88cfa1967ad52543
Instruction Fuzzy Hash: 91115E76604605DFC724CF28D881A16B7E9FF48354720C82EE98EDB761DB32E846DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00F57F41 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00F57F82

Memory Dump Source

Source File: 00000000.00000002.316268130.0000000000F51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.316260119.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316369334.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316375172.0000000000FE0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316438570.0000000001005000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316460548.000000000100F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316503289.0000000001055000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316514363.000000000105C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316525512.000000000106B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316568333.0000000001091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316573795.0000000001094000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_POv5Nk1dlu.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 282cde0e7519496ebeb9a313f9179f25e65d441fcca71cf3baea6695a0529a18
Instruction ID: bd1dadef41c003922dfe76e90dd613714f89e12a65bfba494792e0048fec9d8b
Opcode Fuzzy Hash: 282cde0e7519496ebeb9a313f9179f25e65d441fcca71cf3baea6695a0529a18
Instruction Fuzzy Hash: B801D672204701AED720AF28DC02F67BBD8EF447A0F10852EFA5ACA191EA35E444A790

Uniqueness

Uniqueness Score: -1.00%

Function 00FB794E Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

Part of subcall function 00F70FF6: _malloc.LIBCMT ref: 00F7100E

Part of subcall function 00F70FF6: std::exception::exception.LIBCMT ref: 00F7102C
Part of subcall function 00F70FF6: __CxxThrowException@8.LIBCMT ref: 00F71041

_memset.LIBCMT ref: 00FB7983

Memory Dump Source

Source File: 00000000.00000002.316268130.0000000000F51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.316260119.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316369334.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316375172.0000000000FE0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316438570.0000000001005000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316460548.000000000100F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316503289.0000000001055000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316514363.000000000105C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316525512.000000000106B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316568333.0000000001091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316573795.0000000001094000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_POv5Nk1dlu.jbxd

Similarity

API ID: Exception@8Throw_malloc_memsetstd::exception::exception
String ID:
API String ID: 4117793777-0
Opcode ID: 92f3e5bf25a9325dbfa36bd2a9d28331a96c638114c69703f502504059365eb8
Instruction ID: cc36c4f3d874528fcc762f7e359f65f4f2e18602e6906814c37de4bceeb0bd37
Opcode Fuzzy Hash: 92f3e5bf25a9325dbfa36bd2a9d28331a96c638114c69703f502504059365eb8
Instruction Fuzzy Hash: 2D01E475204200EFD324EF5CD841B46BBE1EF59310F24C45AF9888B392DB76A800AF92

Uniqueness

Uniqueness Score: -1.00%

Function 00F72E84 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

Part of subcall function 00F73457: __lock.LIBCMT ref: 00F73459

__onexit_nolock.LIBCMT ref: 00F72EA0

Part of subcall function 00F72EC8: RtlDecodePointer.NTDLL(?,00000000,00000000,?,?,00F72EA5,00F8B80A,0100BB50), ref: 00F72EDB
Part of subcall function 00F72EC8: RtlDecodePointer.KERNEL32(?,?,00F72EA5,00F8B80A,0100BB50), ref: 00F72EE6
Part of subcall function 00F72EC8: __realloc_crt.LIBCMT ref: 00F72F27
Part of subcall function 00F72EC8: __realloc_crt.LIBCMT ref: 00F72F3B
Part of subcall function 00F72EC8: RtlEncodePointer.KERNEL32(00000000,?,?,00F72EA5,00F8B80A,0100BB50), ref: 00F72F4D
Part of subcall function 00F72EC8: RtlEncodePointer.KERNEL32(00F8B80A,?,?,00F72EA5,00F8B80A,0100BB50), ref: 00F72F5B
Part of subcall function 00F72EC8: RtlEncodePointer.KERNEL32(00000004,?,?,00F72EA5,00F8B80A,0100BB50), ref: 00F72F67

Memory Dump Source

Source File: 00000000.00000002.316268130.0000000000F51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.316260119.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316369334.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316375172.0000000000FE0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316438570.0000000001005000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316460548.000000000100F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316503289.0000000001055000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316514363.000000000105C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316525512.000000000106B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316568333.0000000001091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316573795.0000000001094000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_POv5Nk1dlu.jbxd

Similarity

API ID: Pointer$Encode$Decode__realloc_crt$__lock__onexit_nolock
String ID:
API String ID: 3536590627-0
Opcode ID: e7e9e9e40d2df20dcfeff481ff6b6f885a7201712e0b4e353f1c49f360c63a9a
Instruction ID: cfb56d75eb5e6ff0a000597f02d5de415e08e5f12e579eefbf5a8d4219061f3c
Opcode Fuzzy Hash: e7e9e9e40d2df20dcfeff481ff6b6f885a7201712e0b4e353f1c49f360c63a9a
Instruction Fuzzy Hash: 31D01271D40609ABDB51FBE98D0675D7A606F44762F50C146F01CA61C2CBBC07427B93

Uniqueness

Uniqueness Score: -1.00%

Function 00F733B3 Relevance: 1.5, APIs: 1, Instructions: 9COMMONLIBRARYCODE

Download Yara Rule

APIs

_doexit.LIBCMT ref: 00F733BD

Part of subcall function 00F73469: __lock.LIBCMT ref: 00F73477
Part of subcall function 00F73469: RtlDecodePointer.KERNEL32(0100BB70,0000001C,00F733C2,00000000,00000001,00000000,?,00F73310,000000FF,?,00F79E6E,00000011,00000000,?,00F79CBC,0000000D), ref: 00F734B6
Part of subcall function 00F73469: RtlDecodePointer.KERNEL32(?,00F73310,000000FF,?,00F79E6E,00000011,00000000,?,00F79CBC,0000000D), ref: 00F734C7
Part of subcall function 00F73469: RtlEncodePointer.KERNEL32(00000000,?,00F73310,000000FF,?,00F79E6E,00000011,00000000,?,00F79CBC,0000000D), ref: 00F734E0
Part of subcall function 00F73469: RtlDecodePointer.KERNEL32(-00000004,?,00F73310,000000FF,?,00F79E6E,00000011,00000000,?,00F79CBC,0000000D), ref: 00F734F0
Part of subcall function 00F73469: RtlEncodePointer.KERNEL32(00000000,?,00F73310,000000FF,?,00F79E6E,00000011,00000000,?,00F79CBC,0000000D), ref: 00F734F6
Part of subcall function 00F73469: RtlDecodePointer.KERNEL32(?,00F73310,000000FF,?,00F79E6E,00000011,00000000,?,00F79CBC,0000000D), ref: 00F7350C
Part of subcall function 00F73469: RtlDecodePointer.KERNEL32(?,00F73310,000000FF,?,00F79E6E,00000011,00000000,?,00F79CBC,0000000D), ref: 00F73517
Part of subcall function 00F73469: __initterm.LIBCMT ref: 00F7353F
Part of subcall function 00F73469: __initterm.LIBCMT ref: 00F73550

Memory Dump Source

Source File: 00000000.00000002.316268130.0000000000F51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.316260119.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316369334.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316375172.0000000000FE0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316438570.0000000001005000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316460548.000000000100F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316503289.0000000001055000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316514363.000000000105C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316525512.000000000106B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316568333.0000000001091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316573795.0000000001094000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_POv5Nk1dlu.jbxd

Similarity

API ID: Pointer$Decode$Encode__initterm$__lock_doexit
String ID:
API String ID: 3712619029-0
Opcode ID: b4e928c0e26b8b31f7bbd767efdfabfe1f62d1646d37685f8d7537e28665a351
Instruction ID: 45eed72d30fdd157aa4630bfd987bd7863c98f0e0adeaaf57a2a177056ea1ff5
Opcode Fuzzy Hash: b4e928c0e26b8b31f7bbd767efdfabfe1f62d1646d37685f8d7537e28665a351
Instruction Fuzzy Hash: 5EB0123158030CB3DD112D45EC03F553B0E4740B50F004061FA0C5C1E1E5D366A060C6

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00FDCDAC Relevance: 74.1, APIs: 40, Strings: 2, Instructions: 637
windowkeyboardnativeCOMMON

Download Yara Rule

C-Code - Quality: 81%

			E00FDCDAC(void* __ebx, struct HWND__* _a4, signed int _a8, struct HWND__** _a12) {
				intOrPtr _v24;
				long _v52;
				void* _v56;
				intOrPtr _v60;
				intOrPtr _v84;
				long _v92;
				void* _v96;
				signed int _v108;
				int _v112;
				void* _v116;
				struct HWND__** _v120;
				signed int _v124;
				long _v128;
				signed int _v132;
				int _v136;
				void* _v140;
				char _v144;
				struct HWND__* _v148;
				struct tagPOINT _v156;
				struct tagPOINT _v164;
				signed int _v165;
				signed int _v168;
				signed int _v172;
				long _v176;
				char _v200;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t221;
				signed int _t223;
				int _t224;
				intOrPtr _t226;
				signed int _t228;
				signed int _t229;
				signed int _t232;
				intOrPtr _t233;
				signed int _t236;
				struct HWND__* _t239;
				struct HWND__* _t242;
				intOrPtr _t244;
				intOrPtr _t251;
				intOrPtr _t254;
				signed int _t258;
				intOrPtr _t261;
				signed int _t271;
				intOrPtr _t273;
				intOrPtr _t275;
				long _t279;
				intOrPtr _t282;
				signed int _t288;
				signed int _t291;
				intOrPtr _t293;
				signed int _t295;
				signed int _t303;
				intOrPtr _t306;
				signed int _t310;
				long _t318;
				signed int _t341;
				intOrPtr _t342;
				intOrPtr _t347;
				intOrPtr _t352;
				signed int _t357;
				signed int _t359;
				short _t362;
				short _t363;
				short _t365;
				signed int _t367;
				struct HWND__* _t374;
				signed int _t375;
				long _t376;
				intOrPtr _t383;
				struct HWND__* _t385;
				intOrPtr _t387;
				intOrPtr _t388;
				intOrPtr _t390;
				long _t393;
				struct HMENU__* _t395;
				signed int _t397;
				struct HMENU__* _t399;
				signed int _t401;
				intOrPtr _t405;
				signed int _t417;
				void* _t418;
				intOrPtr _t419;
				intOrPtr _t420;
				struct HWND__** _t422;
				signed int _t426;
				signed int _t429;
				struct tagPOINT* _t438;
				struct HWND__* _t439;
				long _t441;
				intOrPtr _t442;
				void* _t447;
				void* _t448;

				_t381 = __ebx;
				_t221 = E00F52612(0x10167b0, _a4);
				_t383 =  *0x1016810; // 0x0
				_t422 = _a12;
				_v148 = _t221;
				_t426 =  *( *(_t383 + _t221 * 4));
				_t385 = _t422[2];
				_v124 = _t426;
				_t447 = _t385 - 0xfffffe6e;
				if(_t447 > 0) {
					__eflags = _t385 - 0xfffffff0;
					if(__eflags > 0) {
						__eflags = _t385 - 0xfffffff4;
						if(_t385 == 0xfffffff4) {
							_t223 = E00F525DB(0x10167b0,  *_t422);
							_v168 = _t223;
							__eflags = _t223 - 0xffffffff;
							if(_t223 == 0xffffffff) {
								L12:
								_t224 =  *0xfdf584(_a4, 0x4e, _a8, _t422);
								L13:
								return _t224;
							}
							_t387 =  *0x1016824; // 0xb69510
							_t388 =  *((intOrPtr*)( *((intOrPtr*)(_t387 + _t223 * 4))));
							_t226 =  *((intOrPtr*)(_t388 + 0x90));
							__eflags = _t226 - 0x10;
							if(_t226 == 0x10) {
								L101:
								_t228 = _t422[3] - 1;
								__eflags = _t228;
								if(_t228 == 0) {
									_t224 = 0x20;
									goto L13;
								}
								_t229 = _t228 - 0x10000;
								__eflags = _t229;
								if(_t229 != 0) {
									goto L12;
								}
								__eflags =  *((intOrPtr*)(_t388 + 0x48)) - 0xfe000000;
								_v165 = _t229;
								if( *((intOrPtr*)(_t388 + 0x48)) == 0xfe000000) {
									_v165 = 1;
								}
								_t232 = E00F52402(0x10167b0, _t422[0xb],  &_v144,  &_v164);
								__eflags = _t232;
								if(_t232 != 0) {
									_t233 =  *0x1016824; // 0xb69510
									_t429 = _v164.x;
									_t236 = GetWindowLongW( *( *((intOrPtr*)( *((intOrPtr*)(_t233 + _t429 * 4)))) + 0x34), 0xfffffff0);
									__eflags = _t236 & 0x08000000;
									if((_t236 & 0x08000000) != 0) {
										goto L106;
									}
									__eflags = _t422[0xa] & 0x00000011;
									_t390 =  *0x1016824; // 0xb69510
									if((_t422[0xa] & 0x00000011) == 0) {
										L110:
										_t239 =  *( *((intOrPtr*)( *((intOrPtr*)(_t390 + _t429 * 4)))) + 0x4c);
										__eflags = _t239 - 0xffffffff;
										if(_t239 != 0xffffffff) {
											_t422[0xc] = _t239;
											_t390 =  *0x1016824; // 0xb69510
										}
										_t242 =  *( *((intOrPtr*)( *((intOrPtr*)(_t390 + _t429 * 4)))) + 0x48);
										__eflags = _t242;
										if(_t242 < 0) {
											goto L106;
										} else {
											__eflags = _v165;
											if(_v165 == 0) {
												L115:
												_t422[0xd] = _t242;
												goto L106;
											}
											__eflags = _t422[9] & 0x00000001;
											if((_t422[9] & 0x00000001) == 0) {
												goto L106;
											}
											goto L115;
										}
									}
									_t244 =  *((intOrPtr*)( *((intOrPtr*)(_t390 + _t429 * 4))));
									__eflags =  *((char*)(_t244 + 0x90)) - 0x14;
									if( *((char*)(_t244 + 0x90)) != 0x14) {
										goto L12;
									}
									goto L110;
								} else {
									L106:
									_t224 = 0;
									goto L13;
								}
							}
							__eflags = _t226 - 0x13;
							if(_t226 != 0x13) {
								goto L12;
							}
							goto L101;
						}
						__eflags = _t385 - 0xfffffffb;
						if(_t385 == 0xfffffffb) {
							_v165 = 0;
							E00F52344(0x10167b0, _t426, 1);
							GetCursorPos( &_v164);
							ScreenToClient( *_t422,  &_v164);
							_t393 = E00F525DB(0x10167b0,  *_t422);
							_v172 = _t393;
							_v176 = _t393;
							__eflags = _t393 - 0xffffffff;
							if(_t393 != 0xffffffff) {
								L79:
								_t251 =  *0x1016824; // 0xb69510
								_v148 = _t393;
								_t254 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t251 + _t393 * 4)))) + 0x90));
								__eflags = _t254 - 0x10;
								if(_t254 == 0x10) {
									_v140 = _v156.x;
									_v136 = _v156.y;
									_t258 = SendMessageW( *_t422, 0x1111, 0,  &_v140);
									__eflags = _t258;
									if(_t258 == 0) {
										L96:
										ClientToScreen( *_t422,  &_v156);
										_t261 =  *0x1016824; // 0xb69510
										_t395 =  *( *((intOrPtr*)( *((intOrPtr*)(_t261 + _v164.y * 4)))) + 0xc);
										__eflags = _t395;
										if(_t395 == 0) {
											goto L12;
										}
										TrackPopupMenuEx(_t395, 0x80, _v156.x, _v156.y,  *_v120, 0);
										L37:
										_t224 = 1;
										goto L13;
									}
									_v92 = _t258;
									_v96 = 4;
									SendMessageW( *_t422, 0x113e, 0,  &_v96);
									__eflags = _v132 & 0x00000046;
									if((_v132 & 0x00000046) == 0) {
										goto L96;
									}
									_t271 = E00F52402(0x10167b0, _v60,  &_v144,  &_v164);
									__eflags = _t271;
									if(_t271 == 0) {
										L95:
										_v164.y = _v148;
										goto L96;
									}
									_t397 = _v164.x;
									_t273 =  *0x1016824; // 0xb69510
									_v164.y = _t397;
									_t275 =  *((intOrPtr*)( *((intOrPtr*)(_t273 + _t397 * 4))));
									__eflags =  *(_t275 + 0xc);
									if( *(_t275 + 0xc) != 0) {
										goto L96;
									}
									goto L95;
								}
								__eflags = _t254 - 0x13;
								if(_t254 != 0x13) {
									goto L12;
								}
								_v116 = _v156.x;
								_v112 = _v156.y;
								_t279 = SendMessageW( *_t422, 0x1012, 0,  &_v116);
								__eflags = _t279 - 0xffffffff;
								if(_t279 <= 0xffffffff) {
									L89:
									ClientToScreen( *_t422,  &_v156);
									_t282 =  *0x1016824; // 0xb69510
									_t399 =  *( *((intOrPtr*)( *((intOrPtr*)(_t282 + _v164.y * 4)))) + 0xc);
									__eflags = _t399;
									if(_t399 != 0) {
										TrackPopupMenuEx(_t399, 0, _v156.x, _v156.y,  *_v120, 0);
									}
									goto L12;
								}
								__eflags = _v165;
								if(_v165 != 0) {
									goto L89;
								}
								_v52 = _t279;
								_v56 = 4;
								_t288 = SendMessageW( *_t422, 0x104b, 0,  &_v56);
								__eflags = _t288;
								if(_t288 == 0) {
									goto L12;
								}
								__eflags = _v108 & 0x0000000e;
								if((_v108 & 0x0000000e) == 0) {
									goto L89;
								}
								_t291 = E00F52402(0x10167b0, _v24,  &_v144,  &_v164);
								__eflags = _t291;
								if(_t291 == 0) {
									L88:
									_v164.y = _v148;
									goto L89;
								}
								_t401 = _v164.x;
								_t293 =  *0x1016824; // 0xb69510
								_v164.y = _t401;
								_t295 =  *( *(_t293 + _t401 * 4));
								__eflags = _t295;
								if(_t295 == 0) {
									goto L88;
								}
								__eflags =  *(_t295 + 0xc);
								if( *(_t295 + 0xc) != 0) {
									goto L89;
								}
								goto L88;
							}
							_t393 = E00F525DB(0x10167b0, GetParent( *_t422));
							_v164.x = _t393;
							_v168 = _t393;
							__eflags = _t393 - 0xffffffff;
							if(_t393 == 0xffffffff) {
								goto L12;
							}
							_v165 = 1;
							goto L79;
						}
						__eflags = _t385 - 0xfffffffe;
						if(_t385 != 0xfffffffe) {
							goto L12;
						}
						E00F52344(0x10167b0, _t426, 1);
						GetCursorPos( &_v164);
						ScreenToClient( *_t422,  &_v164);
						_t303 = E00F525DB(0x10167b0,  *_t422);
						__eflags = _t303 - 0xffffffff;
						if(_t303 == 0xffffffff) {
							goto L12;
						}
						_t405 =  *0x1016824; // 0xb69510
						_t306 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t405 + _t303 * 4)))) + 0x90));
						__eflags = _t306 - 0x10;
						if(_t306 < 0x10) {
							goto L12;
						}
						__eflags = _t306 - 0x11;
						if(_t306 <= 0x11) {
							_v140 = _v156.x;
							_v136 = _v156.y;
							_t310 = SendMessageW( *_t422, 0x1111, 0,  &_v140);
							__eflags = _t310;
							if(_t310 != 0) {
								_v92 = _t310;
								_v96 = 0xc;
								_v84 = 0xf000;
								SendMessageW( *_t422, 0x113e, 0,  &_v96);
								__eflags = _v132 & 0x00000046;
								if((_v132 & 0x00000046) != 0) {
									SendMessageW( *_t422, 0x110b, 9, 0);
									SendMessageW( *_t422, 0x110b, 9, _v128);
								}
							}
							goto L12;
						}
						__eflags = _t306 - 0x13;
						if(_t306 != 0x13) {
							goto L12;
						}
						_t426 = 0;
						_v116 = _v156;
						_v112 = _v156.y;
						_t318 = SendMessageW( *_t422, 0x1012, 0,  &_v116);
						__eflags = _t318 - 0xffffffff;
						if(_t318 == 0xffffffff) {
							goto L12;
						}
						_v52 = _t318;
						_v56 = 4;
						SendMessageW( *_t422, 0x104b, 0,  &_v56);
						__eflags = _v108 & 0x0000000e;
						if((_v108 & 0x0000000e) == 0) {
							goto L12;
						}
						_push(0);
						_push(_v24);
						L45:
						E00FDB60B(_t381, _t422, _t426);
						goto L12;
					}
					if(__eflags == 0) {
						ReleaseCapture();
						goto L12;
					}
					__eflags = _t385 - 0xfffffec0;
					if(_t385 == 0xfffffec0) {
						L61:
						InvalidateRect( *_t422, 0, 1);
						goto L12;
					}
					__eflags = _t385 - 0xfffffed4;
					if(_t385 == 0xfffffed4) {
						goto L61;
					}
					__eflags = _t385 - 0xffffff93;
					if(_t385 == 0xffffff93) {
						 *0xfdf094( *0x101685c, 0, 0, 0);
						 *0xfdf098( *0x101685c, 0, 0xfffffff8, 0xfffffff0);
						SetCapture(_a4);
						 *0x1016860 = _a8;
						_v172 = 0;
						_v164.x = 0;
						_v164.y = 1;
						E00F59A20(__ebx,  &_v172);
						_v172 = _a8;
						_v164.y = 1;
						E00F57F41(__ebx,  &_v148, __eflags, L"@GUI_DRAGID");
						E00F58B13(0x1017270, _t418, _t422, __eflags,  &(_v156.y),  &_v176, 1);
						E00F55A64( &_v164);
						_t438 =  &(_t422[8]);
						ClientToScreen( *_t422, _t438);
						 *0xfdf09c(0, _t438->x, _t422[9]);
						E00F59A20(__ebx,  &_v200);
					} else {
						__eflags = _t385 - 0xffffff94;
						if(_t385 == 0xffffff94) {
							_t439 = _t422[1];
							_t341 = E00F52402(0x10167b0, _t439,  &_v144,  &_v164);
							__eflags = _t341;
							if(_t341 != 0) {
								_t342 =  *0x1016824; // 0xb69510
								_push(0);
								 *((short*)( *((intOrPtr*)( *((intOrPtr*)(_t342 + _v164.x * 4)))) + 0x96)) = _t422[4];
								_push(_t422[1]);
								E00FDB60B(__ebx, _t422, _t439);
								_t419 =  *0x1016824; // 0xb69510
								_t414 = _v172;
								_t347 =  *((intOrPtr*)( *((intOrPtr*)(_t419 + _v172 * 4))));
								__eflags =  *(_t347 + 0x28);
								if( *(_t347 + 0x28) > 0) {
									 *0x10167ec = _t439;
									E00F581A7(0x10167f0,  *((intOrPtr*)( *((intOrPtr*)(_t419 + _t414 * 4)))) + 0x24);
									_t352 =  *0x1016824; // 0xb69510
									 *0x1016800 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t352 + _v165 * 4)))) + 0x98));
									SendMessageW( *_t422, 0x1030, _t422[4], 0xfdb602);
								}
							}
						}
					}
					goto L12;
				}
				if(_t447 == 0) {
					L46:
					_t426 = 0;
					_t357 = SendMessageW( *_t422, 0x110a, 9, 0);
					__eflags = _t357;
					if(_t357 == 0) {
						goto L12;
					}
					_v92 = _t357;
					_v96 = 4;
					_t359 = SendMessageW( *_t422, 0x113e, 0,  &_v96);
					__eflags = _t359;
					if(_t359 == 0) {
						goto L12;
					}
					__eflags = _t422[0xd] - _t422[0x17];
					if(_t422[0xd] == _t422[0x17]) {
						goto L12;
					}
					__eflags = _t422[3] - 0x1000;
					if(_t422[3] == 0x1000) {
						goto L12;
					}
					__eflags = _t422[3] - 1;
					L26:
					if(__eflags == 0) {
						goto L12;
					}
					_push(_t426);
					_push(_v60);
					goto L45;
				}
				_t448 = _t385 - 0xfffffdd9;
				if(_t448 > 0) {
					__eflags = _t385 - 0xfffffdda;
					if(_t385 == 0xfffffdda) {
						_t362 = GetKeyState(0x11);
						__eflags = _t362;
						if(_t362 >= 0) {
							goto L12;
						}
						_t363 = GetKeyState(9);
						__eflags = _t363;
						if(_t363 >= 0) {
							goto L12;
						}
						_t441 = SendMessageW( *_t422, 0x130b, 0, 0);
						_t365 = GetKeyState(0x10);
						__eflags = _t365;
						if(_t365 >= 0) {
							_t426 = _t441 + 1;
							__eflags = _t426;
						} else {
							_t426 = _t441 - 1;
						}
						_push(_t426);
						L44:
						_push(_t422[1]);
						goto L45;
					}
					__eflags = _t385 - 0xfffffdee;
					if(_t385 == 0xfffffdee) {
						__eflags =  *(_t426 + 0x188);
						if( *(_t426 + 0x188) == 0) {
							goto L12;
						}
						_t420 =  *0x1016834; // 0x2
						_t417 = 3;
						__eflags = _t420 - _t417;
						if(_t420 < _t417) {
							goto L12;
						}
						_t442 =  *0x1016824; // 0xb69510
						do {
							_t367 =  *( *(_t442 + _t417 * 4));
							__eflags = _t367;
							if(_t367 == 0) {
								goto L34;
							}
							__eflags =  *((intOrPtr*)(_t367 + 4)) - _v144;
							_t422 = _a12;
							if( *((intOrPtr*)(_t367 + 4)) != _v144) {
								goto L34;
							}
							__eflags = ( *(_t367 + 0x93) & 0x000000ff) - _t422[1];
							if(( *(_t367 + 0x93) & 0x000000ff) == _t422[1]) {
								break;
							}
							L34:
							_t417 = _t417 + 1;
							__eflags = _t417 - _t420;
						} while (_t417 <= _t420);
						__eflags = _t417 - _t420;
						if(_t417 > _t420) {
							goto L12;
						}
						E00F742EE( &(_t422[4]),  *((intOrPtr*)( *( *(_t442 + _t417 * 4)) + 0x54)), 0x4f);
						__eflags = 0;
						_t422[0x2b] = 0;
						goto L37;
					}
					__eflags = _t385 - 0xfffffe3d;
					if(_t385 == 0xfffffe3d) {
						goto L46;
					}
					__eflags = _t385 - 0xfffffe64;
					if(_t385 != 0xfffffe64) {
						goto L12;
					}
					_t374 =  *_t422;
					_v148 = _t374;
					_t375 = GetWindowLongW(_t374, 0xfffffff0);
					__eflags = _t375 & 0x00000100;
					if((_t375 & 0x00000100) == 0) {
						goto L12;
					}
					__eflags = _t422[3] - 0x20;
					if(_t422[3] != 0x20) {
						goto L12;
					}
					_t426 = 0;
					_t376 = SendMessageW(_v148, 0x110a, 9, 0);
					__eflags = _t376;
					if(_t376 == 0) {
						goto L12;
					}
					_v92 = _t376;
					_v96 = 4;
					__eflags = SendMessageW(_v148, 0x113e, 0,  &_v96);
					goto L26;
				}
				if(_t448 == 0) {
					_push(SendMessageW( *_t422, 0x130b, 0, 0));
					goto L44;
				}
				if(_t385 == 0xfffffd09) {
					__eflags =  *((char*)(_t426 + 0x199));
					 *((char*)(_t426 + 0x19a)) = 1;
					if( *((char*)(_t426 + 0x199)) != 0) {
						goto L12;
					} else {
						 *((char*)(_t426 + 0x19a)) = 0;
						_push(_t422[2]);
						goto L44;
					}
				}
				if(_t385 == 0xfffffd0e) {
					 *((char*)(_t426 + 0x199)) = 1;
					goto L12;
				}
				if(_t385 == 0xfffffd0f) {
					__eflags =  *((char*)(_t426 + 0x19a)) - 1;
					if( *((char*)(_t426 + 0x19a)) == 1) {
						_push(_t385);
						_push(_t422[1]);
						E00FDB60B(__ebx, _t422, _t426);
					}
					 *((short*)(_t426 + 0x199)) = 0;
					goto L12;
				}
				if(_t385 != 0xfffffd16) {
					goto L12;
				} else {
					_push(_t385);
					goto L44;
				}
			}

0x00fdcdac
0x00fdcdc2
0x00fdcdc7
0x00fdcdcd
0x00fdcdd0
0x00fdcddc
0x00fdcdde
0x00fdcde1
0x00fdcde5
0x00fdcde7
0x00fdd06f
0x00fdd072
0x00fdd219
0x00fdd21c
0x00fdd5d7
0x00fdd5dc
0x00fdd5e0
0x00fdd5e3
0x00fdce47
0x00fdce50
0x00fdce56
0x00fdce5b
0x00fdce5b
0x00fdd5e9
0x00fdd5f2
0x00fdd5f4
0x00fdd5fa
0x00fdd5fc
0x00fdd606
0x00fdd609
0x00fdd609
0x00fdd60a
0x00fdd6c0
0x00000000
0x00fdd6c0
0x00fdd610
0x00fdd610
0x00fdd615
0x00000000
0x00000000
0x00fdd61b
0x00fdd622
0x00fdd626
0x00fdd628
0x00fdd628
0x00fdd63c
0x00fdd641
0x00fdd643
0x00fdd64c
0x00fdd651
0x00fdd65f
0x00fdd665
0x00fdd66a
0x00000000
0x00000000
0x00fdd66c
0x00fdd670
0x00fdd676
0x00fdd68a
0x00fdd68f
0x00fdd692
0x00fdd695
0x00fdd697
0x00fdd69a
0x00fdd69a
0x00fdd6a5
0x00fdd6a8
0x00fdd6aa
0x00000000
0x00fdd6ac
0x00fdd6ac
0x00fdd6b1
0x00fdd6b9
0x00fdd6b9
0x00000000
0x00fdd6b9
0x00fdd6b3
0x00fdd6b7
0x00000000
0x00000000
0x00000000
0x00fdd6b7
0x00fdd6aa
0x00fdd67b
0x00fdd67d
0x00fdd684
0x00000000
0x00000000
0x00000000
0x00fdd645
0x00fdd645
0x00fdd645
0x00000000
0x00fdd645
0x00fdd643
0x00fdd5fe
0x00fdd600
0x00000000
0x00000000
0x00000000
0x00fdd600
0x00fdd222
0x00fdd225
0x00fdd38a
0x00fdd391
0x00fdd39b
0x00fdd3a8
0x00fdd3b7
0x00fdd3b9
0x00fdd3bd
0x00fdd3c1
0x00fdd3c4
0x00fdd3ee
0x00fdd3ee
0x00fdd3f3
0x00fdd3fc
0x00fdd402
0x00fdd404
0x00fdd501
0x00fdd509
0x00fdd51a
0x00fdd520
0x00fdd522
0x00fdd588
0x00fdd58f
0x00fdd599
0x00fdd5a3
0x00fdd5a6
0x00fdd5a8
0x00000000
0x00000000
0x00fdd5c3
0x00fdcfb2
0x00fdcfb4
0x00000000
0x00fdcfb4
0x00fdd524
0x00fdd535
0x00fdd53d
0x00fdd543
0x00fdd548
0x00000000
0x00000000
0x00fdd560
0x00fdd565
0x00fdd567
0x00fdd580
0x00fdd584
0x00000000
0x00fdd584
0x00fdd569
0x00fdd56d
0x00fdd572
0x00fdd579
0x00fdd57b
0x00fdd57e
0x00000000
0x00000000
0x00000000
0x00fdd57e
0x00fdd40a
0x00fdd40c
0x00000000
0x00000000
0x00fdd418
0x00fdd420
0x00fdd431
0x00fdd437
0x00fdd43a
0x00fdd4b9
0x00fdd4c0
0x00fdd4ca
0x00fdd4d4
0x00fdd4d7
0x00fdd4d9
0x00fdd4f0
0x00fdd4f0
0x00000000
0x00fdd4d9
0x00fdd43c
0x00fdd441
0x00000000
0x00000000
0x00fdd443
0x00fdd457
0x00fdd462
0x00fdd468
0x00fdd46a
0x00000000
0x00000000
0x00fdd470
0x00fdd475
0x00000000
0x00000000
0x00fdd48d
0x00fdd492
0x00fdd494
0x00fdd4b1
0x00fdd4b5
0x00000000
0x00fdd4b5
0x00fdd496
0x00fdd49a
0x00fdd49f
0x00fdd4a6
0x00fdd4a8
0x00fdd4aa
0x00000000
0x00000000
0x00fdd4ac
0x00fdd4af
0x00000000
0x00000000
0x00000000
0x00fdd4af
0x00fdd3d6
0x00fdd3d8
0x00fdd3dc
0x00fdd3e0
0x00fdd3e3
0x00000000
0x00000000
0x00fdd3e9
0x00000000
0x00fdd3e9
0x00fdd22b
0x00fdd22e
0x00000000
0x00000000
0x00fdd23e
0x00fdd248
0x00fdd255
0x00fdd25f
0x00fdd264
0x00fdd267
0x00000000
0x00000000
0x00fdd26d
0x00fdd278
0x00fdd27e
0x00fdd280
0x00000000
0x00000000
0x00fdd286
0x00fdd288
0x00fdd303
0x00fdd30b
0x00fdd31c
0x00fdd322
0x00fdd324
0x00fdd32a
0x00fdd33b
0x00fdd343
0x00fdd34b
0x00fdd351
0x00fdd356
0x00fdd36c
0x00fdd37b
0x00fdd37b
0x00fdd356
0x00000000
0x00fdd324
0x00fdd28a
0x00fdd28c
0x00000000
0x00000000
0x00fdd296
0x00fdd298
0x00fdd2a0
0x00fdd2b1
0x00fdd2b7
0x00fdd2ba
0x00000000
0x00000000
0x00fdd2c0
0x00fdd2d4
0x00fdd2df
0x00fdd2e5
0x00fdd2ea
0x00000000
0x00000000
0x00fdd2f0
0x00fdd2f1
0x00fdd002
0x00fdd002
0x00000000
0x00fdd002
0x00fdd078
0x00fdd20e
0x00000000
0x00fdd20e
0x00fdd07e
0x00fdd084
0x00fdd1fd
0x00fdd203
0x00000000
0x00fdd203
0x00fdd08a
0x00fdd090
0x00000000
0x00000000
0x00fdd096
0x00fdd099
0x00fdd15b
0x00fdd16e
0x00fdd177
0x00fdd184
0x00fdd189
0x00fdd18d
0x00fdd191
0x00fdd199
0x00fdd1a6
0x00fdd1af
0x00fdd1b3
0x00fdd1c8
0x00fdd1d1
0x00fdd1d6
0x00fdd1dc
0x00fdd1e9
0x00fdd1f3
0x00fdd09f
0x00fdd09f
0x00fdd0a2
0x00fdd0a8
0x00fdd0bb
0x00fdd0c0
0x00fdd0c2
0x00fdd0c8
0x00fdd0d1
0x00fdd0dc
0x00fdd0e3
0x00fdd0e6
0x00fdd0eb
0x00fdd0f1
0x00fdd0f8
0x00fdd0fa
0x00fdd0fe
0x00fdd104
0x00fdd118
0x00fdd11d
0x00fdd136
0x00fdd145
0x00fdd145
0x00fdd0fe
0x00fdd0c2
0x00fdd0a2
0x00000000
0x00fdd099
0x00fdcded
0x00fdd00c
0x00fdd00c
0x00fdd018
0x00fdd01e
0x00fdd020
0x00000000
0x00000000
0x00fdd026
0x00fdd037
0x00fdd03f
0x00fdd045
0x00fdd047
0x00000000
0x00000000
0x00fdd050
0x00fdd053
0x00000000
0x00000000
0x00fdd059
0x00fdd060
0x00000000
0x00000000
0x00fdd066
0x00fdcf31
0x00fdcf31
0x00000000
0x00000000
0x00fdcf37
0x00fdcf38
0x00000000
0x00fdcf38
0x00fdcdf8
0x00fdcdfa
0x00fdce9d
0x00fdcea3
0x00fdcfc2
0x00fdcfc4
0x00fdcfc7
0x00000000
0x00000000
0x00fdcfcf
0x00fdcfd1
0x00fdcfd4
0x00000000
0x00000000
0x00fdcfed
0x00fdcfef
0x00fdcff5
0x00fdcff8
0x00fdcffd
0x00fdcffd
0x00fdcffa
0x00fdcffa
0x00fdcffa
0x00fdcffe
0x00fdcfff
0x00fdcfff
0x00000000
0x00fdcfff
0x00fdcea9
0x00fdceaf
0x00fdcf41
0x00fdcf48
0x00000000
0x00000000
0x00fdcf4e
0x00fdcf56
0x00fdcf57
0x00fdcf59
0x00000000
0x00000000
0x00fdcf5f
0x00fdcf65
0x00fdcf68
0x00fdcf6a
0x00fdcf6c
0x00000000
0x00000000
0x00fdcf72
0x00fdcf75
0x00fdcf78
0x00000000
0x00000000
0x00fdcf81
0x00fdcf84
0x00000000
0x00000000
0x00fdcf86
0x00fdcf86
0x00fdcf87
0x00fdcf87
0x00fdcf8b
0x00fdcf8d
0x00000000
0x00000000
0x00fdcfa1
0x00fdcfa9
0x00fdcfab
0x00000000
0x00fdcfab
0x00fdceb5
0x00fdcebb
0x00000000
0x00000000
0x00fdcec1
0x00fdcec7
0x00000000
0x00000000
0x00fdcecd
0x00fdced2
0x00fdced6
0x00fdcedc
0x00fdcee1
0x00000000
0x00000000
0x00fdcee7
0x00fdceec
0x00000000
0x00000000
0x00fdcef2
0x00fdcf00
0x00fdcf06
0x00fdcf08
0x00000000
0x00000000
0x00fdcf0e
0x00fdcf21
0x00fdcf2f
0x00000000
0x00fdcf2f
0x00fdce00
0x00fdce97
0x00000000
0x00fdce97
0x00fdce0c
0x00fdce67
0x00fdce6e
0x00fdce75
0x00000000
0x00fdce77
0x00fdce77
0x00fdce7e
0x00000000
0x00fdce7e
0x00fdce75
0x00fdce14
0x00fdce5e
0x00000000
0x00fdce5e
0x00fdce1c
0x00fdce2c
0x00fdce33
0x00fdce35
0x00fdce36
0x00fdce39
0x00fdce39
0x00fdce3e
0x00000000
0x00fdce3e
0x00fdce24
0x00000000
0x00fdce26
0x00fdce26
0x00000000
0x00fdce26

APIs

Part of subcall function 00F52612: GetWindowLongW.USER32(?,000000EB), ref: 00F52623

NtdllDialogWndProc_W.USER32(?,0000004E,?,?,?,?,?,?), ref: 00FDCE50
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00FDCE91
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00FDCED6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00FDCF00
SendMessageW.USER32 ref: 00FDCF29
_wcsncpy.LIBCMT ref: 00FDCFA1
GetKeyState.USER32(00000011), ref: 00FDCFC2
GetKeyState.USER32(00000009), ref: 00FDCFCF
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00FDCFE5
GetKeyState.USER32(00000010), ref: 00FDCFEF
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00FDD018
SendMessageW.USER32 ref: 00FDD03F
SendMessageW.USER32(?,00001030,?,00FDB602), ref: 00FDD145
6F83BC60.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00FDD15B
6F83AF40.COMCTL32(00000000,000000F8,000000F0), ref: 00FDD16E
SetCapture.USER32(?), ref: 00FDD177
ClientToScreen.USER32(?,?), ref: 00FDD1DC
6F83B190.COMCTL32(00000000,?,?), ref: 00FDD1E9
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00FDD203
ReleaseCapture.USER32(?,?,?), ref: 00FDD20E
GetCursorPos.USER32(?,?,00000001,?,?,?), ref: 00FDD248
ScreenToClient.USER32 ref: 00FDD255
SendMessageW.USER32(?,00001012,00000000,?), ref: 00FDD2B1
SendMessageW.USER32 ref: 00FDD2DF
SendMessageW.USER32(?,00001111,00000000,?), ref: 00FDD31C
SendMessageW.USER32 ref: 00FDD34B
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00FDD36C
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00FDD37B
GetCursorPos.USER32(?), ref: 00FDD39B
ScreenToClient.USER32 ref: 00FDD3A8
GetParent.USER32(?), ref: 00FDD3C8
SendMessageW.USER32(?,00001012,00000000,?), ref: 00FDD431
SendMessageW.USER32 ref: 00FDD462
ClientToScreen.USER32(?,?), ref: 00FDD4C0
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00FDD4F0
SendMessageW.USER32(?,00001111,00000000,?), ref: 00FDD51A
SendMessageW.USER32 ref: 00FDD53D
ClientToScreen.USER32(?,?), ref: 00FDD58F
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00FDD5C3

Part of subcall function 00F525DB: GetWindowLongW.USER32(?,000000EB), ref: 00F525EC

GetWindowLongW.USER32(?,000000F0), ref: 00FDD65F

Strings

F, xrefs: 00FDD543
@GUI_DRAGID, xrefs: 00FDD1AA

Memory Dump Source

Source File: 00000000.00000002.316268130.0000000000F51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.316260119.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316369334.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316375172.0000000000FE0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316438570.0000000001005000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316460548.000000000100F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316503289.0000000001055000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316514363.000000000105C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316525512.000000000106B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316568333.0000000001091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316573795.0000000001094000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_POv5Nk1dlu.jbxd

Similarity

API ID: MessageSend$ClientScreen$LongWindow$State$CaptureCursorMenuPopupTrack$B190DialogInvalidateNtdllParentProc_RectRelease_wcsncpy
String ID: @GUI_DRAGID$F
API String ID: 4215511855-4164748364
Opcode ID: 7188df318f52ea931bb59c839cb6d06dd2772aa45524a72838fcbbd73b467cb0
Instruction ID: b6b57e4af39eaf833a0716b7443e6adddab93134182a1a081d587e543ab99beb
Opcode Fuzzy Hash: 7188df318f52ea931bb59c839cb6d06dd2772aa45524a72838fcbbd73b467cb0
Instruction Fuzzy Hash: C9428E705092429FD725CF28C844FAABBE6FF49324F18061AF696873A0D775D844EF92

Uniqueness

Uniqueness Score: -1.00%

Function 00FD804A Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 571
windowCOMMONCrypto

Download Yara Rule

C-Code - Quality: 68%

			E00FD804A(signed int _a4, long _a8, WCHAR* _a12) {
				signed int _v12;
				signed int _v16;
				intOrPtr _v32;
				WCHAR* _v36;
				intOrPtr _v40;
				signed char _v44;
				long _v48;
				void* _v52;
				signed int _v72;
				intOrPtr _v80;
				WCHAR* _v84;
				intOrPtr _v88;
				unsigned int _v92;
				intOrPtr _v96;
				long _v100;
				void* _v104;
				signed short _v114;
				signed short _v118;
				void* _v120;
				char _v124;
				signed int _v128;
				signed int _v140;
				void* _v148;
				void* _v152;
				intOrPtr _v160;
				intOrPtr _v164;
				signed int _v188;
				intOrPtr _v196;
				char _v200;
				void* __ebx;
				void* __edi;
				intOrPtr _t167;
				signed int _t169;
				signed int _t170;
				signed int _t177;
				long _t184;
				signed int _t186;
				void* _t189;
				short _t192;
				WCHAR* _t194;
				signed int _t198;
				long _t214;
				signed int _t220;
				long _t221;
				WCHAR* _t224;
				signed int _t225;
				long _t233;
				signed int _t235;
				signed int _t241;
				signed int _t244;
				long _t246;
				signed int _t248;
				signed int _t255;
				int _t256;
				long _t258;
				long _t260;
				int _t263;
				signed int _t265;
				long _t267;
				signed int _t272;
				long _t274;
				int _t280;
				WCHAR* _t281;
				struct HWND__** _t285;
				WCHAR* _t292;
				signed char _t321;
				signed int _t325;
				WCHAR* _t338;
				signed int _t339;
				signed int _t343;
				signed int _t345;
				signed int _t348;
				signed int _t350;
				void* _t356;
				int _t357;
				long _t361;
				struct HWND__* _t368;
				signed int _t370;
				WCHAR* _t372;
				int _t373;
				signed int _t376;

				if(E00F52402(0x10167b0, _a4,  &_v124,  &_v12) != 0) {
					_t167 =  *0x1016824; // 0xb69510
					_t280 = _a8;
					 *_t280 =  *_t280 | 0xffffffff;
					_t285 =  *( *(_t167 + _v12 * 4));
					_v12 = _t285;
					_t169 = _t285[0x24] & 0x000000ff;
					_t368 =  *_t285;
					_a8 = _t368;
					__eflags = _t169 - 0x11;
					if(__eflags > 0) {
						__eflags = _t169 - 0x12;
						if(_t169 == 0x12) {
							__eflags = 0;
							_push(0);
							_push(0);
							_push(0x400);
							L88:
							_t170 = SendMessageW(_t368, ??, ??, ??);
							L89:
							 *_t280 = _t170;
							goto L90;
						}
						__eflags = _t169 - 0x13;
						if(_t169 == 0x13) {
							 *_t280 = SendMessageW(_t368, 0x100c, 0xffffffff, 2);
							E00F73020( &_v104, 0, 0x34);
							_v100 =  *_t280;
							_v104 = 4;
							_t177 = SendMessageW(_a8, 0x104b, 0,  &_v104);
							asm("sbb eax, eax");
							_t170 =  ~_t177 & _v72;
							goto L89;
						}
						__eflags = _t169 - 0x14;
						if(_t169 == 0x14) {
							 *_t280 =  *_t280 | 0xffffffff;
							_a8 = GetWindowLongW(_t285[0xd], 0xffffffec);
							E00F73020( &_v104, 0, 0x34);
							_t370 = _v12;
							_v140 = _a4;
							_v148 = 1;
							_t184 = SendMessageW( *(_t370 + 0x34), 0x1053, 0xffffffff,  &_v148);
							_v100 = _t184;
							__eflags = _t184 - 0xffffffff;
							if(_t184 == 0xffffffff) {
								goto L90;
							}
							__eflags = _a8 & 0x00000004;
							if(__eflags == 0) {
								L81:
								_t281 = E00F70FF6(_t280, 0, __eflags, 0x2000);
								_v104 = 1;
								_t338 = _t281;
								_v80 = 0xfff;
								_a12 = _t338;
								__eflags = 0 -  *((intOrPtr*)(_t370 + 0x94));
								_t186 = 0;
								while(1) {
									_a4 = _t186;
									_v96 = _t186;
									_push( &_v104);
									_push(0);
									_push(0x104b);
									_push( *(_t370 + 0x34));
									_v84 = _t338;
									if(__eflags >= 0) {
										break;
									}
									SendMessageW();
									_t189 = E00F72E3C(_a12);
									_v80 = 0xffe;
									__eflags = 0xffe - _t189;
									if(0xffe - _t189 <= 0) {
										L26:
										return _t281;
									}
									_t292 =  &(_t281[E00F72E3C(_t281)]);
									_t192 =  *0x10167c4; // 0x7c
									 *_t292 = _t192;
									_t292[1] = 0;
									_t194 = CharNextW(_t292);
									_t338 = _t194;
									_a12 = _t194;
									_t186 = _a4 + 1;
									__eflags = _t186 -  *((short*)(_t370 + 0x94));
								}
								SendMessageW();
								goto L26;
							}
							__eflags = _a12;
							if(__eflags == 0) {
								goto L81;
							}
							_v104 = 8;
							_v88 = 0xf000;
							_t198 = SendMessageW( *(_t370 + 0x34), 0x104b, 0,  &_v104);
							__eflags = _t198;
							if(_t198 == 0) {
								goto L90;
							}
							asm("sbb eax, eax");
							_t170 = ( ~((_v92 >> 0xc) - 1) & 0xfffffffd) + 4;
							goto L89;
						}
						__eflags = _t169 - 0x15;
						if(_t169 == 0x15) {
							__eflags = _t285[0x1f] - 4;
							if(_t285[0x1f] != 4) {
								_t170 = E00F59C9C( &(_t285[0x1c]));
								goto L89;
							}
							_t282 =  &(_t285[0x1c]);
							E00F59997(_t169,  &(_t285[0x1c]),  &(_t285[0x1c]));
							_t339 = 2;
							_t356 = E00F70FF6(_t282, 0, __eflags,  ~(0 | __eflags > 0x00000000) | ( *((intOrPtr*)(_t282[2] + 4)) + 0x00000001) * _t339);
							E00F59997(E00F59997(_t209, _t282, _t282), _t282, _t282);
							E00F5463E(_t356,  *(_t282[2]),  *((intOrPtr*)(_t282[2] + 4)) + 1);
							return _t356;
						}
						__eflags = _t169 - 0x18;
						if(__eflags <= 0) {
							L72:
							_t214 = SendMessageW(_t368, 0xe, 0, 0);
							_t343 = 2;
							_t100 = _t214 + 1; // 0x1
							_t357 = _t100;
							_t372 = E00F70FF6(_t280, _t357, __eflags,  ~(0 | __eflags > 0x00000000) | _t357 * _t343);
							GetWindowTextW(_a8, _t372, _t357);
							L13:
							return _t372;
						}
						__eflags = _t169 - 0x1a;
						if(_t169 <= 0x1a) {
							__eflags = _a12;
							_push(0);
							_push(0);
							if(__eflags == 0) {
								_t220 = SendMessageW(_t368, 0xf0, ??, ??);
								 *_t280 = _t220;
								__eflags = _t220;
								if(_t220 == 0) {
									 *_t280 = 4;
								}
								goto L90;
							}
							_t221 = SendMessageW(_t368, 0xe, ??, ??);
							_t345 = 2;
							_t89 = _t221 + 1; // 0x1
							_t373 = _t89;
							_t224 = E00F70FF6(_t280, 0, __eflags,  ~(0 | __eflags > 0x00000000) | _t373 * _t345);
							_a12 = _t224;
							_t225 = GetWindowTextW(_a8, _t224, _t373);
							__eflags = _t225;
							if(_t225 != 0) {
								return _a12;
							}
							_push(_a12);
							 *_t280 = 0;
							L28:
							L00F7106C();
							goto L90;
						}
						__eflags = _t169 - 0x1c;
						if(__eflags != 0) {
							goto L72;
						}
						__eflags = SendMessageW(_t368, 0x1001, 0,  &_v120);
						if(__eflags == 0) {
							 *_t280 = 0;
							goto L90;
						}
						_t372 = E00F70FF6(_t280, 0, __eflags, 0x16);
						wsprintfW(_t372, L"%d/%02d/%02d", _v120 & 0x0000ffff, _v118 & 0x0000ffff, _v114 & 0x0000ffff);
						goto L13;
					}
					if(__eflags == 0) {
						_v48 = _t285[4];
						 *_t280 = 0;
						_t233 = GetWindowLongW(_t285[0xd], 0xfffffff0);
						__eflags = _a12;
						_a4 = _t233;
						_v52 = 8;
						_v40 = 0xf000;
						if(__eflags == 0) {
							_t235 = SendMessageW( *(_v12 + 0x34), 0x113e, 0,  &_v52);
							__eflags = _t235;
							if(_t235 != 0) {
								_t321 = _v44;
								__eflags = _a4 & 0x00000100;
								if((_a4 & 0x00000100) != 0) {
									asm("sbb eax, eax");
									_t241 = ( ~((_t321 >> 0xc) - 1) & 0xfffffffd) + 4;
									__eflags = _t241;
									 *_t280 = _t241;
								}
								__eflags = _t321 & 0x00000002;
								if((_t321 & 0x00000002) != 0) {
									 *_t280 =  *_t280 | 0x00000100;
									__eflags =  *_t280;
								}
								__eflags = _t321 & 0x00000020;
								if((_t321 & 0x00000020) != 0) {
									 *_t280 =  *_t280 | 0x00000400;
									__eflags =  *_t280;
								}
								__eflags = _t321 & 0x00000010;
								if((_t321 & 0x00000010) != 0) {
									 *_t280 =  *_t280 | 0x00000200;
								}
							}
							goto L90;
						}
						_t281 = E00F70FF6(_t280, 0, __eflags, 0x2000);
						_push( &_v52);
						_push(0);
						_push(0x113e);
						_push( *(_v12 + 0x34));
						L25:
						_v32 = 0xfff;
						_v36 = _t281;
						_v52 = 1;
						_t244 = SendMessageW(??, ??, ??, ??);
						__eflags = _t244;
						if(_t244 == 0) {
							_push(_t281);
							goto L28;
						}
						goto L26;
					}
					__eflags = _t169 - 0xa;
					if(__eflags > 0) {
						__eflags = _t169 - 0xc;
						if(_t169 == 0xc) {
							 *_t280 =  *_t280 & 0;
							goto L90;
						}
						__eflags = _t169 - 0xd;
						if(__eflags <= 0) {
							goto L72;
						}
						__eflags = _t169 - 0xf;
						if(_t169 <= 0xf) {
							__eflags = IsMenu(_t285[3]);
							if(__eflags == 0) {
								goto L90;
							}
							_t246 = E00F70FF6(_t280, 0, __eflags, 0x208);
							__eflags = _a12;
							_t361 = _t246;
							_t376 = _v12;
							_a8 = _t361;
							_v200 = 0x30;
							_push( &_v200);
							if(_a12 == 0) {
								_v196 = 1;
								_t248 = GetMenuItemInfoW( *(_t376 + 0xc), _a4, 0, ??);
								_push(_t361);
								__eflags = _t248;
								if(_t248 == 0) {
									goto L28;
								}
								L00F7106C();
								_t325 = _v188;
								 *_t280 = _t325;
								asm("sbb eax, eax");
								_t255 = ( ~(_t325 & 0x00000003) & 0x00000040) + 0x40;
								__eflags = _t325 & 0x00008080;
								if((_t325 & 0x00008080) != 0) {
									_t255 = _t255 | 0x00000100;
									__eflags = _t255;
								}
								__eflags = _t325 & 0x00000008;
								if((_t325 & 0x00000008) == 0) {
									_t170 = _t255 | 0x00000004;
									__eflags = _t170;
								} else {
									_t170 = _t255 | 0x00000001;
								}
								__eflags = _t325 & 0x00001000;
								if((_t325 & 0x00001000) != 0) {
									_t170 = _t170 | 0x00000200;
								}
								goto L89;
							}
							_v164 = _t361;
							_v196 = 0x10;
							_v160 = 0x104;
							_t256 = GetMenuItemInfoW( *(_t376 + 0xc), _a4, 0, ??);
							__eflags = _t256;
							if(_t256 != 0) {
								return _a8;
							}
							_push(_a8);
							 *_t280 = 0;
							goto L28;
						}
						__eflags = _t169 - 0x10;
						if(__eflags != 0) {
							goto L72;
						}
						 *_t280 = 0;
						_t258 = SendMessageW(_t368, 0x110a, 9, 0);
						__eflags = _t258;
						if(_t258 == 0) {
							goto L90;
						}
						__eflags = _a12;
						_v48 = _t258;
						_v52 = 4;
						if(__eflags == 0) {
							_t260 = SendMessageW(_t368, 0x113e, 0,  &_v52);
							__eflags = _t260;
							if(_t260 == 0) {
								goto L90;
							}
							_t170 = _v16;
							goto L89;
						}
						_t281 = E00F70FF6(_t280, 0, __eflags, 0x2000);
						_push( &_v52);
						_push(0);
						_push(0x113e);
						_push(_t368);
						goto L25;
					}
					if(__eflags == 0) {
						_t263 = SendMessageW(_t368, 0x130b, 0, 0);
						__eflags = _a12;
						 *_t280 = _t263;
						if(_a12 == 0) {
							goto L90;
						}
						_v152 = 8;
						SendMessageW(_t368, 0x133c, _t263,  &_v152);
						_t170 = _v128;
						goto L89;
					}
					_t265 = _t169;
					__eflags = _t265;
					if(_t265 == 0) {
						_t280 = SendMessageW(_t368, 0x147, 0, 0);
						__eflags = _t280 - 0xffffffff;
						if(__eflags == 0) {
							goto L72;
						}
						_t267 = SendMessageW(_t368, 0x149, _t280, 0);
						_t348 = 2;
						_t372 = E00F70FF6(_t280,  *0xfdf688, __eflags,  ~(0 | __eflags > 0x00000000) | (_t267 + 0x00000001) * _t348);
						_push(_t372);
						_push(_t280);
						_push(0x148);
						L12:
						SendMessageW(_a8, ??, ??, ??);
						goto L13;
					}
					_t272 = _t265 - 1;
					__eflags = _t272;
					if(_t272 == 0) {
						_t280 = SendMessageW(_t368, 0x188, 0, 0);
						__eflags = _t280 - 0xffffffff;
						if(__eflags == 0) {
							goto L72;
						} else {
							_t274 = SendMessageW(_t368, 0x18a, _t280, 0);
							_t350 = 2;
							_t336 =  ~(__eflags > 0) | (_t274 + 0x00000001) * _t350;
							_t372 = E00F70FF6(_t280,  *0xfdf688,  ~(__eflags > 0) | (_t274 + 0x00000001) * _t350, _t336);
							_push(_t372);
							_push(_t280);
							_push(0x189);
							goto L12;
						}
					}
					__eflags = _t272 - 7;
					if(__eflags != 0) {
						goto L72;
					} else {
						_push(0);
						_push(0);
						_push(0x408);
						goto L88;
					}
				} else {
					 *_a8 =  *_a8 & 0x00000000;
					L90:
					return 0;
				}
			}

0x00fd806d
0x00fd807f
0x00fd8084
0x00fd808a
0x00fd808d
0x00fd808f
0x00fd8092
0x00fd8099
0x00fd809b
0x00fd809e
0x00fd80a1
0x00fd840e
0x00fd8411
0x00fd8735
0x00fd8737
0x00fd8738
0x00fd8739
0x00fd873e
0x00fd873f
0x00fd8745
0x00fd8745
0x00000000
0x00fd8745
0x00fd8417
0x00fd841a
0x00fd8700
0x00fd8709
0x00fd8713
0x00fd8719
0x00fd872a
0x00fd872e
0x00fd8730
0x00000000
0x00fd8730
0x00fd8420
0x00fd8423
0x00fd85a3
0x00fd85b3
0x00fd85bd
0x00fd85c8
0x00fd85cb
0x00fd85d7
0x00fd85ec
0x00fd85f2
0x00fd85f5
0x00fd85f8
0x00000000
0x00000000
0x00fd85fe
0x00fd8602
0x00fd8649
0x00fd8653
0x00fd8655
0x00fd865d
0x00fd865f
0x00fd8668
0x00fd866b
0x00fd8672
0x00fd86c9
0x00fd86c9
0x00fd86cc
0x00fd86d2
0x00fd86d3
0x00fd86d4
0x00fd86d9
0x00fd86dc
0x00fd86df
0x00000000
0x00000000
0x00fd8676
0x00fd867f
0x00fd868c
0x00fd868f
0x00fd8691
0x00fd8238
0x00000000
0x00fd8238
0x00fd869e
0x00fd86a1
0x00fd86a7
0x00fd86ad
0x00fd86b1
0x00fd86be
0x00fd86c0
0x00fd86c6
0x00fd86c7
0x00fd86c7
0x00fd86e1
0x00000000
0x00fd86e1
0x00fd8604
0x00fd8608
0x00000000
0x00000000
0x00fd860d
0x00fd861e
0x00fd8625
0x00fd862b
0x00fd862d
0x00000000
0x00000000
0x00fd863c
0x00fd8641
0x00000000
0x00fd8641
0x00fd8429
0x00fd842c
0x00fd853c
0x00fd8540
0x00fd8599
0x00000000
0x00fd8599
0x00fd8542
0x00fd8547
0x00fd8553
0x00fd856a
0x00fd8579
0x00fd8589
0x00000000
0x00fd858f
0x00fd8432
0x00fd8435
0x00fd8505
0x00fd850a
0x00fd8514
0x00fd8515
0x00fd8515
0x00fd852b
0x00fd8531
0x00fd8125
0x00000000
0x00fd8125
0x00fd843b
0x00fd843e
0x00fd8495
0x00fd8499
0x00fd849a
0x00fd849b
0x00fd84ea
0x00fd84f0
0x00fd84f2
0x00fd84f4
0x00fd84fa
0x00fd84fa
0x00000000
0x00fd84f4
0x00fd84a0
0x00fd84aa
0x00fd84ab
0x00fd84ab
0x00fd84ba
0x00fd84c5
0x00fd84c8
0x00fd84ce
0x00fd84d0
0x00000000
0x00fd84dc
0x00fd84d2
0x00fd84d5
0x00fd8240
0x00fd8240
0x00000000
0x00fd8245
0x00fd8440
0x00fd8443
0x00000000
0x00000000
0x00fd845c
0x00fd845e
0x00fd848c
0x00000000
0x00fd848c
0x00fd846b
0x00fd847e
0x00000000
0x00fd8484
0x00fd80a7
0x00fd8367
0x00fd836a
0x00fd836c
0x00fd8372
0x00fd8376
0x00fd8379
0x00fd8380
0x00fd8387
0x00fd83bb
0x00fd83c1
0x00fd83c3
0x00fd83c9
0x00fd83d1
0x00fd83d4
0x00fd83de
0x00fd83e3
0x00fd83e3
0x00fd83e6
0x00fd83e6
0x00fd83e8
0x00fd83eb
0x00fd83ed
0x00fd83ed
0x00fd83ed
0x00fd83ef
0x00fd83f2
0x00fd83f4
0x00fd83f4
0x00fd83f4
0x00fd83fa
0x00fd83fd
0x00fd8403
0x00fd8403
0x00fd83fd
0x00000000
0x00fd83c3
0x00fd8396
0x00fd839c
0x00fd839d
0x00fd839e
0x00fd83a3
0x00fd821d
0x00fd821d
0x00fd8224
0x00fd8227
0x00fd822e
0x00fd8234
0x00fd8236
0x00fd823f
0x00000000
0x00fd823f
0x00000000
0x00fd8236
0x00fd80ad
0x00fd80b0
0x00fd81b6
0x00fd81b9
0x00fd8356
0x00000000
0x00fd8356
0x00fd81bf
0x00fd81c2
0x00000000
0x00000000
0x00fd81c8
0x00fd81cb
0x00fd8275
0x00fd8277
0x00000000
0x00000000
0x00fd8282
0x00fd8287
0x00fd828b
0x00fd828d
0x00fd8297
0x00fd829a
0x00fd82a4
0x00fd82a5
0x00fd82eb
0x00fd82f8
0x00fd82fe
0x00fd82ff
0x00fd8301
0x00000000
0x00000000
0x00fd8307
0x00fd830d
0x00fd8317
0x00fd831e
0x00fd8323
0x00fd8326
0x00fd832c
0x00fd832e
0x00fd832e
0x00fd832e
0x00fd8333
0x00fd8336
0x00fd833d
0x00fd833d
0x00fd8338
0x00fd8338
0x00fd8338
0x00fd8340
0x00fd8346
0x00fd834c
0x00fd834c
0x00000000
0x00fd8346
0x00fd82a7
0x00fd82b3
0x00fd82c0
0x00fd82ca
0x00fd82d0
0x00fd82d2
0x00000000
0x00fd82de
0x00fd82d4
0x00fd82d7
0x00000000
0x00fd82d7
0x00fd81d1
0x00fd81d4
0x00000000
0x00000000
0x00fd81e5
0x00fd81e7
0x00fd81ed
0x00fd81ef
0x00000000
0x00000000
0x00fd81f5
0x00fd81f9
0x00fd81fc
0x00fd8203
0x00fd8256
0x00fd825c
0x00fd825e
0x00000000
0x00000000
0x00fd8264
0x00000000
0x00fd8264
0x00fd8210
0x00fd8215
0x00fd8216
0x00fd8217
0x00fd821c
0x00000000
0x00fd821c
0x00fd80b6
0x00fd8186
0x00fd8188
0x00fd818c
0x00fd818e
0x00000000
0x00000000
0x00fd819a
0x00fd81ac
0x00fd81ae
0x00000000
0x00fd81ae
0x00fd80bc
0x00fd80bc
0x00fd80be
0x00fd813a
0x00fd813c
0x00fd813f
0x00000000
0x00000000
0x00fd8153
0x00fd815a
0x00fd816b
0x00fd816d
0x00fd816e
0x00fd816f
0x00fd8120
0x00fd8123
0x00000000
0x00fd8123
0x00fd80c0
0x00fd80c0
0x00fd80c1
0x00fd80e6
0x00fd80e8
0x00fd80eb
0x00000000
0x00fd80f1
0x00fd80ff
0x00fd8106
0x00fd810e
0x00fd8117
0x00fd8119
0x00fd811a
0x00fd811b
0x00000000
0x00fd811b
0x00fd80eb
0x00fd80c3
0x00fd80c6
0x00000000
0x00fd80cc
0x00fd80cc
0x00fd80cd
0x00fd80ce
0x00000000
0x00fd80ce
0x00fd806f
0x00fd8072
0x00fd8747
0x00000000
0x00fd8747

APIs

SendMessageW.USER32(?,00000400,00000000,00000000), ref: 00FD873F

Strings

%d/%02d/%02d, xrefs: 00FD8478

Memory Dump Source

Source File: 00000000.00000002.316268130.0000000000F51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.316260119.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316369334.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316375172.0000000000FE0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316438570.0000000001005000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316460548.000000000100F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316503289.0000000001055000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316514363.000000000105C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316525512.000000000106B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316568333.0000000001091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316573795.0000000001094000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_POv5Nk1dlu.jbxd

Similarity

API ID: MessageSend
String ID: %d/%02d/%02d
API String ID: 3850602802-328681919
Opcode ID: ea734ecccc3516be6df56554376a2c8515a8cee5ded747001f008742ceba1efe
Instruction ID: 0696f24dda93cd4ebfb13848d371657ab7fe6dc841e2c3f7585950bc8cd01b9f
Opcode Fuzzy Hash: ea734ecccc3516be6df56554376a2c8515a8cee5ded747001f008742ceba1efe
Instruction Fuzzy Hash: 7C12F671500208ABEB259F38CC49FAE7BB6EF45360F18412AF516DB2E1DF749946EB10

Uniqueness

Uniqueness Score: -1.00%

Function 00F6710E Relevance: 48.8, APIs: 19, Strings: 6, Instructions: 5093COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00F675C2
_memset.LIBCMT ref: 00F676B1
_memmove.LIBCMT ref: 00F67C4B
_memmove.LIBCMT ref: 00F67E4F

Strings

Q\E, xrefs: 00F681C1
\b(?=\w), xrefs: 00FA3C34
DEFINE, xrefs: 00FA25AF
[:<:]], xrefs: 00F675F1
\b(?<=\w), xrefs: 00FA3C41
[:>:]], xrefs: 00F6760A

Memory Dump Source

Source File: 00000000.00000002.316268130.0000000000F51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.316260119.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316369334.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316375172.0000000000FE0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316438570.0000000001005000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316460548.000000000100F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316503289.0000000001055000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316514363.000000000105C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316525512.000000000106B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316568333.0000000001091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316573795.0000000001094000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_POv5Nk1dlu.jbxd

Similarity

API ID: _memmove$_memset
String ID: DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
API String ID: 1357608183-1798697756
Opcode ID: 625c5f9591451bfc500e6f113ab55ee24ff54cde2cf5a201147a02d4df01381c
Instruction ID: b9b40c2ee4eb7e2462f942894512ce2ea3fa08277cb98862022b8b8c5230c31b
Opcode Fuzzy Hash: 625c5f9591451bfc500e6f113ab55ee24ff54cde2cf5a201147a02d4df01381c
Instruction Fuzzy Hash: 1E93A2B1E04215DFDB24CF58C881BADB7B1FF49324F25816AE945AB380E7749E81EB50

Uniqueness

Uniqueness Score: -1.00%

Function 00F54A35 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 00F54A3D
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00F8DA8E
IsIconic.USER32(?), ref: 00F8DA97
ShowWindow.USER32(?,00000009), ref: 00F8DAA4
SetForegroundWindow.USER32(?), ref: 00F8DAAE
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00F8DAC4
GetCurrentThreadId.KERNEL32 ref: 00F8DACB
GetWindowThreadProcessId.USER32(?,00000000), ref: 00F8DAD7
AttachThreadInput.USER32(?,00000000,00000001), ref: 00F8DAE8
AttachThreadInput.USER32(?,00000000,00000001), ref: 00F8DAF0
AttachThreadInput.USER32(00000000,?,00000001), ref: 00F8DAF8
SetForegroundWindow.USER32(?), ref: 00F8DAFB
MapVirtualKeyW.USER32(00000012,00000000), ref: 00F8DB10
keybd_event.USER32 ref: 00F8DB1B
MapVirtualKeyW.USER32(00000012,00000000), ref: 00F8DB25
keybd_event.USER32 ref: 00F8DB2A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00F8DB33
keybd_event.USER32 ref: 00F8DB38
MapVirtualKeyW.USER32(00000012,00000000), ref: 00F8DB42
keybd_event.USER32 ref: 00F8DB47
SetForegroundWindow.USER32(?), ref: 00F8DB4A
AttachThreadInput.USER32(?,?,00000000), ref: 00F8DB71

Strings

Shell_TrayWnd, xrefs: 00F8DA89

Memory Dump Source

Source File: 00000000.00000002.316268130.0000000000F51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.316260119.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316369334.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316375172.0000000000FE0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316438570.0000000001005000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316460548.000000000100F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316503289.0000000001055000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316514363.000000000105C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316525512.000000000106B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316568333.0000000001091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316573795.0000000001094000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_POv5Nk1dlu.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 375c1ab4432114a002c3c58de36754033fc9a4c06b0d0d1c78d971dde97a9ae9
Instruction ID: ecb063d2b482f2aa64ef049a9d0f88b06b563572d9b29c150a37967bb3df8199
Opcode Fuzzy Hash: 375c1ab4432114a002c3c58de36754033fc9a4c06b0d0d1c78d971dde97a9ae9
Instruction Fuzzy Hash: 0F314171A4131CBAEB216F719C49FBE3F6DEF44B60F154066FA05AB1D1C6B05901BBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00FDC8EE Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 181windowfilenativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00F52612: GetWindowLongW.USER32(?,000000EB), ref: 00F52623

DragQueryPoint.SHELL32(?,?), ref: 00FDC917

Part of subcall function 00FDADF1: ClientToScreen.USER32(?,?), ref: 00FDAE1A
Part of subcall function 00FDADF1: GetWindowRect.USER32 ref: 00FDAE90
Part of subcall function 00FDADF1: PtInRect.USER32(?,?,00FDC304), ref: 00FDAEA0

SendMessageW.USER32(?,000000B0,?,?), ref: 00FDC980
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00FDC98B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00FDC9AE
_wcscat.LIBCMT ref: 00FDC9DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00FDC9F5
SendMessageW.USER32(?,000000B0,?,?), ref: 00FDCA0E
SendMessageW.USER32(?,000000B1,?,?), ref: 00FDCA25
SendMessageW.USER32(?,000000B1,?,?), ref: 00FDCA47
DragFinish.SHELL32(?), ref: 00FDCA4E
NtdllDialogWndProc_W.USER32(?,00000233,?,00000000,?,?,?), ref: 00FDCB41

Strings

@GUI_DROPID, xrefs: 00FDCA6E
@GUI_DRAGFILE, xrefs: 00FDCAF0
@GUI_DRAGID, xrefs: 00FDCAB9

Memory Dump Source

Source File: 00000000.00000002.316268130.0000000000F51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.316260119.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316369334.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316375172.0000000000FE0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316438570.0000000001005000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316460548.000000000100F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316503289.0000000001055000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316514363.000000000105C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316525512.000000000106B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316568333.0000000001091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316573795.0000000001094000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_POv5Nk1dlu.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientDialogFinishLongNtdllPointProc_Screen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 2166380349-3440237614
Opcode ID: 55a42eb756c5066d4dbfa7efe19e3752da3c36caf8b9cccc643b97d6afad9927
Instruction ID: 584f128c7ca77c29bd0ee0c1ac46144e4ca0afbf4080dc37430e70b9344698ca
Opcode Fuzzy Hash: 55a42eb756c5066d4dbfa7efe19e3752da3c36caf8b9cccc643b97d6afad9927
Instruction Fuzzy Hash: AB619D71508301AFC701EF60CC85D9FBBE9EF89710F040A1EF692972A1DB749A09DB92

Uniqueness

Uniqueness Score: -1.00%

Function 00FDC49C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windownativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00F52612: GetWindowLongW.USER32(?,000000EB), ref: 00F52623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00FDC4EC
GetFocus.USER32 ref: 00FDC4FC
GetDlgCtrlID.USER32 ref: 00FDC507
_memset.LIBCMT ref: 00FDC632
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00FDC65D
GetMenuItemCount.USER32 ref: 00FDC67D
GetMenuItemID.USER32(?,00000000), ref: 00FDC690
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00FDC6C4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00FDC70C
CheckMenuRadioItem.USER32 ref: 00FDC744
NtdllDialogWndProc_W.USER32(?,00000111,?,?,?,?,?,?,?), ref: 00FDC779

Strings

0, xrefs: 00FDC62A

Memory Dump Source

Source File: 00000000.00000002.316268130.0000000000F51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.316260119.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316369334.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316375172.0000000000FE0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316438570.0000000001005000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316460548.000000000100F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316503289.0000000001055000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316514363.000000000105C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316525512.000000000106B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316568333.0000000001091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316573795.0000000001094000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_POv5Nk1dlu.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlDialogFocusLongMessageNtdllPostProc_RadioWindow_memset
String ID: 0
API String ID: 3616455698-4108050209
Opcode ID: 557fe5c4f46c2e4a68e1ede5af34ac949a9fdbcc493d2bc9ea33684c7edd16c8
Instruction ID: 591d1fa12c095ec945238c261535f4d6728ba828ca6a6a65e2a0a6440463c5ba
Opcode Fuzzy Hash: 557fe5c4f46c2e4a68e1ede5af34ac949a9fdbcc493d2bc9ea33684c7edd16c8
Instruction Fuzzy Hash: DA818D715083069FD710CF24D884A6BBBEAFF88324F08452EF99597391D771D905EB92

Uniqueness

Uniqueness Score: -1.00%

Function 00F66843 Relevance: 19.6, Strings: 15, Instructions: 883COMMON

Download Yara Rule

Strings

ANYCRLF), xrefs: 00FA1734
UTF), xrefs: 00FA1533
BSR_UNICODE), xrefs: 00FA1771
CR), xrefs: 00FA16C0
LIMIT_MATCH=, xrefs: 00FA15A9
NO_START_OPT), xrefs: 00FA1588
NO_AUTO_POSSESS), xrefs: 00FA1567
LIMIT_RECURSION=, xrefs: 00FA1635
BSR_ANYCRLF), xrefs: 00FA1757
CRLF), xrefs: 00FA16FA
UCP), xrefs: 00FA1546
ANY), xrefs: 00FA1717
rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr, xrefs: 00FA1782
UTF16), xrefs: 00FA1508
LF), xrefs: 00FA16DD

Memory Dump Source

Source File: 00000000.00000002.316268130.0000000000F51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.316260119.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316369334.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316375172.0000000000FE0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316438570.0000000001005000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316460548.000000000100F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316503289.0000000001055000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316514363.000000000105C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316525512.000000000106B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316568333.0000000001091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316573795.0000000001094000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_POv5Nk1dlu.jbxd

Similarity

API ID:
String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
API String ID: 0-4138394922
Opcode ID: 8c7f1946a648e5874292319de3cb8b9fc42c19ef28c67c4b33312d35b696d8a7
Instruction ID: 1f53a5c16264b661fbc6af84de6c0d19e44b3e999d8e267e0683a7cad75aafa4
Opcode Fuzzy Hash: 8c7f1946a648e5874292319de3cb8b9fc42c19ef28c67c4b33312d35b696d8a7
Instruction Fuzzy Hash: 327261B5E002199BDF24CF58C8807AEB7B5FF49720F15816AE845EB390EB749D41EB90

Uniqueness

Uniqueness Score: -1.00%

Function 00FDC27C Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149nativewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F52612: GetWindowLongW.USER32(?,000000EB), ref: 00F52623

Part of subcall function 00F52344: GetCursorPos.USER32(?,?,010167B0,?,010167B0,010167B0,?,00FDC247,00000000,00000001,?,?,?,00F8BC4F,?,?), ref: 00F52357
Part of subcall function 00F52344: ScreenToClient.USER32 ref: 00F52374
Part of subcall function 00F52344: GetAsyncKeyState.USER32(00000001), ref: 00F52399
Part of subcall function 00F52344: GetAsyncKeyState.USER32(00000002), ref: 00F523A7

6F83B200.COMCTL32(00000000,00000000,00000001,?,?), ref: 00FDC2E4
6F83B5E0.COMCTL32 ref: 00FDC2EA
ReleaseCapture.USER32 ref: 00FDC2F0
SetWindowTextW.USER32(?,00000000), ref: 00FDC39A
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00FDC3AD
NtdllDialogWndProc_W.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 00FDC48F

Strings

@GUI_DROPID, xrefs: 00FDC3E1
@GUI_DRAGFILE, xrefs: 00FDC424

Memory Dump Source

Source File: 00000000.00000002.316268130.0000000000F51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.316260119.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316369334.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316375172.0000000000FE0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316438570.0000000001005000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316460548.000000000100F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316503289.0000000001055000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316514363.000000000105C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316525512.000000000106B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316568333.0000000001091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316573795.0000000001094000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_POv5Nk1dlu.jbxd

Similarity

API ID: AsyncStateWindow$B200CaptureClientCursorDialogLongMessageNtdllProc_ReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 2232639836-2107944366
Opcode ID: f00c11fe4da4aef0b827020f065e7320cf1284909540f7a4c1118ce5520f4cf5
Instruction ID: 675c519a55876caaf5baa56e1e85abe50fdff51734349904089b484362051ca5
Opcode Fuzzy Hash: f00c11fe4da4aef0b827020f065e7320cf1284909540f7a4c1118ce5520f4cf5
Instruction Fuzzy Hash: E451CF70604305AFD714EF24CC55F6A3BE2FB88310F04461EF9928B2E1CB799949EB92

Uniqueness

Uniqueness Score: -1.00%

Function 00FDD74C Relevance: 12.3, APIs: 8, Instructions: 257windownativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00F52612: GetWindowLongW.USER32(?,000000EB), ref: 00F52623

GetSystemMetrics.USER32 ref: 00FDD78A
GetSystemMetrics.USER32 ref: 00FDD7AA
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00FDD9E5
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00FDDA03
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00FDDA24
ShowWindow.USER32(00000003,00000000), ref: 00FDDA43
InvalidateRect.USER32(?,00000000,00000001), ref: 00FDDA68
NtdllDialogWndProc_W.USER32(?,00000005,?,?), ref: 00FDDA8B

Memory Dump Source

Source File: 00000000.00000002.316268130.0000000000F51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.316260119.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316369334.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316375172.0000000000FE0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316438570.0000000001005000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316460548.000000000100F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316503289.0000000001055000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316514363.000000000105C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316525512.000000000106B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316568333.0000000001091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316573795.0000000001094000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_POv5Nk1dlu.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$DialogInvalidateLongMoveNtdllProc_RectShow
String ID:
API String ID: 830902736-0
Opcode ID: 6551a24e3beb46f7dfee2c2bdfecdc517c1c7cb20f49910357563ba01a9da392
Instruction ID: 261575f35f6dd1f149030a6420fa46566391b3359fb6e7163406fb602019a518
Opcode Fuzzy Hash: 6551a24e3beb46f7dfee2c2bdfecdc517c1c7cb20f49910357563ba01a9da392
Instruction Fuzzy Hash: 79B1BA71A00219EFDF14CF68C985BBD7BB2BF04710F08C06AEC489B295D735A950EB50

Uniqueness

Uniqueness Score: -1.00%

Function 00F52344 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?,?,010167B0,?,010167B0,010167B0,?,00FDC247,00000000,00000001,?,?,?,00F8BC4F,?,?), ref: 00F52357
ScreenToClient.USER32 ref: 00F52374
GetAsyncKeyState.USER32(00000001), ref: 00F52399
GetAsyncKeyState.USER32(00000002), ref: 00F523A7

Strings

rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr, xrefs: 00F8C249

Memory Dump Source

Source File: 00000000.00000002.316268130.0000000000F51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.316260119.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316369334.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316375172.0000000000FE0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316438570.0000000001005000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316460548.000000000100F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316503289.0000000001055000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316514363.000000000105C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316525512.000000000106B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316568333.0000000001091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316573795.0000000001094000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_POv5Nk1dlu.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID: rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
API String ID: 4210589936-2575693504
Opcode ID: a11c817441ef55dafe157682e7e42a3ea92aab88da5eb4789788e3dcfa891f40
Instruction ID: 843797cc258630cdd7a5879e93be4fa82092fdfe58c5c3630b10b79142667293
Opcode Fuzzy Hash: a11c817441ef55dafe157682e7e42a3ea92aab88da5eb4789788e3dcfa891f40
Instruction Fuzzy Hash: B0418E31904119FBDF559FA8CC44AEDBB75FB06321F20436AF92992290C7349958EFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F51287 Relevance: 7.9, APIs: 5, Instructions: 379nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00F52612: GetWindowLongW.USER32(?,000000EB), ref: 00F52623

NtdllDialogWndProc_W.USER32(?,?,?,?,?), ref: 00F519FA
GetSysColor.USER32(0000000F), ref: 00F51A4E
SetBkColor.GDI32(?,00000000), ref: 00F51A61

Part of subcall function 00F51290: NtdllDialogWndProc_W.USER32(?,00000020,?), ref: 00F512D8

Memory Dump Source

Source File: 00000000.00000002.316268130.0000000000F51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.316260119.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316369334.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316375172.0000000000FE0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316438570.0000000001005000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316460548.000000000100F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316503289.0000000001055000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316514363.000000000105C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316525512.000000000106B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316568333.0000000001091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316573795.0000000001094000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_POv5Nk1dlu.jbxd

Similarity

API ID: ColorDialogNtdllProc_$LongWindow
String ID:
API String ID: 591255283-0
Opcode ID: 5eb8c6547491865a2c0094c829786c4766b60304bca0038441a74ad5a7de634b
Instruction ID: c2d9ba33b662bba5872edd3bababfd67fb9d8a25a688e9700744c610f3598ed8
Opcode Fuzzy Hash: 5eb8c6547491865a2c0094c829786c4766b60304bca0038441a74ad5a7de634b
Instruction Fuzzy Hash: C9A15E76505586BAD635BA284C44FBF3A5DFB82363B14020AFE02D6185DA1DAD09F3B1

Uniqueness

Uniqueness Score: -1.00%

Function 00F54D61 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00F54D2E,?,00F54F4F,?,010162F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00F54D6F
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00F54D81

Strings

kernel32.dll, xrefs: 00F54D6A
Wow64DisableWow64FsRedirection, xrefs: 00F54D7B

Memory Dump Source

Source File: 00000000.00000002.316268130.0000000000F51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.316260119.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316369334.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316375172.0000000000FE0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316438570.0000000001005000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316460548.000000000100F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316503289.0000000001055000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316514363.000000000105C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316525512.000000000106B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316568333.0000000001091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316573795.0000000001094000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_POv5Nk1dlu.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 02f7237a41b90ba0cf118f249bfb816cdac0fbfdef96406335901ef4ad763143
Instruction ID: 44e9ec48e89e77a65d06518d55c4640d189bafe0a893e50fb10d6853c768bf9e
Opcode Fuzzy Hash: 02f7237a41b90ba0cf118f249bfb816cdac0fbfdef96406335901ef4ad763143
Instruction Fuzzy Hash: F6D0E232910713CFD7209F31D808A1676E9AF1526AB16893BA897D6250E678E888AA50

Uniqueness

Uniqueness Score: -1.00%

Function 00FB3E91 Relevance: 6.1, APIs: 4, Instructions: 85processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00FB3EB6
Process32FirstW.KERNEL32(00000000,?), ref: 00FB3EC4
Process32NextW.KERNEL32(00000000,?), ref: 00FB3EE4
CloseHandle.KERNEL32(00000000), ref: 00FB3F8E

Memory Dump Source

Source File: 00000000.00000002.316268130.0000000000F51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.316260119.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316369334.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316375172.0000000000FE0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316438570.0000000001005000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316460548.000000000100F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316503289.0000000001055000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316514363.000000000105C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316525512.000000000106B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316568333.0000000001091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316573795.0000000001094000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_POv5Nk1dlu.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: cb5cadf6f6dd4e06f96b43cc0c87dab02e55fb6d8cb6d7fbc8cd3191e1e169f5
Instruction ID: a11bae1c2c8353bdafbfa7fb99c2aeb32e9512a8de078ad970cf3270de663f7c
Opcode Fuzzy Hash: cb5cadf6f6dd4e06f96b43cc0c87dab02e55fb6d8cb6d7fbc8cd3191e1e169f5
Instruction Fuzzy Hash: DC318F315083059FC304EF65DC85AAFBBF8AF95750F14052DF982821A1EB74AA4CEB92

Uniqueness

Uniqueness Score: -1.00%

Function 00FDC788 Relevance: 6.1, APIs: 4, Instructions: 83nativewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F52612: GetWindowLongW.USER32(?,000000EB), ref: 00F52623

GetCursorPos.USER32(?,?,?,?,?,?,?,?,00F8BBFB,?,?,?,?,?), ref: 00FDC7C2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00F8BBFB,?,?,?,?,?), ref: 00FDC7D7
GetCursorPos.USER32(?,?,?,?,?,?,?,?,?,00F8BBFB,?,?,?,?,?), ref: 00FDC824
NtdllDialogWndProc_W.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00F8BBFB,?,?,?), ref: 00FDC85E

Memory Dump Source

Source File: 00000000.00000002.316268130.0000000000F51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.316260119.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316369334.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316375172.0000000000FE0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316438570.0000000001005000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316460548.000000000100F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316503289.0000000001055000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316514363.000000000105C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316525512.000000000106B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316568333.0000000001091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316573795.0000000001094000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_POv5Nk1dlu.jbxd

Similarity

API ID: Cursor$DialogLongMenuNtdllPopupProc_TrackWindow
String ID:
API String ID: 1423138444-0
Opcode ID: 8a9af8391b794a4cacc62eb6705dc9423b4781b32bd4770ae84434a7b7c8bcfb
Instruction ID: d7fc210b0351a93a7feb79312268855b27ebd9448343f5b647dc4e772d2ac980
Opcode Fuzzy Hash: 8a9af8391b794a4cacc62eb6705dc9423b4781b32bd4770ae84434a7b7c8bcfb
Instruction Fuzzy Hash: 6C319635600018AFCB15CF98DC98EEA7BB7EB49320F48416AF94687261C7355D51FFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00F51290 Relevance: 6.1, APIs: 4, Instructions: 59nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00F52612: GetWindowLongW.USER32(?,000000EB), ref: 00F52623

NtdllDialogWndProc_W.USER32(?,00000020,?), ref: 00F512D8
GetClientRect.USER32 ref: 00F8B84B
GetCursorPos.USER32(?), ref: 00F8B855
ScreenToClient.USER32 ref: 00F8B860

Memory Dump Source

Source File: 00000000.00000002.316268130.0000000000F51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.316260119.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316369334.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316375172.0000000000FE0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316438570.0000000001005000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316460548.000000000100F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316503289.0000000001055000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316514363.000000000105C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316525512.000000000106B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316568333.0000000001091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316573795.0000000001094000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_POv5Nk1dlu.jbxd

Similarity

API ID: Client$CursorDialogLongNtdllProc_RectScreenWindow
String ID:
API String ID: 1010295502-0
Opcode ID: 381a186c72be9f941515e138dc0162264ade27448f4595d0505fb2ee6ce1e9ee
Instruction ID: d999e0e80f21be392ef70eb6c232c07f717d578b782119b5b2d89fd102c72ea5
Opcode Fuzzy Hash: 381a186c72be9f941515e138dc0162264ade27448f4595d0505fb2ee6ce1e9ee
Instruction Fuzzy Hash: A5111935901019BBCB10EFA4D885AAE77B9FB05301F004556EA41E7140C734BA5AEBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00FDCC2E Relevance: 4.5, APIs: 3, Instructions: 33nativeCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00FDCC51
6F83B270.COMCTL32(?,?,?,00F8BC66,?,?,?,?,?), ref: 00FDCC5D
NtdllDialogWndProc_W.USER32(?,00000200,?,?,?,?,?,?,?,00F8BC66,?,?,?,?,?), ref: 00FDCC7A

Memory Dump Source

Source File: 00000000.00000002.316268130.0000000000F51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.316260119.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316369334.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316375172.0000000000FE0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316438570.0000000001005000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316460548.000000000100F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316503289.0000000001055000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316514363.000000000105C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316525512.000000000106B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316568333.0000000001091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316573795.0000000001094000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_POv5Nk1dlu.jbxd

Similarity

API ID: B270ClientDialogNtdllProc_Screen
String ID:
API String ID: 2667593787-0
Opcode ID: cbe245ecd56c24615e4298e9992bffade70a692f67d93a6a2b05f5f4bec09a24
Instruction ID: d3cc9a76da1432f04aa96ccbab30450867fb6d843dcf090539f3d2c1c58ac4b6
Opcode Fuzzy Hash: cbe245ecd56c24615e4298e9992bffade70a692f67d93a6a2b05f5f4bec09a24
Instruction Fuzzy Hash: 3FF0307241011CFFDF058F55DC09DAE7BB9FB48311F04415AF94652161D3726A54EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00F516DE Relevance: 3.1, APIs: 2, Instructions: 83nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00F52612: GetWindowLongW.USER32(?,000000EB), ref: 00F52623

Part of subcall function 00F525DB: GetWindowLongW.USER32(?,000000EB), ref: 00F525EC

GetParent.USER32(?), ref: 00F8BA0A
NtdllDialogWndProc_W.USER32(?,00000133,?,?,?,?,?,?,?,?,00F519B3,?,?,?,00000006,?), ref: 00F8BA84

Memory Dump Source

Source File: 00000000.00000002.316268130.0000000000F51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.316260119.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316369334.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316375172.0000000000FE0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316438570.0000000001005000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316460548.000000000100F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316503289.0000000001055000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316514363.000000000105C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316525512.000000000106B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316568333.0000000001091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316573795.0000000001094000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_POv5Nk1dlu.jbxd

Similarity

API ID: LongWindow$DialogNtdllParentProc_
String ID:
API String ID: 314495775-0
Opcode ID: a8f42308bfb644b94e5122349177f1296f6cde9110e7c02e079681198691ece6
Instruction ID: 6c18f7641ee06e4dea3a161df31225bef228685b244f854ee01d3e1572ea47ab
Opcode Fuzzy Hash: a8f42308bfb644b94e5122349177f1296f6cde9110e7c02e079681198691ece6
Instruction Fuzzy Hash: 07219134A01104AFCB249B2CDC84EA93BA6BB0A331F184254FE655B2A1D775AE15FB50

Uniqueness

Uniqueness Score: -1.00%

Function 00FDC86D Relevance: 3.0, APIs: 2, Instructions: 46nativewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F52612: GetWindowLongW.USER32(?,000000EB), ref: 00F52623

NtdllDialogWndProc_W.USER32(?,0000002B,?,?,?,?,?,?,?,00F8BB8A,?,?,?), ref: 00FDC8E1

Part of subcall function 00F525DB: GetWindowLongW.USER32(?,000000EB), ref: 00F525EC

SendMessageW.USER32(?,00000401,00000000,00000000), ref: 00FDC8C7

Memory Dump Source

Source File: 00000000.00000002.316268130.0000000000F51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.316260119.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316369334.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316375172.0000000000FE0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316438570.0000000001005000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316460548.000000000100F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316503289.0000000001055000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316514363.000000000105C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316525512.000000000106B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316568333.0000000001091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316573795.0000000001094000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_POv5Nk1dlu.jbxd

Similarity

API ID: LongWindow$DialogMessageNtdllProc_Send
String ID:
API String ID: 1273190321-0
Opcode ID: d6a3837a2239988ef9adca53d314c7bbb3f0910af3d8f8ad96f9a3d0df5fbc18
Instruction ID: f67f9fbee0f050db43ed18b7606db23a94ea3a94f62a4355df49993379b33914
Opcode Fuzzy Hash: d6a3837a2239988ef9adca53d314c7bbb3f0910af3d8f8ad96f9a3d0df5fbc18
Instruction Fuzzy Hash: 6601B131201204ABCB215F14DC44F6A3BA7FB89320F18012AF9520B3E0CB77A806FB91

Uniqueness

Uniqueness Score: -1.00%

Function 00FBA2D5 Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00FC977D,?,00FDFB84,?), ref: 00FBA302
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00FC977D,?,00FDFB84,?), ref: 00FBA314

Memory Dump Source

Source File: 00000000.00000002.316268130.0000000000F51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.316260119.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316369334.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316375172.0000000000FE0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316438570.0000000001005000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316460548.000000000100F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316503289.0000000001055000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316514363.000000000105C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316525512.000000000106B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316568333.0000000001091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316573795.0000000001094000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_POv5Nk1dlu.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 1d6737e43d5305bd8a9d778690d09f026e46ba679db2501edc90fa81f3da0f11
Instruction ID: c1793e2a0421b1294beb968e07075c0241afbdab43b38e36452cb7ac954a8508
Opcode Fuzzy Hash: 1d6737e43d5305bd8a9d778690d09f026e46ba679db2501edc90fa81f3da0f11
Instruction Fuzzy Hash: 34F0E23150522DABDB20AFA4CC48FEA73AEBF08361F004266B909D2180D6309904DBE1

Uniqueness

Uniqueness Score: -1.00%

Function 00FDCD6C Relevance: 3.0, APIs: 2, Instructions: 23nativeCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00FDCD74
NtdllDialogWndProc_W.USER32(?,00000084,00000000,?,?,00F8BBE5,?,?,?,?), ref: 00FDCDA2

Memory Dump Source

Source File: 00000000.00000002.316268130.0000000000F51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.316260119.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316369334.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316375172.0000000000FE0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316438570.0000000001005000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316460548.000000000100F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316503289.0000000001055000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316514363.000000000105C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316525512.000000000106B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316568333.0000000001091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316573795.0000000001094000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_POv5Nk1dlu.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: 43520b8035c3d99835a3c8141f431f26fe037b268a1370efd519d64cccc3bc87
Instruction ID: b5a205ed05fe43dd786206fc3f6ab155d3d652515457f644a1c5bcc0575cc3e7
Opcode Fuzzy Hash: 43520b8035c3d99835a3c8141f431f26fe037b268a1370efd519d64cccc3bc87
Instruction Fuzzy Hash: E9E08670100259BFEB155F29DC09FBA3B56EB04760F508226F957DA2E1C770D850E760

Uniqueness

Uniqueness Score: -1.00%

Function 00F7A395 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00F78F97,?,?,?,00000001), ref: 00F7A39A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00F7A3A3

Memory Dump Source

Source File: 00000000.00000002.316268130.0000000000F51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.316260119.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316369334.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316375172.0000000000FE0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316438570.0000000001005000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316460548.000000000100F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316503289.0000000001055000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316514363.000000000105C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316525512.000000000106B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316568333.0000000001091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316573795.0000000001094000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_POv5Nk1dlu.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: e4c236976a73036ea2fa7fd9c35f9f6f6086068a17334d1ef7e281bfe733e23c
Instruction ID: 95c28c70508bbd9b1bfd29cb6cf8a523057104d1d82fb60620d76c13044cb355
Opcode Fuzzy Hash: e4c236976a73036ea2fa7fd9c35f9f6f6086068a17334d1ef7e281bfe733e23c
Instruction Fuzzy Hash: 25B0923105520CABCA002BA5EC09F883F6AEB44AA2F418022F60E84060CB625454AA91

Uniqueness

Uniqueness Score: -1.00%

Function 00FDDA9A Relevance: 1.6, APIs: 1, Instructions: 66nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00F52612: GetWindowLongW.USER32(?,000000EB), ref: 00F52623

NtdllDialogWndProc_W.USER32(?,00000112,?,00000000), ref: 00FDDB46

Memory Dump Source

Source File: 00000000.00000002.316268130.0000000000F51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.316260119.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316369334.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316375172.0000000000FE0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316438570.0000000001005000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316460548.000000000100F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316503289.0000000001055000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316514363.000000000105C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316525512.000000000106B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316568333.0000000001091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316573795.0000000001094000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_POv5Nk1dlu.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: 92f94ced6b02465989f9999df8b8de3ad77ab530585377d2735fa5886b8c3d11
Instruction ID: 9352862c4222f4d0800a10826a1c96a37cdfee195dcac10e9e9933665be0eea7
Opcode Fuzzy Hash: 92f94ced6b02465989f9999df8b8de3ad77ab530585377d2735fa5886b8c3d11
Instruction Fuzzy Hash: DA11E772204125BAEB249E2CCC05F7A3B16E786B34F288317F9519B3D2CBA99D00B355

Uniqueness

Uniqueness Score: -1.00%

Function 00FDD6C6 Relevance: 1.5, APIs: 1, Instructions: 47nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00F525DB: GetWindowLongW.USER32(?,000000EB), ref: 00F525EC

NtdllDialogWndProc_W.USER32(?,00000115,?,?,?,?,?,?,00F8BBA2,?,?,?,?,00000000,?), ref: 00FDD740

Memory Dump Source

Source File: 00000000.00000002.316268130.0000000000F51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.316260119.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316369334.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316375172.0000000000FE0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316438570.0000000001005000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316460548.000000000100F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316503289.0000000001055000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316514363.000000000105C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316525512.000000000106B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316568333.0000000001091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316573795.0000000001094000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_POv5Nk1dlu.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: 8fa4006e01fafa1d5f468ddfec3240dbe71517ef1c1b1a067e320eb0c02dfef1
Instruction ID: c296401ee965e4bf095807a041714ddf7a41b701986dbfa9446c731cfa5781aa
Opcode Fuzzy Hash: 8fa4006e01fafa1d5f468ddfec3240dbe71517ef1c1b1a067e320eb0c02dfef1
Instruction Fuzzy Hash: 2001B536A00118ABDB149F29D885AF93BA7EB45335F0C4297F9565B291C335AC21F7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00FDC220 Relevance: 1.5, APIs: 1, Instructions: 31nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00F52612: GetWindowLongW.USER32(?,000000EB), ref: 00F52623

Part of subcall function 00F52344: GetCursorPos.USER32(?,?,010167B0,?,010167B0,010167B0,?,00FDC247,00000000,00000001,?,?,?,00F8BC4F,?,?), ref: 00F52357
Part of subcall function 00F52344: ScreenToClient.USER32 ref: 00F52374
Part of subcall function 00F52344: GetAsyncKeyState.USER32(00000001), ref: 00F52399
Part of subcall function 00F52344: GetAsyncKeyState.USER32(00000002), ref: 00F523A7

NtdllDialogWndProc_W.USER32(?,00000204,?,?,00000001,?,?,?,00F8BC4F,?,?,?,?,?,00000001,?), ref: 00FDC272

Memory Dump Source

Source File: 00000000.00000002.316268130.0000000000F51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.316260119.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316369334.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316375172.0000000000FE0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316438570.0000000001005000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316460548.000000000100F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316503289.0000000001055000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316514363.000000000105C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316525512.000000000106B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316568333.0000000001091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316573795.0000000001094000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_POv5Nk1dlu.jbxd

Similarity

API ID: AsyncState$ClientCursorDialogLongNtdllProc_ScreenWindow
String ID:
API String ID: 2356834413-0
Opcode ID: ba31fb83045ad04751f98412d528e3cdefb92f60eb565664c93ae690c7a532bd
Instruction ID: bc74013207b53a2355d3c6d567f16cb7ac2da9863d829749f0ea4f6ca9f04a2a
Opcode Fuzzy Hash: ba31fb83045ad04751f98412d528e3cdefb92f60eb565664c93ae690c7a532bd
Instruction Fuzzy Hash: 72F08230200229AFDF14AF49DC09EAA3B92FB05751F004015FD865B291CB7AA965EBE0

Uniqueness

Uniqueness Score: -1.00%

Function 00F5189B Relevance: 1.5, APIs: 1, Instructions: 29nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00F52612: GetWindowLongW.USER32(?,000000EB), ref: 00F52623

NtdllDialogWndProc_W.USER32(?,00000006,00000000,?,?,?,00F51B04,?,?,?,?,?), ref: 00F518E2

Memory Dump Source

Source File: 00000000.00000002.316268130.0000000000F51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.316260119.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316369334.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316375172.0000000000FE0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316438570.0000000001005000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316460548.000000000100F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316503289.0000000001055000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316514363.000000000105C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316525512.000000000106B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316568333.0000000001091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316573795.0000000001094000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_POv5Nk1dlu.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: 63f1d157be926f7dbd7c43cf92cccfeb7f3043f4ab93782d33475bfd9b2502a0
Instruction ID: b5bd40b050188fdd6ad8268b6a029cdafe26ba57cf7d4d205d3de867135a7b90
Opcode Fuzzy Hash: 63f1d157be926f7dbd7c43cf92cccfeb7f3043f4ab93782d33475bfd9b2502a0
Instruction Fuzzy Hash: 8CF05E346002199FDB28DF54D850A6637A2FB44362F104629FE924B2A1DB7AED54EB50

Uniqueness

Uniqueness Score: -1.00%

Function 00FDCBAE Relevance: 1.5, APIs: 1, Instructions: 24nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.USER32(?,00000232,?,?), ref: 00FDCBEE

Memory Dump Source

Source File: 00000000.00000002.316268130.0000000000F51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.316260119.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316369334.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316375172.0000000000FE0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316438570.0000000001005000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316460548.000000000100F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316503289.0000000001055000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316514363.000000000105C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316525512.000000000106B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316568333.0000000001091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316573795.0000000001094000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_POv5Nk1dlu.jbxd

Similarity

API ID: DialogNtdllProc_
String ID:
API String ID: 3239928679-0
Opcode ID: 58f7efc0e47b7d6d94df79ff335053bbbc89fe5898fb85bf9488ecc6aa5635da
Instruction ID: 3884b4cf7af94b0a12187f5f742d0420a50daaaaaeb29d8bcf825ace9a735cc7
Opcode Fuzzy Hash: 58f7efc0e47b7d6d94df79ff335053bbbc89fe5898fb85bf9488ecc6aa5635da
Instruction Fuzzy Hash: 65F09231640259BFDB21DF58DC05FC63B96EB0A720F08400AFA52673E1CBB57920EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00F5167D Relevance: 1.5, APIs: 1, Instructions: 18nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00F52612: GetWindowLongW.USER32(?,000000EB), ref: 00F52623

NtdllDialogWndProc_W.USER32(?,00000007,?,00000000,00000000,?,?,?,00F51AEE,?,?,?), ref: 00F516AB

Memory Dump Source

Source File: 00000000.00000002.316268130.0000000000F51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.316260119.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316369334.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316375172.0000000000FE0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316438570.0000000001005000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316460548.000000000100F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316503289.0000000001055000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316514363.000000000105C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316525512.000000000106B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316568333.0000000001091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316573795.0000000001094000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_POv5Nk1dlu.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: 41c208eb7b47d5df1b6cd0fbc7645706fa58213887bf027248a6f30049b16bac
Instruction ID: 066d53ab9c70ab48f75381c13b856ec0a631e9366e66690fb380e19028a7e5e5
Opcode Fuzzy Hash: 41c208eb7b47d5df1b6cd0fbc7645706fa58213887bf027248a6f30049b16bac
Instruction Fuzzy Hash: CDE0EC35200208BBCF55AF90DC11E643B26FB49311F108418FA850A2A1CB7BA526EB50

Uniqueness

Uniqueness Score: -1.00%

Function 00FDCBF9 Relevance: 1.5, APIs: 1, Instructions: 18nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.USER32(?,00000053,?,?,?,00F8BC0C,?,?,?,?,?,?), ref: 00FDCC24

Part of subcall function 00FDB8EF: _memset.LIBCMT ref: 00FDB8FE
Part of subcall function 00FDB8EF: _memset.LIBCMT ref: 00FDB90D
Part of subcall function 00FDB8EF: CreateProcessW.KERNEL32 ref: 00FDB93C
Part of subcall function 00FDB8EF: CloseHandle.KERNEL32 ref: 00FDB94E

Memory Dump Source

Source File: 00000000.00000002.316268130.0000000000F51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.316260119.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316369334.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316375172.0000000000FE0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316438570.0000000001005000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316460548.000000000100F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316503289.0000000001055000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316514363.000000000105C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316525512.000000000106B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316568333.0000000001091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316573795.0000000001094000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_POv5Nk1dlu.jbxd

Similarity

API ID: _memset$CloseCreateDialogHandleNtdllProc_Process
String ID:
API String ID: 2364484715-0
Opcode ID: 0901763410696abba0b65760bd344d0baec79cb72c652e4db3f019ad66ce602f
Instruction ID: 3175e55ba8b0abaae93cbb4cfee7a393b9733f98c60dbc98a8f8492f4c22b0d8
Opcode Fuzzy Hash: 0901763410696abba0b65760bd344d0baec79cb72c652e4db3f019ad66ce602f
Instruction Fuzzy Hash: ACE04632210209EFCB01AF04ED00E8537A6FB0C310F054012FA06073B2CB32A961FF90

Uniqueness

Uniqueness Score: -1.00%

Function 00F516B5 Relevance: 1.5, APIs: 1, Instructions: 14nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00F52612: GetWindowLongW.USER32(?,000000EB), ref: 00F52623

Part of subcall function 00F5201B: DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00F520D3
Part of subcall function 00F5201B: KillTimer.USER32(-00000001,?,?,?,?,00F516CB,00000000,?,?,00F51AE2,?,?), ref: 00F5216E

NtdllDialogWndProc_W.USER32(?,00000002,00000000,00000000,00000000,?,?,00F51AE2,?,?), ref: 00F516D4

Memory Dump Source

Source File: 00000000.00000002.316268130.0000000000F51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.316260119.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316369334.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316375172.0000000000FE0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316438570.0000000001005000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316460548.000000000100F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316503289.0000000001055000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316514363.000000000105C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316525512.000000000106B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316568333.0000000001091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316573795.0000000001094000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_POv5Nk1dlu.jbxd

Similarity

API ID: Window$DestroyDialogKillLongNtdllProc_Timer
String ID:
API String ID: 2797419724-0
Opcode ID: 2246c3cef4c137c0850521009707a2391ab40aead82bf9eca53a587ceecdaa17
Instruction ID: a2627d8b0e657f027d2e3cf41925fcb140315e95bc6568c4c9ef7b7741b8d681
Opcode Fuzzy Hash: 2246c3cef4c137c0850521009707a2391ab40aead82bf9eca53a587ceecdaa17
Instruction Fuzzy Hash: 38D0123014030877DA113B60DC17F493A19AB59751F408011BF05291D3CAB66915B558

Uniqueness

Uniqueness Score: -1.00%

Function 00FDCB7F Relevance: 1.5, APIs: 1, Instructions: 14nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.USER32 ref: 00FDCBA4

Memory Dump Source

Source File: 00000000.00000002.316268130.0000000000F51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.316260119.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316369334.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316375172.0000000000FE0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316438570.0000000001005000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316460548.000000000100F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316503289.0000000001055000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316514363.000000000105C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316525512.000000000106B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316568333.0000000001091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316573795.0000000001094000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_POv5Nk1dlu.jbxd

Similarity

API ID: DialogNtdllProc_
String ID:
API String ID: 3239928679-0
Opcode ID: ea863bcfd084b9ba8fb4b449bee66f1839182cb84443970252a1964211704be4
Instruction ID: c19b6ce6161df66486fec8c746b969d3cc32c344e194626f421388df10c11a43
Opcode Fuzzy Hash: ea863bcfd084b9ba8fb4b449bee66f1839182cb84443970252a1964211704be4
Instruction Fuzzy Hash: DAE0E27520020CEFCB01DF88E844E863BA5AB1D300F004054FE0547262CB72A820EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00FDCB50 Relevance: 1.5, APIs: 1, Instructions: 14nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.USER32 ref: 00FDCB75

Memory Dump Source

Source File: 00000000.00000002.316268130.0000000000F51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.316260119.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316369334.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316375172.0000000000FE0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316438570.0000000001005000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316460548.000000000100F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316503289.0000000001055000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316514363.000000000105C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316525512.000000000106B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316568333.0000000001091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316573795.0000000001094000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_POv5Nk1dlu.jbxd

Similarity

API ID: DialogNtdllProc_
String ID:
API String ID: 3239928679-0
Opcode ID: e8174efa0bb8d808c36cdbb53d6ed634c145d6669136a45702122c51b7bdcb1e
Instruction ID: 71ad683edb9caa01ffa42eebb1c14f85f56f5aa6b0b4fb13e1194a86683e705e
Opcode Fuzzy Hash: e8174efa0bb8d808c36cdbb53d6ed634c145d6669136a45702122c51b7bdcb1e
Instruction Fuzzy Hash: 23E0E27520020CAFCB01DF88E884E863BA5AB1D300F004054FE0547262CB72A820EB61

Uniqueness

Uniqueness Score: -1.00%

Function 00F68A0E Relevance: .6, Instructions: 608COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.316268130.0000000000F51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.316260119.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316369334.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316375172.0000000000FE0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316438570.0000000001005000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316460548.000000000100F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316503289.0000000001055000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316514363.000000000105C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316525512.000000000106B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316568333.0000000001091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316573795.0000000001094000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_POv5Nk1dlu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e2a7169213711c4ece9e0d10a48a8ccccc25b332bfe89018bf7469a84ec7a23
Instruction ID: cc237671b2a8775c3e28b9094aaf23b327a602784b5ed2ebb70c4f64f4d4bcd6
Opcode Fuzzy Hash: 9e2a7169213711c4ece9e0d10a48a8ccccc25b332bfe89018bf7469a84ec7a23
Instruction Fuzzy Hash: E8223771D01616CBDF288F14C49477D77B1EF427A4F28866ED8829B291DB34AD82FB60

Uniqueness

Uniqueness Score: -1.00%

Function 00FDA849 Relevance: 49.8, APIs: 33, Instructions: 274
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E00FDA849(intOrPtr _a4, struct HWND__** _a8) {
				int _v32;
				struct tagRECT _v48;
				struct tagRECT _v64;
				int _v68;
				void* _v72;
				int _v76;
				WCHAR* _v80;
				WCHAR* _v84;
				void* _v96;
				int _v100;
				void* __ebx;
				void* __edi;
				signed int _t90;
				intOrPtr* _t92;
				long _t93;
				long _t95;
				void* _t97;
				void* _t105;
				long _t109;
				WCHAR* _t112;
				int _t123;
				signed int _t136;
				struct HDC__* _t151;
				int _t156;
				signed int _t157;
				signed int _t165;
				struct HWND__** _t168;
				intOrPtr _t176;
				int _t179;
				struct HWND__** _t180;
				int _t181;
				void* _t184;
				void* _t186;

				if( *0x10162b0 == 0) {
					_t176 = _a4;
					_t90 =  *(_t176 + 0x10);
					_t151 =  *(_t176 + 0x18);
					_v48.left = _t90 & 0x00000010;
					_t156 = _t90 & 0x00000006;
					_v48.right = _t90 & 0x00000001;
					_t92 =  *0xfdf528;
					_v32 = _t156;
					__eflags = _t156;
					if(_t156 == 0) {
						_t168 = _a8;
						__eflags =  *((intOrPtr*)(_t168 + 0x4c)) - 0xffffffff;
						if( *((intOrPtr*)(_t168 + 0x4c)) != 0xffffffff) {
							_push( *((intOrPtr*)(_t168 + 0x4c)));
						} else {
							_push( *_t92(0x12));
						}
						_t93 = SetTextColor(_t151, ??);
					} else {
						_t93 = SetTextColor(_t151,  *_t92(0xe));
						_t168 = _a8;
					}
					__eflags =  *(_t168 + 0x48) - 0xffffffff;
					_v48.top = _t93;
					if( *(_t168 + 0x48) != 0xffffffff) {
						_v64.left = CreateSolidBrush( *(_t168 + 0x48));
						_t95 =  *(_t168 + 0x48);
					} else {
						_v64.top.left = GetSysColorBrush(0xf);
						_t95 = GetSysColor(0xf);
					}
					_v48.top = SetBkColor(_t151, _t95);
					_t97 = SelectObject(_t151, _v72);
					__eflags = _v68;
					_v64.right = _t97;
					_v72 = _t176 + 0x1c;
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					if(_v68 == 0) {
						__eflags = _v76;
						if(_v76 != 0) {
							InflateRect( &_v48, 0xffffffff, 0xffffffff);
						}
						DrawFrameControl(_t151,  &_v48, 4, 0x10);
					} else {
						InflateRect( &_v48, 0xffffffff, 0xffffffff);
						_t186 = CreateSolidBrush(GetSysColor(0x10));
						FrameRect(_t151,  &(_v64.bottom), _t186);
						DeleteObject(_t186);
					}
					_t101 =  &_v48;
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t179 = _v68;
					__eflags = _t179;
					if(_t179 == 0) {
						__eflags = _v76;
						if(_v76 == 0) {
							_push(0xfffffffe);
							_push(0xfffffffe);
						} else {
							_push(0xfffffffd);
							_push(0xfffffffd);
						}
						InflateRect(_t101, ??, ??);
						_v48.left = _v48.left - 1;
						_t38 =  &(_v48.top);
						 *_t38 = _v48.top - 1;
						__eflags =  *_t38;
					} else {
						InflateRect( &_v48, 0xfffffffe, 0xfffffffe);
					}
					FillRect(_t151,  &_v48, _v80);
					_t105 = 2;
					__eflags = _t179;
					if(_t179 != 0) {
						L24:
						_v64.top.left = _v64.top.left + _t105;
						_t45 =  &(_v64.right);
						 *_t45 = _v64.right + _t105;
						__eflags =  *_t45;
					} else {
						__eflags = _v72 - _t179;
						if(_v72 != _t179) {
							goto L24;
						}
					}
					_t180 = _a8;
					_t171 = 0x104;
					_v96 = 0x104;
					_t157 = GetWindowLongW( *_t180, 0xfffffff0);
					__eflags = _t157 & 0x00002000;
					if((_t157 & 0x00002000) == 0) {
						_t171 = 0x124;
						__eflags = 0x104;
						_v96 = 0x104;
					}
					__eflags = (_t157 & 0x00000300) - 0x300;
					if((_t157 & 0x00000300) == 0x300) {
						_t171 = _t171 | 0x00000001;
						__eflags = _t171;
						_v96 = _t171;
					}
					__eflags = _t157 & 0x00000200;
					if(__eflags == 0) {
						__eflags = _t157 & 0x00000100;
						if(__eflags == 0) {
							_t171 = _t171 | 0x00000001;
							__eflags = _t171;
							goto L33;
						}
					} else {
						_t136 = 2;
						_t171 = _t171 | _t136;
						L33:
						_v96 = _t171;
					}
					_t109 = SendMessageW( *_t180, 0xe, 0, 0);
					_t165 = 2;
					_t58 = _t109 + 1; // 0x1
					_t181 = _t58;
					_t112 = E00F70FF6(_t151, _t171, __eflags,  ~(0 | __eflags > 0x00000000) | _t181 * _t165);
					_v80 = _t112;
					GetWindowTextW( *_a8, _t112, _t181);
					DrawTextW(_t151, _v80, 0xffffffff,  &(_v64.top), _t171);
					__eflags = _v72;
					if(_v72 != 0) {
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_v64.right = _v64.right + 1;
						_t74 =  &(_v64.bottom);
						 *_t74 = _v64.bottom.left + 1;
						__eflags =  *_t74;
						SetTextColor(_t151, GetSysColor(0x11));
						DrawTextW(_t151, _v84, 0xffffffff,  &_v64, _v100);
					}
					__eflags = _v84;
					if(_v84 != 0) {
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t184 = CreateSolidBrush(0);
						FrameRect(_t151,  &(_v64.top), _t184);
						DeleteObject(_t184);
						InflateRect( &_v64, 0xfffffffc, 0xfffffffc);
						DrawFocusRect(_t151,  &_v64);
					}
					L00F7106C(_v76);
					SelectObject(_t151, _v64);
					DeleteObject(_v96);
					SetTextColor(_t151, _v84);
					SetBkColor(_t151, _v80);
					_t123 = 1;
					__eflags = 1;
				} else {
					_t123 = E00FDAB60(_a4, _a8);
				}
				return _t123;
			}

0x00fda85c
0x00fda86e
0x00fda871
0x00fda876
0x00fda87c
0x00fda885
0x00fda888
0x00fda88c
0x00fda891
0x00fda895
0x00fda897
0x00fda8aa
0x00fda8ad
0x00fda8b1
0x00fda8ba
0x00fda8b3
0x00fda8b7
0x00fda8b7
0x00fda8be
0x00fda899
0x00fda89f
0x00fda8a5
0x00fda8a5
0x00fda8c4
0x00fda8c8
0x00fda8cc
0x00fda8ed
0x00fda8f1
0x00fda8ce
0x00fda8d8
0x00fda8dc
0x00fda8dc
0x00fda900
0x00fda905
0x00fda90b
0x00fda914
0x00fda91d
0x00fda921
0x00fda922
0x00fda923
0x00fda924
0x00fda925
0x00fda95d
0x00fda962
0x00fda96d
0x00fda96d
0x00fda97d
0x00fda927
0x00fda930
0x00fda945
0x00fda94e
0x00fda955
0x00fda955
0x00fda98b
0x00fda98f
0x00fda990
0x00fda991
0x00fda992
0x00fda993
0x00fda997
0x00fda999
0x00fda9a8
0x00fda9ad
0x00fda9b5
0x00fda9b7
0x00fda9af
0x00fda9af
0x00fda9b1
0x00fda9b1
0x00fda9ba
0x00fda9c0
0x00fda9c4
0x00fda9c4
0x00fda9c4
0x00fda99b
0x00fda9a0
0x00fda9a0
0x00fda9d2
0x00fda9da
0x00fda9db
0x00fda9dd
0x00fda9e5
0x00fda9e5
0x00fda9e9
0x00fda9e9
0x00fda9e9
0x00fda9df
0x00fda9df
0x00fda9e3
0x00000000
0x00000000
0x00fda9e3
0x00fda9ed
0x00fda9f0
0x00fda9f7
0x00fdaa03
0x00fdaa05
0x00fdaa0b
0x00fdaa0d
0x00fdaa0d
0x00fdaa10
0x00fdaa10
0x00fdaa1d
0x00fdaa1f
0x00fdaa21
0x00fdaa21
0x00fdaa24
0x00fdaa24
0x00fdaa28
0x00fdaa2e
0x00fdaa37
0x00fdaa3d
0x00fdaa3f
0x00fdaa3f
0x00000000
0x00fdaa3f
0x00fdaa30
0x00fdaa32
0x00fdaa33
0x00fdaa42
0x00fdaa42
0x00fdaa42
0x00fdaa4e
0x00fdaa58
0x00fdaa59
0x00fdaa59
0x00fdaa68
0x00fdaa70
0x00fdaa79
0x00fdaa8c
0x00fdaa92
0x00fdaa97
0x00fdaaa3
0x00fdaaa4
0x00fdaaa5
0x00fdaaa6
0x00fdaaa7
0x00fdaaab
0x00fdaaab
0x00fdaaab
0x00fdaab7
0x00fdaacd
0x00fdaacd
0x00fdaad3
0x00fdaad8
0x00fdaae4
0x00fdaae5
0x00fdaae6
0x00fdaae7
0x00fdaaee
0x00fdaaf7
0x00fdaafe
0x00fdab0d
0x00fdab19
0x00fdab19
0x00fdab23
0x00fdab2e
0x00fdab38
0x00fdab43
0x00fdab4e
0x00fdab56
0x00fdab56
0x00fda85e
0x00fda864
0x00fda864
0x00fdab5d

APIs

SetTextColor.GDI32(?,00000000), ref: 00FDA89F
GetSysColorBrush.USER32(0000000F), ref: 00FDA8D0
GetSysColor.USER32(0000000F), ref: 00FDA8DC
SetBkColor.GDI32(?,000000FF), ref: 00FDA8F6
SelectObject.GDI32(?,?), ref: 00FDA905
InflateRect.USER32(?,000000FF,000000FF), ref: 00FDA930
GetSysColor.USER32(00000010), ref: 00FDA938
CreateSolidBrush.GDI32(00000000), ref: 00FDA93F
FrameRect.USER32 ref: 00FDA94E
DeleteObject.GDI32(00000000), ref: 00FDA955
InflateRect.USER32(?,000000FE,000000FE), ref: 00FDA9A0
FillRect.USER32 ref: 00FDA9D2
GetWindowLongW.USER32(?,000000F0), ref: 00FDA9FD

Part of subcall function 00FDAB60: GetSysColor.USER32(00000012), ref: 00FDAB99
Part of subcall function 00FDAB60: SetTextColor.GDI32(?,?), ref: 00FDAB9D
Part of subcall function 00FDAB60: GetSysColorBrush.USER32(0000000F), ref: 00FDABB3
Part of subcall function 00FDAB60: GetSysColor.USER32(0000000F), ref: 00FDABBE
Part of subcall function 00FDAB60: GetSysColor.USER32(00000011), ref: 00FDABDB
Part of subcall function 00FDAB60: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00FDABE9
Part of subcall function 00FDAB60: SelectObject.GDI32(?,00000000), ref: 00FDABFA
Part of subcall function 00FDAB60: SetBkColor.GDI32(?,00000000), ref: 00FDAC03
Part of subcall function 00FDAB60: SelectObject.GDI32(?,?), ref: 00FDAC10
Part of subcall function 00FDAB60: InflateRect.USER32(?,000000FF,000000FF), ref: 00FDAC2F
Part of subcall function 00FDAB60: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00FDAC46
Part of subcall function 00FDAB60: GetWindowLongW.USER32(00000000,000000F0), ref: 00FDAC5B

Memory Dump Source

Source File: 00000000.00000002.316268130.0000000000F51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.316260119.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316369334.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316375172.0000000000FE0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316438570.0000000001005000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316460548.000000000100F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316503289.0000000001055000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316514363.000000000105C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316525512.000000000106B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316568333.0000000001091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316573795.0000000001094000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_POv5Nk1dlu.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: ae63c97c8ce96dacf1733657264f6586a9a1a1f6f4256e7f0b7043277f26fcd8
Instruction ID: 748560fea818d26f2840785af30ef9e39b04c11db2302a7e4762bd86de3e7546
Opcode Fuzzy Hash: ae63c97c8ce96dacf1733657264f6586a9a1a1f6f4256e7f0b7043277f26fcd8
Instruction Fuzzy Hash: 4EA19172409305EFD7109F64DC08E5B7BAAFF88331F184A2AF962D61A0D735D948EB52

Uniqueness

Uniqueness Score: -1.00%

Function 00F52C18 Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 486
windowCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E00F52C18(void* __ecx, int _a4) {
				struct HWND__* _v32;
				char _v48;
				void* _v52;
				int _v68;
				void* _v76;
				struct HWND__** _v80;
				struct HWND__* _v84;
				signed int _v88;
				signed int _v92;
				struct HWND__** _v96;
				struct HWND__* _v100;
				char _t193;
				signed int _t198;
				int _t208;
				struct HMENU__* _t209;
				struct HMENU__* _t211;
				struct HWND__* _t218;
				struct HWND__* _t221;
				struct HMENU__* _t228;
				intOrPtr _t234;
				struct HWND__* _t236;
				signed int _t237;
				struct HWND__* _t243;
				struct HWND__* _t259;
				signed int _t262;
				struct HWND__* _t263;
				struct HWND__* _t273;
				signed int _t275;
				void* _t278;
				void* _t286;
				int _t288;
				void* _t291;
				void* _t303;
				void* _t309;
				struct HWND__** _t313;
				struct HWND__* _t316;
				struct HWND__* _t318;
				struct HWND__* _t320;
				struct HWND__* _t325;
				struct HWND__* _t326;
				struct HWND__* _t328;
				signed int _t329;
				intOrPtr _t330;
				struct HWND__** _t332;
				signed char _t337;
				signed int _t338;
				struct HWND__* _t339;
				struct HWND__* _t340;
				struct HWND__* _t341;
				struct HWND__* _t342;
				struct HWND__** _t345;
				signed int _t346;
				int _t348;
				struct HWND__** _t350;
				signed int _t351;
				signed int _t352;
				signed int _t353;
				signed int _t354;
				intOrPtr* _t355;
				signed int _t356;
				signed int _t358;

				_t348 = _a4;
				_t309 = __ecx;
				if(E00F52402(__ecx, _t348,  &_v92,  &_v88) == 0) {
					L16:
					_t193 = 0;
					L15:
					return _t193;
				}
				_v92 = _v92 | 0xffffffff;
				_t313 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__ecx + 0x60)) + _v92 * 4))));
				_v96 = _t313;
				_t345 =  *( *( *((intOrPtr*)(__ecx + 0x74)) + _v88 * 4));
				_v80 = _t345;
				_t337 = _t345[0x24];
				_t198 = _t337 & 0x000000ff;
				if(_t198 <= 0x11) {
					if(__eflags == 0) {
						SendMessageW(_t345[0xd], 0x1101, 0, _t345[4]);
						L8:
						_t350 = _v96;
						L9:
						if(_t345[0x11] != 0) {
							DeleteObject(_t345[0x11]);
						}
						if(_t345[0x19] != 0) {
							DeleteObject(_t345[0x19]);
						}
						if(_t345[0x1a] != 0) {
							DestroyCursor(_t345[0x1a]);
						}
						if(_t345[0x14] != 0) {
							DestroyWindow(_t345[0x14]);
						}
						_t204 = _v96;
						if(_v96 == _t350[7]) {
							_t350[7] = _v100;
						}
						E00F5246D(_t309, _t204);
						_t193 = 1;
						goto L15;
					}
					__eflags = _t198 - 0xc;
					if(__eflags > 0) {
						__eflags = _t198 - 0xe;
						if(_t198 < 0xe) {
							L7:
							DestroyWindow( *_t345);
							goto L8;
						}
						__eflags = _t198 - 0xf;
						if(_t198 <= 0xf) {
							__eflags = _t337 - 0xe;
							if(_t337 != 0xe) {
								L99:
								_t208 = DeleteMenu(_t345[3], _t348, 0);
								__eflags = _t208;
								if(_t208 != 0) {
									_t350 = _v96;
								} else {
									_t350 = _v96;
									DeleteMenu(_t350[0x67], _t348, _t208);
								}
								_t209 = _t350[0x67];
								__eflags = _t209;
								if(_t209 != 0) {
									_t211 = GetMenuItemCount(_t209);
									__eflags = _t211;
									if(_t211 == 0) {
										SetMenu( *_t350, _t211);
										DestroyMenu(_t350[0x67]);
										_t149 =  &(_t350[0x67]);
										 *_t149 = _t350[0x67] & 0x00000000;
										__eflags =  *_t149;
									}
								}
								DrawMenuBar( *_t350);
								goto L9;
							}
							_v52 = 0x30;
							E00F73020( &_v48, 0, 0x2c);
							_v48 = 4;
							_t218 = GetMenuItemInfoW(_t345[3], _t348, 0,  &_v52);
							__eflags = _t218;
							if(_t218 == 0) {
								goto L99;
							}
							_t316 = _v32;
							_v80 = _t316;
							__eflags = _t316;
							if(_t316 == 0) {
								goto L99;
							}
							_t351 = 3;
							__eflags =  *((intOrPtr*)(_t309 + 0x84)) - _t351;
							if( *((intOrPtr*)(_t309 + 0x84)) < _t351) {
								L98:
								_t348 = _a4;
								goto L99;
							} else {
								goto L93;
							}
							do {
								L93:
								_t221 =  *( *( *((intOrPtr*)(_t309 + 0x74)) + _t351 * 4));
								__eflags = _t221;
								if(_t221 != 0) {
									__eflags =  *((intOrPtr*)(_t221 + 0xc)) - _t316;
									if( *((intOrPtr*)(_t221 + 0xc)) == _t316) {
										__eflags =  *((char*)(_t221 + 0x90)) - 0xf;
										if( *((char*)(_t221 + 0x90)) == 0xf) {
											E00F5246D(_t309, _t351);
											_t316 = _v84;
										}
									}
								}
								_t351 = _t351 + 1;
								__eflags = _t351 -  *((intOrPtr*)(_t309 + 0x84));
							} while (_t351 <=  *((intOrPtr*)(_t309 + 0x84)));
							goto L98;
						}
						__eflags = _t198 - 0x10;
						if(_t198 != 0x10) {
							goto L7;
						}
						__eflags = _t345[0x10];
						if(_t345[0x10] != 0) {
							 *0xfdf08c(_t345[0x10]);
						}
						_t352 = 3;
						__eflags =  *((intOrPtr*)(_t309 + 0x84)) - _t352;
						if( *((intOrPtr*)(_t309 + 0x84)) >= _t352) {
							do {
								_t318 =  *( *( *((intOrPtr*)(_t309 + 0x74)) + _t352 * 4));
								__eflags = _t318;
								if(_t318 != 0) {
									__eflags =  *((intOrPtr*)(_t318 + 0x34)) -  *_t345;
									if( *((intOrPtr*)(_t318 + 0x34)) ==  *_t345) {
										__eflags =  *((char*)(_t318 + 0x90)) - 0x11;
										if( *((char*)(_t318 + 0x90)) == 0x11) {
											E00F5246D(_t309, _t352);
										}
									}
								}
								_t352 = _t352 + 1;
								__eflags = _t352 -  *((intOrPtr*)(_t309 + 0x84));
							} while (_t352 <=  *((intOrPtr*)(_t309 + 0x84)));
						}
						goto L7;
					}
					if(__eflags == 0) {
						_t353 = 3;
						__eflags =  *(__ecx + 0x84) - _t353;
						if( *(__ecx + 0x84) < _t353) {
							L74:
							_t228 =  *(_t313 + 0x1a0);
							__eflags = _t345[3] - _t228;
							if(_t345[3] != _t228) {
								DestroyMenu(_t345[3]);
								goto L8;
							}
							DestroyMenu(_t228);
							_t350 = _v96;
							_t350[0x68] = _t350[0x68] & 0x00000000;
							goto L9;
						} else {
							goto L66;
						}
						do {
							L66:
							_t320 =  *( *( *((intOrPtr*)(_t309 + 0x74)) + _t353 * 4));
							__eflags = _t320;
							if(_t320 == 0) {
								goto L72;
							}
							__eflags =  *(_t320 + 0xc) - _t345[3];
							if( *(_t320 + 0xc) != _t345[3]) {
								goto L72;
							}
							_t234 =  *((intOrPtr*)(_t320 + 0x90));
							__eflags = _t234 - 0xf;
							if(_t234 == 0xf) {
								L71:
								E00F5246D(_t309, _t353);
								goto L72;
							}
							__eflags = _t234 - 0xe;
							if(_t234 == 0xe) {
								goto L71;
							}
							 *(_t320 + 0xc) =  *(_t320 + 0xc) & 0x00000000;
							L72:
							_t353 = _t353 + 1;
							__eflags = _t353 -  *((intOrPtr*)(_t309 + 0x84));
						} while (_t353 <=  *((intOrPtr*)(_t309 + 0x84)));
						_t313 = _v96;
						goto L74;
					}
					__eflags = _t198 - 2;
					if(_t198 < 2) {
						goto L7;
					}
					_t354 = 3;
					__eflags = _t198 - _t354;
					if(_t198 <= _t354) {
						_t236 =  *(_t313 + 0x1c4);
						__eflags = _t236;
						if(_t236 > 0) {
							__eflags = _a4 - _t236;
							if(_a4 == _t236) {
								 *(_t313 + 0x1c4) =  *(_t313 + 0x1c4) & 0x00000000;
							}
						}
						goto L7;
					}
					__eflags = _t198 - 0xa;
					if(_t198 == 0xa) {
						_t237 =  *(__ecx + 0x84);
						__eflags = _t237 - _t354;
						if(_t237 < _t354) {
							L60:
							_t338 = _v92;
							 *(_t313 + 0x188) = 0;
							 *((intOrPtr*)(_t313 + 0x18c)) = _t338;
							 *((intOrPtr*)(_t313 + 0x190)) = _t338;
							 *((intOrPtr*)(_t313 + 0x194)) = 0;
							 *((char*)(_t313 + 0x198)) = 0;
							DestroyWindow( *_t345);
							__eflags = _t345[0x10];
							if(_t345[0x10] != 0) {
								 *0xfdf08c(_t345[0x10]);
							}
							goto L8;
						}
						_t346 = _t237;
						do {
							_t243 =  *( *( *((intOrPtr*)(_t309 + 0x74)) + _t346 * 4));
							__eflags = _t243;
							if(_t243 != 0) {
								__eflags =  *((char*)(_t243 + 0x90)) - 0xb;
								if( *((char*)(_t243 + 0x90)) == 0xb) {
									E00F52C18(_t309, _t346);
								}
							}
							_t346 = _t346 - 1;
							__eflags = _t346 - _t354;
						} while (_t346 >= _t354);
						_t345 = _v80;
						_t313 = _v96;
						goto L60;
					}
					__eflags = _t198 - 0xb;
					if(_t198 != 0xb) {
						goto L7;
					} else {
						_v84 =  *((intOrPtr*)(_t313 + 0x190));
						SendMessageW( *(_t313 + 0x188), 0x1308, _t345[0x24] & 0x000000ff, 0);
						_t325 =  *( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t309 + 0x74)) + E00F525DB(_t309, _v96[0x62]) * 4)))) + 0x40);
						__eflags = _t325;
						if(_t325 != 0) {
							_t275 = _t345[0x22] & 0x0000ffff;
							__eflags = _t275 - _v92;
							if(_t275 != _v92) {
								 *0xfdf090(_t325, _t275);
							}
						}
						__eflags =  *((intOrPtr*)(_t309 + 0x84)) - _t354;
						if( *((intOrPtr*)(_t309 + 0x84)) < _t354) {
							L47:
							_t326 = _v84;
							_t350 = _v96;
							__eflags = (_t345[0x24] & 0x000000ff) - _t326;
							if((_t345[0x24] & 0x000000ff) != _t326) {
								_t350[0x64] = _v92;
								__eflags = _t326 - (_t345[0x24] & 0x000000ff);
								if(_t326 <= (_t345[0x24] & 0x000000ff)) {
									L52:
									_t345[0x24] = 0xff;
									E00FDB958(_t309, _t350, _t326);
									_t350[0x63] = _t350[0x63] - 1;
									_t350[0x65] = _t350[0x65] & 0x00000000;
									goto L9;
								}
								L51:
								__eflags = _t326;
								goto L52;
							}
							__eflags = _t326 - _t350[0x63];
							if(_t326 == _t350[0x63]) {
								goto L51;
							} else {
								goto L52;
							}
						} else {
							goto L33;
						}
						do {
							L33:
							_t328 =  *( *( *((intOrPtr*)(_t309 + 0x74)) + _t354 * 4));
							__eflags = _t328;
							if(_t328 == 0) {
								goto L46;
							}
							_t259 =  *(_t328 + 0x93);
							__eflags = _t259 - 0xff;
							if(_t259 == 0xff) {
								goto L46;
							}
							_t339 = _t345[0x24];
							__eflags = _t259 - _t339;
							if(__eflags != 0) {
								L39:
								if(__eflags > 0) {
									_t273 = _t259 - 1;
									__eflags = _t273;
									 *(_t328 + 0x93) = _t273;
								}
								_t340 =  *( *( *((intOrPtr*)(_t309 + 0x74)) + _t354 * 4));
								__eflags =  *((char*)(_t340 + 0x90)) - 0xb;
								if( *((char*)(_t340 + 0x90)) == 0xb) {
									_t329 = _t345[0x22] & 0x0000ffff;
									__eflags = _t329;
									if(_t329 >= 0) {
										_t262 =  *(_t340 + 0x88) & 0x0000ffff;
										__eflags = _t262;
										if(_t262 >= 0) {
											__eflags = _t262 - _t329;
											if(_t262 > _t329) {
												_t263 = _t262 - 1;
												__eflags = _t263;
												_v52 = 2;
												 *(_t340 + 0x88) = _t263;
												_t330 =  *((intOrPtr*)(_t309 + 0x74));
												_v32 =  *((short*)( *((intOrPtr*)( *((intOrPtr*)(_t330 + _t354 * 4)))) + 0x88));
												SendMessageW(_v96[0x62], 0x133d,  *( *((intOrPtr*)( *((intOrPtr*)(_t330 + _t354 * 4)))) + 0x93) & 0x000000ff,  &_v52);
											}
										}
									}
								}
								goto L46;
							}
							__eflags =  *((char*)(_t328 + 0x90)) - 0xb;
							if( *((char*)(_t328 + 0x90)) == 0xb) {
								__eflags = _t259 - _t339;
								goto L39;
							} else {
								E00F52C18(_t309, _t354);
							}
							L46:
							_t354 = _t354 + 1;
							__eflags = _t354 -  *((intOrPtr*)(_t309 + 0x84));
						} while (_t354 <=  *((intOrPtr*)(_t309 + 0x84)));
						goto L47;
					}
				}
				_t278 = _t198 - 0x13;
				if(_t278 == 0) {
					__eflags = _t345[0xe];
					_t355 =  *0xfdf08c;
					if(_t345[0xe] != 0) {
						 *_t355(_t345[0xe]);
					}
					__eflags = _t345[0xf];
					if(_t345[0xf] != 0) {
						 *_t355(_t345[0xf]);
					}
					_t356 = 3;
					__eflags =  *((intOrPtr*)(_t309 + 0x84)) - _t356;
					if( *((intOrPtr*)(_t309 + 0x84)) >= _t356) {
						do {
							_t341 =  *( *( *((intOrPtr*)(_t309 + 0x74)) + _t356 * 4));
							__eflags = _t341;
							if(_t341 != 0) {
								_t332 = _v96;
								__eflags =  *((intOrPtr*)(_t341 + 4)) - _t332[1];
								if( *((intOrPtr*)(_t341 + 4)) == _t332[1]) {
									__eflags =  *((char*)(_t341 + 0x90)) - 0x14;
									if( *((char*)(_t341 + 0x90)) == 0x14) {
										__eflags =  *((intOrPtr*)(_t341 + 0x34)) -  *_t345;
										if( *((intOrPtr*)(_t341 + 0x34)) ==  *_t345) {
											E00F52C18(_t309, _t356);
										}
									}
								}
							}
							_t356 = _t356 + 1;
							__eflags = _t356 -  *((intOrPtr*)(_t309 + 0x84));
						} while (_t356 <=  *((intOrPtr*)(_t309 + 0x84)));
					}
					goto L7;
				}
				_t286 = _t278 - 1;
				if(_t286 == 0) {
					_v68 = _t348;
					_v76 = 1;
					_t288 = SendMessageW(_t345[0xd], 0x1053, _v92,  &_v76);
					__eflags = _t288 - _v92;
					if(_t288 == _v92) {
						goto L16;
					}
					SendMessageW(_t345[0xd], 0x1008, _t288, 0);
					goto L8;
				}
				_t291 = _t286;
				if(_t291 == 0) {
					_t358 = 3;
					__eflags =  *(__ecx + 0x84) - _t358;
					if( *(__ecx + 0x84) < _t358) {
						goto L7;
					} else {
						goto L110;
					}
					while(1) {
						L110:
						_t342 =  *( *( *((intOrPtr*)(_t309 + 0x74)) + _t358 * 4));
						__eflags = _t342;
						if(_t342 == 0) {
							goto L115;
						}
						__eflags =  *((intOrPtr*)(_t342 + 4)) -  *((intOrPtr*)(_t313 + 4));
						if( *((intOrPtr*)(_t342 + 4)) !=  *((intOrPtr*)(_t313 + 4))) {
							goto L115;
						}
						__eflags =  *((char*)(_t342 + 0x90)) - 3;
						if( *((char*)(_t342 + 0x90)) != 3) {
							goto L115;
						}
						__eflags = _t342->i - _t345[0xd];
						if(_t342->i != _t345[0xd]) {
							goto L115;
						}
						MoveWindow( *( *( *( *((intOrPtr*)(_t309 + 0x74)) + _t358 * 4))), ( *( *( *((intOrPtr*)(_t309 + 0x74)) + _t358 * 4)))[0x22], ( *( *( *((intOrPtr*)(_t309 + 0x74)) + _t358 * 4)))[0x22],  *(_t334 + 0x8c),  *(_t334 + 0x8e), 0);
						goto L7;
						L115:
						_t358 = _t358 + 1;
						__eflags = _t358 -  *((intOrPtr*)(_t309 + 0x84));
						if(_t358 >  *((intOrPtr*)(_t309 + 0x84))) {
							goto L7;
						}
					}
				}
				_t303 = _t291 - 5;
				if(_t303 != 0) {
					__eflags = _t303 != 0;
					if(_t303 != 0) {
						goto L7;
					}
					E00FDA6C4(__ecx, _t345, _t313);
					goto L8;
				} else {
					E00F51B41(_t313, _t345);
					goto L7;
				}
			}

0x00f52c27
0x00f52c2a
0x00f52c3b
0x00f52ce1
0x00f52ce1
0x00f52cd8
0x00f52cde
0x00f52cde
0x00f52c4c
0x00f52c54
0x00f52c59
0x00f52c60
0x00f52c62
0x00f52c66
0x00f52c6c
0x00f52c72
0x00f8c631
0x00f8ca6d
0x00f52ca8
0x00f52ca8
0x00f52cac
0x00f52cb0
0x00f52ce8
0x00f52ce8
0x00f52cb6
0x00f52cf3
0x00f52cf3
0x00f52cbc
0x00f52cfe
0x00f52cfe
0x00f52cc2
0x00f52d09
0x00f52d09
0x00f52cc4
0x00f52ccb
0x00f52d15
0x00f52d15
0x00f52cd0
0x00f52cd7
0x00000000
0x00f52cd7
0x00f8c637
0x00f8c63a
0x00f8c90f
0x00f8c912
0x00f52ca0
0x00f52ca2
0x00000000
0x00f52ca2
0x00f8c918
0x00f8c91b
0x00f8c976
0x00f8c979
0x00f8c9fa
0x00f8ca00
0x00f8ca06
0x00f8ca08
0x00f8ca1e
0x00f8ca0a
0x00f8ca0c
0x00f8ca16
0x00f8ca16
0x00f8ca22
0x00f8ca28
0x00f8ca2a
0x00f8ca2d
0x00f8ca33
0x00f8ca35
0x00f8ca3a
0x00f8ca46
0x00f8ca4c
0x00f8ca4c
0x00f8ca4c
0x00f8ca4c
0x00f8ca35
0x00f8ca55
0x00000000
0x00f8ca55
0x00f8c981
0x00f8c98c
0x00f8c994
0x00f8c9a7
0x00f8c9ad
0x00f8c9af
0x00000000
0x00000000
0x00f8c9b1
0x00f8c9b5
0x00f8c9b9
0x00f8c9bb
0x00000000
0x00000000
0x00f8c9bf
0x00f8c9c0
0x00f8c9c6
0x00f8c9f7
0x00f8c9f7
0x00000000
0x00000000
0x00000000
0x00000000
0x00f8c9c8
0x00f8c9c8
0x00f8c9ce
0x00f8c9d0
0x00f8c9d2
0x00f8c9d4
0x00f8c9d7
0x00f8c9d9
0x00f8c9e0
0x00f8c9e5
0x00f8c9ea
0x00f8c9ea
0x00f8c9e0
0x00f8c9d7
0x00f8c9ee
0x00f8c9ef
0x00f8c9ef
0x00000000
0x00f8c9c8
0x00f8c91d
0x00f8c920
0x00000000
0x00000000
0x00f8c926
0x00f8c92a
0x00f8c92f
0x00f8c92f
0x00f8c937
0x00f8c938
0x00f8c93e
0x00f8c944
0x00f8c94a
0x00f8c94c
0x00f8c94e
0x00f8c953
0x00f8c955
0x00f8c957
0x00f8c95e
0x00f8c963
0x00f8c963
0x00f8c95e
0x00f8c955
0x00f8c968
0x00f8c969
0x00f8c969
0x00f8c971
0x00000000
0x00f8c93e
0x00f8c640
0x00f8c899
0x00f8c89a
0x00f8c8a0
0x00f8c8df
0x00f8c8df
0x00f8c8e5
0x00f8c8e8
0x00f8c904
0x00000000
0x00f8c904
0x00f8c8eb
0x00f8c8f1
0x00f8c8f5
0x00000000
0x00000000
0x00000000
0x00000000
0x00f8c8a2
0x00f8c8a2
0x00f8c8a8
0x00f8c8aa
0x00f8c8ac
0x00000000
0x00000000
0x00f8c8b1
0x00f8c8b4
0x00000000
0x00000000
0x00f8c8b6
0x00f8c8bc
0x00f8c8be
0x00f8c8ca
0x00f8c8cd
0x00000000
0x00f8c8cd
0x00f8c8c0
0x00f8c8c2
0x00000000
0x00000000
0x00f8c8c4
0x00f8c8d2
0x00f8c8d2
0x00f8c8d3
0x00f8c8d3
0x00f8c8db
0x00000000
0x00f8c8db
0x00f8c646
0x00f8c649
0x00000000
0x00000000
0x00f8c651
0x00f8c652
0x00f8c654
0x00f8c874
0x00f8c87a
0x00f8c87c
0x00f8c882
0x00f8c885
0x00f8c88b
0x00f8c88b
0x00f8c885
0x00000000
0x00f8c87c
0x00f8c65a
0x00f8c65d
0x00f8c7fa
0x00f8c800
0x00f8c802
0x00f8c830
0x00f8c830
0x00f8c836
0x00f8c83c
0x00f8c842
0x00f8c848
0x00f8c84e
0x00f8c856
0x00f8c85c
0x00f8c860
0x00f8c869
0x00f8c869
0x00000000
0x00f8c860
0x00f8c804
0x00f8c806
0x00f8c80c
0x00f8c80e
0x00f8c810
0x00f8c812
0x00f8c819
0x00f8c81e
0x00f8c81e
0x00f8c819
0x00f8c823
0x00f8c824
0x00f8c824
0x00f8c828
0x00f8c82c
0x00000000
0x00f8c82c
0x00f8c663
0x00f8c666
0x00000000
0x00f8c66c
0x00f8c674
0x00f8c68b
0x00f8c6ac
0x00f8c6af
0x00f8c6b1
0x00f8c6b3
0x00f8c6ba
0x00f8c6bf
0x00f8c6c4
0x00f8c6c4
0x00f8c6bf
0x00f8c6ca
0x00f8c6d0
0x00f8c7a5
0x00f8c7ac
0x00f8c7b0
0x00f8c7b4
0x00f8c7b6
0x00f8c7c6
0x00f8c7d3
0x00f8c7d5
0x00f8c7d8
0x00f8c7dc
0x00f8c7e3
0x00f8c7e8
0x00f8c7ee
0x00000000
0x00f8c7ee
0x00f8c7d7
0x00f8c7d7
0x00000000
0x00f8c7d7
0x00f8c7b8
0x00f8c7be
0x00000000
0x00f8c7c0
0x00000000
0x00f8c7c0
0x00000000
0x00000000
0x00000000
0x00f8c6d6
0x00f8c6d6
0x00f8c6dc
0x00f8c6de
0x00f8c6e0
0x00000000
0x00000000
0x00f8c6e6
0x00f8c6ec
0x00f8c6ee
0x00000000
0x00000000
0x00f8c6f4
0x00f8c6fa
0x00f8c6fc
0x00f8c716
0x00f8c716
0x00f8c718
0x00f8c718
0x00f8c71a
0x00f8c71a
0x00f8c726
0x00f8c728
0x00f8c72f
0x00f8c731
0x00f8c738
0x00f8c73b
0x00f8c73d
0x00f8c744
0x00f8c747
0x00f8c749
0x00f8c74c
0x00f8c74e
0x00f8c74e
0x00f8c74f
0x00f8c757
0x00f8c75e
0x00f8c76d
0x00f8c792
0x00f8c792
0x00f8c74c
0x00f8c747
0x00f8c73b
0x00000000
0x00f8c72f
0x00f8c6fe
0x00f8c705
0x00f8c714
0x00000000
0x00f8c707
0x00f8c70a
0x00f8c70a
0x00f8c798
0x00f8c798
0x00f8c799
0x00f8c799
0x00000000
0x00f8c6d6
0x00f8c666
0x00f52c78
0x00f52c7b
0x00f8cb48
0x00f8cb4c
0x00f8cb52
0x00f8cb57
0x00f8cb57
0x00f8cb59
0x00f8cb5d
0x00f8cb62
0x00f8cb62
0x00f8cb66
0x00f8cb67
0x00f8cb6d
0x00f8cb73
0x00f8cb79
0x00f8cb7b
0x00f8cb7d
0x00f8cb7f
0x00f8cb86
0x00f8cb89
0x00f8cb8b
0x00f8cb92
0x00f8cb97
0x00f8cb99
0x00f8cb9e
0x00f8cb9e
0x00f8cb99
0x00f8cb92
0x00f8cb89
0x00f8cba3
0x00f8cba4
0x00f8cba4
0x00f8cbac
0x00000000
0x00f8cb6d
0x00f52c81
0x00f52c82
0x00f8cb0b
0x00f8cb1a
0x00f8cb2a
0x00f8cb2c
0x00f8cb30
0x00000000
0x00000000
0x00f8cb41
0x00000000
0x00f8cb41
0x00f52c89
0x00f52c8a
0x00f8ca90
0x00f8ca91
0x00f8ca97
0x00000000
0x00000000
0x00000000
0x00000000
0x00f8ca9d
0x00f8ca9d
0x00f8caa3
0x00f8caa5
0x00f8caa7
0x00000000
0x00000000
0x00f8caac
0x00f8caaf
0x00000000
0x00000000
0x00f8cab1
0x00f8cab8
0x00000000
0x00000000
0x00f8cabc
0x00f8cabf
0x00000000
0x00000000
0x00f8caed
0x00000000
0x00f8caf8
0x00f8caf8
0x00f8caf9
0x00f8caff
0x00000000
0x00000000
0x00f8cb05
0x00f8ca9d
0x00f52c90
0x00f52c93
0x00f8ca79
0x00f8ca7a
0x00000000
0x00000000
0x00f8ca84
0x00000000
0x00f52c99
0x00f52c9b
0x00000000
0x00f52c9b

APIs

DestroyWindow.USER32(?,?,?), ref: 00F52CA2
DeleteObject.GDI32(00000000), ref: 00F52CE8
DeleteObject.GDI32(00000000), ref: 00F52CF3
DestroyCursor.USER32(00000000), ref: 00F52CFE
DestroyWindow.USER32(00000000,?,?,?), ref: 00F52D09
SendMessageW.USER32(?,00001308,?,00000000), ref: 00F8C68B
6F83B9D0.COMCTL32(?,000000FF,?), ref: 00F8C6C4
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00F8CAED

Part of subcall function 00F51B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00F52036,?,00000000,?,?,?,?,00F516CB,00000000,?), ref: 00F51B9A

SendMessageW.USER32(?,00001053), ref: 00F8CB2A
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00F8CB41
6F7E7D50.COMCTL32(00000000,?,?), ref: 00F8CB57
6F7E7D50.COMCTL32(00000000,?,?), ref: 00F8CB62

Strings

0, xrefs: 00F8C981

Memory Dump Source

Source File: 00000000.00000002.316268130.0000000000F51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.316260119.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316369334.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316375172.0000000000FE0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316438570.0000000001005000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316460548.000000000100F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316503289.0000000001055000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316514363.000000000105C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316525512.000000000106B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316568333.0000000001091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316573795.0000000001094000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_POv5Nk1dlu.jbxd

Similarity

API ID: DestroyMessageSendWindow$DeleteObject$CursorInvalidateMoveRect
String ID: 0
API String ID: 485803963-4108050209
Opcode ID: fd17401e170867b3cd2ccaa28eb378c99b7f727de7f253ffb5e508c846aa2981
Instruction ID: cce444d930c8ffce9b39c3ed7277d52cac9d3190e72b8eb937a68d3aa39c4886
Opcode Fuzzy Hash: fd17401e170867b3cd2ccaa28eb378c99b7f727de7f253ffb5e508c846aa2981
Instruction Fuzzy Hash: B312B430900201EFDB14EF24C888BA9BBE5FF45321F544669F996DB662C731EC45EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00FDAB60 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00FDAB99
SetTextColor.GDI32(?,?), ref: 00FDAB9D
GetSysColorBrush.USER32(0000000F), ref: 00FDABB3
GetSysColor.USER32(0000000F), ref: 00FDABBE
CreateSolidBrush.GDI32(?), ref: 00FDABC3
GetSysColor.USER32(00000011), ref: 00FDABDB
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00FDABE9
SelectObject.GDI32(?,00000000), ref: 00FDABFA
SetBkColor.GDI32(?,00000000), ref: 00FDAC03
SelectObject.GDI32(?,?), ref: 00FDAC10
InflateRect.USER32(?,000000FF,000000FF), ref: 00FDAC2F
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00FDAC46
GetWindowLongW.USER32(00000000,000000F0), ref: 00FDAC5B
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00FDACA7
GetWindowTextW.USER32 ref: 00FDACCE
InflateRect.USER32(?,000000FD,000000FD), ref: 00FDACEC
DrawFocusRect.USER32 ref: 00FDACF7
GetSysColor.USER32(00000011), ref: 00FDAD05
SetTextColor.GDI32(?,00000000), ref: 00FDAD0D
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00FDAD21
SelectObject.GDI32(?,00FDA869), ref: 00FDAD38
DeleteObject.GDI32(?), ref: 00FDAD43
SelectObject.GDI32(?,?), ref: 00FDAD49
DeleteObject.GDI32(?), ref: 00FDAD4E
SetTextColor.GDI32(?,?), ref: 00FDAD54
SetBkColor.GDI32(?,?), ref: 00FDAD5E

Memory Dump Source

Source File: 00000000.00000002.316268130.0000000000F51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.316260119.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316369334.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316375172.0000000000FE0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316438570.0000000001005000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316460548.000000000100F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316503289.0000000001055000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316514363.000000000105C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316525512.000000000106B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316568333.0000000001091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316573795.0000000001094000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_POv5Nk1dlu.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 9b6989f696d80f5ffbc013bcf4c8709e27b401faa49539dd88928f441691bca4
Instruction ID: ddf82db2b10afed01542a6f37c97856d1aa5bab59014a2b063467d9cf3e753b6
Opcode Fuzzy Hash: 9b6989f696d80f5ffbc013bcf4c8709e27b401faa49539dd88928f441691bca4
Instruction Fuzzy Hash: 0B614F71901218EFDF119FA4DC48EAE7B7AEB08320F148126F916AB2A1D6759D44EB90

Uniqueness

Uniqueness Score: -1.00%

Function 00F527D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

Part of subcall function 00F70FF6: _malloc.LIBCMT ref: 00F7100E

SystemParametersInfoW.USER32 ref: 00F528BC
GetSystemMetrics.USER32 ref: 00F528C4
SystemParametersInfoW.USER32 ref: 00F528EF
GetSystemMetrics.USER32 ref: 00F528F7
GetSystemMetrics.USER32 ref: 00F5291C
SetRect.USER32 ref: 00F52939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00F52949
CreateWindowExW.USER32 ref: 00F5297C
SetWindowLongW.USER32 ref: 00F52990
GetClientRect.USER32 ref: 00F529AE
GetStockObject.GDI32(00000011), ref: 00F529CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 00F529D5

Part of subcall function 00F52344: GetCursorPos.USER32(?,?,010167B0,?,010167B0,010167B0,?,00FDC247,00000000,00000001,?,?,?,00F8BC4F,?,?), ref: 00F52357
Part of subcall function 00F52344: ScreenToClient.USER32 ref: 00F52374
Part of subcall function 00F52344: GetAsyncKeyState.USER32(00000001), ref: 00F52399
Part of subcall function 00F52344: GetAsyncKeyState.USER32(00000002), ref: 00F523A7

SetTimer.USER32 ref: 00F529FC

Strings

AutoIt v3 GUI, xrefs: 00F52974

Memory Dump Source

Source File: 00000000.00000002.316268130.0000000000F51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.316260119.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316369334.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316375172.0000000000FE0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316438570.0000000001005000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316460548.000000000100F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316503289.0000000001055000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316514363.000000000105C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316525512.000000000106B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316568333.0000000001091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316573795.0000000001094000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_POv5Nk1dlu.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer_malloc
String ID: AutoIt v3 GUI
API String ID: 1557154100-248962490
Opcode ID: e47136e60fd7f5966e522bbdf8c85d51fb7c8c7a4b450b5670678aeb29cca02e
Instruction ID: 33146ffae8374332254bbd06d08dbc39715b3b289e58027bb9fe34ae47ede372
Opcode Fuzzy Hash: e47136e60fd7f5966e522bbdf8c85d51fb7c8c7a4b450b5670678aeb29cca02e
Instruction Fuzzy Hash: 7EB16F71A0020A9FDB14DFA8DC45BED7BB5FB09311F10822AFE16E6290DB799845EB50

Uniqueness

Uniqueness Score: -1.00%

Function 00F65F88 Relevance: 30.1, APIs: 8, Strings: 9, Instructions: 349COMMON

Download Yara Rule

APIs

Part of subcall function 00F57D2C: _memmove.LIBCMT ref: 00F57D66

GetForegroundWindow.USER32(00FDF910,?,?,?,?,?), ref: 00F66042
IsWindow.USER32(?), ref: 00FA0FFA

Strings

REGEXPCLASS, xrefs: 00FA0E45
REGEXPTITLE, xrefs: 00FA0DF3
ACTIVE, xrefs: 00FA0DC7
LAST, xrefs: 00FA0DB1
ALL, xrefs: 00FA0F61
HANDLE, xrefs: 00FA0DDD
INSTANCE, xrefs: 00FA0F39
TITLE, xrefs: 00FA0F8F
CLASS, xrefs: 00FA0E24

Memory Dump Source

Source File: 00000000.00000002.316268130.0000000000F51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.316260119.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316369334.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316375172.0000000000FE0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316438570.0000000001005000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316460548.000000000100F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316503289.0000000001055000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316514363.000000000105C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316525512.000000000106B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316568333.0000000001091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316573795.0000000001094000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_POv5Nk1dlu.jbxd

Similarity

API ID: Window$Foreground_memmove
String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
API String ID: 3828923867-1919597938
Opcode ID: e4b7d4b7b79949a4993fb70572540254fa5b2cebb66e4478fdfca261c605a4db
Instruction ID: 0ac5ad00ce7581f49c5b2fedb2c85acfd838a8324e2840dde5de0bc8b6926967
Opcode Fuzzy Hash: e4b7d4b7b79949a4993fb70572540254fa5b2cebb66e4478fdfca261c605a4db
Instruction Fuzzy Hash: 16D11A71504702EFCB14EF20DC80A99BBA5FF55354F008919F49A935A2CF34E959FB92

Uniqueness

Uniqueness Score: -1.00%

Function 00FAB1E0 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00FAB23F

Strings

[ALL, xrefs: 00FAB2E5
ACTIVE, xrefs: 00FAB21A
[CLASS:, xrefs: 00FAB28F
[ACTIVE, xrefs: 00FAB22C
HANDLE=, xrefs: 00FAB238
LAST, xrefs: 00FAB204
REGEXP=, xrefs: 00FAB254
[LAST, xrefs: 00FAB2EC
ALL, xrefs: 00FAB2D3
CLASSNAME=, xrefs: 00FAB27C
[HANDLE:, xrefs: 00FAB24B
[REGEXPTITLE:, xrefs: 00FAB267

Memory Dump Source

Source File: 00000000.00000002.316268130.0000000000F51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.316260119.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316369334.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316375172.0000000000FE0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316438570.0000000001005000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316460548.000000000100F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316503289.0000000001055000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316514363.000000000105C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316525512.000000000106B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316568333.0000000001091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316573795.0000000001094000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_POv5Nk1dlu.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: e46c9dcb4c0c78261c460b7de7d29b51d6f31580f67afca55694b9f676f75d6a
Instruction ID: 88f40356e286deef4e1b9959397d9ab87f132aa04042fbc3b20c15c584fd47cf
Opcode Fuzzy Hash: e46c9dcb4c0c78261c460b7de7d29b51d6f31580f67afca55694b9f676f75d6a
Instruction Fuzzy Hash: F8313372A04305A6EB02FA61DC43FEE77A8AF15751F60002EB989750D3EF696E08F551

Uniqueness

Uniqueness Score: -1.00%

Function 00FB7FA4 Relevance: 23.1, APIs: 11, Strings: 2, Instructions: 378timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00FB7FE9
VariantCopy.OLEAUT32(00000000,?), ref: 00FB7FF2
VariantClear.OLEAUT32(00000000), ref: 00FB7FFE
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00FB80EC
__swprintf.LIBCMT ref: 00FB811C
VarR8FromDec.OLEAUT32(?,?), ref: 00FB8148
VariantInit.OLEAUT32(?), ref: 00FB81F9
SysFreeString.OLEAUT32(00000016), ref: 00FB828D
VariantClear.OLEAUT32(?), ref: 00FB82E7
VariantClear.OLEAUT32(?), ref: 00FB82F6
VariantInit.OLEAUT32(00000000), ref: 00FB8334

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00FB8116
Default, xrefs: 00FB81A9

Memory Dump Source

Source File: 00000000.00000002.316268130.0000000000F51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.316260119.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316369334.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316375172.0000000000FE0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316438570.0000000001005000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316460548.000000000100F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316503289.0000000001055000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316514363.000000000105C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316525512.000000000106B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316568333.0000000001091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316573795.0000000001094000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_POv5Nk1dlu.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 3730832054-3931177956
Opcode ID: 7a0a65b644fab8a999ed6519222f0fb43e88874ce95a8cc11bfb6bf2fe90bf36
Instruction ID: 42863d2f05ed6bb4690a27253ab29765798f29aa2a3ae0b9a0c70a42bd95d22f
Opcode Fuzzy Hash: 7a0a65b644fab8a999ed6519222f0fb43e88874ce95a8cc11bfb6bf2fe90bf36
Instruction Fuzzy Hash: 98D1D531A04519DBDB10AF66C844BEAB7B8FF847D0F148056E9059B281CF359C4AFFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00FB9EA3 Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 00FB9EEA

Part of subcall function 00F57F41: _memmove.LIBCMT ref: 00F57F82

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00FB9F0B
__swprintf.LIBCMT ref: 00FB9F64
__swprintf.LIBCMT ref: 00FB9F7D
_wprintf.LIBCMT ref: 00FBA024
_wprintf.LIBCMT ref: 00FBA042

Strings

Incorrect parameters to object property !, xrefs: 00FB9FC6
"%s" (%d) : ==> %s:, xrefs: 00FBA03D
Line %d (File "%s"):, xrefs: 00FB9F5E, 00FB9F77
"%s" (%d) : ==> %s:%s%s, xrefs: 00FBA01F
^ ERROR , xrefs: 00FB9FB9
Error: , xrefs: 00FB9FEC

Memory Dump Source

Source File: 00000000.00000002.316268130.0000000000F51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.316260119.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316369334.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316375172.0000000000FE0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316438570.0000000001005000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316460548.000000000100F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316503289.0000000001055000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316514363.000000000105C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316525512.000000000106B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316568333.0000000001091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316573795.0000000001094000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_POv5Nk1dlu.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 311963372-3080491070
Opcode ID: 2780a7c407b11a654d7d03e503a9e57fcad36e6fc53f26da556dc8a4ac41f0ff
Instruction ID: 7732fecde72f76d8c2e71bf0d9ec813ac2ddc87e3d8ffbc3aca36966c93fd2db
Opcode Fuzzy Hash: 2780a7c407b11a654d7d03e503a9e57fcad36e6fc53f26da556dc8a4ac41f0ff
Instruction Fuzzy Hash: 46517F72904609AADF15FBE1DD82EEEB779AF08701F100165FA0572091EB792F4CEB61

Uniqueness

Uniqueness Score: -1.00%

Function 00FAFDBA Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 138windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,00F8E452,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 00FAFDEF
LoadStringW.USER32(00000000,?,00F8E452,00000001), ref: 00FAFDF8

Part of subcall function 00F57F41: _memmove.LIBCMT ref: 00F57F82

GetModuleHandleW.KERNEL32(00000000,01016310,?,00000FFF,?,?,00F8E452,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 00FAFE1A
LoadStringW.USER32(00000000,?,00F8E452,00000001), ref: 00FAFE1D
__swprintf.LIBCMT ref: 00FAFE6D
__swprintf.LIBCMT ref: 00FAFE7E
_wprintf.LIBCMT ref: 00FAFF27
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00FAFF3E

Strings

Line %d (File "%s"):, xrefs: 00FAFE67
^ ERROR, xrefs: 00FAFED3
%s (%d) : ==> %s: %s %s, xrefs: 00FAFF22
Line %d:, xrefs: 00FAFE78
Error: , xrefs: 00FAFEF5

Memory Dump Source

Source File: 00000000.00000002.316268130.0000000000F51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.316260119.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316369334.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316375172.0000000000FE0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316438570.0000000001005000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316460548.000000000100F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316503289.0000000001055000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316514363.000000000105C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316525512.000000000106B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316568333.0000000001091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316573795.0000000001094000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_POv5Nk1dlu.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 984253442-2268648507
Opcode ID: 3884f7041b8310644f116460c0a02f13b21475f6331f1dd799567db928b757e9
Instruction ID: 8247c951ef00fe203b4a192d9b518ee831066f3540f6ff5aad920c3900d03a15
Opcode Fuzzy Hash: 3884f7041b8310644f116460c0a02f13b21475f6331f1dd799567db928b757e9
Instruction Fuzzy Hash: 45415272804209ABCF15FBE0DD86DEEB779AF15701F100165FA0676092EA396F0DEB61

Uniqueness

Uniqueness Score: -1.00%

Function 00FBA0B5 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 156COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00FDFB78), ref: 00FBA0FC

Part of subcall function 00F57F41: _memmove.LIBCMT ref: 00F57F82

LoadStringW.USER32(?,?,00000FFF,?), ref: 00FBA11E
__swprintf.LIBCMT ref: 00FBA177
__swprintf.LIBCMT ref: 00FBA190
_wprintf.LIBCMT ref: 00FBA246
_wprintf.LIBCMT ref: 00FBA264

Strings

"%s" (%d) : ==> %s:, xrefs: 00FBA25F
Line %d (File "%s"):, xrefs: 00FBA171, 00FBA18A
^ ERROR, xrefs: 00FBA1E8
"%s" (%d) : ==> %s:%s%s, xrefs: 00FBA241
Error: , xrefs: 00FBA20E

Memory Dump Source

Source File: 00000000.00000002.316268130.0000000000F51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.316260119.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316369334.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316375172.0000000000FE0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316438570.0000000001005000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316460548.000000000100F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316503289.0000000001055000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316514363.000000000105C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316525512.000000000106B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316568333.0000000001091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316573795.0000000001094000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_POv5Nk1dlu.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 311963372-2391861430
Opcode ID: 535ecb3e2ad121309471c0ba064a208e204cf996bfb95297ad8cb71e31dd06dd
Instruction ID: 63a6e92ba8b5843ffdb8bbe98561238a81f516521e36cd314ab06af12b130dbc
Opcode Fuzzy Hash: 535ecb3e2ad121309471c0ba064a208e204cf996bfb95297ad8cb71e31dd06dd
Instruction Fuzzy Hash: 87516B72900609AACF15FBE1DD86EEEB779AF04301F100165FA0562091EB3A6F58EB61

Uniqueness

Uniqueness Score: -1.00%

Function 00F545DF Relevance: 19.7, APIs: 13, Instructions: 215windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F545F9
GetMenuItemCount.USER32 ref: 00F8D7CD
GetMenuItemCount.USER32 ref: 00F8D87D
GetCursorPos.USER32(?), ref: 00F8D8C1
SetForegroundWindow.USER32(00000000), ref: 00F8D8CA
TrackPopupMenuEx.USER32(01016890,00000000,?,00000000,00000000,00000000), ref: 00F8D8DD
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00F8D8E9

Memory Dump Source

Source File: 00000000.00000002.316268130.0000000000F51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.316260119.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316369334.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316375172.0000000000FE0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316438570.0000000001005000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316460548.000000000100F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316503289.0000000001055000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316514363.000000000105C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316525512.000000000106B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316568333.0000000001091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316573795.0000000001094000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_POv5Nk1dlu.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 2751501086-0
Opcode ID: dd671c1b06ee938f0365e054b902cb5c951b02af43a0c6a7ddbbf20643458250
Instruction ID: 038df8a5949fc5514a354fd11a410234a4f285141758561b90dd40b76b799873
Opcode Fuzzy Hash: dd671c1b06ee938f0365e054b902cb5c951b02af43a0c6a7ddbbf20643458250
Instruction Fuzzy Hash: 6A712631A41209BEEB209F24DC49FEAFF65FF05368F240216FA15A61D0C7B56854FB90

Uniqueness

Uniqueness Score: -1.00%

Function 00F5201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00F51B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00F52036,?,00000000,?,?,?,?,00F516CB,00000000,?), ref: 00F51B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00F520D3
KillTimer.USER32(-00000001,?,?,?,?,00F516CB,00000000,?,?,00F51AE2,?,?), ref: 00F5216E
DestroyAcceleratorTable.USER32 ref: 00F8BEF6
6F7E7D50.COMCTL32(00000000,?,00000000,?,?,?,?,00F516CB,00000000,?,?,00F51AE2,?,?), ref: 00F8BF27
6F7E7D50.COMCTL32(00000000,?,00000000,?,?,?,?,00F516CB,00000000,?,?,00F51AE2,?,?), ref: 00F8BF3E
6F7E7D50.COMCTL32(00000000,?,00000000,?,?,?,?,00F516CB,00000000,?,?,00F51AE2,?,?), ref: 00F8BF5A
DeleteObject.GDI32(00000000), ref: 00F8BF6C

Memory Dump Source

Source File: 00000000.00000002.316268130.0000000000F51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.316260119.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316369334.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316375172.0000000000FE0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316438570.0000000001005000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316460548.000000000100F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316503289.0000000001055000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316514363.000000000105C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316525512.000000000106B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316568333.0000000001091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316573795.0000000001094000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_POv5Nk1dlu.jbxd

Similarity

API ID: Destroy$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 2402799130-0
Opcode ID: 9de2db281b938f421d382b6de4cd899a05e6fb769088e2e7072aecb807679984
Instruction ID: 77d3349c23539d3daad345628570d22503c746171cd842660b1ece25c0d57b95
Opcode Fuzzy Hash: 9de2db281b938f421d382b6de4cd899a05e6fb769088e2e7072aecb807679984
Instruction Fuzzy Hash: E961B431501610DFCB75AF54DD48B6A77F2FF41322F104629EA82479A4C77AA889FF40

Uniqueness

Uniqueness Score: -1.00%

Function 00F521A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 00F525DB: GetWindowLongW.USER32(?,000000EB), ref: 00F525EC

GetSysColor.USER32(0000000F), ref: 00F521D3

Memory Dump Source

Source File: 00000000.00000002.316268130.0000000000F51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.316260119.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316369334.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316375172.0000000000FE0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316438570.0000000001005000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316460548.000000000100F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316503289.0000000001055000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316514363.000000000105C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316525512.000000000106B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316568333.0000000001091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316573795.0000000001094000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_POv5Nk1dlu.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 43beaccca3570ead4f349bd17d50ad3779e5171469f32451b50f18192ae631e7
Instruction ID: 5edf76ffad1f648515bddbf92d115fbf2c7d4fe0e6d325f4b9e99cc23f36efb2
Opcode Fuzzy Hash: 43beaccca3570ead4f349bd17d50ad3779e5171469f32451b50f18192ae631e7
Instruction Fuzzy Hash: 6C41C4354005049BEB215F38DC88BB93766EB07332F184366FE668A1E6C7318C46FB61

Uniqueness

Uniqueness Score: -1.00%

Function 00FB2A16 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FB2A31
GetMenuItemInfoW.USER32(01016890,000000FF,00000000,00000030), ref: 00FB2A92
SetMenuItemInfoW.USER32 ref: 00FB2AC8
Sleep.KERNEL32(000001F4), ref: 00FB2ADA
GetMenuItemCount.USER32 ref: 00FB2B1E
GetMenuItemID.USER32(?,00000000), ref: 00FB2B3A
GetMenuItemID.USER32(?,-00000001), ref: 00FB2B64
GetMenuItemID.USER32(?,?), ref: 00FB2BA9
CheckMenuRadioItem.USER32 ref: 00FB2BEF
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00FB2C03
SetMenuItemInfoW.USER32 ref: 00FB2C24

Memory Dump Source

Source File: 00000000.00000002.316268130.0000000000F51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.316260119.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316369334.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316375172.0000000000FE0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316438570.0000000001005000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316460548.000000000100F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316503289.0000000001055000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316514363.000000000105C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316525512.000000000106B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316568333.0000000001091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316573795.0000000001094000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_POv5Nk1dlu.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 84cf1244f4fd737da9e0861838437f585ad397df17a9cfba39bfd528eb95bb77
Instruction ID: 49fdaf748345f1bedfb4ee7dee1682f78df59967ba3ec496b81f04eb9356d1e5
Opcode Fuzzy Hash: 84cf1244f4fd737da9e0861838437f585ad397df17a9cfba39bfd528eb95bb77
Instruction Fuzzy Hash: 5E61FFB0900249AFDB61CF65DC88EFEBBB9EB41324F144559E842A3251DB39AD05FF21

Uniqueness

Uniqueness Score: -1.00%

Function 00FA710E Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00FA7135
SafeArrayAllocData.OLEAUT32(?), ref: 00FA718E
VariantInit.OLEAUT32(?), ref: 00FA71A0
SafeArrayAccessData.OLEAUT32(?,?), ref: 00FA71C0
VariantCopy.OLEAUT32(?,?), ref: 00FA7213
SafeArrayUnaccessData.OLEAUT32(?), ref: 00FA7227
VariantClear.OLEAUT32(?), ref: 00FA723C
SafeArrayDestroyData.OLEAUT32(?), ref: 00FA7249
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00FA7252
VariantClear.OLEAUT32(?), ref: 00FA7264
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00FA726F

Memory Dump Source

Source File: 00000000.00000002.316268130.0000000000F51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.316260119.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316369334.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316375172.0000000000FE0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316438570.0000000001005000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316460548.000000000100F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316503289.0000000001055000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316514363.000000000105C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316525512.000000000106B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316568333.0000000001091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316573795.0000000001094000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_POv5Nk1dlu.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 76d64401909df4faeeda2b609d055c46aa3595bb256f7df40af70dfe561fb884
Instruction ID: 491942ba6bc05708528c73bbb9f8158eceb156e2c14bda85d184d23cc03a7e45
Opcode Fuzzy Hash: 76d64401909df4faeeda2b609d055c46aa3595bb256f7df40af70dfe561fb884
Instruction Fuzzy Hash: 6D414F75904219AFCF04EF64DC44EAEBBB9EF49354F008069F916E7261CB34A949DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00F662F2 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 143COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F663A8
_memmove.LIBCMT ref: 00F66446
_memset.LIBCMT ref: 00F6646A

Strings

internal error: opcode not recognized, xrefs: 00F6647D
argument is not a compiled regular expression, xrefs: 00FA1160
ERCP, xrefs: 00F66313
internal error: missing capturing bracket, xrefs: 00FA1158
failed to get memory, xrefs: 00F66488
argument not compiled in 16 bit mode, xrefs: 00FA1150

Memory Dump Source

Source File: 00000000.00000002.316268130.0000000000F51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.316260119.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316369334.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316375172.0000000000FE0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316438570.0000000001005000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316460548.000000000100F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316503289.0000000001055000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316514363.000000000105C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316525512.000000000106B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316568333.0000000001091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316573795.0000000001094000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_POv5Nk1dlu.jbxd

Similarity

API ID: _memset$_memmove
String ID: ERCP$argument is not a compiled regular expression$argument not compiled in 16 bit mode$failed to get memory$internal error: missing capturing bracket$internal error: opcode not recognized
API String ID: 2532777613-264027815
Opcode ID: 566db4a4f32b20225d62de4f7c4e6aafa4a59593441d46c0155badc3883fcc53
Instruction ID: 46118bed5018468028a1d022fe0e3ca37e9a5cb77ab187786dc3bf4753f871fa
Opcode Fuzzy Hash: 566db4a4f32b20225d62de4f7c4e6aafa4a59593441d46c0155badc3883fcc53
Instruction Fuzzy Hash: 7F5182B1D00709DBDB24CF65C8817AABBF8FF04724F20856EE55ACB241EB359684DB51

Uniqueness

Uniqueness Score: -1.00%

Function 00FB7C1A Relevance: 15.3, APIs: 10, Instructions: 292COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00FB7CF6

Memory Dump Source

Source File: 00000000.00000002.316268130.0000000000F51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.316260119.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316369334.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316375172.0000000000FE0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316438570.0000000001005000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316460548.000000000100F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316503289.0000000001055000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316514363.000000000105C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316525512.000000000106B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316568333.0000000001091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316573795.0000000001094000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_POv5Nk1dlu.jbxd

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: 3168735ca1f2cbf2b547a71ea747a809cb4cf1eac52cc41853a1f19ae32c1f4f
Instruction ID: fb80698f984a7bebda0cb1581a8bcf44798ce169af2cd8c862df3140aca7ce0c
Opcode Fuzzy Hash: 3168735ca1f2cbf2b547a71ea747a809cb4cf1eac52cc41853a1f19ae32c1f4f
Instruction Fuzzy Hash: DFB18E7190821A9FDB10EFA5C884BFEB7B5EF89321F204069E905E7281D734E945EF91

Uniqueness

Uniqueness Score: -1.00%

Function 00F52B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32 ref: 00F8C547
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00F8C569
LoadImageW.USER32 ref: 00F8C581
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00F8C59F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00F8C5C0
DestroyCursor.USER32(00000000), ref: 00F8C5CF
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00F8C5EC
DestroyCursor.USER32(?), ref: 00F8C5FB

Part of subcall function 00FDA71E: DeleteObject.GDI32(00000000), ref: 00FDA757

Memory Dump Source

Source File: 00000000.00000002.316268130.0000000000F51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.316260119.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316369334.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316375172.0000000000FE0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316438570.0000000001005000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316460548.000000000100F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316503289.0000000001055000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316514363.000000000105C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316525512.000000000106B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316568333.0000000001091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316573795.0000000001094000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_POv5Nk1dlu.jbxd

Similarity

API ID: CursorDestroyExtractIconImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2975913752-0
Opcode ID: 6eb3a5aa8aecd2125d81755189cd329fb37a767a6d1e7621db1725cebed0e3c5
Instruction ID: 355150328e2dd8a97bc6fafe13d601dc436d2fa58e402f19a0fa97a40b56fed4
Opcode Fuzzy Hash: 6eb3a5aa8aecd2125d81755189cd329fb37a767a6d1e7621db1725cebed0e3c5
Instruction Fuzzy Hash: 4B517C71A00209AFDF24DF24CC45FAA3BB5FB45321F104629FA4297290DB75ED85EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00FC9E38 Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 352COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 00FC9EB9, 00FCA1DD
Not an Object type, xrefs: 00FC9E90

Memory Dump Source

Source File: 00000000.00000002.316268130.0000000000F51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.316260119.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316369334.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316375172.0000000000FE0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316438570.0000000001005000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316460548.000000000100F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316503289.0000000001055000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316514363.000000000105C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316525512.000000000106B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316568333.0000000001091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316573795.0000000001094000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_POv5Nk1dlu.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 015ddc630269e6e4d06d4cb58ee163875c76b3a04792973264163244b2545059
Instruction ID: f5d5997dab9ab2bd2e2b2095d8d0ca1d369154a8e5827b0cbd153da8c8d8ec0b
Opcode Fuzzy Hash: 015ddc630269e6e4d06d4cb58ee163875c76b3a04792973264163244b2545059
Instruction Fuzzy Hash: 62C19F71E0020A9FDF10CFA8C986FAEB7B5BB48314F14846DE905AB280E774AD45EB51

Uniqueness

Uniqueness Score: -1.00%

Function 00FB3226 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00FB32C5

Strings

info, xrefs: 00FB3266
warning, xrefs: 00FB32AE
question, xrefs: 00FB327E
stop, xrefs: 00FB3296
blank, xrefs: 00FB3247

Memory Dump Source

Source File: 00000000.00000002.316268130.0000000000F51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.316260119.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316369334.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316375172.0000000000FE0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316438570.0000000001005000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316460548.000000000100F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316503289.0000000001055000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316514363.000000000105C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316525512.000000000106B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316568333.0000000001091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316573795.0000000001094000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_POv5Nk1dlu.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: e53f0a1eed6ba270b6faa686e48fb22e9c93aa193c4419cf949742758d177a28
Instruction ID: 4bfa054cbb92f015dc83903bb8ce778d99e4cd631d2f0186719024195446ced4
Opcode Fuzzy Hash: e53f0a1eed6ba270b6faa686e48fb22e9c93aa193c4419cf949742758d177a28
Instruction Fuzzy Hash: 5111E732B88356FAB7015A56DC42EEAB39CDF19370F20402EF904AA181E6B55B407EA5

Uniqueness

Uniqueness Score: -1.00%

Function 00F52A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00F8C417,00000004,00000000,00000000,00000000), ref: 00F52ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,00F8C417,00000004,00000000,00000000,00000000,000000FF), ref: 00F52B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,00F8C417,00000004,00000000,00000000,00000000), ref: 00F8C46A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00F8C417,00000004,00000000,00000000,00000000), ref: 00F8C4D6

Memory Dump Source

Source File: 00000000.00000002.316268130.0000000000F51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.316260119.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316369334.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316375172.0000000000FE0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316438570.0000000001005000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316460548.000000000100F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316503289.0000000001055000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316514363.000000000105C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316525512.000000000106B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316568333.0000000001091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316573795.0000000001094000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_POv5Nk1dlu.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: beb0365873c8a1f0ddd730f0e3bd69a24a4688a7f8a8d6b9e0616ed41f91ffa1
Instruction ID: e1b5b5301dabfd7044891e5d695fb012ae9543c27778aa07215b7d7616e6588a
Opcode Fuzzy Hash: beb0365873c8a1f0ddd730f0e3bd69a24a4688a7f8a8d6b9e0616ed41f91ffa1
Instruction Fuzzy Hash: 88412431A046809EC7B5DB38CC9CBB77B92AB87321F14C61EEA4746560C67D988DF750

Uniqueness

Uniqueness Score: -1.00%

Function 00F51424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.316268130.0000000000F51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.316260119.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316369334.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316375172.0000000000FE0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316438570.0000000001005000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316460548.000000000100F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316503289.0000000001055000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316514363.000000000105C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316525512.000000000106B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316568333.0000000001091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316573795.0000000001094000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_POv5Nk1dlu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b852bca12840f3a72edb24520ce1a2ccbafb00ba95cde8c36231d3975359905
Instruction ID: f9a4ea809e9ae5191ac0d08a1b895be17c036601f7e71663f894d1c0cd713940
Opcode Fuzzy Hash: 0b852bca12840f3a72edb24520ce1a2ccbafb00ba95cde8c36231d3975359905
Instruction Fuzzy Hash: 91715D31900109EFCB14DF58CC49FBEBB79FF86321F248159FA15AA251C734AA55EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00FDB60B Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00B69510), ref: 00FDB6A5
IsWindowEnabled.USER32(00B69510), ref: 00FDB6B1
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 00FDB795
SendMessageW.USER32(00B69510,000000B0,?,?), ref: 00FDB7CC
IsDlgButtonChecked.USER32(?,?), ref: 00FDB809
GetWindowLongW.USER32(00B69510,000000EC), ref: 00FDB82B
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00FDB843

Memory Dump Source

Source File: 00000000.00000002.316268130.0000000000F51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.316260119.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316369334.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316375172.0000000000FE0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316438570.0000000001005000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316460548.000000000100F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316503289.0000000001055000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316514363.000000000105C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316525512.000000000106B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316568333.0000000001091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316573795.0000000001094000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_POv5Nk1dlu.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: d6d5b1ee627e3937b7158f2464870962dee3a42c00cc32bb274d81c81df39641
Instruction ID: 17de535b3b4543b3938b979fc78991973235ec7c96ce9f68b917ae6b0e8feb34
Opcode Fuzzy Hash: d6d5b1ee627e3937b7158f2464870962dee3a42c00cc32bb274d81c81df39641
Instruction Fuzzy Hash: 6D719334A01204EFDB219F64CC94FAA7BBBFF49310F1A409AE945973A1C736E941EB50

Uniqueness

Uniqueness Score: -1.00%

Function 00F51DB3 Relevance: 9.3, APIs: 6, Instructions: 254COMMON

Download Yara Rule

APIs

GetClientRect.USER32 ref: 00F51DDC
GetWindowRect.USER32 ref: 00F51E1D
ScreenToClient.USER32 ref: 00F51E45
GetClientRect.USER32 ref: 00F51F74
GetWindowRect.USER32 ref: 00F51F8D

Memory Dump Source

Source File: 00000000.00000002.316268130.0000000000F51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.316260119.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316369334.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316375172.0000000000FE0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316438570.0000000001005000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316460548.000000000100F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316503289.0000000001055000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316514363.000000000105C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316525512.000000000106B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316568333.0000000001091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316573795.0000000001094000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_POv5Nk1dlu.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: e54c24ab4cba45b83f373011bba16f609cd8d650696fb45f694fa92c8d682e86
Instruction ID: 610e8d16b1fceebe310403805b01793682cd84e3ecfc7fe1fb03c4fabdac9970
Opcode Fuzzy Hash: e54c24ab4cba45b83f373011bba16f609cd8d650696fb45f694fa92c8d682e86
Instruction Fuzzy Hash: 32B14A7A90024AEBDF10CFA8C5807EEB7F1FF08311F149529ED599B251DB30AA54EB54

Uniqueness

Uniqueness Score: -1.00%

Function 00FB675A Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00FB68AD
_memmove.LIBCMT ref: 00FB67E8

Part of subcall function 00F59997: __itow.LIBCMT ref: 00F599C2
Part of subcall function 00F59997: __swprintf.LIBCMT ref: 00F59A0C

Part of subcall function 00F70FF6: _malloc.LIBCMT ref: 00F7100E

_memmove.LIBCMT ref: 00FB685B
_memmove.LIBCMT ref: 00FB6942
_memmove.LIBCMT ref: 00FB695B
_memmove.LIBCMT ref: 00FB6977

Memory Dump Source

Source File: 00000000.00000002.316268130.0000000000F51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.316260119.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316369334.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316375172.0000000000FE0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316438570.0000000001005000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316460548.000000000100F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316503289.0000000001055000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316514363.000000000105C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316525512.000000000106B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316568333.0000000001091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316573795.0000000001094000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_POv5Nk1dlu.jbxd

Similarity

API ID: _memmove$__itow__swprintf_malloc
String ID:
API String ID: 83262069-0
Opcode ID: 4cea048d2e0fe7dac9681694968bdcdc8c7bbd42abde626fc161ce788b262cef
Instruction ID: 2c8883dad0e378f2adbaa678d58606a90712b401a7cc43effe5204b5916a6b8f
Opcode Fuzzy Hash: 4cea048d2e0fe7dac9681694968bdcdc8c7bbd42abde626fc161ce788b262cef
Instruction Fuzzy Hash: B261CD3050424AABDF15EF25CC81EFE37A4AF45308F044519FD599B192DB3CA909EB51

Uniqueness

Uniqueness Score: -1.00%

Function 00FB26F9 Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FB2747
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00FB2792
IsMenu.USER32 ref: 00FB27B2
CreatePopupMenu.USER32(01016890,00000000,762D33D0), ref: 00FB27E6
GetMenuItemCount.USER32 ref: 00FB2844
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00FB2875

Memory Dump Source

Source File: 00000000.00000002.316268130.0000000000F51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.316260119.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316369334.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316375172.0000000000FE0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316438570.0000000001005000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316460548.000000000100F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316503289.0000000001055000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316514363.000000000105C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316525512.000000000106B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316568333.0000000001091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316573795.0000000001094000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_POv5Nk1dlu.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: a0224fa381c3ef50227370b9499d195507a16561f06489992f8c94ff2799142e
Instruction ID: 19a6dde81de39f8bdbe4280ea128aa0504ba8f828b440ff78a79722069eea4d3
Opcode Fuzzy Hash: a0224fa381c3ef50227370b9499d195507a16561f06489992f8c94ff2799142e
Instruction Fuzzy Hash: B251AE70A00249EBDF65CF6AD888BEEBBF5BF44324F14426AE8159B290D770C904EF51

Uniqueness

Uniqueness Score: -1.00%

Function 00F51765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00F52612: GetWindowLongW.USER32(?,000000EB), ref: 00F52623

BeginPaint.USER32(?,?,?,?,?,?), ref: 00F5179A
GetWindowRect.USER32 ref: 00F517FE
ScreenToClient.USER32 ref: 00F5181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00F5182C
EndPaint.USER32(?,?), ref: 00F51876

Memory Dump Source

Source File: 00000000.00000002.316268130.0000000000F51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.316260119.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316369334.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316375172.0000000000FE0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316438570.0000000001005000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316460548.000000000100F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316503289.0000000001055000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316514363.000000000105C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316525512.000000000106B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316568333.0000000001091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316573795.0000000001094000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_POv5Nk1dlu.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: 2676d5c7ef1d5e2e5db1a6444e85e6922eda99e1e532731a4fc4351d59d1ac6c
Instruction ID: 899f2a584d85d479b29f77ca64ddfb56ad9fa56b1f54b73205748cdd28c6ebb8
Opcode Fuzzy Hash: 2676d5c7ef1d5e2e5db1a6444e85e6922eda99e1e532731a4fc4351d59d1ac6c
Instruction Fuzzy Hash: B741D271500300AFC720DF24CC84FB67BE9FB49725F140629FE95872A1C77AA849EB61

Uniqueness

Uniqueness Score: -1.00%

Function 00FDB958 Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(010167B0,00000000,00B69510,?,?,010167B0,?,00FDB862,?,?), ref: 00FDB9CC
EnableWindow.USER32(?,00000000), ref: 00FDB9F0
ShowWindow.USER32(010167B0,00000000,00B69510,?,?,010167B0,?,00FDB862,?,?), ref: 00FDBA50
ShowWindow.USER32(?,00000004,?,00FDB862,?,?), ref: 00FDBA62
EnableWindow.USER32(?,00000001), ref: 00FDBA86
SendMessageW.USER32(?,0000130C,?,00000000), ref: 00FDBAA9

Memory Dump Source

Source File: 00000000.00000002.316268130.0000000000F51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.316260119.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316369334.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316375172.0000000000FE0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316438570.0000000001005000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316460548.000000000100F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316503289.0000000001055000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316514363.000000000105C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316525512.000000000106B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316568333.0000000001091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316573795.0000000001094000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_POv5Nk1dlu.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 535e734e3b7d15cdb863dac21b756fb51798d27477ebe29810cd07ba2e120dda
Instruction ID: e4aeb84e718d9878c73027d83c668073f0a204645537e0c20079eb1f008fc468
Opcode Fuzzy Hash: 535e734e3b7d15cdb863dac21b756fb51798d27477ebe29810cd07ba2e120dda
Instruction Fuzzy Hash: 19417234A00145EFDB21CF24C499B957BE2BB09321F1E42ABEE498F7A2C7359845EB51

Uniqueness

Uniqueness Score: -1.00%

Function 00FDC19A Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00F512F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00F5134D
Part of subcall function 00F512F3: SelectObject.GDI32(?,00000000), ref: 00F5135C
Part of subcall function 00F512F3: BeginPath.GDI32(?), ref: 00F51373
Part of subcall function 00F512F3: SelectObject.GDI32(?,00000000), ref: 00F5139C

MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 00FDC1C4
LineTo.GDI32(00000000,00000003,?), ref: 00FDC1D8
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00FDC1E6
LineTo.GDI32(00000000,00000000,?), ref: 00FDC1F6
EndPath.GDI32(00000000), ref: 00FDC206
StrokePath.GDI32(00000000), ref: 00FDC216

Memory Dump Source

Source File: 00000000.00000002.316268130.0000000000F51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.316260119.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316369334.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316375172.0000000000FE0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316438570.0000000001005000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316460548.000000000100F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316503289.0000000001055000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316514363.000000000105C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316525512.000000000106B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316568333.0000000001091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316573795.0000000001094000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_POv5Nk1dlu.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 352f3d7a36200537bee7e8da584c8a7beb4ade861a3011f4da98d5eb8736e6a7
Instruction ID: 91b9ff97aa283c8712534fd163fa61ebfa9fdefbb0137f6711065bad53504d54
Opcode Fuzzy Hash: 352f3d7a36200537bee7e8da584c8a7beb4ade861a3011f4da98d5eb8736e6a7
Instruction Fuzzy Hash: 32111E7640010DBFDF119F90DC48F9A7FADEF04364F048022BE1986161C7729E59EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00FB74D2 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00FB74E5
RtlEnterCriticalSection.KERNEL32(?,?,00F61044,?,?), ref: 00FB74F6
TerminateThread.KERNEL32(00000000,000001F6,?,00F61044,?,?), ref: 00FB7503
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00F61044,?,?), ref: 00FB7510

Part of subcall function 00FB6ED7: CloseHandle.KERNEL32(00000000,?,00FB751D,?,00F61044,?,?), ref: 00FB6EE1

InterlockedExchange.KERNEL32(?,000001F6), ref: 00FB7523
RtlLeaveCriticalSection.KERNEL32(?,?,00F61044,?,?), ref: 00FB752A

Memory Dump Source

Source File: 00000000.00000002.316268130.0000000000F51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.316260119.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316369334.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316375172.0000000000FE0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316438570.0000000001005000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316460548.000000000100F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316503289.0000000001055000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316514363.000000000105C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316525512.000000000106B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316568333.0000000001091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316573795.0000000001094000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_POv5Nk1dlu.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: ca4ece7717943227fda67afa8e87acd8eae2fa0e510f505f760c0a18aed26613
Instruction ID: 178c32bd8bd1652fd82b5078644c1cc17e0d994e3afb50748d1d0539c238ecc6
Opcode Fuzzy Hash: ca4ece7717943227fda67afa8e87acd8eae2fa0e510f505f760c0a18aed26613
Instruction Fuzzy Hash: 4FF03A3A542616ABDB112B74EC88EEA772AAF45313B050532F243A10A0CB755905EB60

Uniqueness

Uniqueness Score: -1.00%

Function 00FB2C42 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FB2CAF
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00FB2CCB
DeleteMenu.USER32(?,00000007,00000000), ref: 00FB2D11
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,01016890,00000000), ref: 00FB2D5A

Strings

0, xrefs: 00FB2CA4

Memory Dump Source

Source File: 00000000.00000002.316268130.0000000000F51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.316260119.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316369334.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316375172.0000000000FE0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316438570.0000000001005000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316460548.000000000100F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316503289.0000000001055000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316514363.000000000105C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316525512.000000000106B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316568333.0000000001091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316573795.0000000001094000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_POv5Nk1dlu.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: 9577de8f6ea2b1d44a8bf39ec35971232eaa1a7ec7a0dccffd22c2457028ae35
Instruction ID: b216bc868eac2a0eabcce4958cf2295f13519dc4a8f4b2336e24409ba5b51130
Opcode Fuzzy Hash: 9577de8f6ea2b1d44a8bf39ec35971232eaa1a7ec7a0dccffd22c2457028ae35
Instruction Fuzzy Hash: AE41C0316053019FD720DF25DC45B9ABBE8EF89320F04461EF9669B291D770E904DF92

Uniqueness

Uniqueness Score: -1.00%

Function 00F512F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00F5134D
SelectObject.GDI32(?,00000000), ref: 00F5135C
BeginPath.GDI32(?), ref: 00F51373
SelectObject.GDI32(?,00000000), ref: 00F5139C

Memory Dump Source

Source File: 00000000.00000002.316268130.0000000000F51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.316260119.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316369334.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316375172.0000000000FE0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316438570.0000000001005000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316460548.000000000100F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316503289.0000000001055000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316514363.000000000105C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316525512.000000000106B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316568333.0000000001091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316573795.0000000001094000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_POv5Nk1dlu.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 55fa30c8bdca71cea65a9f4fe7f1ffee9b73745f4a920720a61412e319f18a54
Instruction ID: daabf6444332691727915643b238f1d1438ae3cc87ff7b2ceda541f5dc1ca492
Opcode Fuzzy Hash: 55fa30c8bdca71cea65a9f4fe7f1ffee9b73745f4a920720a61412e319f18a54
Instruction Fuzzy Hash: 752158B1C01308EFDB219F25DC087597BB9FB00322F148316FD5196594D7BBA999EB50

Uniqueness

Uniqueness Score: -1.00%

Function 00F85332 Relevance: 7.6, APIs: 5, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00F8533E

Part of subcall function 00F7594C: __FF_MSGBANNER.LIBCMT ref: 00F75963
Part of subcall function 00F7594C: __NMSG_WRITE.LIBCMT ref: 00F7596A
Part of subcall function 00F7594C: RtlAllocateHeap.NTDLL(00B50000,00000000,00000001,00000000,?,?,?,00F71013,?), ref: 00F7598F

_free.LIBCMT ref: 00F85351

Memory Dump Source

Source File: 00000000.00000002.316268130.0000000000F51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.316260119.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316369334.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316375172.0000000000FE0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316438570.0000000001005000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316460548.000000000100F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316503289.0000000001055000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316514363.000000000105C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316525512.000000000106B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316568333.0000000001091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316573795.0000000001094000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_POv5Nk1dlu.jbxd

Similarity

API ID: AllocateHeap_free_malloc
String ID:
API String ID: 1020059152-0
Opcode ID: 455a05c980fab7279466c0fc59982ac93d993cf4b40de35f0032eba5d0418c61
Instruction ID: 57d2d30c9990c974f569bea404385466092c5f5704487ea917de3b8bca2d642f
Opcode Fuzzy Hash: 455a05c980fab7279466c0fc59982ac93d993cf4b40de35f0032eba5d0418c61
Instruction Fuzzy Hash: A411E332905A15AFCB313FB0EC0569D379B9F14BF0B14842BF949DA190DFB98941B791

Uniqueness

Uniqueness Score: -1.00%

Function 00FA7631 Relevance: 7.6, APIs: 5, Instructions: 60stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00FA810E: RaiseException.KERNEL32(8007000E,?,00000000,00000000,?,00FA7651,-C0000018,00000001,?,00FA758C,80070057,?,?,?,00FA799D), ref: 00FA811B

76DABC30.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00FA758C,80070057,?,?,?,00FA799D), ref: 00FA766F
76E68640.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00FA758C,80070057,?,?), ref: 00FA768A
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00FA758C,80070057,?,?), ref: 00FA7698
76E3A680.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00FA758C,80070057,?), ref: 00FA76A8
76E37540.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00FA758C,80070057,?,?), ref: 00FA76B4

Memory Dump Source

Source File: 00000000.00000002.316268130.0000000000F51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.316260119.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316369334.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316375172.0000000000FE0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316438570.0000000001005000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316460548.000000000100F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316503289.0000000001055000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316514363.000000000105C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316525512.000000000106B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316568333.0000000001091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316573795.0000000001094000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_POv5Nk1dlu.jbxd

Similarity

API ID: A680E37540E68640ExceptionRaiselstrcmpi
String ID:
API String ID: 2195636648-0
Opcode ID: c1cf73e115326312246e386eb84a4aba08b21226e12dc500b64244fbefd6cf3e
Instruction ID: 3b09a399b767d2db6b49663a64364dd6aaad6a72cfcd285fb3c58312b9656542
Opcode Fuzzy Hash: c1cf73e115326312246e386eb84a4aba08b21226e12dc500b64244fbefd6cf3e
Instruction Fuzzy Hash: 23118EB3605708ABEB106F68DC08F9A7BEDEB497A1F144029FD09D6211E775DE40B6A0

Uniqueness

Uniqueness Score: -1.00%

Function 00FB54E6 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00FB5502
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00FB5510
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00FB5518
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00FB5522
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00FB555E

Memory Dump Source

Source File: 00000000.00000002.316268130.0000000000F51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.316260119.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316369334.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316375172.0000000000FE0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316438570.0000000001005000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316460548.000000000100F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316503289.0000000001055000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316514363.000000000105C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316525512.000000000106B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316568333.0000000001091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316573795.0000000001094000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_POv5Nk1dlu.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: cfd16863455d0673c1c110a9b6a25f38c1ec076278314e3f774c4ee6b0a110e4
Instruction ID: ffd9974992473402a87d129ea178bd35e8bdab414f4cd9100ba61b7c7b1c2262
Opcode Fuzzy Hash: cfd16863455d0673c1c110a9b6a25f38c1ec076278314e3f774c4ee6b0a110e4
Instruction Fuzzy Hash: C3015B36C01A1DDBCF10EFE9EC48BEDBB79BB09B16F440056E902B2140DB349554EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F513B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00F513BF
StrokeAndFillPath.GDI32(?,?,00F8BAD8,00000000,?), ref: 00F513DB
SelectObject.GDI32(?,00000000), ref: 00F513EE
DeleteObject.GDI32 ref: 00F51401
StrokePath.GDI32(?), ref: 00F5141C

Memory Dump Source

Source File: 00000000.00000002.316268130.0000000000F51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.316260119.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316369334.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316375172.0000000000FE0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316438570.0000000001005000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316460548.000000000100F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316503289.0000000001055000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316514363.000000000105C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316525512.000000000106B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316568333.0000000001091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316573795.0000000001094000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_POv5Nk1dlu.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: aed273d3f8a8cf58640855f345b705e2cba604075d9cd2bb9149065bc645c6b4
Instruction ID: eaf3bcd0bc39805d55444035be4fdf643286fca44cf1915c0a81bc35b31887a8
Opcode Fuzzy Hash: aed273d3f8a8cf58640855f345b705e2cba604075d9cd2bb9149065bc645c6b4
Instruction Fuzzy Hash: 24F0CD70405208DBDB215F2AEC0CB583BA5BB01326F14C325ED6A454F5C77B5599EF50

Uniqueness

Uniqueness Score: -1.00%

Function 00FA76C5 Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.316268130.0000000000F51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.316260119.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316369334.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316375172.0000000000FE0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316438570.0000000001005000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316460548.000000000100F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316503289.0000000001055000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316514363.000000000105C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316525512.000000000106B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316568333.0000000001091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316573795.0000000001094000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_POv5Nk1dlu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc0a3bb1d976e2c80852e6e4e60896cc3b1adfdc6c9ef951d6b51c7229a28a29
Instruction ID: ce6098fc09582995a31118b0c949bac8fbe77518bc84a62d3910d36eb8a556d2
Opcode Fuzzy Hash: cc0a3bb1d976e2c80852e6e4e60896cc3b1adfdc6c9ef951d6b51c7229a28a29
Instruction Fuzzy Hash: 4BC16DB5A04216EFCB14DF94CC84EAEB7B5FF49710B218599E805EB251D730ED81EB90

Uniqueness

Uniqueness Score: -1.00%

Function 00FA6DF3 Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00FA6E04
SysAllocString.OLEAUT32(00000000), ref: 00FA6EAD
VariantCopy.OLEAUT32 ref: 00FA6EDC
VariantClear.OLEAUT32(?), ref: 00FA6F03

Memory Dump Source

Source File: 00000000.00000002.316268130.0000000000F51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.316260119.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316369334.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316375172.0000000000FE0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316438570.0000000001005000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316460548.000000000100F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316503289.0000000001055000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316514363.000000000105C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316525512.000000000106B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316568333.0000000001091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316573795.0000000001094000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_POv5Nk1dlu.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 11a0415054d75553a7983ced938d77c8a4b363f7fd23502902cd0b9ec6fbbf9b
Instruction ID: 40ad44b0e5ac5c30cb1d6bc270f622b1a29411210d03d09741946ba11aa48f03
Opcode Fuzzy Hash: 11a0415054d75553a7983ced938d77c8a4b363f7fd23502902cd0b9ec6fbbf9b
Instruction Fuzzy Hash: BE51E8B1608301DEDB24AF65DC95F6AB3E5AF4A310F24C81FE556CB291EB749844BB01

Uniqueness

Uniqueness Score: -1.00%

Function 00FDADF1 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00FDAE1A
GetWindowRect.USER32 ref: 00FDAE90
PtInRect.USER32(?,?,00FDC304), ref: 00FDAEA0
MessageBeep.USER32(00000000), ref: 00FDAF11

Memory Dump Source

Source File: 00000000.00000002.316268130.0000000000F51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.316260119.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316369334.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316375172.0000000000FE0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316438570.0000000001005000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316460548.000000000100F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316503289.0000000001055000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316514363.000000000105C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316525512.000000000106B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316568333.0000000001091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316573795.0000000001094000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_POv5Nk1dlu.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 103b3bebfed11acf0f07b984279634a5b6ed9fdc2675b95dd716ef7b579e2723
Instruction ID: 415a6ac6cbe8692cdd852bbb96e36bc1be3003dade2c97d7efc296c3e606abad
Opcode Fuzzy Hash: 103b3bebfed11acf0f07b984279634a5b6ed9fdc2675b95dd716ef7b579e2723
Instruction Fuzzy Hash: 19419D71A00109DFCB11CF59C884B697BF6FB49310F1881AAE8158B355C736E902EB96

Uniqueness

Uniqueness Score: -1.00%

Function 00F86415 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00F8644B
__isleadbyte_l.LIBCMT ref: 00F86479
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00F864A7
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00F864DD

Memory Dump Source

Source File: 00000000.00000002.316268130.0000000000F51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.316260119.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316369334.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316375172.0000000000FE0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316438570.0000000001005000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316460548.000000000100F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316503289.0000000001055000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316514363.000000000105C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316525512.000000000106B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316568333.0000000001091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316573795.0000000001094000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_POv5Nk1dlu.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 42d9f51cf3c88fb5133a5554603958e4bd0936e484a04f79c195cb014e83b680
Instruction ID: b1d98960ab1d99744eb302ff3327168cd07b02c1cd0e93a652be0ad478163a60
Opcode Fuzzy Hash: 42d9f51cf3c88fb5133a5554603958e4bd0936e484a04f79c195cb014e83b680
Instruction Fuzzy Hash: 6731AD31A0025AAFDB21EF65CC45BEE7BA5FF44320F154029E855C71A1EB31D851EB90

Uniqueness

Uniqueness Score: -1.00%

Function 00F51D35 Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32 ref: 00F51D73
GetStockObject.GDI32(00000011), ref: 00F51D87
SendMessageW.USER32(00000000,00000030,00000000), ref: 00F51D91

Memory Dump Source

Source File: 00000000.00000002.316268130.0000000000F51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.316260119.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316369334.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316375172.0000000000FE0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316438570.0000000001005000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316460548.000000000100F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316503289.0000000001055000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316514363.000000000105C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316525512.000000000106B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316568333.0000000001091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316573795.0000000001094000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_POv5Nk1dlu.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 21d25dc9a1a7a38872d44fe9e01cfb85b836e1cf7dd87c33ad1e756e6c367a56
Instruction ID: 32dd874996dd7bb47737fefdcaeb0853a8d63e08cc7bc3bf02eae191e5e5eeb7
Opcode Fuzzy Hash: 21d25dc9a1a7a38872d44fe9e01cfb85b836e1cf7dd87c33ad1e756e6c367a56
Instruction Fuzzy Hash: 65113C72902519BFDB119FA4DC44FEA7B6AFF09365F040216FE0552110C775AC64ABA0

Uniqueness

Uniqueness Score: -1.00%

Function 00FDB8EF Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FDB8FE
_memset.LIBCMT ref: 00FDB90D
CreateProcessW.KERNEL32 ref: 00FDB93C
CloseHandle.KERNEL32 ref: 00FDB94E

Memory Dump Source

Source File: 00000000.00000002.316268130.0000000000F51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.316260119.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316369334.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316375172.0000000000FE0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316438570.0000000001005000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316460548.000000000100F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316503289.0000000001055000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316514363.000000000105C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316525512.000000000106B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316568333.0000000001091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316573795.0000000001094000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_POv5Nk1dlu.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: 2000123f914ed6c7e9790214019dba4e4df021692a126faf38d78b7aa61fcb82
Instruction ID: 5b65297f00760f0d5612ea239d3c78af0e3353f96ff2fdcbb115ff2957862af1
Opcode Fuzzy Hash: 2000123f914ed6c7e9790214019dba4e4df021692a126faf38d78b7aa61fcb82
Instruction Fuzzy Hash: 78F082B2540304BBF2202B75AC05FBB3B9EEB08758F004026BB49D5286D77E8D00A7A9

Uniqueness

Uniqueness Score: -1.00%

Function 00FDC00C Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00F512F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00F5134D
Part of subcall function 00F512F3: SelectObject.GDI32(?,00000000), ref: 00F5135C
Part of subcall function 00F512F3: BeginPath.GDI32(?), ref: 00F51373
Part of subcall function 00F512F3: SelectObject.GDI32(?,00000000), ref: 00F5139C

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00FDC030
LineTo.GDI32(00000000,?,?), ref: 00FDC03D
EndPath.GDI32(00000000), ref: 00FDC04D
StrokePath.GDI32(00000000), ref: 00FDC05B

Memory Dump Source

Source File: 00000000.00000002.316268130.0000000000F51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.316260119.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316369334.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316375172.0000000000FE0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316438570.0000000001005000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316460548.000000000100F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316503289.0000000001055000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316514363.000000000105C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316525512.000000000106B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316568333.0000000001091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316573795.0000000001094000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_POv5Nk1dlu.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 18c4b2b079b47193b3db303f54150c945b6e6d66b8bcffadd56a78d29768117b
Instruction ID: 1cf5a9eeafb9e6371520d33b0c8652018a5559a334e04cd3f284db0b8984f96d
Opcode Fuzzy Hash: 18c4b2b079b47193b3db303f54150c945b6e6d66b8bcffadd56a78d29768117b
Instruction Fuzzy Hash: 3DF0B43100121DB7DB221F60EC0DFCE3F566F05321F084101FA12620D1C7BA1554EBD5

Uniqueness

Uniqueness Score: -1.00%

Function 00FC3CDD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 84COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 00FC3D5A

Part of subcall function 00F57F41: _memmove.LIBCMT ref: 00F57F82

Strings

, $, xrefs: 00FC3D9A
AUTOITCALLVARIABLE%d, xrefs: 00FC3D4C

Memory Dump Source

Source File: 00000000.00000002.316268130.0000000000F51000.00000080.00000001.01000000.00000003.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000000.00000002.316260119.0000000000F50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316369334.0000000000FDF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316375172.0000000000FE0000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316438570.0000000001005000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316460548.000000000100F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316503289.0000000001055000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316514363.000000000105C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316525512.000000000106B000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316568333.0000000001091000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.316573795.0000000001094000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_POv5Nk1dlu.jbxd

Similarity

API ID: __snwprintf_memmove
String ID: , $$AUTOITCALLVARIABLE%d
API String ID: 3506404897-2584243854
Opcode ID: 027680996b13ef2da9d6338631254f7a2b04d9beffe44a518b5845b75481b88e
Instruction ID: 538d9ad6f18325d9ad928a70893011b40cdca9a27a3e47b659b8b3fe2baa2cb5
Opcode Fuzzy Hash: 027680996b13ef2da9d6338631254f7a2b04d9beffe44a518b5845b75481b88e
Instruction Fuzzy Hash: C3218131700319ABCF15EF64CC82FAD77A5BF44740F004499F946AB282DB38AE45EBA1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: at.exePID: 2848, Parent PID: 4716COMMON

Executed Functions

Function 009BF200 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(?,?,766861D0,?,00000000), ref: 009BF221
_wcscmp.LIBCMT ref: 009BF236
_wcscmp.LIBCMT ref: 009BF24D
GetFileAttributesW.KERNELBASE(?), ref: 009BF25F
SetFileAttributesW.KERNELBASE(?,?), ref: 009BF279
FindNextFileW.KERNELBASE(00000000,?), ref: 009BF291
FindClose.KERNEL32(00000000), ref: 009BF29C
FindFirstFileW.KERNEL32(*.*,?), ref: 009BF2B8
_wcscmp.LIBCMT ref: 009BF2DF
_wcscmp.LIBCMT ref: 009BF2F6
SetCurrentDirectoryW.KERNEL32(?), ref: 009BF308
SetCurrentDirectoryW.KERNEL32(00A0A5A0), ref: 009BF326
FindNextFileW.KERNEL32(00000000,00000010), ref: 009BF330
FindClose.KERNEL32(00000000), ref: 009BF33D
FindClose.KERNEL32(00000000), ref: 009BF34F

Strings

*.*, xrefs: 009BF2B3

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: 1805c58b28b3b04ad5512715e075fa41ca151adddd715c98af55f5cbdccda747
Instruction ID: fadca15f99e4fb0f2bced36c5efe91edc77de24452af140dcd3327ce95c4be91
Opcode Fuzzy Hash: 1805c58b28b3b04ad5512715e075fa41ca151adddd715c98af55f5cbdccda747
Instruction Fuzzy Hash: FE3117765412096BDF10DBB4EC69ADEB3ECAF483B0F148276F915D3090EB30DA84DA54

Uniqueness

Uniqueness Score: -1.00%

Function 00953B4C Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153windowCOMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00953B7A
IsDebuggerPresent.KERNEL32 ref: 00953B8C
GetFullPathNameW.KERNEL32(00007FFF,?,?,00A162F8,00A162E0,?,?), ref: 00953BFD

Part of subcall function 00957D2C: _memmove.LIBCMT ref: 00957D66

Part of subcall function 00960A8D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00953C26,00A162F8,?,?,?), ref: 00960ACE

SetCurrentDirectoryW.KERNEL32(?), ref: 00953C81
MessageBoxA.USER32 ref: 0098D4BC
SetCurrentDirectoryW.KERNEL32(?,00A162F8,?,?,?), ref: 0098D4F4
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00A05D40,00A162F8,?,?,?), ref: 0098D57A
ShellExecuteW.SHELL32(00000000,?,?), ref: 0098D581

Part of subcall function 00953A58: GetSysColorBrush.USER32(0000000F), ref: 00953A62
Part of subcall function 00953A58: LoadCursorW.USER32(00000000,00007F00), ref: 00953A71
Part of subcall function 00953A58: LoadIconW.USER32(00000063), ref: 00953A88
Part of subcall function 00953A58: LoadIconW.USER32(000000A4), ref: 00953A9A
Part of subcall function 00953A58: LoadIconW.USER32(000000A2), ref: 00953AAC
Part of subcall function 00953A58: LoadImageW.USER32 ref: 00953AD2
Part of subcall function 00953A58: RegisterClassExW.USER32 ref: 00953B28

Part of subcall function 009539E7: CreateWindowExW.USER32 ref: 00953A15
Part of subcall function 009539E7: CreateWindowExW.USER32 ref: 00953A36
Part of subcall function 009539E7: ShowWindow.USER32(00000000,?,?), ref: 00953A4A
Part of subcall function 009539E7: ShowWindow.USER32(00000000,?,?), ref: 00953A53

Part of subcall function 009543DB: _memset.LIBCMT ref: 00954401
Part of subcall function 009543DB: Shell_NotifyIconW.SHELL32(00000000,?), ref: 009544A6

Strings

runas, xrefs: 0098D575
This is a third-party compiled AutoIt script., xrefs: 0098D4B4

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas
API String ID: 529118366-3287110873
Opcode ID: 586bdbd3705c6f4adaef6248d9903bc3d6c2a32d31e9b64247df7e7f8c3b6e70
Instruction ID: 40b039f369a9d011d541fa9c3dbf1c44f88e628246b514955d4e584bb9a194a9
Opcode Fuzzy Hash: 586bdbd3705c6f4adaef6248d9903bc3d6c2a32d31e9b64247df7e7f8c3b6e70
Instruction Fuzzy Hash: FB510B30D09248BACF11EBF5EC16EEDBB79AB84341B048165FC51E61A2DA74474ADB21

Uniqueness

Uniqueness Score: -1.00%

Function 00953633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151timewindowregistryCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_W.USER32(?,?,?,?), ref: 009536D2
KillTimer.USER32(?,00000001), ref: 009536FC
SetTimer.USER32 ref: 0095371F
RegisterClipboardFormatW.USER32 ref: 0095372A
CreatePopupMenu.USER32 ref: 0095373E
PostQuitMessage.USER32(00000000), ref: 0095375F

Strings

TaskbarCreated, xrefs: 00953725

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: Timer$ClipboardCreateFormatKillMenuMessageNtdllPopupPostProc_QuitRegisterWindow
String ID: TaskbarCreated
API String ID: 157504867-2362178303
Opcode ID: 160ad49d24bc5718bf1102ba7616c1b3c141641150bbd1d6d105949803674d12
Instruction ID: 16b370be24508d3472cb855fde2521f025830376b40edf624fccaa30fd494bcd
Opcode Fuzzy Hash: 160ad49d24bc5718bf1102ba7616c1b3c141641150bbd1d6d105949803674d12
Instruction Fuzzy Hash: 1C4148B2615105ABDF10EF75EC0ABF937ADEB44382F048529FD02C62A1CA759E899361

Uniqueness

Uniqueness Score: -1.00%

Function 00954AFE Relevance: 10.7, APIs: 7, Instructions: 223COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?), ref: 00954B2B

Part of subcall function 00957D2C: _memmove.LIBCMT ref: 00957D66

GetCurrentProcess.KERNEL32(?,009DFAEC,00000000,00000000,?), ref: 00954BF8
IsWow64Process.KERNEL32(00000000), ref: 00954BFF
GetNativeSystemInfo.KERNELBASE(00000000), ref: 00954C45
FreeLibrary.KERNEL32(00000000), ref: 00954C50
GetSystemInfo.KERNEL32(00000000), ref: 00954C81
GetSystemInfo.KERNEL32(00000000), ref: 00954C8D

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: 7a4d6452ac8df8fdf955c0029c7161abac02fc04e2be8f317fe174a764efea20
Instruction ID: b56865f2ed8ad95ab8514ae046cd06b5a7ce8de1e268460b695427175ea2edb6
Opcode Fuzzy Hash: 7a4d6452ac8df8fdf955c0029c7161abac02fc04e2be8f317fe174a764efea20
Instruction Fuzzy Hash: 6D91143194A7C0DEC731DB6984611AAFFE8AF6A305B084D9ED4CB83B41D224E98CD719

Uniqueness

Uniqueness Score: -1.00%

Function 00954FE9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

76DCC0F0.OLE32(00000000,00000001,?,?,?,?,?,00954EEE,?,?,00000000,00000000), ref: 00954FF9
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00954EEE,?,?,00000000,00000000), ref: 00955010
LoadResource.KERNEL32(?,00000000,?,?,00954EEE,?,?,00000000,00000000,?,?,?,?,?,?,00954F8F), ref: 0098DD60
SizeofResource.KERNEL32(?,00000000,?,?,00954EEE,?,?,00000000,00000000,?,?,?,?,?,?,00954F8F), ref: 0098DD75
LockResource.KERNEL32(00954EEE,?,?,00954EEE,?,?,00000000,00000000,?,?,?,?,?,?,00954F8F,00000000), ref: 0098DD88

Strings

SCRIPT, xrefs: 00955006

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: Resource$FindLoadLockSizeof
String ID: SCRIPT
API String ID: 3473537107-3967369404
Opcode ID: 29f0daf2377ff4003cce6055487e96cefd5caea90b67b593e8be5128a90a8bd0
Instruction ID: 13ac2f2693f0341a95a2a62b60acf56ab136cc263fe1b5fb7bafd3999409e5ce
Opcode Fuzzy Hash: 29f0daf2377ff4003cce6055487e96cefd5caea90b67b593e8be5128a90a8bd0
Instruction Fuzzy Hash: 49119A70240700AFD7208B66DC69F277BBDEBC9B12F24816DF91A862A0DB61E844D660

Uniqueness

Uniqueness Score: -1.00%

Function 0095FE40 Relevance: 5.5, APIs: 3, Instructions: 1040COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: BuffCharUpper
String ID:
API String ID: 3964851224-0
Opcode ID: 647af2b51086dd80ab330a1bd37c192d6ee2ccd945c6ee9f0f4d7448fd89dd6c
Instruction ID: 75a09ded02e6d6bbb6a1849f677a0bbdf165778ca43e333f727a97c2c255f63b
Opcode Fuzzy Hash: 647af2b51086dd80ab330a1bd37c192d6ee2ccd945c6ee9f0f4d7448fd89dd6c
Instruction Fuzzy Hash: CE9256746083418FDB25DF18C480B6BBBE5BF89304F14896DE88A9B352D775EC46CB92

Uniqueness

Uniqueness Score: -1.00%

Function 009B4C03 Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 009B4C2C
CheckTokenMembership.KERNELBASE(00000000,?,?), ref: 009B4C43
FreeSid.ADVAPI32(?), ref: 009B4C53

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: dbb4892b1ddd1be8baa929a367bf3b4cb036be2647dc339e745b26b195f85827
Instruction ID: 2bb0c37961c87b3475d095dd8a17c48089d84d4ba2844717b085d7324734ac2a
Opcode Fuzzy Hash: dbb4892b1ddd1be8baa929a367bf3b4cb036be2647dc339e745b26b195f85827
Instruction Fuzzy Hash: ADF04F7595130CBFDF04DFF0DD9AAADBBBCEF08311F404469A502E3281D6705A449B50

Uniqueness

Uniqueness Score: -1.00%

Function 0095E060 Relevance: 3.5, APIs: 2, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49b89441b7bd61be2f7b122ff4c3a36a2fd4a4d9a8daa258928fe497e3d940ed
Instruction ID: 2468afab0497b1cedd0329e9d957b5566c0bf452209db14f0ec3ed4b2a61d5d4
Opcode Fuzzy Hash: 49b89441b7bd61be2f7b122ff4c3a36a2fd4a4d9a8daa258928fe497e3d940ed
Instruction Fuzzy Hash: 4E22AD74A04216CFDB28DF59C480BBEB7B4FF48301F148469EC569B351E736AA89CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00960B30 Relevance: 57.3, APIs: 27, Strings: 5, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32 ref: 00960BBB
timeGetTime.WINMM ref: 00960E76
PeekMessageW.USER32 ref: 00960FB3
TranslateMessage.USER32(?), ref: 00960FC7
DispatchMessageW.USER32 ref: 00960FD5
Sleep.KERNEL32(0000000A), ref: 00960FDF
LockWindowUpdate.USER32(00000000,?,?), ref: 0096105A
DestroyWindow.USER32 ref: 00961066
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00961080
Sleep.KERNEL32(0000000A,?,?), ref: 009952AD
TranslateMessage.USER32(?), ref: 0099608A
DispatchMessageW.USER32 ref: 00996098
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 009960AC

Strings

@GUI_WINHANDLE, xrefs: 009953B9
@GUI_CTRLID, xrefs: 00995364
@COM_EVENTOBJ, xrefs: 0099591A
@TRAY_ID, xrefs: 00995BB9
@GUI_CTRLHANDLE, xrefs: 0099540E

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: Message$DispatchPeekSleepTranslateWindow$DestroyLockTimeUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 4003667617-3242690629
Opcode ID: c0c9ff2bfaeea2f78bb0c1d280f6c677926bd51a873ef1eda76cb7f429562d3c
Instruction ID: 6096d44f8e2a47c0f5a894bda1c30d931aac6ab894d8fe8f8c5be86817a58e33
Opcode Fuzzy Hash: c0c9ff2bfaeea2f78bb0c1d280f6c677926bd51a873ef1eda76cb7f429562d3c
Instruction Fuzzy Hash: 35B2D470608741DFDB25DF28C894BABB7E9BFC4304F15891DE48A872A1D775E885CB82

Uniqueness

Uniqueness Score: -1.00%

Function 009BDB04 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 009BDC7B
_wcscat.LIBCMT ref: 009BDC93
_wcscat.LIBCMT ref: 009BDCA5
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 009BDCBA
SetCurrentDirectoryW.KERNELBASE(?), ref: 009BDCCE
GetFileAttributesW.KERNELBASE(?), ref: 009BDCE6
SetFileAttributesW.KERNELBASE(?,00000000), ref: 009BDD00
SetCurrentDirectoryW.KERNEL32(?), ref: 009BDD12

Strings

*.*, xrefs: 009BDD51

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: a7073d7f3aec944327a50b71883c69288bbb964862fbea1b8de47a1c332286fa
Instruction ID: d615ecffa73f860eaa008f2f8037e4e85be1d33fdbba236039c853ff8c5de506
Opcode Fuzzy Hash: a7073d7f3aec944327a50b71883c69288bbb964862fbea1b8de47a1c332286fa
Instruction Fuzzy Hash: DF8191725052519FCB64EF24CA459EAB7E8BBC8720F198C2EF88AC7251F734D944CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00953015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 71registrywindowclipboardCOMMON

Download Yara Rule

APIs

GetSysColorBrush.USER32(0000000F), ref: 00953074
RegisterClassExW.USER32 ref: 0095309E
RegisterClipboardFormatW.USER32 ref: 009530AF
6F7E8420.COMCTL32(?), ref: 009530CC
6F7E7CB0.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 009530DC
LoadIconW.USER32(000000A9), ref: 009530F2
6F7E0620.COMCTL32(000000FF,00000000), ref: 00953101

Strings

0, xrefs: 00953056
+, xrefs: 0095305D
TaskbarCreated, xrefs: 009530A4
AutoIt v3 GUI, xrefs: 00953090

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: Register$BrushClassClipboardColorE0620E8420FormatIconLoad
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 3748824598-1005189915
Opcode ID: eeac1dda1fdec3f0d9b2fb4335d8e42f6fda1877c8ceff4b0b021bdc2d7b31cf
Instruction ID: ed8a74bf63de28b3d7f01478a8c778fc68933cbf888bf91f29e6fa56c8ffec17
Opcode Fuzzy Hash: eeac1dda1fdec3f0d9b2fb4335d8e42f6fda1877c8ceff4b0b021bdc2d7b31cf
Instruction Fuzzy Hash: B73149B1996309EFDB50DFE4DC89AC9BBF0FB09310F14852AE591E62A0D3B50686CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00953041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54registrywindowclipboardCOMMON

Download Yara Rule

APIs

GetSysColorBrush.USER32(0000000F), ref: 00953074
RegisterClassExW.USER32 ref: 0095309E
RegisterClipboardFormatW.USER32 ref: 009530AF
6F7E8420.COMCTL32(?), ref: 009530CC
6F7E7CB0.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 009530DC
LoadIconW.USER32(000000A9), ref: 009530F2
6F7E0620.COMCTL32(000000FF,00000000), ref: 00953101

Strings

0, xrefs: 00953056
+, xrefs: 0095305D
TaskbarCreated, xrefs: 009530A4
AutoIt v3 GUI, xrefs: 00953090

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: Register$BrushClassClipboardColorE0620E8420FormatIconLoad
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 3748824598-1005189915
Opcode ID: 9d0940f857cc13a40888d5848dafc5d22edbfff0409021cf1f5495271057cfa4
Instruction ID: 4f6c4a4502245ecbbb42a001bc864f5c922d6bbdf554b63b34712b6421cc73cc
Opcode Fuzzy Hash: 9d0940f857cc13a40888d5848dafc5d22edbfff0409021cf1f5495271057cfa4
Instruction Fuzzy Hash: E621B2B5D56218AFDB00DFE4E89ABDDBBF4FB08700F00812AF911E62A0D7B145859F91

Uniqueness

Uniqueness Score: -1.00%

Function 009571EB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00954864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00A162F8,?,009537C0,?), ref: 00954882

Part of subcall function 0097074F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,009572C5), ref: 00970771

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00957308
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0098ECF1
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0098ED32
RegCloseKey.ADVAPI32(?), ref: 0098ED70
_wcscat.LIBCMT ref: 0098EDC9

Strings

\Include\, xrefs: 009572C5
Software\AutoIt v3\AutoIt, xrefs: 009572FE
Include, xrefs: 0098ECE8, 0098ED29
\, xrefs: 0098EDEC

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: 991e507f8620d8839f98211c783f291e36c42d1deff50dd965e06fa1cd023308
Instruction ID: 94e623991e6b65788dd35867b25a9e2d05f9f5673bc479ccd115301c82d9fa4e
Opcode Fuzzy Hash: 991e507f8620d8839f98211c783f291e36c42d1deff50dd965e06fa1cd023308
Instruction Fuzzy Hash: EA716C714093019EC314EFA6EC91AEFB7F8FF98350B44952EF845872A1EB70994ACB51

Uniqueness

Uniqueness Score: -1.00%

Function 00959997 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 009599C2
__swprintf.LIBCMT ref: 00959A0C
__i64tow.LIBCMT ref: 0098FA0F

Strings

0x%p, xrefs: 0098F9F1
True, xrefs: 0098F9D0
False, xrefs: 0098F9D7
%.15g, xrefs: 00959A06

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: dcda031245258145530eec25b1815e18f37421f0fbc6cd0c7918e7f5e0d81f0c
Instruction ID: 7bd57259fa1cd015706184fe8a46f19a7c3d681360446a98193a83ba5a5f9328
Opcode Fuzzy Hash: dcda031245258145530eec25b1815e18f37421f0fbc6cd0c7918e7f5e0d81f0c
Instruction Fuzzy Hash: DF41F772514205EFEB24EF39D852F7A73E8EB84300F20886EE94DD7291EA729945DB11

Uniqueness

Uniqueness Score: -1.00%

Function 00953A58 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71windowregistryCOMMON

Download Yara Rule

APIs

GetSysColorBrush.USER32(0000000F), ref: 00953A62
LoadCursorW.USER32(00000000,00007F00), ref: 00953A71
LoadIconW.USER32(00000063), ref: 00953A88
LoadIconW.USER32(000000A4), ref: 00953A9A
LoadIconW.USER32(000000A2), ref: 00953AAC
LoadImageW.USER32 ref: 00953AD2
RegisterClassExW.USER32 ref: 00953B28

Part of subcall function 00953041: GetSysColorBrush.USER32(0000000F), ref: 00953074
Part of subcall function 00953041: RegisterClassExW.USER32 ref: 0095309E
Part of subcall function 00953041: RegisterClipboardFormatW.USER32 ref: 009530AF
Part of subcall function 00953041: 6F7E8420.COMCTL32(?), ref: 009530CC
Part of subcall function 00953041: 6F7E7CB0.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 009530DC
Part of subcall function 00953041: LoadIconW.USER32(000000A9), ref: 009530F2
Part of subcall function 00953041: 6F7E0620.COMCTL32(000000FF,00000000), ref: 00953101

Strings

0, xrefs: 00953B06
AutoIt v3, xrefs: 00953B17
#, xrefs: 00953B0D

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: Load$Icon$Register$BrushClassColor$ClipboardCursorE0620E8420FormatImage
String ID: #$0$AutoIt v3
API String ID: 872398581-4155596026
Opcode ID: 33f2a3fad2d9bdd86ddbd4a25578883b78ff437b4b93d151e33efc64dba7b827
Instruction ID: a39b691c159119fac224941bb760ea4bc9eebed548774a31fa2187c757934163
Opcode Fuzzy Hash: 33f2a3fad2d9bdd86ddbd4a25578883b78ff437b4b93d151e33efc64dba7b827
Instruction Fuzzy Hash: 36213CB0D51304AFEB10DFA5EC0ABDD7BB4EB08751F00812AE504A62A0D3B95655DF44

Uniqueness

Uniqueness Score: -1.00%

Function 00953778 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267COMMON

Download Yara Rule

Strings

/AutoIt3ExecuteLine, xrefs: 009538B9
CMDLINERAW, xrefs: 0095380D
/ErrorStdOut, xrefs: 0095388F
/AutoIt3ExecuteScript, xrefs: 009538CE
CMDLINE, xrefs: 00953834
>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 009537C0
/AutoIt3OutputDebug, xrefs: 009538A4

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
API String ID: 1825951767-3513169116
Opcode ID: 2d2068e1170736a978b0e2b47ab829e2e3487096f096a17bb487a4dadf27b305
Instruction ID: 5212d081debc4050302bdd7bce471259064d5b7839352f1e6420fe78c29d567f
Opcode Fuzzy Hash: 2d2068e1170736a978b0e2b47ab829e2e3487096f096a17bb487a4dadf27b305
Instruction Fuzzy Hash: 00A14F72C142299ADB04EBA2DC92AEEB778BF94341F44442AF816B7191DF745A0DCB60

Uniqueness

Uniqueness Score: -1.00%

Function 009573E5 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0098EE62
757DB9D0.COMDLG32(?), ref: 0098EEAC

Part of subcall function 009548AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,009548A1,?,?,009537C0,?), ref: 009548CE

Part of subcall function 009709D5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 009709F4

Strings

au3, xrefs: 0098EEA5
Run Script:, xrefs: 0098EE81
AutoIt script files (*.au3, *.a3x), xrefs: 0098EE90
X, xrefs: 0098EE7A

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: NamePath$FullLong_memset
String ID: AutoIt script files (*.au3, *.a3x)$Run Script:$X$au3
API String ID: 3051022977-1954568251
Opcode ID: d749562840cf7277b9a2c3ed81ddad9e88339f3ddec0349610b58982363ef112
Instruction ID: b22dfaaad440172732e3e60a462539bb023ba7d9b475343ad76a120be07355b9
Opcode Fuzzy Hash: d749562840cf7277b9a2c3ed81ddad9e88339f3ddec0349610b58982363ef112
Instruction Fuzzy Hash: 6C21C97191425C9BCB01DF95D8457EE7BFD9F89315F008019E808E7282DBB45A8D8B91

Uniqueness

Uniqueness Score: -1.00%

Function 009539E7 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32 ref: 00953A15
CreateWindowExW.USER32 ref: 00953A36
ShowWindow.USER32(00000000,?,?), ref: 00953A4A
ShowWindow.USER32(00000000,?,?), ref: 00953A53

Strings

AutoIt v3, xrefs: 00953A0D, 00953A12, 00953A13
edit, xrefs: 00953A30

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: ad592785b2ff51866f7bcfb6235bec250d26a0426b6a6d90d3e4ffd547a17599
Instruction ID: f637f00f1a9b4bddcbbd578b8436d745fe8b3fa6e132cbad15b6dd0476c29f6c
Opcode Fuzzy Hash: ad592785b2ff51866f7bcfb6235bec250d26a0426b6a6d90d3e4ffd547a17599
Instruction Fuzzy Hash: 94F03A70A412907EEA3097A36C19EE72E7DD7C6F50B05802AB900E2270C2B50842DAB0

Uniqueness

Uniqueness Score: -1.00%

Function 0095410D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0098D5EC

Part of subcall function 00957D2C: _memmove.LIBCMT ref: 00957D66

_memset.LIBCMT ref: 0095418D
_wcscpy.LIBCMT ref: 009541E1
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 009541F1

Strings

Line: , xrefs: 0098D615

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: 1f39c5eeb18d219d2365f29b1f2736edb19afb31efa81e24be6ded01afcf9058
Instruction ID: 39cff5b88b9e9b234b5645043bbbf0e8c18b4dc9237a63cfa5df219235bc9921
Opcode Fuzzy Hash: 1f39c5eeb18d219d2365f29b1f2736edb19afb31efa81e24be6ded01afcf9058
Instruction Fuzzy Hash: B831D37140C314AAD361EBA1EC46BDBB7ECAF94305F10891AF985920A1EB74968DC792

Uniqueness

Uniqueness Score: -1.00%

Function 009569CA Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 00954F3D: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00A162F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00954F6F

_free.LIBCMT ref: 0098E68C
_free.LIBCMT ref: 0098E6D3

Part of subcall function 00956BEC: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00956D0D

Strings

Bad directive syntax error, xrefs: 0098E6BB
>>>AUTOIT SCRIPT<<<, xrefs: 0098E462

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: 826f503e03ac71054b1bf3d0baf022941fe06768f1cb39b62056b15fa8ce8b34
Instruction ID: 56f718108c63ef3112eaff2d140587c26e22e27200e375c38d0a66cc1985734c
Opcode Fuzzy Hash: 826f503e03ac71054b1bf3d0baf022941fe06768f1cb39b62056b15fa8ce8b34
Instruction Fuzzy Hash: DC916171910219EFCF04EFA5C8A1AEDB7B8FF55314F14446AF815AB2A1EB349905CB50

Uniqueness

Uniqueness Score: -1.00%

Function 009535B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,009535A1,SwapMouseButtons,00000004,?), ref: 009535D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,009535A1,SwapMouseButtons,00000004,?,?,?,?,00952754), ref: 009535F5
RegCloseKey.KERNELBASE(00000000,?,?,009535A1,SwapMouseButtons,00000004,?,?,?,?,00952754), ref: 00953617

Strings

Control Panel\Mouse, xrefs: 009535D2

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 61cf720fea56205c0c0da223cc1c480c490992ff371d09b05db48fd9c8496a0a
Instruction ID: 680a8a22bda68b587ccda9b04ddbea2d88ebaf34e7d07af3a220790d4b136fc6
Opcode Fuzzy Hash: 61cf720fea56205c0c0da223cc1c480c490992ff371d09b05db48fd9c8496a0a
Instruction Fuzzy Hash: 3B115A71516208BFDB20CF66DC42EAEB7BCEF05781F00846AF805D7210D2719F54AB60

Uniqueness

Uniqueness Score: -1.00%

Function 009B97E5 Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00955045: _fseek.LIBCMT ref: 0095505D

Part of subcall function 009B99BE: _wcscmp.LIBCMT ref: 009B9AAE
Part of subcall function 009B99BE: _wcscmp.LIBCMT ref: 009B9AC1

_free.LIBCMT ref: 009B992C
_free.LIBCMT ref: 009B9933
_free.LIBCMT ref: 009B999E

Part of subcall function 00972F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00979C64), ref: 00972FA9
Part of subcall function 00972F95: GetLastError.KERNEL32(00000000,?,00979C64), ref: 00972FBB

_free.LIBCMT ref: 009B99A6

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: c040f5d591410a8d3afab51092a26b6f5939c84b98243336257d617f1f09bfd3
Instruction ID: 4a5cdae8fda7455df1795a3e5d32908d566cec30a3884a2ce2a7854fee317639
Opcode Fuzzy Hash: c040f5d591410a8d3afab51092a26b6f5939c84b98243336257d617f1f09bfd3
Instruction Fuzzy Hash: 51513DB1904218AFDF249F65DC41B9EBBB9EF88310F1044AEF649A7281DB755A80CF58

Uniqueness

Uniqueness Score: -1.00%

Function 009B3C66 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,009DFAC0), ref: 009B3CA0
GetLastError.KERNEL32 ref: 009B3CAF
CreateDirectoryW.KERNEL32(?,00000000), ref: 009B3CBE
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,009DFAC0), ref: 009B3D1B

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: ed8b2f5a4e969d8c6f16a3d30390884d0c7c3ff2d1c6a94b8b330857aa5bdd92
Instruction ID: 834d29022529e8173c25433cc9528eb6e091e516a859d3bae932fe15eae76a5c
Opcode Fuzzy Hash: ed8b2f5a4e969d8c6f16a3d30390884d0c7c3ff2d1c6a94b8b330857aa5bdd92
Instruction Fuzzy Hash: CC21E7705093019F8700DF24D98199AB7E8EF96364F148A1EF49AC72E1DB30DE4ACB92

Uniqueness

Uniqueness Score: -1.00%

Function 00954531 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00954560

Part of subcall function 0095410D: _memset.LIBCMT ref: 0095418D
Part of subcall function 0095410D: _wcscpy.LIBCMT ref: 009541E1
Part of subcall function 0095410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 009541F1

KillTimer.USER32(?,00000001,?,?), ref: 009545B5
SetTimer.USER32 ref: 009545C4
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0098D6CE

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: f29361bc25f584a75b488f3d7870061361b183c10862379c30d36f72d1cda8d6
Instruction ID: df1c4a7cb204322f2227d702bcdfb405212803c278072e7c4de63c1e704170b6
Opcode Fuzzy Hash: f29361bc25f584a75b488f3d7870061361b183c10862379c30d36f72d1cda8d6
Instruction Fuzzy Hash: EE214C709097889FEB72DB20CC55BE7BBEC9F01308F04009EE68E56281D7741AC9DB41

Uniqueness

Uniqueness Score: -1.00%

Function 00970FF6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

Part of subcall function 0097594C: __FF_MSGBANNER.LIBCMT ref: 00975963
Part of subcall function 0097594C: __NMSG_WRITE.LIBCMT ref: 0097596A
Part of subcall function 0097594C: RtlAllocateHeap.NTDLL(01540000,00000000,00000001,00000000,?,?,?,00971013,?), ref: 0097598F

std::exception::exception.LIBCMT ref: 0097102C
__CxxThrowException@8.LIBCMT ref: 00971041

Part of subcall function 009787DB: RaiseException.KERNEL32(?,?,?,00A0BAF8,00000000,?,?,?,?,00971046,?,00A0BAF8,?,00000001), ref: 00978830

Strings

bad allocation, xrefs: 00971021

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID: bad allocation
API String ID: 3902256705-2104205924
Opcode ID: cb622a65b212f07083ed0682f24a30f2b7c021716b88a02d86f4c5d32a1c1e26
Instruction ID: da26f3a85e00e95c3da3ecf462eebb1530c7b850eca0a18c272465c83a010be9
Opcode Fuzzy Hash: cb622a65b212f07083ed0682f24a30f2b7c021716b88a02d86f4c5d32a1c1e26
Instruction Fuzzy Hash: A2F0FF3654434DA7CB25AB98EC05BDF7BACAF40350F108426F90CA6191EFF08E8092A0

Uniqueness

Uniqueness Score: -1.00%

Function 009CCDF1 Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92e7c427d65d2ac712f49936d14381567024efe40a068a14a3879a38455cfb05
Instruction ID: df8de62c43257a8385f237a7d533853d419e030d97b27f9db40e0a101dece1b5
Opcode Fuzzy Hash: 92e7c427d65d2ac712f49936d14381567024efe40a068a14a3879a38455cfb05
Instruction Fuzzy Hash: F7F13870A083019FDB14DF29C584A6ABBE5FFC9314F14892EF89A9B251D731E945CF82

Uniqueness

Uniqueness Score: -1.00%

Function 0095F8CF Relevance: 4.7, APIs: 3, Instructions: 168comCOMMON

Download Yara Rule

APIs

Part of subcall function 009703A2: MapVirtualKeyW.USER32(0000005B,00000000), ref: 009703D3
Part of subcall function 009703A2: MapVirtualKeyW.USER32(00000010,00000000), ref: 009703DB
Part of subcall function 009703A2: MapVirtualKeyW.USER32(000000A0,00000000), ref: 009703E6
Part of subcall function 009703A2: MapVirtualKeyW.USER32(000000A1,00000000), ref: 009703F1
Part of subcall function 009703A2: MapVirtualKeyW.USER32(00000011,00000000), ref: 009703F9
Part of subcall function 009703A2: MapVirtualKeyW.USER32(00000012,00000000), ref: 00970401

Part of subcall function 00966259: RegisterClipboardFormatW.USER32 ref: 009662B4

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0095FB2D
OleInitialize.OLE32(00000000), ref: 0095FBAA
CloseHandle.KERNEL32(00000000), ref: 009949F2

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: Virtual$Handle$ClipboardCloseFormatInitializeRegister
String ID:
API String ID: 3094916012-0
Opcode ID: e8f57c43561300d6ebe4621254ab4ad1afb48e81c009bd3aabadc1b9bec31301
Instruction ID: 648652f35094171c90c757814f09edf1f0f3793caee43dc33e9a4fd3a4fe1957
Opcode Fuzzy Hash: e8f57c43561300d6ebe4621254ab4ad1afb48e81c009bd3aabadc1b9bec31301
Instruction Fuzzy Hash: 9381B9B4902250CFD384DFAAEE556D5BBE9FB98318311C17AD429CB2A2EB31444ACF14

Uniqueness

Uniqueness Score: -1.00%

Function 009543DB Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00954401
Shell_NotifyIconW.SHELL32(00000000,?), ref: 009544A6
Shell_NotifyIconW.SHELL32(00000001,?), ref: 009544C3

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: 42dd6185c69f18d2345f67c0b990aa176272337b0ce585fd2e36524ffa10c9ff
Instruction ID: 7710762df7fb3006686a68873c1a7c6cfe0f8ee8190db2a498e2e0d8c3bf2eff
Opcode Fuzzy Hash: 42dd6185c69f18d2345f67c0b990aa176272337b0ce585fd2e36524ffa10c9ff
Instruction Fuzzy Hash: F73181709097118FD760DF65D8847DBBBF8FB48309F00492EE99AC3250D7B56988CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0097594C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00975963

Part of subcall function 0097A3AB: __NMSG_WRITE.LIBCMT ref: 0097A3D2
Part of subcall function 0097A3AB: __NMSG_WRITE.LIBCMT ref: 0097A3DC

__NMSG_WRITE.LIBCMT ref: 0097596A

Part of subcall function 0097A408: GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\RDVGHelper\at.exeR6002- floating point support not loaded,00000104,?,00000001,00000000), ref: 0097A49A
Part of subcall function 0097A408: ___crtMessageBoxW.LIBCMT ref: 0097A548

Part of subcall function 009732DF: ___crtCorExitProcess.LIBCMT ref: 009732E5
Part of subcall function 009732DF: ExitProcess.KERNEL32 ref: 009732EE

Part of subcall function 00978D68: __getptd_noexit.LIBCMT ref: 00978D68

RtlAllocateHeap.NTDLL(01540000,00000000,00000001,00000000,?,?,?,00971013,?), ref: 0097598F

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: f2082ed8e01ec8945b1c701a44cce7455ad1642481c56e1c5d3d279636c8db70
Instruction ID: c9ec0015796e4699c4ccc977e9e247f16d87a01aaf154d6b535c8328f59c9070
Opcode Fuzzy Hash: f2082ed8e01ec8945b1c701a44cce7455ad1642481c56e1c5d3d279636c8db70
Instruction Fuzzy Hash: 9B01D237341B15DEE6616B78D842BAE728C9F81B70F92C02AF60D9B1C1DEB09D419264

Uniqueness

Uniqueness Score: -1.00%

Function 009B8F97 Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 009B8FA5

Part of subcall function 00972F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00979C64), ref: 00972FA9
Part of subcall function 00972F95: GetLastError.KERNEL32(00000000,?,00979C64), ref: 00972FBB

_free.LIBCMT ref: 009B8FB6
_free.LIBCMT ref: 009B8FC8

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 358057a8cee776a4634d1da6a11f7167cf7af4a4bc472a0de26b354d0d310ced
Instruction ID: eb7d4dc999ebd3ef7f0308b37942998b14a9bb3947cbdc674e97177d2ba5048f
Opcode Fuzzy Hash: 358057a8cee776a4634d1da6a11f7167cf7af4a4bc472a0de26b354d0d310ced
Instruction Fuzzy Hash: 24E012A261D7015ACA24A678AE44BE367FE5F8C360718081DF44DDB142DE24E841C564

Uniqueness

Uniqueness Score: -1.00%

Function 0095AB23 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 0099002B

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: 0cd6b2122f5a045968fa7ba74d2badef08eb09470703e6fa90d47ad187f4e33f
Instruction ID: 1924370356dd0d874cf58a8b0be84a1b3a4301df8a1eb32a47140dccf3755643
Opcode Fuzzy Hash: 0cd6b2122f5a045968fa7ba74d2badef08eb09470703e6fa90d47ad187f4e33f
Instruction Fuzzy Hash: 02224770508241CFCB24DF29C491B6ABBF5BF84301F15895DE89A8B362D735ED89CB86

Uniqueness

Uniqueness Score: -1.00%

Function 00954DD0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00954E1A

Strings

EA06, xrefs: 0098DCF5

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: _memmove
String ID: EA06
API String ID: 4104443479-3962188686
Opcode ID: 45586263c4930fa0e34223ea6b06487f171ebfffc12b7f2c61e0010161fb421c
Instruction ID: 286127254799d1d93c58a7ca289f5425ee6418c59609b322ad01ef03227435b8
Opcode Fuzzy Hash: 45586263c4930fa0e34223ea6b06487f171ebfffc12b7f2c61e0010161fb421c
Instruction Fuzzy Hash: DD419D32A04154ABCF51DB6598637BE7FA5AB4130AF284464EC869B282C6658DCC83E1

Uniqueness

Uniqueness Score: -1.00%

Function 009CDD64 Relevance: 3.2, APIs: 2, Instructions: 227COMMON

Download Yara Rule

APIs

_strcat.LIBCMT ref: 009CDE37

Part of subcall function 00959997: __itow.LIBCMT ref: 009599C2
Part of subcall function 00959997: __swprintf.LIBCMT ref: 00959A0C

_wcscpy.LIBCMT ref: 009CDEC6

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: __itow__swprintf_strcat_wcscpy
String ID:
API String ID: 1012013722-0
Opcode ID: 8aa1e4882ec8c1fefd71876c1ab6786e22ddf3d792fb3cf2ef81c2c3e855c836
Instruction ID: ad4f5d0d1e015715a01fc9776f6615bea2cfdd8de19c8fbdbfd3bce0b5ba6eb1
Opcode Fuzzy Hash: 8aa1e4882ec8c1fefd71876c1ab6786e22ddf3d792fb3cf2ef81c2c3e855c836
Instruction Fuzzy Hash: 0E912335A10504DFCB18EF18C591AA9BBF5FF89310B55846EF84A8F7A2DB30E945CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00957BB1 Relevance: 3.1, APIs: 2, Instructions: 97COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00957C0B
_memmove.LIBCMT ref: 00957C76

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: ddec6748d30ce72ea3c0c87625da98b47dec0512f9110af64af129092c5f9071
Instruction ID: b3cdc55f7b6e4f9b53aff58b5a66eb4621539d32bb7a7f979f46ad7edd4fae65
Opcode Fuzzy Hash: ddec6748d30ce72ea3c0c87625da98b47dec0512f9110af64af129092c5f9071
Instruction Fuzzy Hash: C43105B2604506AFC714DF69E8D1E69F3A9FF883107148629E859CB391DB30E954CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0095492E Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

73324310.UXTHEME ref: 00954992

Part of subcall function 009735AC: __lock.LIBCMT ref: 009735B2
Part of subcall function 009735AC: RtlDecodePointer.KERNEL32(00000001,?,009549A7,009A81BC), ref: 009735BE
Part of subcall function 009735AC: RtlEncodePointer.KERNEL32(?,?,009549A7,009A81BC), ref: 009735C9

Part of subcall function 00954A5B: SystemParametersInfoW.USER32 ref: 00954A73
Part of subcall function 00954A5B: SystemParametersInfoW.USER32 ref: 00954A88

Part of subcall function 00953B4C: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00953B7A
Part of subcall function 00953B4C: IsDebuggerPresent.KERNEL32 ref: 00953B8C
Part of subcall function 00953B4C: GetFullPathNameW.KERNEL32(00007FFF,?,?,00A162F8,00A162E0,?,?), ref: 00953BFD
Part of subcall function 00953B4C: SetCurrentDirectoryW.KERNEL32(?), ref: 00953C81

SystemParametersInfoW.USER32 ref: 009549D2

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$73324310DebuggerDecodeEncodeFullNamePathPresent__lock
String ID:
API String ID: 3252798321-0
Opcode ID: 398f2c066e8d196e21620671df998f5af1bc1c0f43e50618296533e45e77566b
Instruction ID: 435d8a3624aa2bd80938cdf5aa9a66e96859ce73f3081f575e36a31c97950a37
Opcode Fuzzy Hash: 398f2c066e8d196e21620671df998f5af1bc1c0f43e50618296533e45e77566b
Instruction Fuzzy Hash: 66118C719183119BC700DFA9EC06A8AFBF8EBD4710F00851EF485832A1DB709A4ACB96

Uniqueness

Uniqueness Score: -1.00%

Function 00955DF9 Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000,?,00955981,?,?,?,?), ref: 00955E27
CreateFileW.KERNELBASE(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000000,?,00955981,?,?,?,?), ref: 0098E19C

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 84e543855af823ba8ca3ad5a5c28d0027c036fc61bf4605d23b96e65609570b0
Instruction ID: dc21b9352580e50036c19644df1d703706cf18df1564d6485bd1ac7fca0d1494
Opcode Fuzzy Hash: 84e543855af823ba8ca3ad5a5c28d0027c036fc61bf4605d23b96e65609570b0
Instruction Fuzzy Hash: 64019270288708BEF3245E25CC9BF663B9CAB01769F118319FEE55A1E1C6B41E4D8B50

Uniqueness

Uniqueness Score: -1.00%

Function 0098F852 Relevance: 3.1, APIs: 2, Instructions: 52COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0098F87C
_memmove.LIBCMT ref: 0098F89A

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 8a531411484eda5ac11978cf2f8506139dd6ed996fb850f35d4ef0769d2e727f
Instruction ID: 00176af3019a68226211112a7ec2a09d06c8456b2cb419246ac51ab40133cddd
Opcode Fuzzy Hash: 8a531411484eda5ac11978cf2f8506139dd6ed996fb850f35d4ef0769d2e727f
Instruction Fuzzy Hash: 77018032601420DFDF01EF68C891B2A37A5FF8A31131484A9F9098F316CB35AC15DB96

Uniqueness

Uniqueness Score: -1.00%

Function 00960A8D Relevance: 3.1, APIs: 2, Instructions: 52COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00953C26,00A162F8,?,?,?), ref: 00960ACE

Part of subcall function 00957D2C: _memmove.LIBCMT ref: 00957D66

_wcscat.LIBCMT ref: 009950E1

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: FullNamePath_memmove_wcscat
String ID:
API String ID: 257928180-0
Opcode ID: 5722c9be4d1cd0955ed3f7c6399e30ae47810c0f3245bccacc27522c0fa4c7f3
Instruction ID: 039dc3094f3b120942c220da0a8baddf3988cb8e7d8d65a5ee55e4da05155ad4
Opcode Fuzzy Hash: 5722c9be4d1cd0955ed3f7c6399e30ae47810c0f3245bccacc27522c0fa4c7f3
Instruction Fuzzy Hash: 3D11653590421C9BCB01EBB4DC42FEA77BCEF88354B0144A6B95DD7291EA70DB889751

Uniqueness

Uniqueness Score: -1.00%

Function 009755D6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00978D68: __getptd_noexit.LIBCMT ref: 00978D68

__lock_file.LIBCMT ref: 0097561B

Part of subcall function 00976E4E: __lock.LIBCMT ref: 00976E71

__fclose_nolock.LIBCMT ref: 00975626

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: b7a3a15c0b6b0b91681c5d046105803c4046ad7d8b486a9139c3a44daf181e6b
Instruction ID: 30933c076eac78e7c9ed4871e9dad2359237023123dc86e85877088c1084776a
Opcode Fuzzy Hash: b7a3a15c0b6b0b91681c5d046105803c4046ad7d8b486a9139c3a44daf181e6b
Instruction Fuzzy Hash: D0F0B473940A04DBD760AF758806B6F77A16F81734F56C209F41CAB1C1CFBC8A019B95

Uniqueness

Uniqueness Score: -1.00%

Function 009544CB Relevance: 3.0, APIs: 2, Instructions: 25windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 009544F7
Shell_NotifyIconW.SHELL32(00000002,?), ref: 00954527

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: IconNotifyShell__memset
String ID:
API String ID: 928536360-0
Opcode ID: b42ba84f0df4a93463413650b5955ae8948155a7c88678c6dd98ee97a280a3fc
Instruction ID: 6162ecd34570573c596f6826f678a856b977cd137416212d2f07196a74aaebb9
Opcode Fuzzy Hash: b42ba84f0df4a93463413650b5955ae8948155a7c88678c6dd98ee97a280a3fc
Instruction Fuzzy Hash: 81F0A771D043189FD792CB64EC4A7D577BC970030CF0441EAAA08D6252D7B50B89CF51

Uniqueness

Uniqueness Score: -1.00%

Function 009732F5 Relevance: 3.0, APIs: 2, Instructions: 9COMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 009732F8

Part of subcall function 0097A3AB: __NMSG_WRITE.LIBCMT ref: 0097A3D2
Part of subcall function 0097A3AB: __NMSG_WRITE.LIBCMT ref: 0097A3DC

__NMSG_WRITE.LIBCMT ref: 00973300

Part of subcall function 0097A408: GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\RDVGHelper\at.exeR6002- floating point support not loaded,00000104,?,00000001,00000000), ref: 0097A49A
Part of subcall function 0097A408: ___crtMessageBoxW.LIBCMT ref: 0097A548

Part of subcall function 009733B3: _doexit.LIBCMT ref: 009733BD

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: FileMessageModuleName___crt_doexit
String ID:
API String ID: 288729343-0
Opcode ID: 0478fc138bff0bdfba48d5da90ca71d4110bad54cdedc0e3e94b10a5ac17904e
Instruction ID: 80ee35897faad54330b75970761fb3d983db97b0ede9fdc4054541ed4b94bb1e
Opcode Fuzzy Hash: 0478fc138bff0bdfba48d5da90ca71d4110bad54cdedc0e3e94b10a5ac17904e
Instruction Fuzzy Hash: 4AB0922208421D2AD5643B60C90BB2D36088FC0710F90C420761C088A3AD96698130A7

Uniqueness

Uniqueness Score: -1.00%

Function 009732DF Relevance: 3.0, APIs: 2, Instructions: 7COMMONLIBRARYCODE

Download Yara Rule

APIs

___crtCorExitProcess.LIBCMT ref: 009732E5

Part of subcall function 009732AB: GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,?,?,?,009732EA,00000000,?,00979EFE,000000FF,0000001E,00A0BE28,00000008,00979E62,00000000,00000000), ref: 009732BA
Part of subcall function 009732AB: GetProcAddress.KERNEL32(?,CorExitProcess), ref: 009732CC

ExitProcess.KERNEL32 ref: 009732EE

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: ExitProcess$AddressHandleModuleProc___crt
String ID:
API String ID: 2427264223-0
Opcode ID: eeb6ebca5177748881264d4ff65d9efbea95496af787e09255ea461e3a264966
Instruction ID: 3808951a43fe9f5e81f8836fcdcfd051ab8f3713929ee50e6eb2d546ae51afba
Opcode Fuzzy Hash: eeb6ebca5177748881264d4ff65d9efbea95496af787e09255ea461e3a264966
Instruction Fuzzy Hash: 3DB09231014208BBCB052F11DC0B8487F29FF40BD0B00C021F81908032DB72AAD2EA80

Uniqueness

Uniqueness Score: -1.00%

Function 0095F3F0 Relevance: 1.7, APIs: 1, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13a6ef6600af6db8292c8085d3170e298f6273b6bf340209c4e57ad4043788e5
Instruction ID: fbcdf4cac7f3b1b45c58032a79220a8a351c3c3c9fa3bf38aa7bffa9c658f68f
Opcode Fuzzy Hash: 13a6ef6600af6db8292c8085d3170e298f6273b6bf340209c4e57ad4043788e5
Instruction Fuzzy Hash: BC61B97060020ADFDB10DF69C9A4BBBB7E9EB44321F148479ED068B291E734ED4ACB51

Uniqueness

Uniqueness Score: -1.00%

Function 00962123 Relevance: 1.7, APIs: 1, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abf78994c0f0656e744ae3811dd31a217a1a7bfc2995aadf2b22210525719d4f
Instruction ID: d23f659e888867caf1087406be17e61bcb4b898118bc0ae39899bd6f04859f11
Opcode Fuzzy Hash: abf78994c0f0656e744ae3811dd31a217a1a7bfc2995aadf2b22210525719d4f
Instruction Fuzzy Hash: 2C518F35604604EFCF14EF69C9A1FAE77A5AF85710F158468F90AAB392CB34ED04CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0095766F Relevance: 1.6, APIs: 1, Instructions: 103COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0095774A

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 405f307328a2e7d0cd849543312621786cd0ed689acacd4b436cf5b7a65d8ccd
Instruction ID: 830148c28faec52809ac96b2f3b2bd9ed9a336a25a1ffa82526d5aaa7b7652fb
Opcode Fuzzy Hash: 405f307328a2e7d0cd849543312621786cd0ed689acacd4b436cf5b7a65d8ccd
Instruction Fuzzy Hash: 0731C179209A02DFC724DF5AE090A21F7E4FF48311B14C569ED8ACB365E730E985CB84

Uniqueness

Uniqueness Score: -1.00%

Function 00955C4E Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000000,?,?,00000000), ref: 00955CF6

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: c9b3d2dbee864593bcfcffffaef53143828aeb5d5769888d3bceb3a9db32e49e
Instruction ID: 82661828a50d1ba5f9390adb4144552657fe273e584fde185bdd148ec2282d93
Opcode Fuzzy Hash: c9b3d2dbee864593bcfcffffaef53143828aeb5d5769888d3bceb3a9db32e49e
Instruction Fuzzy Hash: DA318C31A00B09AFCB08DF6EC4A4A6DB7B5FF88311F158629EC1993751D730B964DB90

Uniqueness

Uniqueness Score: -1.00%

Function 009900D6 Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 009900E1

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 05b456bbb30cf5eed823338b93fc06d3d1b4405dacdc1547fe2adc8e99b75d86
Instruction ID: ab29b351ca260ff4f651aff100aab5a8f5fbdc006a3c69e44e43c984bce5dab0
Opcode Fuzzy Hash: 05b456bbb30cf5eed823338b93fc06d3d1b4405dacdc1547fe2adc8e99b75d86
Instruction Fuzzy Hash: 03411874508341CFDB24DF19C484B1ABBE4BF85319F19899CE8994B362C336EC89CB56

Uniqueness

Uniqueness Score: -1.00%

Function 00957CB3 Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00957D13

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 687bbac6da33db89412d23ad4d516cea3c416c3fe9b8de43780a84608c335226
Instruction ID: e8038036538999459e65d6fc827910a02191d59d177ea131b6fefef5fc44f2e9
Opcode Fuzzy Hash: 687bbac6da33db89412d23ad4d516cea3c416c3fe9b8de43780a84608c335226
Instruction Fuzzy Hash: E721367260860EEBDB10EF91FC51779BBB8FF50391F21846EE886C5291EB3085E18705

Uniqueness

Uniqueness Score: -1.00%

Function 00960A3B Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00953C26,00A162F8,?,?,?), ref: 00960ACE

Part of subcall function 00957D2C: _memmove.LIBCMT ref: 00957D66

_wcscat.LIBCMT ref: 009950E1

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: FullNamePath_memmove_wcscat
String ID:
API String ID: 257928180-0
Opcode ID: 77d8d3e673046a1fcd93fea55f013039465ff686a599cce0505565750dfd4eb6
Instruction ID: b83d84963e19b4443eca5732b70255d9665f738e224def4681ee83229b2d1da4
Opcode Fuzzy Hash: 77d8d3e673046a1fcd93fea55f013039465ff686a599cce0505565750dfd4eb6
Instruction Fuzzy Hash: 6E21B2705092889FCB03DBB4DCA2AE9BFB9EF4A340B0544D6F9C8CB152D634965AC711

Uniqueness

Uniqueness Score: -1.00%

Function 0095C707 Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

_wcscmp.LIBCMT ref: 0095C73D

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: _wcscmp
String ID:
API String ID: 856254489-0
Opcode ID: 4a742be93d2b9b7d13e6de253ea960fc048df3934732223b81f8933152549314
Instruction ID: 6ce0236b30d73ffa829c6fdf01a5337380d5fa5d85ce35e348e9f1f29e4591c9
Opcode Fuzzy Hash: 4a742be93d2b9b7d13e6de253ea960fc048df3934732223b81f8933152549314
Instruction Fuzzy Hash: 58116371904219EBCF14EBAADC81AEEF7B8BF95351F104116FC11A7190E6309E09CB90

Uniqueness

Uniqueness Score: -1.00%

Function 009580D7 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00958109

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: eb2710e5cb16ddfd39129744760223e1f4b56c2d8d4f4da250d44081183c863d
Instruction ID: 5fc3a76cce40676d1cb3795bc271a6cc3d997e66de808fb6dff897c62540016a
Opcode Fuzzy Hash: eb2710e5cb16ddfd39129744760223e1f4b56c2d8d4f4da250d44081183c863d
Instruction Fuzzy Hash: 89115B76204605DFC724CF29D481A26B7E9FF48314B20C82EE88EDB361DB32E842CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00954F3D Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00954D13: FreeLibrary.KERNEL32(00000000,?), ref: 00954D4D

Part of subcall function 0097548B: __wfsopen.LIBCMT ref: 00975496

LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00A162F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00954F6F

Part of subcall function 00954CC8: FreeLibrary.KERNEL32(00000000), ref: 00954D02

Part of subcall function 00954DD0: _memmove.LIBCMT ref: 00954E1A

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: 0cbed0b9d59dcc5b4c1a4253c8db0ba9efeb661981d86946da88c55211c9bd13
Instruction ID: f4b3f6346517359022eab15ae36f7496aa295a6ebbad7ad2048a67d40bb0fcb4
Opcode Fuzzy Hash: 0cbed0b9d59dcc5b4c1a4253c8db0ba9efeb661981d86946da88c55211c9bd13
Instruction Fuzzy Hash: 2211E731640205ABCB14FF76DC12BAE77A89FC0716F108429FD46A62C1DA759A4997A0

Uniqueness

Uniqueness Score: -1.00%

Function 009901AF Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 009901BB

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 1039b8b997dc254a06bc68f797087f95f434a4cbc7e03d224e6202f8b3960bba
Instruction ID: 769e7b2dfda5fbdbaf9744253c86abb949afe49483bf8d338dd3afe3360bf1d2
Opcode Fuzzy Hash: 1039b8b997dc254a06bc68f797087f95f434a4cbc7e03d224e6202f8b3960bba
Instruction Fuzzy Hash: AD2120B4508341CFCB24DF28C485B1ABBE4BF88304F048A6CF89A47761D735E849CB56

Uniqueness

Uniqueness Score: -1.00%

Function 00955D20 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,00010000,?,00000000,00000000,?,00010000,?,00955807,00000000,00010000,00000000,00000000,00000000,00000000), ref: 00955D76

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 82cc7311c87892d69906fd4a589231046fb7d9fec400f9118b9c076338d9871a
Instruction ID: cddaf005054b3bc36c1487ba985683954d87d6f491a60a261581174fbff3315e
Opcode Fuzzy Hash: 82cc7311c87892d69906fd4a589231046fb7d9fec400f9118b9c076338d9871a
Instruction Fuzzy Hash: 78116A72200B019FD330CF06C494B62B7F8EF44711F11C92EE8AA86A91D771E948CF60

Uniqueness

Uniqueness Score: -1.00%

Function 0095C6DA Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

_wcscmp.LIBCMT ref: 0095C73D

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: _wcscmp
String ID:
API String ID: 856254489-0
Opcode ID: 54c49233f09a2a0f2ec7aa68bd2c230f0c729686faf2b87ad81eb1cc06cf7194
Instruction ID: fba37f2f9d774278bf2ff22d74e2e28300a1edcaa83a8f8da9e93d412036f4cd
Opcode Fuzzy Hash: 54c49233f09a2a0f2ec7aa68bd2c230f0c729686faf2b87ad81eb1cc06cf7194
Instruction Fuzzy Hash: 961104729083955FDB069F7A8C506ADFFB4DF5A311F1980ABD890AF192D2309D0ACB45

Uniqueness

Uniqueness Score: -1.00%

Function 009AFC4D Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 009AFC88

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 9502df7d4da385b50e50aefd748cf53d09596ce246b432b33c14a6fcd2925f94
Instruction ID: f86025d4d44b7cda9cd9d547466bfbe88023e9b9e0935b99964e0226b61e1904
Opcode Fuzzy Hash: 9502df7d4da385b50e50aefd748cf53d09596ce246b432b33c14a6fcd2925f94
Instruction Fuzzy Hash: 7D018672201225ABCB24DF2DD891A6BB7A9EFC5364714842EF94ACB245E631E901C790

Uniqueness

Uniqueness Score: -1.00%

Function 00957F41 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00957F82

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 86523e99b97c2b2acf34c6243acac418dacdacafaad77d6ff111eb4d4c7db86c
Instruction ID: c59a138ad847e4aa7a87cf63909988fce5aabe3beb66a4a54a2cc1646c18d1a0
Opcode Fuzzy Hash: 86523e99b97c2b2acf34c6243acac418dacdacafaad77d6ff111eb4d4c7db86c
Instruction Fuzzy Hash: 4101D673214701AED720DF69DC02F67FB98AB847A0F10852AFD5ACA191EA31E5448750

Uniqueness

Uniqueness Score: -1.00%

Function 009B794E Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

Part of subcall function 00970FF6: std::exception::exception.LIBCMT ref: 0097102C
Part of subcall function 00970FF6: __CxxThrowException@8.LIBCMT ref: 00971041

_memset.LIBCMT ref: 009B7983

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: Exception@8Throw_memsetstd::exception::exception
String ID:
API String ID: 525207782-0
Opcode ID: 284876664663f73bc52d9acb02b0945479c06a9470952084d8fd09db9e5ca2e3
Instruction ID: c1ab7d210178bc953a90ef0a8694dcc4b8e8d5b0a4b9bd492f2dc4a2b5f3a17c
Opcode Fuzzy Hash: 284876664663f73bc52d9acb02b0945479c06a9470952084d8fd09db9e5ca2e3
Instruction Fuzzy Hash: E501F675204200DFD320EF5CD541B46BBE5AF99310F24C45AF9888B392DB72E800CB91

Uniqueness

Uniqueness Score: -1.00%

Function 009583A8 Relevance: 1.5, APIs: 1, Instructions: 38COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(00000000,?,00000000,00000048,-00000003,?,00963FC9,?,?,?,-00000003,00000000,00000000), ref: 009583E0

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: BuffCharUpper
String ID:
API String ID: 3964851224-0
Opcode ID: 7e7d2fa5bdcaf875ae9aa2f7c1645c13a218e3cae859231ec929b00279b3539d
Instruction ID: de3b3dc8c46b0ef71046963c99079216365e4ca800e931869d5d82b2af35f943
Opcode Fuzzy Hash: 7e7d2fa5bdcaf875ae9aa2f7c1645c13a218e3cae859231ec929b00279b3539d
Instruction Fuzzy Hash: C4F0C2B6205622EBC7219F56D80072BFBA8EF84F22F008129EC495A651CF34D824C7C4

Uniqueness

Uniqueness Score: -1.00%

Function 0098FB2E Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

Part of subcall function 00970FF6: std::exception::exception.LIBCMT ref: 0097102C
Part of subcall function 00970FF6: __CxxThrowException@8.LIBCMT ref: 00971041

_memmove.LIBCMT ref: 0098FB5F

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: Exception@8Throw_memmovestd::exception::exception
String ID:
API String ID: 1602317333-0
Opcode ID: bf37620448648d936dbc2e6022f9d4728a09b95421ca140e1c6f8a960e8c20d7
Instruction ID: 2da8556fb7f6dc70858a75026d93cbe1a942b1ee711e1aaa712458a453905d12
Opcode Fuzzy Hash: bf37620448648d936dbc2e6022f9d4728a09b95421ca140e1c6f8a960e8c20d7
Instruction Fuzzy Hash: 96F0F974641241DFD720DF6CC991B11BBE1FF99304B2484ACE58A8B3A2EB36E811CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00954FAA Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00A162F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00954FDE

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 8ba70898b7a78c172a77fe0b887d5d8dcec88a8e3e15ae83d9bf3b989ea2bb83
Instruction ID: 3edf58a5e75fd293dbf2ba4d64a7fd233cafdf4393b0718d125fadc346d90c2d
Opcode Fuzzy Hash: 8ba70898b7a78c172a77fe0b887d5d8dcec88a8e3e15ae83d9bf3b989ea2bb83
Instruction Fuzzy Hash: 09F03071109711CFC774DF69D894812BBE5BF0432A3208A3EEDD782610C7719888DF50

Uniqueness

Uniqueness Score: -1.00%

Function 00992587 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00992592

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: b2a48ca2bdd1d19f26bd4a37f031e07ef006595c0cb900f70e378f2d9c9c5558
Instruction ID: 8855be8db63e5ea092bd14aad56f8ea48669004e8884ec8015cbe5e21b851c50
Opcode Fuzzy Hash: b2a48ca2bdd1d19f26bd4a37f031e07ef006595c0cb900f70e378f2d9c9c5558
Instruction Fuzzy Hash: B7E02BB1B14245AFEF30DB7DD404B25FBD89B10311F10482AE886D1280D77658D89762

Uniqueness

Uniqueness Score: -1.00%

Function 009709D5 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 009709F4

Part of subcall function 00957D2C: _memmove.LIBCMT ref: 00957D66

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: a879aa2c91740f43ca545d2a95af8ddd01f2399c95d11c2ce57f8390dba2ed1a
Instruction ID: 2559d8aabb86c5ed38365b11c19e7915671a42911d93acb8a119ffd5f82f10bb
Opcode Fuzzy Hash: a879aa2c91740f43ca545d2a95af8ddd01f2399c95d11c2ce57f8390dba2ed1a
Instruction Fuzzy Hash: 3AE0863694522857C720E6989C06FFAB7ADDFC8791F0401B6FD0CD7248E9609D818690

Uniqueness

Uniqueness Score: -1.00%

Function 009B49FF Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 009B4A18

Part of subcall function 00957D2C: _memmove.LIBCMT ref: 00957D66

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: FolderPath_memmove
String ID:
API String ID: 3334745507-0
Opcode ID: e6b3615029764058f8f9e4e3b7bca15a64275c2721ac30e6045e0d8e9f997561
Instruction ID: e0d98579fd115d0ddf2d8c9969e677d6e40a3e9b24f653774b6a13cc1450b68b
Opcode Fuzzy Hash: e6b3615029764058f8f9e4e3b7bca15a64275c2721ac30e6045e0d8e9f997561
Instruction Fuzzy Hash: D6D05EA291432C2BDB60E6B9AC0EDB77BACDB44221F0006A27C5DC3152E9249D8586E0

Uniqueness

Uniqueness Score: -1.00%

Function 009B3696 Relevance: 1.5, APIs: 1, Instructions: 20fileCOMMON

Download Yara Rule

APIs

Part of subcall function 009B3595: SetFilePointerEx.KERNEL32(?,?,?,00000000,00000001,?,?,009B36A2,?,?,?,0098E060,00A070A0,00000002,?,?), ref: 009B3613

WriteFile.KERNELBASE(?,?,?,00000000,00000000,?,?,?,0098E060,00A070A0,00000002,?,?,?,?), ref: 009B36B0

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: File$PointerWrite
String ID:
API String ID: 539440098-0
Opcode ID: 8f5f25caf1268dd3699706886ee455c469705b674f23665e71e65d93c0138951
Instruction ID: 98b8437b321021c1f44c44214c4f3e63d24461f58ea6ac1ba0f16c4faadd952d
Opcode Fuzzy Hash: 8f5f25caf1268dd3699706886ee455c469705b674f23665e71e65d93c0138951
Instruction Fuzzy Hash: D7E04636410218FBDB20EF94D909BDAB7BCEB08320F00465BF94486110D7B2AF24ABA0

Uniqueness

Uniqueness Score: -1.00%

Function 00955DCF Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?,?,?,00955921,?,00956C37), ref: 00955DEF

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: c2a2c7730ae618a228b875751f7f431291052a2079b721d26873f3e22ca354c1
Instruction ID: 70f37ddfe072fceaf16ab8695b8aa955c6daaf567d2bece5cde6ab7e60e0a278
Opcode Fuzzy Hash: c2a2c7730ae618a228b875751f7f431291052a2079b721d26873f3e22ca354c1
Instruction Fuzzy Hash: 22E09A75400A01CEC3318F1AD814411F7F8FFE13623224A2FD4E6826A0D3B154899B50

Uniqueness

Uniqueness Score: -1.00%

Function 00955DAE Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001,?,?,?,0098E16B,?,?,00000000), ref: 00955DBF

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: ad2209df1b18e9697cc0613f100ed0c96944f6be6a6ffa805830302fa2af1268
Instruction ID: 0eb335781afe666eb7bc0085642087ee86a5c71f3af43b10c9cf1cce0e109841
Opcode Fuzzy Hash: ad2209df1b18e9697cc0613f100ed0c96944f6be6a6ffa805830302fa2af1268
Instruction Fuzzy Hash: 69D0C77465420CBFE710DB80DC47FA9777CD705710F100195FD0456690D6B27D509795

Uniqueness

Uniqueness Score: -1.00%

Function 00972E84 Relevance: 1.5, APIs: 1, Instructions: 16COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00973457: __lock.LIBCMT ref: 00973459

__onexit_nolock.LIBCMT ref: 00972EA0

Part of subcall function 00972EC8: RtlDecodePointer.NTDLL(?,00000000,00000000,?,?,00972EA5,0098B80A,00A0BB50), ref: 00972EDB
Part of subcall function 00972EC8: RtlDecodePointer.KERNEL32(?,?,00972EA5,0098B80A,00A0BB50), ref: 00972EE6
Part of subcall function 00972EC8: __realloc_crt.LIBCMT ref: 00972F27
Part of subcall function 00972EC8: __realloc_crt.LIBCMT ref: 00972F3B
Part of subcall function 00972EC8: RtlEncodePointer.KERNEL32(00000000,?,?,00972EA5,0098B80A,00A0BB50), ref: 00972F4D
Part of subcall function 00972EC8: RtlEncodePointer.KERNEL32(0098B80A,?,?,00972EA5,0098B80A,00A0BB50), ref: 00972F5B
Part of subcall function 00972EC8: RtlEncodePointer.KERNEL32(00000004,?,?,00972EA5,0098B80A,00A0BB50), ref: 00972F67

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: Pointer$Encode$Decode__realloc_crt$__lock__onexit_nolock
String ID:
API String ID: 3536590627-0
Opcode ID: c322ffcdb60b8c14ac7772da58e117f65f343ae54547fcb1f3f404960344b0c3
Instruction ID: 61fc4277a3b240667616ad95a0953ac023014c97201a0369839f7fd368b2d35b
Opcode Fuzzy Hash: c322ffcdb60b8c14ac7772da58e117f65f343ae54547fcb1f3f404960344b0c3
Instruction Fuzzy Hash: 5CD01273D5020DABDB51FBE4990675D7B606F84722F50C144F01CA61D2CB7407425B95

Uniqueness

Uniqueness Score: -1.00%

Function 009B4CD3 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,009B3947), ref: 009B4CD4

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: c1142eb928b8e5f9fc88b6ccfe162b07be3932204600a5a555e3c0b61f8d32e0
Instruction ID: cf32d9d65bc882c3f40e3bd885d91064584dd4360728b1401131dc12e9fbc8cc
Opcode Fuzzy Hash: c1142eb928b8e5f9fc88b6ccfe162b07be3932204600a5a555e3c0b61f8d32e0
Instruction Fuzzy Hash: DFB092AD1AA60006AD288A3C9B190D92B097852BB57D81BA0E4BA850E29339A84BF510

Uniqueness

Uniqueness Score: -1.00%

Function 009733B3 Relevance: 1.5, APIs: 1, Instructions: 9COMMONLIBRARYCODE

Download Yara Rule

APIs

_doexit.LIBCMT ref: 009733BD

Part of subcall function 00973469: __lock.LIBCMT ref: 00973477
Part of subcall function 00973469: RtlDecodePointer.KERNEL32(00A0BB70,0000001C,009733C2,00000000,00000001,00000000,?,00973310,000000FF,?,00979E6E,00000011,00000000,?,00979CBC,0000000D), ref: 009734B6
Part of subcall function 00973469: RtlDecodePointer.KERNEL32(?,00973310,000000FF,?,00979E6E,00000011,00000000,?,00979CBC,0000000D), ref: 009734C7
Part of subcall function 00973469: RtlEncodePointer.KERNEL32(00000000,?,00973310,000000FF,?,00979E6E,00000011,00000000,?,00979CBC,0000000D), ref: 009734E0
Part of subcall function 00973469: RtlDecodePointer.KERNEL32(-00000004,?,00973310,000000FF,?,00979E6E,00000011,00000000,?,00979CBC,0000000D), ref: 009734F0
Part of subcall function 00973469: RtlEncodePointer.KERNEL32(00000000,?,00973310,000000FF,?,00979E6E,00000011,00000000,?,00979CBC,0000000D), ref: 009734F6
Part of subcall function 00973469: RtlDecodePointer.KERNEL32(?,00973310,000000FF,?,00979E6E,00000011,00000000,?,00979CBC,0000000D), ref: 0097350C
Part of subcall function 00973469: RtlDecodePointer.KERNEL32(?,00973310,000000FF,?,00979E6E,00000011,00000000,?,00979CBC,0000000D), ref: 00973517

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: Pointer$Decode$Encode$__lock_doexit
String ID:
API String ID: 2158581194-0
Opcode ID: b4e928c0e26b8b31f7bbd767efdfabfe1f62d1646d37685f8d7537e28665a351
Instruction ID: 1ce944b4dc4547da99208338ed0ba37729f81b9f77f4277ca77c5d1b291e9763
Opcode Fuzzy Hash: b4e928c0e26b8b31f7bbd767efdfabfe1f62d1646d37685f8d7537e28665a351
Instruction Fuzzy Hash: D3B0123258030CF3DD112945EC03F553B0D4780B50F00C060FA0C5C1F1E5D366A050C5

Uniqueness

Uniqueness Score: -1.00%

Function 0097548B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00975496

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: f53e8851d258add63ead007a3132d3e3f6d346a09fdfdca80ee7b84ade4af6e7
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: 82B0927684020C77DE412E92EC03B593B199B80678F808020FB0C18172A6B3A6A09689

Uniqueness

Uniqueness Score: -1.00%

Function 009BD2E6 Relevance: 1.4, APIs: 1, Instructions: 198COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000002,00000000), ref: 009BD46A

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 742f447e53447b8a5eb750c5a5e8eb22fa87c5588f0383d0a8c33e1056cf8113
Instruction ID: 3bc0bde92a9b1a2db934b5144dddb9372b393f84a4b04756a45f40228b9e0cd5
Opcode Fuzzy Hash: 742f447e53447b8a5eb750c5a5e8eb22fa87c5588f0383d0a8c33e1056cf8113
Instruction Fuzzy Hash: B4719334209301CFC714EF65D591BAAB7E5AFC8325F04496DF8968B2A2DB30ED49CB52

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 009A8858 Relevance: 37.0, APIs: 17, Strings: 4, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 009A8CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 009A8D0D
Part of subcall function 009A8CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 009A8D3A
Part of subcall function 009A8CC3: GetLastError.KERNEL32 ref: 009A8D47

_memset.LIBCMT ref: 009A889B
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 009A88ED
CloseHandle.KERNEL32(?), ref: 009A88FE
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 009A8915
GetProcessWindowStation.USER32 ref: 009A892E
SetProcessWindowStation.USER32(00000000), ref: 009A8938
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 009A8952

Part of subcall function 009A8713: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,009A8851), ref: 009A8728
Part of subcall function 009A8713: CloseHandle.KERNEL32(?,?,009A8851), ref: 009A873A

Strings

default, xrefs: 009A894D
winsta0\default, xrefs: 009A89D3
winsta0, xrefs: 009A8910
, xrefs: 009A88AA

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0$winsta0\default
API String ID: 2063423040-1685893292
Opcode ID: 78a38747b7f1d80f718f99c581ee8f38705d6abe0a507b552ee3566e23715a30
Instruction ID: 96f6dc0adb9ace2478362f84e52cc2c8667b5ed618e2532136f111f6cd1f8e70
Opcode Fuzzy Hash: 78a38747b7f1d80f718f99c581ee8f38705d6abe0a507b552ee3566e23715a30
Instruction Fuzzy Hash: E5816871941209AFDF11DFA4DC49AEFBBBCEF05304F08812AF911A6261DB318E55DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 009C425A Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(009DF910), ref: 009C4284
IsClipboardFormatAvailable.USER32(0000000D), ref: 009C4292
GetClipboardData.USER32 ref: 009C429A
CloseClipboard.USER32 ref: 009C42A6
GlobalFix.KERNEL32 ref: 009C42C2
CloseClipboard.USER32 ref: 009C42CC
GlobalUnWire.KERNEL32 ref: 009C42E1
IsClipboardFormatAvailable.USER32(00000001), ref: 009C42EE
GetClipboardData.USER32 ref: 009C42F6
GlobalFix.KERNEL32 ref: 009C4303
GlobalUnWire.KERNEL32 ref: 009C4337
CloseClipboard.USER32 ref: 009C4447

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatWire$Open
String ID:
API String ID: 941120096-0
Opcode ID: d5d983d65dfb5412bf0518d4f38709ec1b91f8672ede831ad7f29ea8b963fce1
Instruction ID: cdb1cc1a08e78dc2fa37023878da9f921e46fd595985eb8c3f829666a385c803
Opcode Fuzzy Hash: d5d983d65dfb5412bf0518d4f38709ec1b91f8672ede831ad7f29ea8b963fce1
Instruction Fuzzy Hash: 0951C231748305ABE300EF61ECA7F6E77A8AF84B01F10452EF966D21A1DB70D9449B63

Uniqueness

Uniqueness Score: -1.00%

Function 009BC9C7 Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 009BC9F8
FindClose.KERNEL32(00000000), ref: 009BCA4C
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 009BCA71
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 009BCA88
FileTimeToSystemTime.KERNEL32(?,?), ref: 009BCAAF
__swprintf.LIBCMT ref: 009BCAFB
__swprintf.LIBCMT ref: 009BCB3E

Part of subcall function 00957F41: _memmove.LIBCMT ref: 00957F82

__swprintf.LIBCMT ref: 009BCB92

Part of subcall function 009738D8: __woutput_l.LIBCMT ref: 00973931

__swprintf.LIBCMT ref: 009BCBE0

Part of subcall function 009738D8: __flsbuf.LIBCMT ref: 00973953
Part of subcall function 009738D8: __flsbuf.LIBCMT ref: 0097396B

__swprintf.LIBCMT ref: 009BCC2F
__swprintf.LIBCMT ref: 009BCC7E
__swprintf.LIBCMT ref: 009BCCCD

Strings

%4d, xrefs: 009BCB38
%4d%02d%02d%02d%02d%02d, xrefs: 009BCAF5
%02d, xrefs: 009BCB86, 009BCB90, 009BCBDE, 009BCC2D, 009BCC7C, 009BCCCB

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: 52085516613d77b1730346cb6797f10e55765f41ed5ad3f7f7107dce94d0b366
Instruction ID: 93de33cd5868237a06a526b8d2b7f72e2499ea340f1a9b951eda36f4faa81077
Opcode Fuzzy Hash: 52085516613d77b1730346cb6797f10e55765f41ed5ad3f7f7107dce94d0b366
Instruction Fuzzy Hash: A8A14FB2418304ABD700EB65D996EAFB7ECFFD4701F404919B986D3191EB34DA08CB62

Uniqueness

Uniqueness Score: -1.00%

Function 009DC8EE Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 181windowfilenativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00952612: GetWindowLongW.USER32(?,000000EB), ref: 00952623

DragQueryPoint.SHELL32(?,?), ref: 009DC917

Part of subcall function 009DADF1: ClientToScreen.USER32(?,?), ref: 009DAE1A
Part of subcall function 009DADF1: GetWindowRect.USER32 ref: 009DAE90
Part of subcall function 009DADF1: PtInRect.USER32(?,?,009DC304), ref: 009DAEA0

SendMessageW.USER32(?,000000B0,?,?), ref: 009DC980
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 009DC98B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 009DC9AE
_wcscat.LIBCMT ref: 009DC9DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 009DC9F5
SendMessageW.USER32(?,000000B0,?,?), ref: 009DCA0E
SendMessageW.USER32(?,000000B1,?,?), ref: 009DCA25
SendMessageW.USER32(?,000000B1,?,?), ref: 009DCA47
DragFinish.SHELL32(?), ref: 009DCA4E
NtdllDialogWndProc_W.USER32(?,00000233,?,00000000,?,?,?), ref: 009DCB41

Strings

@GUI_DROPID, xrefs: 009DCA6E
@GUI_DRAGFILE, xrefs: 009DCAF0
@GUI_DRAGID, xrefs: 009DCAB9

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientDialogFinishLongNtdllPointProc_Screen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 2166380349-3440237614
Opcode ID: c40560a65bfa31bb3df2be26486c0fb724fbbc5049b58b9b9c8ad8e4711c5340
Instruction ID: 00b3946fdae98d025e5425446b1939705f3f47129cbe8cdaec3ceddff5718093
Opcode Fuzzy Hash: c40560a65bfa31bb3df2be26486c0fb724fbbc5049b58b9b9c8ad8e4711c5340
Instruction Fuzzy Hash: E7617C71548301AFC701DF65DC95E9FBBE8EFC8710F004A2EF992922A1DB309A49CB52

Uniqueness

Uniqueness Score: -1.00%

Function 009BF35D Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,766861D0,?,00000000), ref: 009BF37E
_wcscmp.LIBCMT ref: 009BF393
_wcscmp.LIBCMT ref: 009BF3AA

Part of subcall function 009B45C1: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 009B45DC

FindNextFileW.KERNEL32(00000000,?), ref: 009BF3D9
FindClose.KERNEL32(00000000), ref: 009BF3E4
FindFirstFileW.KERNEL32(*.*,?), ref: 009BF400
_wcscmp.LIBCMT ref: 009BF427
_wcscmp.LIBCMT ref: 009BF43E
SetCurrentDirectoryW.KERNEL32(?), ref: 009BF450
SetCurrentDirectoryW.KERNEL32(00A0A5A0), ref: 009BF46E
FindNextFileW.KERNEL32(00000000,00000010), ref: 009BF478
FindClose.KERNEL32(00000000), ref: 009BF485
FindClose.KERNEL32(00000000), ref: 009BF497

Strings

*.*, xrefs: 009BF3FB

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: 8f40994cc9b5989f34953a212c30811403e3539bb9dc90862b7db2338f39595d
Instruction ID: 2fb081f8e07a9289ed0f771968fd002c7081e9b7d52b5f2ecc1986d6bd236bf8
Opcode Fuzzy Hash: 8f40994cc9b5989f34953a212c30811403e3539bb9dc90862b7db2338f39595d
Instruction Fuzzy Hash: BD31163250121D6FCF10AB64EDA9ADE77ADAF49370F108276E854E30E0DB30DE84DA64

Uniqueness

Uniqueness Score: -1.00%

Function 009DC49C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windownativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00952612: GetWindowLongW.USER32(?,000000EB), ref: 00952623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 009DC4EC
GetFocus.USER32 ref: 009DC4FC
GetDlgCtrlID.USER32 ref: 009DC507
_memset.LIBCMT ref: 009DC632
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 009DC65D
GetMenuItemCount.USER32 ref: 009DC67D
GetMenuItemID.USER32(?,00000000), ref: 009DC690
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 009DC6C4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 009DC70C
CheckMenuRadioItem.USER32 ref: 009DC744
NtdllDialogWndProc_W.USER32(?,00000111,?,?,?,?,?,?,?), ref: 009DC779

Strings

0, xrefs: 009DC62A

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlDialogFocusLongMessageNtdllPostProc_RadioWindow_memset
String ID: 0
API String ID: 3616455698-4108050209
Opcode ID: 37e2588095e9dc7f6f8e67c43d0ec69be7f1ece14b317600763c760eb0857dff
Instruction ID: 129efd8d8fc5ae4048acc8a7446d746a4f08361b9597c6048901e6ee7f402704
Opcode Fuzzy Hash: 37e2588095e9dc7f6f8e67c43d0ec69be7f1ece14b317600763c760eb0857dff
Instruction Fuzzy Hash: 1D817DB0649302AFD710CF14D985AABBBE8FB88314F00892EF99597391D730E945DF92

Uniqueness

Uniqueness Score: -1.00%

Function 009A81F7 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 009A874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 009A8766
Part of subcall function 009A874A: GetLastError.KERNEL32(?,009A822A,?,?,?), ref: 009A8770
Part of subcall function 009A874A: GetProcessHeap.KERNEL32(00000008,?,?,009A822A,?,?,?), ref: 009A877F
Part of subcall function 009A874A: RtlAllocateHeap.KERNEL32(00000000,?,009A822A,?,?,?), ref: 009A8786
Part of subcall function 009A874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 009A879D

Part of subcall function 009A87E7: GetProcessHeap.KERNEL32(00000008,009A8240,00000000,00000000,?,009A8240,?), ref: 009A87F3
Part of subcall function 009A87E7: RtlAllocateHeap.KERNEL32(00000000,?,009A8240,?), ref: 009A87FA
Part of subcall function 009A87E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,009A8240,?), ref: 009A880B

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 009A825B
_memset.LIBCMT ref: 009A8270
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 009A828F
GetLengthSid.ADVAPI32(?), ref: 009A82A0
GetAce.ADVAPI32(?,00000000,?), ref: 009A82DD
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 009A82F9
GetLengthSid.ADVAPI32(?), ref: 009A8316
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 009A8325
RtlAllocateHeap.KERNEL32(00000000), ref: 009A832C
GetLengthSid.ADVAPI32(?,00000008,?), ref: 009A834D
CopySid.ADVAPI32(00000000), ref: 009A8354
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 009A8385
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 009A83AB
SetUserObjectSecurity.USER32 ref: 009A83BF

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: HeapSecurity$AllocateDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 2347767575-0
Opcode ID: 8ae29ac40aa8a61e9062aa8bc1442700e195f7a36978365ff494296738d1ec45
Instruction ID: 6ebd052231022c1d0e46f9a3533f42e2e2a5c8424405bbdfaf17759070f3c2e7
Opcode Fuzzy Hash: 8ae29ac40aa8a61e9062aa8bc1442700e195f7a36978365ff494296738d1ec45
Instruction Fuzzy Hash: 03615B71904209EBDF009FA5DC59AAEBBB9FF05700F04816AE816A7291DB319A45DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 009D0665 Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 009D10A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,009D0038,?,?), ref: 009D10BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 009D0737

Part of subcall function 00959997: __itow.LIBCMT ref: 009599C2
Part of subcall function 00959997: __swprintf.LIBCMT ref: 00959A0C

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 009D07D6
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 009D086E
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 009D0AAD
RegCloseKey.ADVAPI32(00000000), ref: 009D0ABA

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: 367d652553db07668477abe4e6bb6c7388ed0fee2923af2ecd98a9580d31c4d7
Instruction ID: 63c0658907e6da76061bb1dcf3b6ca185d900ee75569bdc85a996df4b49c5b41
Opcode Fuzzy Hash: 367d652553db07668477abe4e6bb6c7388ed0fee2923af2ecd98a9580d31c4d7
Instruction Fuzzy Hash: 8AE13E31604210AFCB14DF29C995E6ABBE8EFC9714F04C96EF84ADB361DA30E945CB51

Uniqueness

Uniqueness Score: -1.00%

Function 009DC27C Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149nativewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00952612: GetWindowLongW.USER32(?,000000EB), ref: 00952623

Part of subcall function 00952344: GetCursorPos.USER32(?,?,00A167B0,?,00A167B0,00A167B0,?,009DC247,00000000,00000001,?,?,?,0098BC4F,?,?), ref: 00952357
Part of subcall function 00952344: ScreenToClient.USER32 ref: 00952374
Part of subcall function 00952344: GetAsyncKeyState.USER32(00000001), ref: 00952399
Part of subcall function 00952344: GetAsyncKeyState.USER32(00000002), ref: 009523A7

6F83B200.COMCTL32(00000000,00000000,00000001,?,?), ref: 009DC2E4
6F83B5E0.COMCTL32 ref: 009DC2EA
ReleaseCapture.USER32 ref: 009DC2F0
SetWindowTextW.USER32(?,00000000), ref: 009DC39A
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 009DC3AD
NtdllDialogWndProc_W.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 009DC48F

Strings

@GUI_DROPID, xrefs: 009DC3E1
@GUI_DRAGFILE, xrefs: 009DC424

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: AsyncStateWindow$B200CaptureClientCursorDialogLongMessageNtdllProc_ReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 2232639836-2107944366
Opcode ID: 720132cb7342308bd50189eea685fb2a383d04af794ba232155909c365804cb6
Instruction ID: 8fb716529fa41163a72b99add23fd6a3e65f5310d0cb9816d12b78e870344909
Opcode Fuzzy Hash: 720132cb7342308bd50189eea685fb2a383d04af794ba232155909c365804cb6
Instruction Fuzzy Hash: BF518E70244305AFD700DF24C856FAA7BF5EB88310F00852EF9969B2E1DB70A949CB52

Uniqueness

Uniqueness Score: -1.00%

Function 009BF65E Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00957F41: _memmove.LIBCMT ref: 00957F82

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 009BF6AB
Sleep.KERNEL32(0000000A), ref: 009BF6DB
_wcscmp.LIBCMT ref: 009BF6EF
_wcscmp.LIBCMT ref: 009BF70A
FindNextFileW.KERNEL32(?,?), ref: 009BF7A8
FindClose.KERNEL32(00000000), ref: 009BF7BE

Strings

*.*, xrefs: 009BF690

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: 577a9d6afe053ad78bed08a29426e6043d58f4d5f68d33963f9ec80bd196c23d
Instruction ID: 3381775ef007fd2a6624c28e16714c04005ce8d76b7609b36569d3204a229501
Opcode Fuzzy Hash: 577a9d6afe053ad78bed08a29426e6043d58f4d5f68d33963f9ec80bd196c23d
Instruction Fuzzy Hash: 68416471904219AFCF15DF64CDA9AEEBBB8FF45320F1445A6E815A31A1DB309E44CB90

Uniqueness

Uniqueness Score: -1.00%

Function 009DD74C Relevance: 12.3, APIs: 8, Instructions: 257windownativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00952612: GetWindowLongW.USER32(?,000000EB), ref: 00952623

GetSystemMetrics.USER32 ref: 009DD78A
GetSystemMetrics.USER32 ref: 009DD7AA
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 009DD9E5
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 009DDA03
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 009DDA24
ShowWindow.USER32(00000003,00000000), ref: 009DDA43
InvalidateRect.USER32(?,00000000,00000001), ref: 009DDA68
NtdllDialogWndProc_W.USER32(?,00000005,?,?), ref: 009DDA8B

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$DialogInvalidateLongMoveNtdllProc_RectShow
String ID:
API String ID: 830902736-0
Opcode ID: ab9e16366de035510c7569f33e9a309939125fa1d8ba3f3e3daf476cded1ab4d
Instruction ID: 51ac2b930054eb4d8dd019f85c405d6cf5e691f30f7aeeeebf1689861896e2a0
Opcode Fuzzy Hash: ab9e16366de035510c7569f33e9a309939125fa1d8ba3f3e3daf476cded1ab4d
Instruction Fuzzy Hash: 42B19871642229EFDF14CF68C9957BD7BB5BF08701F08C06AEC489B295D735AA90CB90

Uniqueness

Uniqueness Score: -1.00%

Function 009B545F Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 009A8CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 009A8D0D
Part of subcall function 009A8CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 009A8D3A
Part of subcall function 009A8CC3: GetLastError.KERNEL32 ref: 009A8D47

ExitWindowsEx.USER32(?,00000000), ref: 009B549B

Strings

SeShutdownPrivilege, xrefs: 009B546B
, xrefs: 009B5489
@, xrefs: 009B548E

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: c2f2c8c72369781ff62314c23054e818e61c8967bda0ba16a2fa01d985aa48db
Instruction ID: d84f70ee917795bb1f456c37f7c464aeaaf132036f6c674c47e73ab20d9b64c6
Opcode Fuzzy Hash: c2f2c8c72369781ff62314c23054e818e61c8967bda0ba16a2fa01d985aa48db
Instruction Fuzzy Hash: 1601F731695B156AE7286774EE8BBFB735DEB05372F250921FD07D60F2DA941C808190

Uniqueness

Uniqueness Score: -1.00%

Function 009C6596 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 009C65EF
WSAGetLastError.WSOCK32(00000000), ref: 009C65FE
bind.WSOCK32(00000000,?,00000010), ref: 009C661A
listen.WSOCK32(00000000,00000005), ref: 009C6629
WSAGetLastError.WSOCK32(00000000), ref: 009C6643
closesocket.WSOCK32(00000000,00000000), ref: 009C6657

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 00c09243c23edec969c7182ae4b6ea6c9532553d87cb885828d3175c4d3b58a6
Instruction ID: 58dcd160d3c38ac0eb1793cc5021c5ccb1d0bc69e6223f7d689332dd6f9424e9
Opcode Fuzzy Hash: 00c09243c23edec969c7182ae4b6ea6c9532553d87cb885828d3175c4d3b58a6
Instruction Fuzzy Hash: 2421CE316402009FDB00EF24C95AF6EB7A9EF85320F14815AE957A73D1CB30AD44DB52

Uniqueness

Uniqueness Score: -1.00%

Function 00951287 Relevance: 7.9, APIs: 5, Instructions: 379nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00952612: GetWindowLongW.USER32(?,000000EB), ref: 00952623

NtdllDialogWndProc_W.USER32(?,?,?,?,?), ref: 009519FA
GetSysColor.USER32(0000000F), ref: 00951A4E
SetBkColor.GDI32(?,00000000), ref: 00951A61

Part of subcall function 00951290: NtdllDialogWndProc_W.USER32(?,00000020,?), ref: 009512D8

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: ColorDialogNtdllProc_$LongWindow
String ID:
API String ID: 591255283-0
Opcode ID: 9d59790ebc31c032d9948d147a7fdf22eba2406d263068ecbc07b0ebea7032fd
Instruction ID: 31d5fb94127b1789c06f8bbf3273eb948b0b2a8fa4cfea76ad83e50956e57e44
Opcode Fuzzy Hash: 9d59790ebc31c032d9948d147a7fdf22eba2406d263068ecbc07b0ebea7032fd
Instruction Fuzzy Hash: A2A159B5106585BADB3AFB2B5C55FBF259CDB82343F18451AFC02D62A1CA28CD09D3B1

Uniqueness

Uniqueness Score: -1.00%

Function 009D55FD Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 009D564C
IsWindowEnabled.USER32 ref: 009D565A
GetForegroundWindow.USER32(?,?,00000001), ref: 009D5667
IsIconic.USER32 ref: 009D5675
IsZoomed.USER32 ref: 009D5683

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: b993333725944e95f3b07a02245465d6e34a3994b5da20200f09da194fa4406a
Instruction ID: 0fbdc50708b9a25e94faa5025ac0f6662edb96b5d473515b5465730e0e42fff0
Opcode Fuzzy Hash: b993333725944e95f3b07a02245465d6e34a3994b5da20200f09da194fa4406a
Instruction Fuzzy Hash: A9119D32385A106BEB215F26DC55B2ABB9CEF94761B86842AF806D7341CB30D9418BA4

Uniqueness

Uniqueness Score: -1.00%

Function 009DC788 Relevance: 6.1, APIs: 4, Instructions: 83nativewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00952612: GetWindowLongW.USER32(?,000000EB), ref: 00952623

GetCursorPos.USER32(?,?,?,?,?,?,?,?,0098BBFB,?,?,?,?,?), ref: 009DC7C2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0098BBFB,?,?,?,?,?), ref: 009DC7D7
GetCursorPos.USER32(?,?,?,?,?,?,?,?,?,0098BBFB,?,?,?,?,?), ref: 009DC824
NtdllDialogWndProc_W.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0098BBFB,?,?,?), ref: 009DC85E

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: Cursor$DialogLongMenuNtdllPopupProc_TrackWindow
String ID:
API String ID: 1423138444-0
Opcode ID: 0940220d5f3b0b55eb53037a0f0ed79e36a5350e6dec33aef3e973b48601301c
Instruction ID: 83f247763e3ea219be5eb271c843558f3c2f9f3ea08fd92b0f28b5e5bd11555c
Opcode Fuzzy Hash: 0940220d5f3b0b55eb53037a0f0ed79e36a5350e6dec33aef3e973b48601301c
Instruction Fuzzy Hash: 91319175645018BFCB15CF99D898EFA7BBAEB49310F04806AF9068B261C7319D51EFA0

Uniqueness

Uniqueness Score: -1.00%

Function 009B40B1 Relevance: 6.1, APIs: 4, Instructions: 65fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 009B40D1
_memset.LIBCMT ref: 009B40F2
DeviceIoControl.KERNEL32 ref: 009B4144
CloseHandle.KERNEL32(00000000), ref: 009B414D

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle_memset
String ID:
API String ID: 1157408455-0
Opcode ID: 2c92116601b9ed0c41cfce17d1fba692fb2555377f4e6c17514dc374208ee06c
Instruction ID: 878c7b7cf5727a97cc379d3f0716d03ac820434fa5acf852c14a22b78ca32938
Opcode Fuzzy Hash: 2c92116601b9ed0c41cfce17d1fba692fb2555377f4e6c17514dc374208ee06c
Instruction Fuzzy Hash: 8511A775D422287AD7309BA5AC4DFEBBB7CEF44760F1045AAF908D7280D6744F809BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00951290 Relevance: 6.1, APIs: 4, Instructions: 59nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00952612: GetWindowLongW.USER32(?,000000EB), ref: 00952623

NtdllDialogWndProc_W.USER32(?,00000020,?), ref: 009512D8
GetClientRect.USER32 ref: 0098B84B
GetCursorPos.USER32(?), ref: 0098B855
ScreenToClient.USER32 ref: 0098B860

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: Client$CursorDialogLongNtdllProc_RectScreenWindow
String ID:
API String ID: 1010295502-0
Opcode ID: 748ea694f3bc3b1843524d1d5bf6286805af0152644706a960755063cfd81d7f
Instruction ID: 65657dc138f948ec3a74fa947426f169dcee3726701c57229ed16401d26ca733
Opcode Fuzzy Hash: 748ea694f3bc3b1843524d1d5bf6286805af0152644706a960755063cfd81d7f
Instruction Fuzzy Hash: DF114C35A01019BFCB00EF95D886AFE77B8FB45302F404456F912E7250C730BA95DBA6

Uniqueness

Uniqueness Score: -1.00%

Function 009C25E2 Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000), ref: 009C26D5
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 009C270C

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 25b59ad8ab32222bc74f1c0d75afa8015b7daeda5a362200de3f387bd2d2e208
Instruction ID: 502db50c3984e2f4f36dbee1719da90001ddeb1a9979ac7a5334ae80e8437a6f
Opcode Fuzzy Hash: 25b59ad8ab32222bc74f1c0d75afa8015b7daeda5a362200de3f387bd2d2e208
Instruction Fuzzy Hash: E841E271D04309BFEB20DB94DDC5FBBB7BCEB40724F10406EF605A6140EA75AE419A62

Uniqueness

Uniqueness Score: -1.00%

Function 009BB59E Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 009BB5AE
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 009BB608
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 009BB655

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 8669a5f77ea2c34173235ca660097dfb6ffcde3f7f89721f7e57a1d71785089e
Instruction ID: 036b623ee83479a186ffddbc228d8baa0ee049f620642051965b58d811ea4c01
Opcode Fuzzy Hash: 8669a5f77ea2c34173235ca660097dfb6ffcde3f7f89721f7e57a1d71785089e
Instruction Fuzzy Hash: 52217435A10118EFCB00DF65D991EEDBBB8FF88311F1480A9E906AB351DB319956CB51

Uniqueness

Uniqueness Score: -1.00%

Function 009B4696 Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0098E7C1), ref: 009B46A6
FindFirstFileW.KERNEL32(?,?), ref: 009B46B7
FindClose.KERNEL32(00000000), ref: 009B46C7

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 5441959979d833405e448a2405b09d744ec3ef37a36af0da2861923fb822f548
Instruction ID: 23f1e91add930f680484767f86841e4ff4a5d17dc8822fc995f2c72c8571b693
Opcode Fuzzy Hash: 5441959979d833405e448a2405b09d744ec3ef37a36af0da2861923fb822f548
Instruction Fuzzy Hash: 7AE020324254009BC210673CED5E4FA775CDE06375F100717F936C10E0E7B05D90A5D5

Uniqueness

Uniqueness Score: -1.00%

Function 009BC93C Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 009BC966
FindClose.KERNEL32(00000000), ref: 009BC996

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: fbf67ad0164d2cfe2bcc92e2aced08be2ce24268102236b60be9db04a822d96a
Instruction ID: 6a07578dc6316a68def35df20660224d1250d53683b1829a1deaffc2f3175f5b
Opcode Fuzzy Hash: fbf67ad0164d2cfe2bcc92e2aced08be2ce24268102236b60be9db04a822d96a
Instruction Fuzzy Hash: 9B11C8726102009FDB10DF29C845A2AF7E9FF84321F04851EF8A6D7391DB30AC04CB91

Uniqueness

Uniqueness Score: -1.00%

Function 009A8713 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,009A8851), ref: 009A8728
CloseHandle.KERNEL32(?,?,009A8851), ref: 009A873A

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 3809d72ed164a6f3c86802a4ce49872e474fab92cef5a46b40d4a1c74a8a2ae1
Instruction ID: 64faefc9deade5f81b40199422fedf7c5c24669417756a5fb6abef5f1ca57a42
Opcode Fuzzy Hash: 3809d72ed164a6f3c86802a4ce49872e474fab92cef5a46b40d4a1c74a8a2ae1
Instruction Fuzzy Hash: 62E0B676025610EFE7252B64EC09E77BBE9EB44350725C82AF49A80470DB62ACD0EB50

Uniqueness

Uniqueness Score: -1.00%

Function 009C41FD Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 009C4218

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 18ef39c27c36039233dba67bdb313ccb3900d591b84a1313edd16ec27fd5aa35
Instruction ID: c22b1508852f4103d289004c0c4228782a4f91795686c732bcafe6c4186f68f8
Opcode Fuzzy Hash: 18ef39c27c36039233dba67bdb313ccb3900d591b84a1313edd16ec27fd5aa35
Instruction Fuzzy Hash: F9E01A312502149FDB10EF5AD855F9AB7E8AF94761F00842AFC4AC7652DA70EC448BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00992230 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00992242

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 12411829e258125fe225bff82ce76da7bf5e08cf307f91949552c40fe99a6590
Instruction ID: 14f479f551613085dccf8def9e5b86ed1267b26b01a0f8adeade20785605443b
Opcode Fuzzy Hash: 12411829e258125fe225bff82ce76da7bf5e08cf307f91949552c40fe99a6590
Instruction Fuzzy Hash: 33C048F581510AEBDB05DBA0DA98DEEB7BCBB08304F2044A6A102F2100E7789B849A71

Uniqueness

Uniqueness Score: -1.00%

Function 009D37F3 Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,009DF910), ref: 009D38AF
IsWindowVisible.USER32 ref: 009D38D3

Strings

SETCURRENTSELECTION, xrefs: 009D3A3E
GETLINECOUNT, xrefs: 009D3B4E
GETSELECTED, xrefs: 009D3B2B
FINDSTRING, xrefs: 009D39FE
ADDSTRING, xrefs: 009D399E
ISVISIBLE, xrefs: 009D38BF
ISENABLED, xrefs: 009D38F3
ISCHECKED, xrefs: 009D3AC1
HIDEDROPDOWN, xrefs: 009D3988
DELSTRING, xrefs: 009D39D1
GETCURRENTCOL, xrefs: 009D3BB0
UNCHECK, xrefs: 009D3B0B
GETLINE, xrefs: 009D3C23
TABRIGHT, xrefs: 009D3925
GETCURRENTLINE, xrefs: 009D3B75
SENDCOMMANDID, xrefs: 009D3C62
SHOWDROPDOWN, xrefs: 009D3968
SELECTSTRING, xrefs: 009D3A8E
TABLEFT, xrefs: 009D390F
EDITPASTE, xrefs: 009D3BE7
GETCURRENTSELECTION, xrefs: 009D3A6B
CHECK, xrefs: 009D3AF5
CURRENTTAB, xrefs: 009D3945

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: 82fdce1d37b57b2438621139eaf2d15a66052ecb8a72ead4db39979bf50eba3b
Instruction ID: cf82dcf9d0ce3f25f24301dba48d26b2af7ee0ac9d2eb03ccfaf032c43b95224
Opcode Fuzzy Hash: 82fdce1d37b57b2438621139eaf2d15a66052ecb8a72ead4db39979bf50eba3b
Instruction Fuzzy Hash: D3D1A130254309DBCB14EF20C551B6A77A5AFD5345F14C85ABC8A5B3E2CB35EE0ACB92

Uniqueness

Uniqueness Score: -1.00%

Function 009DA849 Relevance: 49.8, APIs: 33, Instructions: 274COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 009DA89F
GetSysColorBrush.USER32(0000000F), ref: 009DA8D0
GetSysColor.USER32(0000000F), ref: 009DA8DC
SetBkColor.GDI32(?,000000FF), ref: 009DA8F6
SelectObject.GDI32(?,?), ref: 009DA905
InflateRect.USER32(?,000000FF,000000FF), ref: 009DA930
GetSysColor.USER32(00000010), ref: 009DA938
CreateSolidBrush.GDI32(00000000), ref: 009DA93F
FrameRect.USER32 ref: 009DA94E
DeleteObject.GDI32(00000000), ref: 009DA955
InflateRect.USER32(?,000000FE,000000FE), ref: 009DA9A0
FillRect.USER32 ref: 009DA9D2
GetWindowLongW.USER32(?,000000F0), ref: 009DA9FD

Part of subcall function 009DAB60: GetSysColor.USER32(00000012), ref: 009DAB99
Part of subcall function 009DAB60: SetTextColor.GDI32(?,?), ref: 009DAB9D
Part of subcall function 009DAB60: GetSysColorBrush.USER32(0000000F), ref: 009DABB3
Part of subcall function 009DAB60: GetSysColor.USER32(0000000F), ref: 009DABBE
Part of subcall function 009DAB60: GetSysColor.USER32(00000011), ref: 009DABDB
Part of subcall function 009DAB60: CreatePen.GDI32(00000000,00000001,00743C00), ref: 009DABE9
Part of subcall function 009DAB60: SelectObject.GDI32(?,00000000), ref: 009DABFA
Part of subcall function 009DAB60: SetBkColor.GDI32(?,00000000), ref: 009DAC03
Part of subcall function 009DAB60: SelectObject.GDI32(?,?), ref: 009DAC10
Part of subcall function 009DAB60: InflateRect.USER32(?,000000FF,000000FF), ref: 009DAC2F
Part of subcall function 009DAB60: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 009DAC46
Part of subcall function 009DAB60: GetWindowLongW.USER32(00000000,000000F0), ref: 009DAC5B

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 80d413389feaddd6055e9a84d9312a0facf52397e78b22ea0d4d3d2ee892b84d
Instruction ID: 9cce99a44b54ecad9e3a7b0a58d7150c1a09d76edbaeeabfe6f6b2e7f5bcb7ab
Opcode Fuzzy Hash: 80d413389feaddd6055e9a84d9312a0facf52397e78b22ea0d4d3d2ee892b84d
Instruction Fuzzy Hash: 7CA1A37205D301EFDB109F64DC19A6B7BA9FF88321F108B2AF962961E0D734D984DB52

Uniqueness

Uniqueness Score: -1.00%

Function 009C77BE Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 009C77F1
SystemParametersInfoW.USER32 ref: 009C78B0
SetRect.USER32 ref: 009C78EE
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 009C7900
CreateWindowExW.USER32 ref: 009C7946
GetClientRect.USER32 ref: 009C7952
CreateWindowExW.USER32 ref: 009C7996
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 009C79A5
GetStockObject.GDI32(00000011), ref: 009C79B5
SelectObject.GDI32(00000000,00000000), ref: 009C79B9
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 009C79C9
GetDeviceCaps.GDI32(00000000,0000005A), ref: 009C79D2
DeleteDC.GDI32(00000000), ref: 009C79DB
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?,?,50000000), ref: 009C7A07
SendMessageW.USER32(00000030,00000000,00000001), ref: 009C7A1E
CreateWindowExW.USER32 ref: 009C7A59
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 009C7A6D
SendMessageW.USER32(00000404,00000001,00000000), ref: 009C7A7E
CreateWindowExW.USER32 ref: 009C7AAE
GetStockObject.GDI32(00000011), ref: 009C7AB9
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 009C7AC4
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 009C7ACE

Strings

msctls_progress32, xrefs: 009C7A4F
AutoIt v3, xrefs: 009C793E
DISPLAY, xrefs: 009C799B
static, xrefs: 009C7990, 009C7AA8

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 077f48f47d90ace727fb382cd4748a26ab5c165ab117cbbf3081c44e32b48c4c
Instruction ID: 693e9bac9865404bec2111ade9b3a9d84e934d4c9a3a85b5f494a3cec54477ea
Opcode Fuzzy Hash: 077f48f47d90ace727fb382cd4748a26ab5c165ab117cbbf3081c44e32b48c4c
Instruction Fuzzy Hash: 0EA15E71A50219BFEB14DBA4DC5AFEABBA9EB44710F048119FA15E72E0C770AD41CB60

Uniqueness

Uniqueness Score: -1.00%

Function 009B46D6 Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

73921580.VERSION(?,?), ref: 009B46E8
739215A0.VERSION(?,00000000,00000000,00000000,?,?), ref: 009B470E
_wcscpy.LIBCMT ref: 009B473C
_wcscmp.LIBCMT ref: 009B4747
_wcscat.LIBCMT ref: 009B475D
_wcsstr.LIBCMT ref: 009B4768
73921520.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 009B4784
_wcscat.LIBCMT ref: 009B47CD
_wcscat.LIBCMT ref: 009B47D4
_wcsncpy.LIBCMT ref: 009B47FF

Strings

StringFileInfo\, xrefs: 009B4757
DefaultLangCodepage, xrefs: 009B47E7
%u.%u.%u.%u, xrefs: 009B4862
\VarFileInfo\Translation, xrefs: 009B477C
04090000, xrefs: 009B47BA

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: _wcscat$7392157392152073921580_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 318435120-1459072770
Opcode ID: 5656245c3daec5b4932862c1072748b93a29899637155978c75dcf218eefd357
Instruction ID: 7d6952e444f31002e60ad78f0dbee6e6431fb788f0e42ffd6f3dd1b7e8f3060a
Opcode Fuzzy Hash: 5656245c3daec5b4932862c1072748b93a29899637155978c75dcf218eefd357
Instruction Fuzzy Hash: 60414837614214BBDB10A7649C43FFF77BCEF85720F048066F909E6183EB34AA40A6A5

Uniqueness

Uniqueness Score: -1.00%

Function 009527D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32 ref: 009528BC
GetSystemMetrics.USER32 ref: 009528C4
SystemParametersInfoW.USER32 ref: 009528EF
GetSystemMetrics.USER32 ref: 009528F7
GetSystemMetrics.USER32 ref: 0095291C
SetRect.USER32 ref: 00952939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00952949
CreateWindowExW.USER32 ref: 0095297C
SetWindowLongW.USER32 ref: 00952990
GetClientRect.USER32 ref: 009529AE
GetStockObject.GDI32(00000011), ref: 009529CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 009529D5

Part of subcall function 00952344: GetCursorPos.USER32(?,?,00A167B0,?,00A167B0,00A167B0,?,009DC247,00000000,00000001,?,?,?,0098BC4F,?,?), ref: 00952357
Part of subcall function 00952344: ScreenToClient.USER32 ref: 00952374
Part of subcall function 00952344: GetAsyncKeyState.USER32(00000001), ref: 00952399
Part of subcall function 00952344: GetAsyncKeyState.USER32(00000002), ref: 009523A7

SetTimer.USER32 ref: 009529FC

Strings

AutoIt v3 GUI, xrefs: 00952974

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: c8bca023f5ce924f6f47c3e99c7275742e72ae1dc07ce6645066d81c380b366b
Instruction ID: e097afc294b2ab47f32be57ce035c6664d310be68a6ab181e23b1526972266e8
Opcode Fuzzy Hash: c8bca023f5ce924f6f47c3e99c7275742e72ae1dc07ce6645066d81c380b366b
Instruction Fuzzy Hash: B1B17C71A4020AAFDB14DFA9DC55BEE7BB4FB48315F10812AFA16E7290DB34A845CB50

Uniqueness

Uniqueness Score: -1.00%

Function 009D4069 Relevance: 28.3, APIs: 3, Strings: 13, Instructions: 283windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 009D40F6
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 009D41B6

Strings

GETSELECTEDCOUNT, xrefs: 009D4199
SELECTCLEAR, xrefs: 009D4235
GETSELECTED, xrefs: 009D42E4
ISSELECTED, xrefs: 009D41C1
FINDITEM, xrefs: 009D4329
GETITEMCOUNT, xrefs: 009D4128
DESELECT, xrefs: 009D42A4
GETTEXT, xrefs: 009D415F
SELECTINVERT, xrefs: 009D4286
SELECT, xrefs: 009D4250
GETSUBITEMCOUNT, xrefs: 009D4141
SELECTALL, xrefs: 009D421D
VIEWCHANGE, xrefs: 009D4375

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 3974292440-719923060
Opcode ID: df8affe2f9b10edb21a74476d70bbe5e233767c9323ecc1ae8d6ec1b796cf774
Instruction ID: 2f74246a366d0ac034120e59506dd9f511b749338797a3bb7c99281e1889ecab
Opcode Fuzzy Hash: df8affe2f9b10edb21a74476d70bbe5e233767c9323ecc1ae8d6ec1b796cf774
Instruction Fuzzy Hash: 46A19E30254305DBCB14EF24CA51B6AB3A5BFC5314F14896EB8AA9B7D2DB30EC09CB51

Uniqueness

Uniqueness Score: -1.00%

Function 009C52F0 Relevance: 27.1, APIs: 18, Instructions: 124COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 009C5309
LoadCursorW.USER32(00000000,00007F8A), ref: 009C5314
LoadCursorW.USER32(00000000,00007F00), ref: 009C531F
LoadCursorW.USER32(00000000,00007F03), ref: 009C532A
LoadCursorW.USER32(00000000,00007F8B), ref: 009C5335
LoadCursorW.USER32(00000000,00007F01), ref: 009C5340
LoadCursorW.USER32(00000000,00007F81), ref: 009C534B
LoadCursorW.USER32(00000000,00007F88), ref: 009C5356
LoadCursorW.USER32(00000000,00007F80), ref: 009C5361
LoadCursorW.USER32(00000000,00007F86), ref: 009C536C
LoadCursorW.USER32(00000000,00007F83), ref: 009C5377
LoadCursorW.USER32(00000000,00007F85), ref: 009C5382
LoadCursorW.USER32(00000000,00007F82), ref: 009C538D
LoadCursorW.USER32(00000000,00007F84), ref: 009C5398
LoadCursorW.USER32(00000000,00007F04), ref: 009C53A3
LoadCursorW.USER32(00000000,00007F02), ref: 009C53AE
GetCursorInfo.USER32(?), ref: 009C53BE
GetLastError.KERNEL32(00000001,00000000), ref: 009C53E9

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 205f6bdf9212296b87f86d907b3e376965a88cec92be6a5da3e69fe2465025ec
Instruction ID: ad184093e0e314c1b8e4fef975e943a99a3c5e5c349fab5cf3317ae684edd410
Opcode Fuzzy Hash: 205f6bdf9212296b87f86d907b3e376965a88cec92be6a5da3e69fe2465025ec
Instruction Fuzzy Hash: 5C417470E083196ADB109FB68C49D6FFFB8EF51B50B10452FE509E7291DAB8A440CE61

Uniqueness

Uniqueness Score: -1.00%

Function 009AB397 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32 ref: 009AB3DB
_wcscmp.LIBCMT ref: 009AB3EC
GetWindowTextW.USER32 ref: 009AB414
CharUpperBuffW.USER32(?,00000000), ref: 009AB431
_wcscmp.LIBCMT ref: 009AB44F
_wcsstr.LIBCMT ref: 009AB460
GetClassNameW.USER32 ref: 009AB498
_wcscmp.LIBCMT ref: 009AB4A8
GetWindowTextW.USER32 ref: 009AB4CF
GetClassNameW.USER32 ref: 009AB518
_wcscmp.LIBCMT ref: 009AB528
GetClassNameW.USER32 ref: 009AB550
GetWindowRect.USER32 ref: 009AB5B9

Strings

@, xrefs: 009AB3BC
ThumbnailClass, xrefs: 009AB4A3, 009AB523

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: 20f76f3be6fb1b53bdd0e32ffcabd6aeaa70f0721472597e3d937b537ac07444
Instruction ID: b6171fea834baa2d5d98fd65e26a4f2a6a609c2e21f372942a812f2600b5f993
Opcode Fuzzy Hash: 20f76f3be6fb1b53bdd0e32ffcabd6aeaa70f0721472597e3d937b537ac07444
Instruction Fuzzy Hash: DB819F710083099BDB04DF10D895FAA7BECEF85314F04856AFD899A0A3DB34DD49DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 009AB1E0 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 009AB23F

Strings

[HANDLE:, xrefs: 009AB24B
ALL, xrefs: 009AB2D3
[LAST, xrefs: 009AB2EC
ACTIVE, xrefs: 009AB21A
REGEXP=, xrefs: 009AB254
[CLASS:, xrefs: 009AB28F
[ACTIVE, xrefs: 009AB22C
HANDLE=, xrefs: 009AB238
LAST, xrefs: 009AB204
CLASSNAME=, xrefs: 009AB27C
[REGEXPTITLE:, xrefs: 009AB267
[ALL, xrefs: 009AB2E5

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: a24022ab5030cfbbd2e1aa703fbe3cc937ca74ef3adb8b817e5fb5c4c4fd2405
Instruction ID: bf044c023238d7c72eb937df9131aef28ccddf2e70ec499f8709d06a2dc9439b
Opcode Fuzzy Hash: a24022ab5030cfbbd2e1aa703fbe3cc937ca74ef3adb8b817e5fb5c4c4fd2405
Instruction Fuzzy Hash: 7C31E232908209B6DB14FA61ED43FEFB7A8AF61751F604825B815710E3EF526F08C691

Uniqueness

Uniqueness Score: -1.00%

Function 009AC4C1 Relevance: 25.7, APIs: 17, Instructions: 169windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 009AC4D4
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 009AC4E6
SetWindowTextW.USER32(?,?), ref: 009AC4FD
GetDlgItem.USER32 ref: 009AC512
SetWindowTextW.USER32(00000000,?), ref: 009AC518
GetDlgItem.USER32 ref: 009AC528
SetWindowTextW.USER32(00000000,?), ref: 009AC52E
SendDlgItemMessageW.USER32 ref: 009AC54F
SendDlgItemMessageW.USER32 ref: 009AC569
GetWindowRect.USER32 ref: 009AC572
SetWindowTextW.USER32(?,?), ref: 009AC5DD
GetDesktopWindow.USER32 ref: 009AC5E3
GetWindowRect.USER32 ref: 009AC5EA
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 009AC636
GetClientRect.USER32 ref: 009AC643
PostMessageW.USER32(?,00000005,00000000,00000000), ref: 009AC668
SetTimer.USER32 ref: 009AC693

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID:
API String ID: 3869813825-0
Opcode ID: 8a05bd6a58f238254fcd50ffec243e5b72e789b6ff0a30425c957691205da652
Instruction ID: 4c8cd73007c2fb6c5f4bd07e6fc17443108256a3ceeb0f7c5ada982801a270f6
Opcode Fuzzy Hash: 8a05bd6a58f238254fcd50ffec243e5b72e789b6ff0a30425c957691205da652
Instruction Fuzzy Hash: 51518070904709AFDB20DFA8CD8AB6EBBF5FF04705F004929F682A65A0C774E944DB40

Uniqueness

Uniqueness Score: -1.00%

Function 009DA428 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 009DA4C8
DestroyWindow.USER32(00000000,?), ref: 009DA542

Part of subcall function 00957D2C: _memmove.LIBCMT ref: 00957D66

CreateWindowExW.USER32 ref: 009DA5BC
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 009DA5DE
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 009DA5F1
DestroyWindow.USER32(00000000), ref: 009DA613
CreateWindowExW.USER32 ref: 009DA64A
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 009DA663
GetDesktopWindow.USER32 ref: 009DA67C
GetWindowRect.USER32 ref: 009DA683
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 009DA69B
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 009DA6B3

Part of subcall function 009525DB: GetWindowLongW.USER32(?,000000EB), ref: 009525EC

Strings

0, xrefs: 009DA4DE
tooltips_class32, xrefs: 009DA5B5, 009DA643

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: c3b84fbd1c5e3aa816f4cf766ad640cc9d42aa161678b06ec02fdff287d63c9f
Instruction ID: 5d41a3291f22b04a04ce541478b839c861e40c317f436b553465e329e92202be
Opcode Fuzzy Hash: c3b84fbd1c5e3aa816f4cf766ad640cc9d42aa161678b06ec02fdff287d63c9f
Instruction Fuzzy Hash: D2718B71184205AFD720CF28CC55FAA77E9EB88304F48892EF985873A0D771E956DB16

Uniqueness

Uniqueness Score: -1.00%

Function 009BA45A Relevance: 24.6, APIs: 10, Strings: 4, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 009BA47A
__swprintf.LIBCMT ref: 009BA49C
CreateDirectoryW.KERNEL32(?,00000000), ref: 009BA4D9
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 009BA4FE
_memset.LIBCMT ref: 009BA51D
_wcsncpy.LIBCMT ref: 009BA559
DeviceIoControl.KERNEL32 ref: 009BA58E
CloseHandle.KERNEL32(00000000), ref: 009BA599
RemoveDirectoryW.KERNEL32(?), ref: 009BA5A2
CloseHandle.KERNEL32(00000000), ref: 009BA5AC

Strings

:, xrefs: 009BA4BD
\, xrefs: 009BA4B2
\??\%s, xrefs: 009BA496
m, xrefs: 009BA5A2

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s$m
API String ID: 2733774712-2556854512
Opcode ID: 5b709320b2a94724e6d92a5045b4beaaeea28f2a569752b0cca893047cf63f58
Instruction ID: 5bdd4c1966ffa18a400f8622f9c3c45a0f6ea548e47b213b4b9caf7e75fdb8b2
Opcode Fuzzy Hash: 5b709320b2a94724e6d92a5045b4beaaeea28f2a569752b0cca893047cf63f58
Instruction Fuzzy Hash: 7B31B0B2644219ABDB209FA0DC49FEF73BCEF88751F1040B6FA09D2160E77097848B25

Uniqueness

Uniqueness Score: -1.00%

Function 009D4619 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 009D46AB
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 009D46F6

Strings

ISCHECKED, xrefs: 009D4879
GETTEXT, xrefs: 009D4849
UNCHECK, xrefs: 009D48D2
SELECT, xrefs: 009D48A7
GETSELECTED, xrefs: 009D4806
GETTOTALCOUNT, xrefs: 009D46DD
GETITEMCOUNT, xrefs: 009D47D8
COLLAPSE, xrefs: 009D473C
EXISTS, xrefs: 009D475F
CHECK, xrefs: 009D4716
EXPAND, xrefs: 009D47A8

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: 08d8667cb4cc79ebace7db472094f6d27ebe70522cafea6ab7f3da2f50194ea6
Instruction ID: 53e51a4255f66fca62ca64ecf64efa40a87a94d526d08b32bd20d23749a9916b
Opcode Fuzzy Hash: 08d8667cb4cc79ebace7db472094f6d27ebe70522cafea6ab7f3da2f50194ea6
Instruction Fuzzy Hash: 6A918A34204305DFCB14EF21C861B6AB7A5AFD5314F04886DBC9A5B3A2CB35ED4ACB91

Uniqueness

Uniqueness Score: -1.00%

Function 009DBAB8 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32 ref: 009DBB6E
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,009D9431), ref: 009DBBCA
LoadImageW.USER32 ref: 009DBC03
LoadImageW.USER32 ref: 009DBC46
LoadImageW.USER32 ref: 009DBC7D
FreeLibrary.KERNEL32(?), ref: 009DBC89
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 009DBC99
DestroyCursor.USER32(?), ref: 009DBCA8
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 009DBCC5
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 009DBCD1

Part of subcall function 0097313D: __wcsicmp_l.LIBCMT ref: 009731C6

Strings

.icl, xrefs: 009DBAE4
.exe, xrefs: 009DBB04
.dll, xrefs: 009DBB27

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: Load$Image$LibraryMessageSend$CursorDestroyExtractFreeIcon__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 3907162815-1154884017
Opcode ID: 3dd31541e1c545bd847f2737c908870e250b0ba5fdb27bdca4c86c9e10d9bc22
Instruction ID: 9823fc507839d793b6ae00225a8f3f1bda3c9fcee1a3591f9ec9649853f32de9
Opcode Fuzzy Hash: 3dd31541e1c545bd847f2737c908870e250b0ba5fdb27bdca4c86c9e10d9bc22
Instruction Fuzzy Hash: 4161C072690219FAEB14DF74CC46BBE77ACFB08711F108516F815D62C0DB749A80DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 009BA5BD Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00959997: __itow.LIBCMT ref: 009599C2
Part of subcall function 00959997: __swprintf.LIBCMT ref: 00959A0C

CharLowerBuffW.USER32(?,?), ref: 009BA636
GetDriveTypeW.KERNEL32 ref: 009BA683
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 009BA6CB
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 009BA702
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 009BA730

Part of subcall function 00957D2C: _memmove.LIBCMT ref: 00957D66

Strings

type cdaudio alias cd wait, xrefs: 009BA6AE
close, xrefs: 009BA63C
close cd wait, xrefs: 009BA71B
set cd door , xrefs: 009BA6D1
wait, xrefs: 009BA6ED
open , xrefs: 009BA692
open, xrefs: 009BA65D
closed, xrefs: 009BA64A, 009BA653

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: 4bab3fe48c183ba2676d532572fae5920243f97a62902e45009902e2d814a9ca
Instruction ID: f4c9d27ba7a1b639f8acbb196979374dc44b002dce8c4bd36f97f527aa832c6f
Opcode Fuzzy Hash: 4bab3fe48c183ba2676d532572fae5920243f97a62902e45009902e2d814a9ca
Instruction Fuzzy Hash: 265181715083089FC700EF21D991A6AB7F8FF94718F04496DF89A572A1DB31EE0ACB52

Uniqueness

Uniqueness Score: -1.00%

Function 009A83F4 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 009A874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 009A8766
Part of subcall function 009A874A: GetLastError.KERNEL32(?,009A822A,?,?,?), ref: 009A8770
Part of subcall function 009A874A: GetProcessHeap.KERNEL32(00000008,?,?,009A822A,?,?,?), ref: 009A877F
Part of subcall function 009A874A: RtlAllocateHeap.KERNEL32(00000000,?,009A822A,?,?,?), ref: 009A8786
Part of subcall function 009A874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 009A879D

Part of subcall function 009A87E7: GetProcessHeap.KERNEL32(00000008,009A8240,00000000,00000000,?,009A8240,?), ref: 009A87F3
Part of subcall function 009A87E7: RtlAllocateHeap.KERNEL32(00000000,?,009A8240,?), ref: 009A87FA
Part of subcall function 009A87E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,009A8240,?), ref: 009A880B

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 009A8458
_memset.LIBCMT ref: 009A846D
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 009A848C
GetLengthSid.ADVAPI32(?), ref: 009A849D
GetAce.ADVAPI32(?,00000000,?), ref: 009A84DA
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 009A84F6
GetLengthSid.ADVAPI32(?), ref: 009A8513
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 009A8522
RtlAllocateHeap.KERNEL32(00000000), ref: 009A8529
GetLengthSid.ADVAPI32(?,00000008,?), ref: 009A854A
CopySid.ADVAPI32(00000000), ref: 009A8551
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 009A8582
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 009A85A8
SetUserObjectSecurity.USER32 ref: 009A85BC

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: HeapSecurity$AllocateDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 2347767575-0
Opcode ID: 0ec49f9090e44cb24716517c1aaa7b16bbb5ca47256cf5644b29c219bee88f8c
Instruction ID: 95a1f8cbdc5ef8c8cf06c538bb6fb59e2395303d60dd76d05fcca716400c5556
Opcode Fuzzy Hash: 0ec49f9090e44cb24716517c1aaa7b16bbb5ca47256cf5644b29c219bee88f8c
Instruction Fuzzy Hash: 3F614B7594020AABDF04DFA4DC49AAEBBB9FF05300F04816AF815A7291DB319A55DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 009C762D Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 009C76A2
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 009C76AE
CreateCompatibleDC.GDI32(?), ref: 009C76BA
SelectObject.GDI32(00000000,?), ref: 009C76C7
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 009C771B
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 009C7757
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 009C777B
SelectObject.GDI32(00000006,?), ref: 009C7783
DeleteObject.GDI32(?), ref: 009C778C
DeleteDC.GDI32(00000006), ref: 009C7793
ReleaseDC.USER32 ref: 009C779E

Strings

(, xrefs: 009C7723

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: d861c6569ffc6260e9f9cfc5f419ff2ea0ba6649c9bd4597115acdd37cef25e4
Instruction ID: 0b44cea32982dc3c0586868e9e60cf268186f6fa35e87fbcefa2673fddfbacb8
Opcode Fuzzy Hash: d861c6569ffc6260e9f9cfc5f419ff2ea0ba6649c9bd4597115acdd37cef25e4
Instruction Fuzzy Hash: 00512775948209EFCB15CFA8CC85EAEBBB9EF48710F14852EF95A97210D731A9408F61

Uniqueness

Uniqueness Score: -1.00%

Function 009BA0B5 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 156COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,009DFB78), ref: 009BA0FC

Part of subcall function 00957F41: _memmove.LIBCMT ref: 00957F82

LoadStringW.USER32(?,?,00000FFF,?), ref: 009BA11E
__swprintf.LIBCMT ref: 009BA177
__swprintf.LIBCMT ref: 009BA190
_wprintf.LIBCMT ref: 009BA246
_wprintf.LIBCMT ref: 009BA264

Strings

Line %d (File "%s"):, xrefs: 009BA171, 009BA18A
Error: , xrefs: 009BA20E
"%s" (%d) : ==> %s:%s%s, xrefs: 009BA241
"%s" (%d) : ==> %s:, xrefs: 009BA25F
^ ERROR, xrefs: 009BA1E8

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 311963372-2391861430
Opcode ID: 92cbb2bab397125d93365fd9be419a8ab6ad2b89c202bf7b35b6fa16f558ecf0
Instruction ID: 371822942bc243da94a5a83ddbbcbeea11672d49ccf8723ce31d7b4c758a5e8f
Opcode Fuzzy Hash: 92cbb2bab397125d93365fd9be419a8ab6ad2b89c202bf7b35b6fa16f558ecf0
Instruction Fuzzy Hash: 9F519C72904209BACF15EBE1EE82FEEB779AF44301F104565F815720A2EB316F49DB61

Uniqueness

Uniqueness Score: -1.00%

Function 009B93DF Relevance: 19.8, APIs: 13, Instructions: 322fileCOMMON

Download Yara Rule

APIs

Part of subcall function 009B91E9: __time64.LIBCMT ref: 009B91F3

Part of subcall function 00955045: _fseek.LIBCMT ref: 0095505D

__wsplitpath.LIBCMT ref: 009B94BE

Part of subcall function 0097432E: __wsplitpath_helper.LIBCMT ref: 0097436E

_wcscpy.LIBCMT ref: 009B94D1
_wcscat.LIBCMT ref: 009B94E4
__wsplitpath.LIBCMT ref: 009B9509
_wcscat.LIBCMT ref: 009B951F
_wcscat.LIBCMT ref: 009B9532

Part of subcall function 009B922F: _memmove.LIBCMT ref: 009B9268
Part of subcall function 009B922F: _memmove.LIBCMT ref: 009B9277

_wcscmp.LIBCMT ref: 009B9479

Part of subcall function 009B99BE: _wcscmp.LIBCMT ref: 009B9AAE
Part of subcall function 009B99BE: _wcscmp.LIBCMT ref: 009B9AC1

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 009B96DC
_wcsncpy.LIBCMT ref: 009B974F
DeleteFileW.KERNEL32(?,?), ref: 009B9785
CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 009B979B
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 009B97AC
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 009B97BE

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: ec25f01507ecc82f524b3d42a663583439fdfe1b78f82f3940a0dd411fb3f5f5
Instruction ID: 3de325d616b6ed7bcc34bf7c98401efaa8ba1c297143980daa14b26bd0548505
Opcode Fuzzy Hash: ec25f01507ecc82f524b3d42a663583439fdfe1b78f82f3940a0dd411fb3f5f5
Instruction Fuzzy Hash: 95C13CB1D10229AACF21DFA5CD85BDEB7BDEF84310F0040AAF609E6151DB709A848F65

Uniqueness

Uniqueness Score: -1.00%

Function 009545DF Relevance: 19.7, APIs: 13, Instructions: 215windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 009545F9
GetMenuItemCount.USER32 ref: 0098D7CD
GetMenuItemCount.USER32 ref: 0098D87D
GetCursorPos.USER32(?), ref: 0098D8C1
SetForegroundWindow.USER32(00000000), ref: 0098D8CA
TrackPopupMenuEx.USER32(00A16890,00000000,?,00000000,00000000,00000000), ref: 0098D8DD
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 0098D8E9

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 2751501086-0
Opcode ID: 0336f1bf75442a6f8d1508ead67e8bb9c3ab8ac572dc8a43896cc2f30bdc0b33
Instruction ID: c434d72f253a8e411448c09e52fa88e129be2e5d9545c243571879d8688411fe
Opcode Fuzzy Hash: 0336f1bf75442a6f8d1508ead67e8bb9c3ab8ac572dc8a43896cc2f30bdc0b33
Instruction Fuzzy Hash: E0714670646209BFEB20EF25DC45FAABF68FF05368F204216F915A62E0C7B15C50DB90

Uniqueness

Uniqueness Score: -1.00%

Function 009D10A5 Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,009D0038,?,?), ref: 009D10BC

Strings

HKLM, xrefs: 009D113A
HKCC, xrefs: 009D118A
HKEY_LOCAL_MACHINE, xrefs: 009D1125
HKEY_CLASSES_ROOT, xrefs: 009D114F
HKEY_CURRENT_CONFIG, xrefs: 009D1179
HKEY_USERS, xrefs: 009D11BD
HKCU, xrefs: 009D11AC
HKU, xrefs: 009D11CE
HKEY_CURRENT_USER, xrefs: 009D119B
HKCR, xrefs: 009D1164

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: f218596bec97bb9941f48be04441f5573d590234a005f64e10b2fc55e7a9a49a
Instruction ID: c47ce375e9ca8314e535bfb5a35f90db6f1acbaa2f34de859837335e820da244
Opcode Fuzzy Hash: f218596bec97bb9941f48be04441f5573d590234a005f64e10b2fc55e7a9a49a
Instruction Fuzzy Hash: 1241713229434EDBCF20EF90E991AEA3724BF95300F108555FDA55B392D731AD5ACB60

Uniqueness

Uniqueness Score: -1.00%

Function 009B5569 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00957D2C: _memmove.LIBCMT ref: 00957D66

Part of subcall function 00957A84: _memmove.LIBCMT ref: 00957B0D

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 009B55D2
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 009B55E8
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 009B55F9
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 009B560B
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 009B561C

Strings

alias PlayMe, xrefs: 009B55AB
status PlayMe mode, xrefs: 009B55CD
play PlayMe wait, xrefs: 009B5606
close PlayMe, xrefs: 009B55E3, 009B5610
play PlayMe, xrefs: 009B5617
open , xrefs: 009B5581

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: 774959aa97c889b750c6881ed0d5e99bcc18bc317cab0ed7eb819c93bcd1f445
Instruction ID: 8f18d87516c73ac93f0aa54e4b2bdbbcda06c5085e55f20f823e24803f02c75d
Opcode Fuzzy Hash: 774959aa97c889b750c6881ed0d5e99bcc18bc317cab0ed7eb819c93bcd1f445
Instruction Fuzzy Hash: F611982495025DB9D724F6B2EC5AEFFBB7CFFE5B10F400859B801960D1DEA01E49C6A2

Uniqueness

Uniqueness Score: -1.00%

Function 009B48F3 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 009B490E
gethostname.WSOCK32(?,00000100), ref: 009B4928
gethostbyname.WSOCK32(?), ref: 009B4935
_wcscpy.LIBCMT ref: 009B495D
_memmove.LIBCMT ref: 009B4970
inet_ntoa.WSOCK32(?), ref: 009B497B
_strcat.LIBCMT ref: 009B4989
_wcscpy.LIBCMT ref: 009B49A0
WSACleanup.WSOCK32 ref: 009B49AE
_wcscpy.LIBCMT ref: 009B49BC

Strings

0.0.0.0, xrefs: 009B4957

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: b70754cba8d1ce79aed7d35badcb6d4e647ef25f5566f76948069c84ce6c3be9
Instruction ID: 04bc6cce1079224aa5f198e81463c5bbfc211ea0921a434129ce1e0584c344c9
Opcode Fuzzy Hash: b70754cba8d1ce79aed7d35badcb6d4e647ef25f5566f76948069c84ce6c3be9
Instruction Fuzzy Hash: 1F110A32918115ABCB24EB24DD46FDB77BCDF81B20F044176F40A96092EF709AC1A751

Uniqueness

Uniqueness Score: -1.00%

Function 009B5217 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 009B521C

Part of subcall function 00970719: timeGetTime.WINMM(?,762E8EC0,00960FF9), ref: 0097071D

Sleep.KERNEL32(0000000A), ref: 009B5248
EnumThreadWindows.USER32(?,Function_000651CA,00000000), ref: 009B526C
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 009B528E
SetActiveWindow.USER32 ref: 009B52AD
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 009B52BB
SendMessageW.USER32(00000010,00000000,00000000), ref: 009B52DA
Sleep.KERNEL32(000000FA), ref: 009B52E5
IsWindow.USER32 ref: 009B52F1
EndDialog.USER32(00000000), ref: 009B5302

Strings

BUTTON, xrefs: 009B5280

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 6695832bc01a89ea49a2e2aabd0d2dab1d68e3bf451bb40578418c1c359ff1f0
Instruction ID: 2e2ec18540e2c1fb3b1a1d991c288a073dde4ea244613ae759a4895966599bd8
Opcode Fuzzy Hash: 6695832bc01a89ea49a2e2aabd0d2dab1d68e3bf451bb40578418c1c359ff1f0
Instruction Fuzzy Hash: 8D21A47014A704EFE7009BA0EE9ABED3B6AEB44766F059425F003912B1CB719C819B21

Uniqueness

Uniqueness Score: -1.00%

Function 009BD7F8 Relevance: 18.3, APIs: 12, Instructions: 283COMMON

Download Yara Rule

APIs

Part of subcall function 00959997: __itow.LIBCMT ref: 009599C2
Part of subcall function 00959997: __swprintf.LIBCMT ref: 00959A0C

CoInitialize.OLE32(00000000), ref: 009BD855
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 009BD8E8
SHGetDesktopFolder.SHELL32(?), ref: 009BD8FC
76E2B690.OLE32(009E2D7C,00000000,00000001,00A0A89C,?), ref: 009BD948
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 009BD9B7
76E3A680.OLE32(?,?), ref: 009BDA0F
_memset.LIBCMT ref: 009BDA4C
SHBrowseForFolderW.SHELL32(?), ref: 009BDA88
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 009BDAAB
76E3A680.OLE32(00000000), ref: 009BDAB2
76E3A680.OLE32(00000000,00000001,00000000), ref: 009BDAE9
76E2F460.OLE32(00000001,00000000), ref: 009BDAEB

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: A680Folder$B690BrowseCreateDesktopF460FromInitializeItemListLocationPathShellSpecial__itow__swprintf_memset
String ID:
API String ID: 561780608-0
Opcode ID: a4ef02bca2a0d54f2787289ad303ebfa97cee68c2f241daa383c06dc58d4def6
Instruction ID: de52f4b36ec8d7aaf79c89ab18c1058b90f18741c286eca2eb7e40e848a02e0c
Opcode Fuzzy Hash: a4ef02bca2a0d54f2787289ad303ebfa97cee68c2f241daa383c06dc58d4def6
Instruction Fuzzy Hash: 4BB11F75A00109EFDB04DFA5C999EAEBBB9FF89314B048469F806EB251DB30ED45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 009B052C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 009B05A7
SetKeyboardState.USER32(?), ref: 009B0612
GetAsyncKeyState.USER32(000000A0), ref: 009B0632
GetKeyState.USER32(000000A0), ref: 009B0649
GetAsyncKeyState.USER32(000000A1), ref: 009B0678
GetKeyState.USER32(000000A1), ref: 009B0689
GetAsyncKeyState.USER32(00000011), ref: 009B06B5
GetKeyState.USER32(00000011), ref: 009B06C3
GetAsyncKeyState.USER32(00000012), ref: 009B06EC
GetKeyState.USER32(00000012), ref: 009B06FA
GetAsyncKeyState.USER32(0000005B), ref: 009B0723
GetKeyState.USER32(0000005B), ref: 009B0731

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 25b9103f04cd8f60a154e57e27da88481ace8af4c22face31dcb3c9be278aeb2
Instruction ID: b7ccf7c375c17ba3e85e2250e425232cf8d6e8afd1e3664f7c49b013e7234abc
Opcode Fuzzy Hash: 25b9103f04cd8f60a154e57e27da88481ace8af4c22face31dcb3c9be278aeb2
Instruction Fuzzy Hash: 5351FC20A0478459FB34DBB08A557EFBFB89F81390F08459ED5C2565C2DA94AB8CCB51

Uniqueness

Uniqueness Score: -1.00%

Function 009AC72A Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 009AC746
GetWindowRect.USER32 ref: 009AC758
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 009AC7B6
GetDlgItem.USER32 ref: 009AC7C1
GetWindowRect.USER32 ref: 009AC7D3
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 009AC827
GetDlgItem.USER32 ref: 009AC835
GetWindowRect.USER32 ref: 009AC846
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 009AC889
GetDlgItem.USER32 ref: 009AC897
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 009AC8B4
InvalidateRect.USER32(?,00000000,00000001), ref: 009AC8C1

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: b39e6dc7cada7b7446c9106fae46ba34c41cd8387d496869e9ec045b5a4061bd
Instruction ID: 9ef43947d71172e8d587fc3842a670f479546fc646e0a9f0a688fa24a3f495a4
Opcode Fuzzy Hash: b39e6dc7cada7b7446c9106fae46ba34c41cd8387d496869e9ec045b5a4061bd
Instruction Fuzzy Hash: 975140B1B50205ABDB18CF68DD9AAAEBBBAFB89310F14812DF516D6290D7709D408B50

Uniqueness

Uniqueness Score: -1.00%

Function 0095201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00951B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00952036,?,00000000,?,?,?,?,009516CB,00000000,?), ref: 00951B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 009520D3
KillTimer.USER32(-00000001,?,?,?,?,009516CB,00000000,?,?,00951AE2,?,?), ref: 0095216E
DestroyAcceleratorTable.USER32 ref: 0098BEF6
6F7E7D50.COMCTL32(00000000,?,00000000,?,?,?,?,009516CB,00000000,?,?,00951AE2,?,?), ref: 0098BF27
6F7E7D50.COMCTL32(00000000,?,00000000,?,?,?,?,009516CB,00000000,?,?,00951AE2,?,?), ref: 0098BF3E
6F7E7D50.COMCTL32(00000000,?,00000000,?,?,?,?,009516CB,00000000,?,?,00951AE2,?,?), ref: 0098BF5A
DeleteObject.GDI32(00000000), ref: 0098BF6C

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: Destroy$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 2402799130-0
Opcode ID: 0d0641a6ba1bd77ed55bf45ce1c6db659b54be152b8e100091ec9b33c2d66a82
Instruction ID: 418abbe4eeac598e0259158a056b1ea371feedb7f2560e6a846df57720572252
Opcode Fuzzy Hash: 0d0641a6ba1bd77ed55bf45ce1c6db659b54be152b8e100091ec9b33c2d66a82
Instruction Fuzzy Hash: 4761CF31106600DFCB35EF66DD49B6AB7F5FF41312F148829E94287AA0C775A886DF80

Uniqueness

Uniqueness Score: -1.00%

Function 009521A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 009525DB: GetWindowLongW.USER32(?,000000EB), ref: 009525EC

GetSysColor.USER32(0000000F), ref: 009521D3

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 70d308537ffecb92d857bf24a083d4564a6c80cb34817025ed9850b06a901a4b
Instruction ID: 1d2ccb46068590a6287024bcc1ba8aeb6499e7b61c52cdd59e16e65dc8f0d8a5
Opcode Fuzzy Hash: 70d308537ffecb92d857bf24a083d4564a6c80cb34817025ed9850b06a901a4b
Instruction Fuzzy Hash: 6641F8350081009FDF259F29EC99BB93769EB07332F144266FD768A2E2C7318C86DB21

Uniqueness

Uniqueness Score: -1.00%

Function 009D73C1 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 009D73D9
CreateMenu.USER32 ref: 009D73F4
SetMenu.USER32(?,00000000), ref: 009D7403
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 009D7490
IsMenu.USER32 ref: 009D74A6
CreatePopupMenu.USER32 ref: 009D74B0
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 009D74DD
DrawMenuBar.USER32 ref: 009D74E5

Strings

F, xrefs: 009D74D1
0, xrefs: 009D73CF

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: 90d471d72b85819ef0e78afdbe871d6e35427f4e2a43f339e7b1797fb6ef8014
Instruction ID: 4465dbb822523df84c5f25e92abafebca2882890232a0c146916a401effb88ed
Opcode Fuzzy Hash: 90d471d72b85819ef0e78afdbe871d6e35427f4e2a43f339e7b1797fb6ef8014
Instruction Fuzzy Hash: FD416874A05205EFDB11DFA4E885BAABBBAFF49300F14842AFD0697360E730A910DB50

Uniqueness

Uniqueness Score: -1.00%

Function 009D772A Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 009D77CD
CreateCompatibleDC.GDI32(00000000), ref: 009D77D4
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 009D77E7
SelectObject.GDI32(00000000,00000000), ref: 009D77EF
GetPixel.GDI32(00000000,00000000,00000000), ref: 009D77FA
DeleteDC.GDI32(00000000), ref: 009D7803
GetWindowLongW.USER32(?,000000EC), ref: 009D780D
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 009D7821
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 009D782D

Strings

static, xrefs: 009D7765

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 96ba2a81c4e908e358f486e2fc11e2703226215bbbec9db9e0aa96c5ca965453
Instruction ID: 4e17f368064d6d7a06c69c7ff2d6da0d27013c3cda925388f5df1098a55239eb
Opcode Fuzzy Hash: 96ba2a81c4e908e358f486e2fc11e2703226215bbbec9db9e0aa96c5ca965453
Instruction Fuzzy Hash: A631B032159114BBDF119FB4DC19FDA3B6DFF09320F118226FA16A21A0D731D851EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00977040 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0097707B

Part of subcall function 00978D68: __getptd_noexit.LIBCMT ref: 00978D68

__gmtime64_s.LIBCMT ref: 00977114
__gmtime64_s.LIBCMT ref: 0097714A
__gmtime64_s.LIBCMT ref: 00977167
__allrem.LIBCMT ref: 009771BD
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 009771D9
__allrem.LIBCMT ref: 009771F0
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0097720E
__allrem.LIBCMT ref: 00977225
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00977243
__invoke_watson.LIBCMT ref: 009772B4

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
Instruction ID: 9579503da04de53de11d32176c7bf3054d6506122f4d25918cc63e096575fb47
Opcode Fuzzy Hash: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
Instruction Fuzzy Hash: 7A71B873A04717EBD714AEB9CC42B6AF3A8AF54720F14C23AF928D6781E770D9408790

Uniqueness

Uniqueness Score: -1.00%

Function 009D7192 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 009D7214
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 009D7217
GetWindowLongW.USER32(?,000000F0), ref: 009D723B
_memset.LIBCMT ref: 009D724C
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 009D725E
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 009D72D6

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 78277425ec90539d506af16f00bb8a748a71aca7ee83b3ff251a89f17eed4625
Instruction ID: 31e716e35fba78a6b32c860dbae0623988bf1a46d0b6f230f6d7772361263017
Opcode Fuzzy Hash: 78277425ec90539d506af16f00bb8a748a71aca7ee83b3ff251a89f17eed4625
Instruction Fuzzy Hash: 71617C75940208AFDB10DFA8CC81EEEB7B8AB09700F14815AFA14E73A1D774A946DB60

Uniqueness

Uniqueness Score: -1.00%

Function 009A710E Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 009A7135
SafeArrayAllocData.OLEAUT32(?), ref: 009A718E
VariantInit.OLEAUT32(?), ref: 009A71A0
SafeArrayAccessData.OLEAUT32(?,?), ref: 009A71C0
VariantCopy.OLEAUT32(?,?), ref: 009A7213
SafeArrayUnaccessData.OLEAUT32(?), ref: 009A7227
VariantClear.OLEAUT32(?), ref: 009A723C
SafeArrayDestroyData.OLEAUT32(?), ref: 009A7249
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 009A7252
VariantClear.OLEAUT32(?), ref: 009A7264
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 009A726F

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 69060ecd8dcd1d895d2c18217eeff4b317e00b94178cb9d93f0c2eb07311830b
Instruction ID: 4e7c0dc77222576733a420dfbe1eb144abbf7eea0181a9d6e2872c5f61746e22
Opcode Fuzzy Hash: 69060ecd8dcd1d895d2c18217eeff4b317e00b94178cb9d93f0c2eb07311830b
Instruction Fuzzy Hash: 57415135904219EFCF00DFA8DC59AAEBBB9FF49354F008069F916A7261CB30A945CB90

Uniqueness

Uniqueness Score: -1.00%

Function 009B0219 Relevance: 16.6, APIs: 11, Instructions: 120keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 009B0241
GetAsyncKeyState.USER32(000000A0), ref: 009B02C2
GetKeyState.USER32(000000A0), ref: 009B02DD
GetAsyncKeyState.USER32(000000A1), ref: 009B02F7
GetKeyState.USER32(000000A1), ref: 009B030C
GetAsyncKeyState.USER32(00000011), ref: 009B0324
GetKeyState.USER32(00000011), ref: 009B0336
GetAsyncKeyState.USER32(00000012), ref: 009B034E
GetKeyState.USER32(00000012), ref: 009B0360
GetAsyncKeyState.USER32(0000005B), ref: 009B0378
GetKeyState.USER32(0000005B), ref: 009B038A

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: d7e3388d8466c33eadfac7049c9433059733bf3c0fd88652710bc0c0dbf787c8
Instruction ID: bbd586752e3ce85fe45f77640da2510c5f528fe60dea4e1f72312bb53cc975ec
Opcode Fuzzy Hash: d7e3388d8466c33eadfac7049c9433059733bf3c0fd88652710bc0c0dbf787c8
Instruction Fuzzy Hash: 6841DB245087C96EFF314A64961D3FBBEE86F51360F08409ED5C6461C2EB9559C88792

Uniqueness

Uniqueness Score: -1.00%

Function 009C9428 Relevance: 16.0, APIs: 5, Strings: 4, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 009C947C
VariantInit.OLEAUT32(?), ref: 009C954D
VariantInit.OLEAUT32(?), ref: 009C964E
VariantClear.OLEAUT32(?), ref: 009C9658
VariantClear.OLEAUT32(?), ref: 009C96B5

Strings

Incorrect Object type in FOR..IN loop, xrefs: 009C9631
get__NewEnum, xrefs: 009C9454
_NewEnum, xrefs: 009C9436
Null Object assignment in FOR..IN loop, xrefs: 009C94DD, 009C960B, 009C96C3

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop$_NewEnum$get__NewEnum
API String ID: 2862541840-1765764032
Opcode ID: 4b89ce10a89f0e55b4757f85fef24a2f5fa04a1a8731330eb5fa51e5b4797040
Instruction ID: 4a516d45d67a7833705b62f0884d655d77d8e51c8ee7f417b75bd3ea2001916e
Opcode Fuzzy Hash: 4b89ce10a89f0e55b4757f85fef24a2f5fa04a1a8731330eb5fa51e5b4797040
Instruction Fuzzy Hash: 4591AB71E00219ABDF24DFA5C848FAEBBB8EF85710F10855DF909AB290D7709945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 009C86D0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197COMMON

Download Yara Rule

APIs

Part of subcall function 00959997: __itow.LIBCMT ref: 009599C2
Part of subcall function 00959997: __swprintf.LIBCMT ref: 00959A0C

CoInitialize.OLE32 ref: 009C8718
76E2F460.OLE32 ref: 009C8723
76E2B690.OLE32(?,00000000,00000017,009E2BEC,?), ref: 009C8783
76E37DC0.OLE32(?,?), ref: 009C87F6
VariantInit.OLEAUT32(?), ref: 009C8890
VariantClear.OLEAUT32(?), ref: 009C88F1

Strings

Invalid parameter, xrefs: 009C880F
NULL Pointer assignment, xrefs: 009C87C8
Failed to create object, xrefs: 009C878E, 009C8844

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: Variant$B690ClearF460InitInitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 485621340-1287834457
Opcode ID: f12465558844403397f2de2329ec81a714ce84be01ef68eede054c2e90f89bbb
Instruction ID: d759b6c11317ab60e27846bfe62b98893e6c0d8562ec05934785f5787c8118af
Opcode Fuzzy Hash: f12465558844403397f2de2329ec81a714ce84be01ef68eede054c2e90f89bbb
Instruction Fuzzy Hash: 8E618830A08301AFD710DB64C949F6BBBE8AF89714F10481DF9969B291DB34ED48CB93

Uniqueness

Uniqueness Score: -1.00%

Function 009662F2 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 143COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 009663A8
_memmove.LIBCMT ref: 00966446
_memset.LIBCMT ref: 0096646A

Strings

argument not compiled in 16 bit mode, xrefs: 009A1150
ERCP, xrefs: 00966313
argument is not a compiled regular expression, xrefs: 009A1160
internal error: missing capturing bracket, xrefs: 009A1158
failed to get memory, xrefs: 00966488
internal error: opcode not recognized, xrefs: 0096647D

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: _memset$_memmove
String ID: ERCP$argument is not a compiled regular expression$argument not compiled in 16 bit mode$failed to get memory$internal error: missing capturing bracket$internal error: opcode not recognized
API String ID: 2532777613-264027815
Opcode ID: 8e57517aaff029dc4d3d3bd1ebba7e69cf0f8f08061f100ce1a77003bd2381cf
Instruction ID: 86a1c48eb01c589b47377e24382a8544cfc1f8e833f1b776d0b2c6b66e062014
Opcode Fuzzy Hash: 8e57517aaff029dc4d3d3bd1ebba7e69cf0f8f08061f100ce1a77003bd2381cf
Instruction Fuzzy Hash: 5B51B371900309DFDB24CF65C881BAABBF8FF44714F20856EE54ACB291EB75A584CB90

Uniqueness

Uniqueness Score: -1.00%

Function 009BB72E Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 009BB73B
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 009BB7B1
GetLastError.KERNEL32 ref: 009BB7BB
SetErrorMode.KERNEL32(00000000,READY), ref: 009BB828

Strings

NOTREADY, xrefs: 009BB7E7
READONLY, xrefs: 009BB7F3
INVALID, xrefs: 009BB7FA
READY, xrefs: 009BB801
UNKNOWN, xrefs: 009BB7E0

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 67248e02b3270e1641c272482ccd0da1d8f32b853e966ade214564c0e2d7edcc
Instruction ID: 503d2bb347bbc93cf289e3a8459808bbc3e9ab3836bf2a9b7848e51ad587dae6
Opcode Fuzzy Hash: 67248e02b3270e1641c272482ccd0da1d8f32b853e966ade214564c0e2d7edcc
Instruction Fuzzy Hash: 25319235A00209AFDB00EF64D985EFEB7B8FF94720F14842AE902D72D1DBB19A46C751

Uniqueness

Uniqueness Score: -1.00%

Function 009A9471 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00957F41: _memmove.LIBCMT ref: 00957F82

Part of subcall function 009AB0C4: GetClassNameW.USER32 ref: 009AB0E7

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 009A94F6
GetDlgCtrlID.USER32 ref: 009A9501
GetParent.USER32 ref: 009A951D
SendMessageW.USER32(00000000,?,00000111,?), ref: 009A9520
GetDlgCtrlID.USER32 ref: 009A9529
GetParent.USER32(?), ref: 009A9545
SendMessageW.USER32(00000000,?,?,00000111), ref: 009A9548

Strings

ComboBox, xrefs: 009A947E
ListBox, xrefs: 009A94B3

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 1381755bbb009a6c3a67985c93c655cba1436c51222ccebe51b4a915f67003e5
Instruction ID: 4ee342a529783c1e09a75ab8c667c2261e9a02da2b4ce8ec64930b15e8e35c27
Opcode Fuzzy Hash: 1381755bbb009a6c3a67985c93c655cba1436c51222ccebe51b4a915f67003e5
Instruction Fuzzy Hash: D421E270D00108BBCF00EB65DC96EFEBB68FF8A300F104116B922972E2DB7599199B60

Uniqueness

Uniqueness Score: -1.00%

Function 009A955C Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00957F41: _memmove.LIBCMT ref: 00957F82

Part of subcall function 009AB0C4: GetClassNameW.USER32 ref: 009AB0E7

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 009A95DF
GetDlgCtrlID.USER32 ref: 009A95EA
GetParent.USER32 ref: 009A9606
SendMessageW.USER32(00000000,?,00000111,?), ref: 009A9609
GetDlgCtrlID.USER32 ref: 009A9612
GetParent.USER32(?), ref: 009A962E
SendMessageW.USER32(00000000,?,?,00000111), ref: 009A9631

Strings

ComboBox, xrefs: 009A9569
ListBox, xrefs: 009A959E

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: fc176c80ebbd6d2d865a5d988f2783803fc672f562e5ca227a118ea8cedec706
Instruction ID: b1a825952ddace193b24fade31cdb1df31718d26d254d579d5df8ab614f8ad6d
Opcode Fuzzy Hash: fc176c80ebbd6d2d865a5d988f2783803fc672f562e5ca227a118ea8cedec706
Instruction Fuzzy Hash: 4D21C170D40208BBDF00EBA1CC96EFEBB68FF49300F104016B912971E2DB7599599B60

Uniqueness

Uniqueness Score: -1.00%

Function 009A9645 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 009A9651
GetClassNameW.USER32 ref: 009A9666
_wcscmp.LIBCMT ref: 009A9678
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 009A96F3

Strings

largeicons, xrefs: 009A9687
SHELLDLL_DefView, xrefs: 009A9672
smallicons, xrefs: 009A96BB
list, xrefs: 009A96D5
details, xrefs: 009A96A1

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: 20646ddf30d0a18edabbda220359261fc34ba79f3194b6460bd10f12300af827
Instruction ID: b13ae5a3b8edde07a1b1c755dbdab5f5ff0fb5180ccfbfd966aeaa742652bb05
Opcode Fuzzy Hash: 20646ddf30d0a18edabbda220359261fc34ba79f3194b6460bd10f12300af827
Instruction Fuzzy Hash: 5E11297728C30BBAFA012621EC1BEE7779CFF06764F204026F905A50D2FEA1695069D8

Uniqueness

Uniqueness Score: -1.00%

Function 009B4189 Relevance: 15.1, APIs: 10, Instructions: 108windowCOMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 009B419D
__swprintf.LIBCMT ref: 009B41AA

Part of subcall function 009738D8: __woutput_l.LIBCMT ref: 00973931

FindResourceW.KERNEL32(?,?,0000000E), ref: 009B41D4
LoadResource.KERNEL32(?,00000000), ref: 009B41E0
LockResource.KERNEL32(00000000), ref: 009B41ED
FindResourceW.KERNEL32(?,?,00000003), ref: 009B420D
LoadResource.KERNEL32(?,00000000), ref: 009B421F
SizeofResource.KERNEL32(?,00000000), ref: 009B422E
LockResource.KERNEL32(?), ref: 009B423A
CreateIconFromResourceEx.USER32 ref: 009B429B

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
String ID:
API String ID: 1433390588-0
Opcode ID: eaba33c4ef50b114d0942dca0ca4df6f6588a202927c860bddbf9aa8da4965d0
Instruction ID: e362bdeeaa8b1db8589893f65bda041311b5ee71aaee3ae7ad59378a2a0364d8
Opcode Fuzzy Hash: eaba33c4ef50b114d0942dca0ca4df6f6588a202927c860bddbf9aa8da4965d0
Instruction Fuzzy Hash: 8C31D071A4920AABDB009FA0DD55EFF7BADEF08321F008526F926D6151D730DA51ABA0

Uniqueness

Uniqueness Score: -1.00%

Function 009B16DE Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 009B1700
GetForegroundWindow.USER32(00000000,?,?,?,?,?,009B0778,?,00000001), ref: 009B1714
GetWindowThreadProcessId.USER32(00000000), ref: 009B171B
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,009B0778,?,00000001), ref: 009B172A
GetWindowThreadProcessId.USER32(?,00000000), ref: 009B173C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,009B0778,?,00000001), ref: 009B1755
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,009B0778,?,00000001), ref: 009B1767
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,009B0778,?,00000001), ref: 009B17AC
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,009B0778,?,00000001), ref: 009B17C1
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,009B0778,?,00000001), ref: 009B17CC

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: dc48e4b3e324c833e4663ace80abc7b335619000a15fdc4bb807dc75351bd0d1
Instruction ID: 741afee660bfd29b7b202de5f89336a0971652c5064951fc8a6e93e25780f884
Opcode Fuzzy Hash: dc48e4b3e324c833e4663ace80abc7b335619000a15fdc4bb807dc75351bd0d1
Instruction Fuzzy Hash: FF31BF79244208BBDB11DF50DEA5BFA37BEEB05761F508065F801C72A0DB749E81CB50

Uniqueness

Uniqueness Score: -1.00%

Function 009C4458 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 009C447F
EmptyClipboard.USER32 ref: 009C4485
GlobalAlloc.KERNEL32(00000002,?), ref: 009C449A
CloseClipboard.USER32 ref: 009C4539

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 3f460ef236c4d6160f05ef80402dd4c9a8e2e71630f5444e4d7da9252507aa06
Instruction ID: 3e33cdd0a7d7abe294eab81df7a22df5aae6b23ead60e22dfbd6324b7e7e090c
Opcode Fuzzy Hash: 3f460ef236c4d6160f05ef80402dd4c9a8e2e71630f5444e4d7da9252507aa06
Instruction Fuzzy Hash: 2021CA357412109FEB00AF20EC2AF697BA8EF44311F14802AF906CB2B1CB35A900DB95

Uniqueness

Uniqueness Score: -1.00%

Function 009AA693 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32 ref: 009AA9A2

Strings

INSTANCE, xrefs: 009AA8B0
CLASS, xrefs: 009AA721
NAME, xrefs: 009AA7D4
TEXT, xrefs: 009AA8D9
REGEXPCLASS, xrefs: 009AA767
CLASSNN, xrefs: 009AA744

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: d429e35dbcf2552075b3f6fcf0698ec033b48c5ad5bb6d9bd2804f3ddac34073
Instruction ID: 43226d243d4ec2d79228339ac76adb92f864aa10e9f2a0d4dfe14cfdbdb0596c
Opcode Fuzzy Hash: d429e35dbcf2552075b3f6fcf0698ec033b48c5ad5bb6d9bd2804f3ddac34073
Instruction Fuzzy Hash: 92919331A0060AEBDB58DF60C481BEEFB79BF85304F108519E89EA7191DF306A59DBD1

Uniqueness

Uniqueness Score: -1.00%

Function 009CF9A8 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 009CF9C9
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 009CFB5C
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 009CFB80
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 009CFBC0
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 009CFBE2
CreateProcessW.KERNEL32 ref: 009CFD5E
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 009CFD90
CloseHandle.KERNEL32(?), ref: 009CFDBF
CloseHandle.KERNEL32(?), ref: 009CFE36

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: adc9e16ec93b8559a3408c0beeb030c676a8d71a2eec544f9b7186e78563594f
Instruction ID: 7d16726d1ad8fe2a53bcd13089446ba5bc4f393396bc733f45de75ab07bb0cbc
Opcode Fuzzy Hash: adc9e16ec93b8559a3408c0beeb030c676a8d71a2eec544f9b7186e78563594f
Instruction Fuzzy Hash: AAE1B231604301DFDB14EF24C4A1F6ABBE5AF85354F14896DF89A8B2A2DB31EC44CB52

Uniqueness

Uniqueness Score: -1.00%

Function 009D88B4 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 009D896E

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: c2c6896ca24871a2f05464ff48af325c59135d558f22a029bbe2eb0299f0edd0
Instruction ID: 6aa50adb54ad0c61963f338d281a3caa5c56aaa9182c610f54d612da7c1729df
Opcode Fuzzy Hash: c2c6896ca24871a2f05464ff48af325c59135d558f22a029bbe2eb0299f0edd0
Instruction Fuzzy Hash: 2C51A330680208BFDF20DF29CC85BAB3B69AB05310F50C513F525E63A2DF71A9809B41

Uniqueness

Uniqueness Score: -1.00%

Function 009B3226 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 009B32C5

Strings

info, xrefs: 009B3266
blank, xrefs: 009B3247
warning, xrefs: 009B32AE
question, xrefs: 009B327E
stop, xrefs: 009B3296

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 94518d4e157e4a065e180c7312180110867b28bb200801ea406f3828649a87a3
Instruction ID: ee2443e51cd4cec546722ad1a8130ddd9727313c75e3ee0d008723ce5507ab96
Opcode Fuzzy Hash: 94518d4e157e4a065e180c7312180110867b28bb200801ea406f3828649a87a3
Instruction Fuzzy Hash: 0711273224C35ABAEB019A54ED43DEAB39CEF19370F20C02AF514A61C1E6655B4056A5

Uniqueness

Uniqueness Score: -1.00%

Function 009B4534 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 009B454E
LoadStringW.USER32(00000000), ref: 009B4555
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 009B456B
LoadStringW.USER32(00000000), ref: 009B4572
_wprintf.LIBCMT ref: 009B4598
MessageBoxW.USER32(00000000,?,?,00011010), ref: 009B45B6

Strings

%s (%d) : ==> %s: %s %s, xrefs: 009B4593

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 11157ba3bba046f426a9af043b3ea67713012d57135e05c33b7d0ec60684fada
Instruction ID: 76a205a9f0f0975e263614e33b1be11ee4c38fe448eb7e82aefb3dae545136bb
Opcode Fuzzy Hash: 11157ba3bba046f426a9af043b3ea67713012d57135e05c33b7d0ec60684fada
Instruction Fuzzy Hash: 9501A7F384420CBFE71097A0DD8AEE7736CD708300F4044A6B706D2051E6749EC45B70

Uniqueness

Uniqueness Score: -1.00%

Function 009B7368 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 009B737F

Part of subcall function 00970FF6: std::exception::exception.LIBCMT ref: 0097102C
Part of subcall function 00970FF6: __CxxThrowException@8.LIBCMT ref: 00971041

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 009B73B6
RtlEnterCriticalSection.KERNEL32(?), ref: 009B73D2
_memmove.LIBCMT ref: 009B7420
_memmove.LIBCMT ref: 009B743D
RtlLeaveCriticalSection.KERNEL32(?), ref: 009B744C
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 009B7461
InterlockedExchange.KERNEL32(?,000001F6), ref: 009B7480

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: 763a5d2e0c730a4ff64929464eecd5fb9998b18420f15498e00d52e7672c8853
Instruction ID: 2129d244cabceac875c9f51364316b025aacb52643e5b065e8547545ca1eb07a
Opcode Fuzzy Hash: 763a5d2e0c730a4ff64929464eecd5fb9998b18420f15498e00d52e7672c8853
Instruction Fuzzy Hash: F0319436904205EBCF10DF94DD85AAFB7B8FF84710B1481B6F9049B256DB309A51DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 009D6442 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 009D645A
GetDC.USER32(00000000), ref: 009D6462
GetDeviceCaps.GDI32(00000000,0000005A), ref: 009D646D
ReleaseDC.USER32 ref: 009D6479
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 009D64B5
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 009D64C6
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,009D9299,?,?,000000FF,00000000,?,000000FF,?), ref: 009D6500
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 009D6520

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 2e48753f8842d97ed3140e326bf6f9637bc2ccdab81c64c73f89e43928ae056a
Instruction ID: d462fb8838bfa1660838242ec30e58583aeec87d71adf419fe3ca6aa4be762b9
Opcode Fuzzy Hash: 2e48753f8842d97ed3140e326bf6f9637bc2ccdab81c64c73f89e43928ae056a
Instruction Fuzzy Hash: 1C319F72295214BFEF108F50DC4AFEA3FADEF0A765F044066FE099A291C6759C81CB60

Uniqueness

Uniqueness Score: -1.00%

Function 009AC072 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 009AC087
_memcmp.LIBCMT ref: 009AC0A9
_memcmp.LIBCMT ref: 009AC0C1
_memcmp.LIBCMT ref: 009AC0D4
_memcmp.LIBCMT ref: 009AC0EE
_memcmp.LIBCMT ref: 009AC101
_memcmp.LIBCMT ref: 009AC119
_memcmp.LIBCMT ref: 009AC134

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 0e5598de679d05fc185a49b5b00d3568636ac493bb70924849578832358e6c55
Instruction ID: 7966963391c2509bdb0cbf33e68b05a9a8d8be35bf4708742e72eaea218ea4ec
Opcode Fuzzy Hash: 0e5598de679d05fc185a49b5b00d3568636ac493bb70924849578832358e6c55
Instruction Fuzzy Hash: BC210BF2744215BBDB11AA258C42FBF339DAF92398F084020FD099E282E756ED11C1E5

Uniqueness

Uniqueness Score: -1.00%

Function 00951424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de1ce03ae826d01be72a5fd4d2f1c7467a90a46b0689e2aba65401645f40d24a
Instruction ID: 9b3586c90a67d606d79848ab8a4062af442035621ffebd2ad1c416ee18c1ac3b
Opcode Fuzzy Hash: de1ce03ae826d01be72a5fd4d2f1c7467a90a46b0689e2aba65401645f40d24a
Instruction Fuzzy Hash: 6E717630904109EFCB04DF99CC89BBEBB79FF85315F248549F916AA261C734AA55CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 009DB60B Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(01558788), ref: 009DB6A5
IsWindowEnabled.USER32(01558788), ref: 009DB6B1
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 009DB795
SendMessageW.USER32(01558788,000000B0,?,?), ref: 009DB7CC
IsDlgButtonChecked.USER32(?,?), ref: 009DB809
GetWindowLongW.USER32(01558788,000000EC), ref: 009DB82B
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 009DB843

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 267813816a21eaafab00bd9a717375a8fc72916c05890bb9cfbaf7551e13ed7e
Instruction ID: bfb0ef772d7f1abb8bc711468f45233ff5f048bf3c51ad01b2be3f5c5caa6915
Opcode Fuzzy Hash: 267813816a21eaafab00bd9a717375a8fc72916c05890bb9cfbaf7551e13ed7e
Instruction Fuzzy Hash: 9A71BF38685204EFDB20DF64C8A4FAA7BBDFF89310F56845AE946973A1C731E841DB50

Uniqueness

Uniqueness Score: -1.00%

Function 009CF732 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 009CF75C
_memset.LIBCMT ref: 009CF825
ShellExecuteExW.SHELL32(?), ref: 009CF86A

Part of subcall function 00959997: __itow.LIBCMT ref: 009599C2
Part of subcall function 00959997: __swprintf.LIBCMT ref: 00959A0C

Part of subcall function 0096FEC6: _wcscpy.LIBCMT ref: 0096FEE9

GetProcessId.KERNEL32(00000000), ref: 009CF8E1
CloseHandle.KERNEL32(00000000), ref: 009CF910

Strings

@, xrefs: 009CF839

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: a94fd4bfa8a3954c378adbd2dd8772e5eba661a448df3493e4bf5c3e86bfb105
Instruction ID: 0b4eb7dd6c370808bdae6011a8b83e743a2be7981893f091a411b9674c29b6de
Opcode Fuzzy Hash: a94fd4bfa8a3954c378adbd2dd8772e5eba661a448df3493e4bf5c3e86bfb105
Instruction Fuzzy Hash: 8F618C75E00619DFCF14DF55C5A1AAEBBB5FF88310B14846DE84AAB351CB30AE44CB91

Uniqueness

Uniqueness Score: -1.00%

Function 009B145D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 009B149C
GetKeyboardState.USER32(?), ref: 009B14B1
SetKeyboardState.USER32(?), ref: 009B1512
PostMessageW.USER32(?,00000101,00000010,?), ref: 009B1540
PostMessageW.USER32(?,00000101,00000011,?), ref: 009B155F
PostMessageW.USER32(?,00000101,00000012,?), ref: 009B15A5
PostMessageW.USER32(?,00000101,0000005B,?), ref: 009B15C8

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: b1d82e033f323c8e86357036ab4597c5460061aa8472424c130540b44a01c956
Instruction ID: 271762f2d9faee8ae75ea2e79930887fefa76076b0e205c90c53917afa908755
Opcode Fuzzy Hash: b1d82e033f323c8e86357036ab4597c5460061aa8472424c130540b44a01c956
Instruction Fuzzy Hash: 2C51F1A0A083D53EFB3642248D65BFA7FAE5B46324F488489F1D6468D2C2D8ECC4D750

Uniqueness

Uniqueness Score: -1.00%

Function 009B1276 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 009B12B5
GetKeyboardState.USER32(?), ref: 009B12CA
SetKeyboardState.USER32(?), ref: 009B132B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 009B1357
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 009B1374
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 009B13B8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 009B13D9

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 12f7fdbdc59a68898b891e1c863df467ce861ab5733ac18eefa484c2795f73ab
Instruction ID: 983d48071a18dc6a8e75cd311be4875ab808e3bb35ddc375b23d6ffa9720065d
Opcode Fuzzy Hash: 12f7fdbdc59a68898b891e1c863df467ce861ab5733ac18eefa484c2795f73ab
Instruction Fuzzy Hash: 785124A09083D53DFB3283248D65BFABFED5F06320F488489E1E5868D2E794EC84E750

Uniqueness

Uniqueness Score: -1.00%

Function 009B589F Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 009B58AC
_wcsncpy.LIBCMT ref: 009B58E1
_wcsncpy.LIBCMT ref: 009B5913
_wcsncpy.LIBCMT ref: 009B5946
_wcsncpy.LIBCMT ref: 009B5988
_wcsncpy.LIBCMT ref: 009B59C2
_wcsncpy.LIBCMT ref: 009B59F1

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: c5470217f2537f76e32bfd2bcd8522197fc73d8e73510d03f3f352a4f1423d94
Instruction ID: f27a9203eaf8208d93036017d439b34efc0ba658d466c8905e5f6fa74e87bf16
Opcode Fuzzy Hash: c5470217f2537f76e32bfd2bcd8522197fc73d8e73510d03f3f352a4f1423d94
Instruction Fuzzy Hash: A8418366C2052876CB10EBB4888ABCFB3AC9F45710F51C966F518E3122E734E755C7A5

Uniqueness

Uniqueness Score: -1.00%

Function 009B38AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 009B48AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,009B38D3,?), ref: 009B48C7

Part of subcall function 009B48AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,009B38D3,?), ref: 009B48E0

lstrcmpiW.KERNEL32(?,?), ref: 009B38F3
_wcscmp.LIBCMT ref: 009B390F
MoveFileW.KERNEL32(?,?), ref: 009B3927
_wcscat.LIBCMT ref: 009B396F
SHFileOperationW.SHELL32(?), ref: 009B39DB

Strings

\*.*, xrefs: 009B3969

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: 5dd954fdd63df7017c0ecf327e9bb289686249e5745872d9f242c70ca700de28
Instruction ID: 9bbde0d5130dcd39bec2db6fc9622705f8d3ef34a7377d848a1db8dc73e7236b
Opcode Fuzzy Hash: 5dd954fdd63df7017c0ecf327e9bb289686249e5745872d9f242c70ca700de28
Instruction Fuzzy Hash: 5A416EB250D3449AC751EF64D981AEFB7ECAF88350F14492EB48AC3152EA74D68CC752

Uniqueness

Uniqueness Score: -1.00%

Function 009D7500 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 009D7519
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 009D75C0
IsMenu.USER32 ref: 009D75D8
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 009D7620
DrawMenuBar.USER32 ref: 009D7633

Strings

0, xrefs: 009D750D

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: 20a0a73dbea265034d0a788dc9ca97116384d9713e86184e58fab57e2a0bedda
Instruction ID: 3054fd24fc39923161a127b0b168e98bdde9d86ef37a197e1ca2eafdf65b4232
Opcode Fuzzy Hash: 20a0a73dbea265034d0a788dc9ca97116384d9713e86184e58fab57e2a0bedda
Instruction Fuzzy Hash: 03413875A45609AFDB10DF94E884EAABBF8FB04310F44812AF91597350E731ED50DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 009D122D Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32 ref: 009D125C
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 009D1286
FreeLibrary.KERNEL32(00000000), ref: 009D133D

Part of subcall function 009D122D: RegCloseKey.ADVAPI32(?), ref: 009D12A3
Part of subcall function 009D122D: FreeLibrary.KERNEL32(?), ref: 009D12F5
Part of subcall function 009D122D: RegEnumKeyExW.ADVAPI32 ref: 009D1318

RegDeleteKeyW.ADVAPI32(?,?), ref: 009D12E0

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: 48f50fbd711c4b8a800746bb4ecf5709079259feaf1c2c310eea9c80f90ee0fa
Instruction ID: 8eade2e03839e3aff33488516d20dd538ba0ab04f2c3546d6e5a1487c4168e71
Opcode Fuzzy Hash: 48f50fbd711c4b8a800746bb4ecf5709079259feaf1c2c310eea9c80f90ee0fa
Instruction Fuzzy Hash: 58314D72951109BFDB149F90DC9AEFEB7BCEF09300F00416AE512E3241DA749E859AA0

Uniqueness

Uniqueness Score: -1.00%

Function 009D653C Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 009D655B
GetWindowLongW.USER32(01558788,000000F0), ref: 009D658E
GetWindowLongW.USER32(01558788,000000F0), ref: 009D65C3
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 009D65F5
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 009D661F
GetWindowLongW.USER32(?,000000F0), ref: 009D6630
SetWindowLongW.USER32 ref: 009D664A

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 8ead9b2ff908f258baf692946831e053792852d2e2a85c7e471c96b514aa45bc
Instruction ID: d14f79e526930d3d8a0f4a4dede94cc1e90de015c9b7b3e5a009b3de1c14d681
Opcode Fuzzy Hash: 8ead9b2ff908f258baf692946831e053792852d2e2a85c7e471c96b514aa45bc
Instruction Fuzzy Hash: 22310330685114AFDB20CF58EC89F553BE9FB5A314F1881AAF501DB3B5CB61E880DB41

Uniqueness

Uniqueness Score: -1.00%

Function 009C6486 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 009C80A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 009C80CB

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 009C64D9
WSAGetLastError.WSOCK32(00000000), ref: 009C64E8
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 009C6521
connect.WSOCK32(00000000,?,00000010), ref: 009C652A
WSAGetLastError.WSOCK32 ref: 009C6534
closesocket.WSOCK32(00000000), ref: 009C655D
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 009C6576

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: cd4dc8f691dc0748ce746f6f7b5ee63fe403e674defd6c4bc6291b982f861b4e
Instruction ID: 1b880b34793c2675d8aee74ac3661249302b2aadf62f0361fb53bbc7ce1bd0fc
Opcode Fuzzy Hash: cd4dc8f691dc0748ce746f6f7b5ee63fe403e674defd6c4bc6291b982f861b4e
Instruction Fuzzy Hash: 0431A131A00118ABEB109F24CC85FBE7BBDEB44711F04402DFD0697291CB74AD44DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 009AE0B5 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 009AE0FA
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 009AE120
SysAllocString.OLEAUT32(00000000), ref: 009AE123
SysAllocString.OLEAUT32 ref: 009AE144
SysFreeString.OLEAUT32 ref: 009AE14D
76E37B20.OLE32(?,?,00000028), ref: 009AE167
SysAllocString.OLEAUT32(?), ref: 009AE175

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$Free
String ID:
API String ID: 1313759350-0
Opcode ID: ae3c1fa563a06cf394cb75ef42835b96be948c6f9bee00e1e6d9c61e3d5feb65
Instruction ID: 18dc884ffb05ee4159eaf13f7a1ce28de372d6f42c4723b97df4c9bda9a571bf
Opcode Fuzzy Hash: ae3c1fa563a06cf394cb75ef42835b96be948c6f9bee00e1e6d9c61e3d5feb65
Instruction Fuzzy Hash: 62219B35609118BFDB10AFA8DC89DAB77ECEB09760B108135F915CB260DA74DC81DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 009D783C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00951D35: CreateWindowExW.USER32 ref: 00951D73
Part of subcall function 00951D35: GetStockObject.GDI32(00000011), ref: 00951D87
Part of subcall function 00951D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00951D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 009D78A1
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 009D78AE
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 009D78B9
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 009D78C8
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 009D78D4

Strings

Msctls_Progress32, xrefs: 009D7872

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 8f666bf156f3b59e0bf449f73274c18199a86cd1f9617f158759aaa1c4c18cb3
Instruction ID: aa034aee155a5b0cb8f57fd0588b2c174e99de9cc0558283e075cb16c50e561c
Opcode Fuzzy Hash: 8f666bf156f3b59e0bf449f73274c18199a86cd1f9617f158759aaa1c4c18cb3
Instruction Fuzzy Hash: BE1190B2150219BFEF159FA0CC85EE77F6DEF08798F018115FA04A2190DB729C21EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 009741C9 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize), ref: 009741E3
GetProcAddress.KERNEL32(00000000), ref: 009741EA
RtlEncodePointer.KERNEL32(00000000), ref: 009741F6
RtlDecodePointer.KERNEL32(00000001), ref: 00974213

Strings

combase.dll, xrefs: 009741DE
RoInitialize, xrefs: 009741D2

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 3489934621-340411864
Opcode ID: e87aa0b411b67e8ee718ac198a4ce3694a95967045211df0f047e6c493c22797
Instruction ID: 6aa28a573a0736f782a52a537c7bcb339d46f86f14233a5dc5657f5181a2abc5
Opcode Fuzzy Hash: e87aa0b411b67e8ee718ac198a4ce3694a95967045211df0f047e6c493c22797
Instruction Fuzzy Hash: BEE092B05E5700BEDB109BF5EC1EB443698B764746F01C524B522D50E0D7B004D29F00

Uniqueness

Uniqueness Score: -1.00%

Function 0097429E Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,009741B8), ref: 009742B8
GetProcAddress.KERNEL32(00000000), ref: 009742BF
RtlEncodePointer.KERNEL32(00000000), ref: 009742CA
RtlDecodePointer.KERNEL32(009741B8), ref: 009742E5

Strings

combase.dll, xrefs: 009742B3
RoUninitialize, xrefs: 009742A7

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: f13e935971262b8fdf0f2b67434b4cd0b284310eeac458227adee1be2852fc26
Instruction ID: 61cd4ef3ef41b552aae0182036b0a6eee1f6beaebd90109b4c182c42e6aa9546
Opcode Fuzzy Hash: f13e935971262b8fdf0f2b67434b4cd0b284310eeac458227adee1be2852fc26
Instruction Fuzzy Hash: 85E04F7C5D6301BBEB01DBA4EC0EB403BA8B718786F108135F112F10A0CBB045D1DA04

Uniqueness

Uniqueness Score: -1.00%

Function 009B675A Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 009B68AD
_memmove.LIBCMT ref: 009B67E8

Part of subcall function 00959997: __itow.LIBCMT ref: 009599C2
Part of subcall function 00959997: __swprintf.LIBCMT ref: 00959A0C

_memmove.LIBCMT ref: 009B685B
_memmove.LIBCMT ref: 009B6942
_memmove.LIBCMT ref: 009B695B
_memmove.LIBCMT ref: 009B6977

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: ce0cd8cf810dde96a5469e945aa9a49f0b1fc4fdcdb89b8285c5ff828ef9e88c
Instruction ID: 5b8a4d569a7a0b38f2209067ccb741a792886a9ed7fde9c2f74f67375a20b043
Opcode Fuzzy Hash: ce0cd8cf810dde96a5469e945aa9a49f0b1fc4fdcdb89b8285c5ff828ef9e88c
Instruction Fuzzy Hash: 7261CB3150025ADBDF11EF69CD82FFE77A8AF84318F044519FC5A5B292DB38A909CB90

Uniqueness

Uniqueness Score: -1.00%

Function 009D046F Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00957F41: _memmove.LIBCMT ref: 00957F82

Part of subcall function 009D10A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,009D0038,?,?), ref: 009D10BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 009D0548
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 009D0588
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 009D05AB
RegEnumValueW.ADVAPI32 ref: 009D05D4
RegCloseKey.ADVAPI32(?,?,00000000), ref: 009D0617
RegCloseKey.ADVAPI32(00000000), ref: 009D0624

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: 26d5754bb527e5197427bbe247ecbe51e99427f106169ba9c924032dd2055298
Instruction ID: 4043320059e9c823549fe7d95e7a3fedae5f3efe9e8518e0c421e4b22bef22e3
Opcode Fuzzy Hash: 26d5754bb527e5197427bbe247ecbe51e99427f106169ba9c924032dd2055298
Instruction Fuzzy Hash: 87515A31508200AFC714EF65D895F6ABBE8FFC9314F04891EF945972A1DB31E908DB52

Uniqueness

Uniqueness Score: -1.00%

Function 009AF3DD Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 009AF3F7
VariantClear.OLEAUT32(00000013), ref: 009AF469
VariantClear.OLEAUT32(00000000), ref: 009AF4C4
_memmove.LIBCMT ref: 009AF4EE
VariantClear.OLEAUT32(?), ref: 009AF53B
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 009AF569

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: d13c2a4781cb4028d80dfdb7b623672b2ab06c3ad97acbd6423604597af03223
Instruction ID: 631d0f46c40c468d759d559787bbe901557489b77c075e2a71d2f1771513fbb4
Opcode Fuzzy Hash: d13c2a4781cb4028d80dfdb7b623672b2ab06c3ad97acbd6423604597af03223
Instruction Fuzzy Hash: 5B5156B5A00209AFCB10CF98D894AAAB7F8FF4D354B15856AF959DB310D730E951CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 009B26F9 Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 009B2747
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 009B2792
IsMenu.USER32 ref: 009B27B2
CreatePopupMenu.USER32(00A16890,00000000,762D33D0), ref: 009B27E6
GetMenuItemCount.USER32 ref: 009B2844
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 009B2875

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: d9af8362c4edc13acd293a5df6810ac65e8e9f6b2a91ebb5e1a4f290c7374526
Instruction ID: be7121d80c1bd5f64d572a07e116ea6b536b413044f4f41aad3b50d176b6a22d
Opcode Fuzzy Hash: d9af8362c4edc13acd293a5df6810ac65e8e9f6b2a91ebb5e1a4f290c7374526
Instruction Fuzzy Hash: 5351C270A04349EFDF25CF68DA88BEEBBF9EF44324F104669E8159B290D7709944CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00951765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00952612: GetWindowLongW.USER32(?,000000EB), ref: 00952623

BeginPaint.USER32(?,?,?,?,?,?), ref: 0095179A
GetWindowRect.USER32 ref: 009517FE
ScreenToClient.USER32 ref: 0095181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0095182C
EndPaint.USER32(?,?), ref: 00951876

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: 2359442ed74be560c6c70ca7823d8da19d80924a01784d0a5108da831bbb2465
Instruction ID: 9354f086e5124b962f84948efaad1c90eec9582529e94e8f74c2d291e369c94b
Opcode Fuzzy Hash: 2359442ed74be560c6c70ca7823d8da19d80924a01784d0a5108da831bbb2465
Instruction Fuzzy Hash: 1D41BE70104301AFD720DF65CC85FBA7BF8EB49725F044669FAA5C72A1C730984ADB61

Uniqueness

Uniqueness Score: -1.00%

Function 009DB958 Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(00A167B0,00000000,01558788,?,?,00A167B0,?,009DB862,?,?), ref: 009DB9CC
EnableWindow.USER32(?,00000000), ref: 009DB9F0
ShowWindow.USER32(00A167B0,00000000,01558788,?,?,00A167B0,?,009DB862,?,?), ref: 009DBA50
ShowWindow.USER32(?,00000004,?,009DB862,?,?), ref: 009DBA62
EnableWindow.USER32(?,00000001), ref: 009DBA86
SendMessageW.USER32(?,0000130C,?,00000000), ref: 009DBAA9

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 2282b9bfa84b39d03766b8dcbe00ae6092c36f70803945deba9f2529355e572a
Instruction ID: 99163b2780dd7ed13fd981f39ef0bb2ca92aeb5f7b68af6baa02e45f48d6f599
Opcode Fuzzy Hash: 2282b9bfa84b39d03766b8dcbe00ae6092c36f70803945deba9f2529355e572a
Instruction Fuzzy Hash: 84418034680640EFDB21CF24C499B957BE4FB09314F5A82BBEA498F7A2C731E845CB50

Uniqueness

Uniqueness Score: -1.00%

Function 009C73B1 Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,009C5134,?,?,00000000,00000001), ref: 009C73BF

Part of subcall function 009C3C94: GetWindowRect.USER32 ref: 009C3CA7

GetDesktopWindow.USER32 ref: 009C73E9
GetWindowRect.USER32 ref: 009C73F0
mouse_event.USER32 ref: 009C7422

Part of subcall function 009B54E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 009B555E

GetCursorPos.USER32(?,?,?,?,?,?,009C5134,?,?,00000000,00000001), ref: 009C744E
mouse_event.USER32 ref: 009C74AC

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: 123a7525043405d18b169a7f425d5f48da3f02b1cfda05d14f289bce4c0aaff7
Instruction ID: 694c4aaf3a291a61a4dfff0d13d7fccaa1cc4a8838ea5a9bf6b503ccbd7a281c
Opcode Fuzzy Hash: 123a7525043405d18b169a7f425d5f48da3f02b1cfda05d14f289bce4c0aaff7
Instruction Fuzzy Hash: E831C472509305ABD724DF54D849F9BBBEAFF88314F00491EF58997191C730EA49CB92

Uniqueness

Uniqueness Score: -1.00%

Function 009DC19A Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 009512F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0095134D
Part of subcall function 009512F3: SelectObject.GDI32(?,00000000), ref: 0095135C
Part of subcall function 009512F3: BeginPath.GDI32(?), ref: 00951373
Part of subcall function 009512F3: SelectObject.GDI32(?,00000000), ref: 0095139C

MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 009DC1C4
LineTo.GDI32(00000000,00000003,?), ref: 009DC1D8
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 009DC1E6
LineTo.GDI32(00000000,00000000,?), ref: 009DC1F6
EndPath.GDI32(00000000), ref: 009DC206
StrokePath.GDI32(00000000), ref: 009DC216

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: fcf93818eade0cb4d191b459eb0684feca5eb3232335256bffed2726540a85e6
Instruction ID: b123d872bffebec25a2e9a8e4a3915f069f702f947718f76a5c2a4a65cfcd24b
Opcode Fuzzy Hash: fcf93818eade0cb4d191b459eb0684feca5eb3232335256bffed2726540a85e6
Instruction Fuzzy Hash: 68111B7644410DBFDF119F90DC89FEA7FADEF08354F048022BA198A161C7719E95EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 009703A2 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 009703D3
MapVirtualKeyW.USER32(00000010,00000000), ref: 009703DB
MapVirtualKeyW.USER32(000000A0,00000000), ref: 009703E6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 009703F1
MapVirtualKeyW.USER32(00000011,00000000), ref: 009703F9
MapVirtualKeyW.USER32(00000012,00000000), ref: 00970401

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: bf045f75c952561c0926a6ca5e150054bfa50126837991802b05b95df63ad760
Instruction ID: 724221bb911ccc274b16a3c35f10d2b71110f35041fe1eefb34e360fb0f1fa8a
Opcode Fuzzy Hash: bf045f75c952561c0926a6ca5e150054bfa50126837991802b05b95df63ad760
Instruction Fuzzy Hash: 9A016CB09427597DE3008F5A8C85B52FFA8FF19354F00411BA15C47941C7F5A864CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 009B568B Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 009B569B
SendMessageTimeoutW.USER32 ref: 009B56B1
GetWindowThreadProcessId.USER32(?,?), ref: 009B56C0
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 009B56CF
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 009B56D9
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 009B56E0

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 1cb733bddd1b7618e0665803cb032301b3e6278222e8b84e1901eef732d9c5c9
Instruction ID: 32ce50a0528ea2031171f8647b625e640d82ebab24bd7b677a011ec82390ce3a
Opcode Fuzzy Hash: 1cb733bddd1b7618e0665803cb032301b3e6278222e8b84e1901eef732d9c5c9
Instruction Fuzzy Hash: A5F0903229A118BBE3205BA2DC0EEEF7B7CEFC6B11F00016AFA02D1050D7A05A4196B5

Uniqueness

Uniqueness Score: -1.00%

Function 009B74D2 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 009B74E5
RtlEnterCriticalSection.KERNEL32(?,?,00961044,?,?), ref: 009B74F6
TerminateThread.KERNEL32(00000000,000001F6,?,00961044,?,?), ref: 009B7503
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00961044,?,?), ref: 009B7510

Part of subcall function 009B6ED7: CloseHandle.KERNEL32(00000000,?,009B751D,?,00961044,?,?), ref: 009B6EE1

InterlockedExchange.KERNEL32(?,000001F6), ref: 009B7523
RtlLeaveCriticalSection.KERNEL32(?,?,00961044,?,?), ref: 009B752A

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 07bd14379444569d4f73dad5ff4f87c03adf9b369de2231c1faca612826b93a6
Instruction ID: 66472f3320884d8b8ab0c01b58329d91ce40b9f05b8a96a47726b582d22fed6f
Opcode Fuzzy Hash: 07bd14379444569d4f73dad5ff4f87c03adf9b369de2231c1faca612826b93a6
Instruction Fuzzy Hash: F9F0B43A099612EBD7111B64FD4DADB7729EF44312B000132F203900B0CB755980DB60

Uniqueness

Uniqueness Score: -1.00%

Function 009C8902 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 009C8928
CharUpperBuffW.USER32(?,?), ref: 009C8A37
VariantClear.OLEAUT32(?), ref: 009C8BAF

Part of subcall function 009B7804: VariantInit.OLEAUT32(00000000), ref: 009B7844
Part of subcall function 009B7804: VariantCopy.OLEAUT32(00000000,?), ref: 009B784D
Part of subcall function 009B7804: VariantClear.OLEAUT32(00000000), ref: 009B7859

Strings

AUTOIT.ERROR, xrefs: 009C8A3D
Incorrect Parameter format, xrefs: 009C8960, 009C8B22

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: 5b72ec27c722bf0eeae3fbf7884f4a5731a4f8a00e89b2b6b9c453061b2ac3d2
Instruction ID: 579962d33a03c203b2af6431b89fff408eb51dd21f6b27f59e7f8b880df691c7
Opcode Fuzzy Hash: 5b72ec27c722bf0eeae3fbf7884f4a5731a4f8a00e89b2b6b9c453061b2ac3d2
Instruction Fuzzy Hash: 64915B75A083019FC710DF25C495E5BBBE4AFC9354F04896EF89A8B362DB30E949CB52

Uniqueness

Uniqueness Score: -1.00%

Function 009A9372 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00957F41: _memmove.LIBCMT ref: 00957F82

Part of subcall function 009AB0C4: GetClassNameW.USER32 ref: 009AB0E7

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 009A93F6
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 009A9409
SendMessageW.USER32(?,00000189,?,00000000), ref: 009A9439

Part of subcall function 00957D2C: _memmove.LIBCMT ref: 00957D66

Strings

ComboBox, xrefs: 009A9380
ListBox, xrefs: 009A93B5

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: ec239a901e6e94c2410f18dbc8ac574f28318ece50f1d986f3d86f0a3c6d1497
Instruction ID: a534f0d158bac24906c22d92b728906689baaf955568c502751cb6f2ffc2464d
Opcode Fuzzy Hash: ec239a901e6e94c2410f18dbc8ac574f28318ece50f1d986f3d86f0a3c6d1497
Instruction Fuzzy Hash: FF212671940108BBDB14ABB1DC86DFFB7BCEF86310B108519F926972E1DB344E0A9650

Uniqueness

Uniqueness Score: -1.00%

Function 009D6656 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00951D35: CreateWindowExW.USER32 ref: 00951D73
Part of subcall function 00951D35: GetStockObject.GDI32(00000011), ref: 00951D87
Part of subcall function 00951D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00951D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 009D66D0
LoadLibraryW.KERNEL32(?), ref: 009D66D7
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 009D66EC
DestroyWindow.USER32(?), ref: 009D66F4

Strings

SysAnimate32, xrefs: 009D66AB

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: 5c3262d36002ae9902684b686dd890eb5fbe325e62060f51cd25774a22c734a6
Instruction ID: 76c7c9370985a3afe41a0664b875d22d14374c490213a90090f479204cd9dede
Opcode Fuzzy Hash: 5c3262d36002ae9902684b686dd890eb5fbe325e62060f51cd25774a22c734a6
Instruction Fuzzy Hash: BE21A171150209BFEF104F64EC81EBB77ADEF59368F90862AF911922D0D771CC919760

Uniqueness

Uniqueness Score: -1.00%

Function 009B703E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 009B705E
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 009B7091
GetStdHandle.KERNEL32(0000000C), ref: 009B70A3
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 009B70DD

Strings

nul, xrefs: 009B70D8

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: a400a056cebe9a5705dd1887e1d6a5475d7d807944b9b509b8ce16c4d9b807e7
Instruction ID: 69e705482172c5bdbd1b03ea0a6472636807f0e886041edad75c0522cc366d90
Opcode Fuzzy Hash: a400a056cebe9a5705dd1887e1d6a5475d7d807944b9b509b8ce16c4d9b807e7
Instruction Fuzzy Hash: 19215174548209ABDB20AF78DD05ADAB7A8BF94730F204B1AFDA1D72D0D770A9509B50

Uniqueness

Uniqueness Score: -1.00%

Function 009B710C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 009B712B
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 009B715D
GetStdHandle.KERNEL32(000000F6), ref: 009B716E
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 009B71A8

Strings

nul, xrefs: 009B71A3

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 110e2b8badb71f3ca63aa1d325239fee1ec953b5051a23e70dd0a362adc7017f
Instruction ID: 03f901af55d47e758fc5dadcdd8e8ee03381dc27440f26b9e88a6e3a19e06e12
Opcode Fuzzy Hash: 110e2b8badb71f3ca63aa1d325239fee1ec953b5051a23e70dd0a362adc7017f
Instruction Fuzzy Hash: 88217F7564C205ABDB209FAC9D05AEAB7ACAF95730F200B19FDB1D72D0D770A8418B70

Uniqueness

Uniqueness Score: -1.00%

Function 009AA52F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00957D2C: _memmove.LIBCMT ref: 00957D66

Part of subcall function 009AA37C: SendMessageTimeoutW.USER32 ref: 009AA399
Part of subcall function 009AA37C: GetWindowThreadProcessId.USER32(?,00000000), ref: 009AA3AC
Part of subcall function 009AA37C: GetCurrentThreadId.KERNEL32 ref: 009AA3B3
Part of subcall function 009AA37C: AttachThreadInput.USER32(00000000), ref: 009AA3BA

GetFocus.USER32 ref: 009AA554

Part of subcall function 009AA3C5: GetParent.USER32(?), ref: 009AA3D3

GetClassNameW.USER32 ref: 009AA59D
EnumChildWindows.USER32 ref: 009AA5C5
__swprintf.LIBCMT ref: 009AA5DF

Strings

%s%d, xrefs: 009AA5D9

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
String ID: %s%d
API String ID: 1941087503-1110647743
Opcode ID: 8c1d8115ac56df086466ef1e6bbfe5f3f9ddaaa6b22fe1185988570396b0ebe5
Instruction ID: f8d08672ddc1729525087db17e572abdd57ab1501f4f8133196676ca3e01674a
Opcode Fuzzy Hash: 8c1d8115ac56df086466ef1e6bbfe5f3f9ddaaa6b22fe1185988570396b0ebe5
Instruction Fuzzy Hash: F611A2716402087BDF11BF60EC86FEA777CAF89701F048075BD09AA192DB705A45DBB5

Uniqueness

Uniqueness Score: -1.00%

Function 009B2017 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 009B2048

Strings

KEYS, xrefs: 009B205F
REMOVE, xrefs: 009B204E
APPEND, xrefs: 009B2081
EXISTS, xrefs: 009B2070

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: 4a8a95b05639e05cd9c15181d7deaf4d287dd491bc6cba073bffbcca83e62456
Instruction ID: e555413beda904453d0cf8477f95e2ae80cd5d198946a5ec93d53a5e2404945b
Opcode Fuzzy Hash: 4a8a95b05639e05cd9c15181d7deaf4d287dd491bc6cba073bffbcca83e62456
Instruction Fuzzy Hash: 5D11A13191420DDFCF10EFA4D9515EEB3B4FF69300B108968D85967292DB32590ACB40

Uniqueness

Uniqueness Score: -1.00%

Function 0097564D Relevance: 7.7, APIs: 5, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 009756AB
_memcpy_s.LIBCMT ref: 0097571D
__read_nolock.LIBCMT ref: 0097577B
__filbuf.LIBCMT ref: 0097579E
_memset.LIBCMT ref: 009757E2

Part of subcall function 00978D68: __getptd_noexit.LIBCMT ref: 00978D68

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: fd1a262b7e6f1cb596d0076786feeeb097306c284ce0f321d4276a437e8c5e71
Instruction ID: b39346048ca26b976efcbac04a88e2c1f7402d681fa05ff3b029b1a0c5990f01
Opcode Fuzzy Hash: fd1a262b7e6f1cb596d0076786feeeb097306c284ce0f321d4276a437e8c5e71
Instruction Fuzzy Hash: 9E51A472A00B09DBDB689F79C88466E77A9AF40320F66C729F83D962D0D7F49D518B40

Uniqueness

Uniqueness Score: -1.00%

Function 009D02C2 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00957F41: _memmove.LIBCMT ref: 00957F82

Part of subcall function 009D10A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,009D0038,?,?), ref: 009D10BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 009D0388
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 009D03C7
RegEnumKeyExW.ADVAPI32 ref: 009D040E
RegCloseKey.ADVAPI32(?,?), ref: 009D043A
RegCloseKey.ADVAPI32(00000000), ref: 009D0447

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: 349c37344c67f4924517119e9d68e555f4e6fad642085af8c15abceb9b1e984b
Instruction ID: 47be59caf0f4977c671c2adef0f1dd9db45687facf63575ef9ea3d9aca3c2060
Opcode Fuzzy Hash: 349c37344c67f4924517119e9d68e555f4e6fad642085af8c15abceb9b1e984b
Instruction Fuzzy Hash: BE514B31648204AFD704EF65D891F6EB7E8FFC8304F04892EB596972A1DB74E908DB52

Uniqueness

Uniqueness Score: -1.00%

Function 009BE7DC Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32 ref: 009BE88A
GetPrivateProfileSectionW.KERNEL32 ref: 009BE8B3
WritePrivateProfileSectionW.KERNEL32 ref: 009BE8F2

Part of subcall function 00959997: __itow.LIBCMT ref: 009599C2
Part of subcall function 00959997: __swprintf.LIBCMT ref: 00959A0C

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 009BE917
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 009BE91F

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: 61ca76ad410e3d437866d3dcb7c1de4a5d2980ccf9abf118e64f0fce592f94c4
Instruction ID: 4db441b8aaef228660726cb1b2aa4aa38bff6f47e9a5232c1c1131a71b05fcc5
Opcode Fuzzy Hash: 61ca76ad410e3d437866d3dcb7c1de4a5d2980ccf9abf118e64f0fce592f94c4
Instruction Fuzzy Hash: 2E515F35A00209DFDF01EF65C991AADBBF5FF48311B188099E80AAB361CB31ED45DB50

Uniqueness

Uniqueness Score: -1.00%

Function 009DA2C5 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28413987a1d634c10dd67d16e320e59d7284188e986b94a5b4769422cbb7d7b7
Instruction ID: 25e14cb60c206f9b825173e7a8cfd7893e2ae21921673625d2fcb7089b451f37
Opcode Fuzzy Hash: 28413987a1d634c10dd67d16e320e59d7284188e986b94a5b4769422cbb7d7b7
Instruction Fuzzy Hash: 8B410435985104AFC710DF28CC49FA9FBAAEB09310F148266F816A73E0D770AE61DA51

Uniqueness

Uniqueness Score: -1.00%

Function 00952344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?,?,00A167B0,?,00A167B0,00A167B0,?,009DC247,00000000,00000001,?,?,?,0098BC4F,?,?), ref: 00952357
ScreenToClient.USER32 ref: 00952374
GetAsyncKeyState.USER32(00000001), ref: 00952399
GetAsyncKeyState.USER32(00000002), ref: 009523A7

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 32a5ee6742b739529f206bd9fb3b40c71fc2327f7fbb8322882f33f17ade8d51
Instruction ID: ceaaf6a8cfb6e360777b58e9ab2067fcb7daa998a4673ef0824b08fa100d6918
Opcode Fuzzy Hash: 32a5ee6742b739529f206bd9fb3b40c71fc2327f7fbb8322882f33f17ade8d51
Instruction Fuzzy Hash: E841A171508119FBCF15EF69C844AE9BB74FB46721F10435AF82592290C734A994DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 009A6920 Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32 ref: 009A695D
TranslateAcceleratorW.USER32(?,?,?), ref: 009A69A9
TranslateMessage.USER32(?), ref: 009A69D2
DispatchMessageW.USER32 ref: 009A69DC
PeekMessageW.USER32 ref: 009A69EB

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: 99c0cc39a5a1f5a19b9d1a84b83f5c3aab2867caa95996f98c47c153a80757c4
Instruction ID: bdac7bc49eda7d9aa117c64d326e057e91c93e059e305cb5155d55ce6dc7d388
Opcode Fuzzy Hash: 99c0cc39a5a1f5a19b9d1a84b83f5c3aab2867caa95996f98c47c153a80757c4
Instruction Fuzzy Hash: C531C171944246AADB20CFB49C49BF77BACAB43304F1C856AE426D20A1D734D88AD7E0

Uniqueness

Uniqueness Score: -1.00%

Function 009AB6AF Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 009AB6C7
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 009AB6E4
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 009AB71C
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 009AB742
_wcsstr.LIBCMT ref: 009AB74C

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: 6737f244d87de93f88630ec9052c8d605f92e95cd4e0e58d5be900dbca35e386
Instruction ID: b3668fae9c731eb38c1402c2b1b1dd45184957cc4ee5a9894903b0a882b55d58
Opcode Fuzzy Hash: 6737f244d87de93f88630ec9052c8d605f92e95cd4e0e58d5be900dbca35e386
Instruction Fuzzy Hash: 0E21FC32245204BBEB155B399C49E7B7B9CDF86720F10803AFC09CA1A2EF61DC409690

Uniqueness

Uniqueness Score: -1.00%

Function 009DB405 Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00952612: GetWindowLongW.USER32(?,000000EB), ref: 00952623

GetWindowLongW.USER32(?,000000F0), ref: 009DB44C
SetWindowLongW.USER32 ref: 009DB471
SetWindowLongW.USER32 ref: 009DB489
GetSystemMetrics.USER32 ref: 009DB4B2
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,009C1184,00000000), ref: 009DB4D0

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: df84f25cce9663b86f2dad3e13bbdcf063f73cfeb871b076ef6df8f6ee531c49
Instruction ID: f428e6b374000520ec7143f7c8d45583b0e192e8374f72cd4aa601a68db86f2d
Opcode Fuzzy Hash: df84f25cce9663b86f2dad3e13bbdcf063f73cfeb871b076ef6df8f6ee531c49
Instruction Fuzzy Hash: AD219131554215EFCB10CF79DC04A6A37A8EB05720F16CB3AF926C22F1E7309851DB80

Uniqueness

Uniqueness Score: -1.00%

Function 009A97E9 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 009A9802

Part of subcall function 00957D2C: _memmove.LIBCMT ref: 00957D66

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 009A9834
__itow.LIBCMT ref: 009A984C
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 009A9874
__itow.LIBCMT ref: 009A9885

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: 11990a83145d0e29cccac29763d276550a506fa83303fc5c11421a96a857d683
Instruction ID: f55b09a1a2701fec5d8a576b13cc3ed28220022d87195a5294777b45eb95e7d1
Opcode Fuzzy Hash: 11990a83145d0e29cccac29763d276550a506fa83303fc5c11421a96a857d683
Instruction Fuzzy Hash: 1A21C531B01208BBDB109AA99C8AFAE7BADFF8BB14F044025FD05DB291D6748D4597D1

Uniqueness

Uniqueness Score: -1.00%

Function 009512F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0095134D
SelectObject.GDI32(?,00000000), ref: 0095135C
BeginPath.GDI32(?), ref: 00951373
SelectObject.GDI32(?,00000000), ref: 0095139C

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: e2de9fcbb3fcd340669385692b83ddd08594cc5e68432b9a04777213de3fe480
Instruction ID: 8740da896a7878edc2282d775fa18d5d24b7136c3c953e62df9419198cc429c9
Opcode Fuzzy Hash: e2de9fcbb3fcd340669385692b83ddd08594cc5e68432b9a04777213de3fe480
Instruction Fuzzy Hash: 4F217C70815308EFDB10DFAADC197E97BB9FB00322F14C226F851D65A0D371989ADB90

Uniqueness

Uniqueness Score: -1.00%

Function 009AC161 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 009AC176
_memcmp.LIBCMT ref: 009AC194
_memcmp.LIBCMT ref: 009AC1A7
_memcmp.LIBCMT ref: 009AC1BF
_memcmp.LIBCMT ref: 009AC1D7

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: e7aca660dbb5549c51a82787d7c6dfe4a38955fbdf5195004f2ca2903082a5d9
Instruction ID: 02f46365cdb11cf191bed44ddc946e72791187ac182441c62b2e03853cdfa311
Opcode Fuzzy Hash: e7aca660dbb5549c51a82787d7c6dfe4a38955fbdf5195004f2ca2903082a5d9
Instruction Fuzzy Hash: 9401B9F27081057BD205AA259C42F6B739D9BA2398F148411FD04AE283EA55EE1183E0

Uniqueness

Uniqueness Score: -1.00%

Function 009A874A Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 009A8766
GetLastError.KERNEL32(?,009A822A,?,?,?), ref: 009A8770
GetProcessHeap.KERNEL32(00000008,?,?,009A822A,?,?,?), ref: 009A877F
RtlAllocateHeap.KERNEL32(00000000,?,009A822A,?,?,?), ref: 009A8786
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 009A879D

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocateErrorLastProcess
String ID:
API String ID: 883493501-0
Opcode ID: 3d57d5f71f530355177346d9c50ab91c53b25fc6e75cdb5c89490cc7890e2d3a
Instruction ID: cd0c350e6910d5249f1e4011187ffb0cc91bbf2ad353d37ed9cfe36670bf8371
Opcode Fuzzy Hash: 3d57d5f71f530355177346d9c50ab91c53b25fc6e75cdb5c89490cc7890e2d3a
Instruction Fuzzy Hash: 38016275255204FFDB104FA5DC59D67BB6CFF86355720043AF84AC3160DA318D40DAA0

Uniqueness

Uniqueness Score: -1.00%

Function 009B54E6 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 009B5502
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 009B5510
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 009B5518
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 009B5522
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 009B555E

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 5ee7fb26c38e462835ca348ecc24bcc7d3b0815349b5ba8591a6c252fb355b1f
Instruction ID: 36eab4b8009aab06a34152846d647e726e19724c51aa7be796fcac03a36b948e
Opcode Fuzzy Hash: 5ee7fb26c38e462835ca348ecc24bcc7d3b0815349b5ba8591a6c252fb355b1f
Instruction Fuzzy Hash: C8018B75C19A19DBCF10EFE8E9596EDBB78BB09322F010056E802F2100DB705590DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 009A7652 Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

76DABC30.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,009A758C,80070057,?,?,?,009A799D), ref: 009A766F
76E68640.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,009A758C,80070057,?,?), ref: 009A768A
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,009A758C,80070057,?,?), ref: 009A7698
76E3A680.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,009A758C,80070057,?), ref: 009A76A8
76E37540.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,009A758C,80070057,?,?), ref: 009A76B4

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: A680E37540E68640lstrcmpi
String ID:
API String ID: 1415869715-0
Opcode ID: 40135b928405c26e3afaf227ca64d1ec56cc05f8d73876a639687660b0e13de5
Instruction ID: 5618a1717d0aecea3dd181fc646ca066caab631a6e092a05bdbd086647ed84d3
Opcode Fuzzy Hash: 40135b928405c26e3afaf227ca64d1ec56cc05f8d73876a639687660b0e13de5
Instruction Fuzzy Hash: 6A01D4B2615608BBDB104F98DC0ABAABBECEB45751F144029FD06D2211E731DE40A7E1

Uniqueness

Uniqueness Score: -1.00%

Function 009A85F1 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 009A8608
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 009A8612
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 009A8621
RtlAllocateHeap.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 009A8628
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 009A863E

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: HeapInformationToken$AllocateErrorLastProcess
String ID:
API String ID: 47921759-0
Opcode ID: d829e303e5be75250c4a49f85aee15fee5774f7169bdcceba846ad627ff58d9b
Instruction ID: 7ab99c4a20ce8b80fd45f1d8ef842edc7a62dae59a5272bcf54d6fcc9267a979
Opcode Fuzzy Hash: d829e303e5be75250c4a49f85aee15fee5774f7169bdcceba846ad627ff58d9b
Instruction Fuzzy Hash: 99F06235256204AFEB100FA5DD9EE6B3BACEF8A794B044426F946C7150CB719C81EAA0

Uniqueness

Uniqueness Score: -1.00%

Function 009A8652 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 009A8669
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 009A8673
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 009A8682
RtlAllocateHeap.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 009A8689
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 009A869F

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: HeapInformationToken$AllocateErrorLastProcess
String ID:
API String ID: 47921759-0
Opcode ID: 8c8872e849145d24c0034965e63a978e8d6281f0f75ffe917eaddcb07c064e64
Instruction ID: 154f08b160de69faee23b761d56441e2a0ed747f6d3b05f5ccc2486bd9759151
Opcode Fuzzy Hash: 8c8872e849145d24c0034965e63a978e8d6281f0f75ffe917eaddcb07c064e64
Instruction Fuzzy Hash: 0CF0C274255304BFEB111FA4EC99E677BBCEF8A794B140026F906C3150CB70DD80EAA0

Uniqueness

Uniqueness Score: -1.00%

Function 009AC6A6 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 009AC6BA
GetWindowTextW.USER32 ref: 009AC6D1
MessageBeep.USER32(00000000), ref: 009AC6E9
KillTimer.USER32(?,0000040A), ref: 009AC705
EndDialog.USER32(?,00000001), ref: 009AC71F

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 6f1aee449e78ec408a5a483fd3386cc1d1589873771fa76b83518502c2e8a424
Instruction ID: 3dccccc5d593e7e8648812e54577c04c19f496232caca8d9c2afba327d42edca
Opcode Fuzzy Hash: 6f1aee449e78ec408a5a483fd3386cc1d1589873771fa76b83518502c2e8a424
Instruction Fuzzy Hash: 8E01A270455708ABEB219B20DD5EF9677B8FF01701F00066AF543A54E0DBE4A9949FC0

Uniqueness

Uniqueness Score: -1.00%

Function 009513B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 009513BF
StrokeAndFillPath.GDI32(?,?,0098BAD8,00000000,?), ref: 009513DB
SelectObject.GDI32(?,00000000), ref: 009513EE
DeleteObject.GDI32 ref: 00951401
StrokePath.GDI32(?), ref: 0095141C

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: bd0c2bcab76955e97ee3c6081cd180147df08d7dd019dece42e28e9df0f8e1c1
Instruction ID: 9c0ec9abadb7eccec5688129065bd34413d114ff72bc53a801f2861da82501e9
Opcode Fuzzy Hash: bd0c2bcab76955e97ee3c6081cd180147df08d7dd019dece42e28e9df0f8e1c1
Instruction Fuzzy Hash: 69F0FF30059308EBDB15DFAAEC1D7983FA9A701326F04C225F86A894F1C735499AEF50

Uniqueness

Uniqueness Score: -1.00%

Function 009BC602 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 009BC69D
76E2B690.OLE32(009E2D6C,00000000,00000001,009E2BDC,?), ref: 009BC6B5

Part of subcall function 00957F41: _memmove.LIBCMT ref: 00957F82

76E2F460.OLE32 ref: 009BC922

Strings

.lnk, xrefs: 009BC631, 009BC659, 009BC663

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: B690F460Initialize_memmove
String ID: .lnk
API String ID: 2555018700-24824748
Opcode ID: 77a9c6e3807519b146fb7c03c5f6b1d6933288c2f50b5227fb5f03dcc793599b
Instruction ID: ead0b41cb3b8ebf0637598b3f6c33f60627be6d4252fa4baf2cd4582f37a90b9
Opcode Fuzzy Hash: 77a9c6e3807519b146fb7c03c5f6b1d6933288c2f50b5227fb5f03dcc793599b
Instruction Fuzzy Hash: 81A14C71108205AFD700EF65C891EABB7ECEFD4305F04492CF556971A2DB70EA49CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0097524D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 009752DD

Part of subcall function 00980340: __87except.LIBCMT ref: 0098037B

Strings

pow, xrefs: 009752B5, 009752D2

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: e838a168d8f8087df68b3e515b0da316e2e6b9c3f24c9f4296383d1fe07880b9
Instruction ID: ee7e640850b74d014432bd77256dc97bd932ebb2a9a8a4200309c7310fbc5786
Opcode Fuzzy Hash: e838a168d8f8087df68b3e515b0da316e2e6b9c3f24c9f4296383d1fe07880b9
Instruction Fuzzy Hash: 2B516A22A1DA01C7DB90B724C94137E6B989B80750F21CD59E4DD863F6FEB88CC89B46

Uniqueness

Uniqueness Score: -1.00%

Function 0097023B Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163COMMON

Download Yara Rule

Strings

+, xrefs: 00970277
#, xrefs: 00970280

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID:
String ID: #$+
API String ID: 0-2552117581
Opcode ID: 5c6af35b44cf98569d7068778d1cde960772aea55994714ff1d81e26d8edb74c
Instruction ID: 39ab29e28c7088d0730a04834b0513178a25b6de2ff259198db44da92d34df21
Opcode Fuzzy Hash: 5c6af35b44cf98569d7068778d1cde960772aea55994714ff1d81e26d8edb74c
Instruction Fuzzy Hash: 3E513376604246DFCF15DF28C488AFABBA8EF96310F198055FC959B2E0D7349D46CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 009D7648 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 009D76D0
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 009D76E4
SendMessageW.USER32(?,00001002,00000000,?), ref: 009D7708

Strings

SysMonthCal32, xrefs: 009D769B

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 3008c70811c6a84a216aa7db50bce7313f5ca3c9b60314241cfd4fa642c6f69a
Instruction ID: 254c7cbcdeb63c47891adaf19200b07936721d9d5c992e5f1d8d0a71fd614d4d
Opcode Fuzzy Hash: 3008c70811c6a84a216aa7db50bce7313f5ca3c9b60314241cfd4fa642c6f69a
Instruction Fuzzy Hash: 8121E232554219BBDF11CFA4CC46FEA3B79EF88724F114215FE156B2D0EAB1E8509BA0

Uniqueness

Uniqueness Score: -1.00%

Function 009D797D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 009D79E1
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 009D79F6
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 009D7A03

Strings

msctls_trackbar32, xrefs: 009D79B8

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 9aec69f56833e858fdcbc66ace96398292a030e43061f86f7567a83ce9bfab4b
Instruction ID: 8ad7687093a9d86abf61dc3584e0e6f3a1530a9179cbd8b970812baeba5af4fe
Opcode Fuzzy Hash: 9aec69f56833e858fdcbc66ace96398292a030e43061f86f7567a83ce9bfab4b
Instruction Fuzzy Hash: 5611E332294208BAEF109FA0CC05FEB77ADEF89764F02851AFA41A61D0E671D851DB60

Uniqueness

Uniqueness Score: -1.00%

Function 009CC304 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00991D88,?), ref: 009CC312
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 009CC324

Strings

kernel32.dll, xrefs: 009CC30D
GetSystemWow64DirectoryW, xrefs: 009CC31E

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: 7cb879efa84cf3551c29b0029cb50b4e3faeeb0af1803d5c90069015a9be55f3
Instruction ID: 10999a44a6330e46b1cba6821aa70709aa425ea9d1a980f47856a684700125d6
Opcode Fuzzy Hash: 7cb879efa84cf3551c29b0029cb50b4e3faeeb0af1803d5c90069015a9be55f3
Instruction Fuzzy Hash: 90E08CB0A50303CFCB204F25E815F467AD8EB08344B84C83EE89ED2261E774D881CB60

Uniqueness

Uniqueness Score: -1.00%

Function 009D1072 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,009D12C1), ref: 009D1080
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 009D1092

Strings

advapi32.dll, xrefs: 009D107B
RegDeleteKeyExW, xrefs: 009D108C

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: c8ab087aa5c2113ac6a52b2804507fd746416a2d033ce85d7cd22db8c6a03eb6
Instruction ID: 9519a68ec0a3b5572c7d7d8e84c75f48997eb60795d5fbd3954ecf0c31668c9a
Opcode Fuzzy Hash: c8ab087aa5c2113ac6a52b2804507fd746416a2d033ce85d7cd22db8c6a03eb6
Instruction Fuzzy Hash: 62D012315A8713EFD7205F35D92955676E8AF09751B15CC3BA496D6290D770C4C0C650

Uniqueness

Uniqueness Score: -1.00%

Function 009C93F5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,009C9009,?,009DF910), ref: 009C9403
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 009C9415

Strings

GetModuleHandleExW, xrefs: 009C940F
kernel32.dll, xrefs: 009C93FE

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: e38426f4952f0ba2d61ccf0cf80091eb14708b1e79b1c73cfa5ed3ab62afac08
Instruction ID: 3c15dd0bf45fa75061ae4e63fe28a83869e6222fc4d5f41e275a735e24a78fda
Opcode Fuzzy Hash: e38426f4952f0ba2d61ccf0cf80091eb14708b1e79b1c73cfa5ed3ab62afac08
Instruction Fuzzy Hash: DBD0C7309A8723CFD7208F30D91EA0273E8AF00346B01C83FA486D26A0E770C8C0CA11

Uniqueness

Uniqueness Score: -1.00%

Function 009A76C5 Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c10a5ef842577ef94f4d535981bd03a50a4699f24b4ef14969f2a3426f5af7a
Instruction ID: 085b7b9e5f47fe3f59c7b6950af8aa45a0e3664aa41d4dda1dbff025ef3e6442
Opcode Fuzzy Hash: 0c10a5ef842577ef94f4d535981bd03a50a4699f24b4ef14969f2a3426f5af7a
Instruction Fuzzy Hash: 15C16D75A04216EFCB14CF98C885EAEF7B9FF89714B118599E805EB251D730ED81CB90

Uniqueness

Uniqueness Score: -1.00%

Function 009CE33E Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 009CE3D2
CharLowerBuffW.USER32(?,?), ref: 009CE415

Part of subcall function 009CDAB9: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 009CDAD9

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 009CE615
_memmove.LIBCMT ref: 009CE628

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: 92b2561c9eb1336bf2e2e4da89dd427e81003937608a898aa0ddcbf8964a6cb9
Instruction ID: e07e58980c71b3e92497aa9b378b6f61b1b2618bf75d1990cd1340071d400d9b
Opcode Fuzzy Hash: 92b2561c9eb1336bf2e2e4da89dd427e81003937608a898aa0ddcbf8964a6cb9
Instruction Fuzzy Hash: 5AC16C71A08341DFCB14DF28C490A5ABBE4FF88714F14896DF89A9B351D731E945CB92

Uniqueness

Uniqueness Score: -1.00%

Function 009C83A8 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 009C83D8
76E2F460.OLE32 ref: 009C83E3

Part of subcall function 009ADA5D: 76E2B690.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 009ADAC5

VariantInit.OLEAUT32(?), ref: 009C83EE
VariantClear.OLEAUT32(?), ref: 009C86BF

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: Variant$B690ClearF460InitInitialize
String ID:
API String ID: 893945453-0
Opcode ID: 1ebf6d3ae6a64a2b042ee968446c74adb4252bfa5625d96c9e73b44d27e14b8e
Instruction ID: e4d909468755b33f40dca8c3d4154037b702914c38195dcaa7f713469a15f722
Opcode Fuzzy Hash: 1ebf6d3ae6a64a2b042ee968446c74adb4252bfa5625d96c9e73b44d27e14b8e
Instruction Fuzzy Hash: 88A112756047019FDB10DF29C995B2AB7E4BF88314F08884DF99A9B3A1CB30ED04CB92

Uniqueness

Uniqueness Score: -1.00%

Function 009CF121 Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 009CF151
Process32FirstW.KERNEL32(00000000,?), ref: 009CF15F

Part of subcall function 00957F41: _memmove.LIBCMT ref: 00957F82

Process32NextW.KERNEL32(00000000,?), ref: 009CF21F
CloseHandle.KERNEL32(00000000,?,?,?), ref: 009CF22E

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: 1a35646e50b5f72a5015281282607a029d5ad9afb8d95905bc8971d3f049c2f5
Instruction ID: 287bdd8e230a7bf701862fbe32b5f095b26caefb00cda7127276a9ac007fc5fd
Opcode Fuzzy Hash: 1a35646e50b5f72a5015281282607a029d5ad9afb8d95905bc8971d3f049c2f5
Instruction Fuzzy Hash: C6515071508311AFD310EF25DC96F6BB7E8EF94750F14482DF89697291DB70AA08CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0097493A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 009749D0
__flush.LIBCMT ref: 009749F0
__write.LIBCMT ref: 00974A23
__flsbuf.LIBCMT ref: 00974A51

Part of subcall function 00978D68: __getptd_noexit.LIBCMT ref: 00978D68

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 77f2016c9fe07f3f4c6b5a71a57f6989e74bda5ebcf982639f8c246fb637a88d
Instruction ID: 995d34d3649f9a9bbfb1ed8e680c53fbbd8f5cf8c75e372bae0033c404dd24f2
Opcode Fuzzy Hash: 77f2016c9fe07f3f4c6b5a71a57f6989e74bda5ebcf982639f8c246fb637a88d
Instruction Fuzzy Hash: 0741A2736406069BDF2C8EA9C8809AF77AEEF80760B24C57DE95D87682E774DD408B44

Uniqueness

Uniqueness Score: -1.00%

Function 009C672D Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

6F9B1E90.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,009DF910), ref: 009C67BA
_strlen.LIBCMT ref: 009C67EC

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: 08d0fc6ff2b4069c81b1748fa8e6be82bcddb69ceb4655e777131d2212647b20
Instruction ID: ab9fff9470861aa4cc65c264683df332aaeeb4dad010d8df9dd654bca879d59e
Opcode Fuzzy Hash: 08d0fc6ff2b4069c81b1748fa8e6be82bcddb69ceb4655e777131d2212647b20
Instruction Fuzzy Hash: 67419531E00104AFDB14EB65DCD5FAEB7A9AF88314F148169F91A97292DB30AD44C751

Uniqueness

Uniqueness Score: -1.00%

Function 009B1121 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,762D73F0,?,00008000), ref: 009B1176
SetKeyboardState.USER32(00000080,?,00008000), ref: 009B1192
PostMessageW.USER32(00000000,00000101,00000000), ref: 009B11F1
SendInput.USER32(00000001,?,0000001C,762D73F0,?,00008000), ref: 009B1243

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: baa9442ddc873e5fb901589c5230931e9a089e99ca055867522e903c00043a1a
Instruction ID: 1a8792bb86e356a111098abc848a022e83017737657a04aebf39ac7b39853fb6
Opcode Fuzzy Hash: baa9442ddc873e5fb901589c5230931e9a089e99ca055867522e903c00043a1a
Instruction Fuzzy Hash: 5431483094820C5EEF248A698D357FA7BAEAB89330F84435BF691921D5C33889959751

Uniqueness

Uniqueness Score: -1.00%

Function 00986415 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0098644B
__isleadbyte_l.LIBCMT ref: 00986479
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 009864A7
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 009864DD

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 4820c69ec08ff5bd05ade06cdd27a0b7dd362df8500e187ac8223a1198920504
Instruction ID: b31cd595b620fe6722592c52aaef26ddf70afbcf3cd075e6ff981961dfa9532c
Opcode Fuzzy Hash: 4820c69ec08ff5bd05ade06cdd27a0b7dd362df8500e187ac8223a1198920504
Instruction Fuzzy Hash: 0731EF31600246EFDB21AF74CC45BAF7BA9FF40320F158429F8558B2A0EB35D890DB90

Uniqueness

Uniqueness Score: -1.00%

Function 009D5175 Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 009D5189

Part of subcall function 009B387D: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 009B3897
Part of subcall function 009B387D: GetCurrentThreadId.KERNEL32 ref: 009B389E
Part of subcall function 009B387D: AttachThreadInput.USER32(00000000,?,009B52A7), ref: 009B38A5

GetCaretPos.USER32(?), ref: 009D519A
ClientToScreen.USER32(00000000,?), ref: 009D51D5
GetForegroundWindow.USER32 ref: 009D51DB

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 0991d3e91b657a1a12b65996359fb6db4db0d05d52a9397868c90c7b357e45eb
Instruction ID: 33607984db15a1be9c09c9120db36561da7849d73fc9c471fadc5e45ff573c76
Opcode Fuzzy Hash: 0991d3e91b657a1a12b65996359fb6db4db0d05d52a9397868c90c7b357e45eb
Instruction Fuzzy Hash: BD310F71900108AFDB00EFB5C945AEFB7F9EF98300F11846AE816E7251DA759E45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 009AE1AF Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 009AF5AD: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,009AE1C4,?,?,?,009AEFB7,00000000,000000EF,00000119,?,?), ref: 009AF5BC
Part of subcall function 009AF5AD: lstrcpyW.KERNEL32 ref: 009AF5E2
Part of subcall function 009AF5AD: lstrcmpiW.KERNEL32(00000000,?,009AE1C4,?,?,?,009AEFB7,00000000,000000EF,00000119,?,?), ref: 009AF613

lstrlenW.KERNEL32(?,00000002,?,?,?,?,009AEFB7,00000000,000000EF,00000119,?,?,00000000), ref: 009AE1DD
lstrcpyW.KERNEL32 ref: 009AE203
lstrcmpiW.KERNEL32(00000002,cdecl,?,009AEFB7,00000000,000000EF,00000119,?,?,00000000), ref: 009AE237

Strings

cdecl, xrefs: 009AE22E

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 311f96dcc31c71c8ba58c4a66ea8e8a24cedf3494a53bbd9f6250925bd84aaa5
Instruction ID: a664fe9958379005d77a30eb7f21e8c263c785d32f020a53273052709376c5d9
Opcode Fuzzy Hash: 311f96dcc31c71c8ba58c4a66ea8e8a24cedf3494a53bbd9f6250925bd84aaa5
Instruction Fuzzy Hash: FD119036214345EFCB25AF64DC49E7A77ACFF86350B40802AF816CB2A0EB719951D7E0

Uniqueness

Uniqueness Score: -1.00%

Function 00985332 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00985351

Part of subcall function 0097594C: __FF_MSGBANNER.LIBCMT ref: 00975963
Part of subcall function 0097594C: __NMSG_WRITE.LIBCMT ref: 0097596A
Part of subcall function 0097594C: RtlAllocateHeap.NTDLL(01540000,00000000,00000001,00000000,?,?,?,00971013,?), ref: 0097598F

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: dff7a1a1f6bd7d409116769e064f113a9b3c151fa2e24478cc20870dea80d5dc
Instruction ID: 0f4f75aef7ff0310036d1d1a0046981c89310f5e64d7e8a0e63511b96be01d79
Opcode Fuzzy Hash: dff7a1a1f6bd7d409116769e064f113a9b3c151fa2e24478cc20870dea80d5dc
Instruction Fuzzy Hash: 78112333544A05EFCB313F70EC05B5E3B989F503E0B12842BF9099A290DEB58D44A390

Uniqueness

Uniqueness Score: -1.00%

Function 009C667C Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00955B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,009B7B20,?,?,00000000), ref: 00955B8C
Part of subcall function 00955B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,009B7B20,?,?,00000000,?,?), ref: 00955BB0

gethostbyname.WSOCK32(?,?,?), ref: 009C66AC
WSAGetLastError.WSOCK32(00000000), ref: 009C66B7
_memmove.LIBCMT ref: 009C66E4
inet_ntoa.WSOCK32(?), ref: 009C66EF

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: 9461ba5f6e37ff9dc013e6c94568f0846cf9fd6137a7ba67d3b528f2ff43438e
Instruction ID: 1743058bfda6f8d2e9cd0faab4ec268f9e7bc75a87ad083bc2ca09611a2d69bd
Opcode Fuzzy Hash: 9461ba5f6e37ff9dc013e6c94568f0846cf9fd6137a7ba67d3b528f2ff43438e
Instruction Fuzzy Hash: 86116335900508AFCB00EBA5DD96EEE77B8AF84311B144069F907A7162DF30AF44DB52

Uniqueness

Uniqueness Score: -1.00%

Function 009A9023 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 009A9043
SendMessageW.USER32(?,000000C9,?,00000000), ref: 009A9055
SendMessageW.USER32(?,000000C9,?,00000000), ref: 009A906B
SendMessageW.USER32(?,000000C9,?,00000000), ref: 009A9086

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 058300847e44bfcf4a20aaf36e6e2703d27c10fdae9e4f219dcf53f57040e352
Instruction ID: e3ed5963e9d2b1999d830acdf0e51a0791c6a18df5f749bd4f32b67329da651a
Opcode Fuzzy Hash: 058300847e44bfcf4a20aaf36e6e2703d27c10fdae9e4f219dcf53f57040e352
Instruction Fuzzy Hash: 2A114C79901228FFDB10DFA5C885E9DBB78FB48350F204095E904B7290D6716E50DBD0

Uniqueness

Uniqueness Score: -1.00%

Function 009B1652 Relevance: 6.1, APIs: 4, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,009B01FD,?,009B1250,?,00008000), ref: 009B166F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,009B01FD,?,009B1250,?,00008000), ref: 009B1694
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,009B01FD,?,009B1250,?,00008000), ref: 009B169E
Sleep.KERNEL32(?,?,?,?,?,?,?,009B01FD,?,009B1250,?,00008000), ref: 009B16D1

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 6ac44d9c6c1cfc4d61d5f131581a280118a43b44278091e51bef02b6c60b1047
Instruction ID: a4f99aa060b4e10125eb3d370ed225a03d503f0def7086443d6281fbf53c1a36
Opcode Fuzzy Hash: 6ac44d9c6c1cfc4d61d5f131581a280118a43b44278091e51bef02b6c60b1047
Instruction Fuzzy Hash: 6B118E31C1551DEBCF009FA5DA69BEEBB78FF09761F444056E941B2240CB3055A0DB96

Uniqueness

Uniqueness Score: -1.00%

Function 00987207 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 0098722B

Part of subcall function 00987912: __fltout2.LIBCMT ref: 0098793B

__cftog_l.LIBCMT ref: 00987251
__cftoe_l.LIBCMT ref: 00987283

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 0cc38f4564135a4700f652b9ba859121795f65db29981bc7b00d9209e7b0df66
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: D2014C3604814ABBCF526EC4CC418EE7F66BF69351B688615FA2858231D337C9B1AB81

Uniqueness

Uniqueness Score: -1.00%

Function 009DB57F Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32 ref: 009DB59E
ScreenToClient.USER32 ref: 009DB5B6
ScreenToClient.USER32 ref: 009DB5DA
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 009DB5F5

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 1321a70a70e644fa9068d276aa7e010226d0e1dc63aa7ccf1142e9dc38aa9cbe
Instruction ID: 3934c7c5b0d430887e640dc2d7b1e84a08cda100cca35a472d6efd8d42b94059
Opcode Fuzzy Hash: 1321a70a70e644fa9068d276aa7e010226d0e1dc63aa7ccf1142e9dc38aa9cbe
Instruction Fuzzy Hash: 3F1163B9D0420DEFDB01CFA9D8859EEFBB9FB08310F508166E915E3620D731AA519F90

Uniqueness

Uniqueness Score: -1.00%

Function 009DB8EF Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 009DB8FE
_memset.LIBCMT ref: 009DB90D
CreateProcessW.KERNEL32 ref: 009DB93C
CloseHandle.KERNEL32 ref: 009DB94E

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: cd6873c7cc0af09cfa30b04d326fb5b85fb24d11154d97db45e9336a0efb53d8
Instruction ID: fd510701d48ef93a936808234c1e4a48141a08356dc024fb6effe0e6e38f9bb8
Opcode Fuzzy Hash: cd6873c7cc0af09cfa30b04d326fb5b85fb24d11154d97db45e9336a0efb53d8
Instruction Fuzzy Hash: D5F089B26443107BF21067A5AC06FFF7BADEB08754F00D021BB09D5291D7714D02D7A9

Uniqueness

Uniqueness Score: -1.00%

Function 009DC00C Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 009512F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0095134D
Part of subcall function 009512F3: SelectObject.GDI32(?,00000000), ref: 0095135C
Part of subcall function 009512F3: BeginPath.GDI32(?), ref: 00951373
Part of subcall function 009512F3: SelectObject.GDI32(?,00000000), ref: 0095139C

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 009DC030
LineTo.GDI32(00000000,?,?), ref: 009DC03D
EndPath.GDI32(00000000), ref: 009DC04D
StrokePath.GDI32(00000000), ref: 009DC05B

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: e7212affeb07037d3b6c8706ed04a4cfc4c6d51f2589ea8e325c8c918a30d649
Instruction ID: ce3b7e3891e36d70e81e1ffaca9b8ab5e09e3b588a319804efc873667ad9e824
Opcode Fuzzy Hash: e7212affeb07037d3b6c8706ed04a4cfc4c6d51f2589ea8e325c8c918a30d649
Instruction Fuzzy Hash: 50F0E23208A21AFBDB126F90EC0AFCE3F58AF05311F048002FA12620E2C7751691DFD5

Uniqueness

Uniqueness Score: -1.00%

Function 009AA37C Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32 ref: 009AA399
GetWindowThreadProcessId.USER32(?,00000000), ref: 009AA3AC
GetCurrentThreadId.KERNEL32 ref: 009AA3B3
AttachThreadInput.USER32(00000000), ref: 009AA3BA

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 2d83d3f5b5d888b835a387551472c598accc8ce02caab52065015859c3739ded
Instruction ID: 09fb13af17da4d850abaa8564d6cbb4c4cb0796d9255b18f76f81733a4305620
Opcode Fuzzy Hash: 2d83d3f5b5d888b835a387551472c598accc8ce02caab52065015859c3739ded
Instruction Fuzzy Hash: 5AE0C03158A228BBDB205F61DC0DEE77F5CEF167A1F444025F50995460CB76C580D7E1

Uniqueness

Uniqueness Score: -1.00%

Function 00952218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00952231
SetTextColor.GDI32(?,000000FF), ref: 0095223B
SetBkMode.GDI32(?,00000001), ref: 00952250
GetStockObject.GDI32(00000005), ref: 00952258
GetWindowDC.USER32(?,00000000), ref: 0098C0D3
GetPixel.GDI32(00000000,00000000,00000000), ref: 0098C0E0
GetPixel.GDI32(00000000,?,00000000), ref: 0098C0F9
GetPixel.GDI32(00000000,00000000,?), ref: 0098C112
GetPixel.GDI32(00000000,?,?), ref: 0098C132
ReleaseDC.USER32 ref: 0098C13D

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 10cfdf466a02614ba2a70add79fe72cabe0f146ffed715d57355c2fd141e617e
Instruction ID: 00f197984ddff516b8db93578641617eba37787b64af680ac9ac79f56853ce65
Opcode Fuzzy Hash: 10cfdf466a02614ba2a70add79fe72cabe0f146ffed715d57355c2fd141e617e
Instruction Fuzzy Hash: CDE06D32158244EADF215FA4FC0E7E83B14EB05336F048367FA7A480E1877149C4EB21

Uniqueness

Uniqueness Score: -1.00%

Function 00992187 Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00992187
GetDC.USER32(00000000), ref: 00992191
GetDeviceCaps.GDI32(00000000,0000000C), ref: 009921B1
ReleaseDC.USER32 ref: 009921D2

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: c4c6b1f679b7f6ddbe0caa4395fed34225b418d254c341902187217bdbeb7ac2
Instruction ID: 49ec693aba8a622a6054f78d0260884c7933966badf557d0f6385e8c1bbb5d1a
Opcode Fuzzy Hash: c4c6b1f679b7f6ddbe0caa4395fed34225b418d254c341902187217bdbeb7ac2
Instruction Fuzzy Hash: 7BE01AB5859208EFDF019F61C819A9D7BF1EB4C351F108426FD5B97620CB388281AF40

Uniqueness

Uniqueness Score: -1.00%

Function 0099219B Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0099219B
GetDC.USER32(00000000), ref: 009921A5
GetDeviceCaps.GDI32(00000000,0000000C), ref: 009921B1
ReleaseDC.USER32 ref: 009921D2

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 9012867420ab30b55428986f51f773bc1753227026a5912066232c1a8a388cdf
Instruction ID: f2d00dad79f29988cd23fb2392f749f409a2e21b39121ee8ee7a33a271ba37d6
Opcode Fuzzy Hash: 9012867420ab30b55428986f51f773bc1753227026a5912066232c1a8a388cdf
Instruction Fuzzy Hash: 24E01AB5855208EFCF019F71C81969D7BF1EB4C311F108426FD5B97620CB389281AF40

Uniqueness

Uniqueness Score: -1.00%

Function 009AB7B6 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 009AB981

Strings

Container, xrefs: 009AB8FE
AutoIt3GUI, xrefs: 009AB8F9

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container
API String ID: 3565006973-3941886329
Opcode ID: 0e4dd1869d410274f432acab6a343993499dd23062f489e8b8cba29a361e625e
Instruction ID: 5610256ab36d088d7f736724eccdc2d973d9ae73ea01ed85bd4b2db10ea73923
Opcode Fuzzy Hash: 0e4dd1869d410274f432acab6a343993499dd23062f489e8b8cba29a361e625e
Instruction Fuzzy Hash: 16914C716006019FDB64DF68C894B6ABBF9FF49710F14856DF94ACB6A2DB70E840CB90

Uniqueness

Uniqueness Score: -1.00%

Function 009BB217 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 0096FEC6: _wcscpy.LIBCMT ref: 0096FEE9

Part of subcall function 00959997: __itow.LIBCMT ref: 009599C2
Part of subcall function 00959997: __swprintf.LIBCMT ref: 00959A0C

__wcsnicmp.LIBCMT ref: 009BB298
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 009BB361

Strings

LPT, xrefs: 009BB292

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: 2107c20e73de1f5f3860edf844b6e6ad65b5ba2a94a8daac5da781d2860df48e
Instruction ID: fa9e471fda63c6ac9f621fdea72c1926e21b3d215b671061daeb4d9fdb30fc48
Opcode Fuzzy Hash: 2107c20e73de1f5f3860edf844b6e6ad65b5ba2a94a8daac5da781d2860df48e
Instruction Fuzzy Hash: E561B375A00219EFCB14DF58C991EEEB7F8AF48310F044459F806AB391DBB0AE44CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00962AB7 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00962AC8
GlobalMemoryStatusEx.KERNEL32(?), ref: 00962AE1

Strings

@, xrefs: 00962AD5

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: e3d52381df3a29d84bd40710342b77daf7bf8e8237d025e3d1985ad1a145cf3e
Instruction ID: 012315e5a79df8073d2460da3bb3da92d62eb2c0a6317c5a80dcbe2d5d88b71d
Opcode Fuzzy Hash: e3d52381df3a29d84bd40710342b77daf7bf8e8237d025e3d1985ad1a145cf3e
Instruction Fuzzy Hash: F85134724287449BE320EF61D886BAFBBE8FBC4311F42885DF5D9411A1DB308569CB26

Uniqueness

Uniqueness Score: -1.00%

Function 009B99BE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 0095506B: __fread_nolock.LIBCMT ref: 00955089

_wcscmp.LIBCMT ref: 009B9AAE
_wcscmp.LIBCMT ref: 009B9AC1

Strings

FILE, xrefs: 009B99FA

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: 5ca26df20f5baf9be386c96a6051461c9baef47cf82cca2daecc518fa74d649b
Instruction ID: 11c5d8202df16b9aafd7c4573c109e7404cb937fe76326bc2bff7a1750cf427d
Opcode Fuzzy Hash: 5ca26df20f5baf9be386c96a6051461c9baef47cf82cca2daecc518fa74d649b
Instruction Fuzzy Hash: AA411471A00619BBDF20ABA5DC45FEFBBBDEF85710F014469BA04A71C1CA75AE0487A1

Uniqueness

Uniqueness Score: -1.00%

Function 009C2882 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 009C2892
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 009C28C8

Strings

|, xrefs: 009C2899

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: e84b1629c92b0448c708b6c499d879f3ea17e6a3f5f584093309be82fd33422f
Instruction ID: 0a3a47a44d6c4b6fe8f34a14839bfbb5a8bdd3c2f20736c1d162abe696b2e5e8
Opcode Fuzzy Hash: e84b1629c92b0448c708b6c499d879f3ea17e6a3f5f584093309be82fd33422f
Instruction Fuzzy Hash: 82310771C00119AFCF01EFA1DC85EEEBFB9FF48310F104069F915A6166EA315A5ADBA1

Uniqueness

Uniqueness Score: -1.00%

Function 009D6943 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 009D69D0
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 009D69DB

Strings

Combobox, xrefs: 009D699D

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 6e8455898c6b4abcd3dd8a27e17012e4b0a6dd641d1dadb1a2edf15ad3f45b97
Instruction ID: 2648358d8ab0dd819b1835f803caed0792a91f5ab4681ef593a049b99417cb9b
Opcode Fuzzy Hash: 6e8455898c6b4abcd3dd8a27e17012e4b0a6dd641d1dadb1a2edf15ad3f45b97
Instruction Fuzzy Hash: 8B11B2716402086FEF119E18CCA0FAB376EEB983A4F118126F958A73D0D6719C5187A0

Uniqueness

Uniqueness Score: -1.00%

Function 009C24CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 009C2520
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 009C2549

Strings

<local>, xrefs: 009C2511

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 17e3b7cb9312cc915f4651868a166b2bbc1f375ac0247dca957f541a06af5d28
Instruction ID: a6276219d81f002f028008d91a9ef4086b210971d6ad9f0047fbaa64b3a7bd78
Opcode Fuzzy Hash: 17e3b7cb9312cc915f4651868a166b2bbc1f375ac0247dca957f541a06af5d28
Instruction Fuzzy Hash: 2211ECB0A01265BADB288F618C99FFBFFACFB06351F10812EF90546040D2706980DAF2

Uniqueness

Uniqueness Score: -1.00%

Function 009C80A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55networkCOMMON

Download Yara Rule

APIs

Part of subcall function 009C830B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,009C80C8,?,00000000,?,?), ref: 009C8322

inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 009C80CB
htons.WSOCK32(00000000,?,00000000), ref: 009C8108

Strings

255.255.255.255, xrefs: 009C80E3

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: ByteCharMultiWidehtonsinet_addr
String ID: 255.255.255.255
API String ID: 2496851823-2422070025
Opcode ID: f30a5f64e08cf331d8ff14ad58a29a998a36f40a5c1cd8e83a7e1a08b6342d41
Instruction ID: 9001b279080c624e4d3c65dffee972724dd8419d9d4260b54f615c3d72de4e33
Opcode Fuzzy Hash: f30a5f64e08cf331d8ff14ad58a29a998a36f40a5c1cd8e83a7e1a08b6342d41
Instruction Fuzzy Hash: 5411E534A04205ABCB10EF64CC56FFEB364FF45310F14852BE91197292DB31A805C792

Uniqueness

Uniqueness Score: -1.00%

Function 009A92E7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00957F41: _memmove.LIBCMT ref: 00957F82

Part of subcall function 009AB0C4: GetClassNameW.USER32 ref: 009AB0E7

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 009A9355

Strings

ComboBox, xrefs: 009A92F4
ListBox, xrefs: 009A931F

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: e3b2459000128ee5044738cbd76d0a1a856486beb923dd26d5e49981263213dc
Instruction ID: ed8e8672385d0a6b904c7716f9b577c1a5c29241d891e14c16620f5803058d70
Opcode Fuzzy Hash: e3b2459000128ee5044738cbd76d0a1a856486beb923dd26d5e49981263213dc
Instruction Fuzzy Hash: 40019271A45218ABCF04EBA5DC919FE7769BF47320B140A19B932572D2DF31590C9790

Uniqueness

Uniqueness Score: -1.00%

Function 009B901B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 009B9036
__fread_nolock.LIBCMT ref: 009B904B

Strings

EA06, xrefs: 009B907D

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: a457998f44ad6b31e5ab42a365a52e852fe63a6f8480be712281e19cdd3f483d
Instruction ID: 77e63b77d7b264da2d74c3a406aa6319002639bf0c4f8f19bc45e76c274bd085
Opcode Fuzzy Hash: a457998f44ad6b31e5ab42a365a52e852fe63a6f8480be712281e19cdd3f483d
Instruction Fuzzy Hash: 4501F972804218BFDB28CAA8C856FFE7BFC9B11311F00859EF556D2181E5B5A6048760

Uniqueness

Uniqueness Score: -1.00%

Function 009A91DF Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00957F41: _memmove.LIBCMT ref: 00957F82

Part of subcall function 009AB0C4: GetClassNameW.USER32 ref: 009AB0E7

SendMessageW.USER32(?,00000180,00000000,?), ref: 009A924D

Strings

ComboBox, xrefs: 009A91EC
ListBox, xrefs: 009A9217

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 36c2b32a6b137daad652117aa1ad1e6faca0727774136b1f4bbd892d80fcc005
Instruction ID: 56932c6d23d454fad6ee697425c69204fb37a90f38086abc45587478ecd6e10e
Opcode Fuzzy Hash: 36c2b32a6b137daad652117aa1ad1e6faca0727774136b1f4bbd892d80fcc005
Instruction Fuzzy Hash: A2018471A411087BCB14EBA1D992FFFB3ACAF86300F140019BD12672D2EA156F0C96A1

Uniqueness

Uniqueness Score: -1.00%

Function 009A9264 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00957F41: _memmove.LIBCMT ref: 00957F82

Part of subcall function 009AB0C4: GetClassNameW.USER32 ref: 009AB0E7

SendMessageW.USER32(?,00000182,?,00000000), ref: 009A92D0

Strings

ComboBox, xrefs: 009A9271
ListBox, xrefs: 009A929C

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: c26677c898fc070739d3c79e2d10601b995cb7f463c5adc8b8bd8a0cc0bbd84b
Instruction ID: c9ae004e3acddefad28fa024fe88550401b5bc39545710c8718b109e887ffabd
Opcode Fuzzy Hash: c26677c898fc070739d3c79e2d10601b995cb7f463c5adc8b8bd8a0cc0bbd84b
Instruction Fuzzy Hash: 5D01A271A411187BCB04EAA5D992FFFB7ACAF52301F240515BC12632C2DA255F0C92B1

Uniqueness

Uniqueness Score: -1.00%

Function 009B53C5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 009B48AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,009B38D3,?), ref: 009B48C7

Part of subcall function 009B4CD3: GetFileAttributesW.KERNELBASE(?,009B3947), ref: 009B4CD4

RemoveDirectoryW.KERNEL32(?,00000000,?,009B5113,?,?,?), ref: 009B5403
SHFileOperationW.SHELL32(?,00000000,?,009B5113,?,?,?), ref: 009B544E

Strings

m, xrefs: 009B5403

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: File$AttributesDirectoryFullNameOperationPathRemove
String ID: m
API String ID: 934956312-3775001192
Opcode ID: ad19d1ad692f30b10f2fa8f8fcd40192b8ec821cd9af7ba255d7e7190feadd9e
Instruction ID: 3e0409e3985d9ab47b59c715e51d1d776dd7225a9bd0fc8e51bdc82e24a3d8f1
Opcode Fuzzy Hash: ad19d1ad692f30b10f2fa8f8fcd40192b8ec821cd9af7ba255d7e7190feadd9e
Instruction Fuzzy Hash: B5013971D042098BCF01DFA4D945BEEB7B9AF08311F1404AAE449E3262EA7886848B50

Uniqueness

Uniqueness Score: -1.00%

Function 009B51CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32 ref: 009B51E8
_wcscmp.LIBCMT ref: 009B51FA

Strings

#32770, xrefs: 009B51F4

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: b0b35db5b2aa22ada9b80ff8a4aa31243ca0c5bf837275b230d972460e3f7b76
Instruction ID: 37e34c01e7396f9f60646f0c345091fefffe6a496e85ac855de5be7393c56b5b
Opcode Fuzzy Hash: b0b35db5b2aa22ada9b80ff8a4aa31243ca0c5bf837275b230d972460e3f7b76
Instruction Fuzzy Hash: CEE02B3290532C27E3109695AC05BD7F7ACEB44731F000167FD14D3050D570994587D0

Uniqueness

Uniqueness Score: -1.00%

Function 009A81BC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 009A81CA

Part of subcall function 00973598: _doexit.LIBCMT ref: 009735A2

Strings

Error allocating memory., xrefs: 009A81C3
AutoIt, xrefs: 009A81BE

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: 21e6a881cbb768bf282a86799f0a5cbc066ac3c6366c8652d96497b211a98927
Instruction ID: 6bbfeab282b23b72c2a5468ecadadc79141ad33ade524b9efa8a8cd5602c9d94
Opcode Fuzzy Hash: 21e6a881cbb768bf282a86799f0a5cbc066ac3c6366c8652d96497b211a98927
Instruction Fuzzy Hash: 06D017322D935832D25532A96C0BBCA6A884B45B56F508426BB0C955D38AE299C252E9

Uniqueness

Uniqueness Score: -1.00%

Function 0098B511 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0098B564: _memset.LIBCMT ref: 0098B571

Part of subcall function 00970B84: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,0098B540,?,?,?,0095100A), ref: 00970B89

IsDebuggerPresent.KERNEL32(?,?,?,0095100A), ref: 0098B544
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0095100A), ref: 0098B553

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0098B54E

Memory Dump Source

Source File: 00000002.00000002.357588171.0000000000951000.00000080.00000001.01000000.00000007.sdmp, Offset: 00950000, based on PE: true

Associated: 00000002.00000002.357582782.0000000000950000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357664006.00000000009DF000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357678924.00000000009E0000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357724033.0000000000A05000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357787235.0000000000A0F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357801303.0000000000A55000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357809967.0000000000A5C000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357819653.0000000000A6B000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357847679.0000000000A91000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000002.00000002.357854734.0000000000A94000.00000008.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_950000_at.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: c72116ff152fc31db2c9f1053f0bd3c41a6aa3835004c1fd1fdbef74cca32c96
Instruction ID: 43dd6676035ea4e0832e56e78c07d90f402cd03cd4533a4901ae1e41898f1709
Opcode Fuzzy Hash: c72116ff152fc31db2c9f1053f0bd3c41a6aa3835004c1fd1fdbef74cca32c96
Instruction Fuzzy Hash: 9BE06D706003158FD720EF68D8053427BE4AB40744F08892DF946C37A0E7B4D448CBA1

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	AWS CloudTrail logs, Authentication logs, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to collect elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Application logs, Process monitoring, Windows Error Reporting
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report POv5Nk1dlu.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Sigma Signatures

Data Obfuscation

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runas.url

C:\Users\user\RDVGHelper\at.exe

C:\Users\user\RDVGHelper\runas.vbs

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Windows Analysis Report
POv5Nk1dlu.exe

Function 00F53633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
timewindowregistryCOMMON

Function 00F5E060 Relevance: 3.5, APIs: 2, Instructions: 539
COMMON

Function 00F60B30 Relevance: 57.3, APIs: 27, Strings: 5, Instructions: 1300
windowsleeptimeCOMMON

Function 00F53041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
registrywindowclipboardCOMMON

Function 00F59997 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146
COMMON

Function 00F5410D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Function 00F535B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59
registryCOMMON

Function 00F70FF6 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 44
COMMON

Function 00F54531 Relevance: 6.1, APIs: 4, Instructions: 66
timewindowCOMMON

Function 00F543DB Relevance: 4.6, APIs: 3, Instructions: 77
windowCOMMON

Function 00F732F5 Relevance: 4.5, APIs: 3, Instructions: 15
COMMONLIBRARYCODE

Function 00F57BB1 Relevance: 3.1, APIs: 2, Instructions: 97
COMMON

Function 00F544CB Relevance: 3.0, APIs: 2, Instructions: 25
windowCOMMON

Function 00F732DF Relevance: 3.0, APIs: 2, Instructions: 7
COMMONLIBRARYCODE

Function 00F5F3F0 Relevance: 1.7, APIs: 1, Instructions: 185
COMMON

Function 00FDCDAC Relevance: 74.1, APIs: 40, Strings: 2, Instructions: 637
windowkeyboardnativeCOMMON

Function 00FD804A Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 571
windowCOMMONCrypto

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre