Edit tour

Windows Analysis Report
43643456.exe

Overview

General Information

Sample name:	43643456.exe renamed because original name is a hash value
Original sample name:	Aviso de cuenta vencida de DHL - ##1606622076_86576432567897664542354656767896756442356789000876543643456.exe
Analysis ID:	1436297
MD5:	d8435d6f34662bcfc8d667a437daf5bc
SHA1:	116c1cfb5b75edb97aba0d15d5aa2b5c1ea2f3f1
SHA256:	17ae4c9d2754b1dd9b4619f6a24b25b86345bc04b314431aa54e95ce29787d73
Tags:	AgentTeslaexe
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Yara detected AntiVM3

Binary is likely a compiled AutoIt script file

Check if machine is in data center or colocation facility

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionality to log keystrokes (.Net Source)

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Maps a DLL or memory area into another process

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected Generic Downloader

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

May check the online IP address of the machine

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

43643456.exe (PID: 5512 cmdline: "C:\Users\user\Desktop\43643456.exe" MD5: D8435D6F34662BCFC8D667A437DAF5BC)

RegSvcs.exe (PID: 3064 cmdline: "C:\Users\user\Desktop\43643456.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://asec.ahnlab.com/ko/29133/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "FTP", "Host": "ftp://ftp.fosna.net", "Username": "madamweb@fosna.net", "Password": "=A+N^@~c]~#I"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.2336000397.0000000000D20000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.2336000397.0000000000D20000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000001.00000002.2336000397.0000000000D20000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.2336000397.0000000000D20000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x34429:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3449b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x34525:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x345b7:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x34621:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x34693:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x34729:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x347b9:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
00000001.00000002.2336000397.0000000000D20000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x31623:$s2: GetPrivateProfileString 0x30cdb:$s3: get_OSFullName 0x3234c:$s5: remove_Key 0x324e3:$s5: remove_Key 0x3347a:$s6: FtpWebRequest 0x3440b:$s7: logins 0x3497d:$s7: logins 0x376f6:$s7: logins 0x37740:$s7: logins 0x39095:$s7: logins 0x382da:$s9: 1.85 (Hash, version 2, native byte-order)
00000002.00000002.3580843458.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.3580843458.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.3581765309.0000000002D75000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 43643456.exe PID: 5512	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 43643456.exe PID: 5512	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: 43643456.exe PID: 5512	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegSvcs.exe PID: 3064	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 3064	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 8 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x34429:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3449b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x34525:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x345b7:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x34621:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x34693:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x34729:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x347b9:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
2.2.RegSvcs.exe.400000.0.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x31623:$s2: GetPrivateProfileString 0x30cdb:$s3: get_OSFullName 0x3234c:$s5: remove_Key 0x324e3:$s5: remove_Key 0x3347a:$s6: FtpWebRequest 0x3440b:$s7: logins 0x3497d:$s7: logins 0x376f6:$s7: logins 0x37740:$s7: logins 0x39095:$s7: logins 0x382da:$s9: 1.85 (Hash, version 2, native byte-order)
1.2.43643456.exe.d20000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.43643456.exe.d20000.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.43643456.exe.d20000.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x32629:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3269b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x32725:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x327b7:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x32821:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x32893:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x32929:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x329b9:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
1.2.43643456.exe.d20000.1.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x2f823:$s2: GetPrivateProfileString 0x2eedb:$s3: get_OSFullName 0x3054c:$s5: remove_Key 0x306e3:$s5: remove_Key 0x3167a:$s6: FtpWebRequest 0x3260b:$s7: logins 0x32b7d:$s7: logins 0x358f6:$s7: logins 0x35940:$s7: logins 0x37295:$s7: logins 0x364da:$s9: 1.85 (Hash, version 2, native byte-order)
1.2.43643456.exe.d20000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.43643456.exe.d20000.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
1.2.43643456.exe.d20000.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.43643456.exe.d20000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x34429:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3449b:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x34525:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x345b7:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x34621:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x34693:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x34729:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x347b9:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
1.2.43643456.exe.d20000.1.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x31623:$s2: GetPrivateProfileString 0x30cdb:$s3: get_OSFullName 0x3234c:$s5: remove_Key 0x324e3:$s5: remove_Key 0x3347a:$s6: FtpWebRequest 0x3440b:$s7: logins 0x3497d:$s7: logins 0x376f6:$s7: logins 0x37740:$s7: logins 0x39095:$s7: logins 0x382da:$s9: 1.85 (Hash, version 2, native byte-order)
Click to see the 9 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 2.2.RegSvcs.exe.400000.0.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.fosna.net", "Username": "madamweb@fosna.net", "Password": "=A+N^@~c]~#I"}

Multi AV Scanner detection for submitted file

Source: 43643456.exe	Virustotal: Detection: 23%			Perma Link
Source: 43643456.exe	ReversingLabs: Detection: 44%

Machine Learning detection for sample

Source: 43643456.exe

Joe Sandbox ML: detected

Source: 43643456.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: wntdll.pdbUGP source: 43643456.exe, 00000001.00000003.2314158894.00000000035F0000.00000004.00001000.00020000.00000000.sdmp, 43643456.exe, 00000001.00000003.2312037971.0000000003740000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: 43643456.exe, 00000001.00000003.2314158894.00000000035F0000.00000004.00001000.00020000.00000000.sdmp, 43643456.exe, 00000001.00000003.2312037971.0000000003740000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\43643456.exe	Code function: 1_2_003DDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	1_2_003DDBBE
Source: C:\Users\user\Desktop\43643456.exe	Code function: 1_2_003AC2A2 FindFirstFileExW,	1_2_003AC2A2
Source: C:\Users\user\Desktop\43643456.exe	Code function: 1_2_003E68EE FindFirstFileW,FindClose,	1_2_003E68EE
Source: C:\Users\user\Desktop\43643456.exe	Code function: 1_2_003E698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	1_2_003E698F
Source: C:\Users\user\Desktop\43643456.exe	Code function: 1_2_003DD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_003DD076
Source: C:\Users\user\Desktop\43643456.exe	Code function: 1_2_003DD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_003DD3A9
Source: C:\Users\user\Desktop\43643456.exe	Code function: 1_2_003E9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_003E9642
Source: C:\Users\user\Desktop\43643456.exe	Code function: 1_2_003E979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_003E979D
Source: C:\Users\user\Desktop\43643456.exe	Code function: 1_2_003E9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	1_2_003E9B2B
Source: C:\Users\user\Desktop\43643456.exe	Code function: 1_2_003E5C97 FindFirstFileW,FindNextFileW,FindClose,	1_2_003E5C97

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.43643456.exe.d20000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2336000397.0000000000D20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 208.95.112.1 208.95.112.1

Source: unknown

DNS query: name: ip-api.com

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\43643456.exe

Code function: 1_2_003ECE44 InternetReadFile,SetEvent,GetLastError,SetEvent,

1_2_003ECE44

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: ip-api.com

Source: RegSvcs.exe, 00000002.00000002.3581765309.0000000002E17000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3581765309.0000000002D41000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3581765309.0000000002DFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: 43643456.exe, 00000001.00000002.2336000397.0000000000D20000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3580843458.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3581765309.0000000002D41000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3581765309.0000000002DFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: RegSvcs.exe, 00000002.00000002.3581204980.0000000001101000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting$
Source: RegSvcs.exe, 00000002.00000002.3581204980.0000000001101000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting2
Source: RegSvcs.exe, 00000002.00000002.3581765309.0000000002D41000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3581765309.0000000002DFC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 43643456.exe, 00000001.00000002.2336000397.0000000000D20000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3580843458.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 1.2.43643456.exe.d20000.1.raw.unpack, cPKWk.cs

.Net Code: VG0StEU

Source: C:\Users\user\Desktop\43643456.exe

Code function: 1_2_003EEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

1_2_003EEAFF

Source: C:\Users\user\Desktop\43643456.exe

Code function: 1_2_003EED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

1_2_003EED6A

Source: C:\Users\user\Desktop\43643456.exe

1_2_003EEAFF

Source: C:\Users\user\Desktop\43643456.exe

Code function: 1_2_003DAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

1_2_003DAA57

Source: C:\Users\user\Desktop\43643456.exe

Code function: 1_2_00409576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

1_2_00409576

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 1.2.43643456.exe.d20000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.43643456.exe.d20000.1.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 1.2.43643456.exe.d20000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.43643456.exe.d20000.1.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 00000001.00000002.2336000397.0000000000D20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000001.00000002.2336000397.0000000000D20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen

Binary is likely a compiled AutoIt script file

Source: 43643456.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: 43643456.exe, 00000001.00000000.2302597233.0000000000432000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_ba571355-c
Source: 43643456.exe, 00000001.00000000.2302597233.0000000000432000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_15077cd2-1
Source: 43643456.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_8dd066c8-3
Source: 43643456.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_462cd6e5-9

Source: C:\Users\user\Desktop\43643456.exe

Code function: 1_2_003DD5EB: CreateFileW,DeviceIoControl,CloseHandle,

1_2_003DD5EB

Source: C:\Users\user\Desktop\43643456.exe

Code function: 1_2_003D1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

1_2_003D1201

Source: C:\Users\user\Desktop\43643456.exe

Code function: 1_2_003DE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

1_2_003DE8F6

Source: C:\Users\user\Desktop\43643456.exe	Code function: 1_2_0037BF40	1_2_0037BF40
Source: C:\Users\user\Desktop\43643456.exe	Code function: 1_2_00378060	1_2_00378060
Source: C:\Users\user\Desktop\43643456.exe	Code function: 1_2_003E2046	1_2_003E2046
Source: C:\Users\user\Desktop\43643456.exe	Code function: 1_2_003D8298	1_2_003D8298
Source: C:\Users\user\Desktop\43643456.exe	Code function: 1_2_003AE4FF	1_2_003AE4FF
Source: C:\Users\user\Desktop\43643456.exe	Code function: 1_2_003A676B	1_2_003A676B
Source: C:\Users\user\Desktop\43643456.exe	Code function: 1_2_00404873	1_2_00404873
Source: C:\Users\user\Desktop\43643456.exe	Code function: 1_2_0039CAA0	1_2_0039CAA0
Source: C:\Users\user\Desktop\43643456.exe	Code function: 1_2_0037CAF0	1_2_0037CAF0
Source: C:\Users\user\Desktop\43643456.exe	Code function: 1_2_0038CC39	1_2_0038CC39
Source: C:\Users\user\Desktop\43643456.exe	Code function: 1_2_003A6DD9	1_2_003A6DD9
Source: C:\Users\user\Desktop\43643456.exe	Code function: 1_2_0038B119	1_2_0038B119
Source: C:\Users\user\Desktop\43643456.exe	Code function: 1_2_003791C0	1_2_003791C0
Source: C:\Users\user\Desktop\43643456.exe	Code function: 1_2_00391394	1_2_00391394
Source: C:\Users\user\Desktop\43643456.exe	Code function: 1_2_0039781B	1_2_0039781B
Source: C:\Users\user\Desktop\43643456.exe	Code function: 1_2_00377920	1_2_00377920
Source: C:\Users\user\Desktop\43643456.exe	Code function: 1_2_0038997D	1_2_0038997D
Source: C:\Users\user\Desktop\43643456.exe	Code function: 1_2_00397A4A	1_2_00397A4A
Source: C:\Users\user\Desktop\43643456.exe	Code function: 1_2_00397CA7	1_2_00397CA7
Source: C:\Users\user\Desktop\43643456.exe	Code function: 1_2_003FBE44	1_2_003FBE44
Source: C:\Users\user\Desktop\43643456.exe	Code function: 1_2_003A9EEE	1_2_003A9EEE
Source: C:\Users\user\Desktop\43643456.exe	Code function: 1_2_00CE3640	1_2_00CE3640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_012A4A80	2_2_012A4A80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_012AD038	2_2_012AD038
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_012A3E68	2_2_012A3E68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_012A41B0	2_2_012A41B0

Source: C:\Users\user\Desktop\43643456.exe	Code function: String function: 0038F9F2 appears 40 times
Source: C:\Users\user\Desktop\43643456.exe	Code function: String function: 00390A30 appears 46 times
Source: C:\Users\user\Desktop\43643456.exe	Code function: String function: 00379CB3 appears 31 times

Source: 43643456.exe, 00000001.00000003.2314158894.0000000003713000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs 43643456.exe
Source: 43643456.exe, 00000001.00000003.2314396992.00000000038BD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs 43643456.exe
Source: 43643456.exe, 00000001.00000002.2336000397.0000000000D20000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilename3905be8d-577f-496a-8d1a-8aa930b08db2.exe4 vs 43643456.exe

Source: 43643456.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 1.2.43643456.exe.d20000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.43643456.exe.d20000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 1.2.43643456.exe.d20000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.43643456.exe.d20000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 00000001.00000002.2336000397.0000000000D20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000001.00000002.2336000397.0000000000D20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload

Source: 1.2.43643456.exe.d20000.1.raw.unpack, cPs8D.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.43643456.exe.d20000.1.raw.unpack, 72CF8egH.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.43643456.exe.d20000.1.raw.unpack, G5CXsdn.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.43643456.exe.d20000.1.raw.unpack, 3uPsILA6U.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.43643456.exe.d20000.1.raw.unpack, 6oQOw74dfIt.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.43643456.exe.d20000.1.raw.unpack, aMIWm.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 1.2.43643456.exe.d20000.1.raw.unpack, 3QjbQ514BDx.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.43643456.exe.d20000.1.raw.unpack, 3QjbQ514BDx.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/4@1/1

Source: C:\Users\user\Desktop\43643456.exe

Code function: 1_2_003E37B5 GetLastError,FormatMessageW,

1_2_003E37B5

Source: C:\Users\user\Desktop\43643456.exe	Code function: 1_2_003D10BF AdjustTokenPrivileges,CloseHandle,		1_2_003D10BF
Source: C:\Users\user\Desktop\43643456.exe	Code function: 1_2_003D16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		1_2_003D16C3

Source: C:\Users\user\Desktop\43643456.exe

Code function: 1_2_003E51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

1_2_003E51CD

Source: C:\Users\user\Desktop\43643456.exe

Code function: 1_2_003FA67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

1_2_003FA67C

Source: C:\Users\user\Desktop\43643456.exe

Code function: 1_2_003E648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

1_2_003E648E

Source: C:\Users\user\Desktop\43643456.exe

Code function: 1_2_003742A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

1_2_003742A2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\43643456.exe

File created: C:\Users\user\AppData\Local\Temp\aut5703.tmp

Jump to behavior

Source: 43643456.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\43643456.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegSvcs.exe, 00000002.00000002.3581765309.0000000002E2C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3581765309.0000000002E3F000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: 43643456.exe	Virustotal: Detection: 23%
Source: 43643456.exe	ReversingLabs: Detection: 44%

Source: unknown	Process created: C:\Users\user\Desktop\43643456.exe "C:\Users\user\Desktop\43643456.exe"
Source: C:\Users\user\Desktop\43643456.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\43643456.exe"
Source: C:\Users\user\Desktop\43643456.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\43643456.exe"	Jump to behavior

Source: C:\Users\user\Desktop\43643456.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\43643456.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\43643456.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\43643456.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\43643456.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\43643456.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\43643456.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\43643456.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\43643456.exe	Section loaded: kernel.appcore.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: 43643456.exe

Static file information: File size 45088768 > 1048576

Source: 43643456.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 43643456.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 43643456.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 43643456.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 43643456.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 43643456.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 43643456.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wntdll.pdbUGP source: 43643456.exe, 00000001.00000003.2314158894.00000000035F0000.00000004.00001000.00020000.00000000.sdmp, 43643456.exe, 00000001.00000003.2312037971.0000000003740000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: 43643456.exe, 00000001.00000003.2314158894.00000000035F0000.00000004.00001000.00020000.00000000.sdmp, 43643456.exe, 00000001.00000003.2312037971.0000000003740000.00000004.00001000.00020000.00000000.sdmp

Source: 43643456.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 43643456.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 43643456.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 43643456.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 43643456.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\43643456.exe

Code function: 1_2_003742DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

1_2_003742DE

Source: C:\Users\user\Desktop\43643456.exe	Code function: 1_2_00390A76 push ecx; ret	1_2_00390A89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_012A6998 pushfd ; iretd	2_2_012A699B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_012AAF7F push esi; iretd	2_2_012AAF83

Source: C:\Users\user\Desktop\43643456.exe	Code function: 1_2_0038F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		1_2_0038F98E
Source: C:\Users\user\Desktop\43643456.exe	Code function: 1_2_00401C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		1_2_00401C41

Source: C:\Users\user\Desktop\43643456.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: 43643456.exe PID: 5512, type: MEMORYSTR

Check if machine is in data center or colocation facility

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\43643456.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_1-97373

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: 43643456.exe, 00000001.00000002.2336000397.0000000000D20000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3580843458.0000000000402000.00000040.80000000.00040000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\43643456.exe

API coverage: 3.8 %

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\43643456.exe	Code function: 1_2_003DDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	1_2_003DDBBE
Source: C:\Users\user\Desktop\43643456.exe	Code function: 1_2_003AC2A2 FindFirstFileExW,	1_2_003AC2A2
Source: C:\Users\user\Desktop\43643456.exe	Code function: 1_2_003E68EE FindFirstFileW,FindClose,	1_2_003E68EE
Source: C:\Users\user\Desktop\43643456.exe	Code function: 1_2_003E698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	1_2_003E698F
Source: C:\Users\user\Desktop\43643456.exe	Code function: 1_2_003DD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_003DD076
Source: C:\Users\user\Desktop\43643456.exe	Code function: 1_2_003DD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	1_2_003DD3A9
Source: C:\Users\user\Desktop\43643456.exe	Code function: 1_2_003E9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_003E9642
Source: C:\Users\user\Desktop\43643456.exe	Code function: 1_2_003E979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	1_2_003E979D
Source: C:\Users\user\Desktop\43643456.exe	Code function: 1_2_003E9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	1_2_003E9B2B
Source: C:\Users\user\Desktop\43643456.exe	Code function: 1_2_003E5C97 FindFirstFileW,FindNextFileW,FindClose,	1_2_003E5C97

Source: C:\Users\user\Desktop\43643456.exe

Code function: 1_2_003742DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

1_2_003742DE

Source: RegSvcs.exe, 00000002.00000002.3582655330.0000000006158000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll:
Source: RegSvcs.exe, 00000002.00000002.3580843458.0000000000402000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: vmware
Source: RegSvcs.exe, 00000002.00000002.3580843458.0000000000402000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: VMwareVBoxESelect * from Win32_ComputerSystem

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 2_2_012A7068 CheckRemoteDebuggerPresent,

2_2_012A7068

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\43643456.exe

Code function: 1_2_003EEAA2 BlockInput,

1_2_003EEAA2

Source: C:\Users\user\Desktop\43643456.exe

Code function: 1_2_003A2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

1_2_003A2622

Source: C:\Users\user\Desktop\43643456.exe

Code function: 1_2_003742DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

1_2_003742DE

Source: C:\Users\user\Desktop\43643456.exe	Code function: 1_2_00394CE8 mov eax, dword ptr fs:[00000030h]	1_2_00394CE8
Source: C:\Users\user\Desktop\43643456.exe	Code function: 1_2_00CE34D0 mov eax, dword ptr fs:[00000030h]	1_2_00CE34D0
Source: C:\Users\user\Desktop\43643456.exe	Code function: 1_2_00CE3530 mov eax, dword ptr fs:[00000030h]	1_2_00CE3530
Source: C:\Users\user\Desktop\43643456.exe	Code function: 1_2_00CE1ED0 mov eax, dword ptr fs:[00000030h]	1_2_00CE1ED0

Source: C:\Users\user\Desktop\43643456.exe

Code function: 1_2_003D0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

1_2_003D0B62

Source: C:\Users\user\Desktop\43643456.exe	Code function: 1_2_003A2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_003A2622
Source: C:\Users\user\Desktop\43643456.exe	Code function: 1_2_0039083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_0039083F
Source: C:\Users\user\Desktop\43643456.exe	Code function: 1_2_003909D5 SetUnhandledExceptionFilter,	1_2_003909D5
Source: C:\Users\user\Desktop\43643456.exe	Code function: 1_2_00390C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_00390C21

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\43643456.exe

Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\43643456.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: DC0008

Jump to behavior

Source: C:\Users\user\Desktop\43643456.exe

1_2_003D1201

Source: C:\Users\user\Desktop\43643456.exe

Code function: 1_2_003B2BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

1_2_003B2BA5

Source: C:\Users\user\Desktop\43643456.exe

Code function: 1_2_003DB226 SendInput,keybd_event,

1_2_003DB226

Source: C:\Users\user\Desktop\43643456.exe

Code function: 1_2_003F22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

1_2_003F22DA

Source: C:\Users\user\Desktop\43643456.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\43643456.exe"

Jump to behavior

Source: C:\Users\user\Desktop\43643456.exe

1_2_003D0B62

Source: C:\Users\user\Desktop\43643456.exe

Code function: 1_2_003D1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

1_2_003D1663

Source: 43643456.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: 43643456.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\43643456.exe

Code function: 1_2_00390698 cpuid

1_2_00390698

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\43643456.exe

Code function: 1_2_003E8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

1_2_003E8195

Source: C:\Users\user\Desktop\43643456.exe

Code function: 1_2_003CD27A GetUserNameW,

1_2_003CD27A

Source: C:\Users\user\Desktop\43643456.exe

Code function: 1_2_003AB952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

1_2_003AB952

Source: C:\Users\user\Desktop\43643456.exe

Code function: 1_2_003742DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

1_2_003742DE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.43643456.exe.d20000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.43643456.exe.d20000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2336000397.0000000000D20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3580843458.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 43643456.exe PID: 5512, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 3064, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: 43643456.exe	Binary or memory string: WIN_81
Source: 43643456.exe	Binary or memory string: WIN_XP
Source: 43643456.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: 43643456.exe	Binary or memory string: WIN_XPe
Source: 43643456.exe	Binary or memory string: WIN_VISTA
Source: 43643456.exe	Binary or memory string: WIN_7
Source: 43643456.exe	Binary or memory string: WIN_8

Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.43643456.exe.d20000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.43643456.exe.d20000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2336000397.0000000000D20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3580843458.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3581765309.0000000002D75000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 43643456.exe PID: 5512, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 3064, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.43643456.exe.d20000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.43643456.exe.d20000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2336000397.0000000000D20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3580843458.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 43643456.exe PID: 5512, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 3064, type: MEMORYSTR

Source: C:\Users\user\Desktop\43643456.exe	Code function: 1_2_003F1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		1_2_003F1204
Source: C:\Users\user\Desktop\43643456.exe	Code function: 1_2_003F1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		1_2_003F1806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	121 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	38 System Information Discovery	Distributed Component Object Model	121 Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	2 Valid Accounts	LSA Secrets	541 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	22 Virtualization/Sandbox Evasion	Cached Domain Credentials	22 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Access Token Manipulation	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	212 Process Injection	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
43643456.exe	24%	Virustotal		Browse
43643456.exe	45%	ReversingLabs	Win32.Trojan.AgentTesla
43643456.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
fp2e7a.wpc.phicdn.net	0%	Virustotal		Browse

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ip-api.com	208.95.112.1	true	false		high
fp2e7a.wpc.phicdn.net	192.229.211.108	true	false	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ip-api.com/line/?fields=hosting	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://ip-api.com/line/?fields=hosting$	RegSvcs.exe, 00000002.00000002.3581204980.0000000001101000.00000004.00000020.00020000.00000000.sdmp	false	high
http://ip-api.com/line/?fields=hosting2	RegSvcs.exe, 00000002.00000002.3581204980.0000000001101000.00000004.00000020.00020000.00000000.sdmp	false	high
https://account.dyn.com/	43643456.exe, 00000001.00000002.2336000397.0000000000D20000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3580843458.0000000000402000.00000040.80000000.00040000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 00000002.00000002.3581765309.0000000002D41000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3581765309.0000000002DFC000.00000004.00000800.00020000.00000000.sdmp	false	high
http://ip-api.com	RegSvcs.exe, 00000002.00000002.3581765309.0000000002E17000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3581765309.0000000002D41000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3581765309.0000000002DFC000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States		53334	TUT-ASUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1436297
Start date and time:	2024-05-04 10:00:31 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 47s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	43643456.exe renamed because original name is a hash value
Original Sample Name:	Aviso de cuenta vencida de DHL - ##1606622076_86576432567897664542354656767896756442356789000876543643456.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/4@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 48 Number of non-executed functions: 293
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ocsp.edge.digicert.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtQueryValueKey calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	DHL_VTER000105450.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	ip-api.com/line/?fields=hosting
	DHL Receipt_AWB 9899691321..exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	ip-api.com/line/?fields=hosting
	Sipari#U015f.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	ip-api.com/line/?fields=hosting
	Aviso de cuenta vencida de DHL - 1606622076_865764325678976645423546567678967564423567890008765.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	Dekont.pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	ip-api.com/line/?fields=hosting
	http://www.open-sora.org	Get hash	malicious	Exela Stealer, Growtopia, Python Stealer	Browse	ip-api.com/json
	nXaujG6G1F.exe	Get hash	malicious	Blank Grabber, DCRat, Umbral Stealer	Browse	ip-api.com/json/?fields=225545
	NFs_98776.msi	Get hash	malicious	VMdetect	Browse	ip-api.com/json/
	Invoice _ 2357.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	RFQ-M310 .exe	Get hash	malicious	GuLoader, PXRECVOWEIWOEI Stealer	Browse	ip-api.com/line/?fields=hosting

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fp2e7a.wpc.phicdn.net	Hesaphareketi-01.exe	Get hash	malicious	AgentTesla	Browse	192.229.211.108
	LFfjUMuUFU.exe	Get hash	malicious	AsyncRAT, PureLog Stealer, XWorm	Browse	192.229.211.108
	https://lestore.lenovo.com/detail/L109130	Get hash	malicious	Unknown	Browse	192.229.211.108
	https://www.67rwzb.cn/	Get hash	malicious	Unknown	Browse	192.229.211.108
	https://jingxinwl.com/	Get hash	malicious	Unknown	Browse	192.229.211.108
	https://vpassz.xu4nblog.com/	Get hash	malicious	Unknown	Browse	192.229.211.108
	https://rdtetsyutfuyfrxytf.azurewebsites.net/	Get hash	malicious	TechSupportScam	Browse	192.229.211.108
	https://8952627338.z28.web.core.windows.net/?phone=09-70-18-72-82	Get hash	malicious	Unknown	Browse	192.229.211.108
	https://nthturn.com/	Get hash	malicious	Unknown	Browse	192.229.211.108
	https://bshgjc.com/	Get hash	malicious	Unknown	Browse	192.229.211.108
ip-api.com	DHL_VTER000105450.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	DHL Receipt_AWB 9899691321..exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	Sipari#U015f.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	Aviso de cuenta vencida de DHL - 1606622076_865764325678976645423546567678967564423567890008765.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Dekont.pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	http://www.open-sora.org	Get hash	malicious	Exela Stealer, Growtopia, Python Stealer	Browse	208.95.112.1
	nXaujG6G1F.exe	Get hash	malicious	Blank Grabber, DCRat, Umbral Stealer	Browse	208.95.112.1
	NFs_98776.msi	Get hash	malicious	VMdetect	Browse	208.95.112.1
	Invoice _ 2357.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	RFQ-M310 .exe	Get hash	malicious	GuLoader, PXRECVOWEIWOEI Stealer	Browse	208.95.112.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TUT-ASUS	DHL_VTER000105450.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	DHL Receipt_AWB 9899691321..exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	Sipari#U015f.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	Aviso de cuenta vencida de DHL - 1606622076_865764325678976645423546567678967564423567890008765.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Dekont.pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	http://www.open-sora.org	Get hash	malicious	Exela Stealer, Growtopia, Python Stealer	Browse	208.95.112.1
	nXaujG6G1F.exe	Get hash	malicious	Blank Grabber, DCRat, Umbral Stealer	Browse	208.95.112.1
	NFs_98776.msi	Get hash	malicious	VMdetect	Browse	208.95.112.1
	Invoice _ 2357.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	RFQ-M310 .exe	Get hash	malicious	GuLoader, PXRECVOWEIWOEI Stealer	Browse	208.95.112.1

Process:	C:\Users\user\Desktop\43643456.exe
File Type:	data
Category:	dropped
Size (bytes):	142022
Entropy (8bit):	7.92291698867858
Encrypted:	false
SSDEEP:	3072:sjJ6YS+yzfQKDJmhPo7w1+ao144rrrNKAwTyKMoBgUE/Ilwl5b:sQYhyzfQK1mhPoU1B4oVNMoBxE/V5b
MD5:	D3A95CBB4A1605D2457CB8B26BEE462B
SHA1:	28DF99545F9DD905DE63575B7E12C88CF64F3C1F
SHA-256:	0B1F4E2A5BBF18E1291C0913BDE5346D818BF42AF11C8A63585585C055F6E8ED
SHA-512:	803FFC0DD14AD6D357F6A7226399640C52175E507EDF5B4F98E5F517D3DC4AA0C9CAC0AEBCEF23FB833BD2C92CBD8414E325CCF2413062CF032B77AE2D4DB2DE
Malicious:	false
Reputation:	low
Preview:	EA06......:4..gW...NN..S.L.....m..T.@.y....\| ...K.N(?j.>%.A31[..W .P.i\|..[..fR...[h.Tb.9...Z..a..<ZY-.........<r.T.M.T-.:_1.X.gU.P......4W.....Pfu{..Y....:.f..,P.U:0.~h..Z.L.4..^&.h...B...5..&.....5..o.,.....".p....B...~@..E...`..D.......6.N...d.75.,...]Ri4.M.lS:...&..$@....,u.......7\|.j..'l...y..mM...s.....M\|..ER..a.........,Uk4.#_C.u.....7.n.....U.g9./.n.{.Y.Si....p...]o......u".v:7.=?%...w....{..c.?..k]...>.6.wR.Rv.?w..k.N$.y.....H....b....hP.O..].H...."..."...X.....-.C9.y...!.N..%..$.@$uY..C.s(..N.S..dp\n..ux..)u.T..:..t{...L.z.[.}4....c....l..\.4I...7..).....p...f..X\@..x.as.,)@..B.<.u.{........M.../.xt..]......x..ka..../<'...A84y....E7}..oy?.wj....!....)...T.L+vJ4......4i.J.O.M.W.dcy...7w-.....t(_O...N..@]...M6.r.....6....[Y.u9sn..YB...4..j.#.M.Ty..u1..e.I........J$.t.....kE.V.@.mm..P.t..VM..M&[....l....J..o..R..\X...ksi..mK..hS:.n.G..(.....Y.T..].V.R..i..T.u5.7/..U^.A.O-.....T.E.4*...A..h\....{.L..022eA..w. .b.~.L@!..^.J.Z......}.......U.

C:\Users\user\AppData\Local\Temp\aut5742.tmp

Download File

Process:	C:\Users\user\Desktop\43643456.exe
File Type:	data
Category:	dropped
Size (bytes):	9852
Entropy (8bit):	7.597443171314243
Encrypted:	false
SSDEEP:	192:C+cKAFEeHCTNT/Uy48+s5DFVZJf3dQ3x0OmKbqKsXfQFUtXdsnG:h7ACeHCTR2WBVZJ/dQ36Y0XfQFGdgG
MD5:	3A265134B930B97245B788FC31CD009B
SHA1:	A5568BDAAEE0162A3CFAFB6958603FE81BB4A681
SHA-256:	33B05DE4EE01033E3D42C96D5983D295916A024730653F7513DECB1F5454E037
SHA-512:	1C448539DA1C8250EB7A637B9E2E95396C56F015E589938E6A5AD0801193D46DA90DFFDCAFFF9BFB68D6F20FD50BE5269E2231F0746A926BD911E93D2D750EBB
Malicious:	false
Reputation:	low
Preview:	EA06..p0.M'.)..e4.N'.).......T9..l.0L.s.5..3..s.4.8.......k8.Yls....c..&S...k6...S....1.L&.i..i5.M,S....K.@...7...p. ....P.o...m.X.V........9....3...f....s2.Xf@.]..g3@..h.m.M.......8.l..6.....a........i4........g3Y...c ._..k4...d....H, ......Ac.H..g...(.F..=d....>....C`....@02..N@...u......Y..ab.M.]>.$....M.x>;$....N.j.;%....X.j.;%......j.;,....P'.b.5... .^..f./Z..@F.6.z..G......`......i..G../Z...zqd...l.;.........\|......7...}3{(........;^..l =..p.........3p.o....,.......x.....H<.lX.:...b.....,. ...2...f.[...K.)....b..i\|v F......X......`....,.9....5...._..l......>K.....ir.e....[4..d..f.y.....,.....S >..p...........s9.... !..Y....f...ja4....ea.h,.p.....,.a8.,..3........f.....f ....,j.0..&...J......f ....6K%.ke..f....L..;2.X...4.Y.V@.Fn.....f@....l..05.....!;3.X...c )D.g6... ...'&`....,f.6..&....r...Brh.....l...i2...B....@.......d.L.`!.....P...@X5d..lSK...9...!;5.X...cVY......'.B...,vl.!..>.a..l...M..@...X...b.M&.X..B.a.Q...sp..X..9..o5..f.!...,vn......d...

C:\Users\user\AppData\Local\Temp\brawlys

Download File

Process:	C:\Users\user\Desktop\43643456.exe
File Type:	data
Category:	dropped
Size (bytes):	244224
Entropy (8bit):	6.543228882678003
Encrypted:	false
SSDEEP:	6144:1CoyXPpDCigdVF1nwDNiVxtcF6+90ztM8:hYBWrwyOFr90zt9
MD5:	335C849AEEF83AB1D71E92E85F0E9810
SHA1:	E4C028FD7F24CF7FFD37E87D449FC7AF830F4DDB
SHA-256:	5D0E14E96C7DA9F492A21B4B36690A746DA4A06E2A0A5DFB311F70910C004843
SHA-512:	1F19B8A3B0200B93F48A9FD00D3E27625A893AC11067C41735827DE6A8F83F9F4C43FACCE4BC28AB16C3F677BAED8DF39FBEAA9DC89CCFF849C05A3A525B16E9
Malicious:	false
Reputation:	low
Preview:	yl.BPB3W]HT4.BS.3WYHT46.BSB3WYHT46ABSB3WYHT46ABSB3WYHT46ABS.3WYFK.8A.Z...X...b)+ bC%6/&U[a!2,]8-h6Q.37=bZ9y..g.,-7'.ZTBp46ABSB3..HTx7BB../1YHT46ABS.3UXCU?6A.PB3_YHT46A..A3WyHT4.BBSBsWYhT46CBSF3WYHT46EBSB3WYHT.2ABQB3WYHT66..SB#WYXT46ARSB#WYHT46QBSB3WYHT46AB.A3.YHT4.BB.G3WYHT46ABSB3WYHT46ABWB?WYHT46ABSB3WYHT46ABSB3WYHT46ABSB3WYHT46ABSB3WYHT46ABsB3_YHT46ABSB3WQhT4~ABSB3WYHT46o66:GWYH..5ABsB3W.KT44ABSB3WYHT46ABSb3W9f&GD"BSBuRYHT.5ABUB3W.KT46ABSB3WYHT4vAB.lA25'746MBSB3W]HT66AB.A3WYHT46ABSB3W.HTv6ABSB3WYHT46ABSB..ZHT46A.SB3UYMTH.CB.w2WZHT47ABUB3WYHT46ABSB3WYHT46ABSB3WYHT46ABSB3WYHT46ABSB3WYU.....\|{gB63.g.4.0..[.O..\.&."\..}.O....o!2..B.M...]...&.;R I.....k"8&W .C.N#._....i.B...D].#..Hs.=D..p...b....X-...5..!\:w)$DZ$l.#U6+!.6.@BSB3........::x.tK[.S:...\|FL`...MWYH046A0SB36YHTs6AB<B3W7HT4HABS<3WY.T46.BSB.WYHq46A/SB3sYHTJ6AB.?<X...]E.SB3WY}..../........w3.<h5a...R....6..G<.A.....Y.?x.V.8D...OU22D@TF0[dF...cQF7R[OP7:\|L...x.r..x..B...N.=BSB3WY.T4.ABS.W.HT4.A.S.WYH..6.B.B...H

C:\Users\user\AppData\Local\Temp\intemeration

Download File

Process:	C:\Users\user\Desktop\43643456.exe
File Type:	ASCII text, with very long lines (28720), with no line terminators
Category:	dropped
Size (bytes):	28720
Entropy (8bit):	3.592823508440391
Encrypted:	false
SSDEEP:	768:wiTZ+2QoioGRk6ZklputwjpjBkCiw2RuJ3nXKUrvzjsNbiE+Ik6Ng4vfF3if6gyr:wiTZ+2QoioGRk6ZklputwjpjBkCiw2Rx
MD5:	F09465A793199ED255FB0B90A39CC6B1
SHA1:	A9A08015C505D2E558885B8FC6BD00E608799DC1
SHA-256:	E60E3DFC5AFACD35B6A94AE43AEA9A45197870303784233D929256FB4DEE8839
SHA-512:	F7380719B029D777D39A4C99E64EFAAE6BFAFD3CD5D6CE1D0BF3129E8074F4370AFCB0DC7251AFF1C4E5660063139226DED1E41E37A4D76A3EA1044BA9274FB3
Malicious:	false
Reputation:	low
Preview:	048B4C24088B008B093BC8760483C8FFC31BC0F7D8C38B0x558bec81eccc0200005657b86b00000066894584b96500000066894d86ba7200000066895588b86e0000006689458ab96500000066894d8cba6c0000006689558eb83300000066894590b93200000066894d92ba2e00000066895594b86400000066894596b96c00000066894d98ba6c0000006689559a33c06689459cb96e00000066898d44ffffffba7400000066899546ffffffb86400000066898548ffffffb96c00000066898d4affffffba6c0000006689954cffffffb82e0000006689854effffffb96400000066898d50ffffffba6c00000066899552ffffffb86c00000066898554ffffff33c966898d56ffffffba75000000668955d0b873000000668945d2b96500000066894dd4ba72000000668955d6b833000000668945d8b93200000066894ddaba2e000000668955dcb864000000668945deb96c00000066894de0ba6c000000668955e233c0668945e4b96100000066898d68ffffffba640000006689956affffffb8760000006689856cffffffb96100000066898d6effffffba7000000066899570ffffffb86900000066898572ffffffb93300000066898d74ffffffba3200000066899576ffffffb82e00000066898578ffffffb96400000066898d7affffffba6c0000006689957cffffffb86c00000066

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	0.3089890165461794
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	43643456.exe
File size:	45'088'768 bytes
MD5:	d8435d6f34662bcfc8d667a437daf5bc
SHA1:	116c1cfb5b75edb97aba0d15d5aa2b5c1ea2f3f1
SHA256:	17ae4c9d2754b1dd9b4619f6a24b25b86345bc04b314431aa54e95ce29787d73
SHA512:	4b75c4557200542d0daec35cf2f8bbe7e92b9080f1e993bbaa2f09d1f126092c0e74be4efc1182d4c2c343900009625940d7c16a58e656b817a167e9b205e49e
SSDEEP:	24576:OqDEvCTbMWu7rQYlBQcBiT6rprG8aAGTMBeq:OTvC/MTQYxsWR7aAG
TLSH:	4AA7BF0273D1C062FF9B92334B5AF6515BBC69260123E62F13A81D79BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x6634F313 [Fri May 3 14:22:11 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007FE40CF550B3h
jmp 00007FE40CF549BFh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FE40CF54B9Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FE40CF54B6Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007FE40CF5775Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007FE40CF577A8h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007FE40CF57791h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x3cc08	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x111000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x3cc08	0x3ce00	6fc8966a124aa0050b9c38f8bc1c30cf	False	0.8937251347535934	data	7.817739766115667	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x111000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd44a0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd45c8	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd48b0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd49d8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5880	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6128	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd6690	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8c38	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xd9ce0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_STRING	0xda148	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xda6dc	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdad68	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb1f8	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdb7f4	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdbe50	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc2b8	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc410	0x3426e	data			1.0003557819244058
RT_GROUP_ICON	0x110680	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x1106f8	0x14	data	English	Great Britain	1.15
RT_VERSION	0x11070c	0x10c	data	English	Great Britain	0.5970149253731343
RT_MANIFEST	0x110818	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 4, 2024 10:01:44.469780922 CEST	49703	80	192.168.2.6	208.95.112.1
May 4, 2024 10:01:44.629239082 CEST	80	49703	208.95.112.1	192.168.2.6
May 4, 2024 10:01:44.629412889 CEST	49703	80	192.168.2.6	208.95.112.1
May 4, 2024 10:01:44.638154984 CEST	49703	80	192.168.2.6	208.95.112.1
May 4, 2024 10:01:44.799556971 CEST	80	49703	208.95.112.1	192.168.2.6
May 4, 2024 10:01:44.852762938 CEST	49703	80	192.168.2.6	208.95.112.1
May 4, 2024 10:02:33.887285948 CEST	80	49703	208.95.112.1	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 4, 2024 10:01:44.239995003 CEST	57620	53	192.168.2.6	1.1.1.1
May 4, 2024 10:01:44.400971889 CEST	53	57620	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
May 4, 2024 10:01:44.239995003 CEST	192.168.2.6	1.1.1.1	0x2e4b	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
May 4, 2024 10:01:37.282376051 CEST	1.1.1.1	192.168.2.6	0x5003	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
May 4, 2024 10:01:37.282376051 CEST	1.1.1.1	192.168.2.6	0x5003	No error (0)	fp2e7a.wpc.phicdn.net		192.229.211.108	A (IP address)	IN (0x0001)	false
May 4, 2024 10:01:44.400971889 CEST	1.1.1.1	192.168.2.6	0x2e4b	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49703	208.95.112.1	80	3064	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
May 4, 2024 10:01:44.638154984 CEST	80	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
May 4, 2024 10:01:44.799556971 CEST	174	IN	HTTP/1.1 200 OK Date: Sat, 04 May 2024 08:01:43 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 5 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 74 72 75 65 0a Data Ascii: true

Target ID:	1
Start time:	10:01:39
Start date:	04/05/2024
Path:	C:\Users\user\Desktop\43643456.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\43643456.exe"
Imagebase:	0x370000
File size:	45'088'768 bytes
MD5 hash:	D8435D6F34662BCFC8D667A437DAF5BC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.2336000397.0000000000D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000001.00000002.2336000397.0000000000D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.2336000397.0000000000D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000001.00000002.2336000397.0000000000D20000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_AgentTeslaV2, Description: AgenetTesla Type 2 Keylogger payload, Source: 00000001.00000002.2336000397.0000000000D20000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	10:01:40
Start date:	04/05/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\43643456.exe"
Imagebase:	0xa50000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3580843458.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.3580843458.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3581765309.0000000002D75000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	3.3%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	4.8%
Total number of Nodes:	2000
Total number of Limit Nodes:	39

Executed Functions

Function 003742DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0037430D

Part of subcall function 00376B57: _wcslen.LIBCMT ref: 00376B6A

GetCurrentProcess.KERNEL32(?,0040CB64,00000000,?,?), ref: 00374422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00374429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00374454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00374466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00374474
FreeLibrary.KERNEL32(00000000,?,?), ref: 0037447B
GetSystemInfo.KERNEL32(?,?,?), ref: 003744A0

Strings

|O, xrefs: 003B36F8
GetNativeSystemInfo, xrefs: 00374460
kernel32.dll, xrefs: 0037444F

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: bf18efc22efabbd3862e83f244338c70e6be63c467c5b564ef64dcf5250850ff
Instruction ID: d2462e098557142f16a00fdd0923176d92fad378781cbcae8722370061629eb5
Opcode Fuzzy Hash: bf18efc22efabbd3862e83f244338c70e6be63c467c5b564ef64dcf5250850ff
Instruction Fuzzy Hash: BBA1D56A90A2D0CFE723CF6A7C812E43FA46B27344F0484B9D84597E32E3345598DB2D

Uniqueness

Uniqueness Score: -1.00%

Function 003742A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,003750AA,?,?,00000000,00000000), ref: 003742B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,003750AA,?,?,00000000,00000000), ref: 003742C9
LoadResource.KERNEL32(?,00000000,?,?,003750AA,?,?,00000000,00000000,?,?,?,?,?,?,00374F20), ref: 003B35BE
SizeofResource.KERNEL32(?,00000000,?,?,003750AA,?,?,00000000,00000000,?,?,?,?,?,?,00374F20), ref: 003B35D3
LockResource.KERNEL32(003750AA,?,?,003750AA,?,?,00000000,00000000,?,?,?,?,?,?,00374F20,?), ref: 003B35E6

Strings

SCRIPT, xrefs: 003742BF

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 38b1d96bfad9e620ec29c178d29888196495612d23af6a7bd479c66d0d9a8dd1
Instruction ID: 2da501eef84d88543a59051c9def0392626aa25d03c4fba75249dd83ba4b3338
Opcode Fuzzy Hash: 38b1d96bfad9e620ec29c178d29888196495612d23af6a7bd479c66d0d9a8dd1
Instruction Fuzzy Hash: 1A117C71600700FFD7228B65DD88F677BBDEBC6B51F20866DF406A6690DB71E8108A61

Uniqueness

Uniqueness Score: -1.00%

Function 003B2BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00372B6B

Part of subcall function 00373A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00441418,?,00372E7F,?,?,?,00000000), ref: 00373A78

Part of subcall function 00379CB3: _wcslen.LIBCMT ref: 00379CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00432224), ref: 003B2C10
ShellExecuteW.SHELL32(00000000,?,?,00432224), ref: 003B2C17

Strings

runas, xrefs: 003B2C0B

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: cf5942e15eabd73d41e766b7f2ad78d841bdd6e773bdf5e931d972644068327e
Instruction ID: 5b57c2858499df08b55cf6fad336a726f9ccefb5f0df37ac39edfe3d75bcf83a
Opcode Fuzzy Hash: cf5942e15eabd73d41e766b7f2ad78d841bdd6e773bdf5e931d972644068327e
Instruction Fuzzy Hash: E911B431208345AAD737FF60D892AAE77A49F95300F04952EF14A1B0A3CF3C8549E716

Uniqueness

Uniqueness Score: -1.00%

Function 003DDBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,003B5222), ref: 003DDBCE
GetFileAttributesW.KERNELBASE(?), ref: 003DDBDD
FindFirstFileW.KERNELBASE(?,?), ref: 003DDBEE
FindClose.KERNEL32(00000000), ref: 003DDBFA

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 63131af062bc23065a9502860ce649716559e3dea8979338c32d842abc9ac7c6
Instruction ID: e0874b611c472ab7a41e82c6c5a7a70b445046f98d483a0030a92396b2228fa0
Opcode Fuzzy Hash: 63131af062bc23065a9502860ce649716559e3dea8979338c32d842abc9ac7c6
Instruction Fuzzy Hash: 7FF0A03282091097C2216B78BE4E8BA376C9E01334F244757F836D26E1EBB059648699

Uniqueness

Uniqueness Score: -1.00%

Function 0037BF40 Relevance: 2.4, Strings: 1, Instructions: 1178COMMON

Download Yara Rule

Strings

p#D, xrefs: 003C07CE

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: BuffCharUpper
String ID: p#D
API String ID: 3964851224-1688748970
Opcode ID: 79b01e1a1d44f0a736bf5aa1497626d5c923d798e3794a2d0a6a370b3280a4e4
Instruction ID: 7bfe0acf88868e31a3b64d9ba1f1b7b266a087bb7fee6125dff8a06271045873
Opcode Fuzzy Hash: 79b01e1a1d44f0a736bf5aa1497626d5c923d798e3794a2d0a6a370b3280a4e4
Instruction Fuzzy Hash: AFA28B70608341DFC726DF28C480B2ABBE5BF89304F15996DE99A8B352D735EC45CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0037D730 Relevance: 21.6, APIs: 14, Instructions: 625windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 0037D807
timeGetTime.WINMM ref: 0037DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0037DB28
TranslateMessage.USER32(?), ref: 0037DB7B
DispatchMessageW.USER32(?), ref: 0037DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0037DB9F
Sleep.KERNEL32(0000000A), ref: 0037DBB1

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 2a2b6fd1762109b2b778cd25e823ece042a1ed1dec37601558143e8992402582
Instruction ID: 2f6cdb1c8022e143fdd6f617cbdf9829909fa63e303f0be1c4df542d68f8fdf5
Opcode Fuzzy Hash: 2a2b6fd1762109b2b778cd25e823ece042a1ed1dec37601558143e8992402582
Instruction Fuzzy Hash: C142CE30608341EFD736DB24C884F6AB7B4BF86304F15866DE55A9B291D778EC44CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00372CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00372D07
RegisterClassExW.USER32(00000030), ref: 00372D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00372D42
InitCommonControlsEx.COMCTL32(?), ref: 00372D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00372D6F
LoadIconW.USER32(000000A9), ref: 00372D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00372D94

Strings

TaskbarCreated, xrefs: 00372D37
0, xrefs: 00372CE9
AutoIt v3 GUI, xrefs: 00372D23
+, xrefs: 00372CF0

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: d74558e3205822db004112df4f18e5e1ba036d354f8906cb0e928b73a9d5088e
Instruction ID: 34d960e79a594a100cd2729c670aa1fc90e195341911511c44e57a27414f32b0
Opcode Fuzzy Hash: d74558e3205822db004112df4f18e5e1ba036d354f8906cb0e928b73a9d5088e
Instruction Fuzzy Hash: 6821E4B5901209EFDB00DFA4E989B9DBBB4FB09700F00822AE911B62A0D7B50584CF98

Uniqueness

Uniqueness Score: -1.00%

Function 003A8D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

.9, xrefs: 003A903A, 003A8FD0, 003A8FF2

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID:
String ID: .9
API String ID: 0-4137932486
Opcode ID: e0d153ce06e3a498377fb51b87abeb44f9360a7a7b6689b6daf82d749b5eacef
Instruction ID: 9aa3f6597274d0f44f609910d03e563efcb32cae6435c2735276a2f4748910e9
Opcode Fuzzy Hash: e0d153ce06e3a498377fb51b87abeb44f9360a7a7b6689b6daf82d749b5eacef
Instruction Fuzzy Hash: D8C1F278904249AFDF12DFA8D845BADBBB4EF0B310F0541AAE954AB392C7708941CB61

Uniqueness

Uniqueness Score: -1.00%

Function 003B065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 003B039A: CreateFileW.KERNELBASE(00000000,00000000,?,003B0704,?,?,00000000,?,003B0704,00000000,0000000C), ref: 003B03B7

GetLastError.KERNEL32 ref: 003B076F
__dosmaperr.LIBCMT ref: 003B0776
GetFileType.KERNELBASE(00000000), ref: 003B0782
GetLastError.KERNEL32 ref: 003B078C
__dosmaperr.LIBCMT ref: 003B0795
CloseHandle.KERNEL32(00000000), ref: 003B07B5
CloseHandle.KERNEL32(?), ref: 003B08FF
GetLastError.KERNEL32 ref: 003B0931
__dosmaperr.LIBCMT ref: 003B0938

Strings

H, xrefs: 003B08BD

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 7ed9040503b1419186ad5061bf1fea2af7e48df82ad6fee308bb15c81801d1fa
Instruction ID: 0439cf58a31caa194441edc627de430d7eb921a8679a62d0c0f4638bd1d03397
Opcode Fuzzy Hash: 7ed9040503b1419186ad5061bf1fea2af7e48df82ad6fee308bb15c81801d1fa
Instruction Fuzzy Hash: 59A12736A141088FDF1EAF68D852BEE7BA0EB06324F140169F955EF291DB319912CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0037344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00373A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00441418,?,00372E7F,?,?,?,00000000), ref: 00373A78

Part of subcall function 00373357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00373379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0037356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 003B318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 003B31CE
RegCloseKey.ADVAPI32(?), ref: 003B3210
_wcslen.LIBCMT ref: 003B3277
_wcslen.LIBCMT ref: 003B3286

Strings

Include, xrefs: 003B3184, 003B31C5
\, xrefs: 003B328C
Software\AutoIt v3\AutoIt, xrefs: 00373560
\Include\, xrefs: 00373527

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 6c84d470c8813e2d5eb41182f8869f79fe3748f12b727811e00114df01e1ceaf
Instruction ID: 94345ba15c128c42ba21fc05f9eb1341fd64a2dcdbc63141dddb7c3c77cd7783
Opcode Fuzzy Hash: 6c84d470c8813e2d5eb41182f8869f79fe3748f12b727811e00114df01e1ceaf
Instruction Fuzzy Hash: 8771B0714043019ED315EF65DD8299BBBF8FF86740F80493EF9449B1A0DB789A48CB56

Uniqueness

Uniqueness Score: -1.00%

Function 00372B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00372B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00372B9D
LoadIconW.USER32(00000063), ref: 00372BB3
LoadIconW.USER32(000000A4), ref: 00372BC5
LoadIconW.USER32(000000A2), ref: 00372BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00372BEF
RegisterClassExW.USER32(?), ref: 00372C40

Part of subcall function 00372CD4: GetSysColorBrush.USER32(0000000F), ref: 00372D07
Part of subcall function 00372CD4: RegisterClassExW.USER32(00000030), ref: 00372D31
Part of subcall function 00372CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00372D42
Part of subcall function 00372CD4: InitCommonControlsEx.COMCTL32(?), ref: 00372D5F
Part of subcall function 00372CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00372D6F
Part of subcall function 00372CD4: LoadIconW.USER32(000000A9), ref: 00372D85
Part of subcall function 00372CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00372D94

Strings

0, xrefs: 00372C0F
AutoIt v3, xrefs: 00372C2F
#, xrefs: 00372C16

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 784d97c01cc7fe84274278edd8274f23e4a79f4627cc48ab9619d8ccb4850247
Instruction ID: 5c744ba9a7749fdd347af37a8b15f2d3aa7e975f75ee8f66ac037529a056a261
Opcode Fuzzy Hash: 784d97c01cc7fe84274278edd8274f23e4a79f4627cc48ab9619d8ccb4850247
Instruction Fuzzy Hash: 69214C78E40314ABEB109FA5ED85A997FB4FB09B50F00413AF901B76B0D3B50580CF98

Uniqueness

Uniqueness Score: -1.00%

Function 0037B710 Relevance: 16.3, APIs: 1, Strings: 8, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0037BB4E

Strings

x#D, xrefs: 003C0168
p#D, xrefs: 003C0263
x#D, xrefs: 003C0207
p%D, xrefs: 0037B8DC
p#D, xrefs: 003C024F
p#D, xrefs: 0037BA72
p#D, xrefs: 0037BB6B
p%D, xrefs: 0037BB32

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: Init_thread_footer
String ID: p#D$p#D$p#D$p#D$p%D$p%D$x#D$x#D
API String ID: 1385522511-1069978052
Opcode ID: ed26132710e73361a7ccdbb62b825fa052a4e2bf361ca6027bb2d182858c08b6
Instruction ID: 0a78d179cb5b0a27c71523189a90aea68abdf40a86e00f1fefcdbf220dcc323e
Opcode Fuzzy Hash: ed26132710e73361a7ccdbb62b825fa052a4e2bf361ca6027bb2d182858c08b6
Instruction Fuzzy Hash: 2932BE34A00249EFDB2ACF64C894FBEB7B9EF45304F19C059E919AB251C778AD41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00373170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0037316A,?,?), ref: 003731D8
KillTimer.USER32(?,00000001,?,?,?,?,?,0037316A,?,?), ref: 00373204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00373227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0037316A,?,?), ref: 00373232
CreatePopupMenu.USER32 ref: 00373246
PostQuitMessage.USER32(00000000), ref: 00373267

Strings

TaskbarCreated, xrefs: 0037322D

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: c51d0e33f02fb1e2ffe2dd17e7115b3b76f8c037c59f36502d69376fdbdc708c
Instruction ID: 67e57379a62e9193b242c7d220e656421ba43999b15ddd9af336132ac3a5e4c9
Opcode Fuzzy Hash: c51d0e33f02fb1e2ffe2dd17e7115b3b76f8c037c59f36502d69376fdbdc708c
Instruction Fuzzy Hash: 41414935250204E6EB372B78DD49BB93719E706340F14C236F91A966B2C77CCA80E76A

Uniqueness

Uniqueness Score: -1.00%

Function 0037DFD0 Relevance: 15.4, APIs: 2, Strings: 6, Instructions: 1414COMMON

Download Yara Rule

Strings

D%D, xrefs: 0037E1E0
D%D, xrefs: 003C302D
D%DD%D, xrefs: 0037E27E
D%D, xrefs: 003C2FDA
D%D, xrefs: 0037E4B1
Variable must be of type 'Object'., xrefs: 003C32B7

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID:
String ID: D%D$D%D$D%D$D%D$D%DD%D$Variable must be of type 'Object'.
API String ID: 0-3449319901
Opcode ID: 8c2fe0035d601b95678b32f7a9636ea8b1f7a0e3058b6962c88118eccc608ea3
Instruction ID: ba4306360852ac720cef4818d125ea787122eacee7173638d990afb74546db91
Opcode Fuzzy Hash: 8c2fe0035d601b95678b32f7a9636ea8b1f7a0e3058b6962c88118eccc608ea3
Instruction Fuzzy Hash: 29C29B75A00214CFDB26DF58C881AADB7F1BF09300F25C5A9E919AB3A1D379ED41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00CE2620 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 00CE26F1
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00CE2917

Memory Dump Source

Source File: 00000001.00000002.2335962090.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ce0000_43643456.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: c69e8af538ca099f1199ea1a41374fe769c00d7324591793f5319154b009097c
Instruction ID: 4266f479f14d3508e1911558e7fbe83ffa21fdde8c0ac7292101f7e7c3cc8f72
Opcode Fuzzy Hash: c69e8af538ca099f1199ea1a41374fe769c00d7324591793f5319154b009097c
Instruction Fuzzy Hash: B8A12875E00248EBDB24CFA5C895BEEBBB9FF48304F208159E511BB280D7759A81DF94

Uniqueness

Uniqueness Score: -1.00%

Function 00372C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00372C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00372CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00371CAD,?), ref: 00372CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00371CAD,?), ref: 00372CCF

Strings

AutoIt v3, xrefs: 00372C89, 00372C8E, 00372C8F
edit, xrefs: 00372CAC

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 396ae771297733c1ec9bfbf3c93604707dab1375e43c4730e0d81181769d0efc
Instruction ID: c5f052f2ecca63b6eb7e0b76c9e4b917d273a157cfd3dafffa4114c98ec10b25
Opcode Fuzzy Hash: 396ae771297733c1ec9bfbf3c93604707dab1375e43c4730e0d81181769d0efc
Instruction Fuzzy Hash: 9BF0DA79540290BAFB311B17AC48E772EBDD7C7F50B10407AFD00A35B0C6751894DAB8

Uniqueness

Uniqueness Score: -1.00%

Function 00CE2410 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 135
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00CE2300: Sleep.KERNELBASE(000001F4), ref: 00CE2311

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00CE250B

Strings

46ABSB3WYHT, xrefs: 00CE256E, 00CE2571

Memory Dump Source

Source File: 00000001.00000002.2335962090.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ce0000_43643456.jbxd

Similarity

API ID: CreateFileSleep
String ID: 46ABSB3WYHT
API String ID: 2694422964-3820306694
Opcode ID: 0a5b52cc71cbf4459ff0763a91dac9175423bcd904a5a3895568517bf88ffa6b
Instruction ID: a216a1ed104afe7a07f6bad5605d4ff2eb6ea3c681e7febb809a9d0a2a4626e8
Opcode Fuzzy Hash: 0a5b52cc71cbf4459ff0763a91dac9175423bcd904a5a3895568517bf88ffa6b
Instruction Fuzzy Hash: F2519E31D04249EBEF10DBE5C819BEEBB78AF08300F104199E619BB2C0D6B95B44CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 003E2947 Relevance: 7.8, APIs: 5, Instructions: 313
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 003E2C05
DeleteFileW.KERNEL32(?), ref: 003E2C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 003E2C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 003E2CAE
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 003E2CC0

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: ee2fa4c48912ea23ed823f875af15c51badb2e8c648f38b1ddec9f1174d87feb
Instruction ID: e922a4280d4450caa561d77121fee638dbb2dc7e01234ad6cf279fc77bdc4ac6
Opcode Fuzzy Hash: ee2fa4c48912ea23ed823f875af15c51badb2e8c648f38b1ddec9f1174d87feb
Instruction Fuzzy Hash: 81B16F71D00129ABDF26EBA5CC85EDFB7BDEF49340F1041A6F509EA181EB349A448F61

Uniqueness

Uniqueness Score: -1.00%

Function 003A5AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

JO7, xrefs: 003A5BA8, 003A5C6C

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID:
String ID: JO7
API String ID: 0-1292904385
Opcode ID: ce54922bd0f50b8d688a0cfaea5c6c654d04b73b91e2d941105f074cdcc4710a
Instruction ID: 516dbfb2adcb02a49d58dedd9d69beb915c14ba14396dcf6fee32fe9a0b938dc
Opcode Fuzzy Hash: ce54922bd0f50b8d688a0cfaea5c6c654d04b73b91e2d941105f074cdcc4710a
Instruction Fuzzy Hash: 1551B075D00609AFDF129FA8C845FAEBBB8EF17320F150069F505AB292D7759A01CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00373B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00373B0F,SwapMouseButtons,00000004,?), ref: 00373B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00373B0F,SwapMouseButtons,00000004,?), ref: 00373B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00373B0F,SwapMouseButtons,00000004,?), ref: 00373B83

Strings

Control Panel\Mouse, xrefs: 00373B3E

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 9e8e91cab4cc28a3e186071ed917a6edfaea934a149a393f42bc85ad0a0acc1a
Instruction ID: 649d1c9b970908e59faa072ddfbe33bf138d7a0a9ba2739ac72736ef742ef18b
Opcode Fuzzy Hash: 9e8e91cab4cc28a3e186071ed917a6edfaea934a149a393f42bc85ad0a0acc1a
Instruction Fuzzy Hash: 10112AB5510208FFDB218FA5DC84AEEB7BCEF44744B11856AA809E7110D2359E40A7A4

Uniqueness

Uniqueness Score: -1.00%

Function 00CE1300 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 00CE1B2D
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00CE1B51
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00CE1B73

Memory Dump Source

Source File: 00000001.00000002.2335962090.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ce0000_43643456.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 4a62210935fbc19ac52c28b7856ac9112c9a9e608a38d15f0a7da1a89c903d0f
Instruction ID: 9e7f7f42e14286bc030f849e27eab10bd9f49affc62222a64b1131143c66c209
Opcode Fuzzy Hash: 4a62210935fbc19ac52c28b7856ac9112c9a9e608a38d15f0a7da1a89c903d0f
Instruction Fuzzy Hash: FE622A30A14258DBEB24CFA5C844BDEB372EF58300F1091A9E50DEB390E7799E81CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00372DE3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 003B2C8C

Part of subcall function 00373AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00373A97,?,?,00372E7F,?,?,?,00000000), ref: 00373AC2

Part of subcall function 00372DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00372DC4

Strings

X, xrefs: 003B2C5A
`eC, xrefs: 003B2C85

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X$`eC
API String ID: 779396738-1587089302
Opcode ID: 2f44cf31e93664fe98e7ff66dd4d288901b29dea1ce2eb6bd96c449c3588cca7
Instruction ID: db2a1c97d808d1d7a189f0dd30ef7e967841a769db80475fae2bf17b0e7b0db0
Opcode Fuzzy Hash: 2f44cf31e93664fe98e7ff66dd4d288901b29dea1ce2eb6bd96c449c3588cca7
Instruction Fuzzy Hash: 6A216371A00258ABDB52DF94C845BEE7BFCAF49314F00C05AE509BB241DBB85A898B65

Uniqueness

Uniqueness Score: -1.00%

Function 0038FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00390668

Part of subcall function 003932A4: RaiseException.KERNEL32(?,?,?,0039068A,?,00441444,?,?,?,?,?,?,0039068A,00371129,00438738,00371129), ref: 00393304

__CxxThrowException@8.LIBVCRUNTIME ref: 00390685

Strings

Unknown exception, xrefs: 00390692

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: b3b5879070563c90753010ad4bed72f8bd81580a59e26f333ab3ee4b62795014
Instruction ID: 565b253572fbb4b4a497769f9d867e0c57eca9d12e3ff30ad7e5ed0c15e081fa
Opcode Fuzzy Hash: b3b5879070563c90753010ad4bed72f8bd81580a59e26f333ab3ee4b62795014
Instruction Fuzzy Hash: BAF0F63490030DBBCF06B7A4DC46D9EB76C9E00310B604575B924DA9D5EF71EB6AC6C0

Uniqueness

Uniqueness Score: -1.00%

Function 003E3017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 003E302F
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 003E3044

Strings

aut, xrefs: 003E3038

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: bf5987f8cc74b0a3392f7e2a7ff8cb92830fcfc33dfb419cfab3f5e7503efd6f
Instruction ID: 159d0f2ffdf41eb53683707d96a661d7e1e423c3ae3c76da6089df1953dfd18a
Opcode Fuzzy Hash: bf5987f8cc74b0a3392f7e2a7ff8cb92830fcfc33dfb419cfab3f5e7503efd6f
Instruction Fuzzy Hash: CBD05E72900328B7DA20A7A4AD4EFCB3A6CDB05750F0002A2B655E20D1DAB49984CAD4

Uniqueness

Uniqueness Score: -1.00%

Function 003F7F59 Relevance: 4.9, APIs: 3, Instructions: 430COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 003F82F5
TerminateProcess.KERNEL32(00000000), ref: 003F82FC
FreeLibrary.KERNEL32(?,?,?,?), ref: 003F84DD

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: Process$CurrentFreeLibraryTerminate
String ID:
API String ID: 146820519-0
Opcode ID: 5c6c598a9ff1de9ddbb06ef9879df86b2a4b06f74f2a0dc850f9673e68553d34
Instruction ID: 03b032ed3c666d6260d2c4c451186ddb87585ab2f56d92d4c80b20949f0ffc8e
Opcode Fuzzy Hash: 5c6c598a9ff1de9ddbb06ef9879df86b2a4b06f74f2a0dc850f9673e68553d34
Instruction Fuzzy Hash: DB128B71A083059FC725DF28C484B2ABBE5BF89314F05895DE9898B392CB34ED45CF92

Uniqueness

Uniqueness Score: -1.00%

Function 003710F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00371BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00371BF4
Part of subcall function 00371BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00371BFC
Part of subcall function 00371BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00371C07
Part of subcall function 00371BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00371C12
Part of subcall function 00371BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00371C1A
Part of subcall function 00371BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00371C22

Part of subcall function 00371B4A: RegisterWindowMessageW.USER32(00000004,?,003712C4), ref: 00371BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0037136A
OleInitialize.OLE32 ref: 00371388
CloseHandle.KERNEL32(00000000,00000000), ref: 003B24AB

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 09bf8d104ded9729f09c4fda8d36e41a92b2362f130097546d2eaefd6da45a60
Instruction ID: b92716a4807b7ac81709fe0091c905c3a7b69b935d80c6e368c0aaf015137f9c
Opcode Fuzzy Hash: 09bf8d104ded9729f09c4fda8d36e41a92b2362f130097546d2eaefd6da45a60
Instruction Fuzzy Hash: EA71ACBD911304AFD385EF79ED856953AE0BB8A344714823AD51ADB271EB3844C0CF4C

Uniqueness

Uniqueness Score: -1.00%

Function 003754C6 Relevance: 4.6, APIs: 3, Instructions: 103COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000001,?,00000000), ref: 0037556D
SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001), ref: 0037557D

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 26a2f45dcb5f81d97b784eeefe33d5a43bb074649f0d09efebdbeba3d924d2a5
Instruction ID: de1055649477050628509fc329fd56ada5842599dc355941edefa556df9c05cd
Opcode Fuzzy Hash: 26a2f45dcb5f81d97b784eeefe33d5a43bb074649f0d09efebdbeba3d924d2a5
Instruction Fuzzy Hash: 8F316271A00609FFDB29CF28C880B99B7B5FB48724F15C229E91997640D7B5FD94CB90

Uniqueness

Uniqueness Score: -1.00%

Function 003A86AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,?,003A85CC,?,00438CC8,0000000C), ref: 003A8704
GetLastError.KERNEL32(?,003A85CC,?,00438CC8,0000000C), ref: 003A870E
__dosmaperr.LIBCMT ref: 003A8739

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: ChangeCloseErrorFindLastNotification__dosmaperr
String ID:
API String ID: 490808831-0
Opcode ID: d41858f94dd6918ce23badf15f2edc75fc8a40f3b3721c0993e9325c63bdcb15
Instruction ID: 4f435b2815cda2ebadf37007a22549d3656711769b6093160b1ff3fb75029176
Opcode Fuzzy Hash: d41858f94dd6918ce23badf15f2edc75fc8a40f3b3721c0993e9325c63bdcb15
Instruction Fuzzy Hash: 92012B3660562026EA6763346849B7E6749CBD3774F3A0229FA149F1E2DEB1CC858294

Uniqueness

Uniqueness Score: -1.00%

Function 003E2FD8 Relevance: 4.5, APIs: 3, Instructions: 27filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,003E2CD4,?,?,?,00000004,00000001), ref: 003E2FF2
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,003E2CD4,?,?,?,00000004,00000001,?,?,00000004,00000001), ref: 003E3006
CloseHandle.KERNEL32(00000000,?,003E2CD4,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 003E300D

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 420ba6703a67a5fd4d68b36e4209a72924d1ef5a377743dd1dcca3b1f12d54bf
Instruction ID: 14db734605adf95b3463ca15fe940a5f10f5aa54771bcb047d4d9bf8a806e137
Opcode Fuzzy Hash: 420ba6703a67a5fd4d68b36e4209a72924d1ef5a377743dd1dcca3b1f12d54bf
Instruction Fuzzy Hash: EBE08632280224B7D2311765BD4DF8B3A1CD786B71F114320FB197A0D046B0190156AC

Uniqueness

Uniqueness Score: -1.00%

Function 00381310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 003817F6

Strings

CALL, xrefs: 003817C6

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 8ce934566272a99569867f15bbb39b3907229ab7e971086471d3f9543c682d2a
Instruction ID: 2fb1fef86c8ec80746f42e01e3eef1970131dd0a3aa863b05cba62aef3a7052b
Opcode Fuzzy Hash: 8ce934566272a99569867f15bbb39b3907229ab7e971086471d3f9543c682d2a
Instruction Fuzzy Hash: CE228B706083419FC716EF14C481B2ABBF9BF85314F2489ADF4968B7A1D771E946CB82

Uniqueness

Uniqueness Score: -1.00%

Function 003E6EF1 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 297COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 003E6F6B

Part of subcall function 00374ECB: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00441418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00374EFD

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 003E6F5A, 003E6F63

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: LibraryLoad_wcslen
String ID: >>>AUTOIT SCRIPT<<<
API String ID: 3312870042-2806939583
Opcode ID: 87ad832b315f607b1a6560c6fce6d25fa0c793df6bfffa3adcd1c56492c76211
Instruction ID: f2e2c8a818ee7a85d1622a048572697ff5d1a5633dcab7a164b4cec7b663db19
Opcode Fuzzy Hash: 87ad832b315f607b1a6560c6fce6d25fa0c793df6bfffa3adcd1c56492c76211
Instruction Fuzzy Hash: 7CB1E7311087519FCB26EF20C49196EB7E5BF95310F00C95DF49A8B2A2EB34ED49CB92

Uniqueness

Uniqueness Score: -1.00%

Function 003E2557 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 003E2587

Strings

EA06, xrefs: 003E25B9

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: __fread_nolock
String ID: EA06
API String ID: 2638373210-3962188686
Opcode ID: 70437a9448c6d0f7bd7ff3690318f50e39eaca99d43cd7fcfd05cc7e89944ef6
Instruction ID: f6f3876e34b093dedacbb98377126c8a5560a3184c1146e66961f1ec84da4bdd
Opcode Fuzzy Hash: 70437a9448c6d0f7bd7ff3690318f50e39eaca99d43cd7fcfd05cc7e89944ef6
Instruction Fuzzy Hash: D901B5729042687EDF19C7A8C856EEEBBFC9B05301F00455AE552D61C1E5B8E6088B60

Uniqueness

Uniqueness Score: -1.00%

Function 00375745 Relevance: 3.1, APIs: 2, Instructions: 56fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0037949C,?,00008000), ref: 00375773
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,?,?,0037949C,?,00008000), ref: 003B4052

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 33bd011208c79823bb4116423a8041bb2106e3ec150c5b8bf574f649c47c55b4
Instruction ID: dbcee6f390b4fab3772a8a109c463f1219aaf429c5bec8267b99edb8502f47cd
Opcode Fuzzy Hash: 33bd011208c79823bb4116423a8041bb2106e3ec150c5b8bf574f649c47c55b4
Instruction Fuzzy Hash: 75018030245225B6E3351A2ACD0EF977F98EF027B4F11C314BA9C6E1E1C7B45854CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00CE12FD Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 00CE1B2D
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00CE1B51
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00CE1B73

Memory Dump Source

Source File: 00000001.00000002.2335962090.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ce0000_43643456.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: c7490eb0849e98549b11c4fe0459da6d53c4872c769bbd933b9fbf1e0076ab14
Instruction ID: 8318fb6019707dc4059a17b47e5bf1255a08219bc04b79732af1ab0c59e76273
Opcode Fuzzy Hash: c7490eb0849e98549b11c4fe0459da6d53c4872c769bbd933b9fbf1e0076ab14
Instruction Fuzzy Hash: 9A12EF24E24658C6EB24DF64D8507DEB232EF68300F1090E9910DEB7A5E77A4F91CF5A

Uniqueness

Uniqueness Score: -1.00%

Function 00374ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00374E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00374EDD,?,00441418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00374E9C
Part of subcall function 00374E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00374EAE
Part of subcall function 00374E90: FreeLibrary.KERNEL32(00000000,?,?,00374EDD,?,00441418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00374EC0

LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00441418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00374EFD

Part of subcall function 00374E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,003B3CDE,?,00441418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00374E62
Part of subcall function 00374E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00374E74
Part of subcall function 00374E59: FreeLibrary.KERNEL32(00000000,?,?,003B3CDE,?,00441418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00374E87

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 3e1018432574f530af34912b975bb1938890e9f04057ca8883edba3ba26d56d0
Instruction ID: 2284e7fbbd9c67a532a119c09220a43fefe28c91022d8e2ecf4ea60555fd8055
Opcode Fuzzy Hash: 3e1018432574f530af34912b975bb1938890e9f04057ca8883edba3ba26d56d0
Instruction Fuzzy Hash: 8511C132600215AADF26AB60DC02FAD77A5AF44B11F20C42DF54ABA1C1EFB8AA059750

Uniqueness

Uniqueness Score: -1.00%

Function 003A8402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 003A8440

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 9a5b2e4a864762b32d81424bc42b8705240649e53ac01f239da21cdaa89e9a4c
Instruction ID: 97fe5077b6ed34560deefded560adddc5a923511bc44e730a529f727bcbf10df
Opcode Fuzzy Hash: 9a5b2e4a864762b32d81424bc42b8705240649e53ac01f239da21cdaa89e9a4c
Instruction Fuzzy Hash: 01111C7590420AAFCB06DF59E94199A7BF9EF49314F114059F804AB311D731DA11CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00379A40 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,00010000,00000000,00000000,?,?,00000000,?,0037543F,?,00010000,00000000,00000000,00000000,00000000), ref: 00379A9C

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 6e39bcf6aefee8c7f53594af4d71387a82f8cb783ef69b54bf9b57396ca6e8a4
Instruction ID: 08f02535df10f00dc5f5c2155a5ca0ddfbb39c23e5282165077fcdb316524576
Opcode Fuzzy Hash: 6e39bcf6aefee8c7f53594af4d71387a82f8cb783ef69b54bf9b57396ca6e8a4
Instruction Fuzzy Hash: 921136312057059FDB728F0AC880B66B7F9EB44764F10C62EE99B8AA51C774A945CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0039E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 8215734dfdc526fee79d10695daf7705a3d780780325cea09dc2a4111bd3163b
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 0BF0F432510E10AADF337A699C05B5B339CDFA3330F110715F8209A2D2DB74D8018AA5

Uniqueness

Uniqueness Score: -1.00%

Function 003A3820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00441444,?,0038FDF5,?,?,0037A976,00000010,00441440,003713FC,?,003713C6,?,00371129), ref: 003A3852

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: e16f20ee1b5e49e1c231968c6c18d32149f8dcbdde9740ba5c05ec6953a377df
Instruction ID: 0a0cd8b4775863e9fdd5032eec19d557e8ff101354b7e321de033cdfc525f07f
Opcode Fuzzy Hash: e16f20ee1b5e49e1c231968c6c18d32149f8dcbdde9740ba5c05ec6953a377df
Instruction Fuzzy Hash: A5E0E53150122496EB232B669C04F9A374CEF437B0F060130BC059A890DB28DD0582E1

Uniqueness

Uniqueness Score: -1.00%

Function 00374F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00441418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00374F6D

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 3eb1dd40dd2dd05f506745f3a852871da89c84b33b419f764da29670d223e87f
Instruction ID: b7f553b6b073e5171ae40eb2da3bd0f7fa1c432ae4a9ab60ec0a5c01ec19ab3e
Opcode Fuzzy Hash: 3eb1dd40dd2dd05f506745f3a852871da89c84b33b419f764da29670d223e87f
Instruction Fuzzy Hash: 76F03971105752CFDB369F64E490822FBE4EF15329321CA7EE1EE86A21C736A844DF10

Uniqueness

Uniqueness Score: -1.00%

Function 00372DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00372DC4

Part of subcall function 00376B57: _wcslen.LIBCMT ref: 00376B6A

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 0e6c5e9d11548ae4173c03b2b7efe34780034c2ed748eef57df0903129232926
Instruction ID: e850a76ecf23f59aa4a876060c73b66051da94d2e45f7a4327e9a4dfda4e80c6
Opcode Fuzzy Hash: 0e6c5e9d11548ae4173c03b2b7efe34780034c2ed748eef57df0903129232926
Instruction Fuzzy Hash: 9BE0C272A002245BCB21A3989C06FEA77EDDFC8790F0442B5FD09EB249DA74AD80C690

Uniqueness

Uniqueness Score: -1.00%

Function 003E2693 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 003E26B5

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
Instruction ID: 4e133266be4f90567f2834b0ef5ee6ffb6fe0130c3ecef7bafe5f2578acaaea6
Opcode Fuzzy Hash: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
Instruction Fuzzy Hash: 89E04FB0609B105FDF3A9A28A8517B777E89F49300F01096EF69B82252E5B268458A4D

Uniqueness

Uniqueness Score: -1.00%

Function 00372B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00373837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00373908

Part of subcall function 0037D730: GetInputState.USER32 ref: 0037D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00372B6B

Part of subcall function 003730F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0037314E

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 4691cc7137d34760584fec001d3358ffa527d304ad09776274633aac6df5ecb7
Instruction ID: 08322ebe0b3bf1daabded74dfd38e63cbbc1869db9a27ec494f414423599b77e
Opcode Fuzzy Hash: 4691cc7137d34760584fec001d3358ffa527d304ad09776274633aac6df5ecb7
Instruction Fuzzy Hash: F7E0262130024816C62ABB30985256DA7598BD2311F00853EF04E4B1A3CF3C45895212

Uniqueness

Uniqueness Score: -1.00%

Function 003B039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,003B0704,?,?,00000000,?,003B0704,00000000,0000000C), ref: 003B03B7

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 3db14531b5655632bd4de9bfbd1ccc228187a0d6a5c6f93a96f13acb8b32b91e
Instruction ID: 65bb30d15aeb228a9d506d69e1faed6429bebac3f4a4e7f702ea3743d389460b
Opcode Fuzzy Hash: 3db14531b5655632bd4de9bfbd1ccc228187a0d6a5c6f93a96f13acb8b32b91e
Instruction Fuzzy Hash: 85D06C3204010DFBDF028F84DD46EDA3BAAFB48714F014110BE1866020C732E821AB94

Uniqueness

Uniqueness Score: -1.00%

Function 00371CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00371CBC

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: d1ef19c2f059073f1d2a0b3f62c41bb29c1929f54d2a5ffd4c8f3fe3a84af1a2
Instruction ID: 4ddc74b12658c8889ec8a272dd17212f7d240d41b84af1ae17668a3dda0e30e9
Opcode Fuzzy Hash: d1ef19c2f059073f1d2a0b3f62c41bb29c1929f54d2a5ffd4c8f3fe3a84af1a2
Instruction Fuzzy Hash: 41C09B3D280314FFF2144B80BD4AF107754A349F00F444011F609655F3C3F11450E658

Uniqueness

Uniqueness Score: -1.00%

Function 003E744A Relevance: 1.5, APIs: 1, Instructions: 220COMMON

Download Yara Rule

APIs

Part of subcall function 00375745: CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0037949C,?,00008000), ref: 00375773

GetLastError.KERNEL32(00000002,00000000), ref: 003E76DE

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: CreateErrorFileLast
String ID:
API String ID: 1214770103-0
Opcode ID: fe5f8fb3a519e73d69c31604e43a9c7338aec0922aabb3360a2c4f1a8c1e9220
Instruction ID: ea42b9b4291d730026d0afb8714273b5748ed34a29385e5042ce3e0bba08bebe
Opcode Fuzzy Hash: fe5f8fb3a519e73d69c31604e43a9c7338aec0922aabb3360a2c4f1a8c1e9220
Instruction Fuzzy Hash: A7819F302087419FC726EF29C492B69B7E1AF89314F04865DF88A5B2E2DB34AD45CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0038FC70 Relevance: 1.3, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 0038FD1F

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 714533f069d6800c3646fe5eafcd6060f325c5960ead61a885fbd9761f72abc0
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: EC31D275A002099FC71AEF59D480969F7B6FB49300B2586E5E909CB655D731EEC1CBC0

Uniqueness

Uniqueness Score: -1.00%

Function 00CE2300 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 00CE2311

Memory Dump Source

Source File: 00000001.00000002.2335962090.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ce0000_43643456.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 449037b3232aa9f92a45b4175ef728bfb21d277848162b8a38cddadfd73f4868
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: D0E0E67594010DDFDB00EFB4D54969E7FB4EF04301F100561FD01D2280D6309D508A62

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00409576 Relevance: 74.1, APIs: 39, Strings: 3, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00389BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00389BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0040961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0040965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0040969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 004096C9
SendMessageW.USER32 ref: 004096F2
GetKeyState.USER32(00000011), ref: 0040978B
GetKeyState.USER32(00000009), ref: 00409798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 004097AE
GetKeyState.USER32(00000010), ref: 004097B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 004097E9
SendMessageW.USER32 ref: 00409810
SendMessageW.USER32(?,00001030,?,00407E95), ref: 00409918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0040992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00409941
SetCapture.USER32(?), ref: 0040994A
ClientToScreen.USER32(?,?), ref: 004099AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 004099BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 004099D6
ReleaseCapture.USER32 ref: 004099E1
GetCursorPos.USER32(?), ref: 00409A19
ScreenToClient.USER32(?,?), ref: 00409A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00409A80
SendMessageW.USER32 ref: 00409AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00409AEB
SendMessageW.USER32 ref: 00409B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00409B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00409B4A
GetCursorPos.USER32(?), ref: 00409B68
ScreenToClient.USER32(?,?), ref: 00409B75
GetParent.USER32(?), ref: 00409B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00409BFA
SendMessageW.USER32 ref: 00409C2B
ClientToScreen.USER32(?,?), ref: 00409C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00409CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00409CDE
SendMessageW.USER32 ref: 00409D01
ClientToScreen.USER32(?,?), ref: 00409D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00409D82

Part of subcall function 00389944: GetWindowLongW.USER32(?,000000EB), ref: 00389952

GetWindowLongW.USER32(?,000000F0), ref: 00409E05

Strings

@GUI_DRAGID, xrefs: 0040997D
p#D, xrefs: 00409990
F, xrefs: 00409D07

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F$p#D
API String ID: 3429851547-2595749892
Opcode ID: 9b3d7f24aa482e2d1b1ce519230e8ddf7b0bf31ee3371ec5fe8d4932dcd1c096
Instruction ID: 44ac9d45bb8bdcc87f9fa2302faf7c87b8e66e76b639bee5866ba26feef2f442
Opcode Fuzzy Hash: 9b3d7f24aa482e2d1b1ce519230e8ddf7b0bf31ee3371ec5fe8d4932dcd1c096
Instruction Fuzzy Hash: 50429075108201EFD725CF24CC84EAABBE5FF89310F144A2AF655A72E2D7369C51CB49

Uniqueness

Uniqueness Score: -1.00%

Function 00404873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 004048F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00404908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00404927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0040494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0040495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0040497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 004049AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 004049D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00404A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00404A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00404A7E
IsMenu.USER32(?), ref: 00404A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00404AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00404B20
GetWindowLongW.USER32(?,000000F0), ref: 00404B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00404BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00404C82
wsprintfW.USER32 ref: 00404CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00404CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00404CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00404D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00404D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00404D5A

Strings

%d/%02d/%02d, xrefs: 00404CA8

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 5f0aea4ea9d21a32095dc34cf4e681a563744db18c6ebe2901284f9105d57a43
Instruction ID: 28488a5eb859d7377de3c7a79ea612b988df2dc5a57f4b5e3f8a124b7faa206d
Opcode Fuzzy Hash: 5f0aea4ea9d21a32095dc34cf4e681a563744db18c6ebe2901284f9105d57a43
Instruction Fuzzy Hash: A612F2B1600214ABEB259F24CC49FAF7BF8EF85310F10463AF615EA2E1DB789941CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0038F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0038F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 003CF474
IsIconic.USER32(00000000), ref: 003CF47D
ShowWindow.USER32(00000000,00000009), ref: 003CF48A
SetForegroundWindow.USER32(00000000), ref: 003CF494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 003CF4AA
GetCurrentThreadId.KERNEL32 ref: 003CF4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 003CF4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 003CF4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 003CF4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 003CF4DE
SetForegroundWindow.USER32(00000000), ref: 003CF4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 003CF4F6
keybd_event.USER32(00000012,00000000), ref: 003CF501
MapVirtualKeyW.USER32(00000012,00000000), ref: 003CF50B
keybd_event.USER32(00000012,00000000), ref: 003CF510
MapVirtualKeyW.USER32(00000012,00000000), ref: 003CF519
keybd_event.USER32(00000012,00000000), ref: 003CF51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 003CF528
keybd_event.USER32(00000012,00000000), ref: 003CF52D
SetForegroundWindow.USER32(00000000), ref: 003CF530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 003CF557

Strings

Shell_TrayWnd, xrefs: 003CF46F

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: ec04d5e6ac6acbb24c51e8f4a5bf41d65d8b954d08ee97ee7486db22ca819b73
Instruction ID: c700ebe6cab5fe56924519f1af800b5caa9bd0eda743d859acbe45a042295e16
Opcode Fuzzy Hash: ec04d5e6ac6acbb24c51e8f4a5bf41d65d8b954d08ee97ee7486db22ca819b73
Instruction Fuzzy Hash: 32316071A40218BEEB216BB64D8AFBF7E6DEB44B50F110139FA00F61D1C6B15D00AB64

Uniqueness

Uniqueness Score: -1.00%

Function 003D1201 Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 003D16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 003D170D
Part of subcall function 003D16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 003D173A
Part of subcall function 003D16C3: GetLastError.KERNEL32 ref: 003D174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 003D1286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 003D12A8
CloseHandle.KERNEL32(?), ref: 003D12B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 003D12D1
GetProcessWindowStation.USER32 ref: 003D12EA
SetProcessWindowStation.USER32(00000000), ref: 003D12F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 003D1310

Part of subcall function 003D10BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,003D11FC), ref: 003D10D4
Part of subcall function 003D10BF: CloseHandle.KERNEL32(?,?,003D11FC), ref: 003D10E9

Strings

winsta0, xrefs: 003D12CC
ZC, xrefs: 003D1392
, xrefs: 003D125A
default, xrefs: 003D130B

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0$ZC
API String ID: 22674027-471795638
Opcode ID: d61769525f13f7f706757b0adad68e175e7efbc7e545e301e98addb30b04443c
Instruction ID: 0bf0e2769ced364d4e80a68742a8bf1864676f51ef9388b6c8c7ca0ca82b0569
Opcode Fuzzy Hash: d61769525f13f7f706757b0adad68e175e7efbc7e545e301e98addb30b04443c
Instruction Fuzzy Hash: 9381BF72900209BFDF229FA5ED89FEE7BB9EF04700F14412AF910B62A0C7758944DB24

Uniqueness

Uniqueness Score: -1.00%

Function 003D0B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 003D10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 003D1114
Part of subcall function 003D10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,003D0B9B,?,?,?), ref: 003D1120
Part of subcall function 003D10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,003D0B9B,?,?,?), ref: 003D112F
Part of subcall function 003D10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,003D0B9B,?,?,?), ref: 003D1136
Part of subcall function 003D10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 003D114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 003D0BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 003D0C00
GetLengthSid.ADVAPI32(?), ref: 003D0C17
GetAce.ADVAPI32(?,00000000,?), ref: 003D0C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 003D0C6D
GetLengthSid.ADVAPI32(?), ref: 003D0C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 003D0C8C
HeapAlloc.KERNEL32(00000000), ref: 003D0C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 003D0CB4
CopySid.ADVAPI32(00000000), ref: 003D0CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 003D0CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 003D0D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 003D0D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 003D0D45
HeapFree.KERNEL32(00000000), ref: 003D0D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 003D0D55
HeapFree.KERNEL32(00000000), ref: 003D0D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 003D0D65
HeapFree.KERNEL32(00000000), ref: 003D0D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 003D0D78
HeapFree.KERNEL32(00000000), ref: 003D0D7F

Part of subcall function 003D1193: GetProcessHeap.KERNEL32(00000008,003D0BB1,?,00000000,?,003D0BB1,?), ref: 003D11A1
Part of subcall function 003D1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,003D0BB1,?), ref: 003D11A8
Part of subcall function 003D1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,003D0BB1,?), ref: 003D11B7

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 318d26caca2f0e7c0359f1a9086a10b060c598dddd1e9a9a7d7e49a0b0622012
Instruction ID: 717872b1318438b832df531d50b3b5136aaf3fd2319544bd4890a45cd27a636e
Opcode Fuzzy Hash: 318d26caca2f0e7c0359f1a9086a10b060c598dddd1e9a9a7d7e49a0b0622012
Instruction Fuzzy Hash: CE716B7290020AEBDF159FE4ED84FAEBBB9AF05700F054626E914BB291D771A905CB60

Uniqueness

Uniqueness Score: -1.00%

Function 003EEAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0040CC08), ref: 003EEB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 003EEB37
GetClipboardData.USER32(0000000D), ref: 003EEB43
CloseClipboard.USER32 ref: 003EEB4F
GlobalLock.KERNEL32(00000000), ref: 003EEB87
CloseClipboard.USER32 ref: 003EEB91
GlobalUnlock.KERNEL32(00000000,00000000), ref: 003EEBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 003EEBC9
GetClipboardData.USER32(00000001), ref: 003EEBD1
GlobalLock.KERNEL32(00000000), ref: 003EEBE2
GlobalUnlock.KERNEL32(00000000,?), ref: 003EEC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 003EEC38
GetClipboardData.USER32(0000000F), ref: 003EEC44
GlobalLock.KERNEL32(00000000), ref: 003EEC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 003EEC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 003EEC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 003EECD2
GlobalUnlock.KERNEL32(00000000,?,?), ref: 003EECF3
CountClipboardFormats.USER32 ref: 003EED14
CloseClipboard.USER32 ref: 003EED59

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: e656220fea6c618f57c305b555ab0d76444811338a2549e6d104b18b30e01880
Instruction ID: 50c4a9c1d0597f7a1c465bf7f5784183ef3dde33f5392e647921e922aead935f
Opcode Fuzzy Hash: e656220fea6c618f57c305b555ab0d76444811338a2549e6d104b18b30e01880
Instruction Fuzzy Hash: 8561E235204242EFD322EF21DD85F2A77A8AF84704F15466DF4569B2E2DB31DD05CB62

Uniqueness

Uniqueness Score: -1.00%

Function 003E698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 003E69BE
FindClose.KERNEL32(00000000), ref: 003E6A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 003E6A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 003E6A75

Part of subcall function 00379CB3: _wcslen.LIBCMT ref: 00379CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 003E6AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 003E6ADF

Strings

%4d%02d%02d%02d%02d%02d%03d, xrefs: 003E6B32
%02d, xrefs: 003E6C00, 003E6C0A, 003E6C5A, 003E6CAA, 003E6CFA, 003E6D4A
%4d, xrefs: 003E6BB1
%03d, xrefs: 003E6DA2
%4d%02d%02d%02d%02d%02d, xrefs: 003E6B6A

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: f0ad201d503a4c36a66703291d1ad0daa7e0c2b9249b19d1ce8d78f34965c84c
Instruction ID: d470a2afd394316d127b33d99b01e8edf4baecf7c825aaf64c5b7b3bbacfedea
Opcode Fuzzy Hash: f0ad201d503a4c36a66703291d1ad0daa7e0c2b9249b19d1ce8d78f34965c84c
Instruction Fuzzy Hash: 58D17271508340AFC711EB64C992EAFB7ECAF98704F04491DF589DB191EB78DA44CB62

Uniqueness

Uniqueness Score: -1.00%

Function 003E9642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 003E9663
GetFileAttributesW.KERNEL32(?), ref: 003E96A1
SetFileAttributesW.KERNEL32(?,?), ref: 003E96BB
FindNextFileW.KERNEL32(00000000,?), ref: 003E96D3
FindClose.KERNEL32(00000000), ref: 003E96DE
FindFirstFileW.KERNEL32(*.*,?), ref: 003E96FA
SetCurrentDirectoryW.KERNEL32(?), ref: 003E974A
SetCurrentDirectoryW.KERNEL32(00436B7C), ref: 003E9768
FindNextFileW.KERNEL32(00000000,00000010), ref: 003E9772
FindClose.KERNEL32(00000000), ref: 003E977F
FindClose.KERNEL32(00000000), ref: 003E978F

Strings

*.*, xrefs: 003E96F5

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 506846687229107bc476c755e59458cd44e864cfa5c28cc463b094b8d91a705d
Instruction ID: eb3dd5829e483bb33a1a44580f662e34baad6e8731d6270459c7cec4aa22402b
Opcode Fuzzy Hash: 506846687229107bc476c755e59458cd44e864cfa5c28cc463b094b8d91a705d
Instruction Fuzzy Hash: 1731C332500269AADF11AFB5DD49BDE77AC9F09360F2142A7F945E20D1DB34DD448B18

Uniqueness

Uniqueness Score: -1.00%

Function 003E979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 003E97BE
FindNextFileW.KERNEL32(00000000,?), ref: 003E9819
FindClose.KERNEL32(00000000), ref: 003E9824
FindFirstFileW.KERNEL32(*.*,?), ref: 003E9840
SetCurrentDirectoryW.KERNEL32(?), ref: 003E9890
SetCurrentDirectoryW.KERNEL32(00436B7C), ref: 003E98AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 003E98B8
FindClose.KERNEL32(00000000), ref: 003E98C5
FindClose.KERNEL32(00000000), ref: 003E98D5

Part of subcall function 003DDAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 003DDB00

Strings

*.*, xrefs: 003E983B

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 374110f7f45eef8eecb5b789bff5de15a6c8c5db707b82cc2c3f1efe3c894842
Instruction ID: 3343171731043e998cb47e6cc2153c2295f5a38beefc3634016c23ff0f8e7080
Opcode Fuzzy Hash: 374110f7f45eef8eecb5b789bff5de15a6c8c5db707b82cc2c3f1efe3c894842
Instruction Fuzzy Hash: F631D632500269AADF12EFB5DC48BDE77AC9F0A320F214267E850B21E1DB30DD85CB24

Uniqueness

Uniqueness Score: -1.00%

Function 003E8195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 003E8257
SystemTimeToFileTime.KERNEL32(?,?), ref: 003E8267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 003E8273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 003E8310
SetCurrentDirectoryW.KERNEL32(?), ref: 003E8324
SetCurrentDirectoryW.KERNEL32(?), ref: 003E8356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 003E838C
SetCurrentDirectoryW.KERNEL32(?), ref: 003E8395

Strings

*.*, xrefs: 003E839B

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: f7140c45701a9b503b3793d26f02ac7c7c5c5306b903b71fb4693ea6c397381a
Instruction ID: 65cb39f9779a989b2a6d050925e4386fc02d6da4fbf3c4d89674df05a93a4a93
Opcode Fuzzy Hash: f7140c45701a9b503b3793d26f02ac7c7c5c5306b903b71fb4693ea6c397381a
Instruction Fuzzy Hash: DE619E765043559FCB11EF60C881A9EB3E8FF89314F048A1EF98997291DB35E905CB92

Uniqueness

Uniqueness Score: -1.00%

Function 003DD076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00373AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00373A97,?,?,00372E7F,?,?,?,00000000), ref: 00373AC2

Part of subcall function 003DE199: GetFileAttributesW.KERNEL32(?,003DCF95), ref: 003DE19A

FindFirstFileW.KERNEL32(?,?), ref: 003DD122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 003DD1DD
MoveFileW.KERNEL32(?,?), ref: 003DD1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 003DD20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 003DD237

Part of subcall function 003DD29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,003DD21C,?,?), ref: 003DD2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 003DD253
FindClose.KERNEL32(00000000), ref: 003DD264

Strings

\*.*, xrefs: 003DD0CD, 003DD0D6, 003DD0EB

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 7cf7bd244f4c506dfadefe989465701779e6b425a9fe947b59804ee97dac2aa8
Instruction ID: 80dc1220dd4e942b5978890c3df5bd8dde27cfb28e06af3fab437f6a4ec96c84
Opcode Fuzzy Hash: 7cf7bd244f4c506dfadefe989465701779e6b425a9fe947b59804ee97dac2aa8
Instruction Fuzzy Hash: F5615032C0110DAACF16EBE0DE92DEDB775AF55300F2085A6E4067B291EB345F09DB61

Uniqueness

Uniqueness Score: -1.00%

Function 003EED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 003EED91
EmptyClipboard.USER32 ref: 003EED97
GlobalAlloc.KERNEL32(00000002,?), ref: 003EEDAC
CloseClipboard.USER32 ref: 003EEEA3

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: fe01721d57bd369abc41146dc7f752aa3decab1d91de86b29dd1814383bb6b42
Instruction ID: 3882cbb2fd0d44fc0f0f07c639b975f557c3a8b5a9e06ce7ba0fc84ae9fc324a
Opcode Fuzzy Hash: fe01721d57bd369abc41146dc7f752aa3decab1d91de86b29dd1814383bb6b42
Instruction Fuzzy Hash: 1541C035604661DFE322CF16D888B1ABBE5EF44318F15C6ADE4199F6A2C735EC41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 003DE8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 003D16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 003D170D
Part of subcall function 003D16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 003D173A
Part of subcall function 003D16C3: GetLastError.KERNEL32 ref: 003D174A

ExitWindowsEx.USER32(?,00000000), ref: 003DE932

Strings

SeShutdownPrivilege, xrefs: 003DE902
@, xrefs: 003DE925
, xrefs: 003DE920
, xrefs: 003DE95C

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 46dad2fdd9d4de3a6d2cb9c359ddaed5d4527e8f2b743cd64042a12979c5c022
Instruction ID: de8aad5d7ba86dae9339c7c0f6924966f9a4b381d89e13fb289df7975c2ca213
Opcode Fuzzy Hash: 46dad2fdd9d4de3a6d2cb9c359ddaed5d4527e8f2b743cd64042a12979c5c022
Instruction Fuzzy Hash: 09012673A11211BBEB5637B4BC96BBF765C9B04744F160927FC12FA2D1D7B85C408194

Uniqueness

Uniqueness Score: -1.00%

Function 003F1204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006), ref: 003F1276
WSAGetLastError.WSOCK32 ref: 003F1283
bind.WSOCK32(00000000,?,00000010), ref: 003F12BA
WSAGetLastError.WSOCK32 ref: 003F12C5
closesocket.WSOCK32(00000000), ref: 003F12F4
listen.WSOCK32(00000000,00000005), ref: 003F1303
WSAGetLastError.WSOCK32 ref: 003F130D
closesocket.WSOCK32(00000000), ref: 003F133C

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 5c1ff798952d038f75c53a021babce94af7c9393bec891a22635721667cb2e64
Instruction ID: 3f0600cf82dea9f3a87c9af6d6568ec7de28c6e1712c7a97de54b4622ea590c0
Opcode Fuzzy Hash: 5c1ff798952d038f75c53a021babce94af7c9393bec891a22635721667cb2e64
Instruction Fuzzy Hash: EC41BF31600104EFD721EF64D5C8B2ABBE5AF86318F19C598E9569F292C731EC81CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 003AB952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 003AB9D4
_free.LIBCMT ref: 003AB9F8
_free.LIBCMT ref: 003ABB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00413700), ref: 003ABB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0044121C,000000FF,00000000,0000003F,00000000,?,?), ref: 003ABC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00441270,000000FF,?,0000003F,00000000,?), ref: 003ABC36
_free.LIBCMT ref: 003ABD4B

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 9eacebc594097909013e905c4f6cd098dd5a7f9e7b7448253ec5e501e9153d0e
Instruction ID: 23b6fdeab81c03555acca08f5e1419098ed64b9be299a587d303d667841843b9
Opcode Fuzzy Hash: 9eacebc594097909013e905c4f6cd098dd5a7f9e7b7448253ec5e501e9153d0e
Instruction Fuzzy Hash: 81C12675904244AFDB269F789C41BAAFBBCEF43310F1541AAE495EB293E7308E41C750

Uniqueness

Uniqueness Score: -1.00%

Function 003DD3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00373AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00373A97,?,?,00372E7F,?,?,?,00000000), ref: 00373AC2

Part of subcall function 003DE199: GetFileAttributesW.KERNEL32(?,003DCF95), ref: 003DE19A

FindFirstFileW.KERNEL32(?,?), ref: 003DD420
DeleteFileW.KERNEL32(?,?,?,?), ref: 003DD470
FindNextFileW.KERNEL32(00000000,00000010), ref: 003DD481
FindClose.KERNEL32(00000000), ref: 003DD498
FindClose.KERNEL32(00000000), ref: 003DD4A1

Strings

\*.*, xrefs: 003DD3F2

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 41a2ae180219a188701a494c80dd35ba275b8c4fb1b2d0863396846750e1a6f0
Instruction ID: 62e6edd3c13a8a0b921b55bb417b6a518860e4bbbdc3f9fe7d9ac8d68d45cf53
Opcode Fuzzy Hash: 41a2ae180219a188701a494c80dd35ba275b8c4fb1b2d0863396846750e1a6f0
Instruction Fuzzy Hash: CF31A272008345ABC316EF60D8929AF77E8BE91304F408A6EF4D557291EF34AA09D763

Uniqueness

Uniqueness Score: -1.00%

Function 003AE4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 003AE645

Strings

1#IND, xrefs: 003AF83D
1#SNAN, xrefs: 003AF844
1#INF, xrefs: 003AF852
1#QNAN, xrefs: 003AF84B

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 8f067ad792a34d50523167ea1536fe230922c9bf487accbe5c6f7a6d54931264
Instruction ID: e5a8e9c227ec1517544bccec4f4db1d7b5417fc535d95bd5750b58098795d1f7
Opcode Fuzzy Hash: 8f067ad792a34d50523167ea1536fe230922c9bf487accbe5c6f7a6d54931264
Instruction Fuzzy Hash: A6C24C71E046288FDB26CF68DD407EAB7B9EB4A305F1541EAD44DE7240E779AE818F40

Uniqueness

Uniqueness Score: -1.00%

Function 003E648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 003E64DC
CoInitialize.OLE32(00000000), ref: 003E6639
CoCreateInstance.OLE32(0040FCF8,00000000,00000001,0040FB68,?), ref: 003E6650
CoUninitialize.OLE32 ref: 003E68D4

Strings

.lnk, xrefs: 003E64BA, 003E6524, 003E65E0

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 0e80409ab3712c018ce3599a2ef2ee1b5bc2b446f994e127a7c8511763a6029c
Instruction ID: fcf9ad03f9a7ace0988f5f9c600fb60729c24d42c94d40f166d788acdb2c62cf
Opcode Fuzzy Hash: 0e80409ab3712c018ce3599a2ef2ee1b5bc2b446f994e127a7c8511763a6029c
Instruction Fuzzy Hash: CDD15C71608351AFC315EF24C882E6BB7E8FF95704F10896DF5598B2A1DB30E905CB92

Uniqueness

Uniqueness Score: -1.00%

Function 003F22DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 003F22E8

Part of subcall function 003EE4EC: GetWindowRect.USER32(?,?), ref: 003EE504

GetDesktopWindow.USER32 ref: 003F2312
GetWindowRect.USER32(00000000), ref: 003F2319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 003F2355
GetCursorPos.USER32(?), ref: 003F2381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 003F23DF

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: e35e79227e512bda01eac03b40692259672f4c3cf3e58d06f1d7e77dc6180343
Instruction ID: 642bfa708d9499fa4804655931e0cc7752f7e16ca174924c585f49220cc62952
Opcode Fuzzy Hash: e35e79227e512bda01eac03b40692259672f4c3cf3e58d06f1d7e77dc6180343
Instruction Fuzzy Hash: 0B31D0B6505319EFC721DF14D845F6BBBA9FF84314F000A1AF985AB191DB34E908CB92

Uniqueness

Uniqueness Score: -1.00%

Function 003E9B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00379CB3: _wcslen.LIBCMT ref: 00379CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 003E9B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 003E9C8B

Part of subcall function 003E3874: GetInputState.USER32 ref: 003E38CB
Part of subcall function 003E3874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 003E3966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 003E9BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 003E9C75

Strings

*.*, xrefs: 003E9B5D

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: a153a46acfcc845fa2dc91abeb22f595be31a847825c9ea28530ade0b81a940c
Instruction ID: c1b5e7adf3a9d4ffb7c1290d7f59c137e27db3d25bedc810be682271bce80de8
Opcode Fuzzy Hash: a153a46acfcc845fa2dc91abeb22f595be31a847825c9ea28530ade0b81a940c
Instruction Fuzzy Hash: B941727190025AAFDF26EF65C985BEE7BB8EF05300F204256E405A61D1D7349E84CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0038997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00389BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00389BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00389A4E
GetSysColor.USER32(0000000F), ref: 00389B23
SetBkColor.GDI32(?,00000000), ref: 00389B36

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: cb05a44678ced58d547fd17f426283610f7c40b3f08bc7f51c78b6d79a6a455b
Instruction ID: 28e369df88c84788203a21de502c84669bc96714962cc377814bc6e9696f1c47
Opcode Fuzzy Hash: cb05a44678ced58d547fd17f426283610f7c40b3f08bc7f51c78b6d79a6a455b
Instruction Fuzzy Hash: CCA11B70208604BEE72BBB2D8C89F7B269DDB42344B1A015FF902D6DD1CA399D41C779

Uniqueness

Uniqueness Score: -1.00%

Function 003F1806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 003F304E: inet_addr.WSOCK32(?), ref: 003F307A
Part of subcall function 003F304E: _wcslen.LIBCMT ref: 003F309B

socket.WSOCK32(00000002,00000002,00000011), ref: 003F185D
WSAGetLastError.WSOCK32 ref: 003F1884
bind.WSOCK32(00000000,?,00000010), ref: 003F18DB
WSAGetLastError.WSOCK32 ref: 003F18E6
closesocket.WSOCK32(00000000), ref: 003F1915

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 42f6b55fd394a3684f83a4c03cbb7c9033d5c3f7654194c8d0f7e3e8b38752f5
Instruction ID: 86b933cafa9320f0523ab2a11c72ed0f88028a40028902ca6f504f81528f64bb
Opcode Fuzzy Hash: 42f6b55fd394a3684f83a4c03cbb7c9033d5c3f7654194c8d0f7e3e8b38752f5
Instruction Fuzzy Hash: 9F51B171A00200AFDB21AF24D986F3A77E5AB45718F14C49CFA0A6F3D3D775AD418BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00401C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00401CC0
IsWindowEnabled.USER32 ref: 00401CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00401CDB
IsIconic.USER32 ref: 00401CE9
IsZoomed.USER32 ref: 00401CF7

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: ca825999732195aa78e4886c1fa5a46b7abfdc69bb6bcd4c06636c02075e6c72
Instruction ID: fe0fd7096eacd5474414a1c8d7be27b0e1f680ec9c7b2466d8dfc70ead0b8c01
Opcode Fuzzy Hash: ca825999732195aa78e4886c1fa5a46b7abfdc69bb6bcd4c06636c02075e6c72
Instruction Fuzzy Hash: BC21B6317442119FE7208F16C884B1B7B95AF95314F19807EE846AB3A1C779EC42CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00378060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

ERCP, xrefs: 0037813C
VUUU, xrefs: 003783FA
VUUU, xrefs: 003B5DF0
VUUU, xrefs: 003783E8
VUUU, xrefs: 0037843C

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: cb5d809b8a67761e24ee0d6c8f51aa1ab424fb97e4dfc0b6313157ef9b96451e
Instruction ID: e5552a9958eb12118a91d8b1b806afbad25e9eee8e4b8bfe12cd8e1c454aa687
Opcode Fuzzy Hash: cb5d809b8a67761e24ee0d6c8f51aa1ab424fb97e4dfc0b6313157ef9b96451e
Instruction Fuzzy Hash: 65A29E70E0061ACBDF36CF58C8457EDB7B1BF44318F2585AAD919ABA81DB389D81CB50

Uniqueness

Uniqueness Score: -1.00%

Function 003D8298 Relevance: 6.6, APIs: 1, Strings: 3, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 003D82AA

Strings

(, xrefs: 003D82F0
tbC, xrefs: 003D84F4
|, xrefs: 003D82DA

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: lstrlen
String ID: ($tbC$|
API String ID: 1659193697-3136911626
Opcode ID: 5240764ebb8ae020590b924e3bb02a395bb5397866238244758bdbdc6a627014
Instruction ID: df2c8b5671dd54109219e60e57c4ba7b6113295d9f5c5aeb629145368554a783
Opcode Fuzzy Hash: 5240764ebb8ae020590b924e3bb02a395bb5397866238244758bdbdc6a627014
Instruction Fuzzy Hash: DC324579A007059FCB29CF19D481A6AB7F0FF48720B15C46EE59ADB7A1EB70E941CB40

Uniqueness

Uniqueness Score: -1.00%

Function 003FA67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 003FA6AC
Process32FirstW.KERNEL32(00000000,?), ref: 003FA6BA

Part of subcall function 00379CB3: _wcslen.LIBCMT ref: 00379CBD

Process32NextW.KERNEL32(00000000,?), ref: 003FA79C
CloseHandle.KERNEL32(00000000), ref: 003FA7AB

Part of subcall function 0038CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,003B3303,?), ref: 0038CE8A

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 2fbe79fb2c8881de211c0ccbb5f355d8431f9bdc45bde3a3321f4331cef0182e
Instruction ID: e230ab4ba1e4a22a823beb25e24542fbb664b10faac913834afa9a37425a6b23
Opcode Fuzzy Hash: 2fbe79fb2c8881de211c0ccbb5f355d8431f9bdc45bde3a3321f4331cef0182e
Instruction Fuzzy Hash: 0C5151B15047009FD711EF24C886E6BBBE8FF89754F00892DF5899B252EB34D904CB92

Uniqueness

Uniqueness Score: -1.00%

Function 003DAA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 003DAAAC
SetKeyboardState.USER32(00000080), ref: 003DAAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 003DAB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 003DAB88

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: e8e29d488c2edb28c4a1eb07bdc7965b762eca0bc8c289e7516f5ec9759937f8
Instruction ID: 28a8e1df0f470f8f019f44cbfe4bc6fac233066337990caa4f5d52611704e6ca
Opcode Fuzzy Hash: e8e29d488c2edb28c4a1eb07bdc7965b762eca0bc8c289e7516f5ec9759937f8
Instruction Fuzzy Hash: CF313D32A40A08AEFF36CB64ED05BFA7BAAAB45310F04431BF181563D0D3758986D756

Uniqueness

Uniqueness Score: -1.00%

Function 003ECE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 003ECE89
GetLastError.KERNEL32(?,00000000), ref: 003ECEEA
SetEvent.KERNEL32(?,?,00000000), ref: 003ECEFE

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: cc1e55660a0d70c4f377456b4e8a8c88881059101e329874f9e917027ac2a20d
Instruction ID: 530e2c5c539a506fde9fabf2b29bc0d8171ae77b327d9383faffbebf53c6d6be
Opcode Fuzzy Hash: cc1e55660a0d70c4f377456b4e8a8c88881059101e329874f9e917027ac2a20d
Instruction Fuzzy Hash: CD21ED71510315EFDB22DFA6C989BAA77FCEB40305F10462EE542A2191E730EE068B64

Uniqueness

Uniqueness Score: -1.00%

Function 003E5C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 003E5CC1
FindNextFileW.KERNEL32(00000000,?), ref: 003E5D17
FindClose.KERNEL32(?), ref: 003E5D5F

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: d165b59bb316c92fa9a4dd73f37969762e7bbeb6d34e8511d007118caac9c8aa
Instruction ID: e2f5c0d9ce8204612d1ad19fb930009ba05e6db3735d872145f6003cd9647581
Opcode Fuzzy Hash: d165b59bb316c92fa9a4dd73f37969762e7bbeb6d34e8511d007118caac9c8aa
Instruction Fuzzy Hash: 0B51BC34604A41DFC715DF29C894A9AB7E4FF0A318F14865EE95A8B3A2CB30EC44CB91

Uniqueness

Uniqueness Score: -1.00%

Function 003A2622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 003A271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 003A2724
UnhandledExceptionFilter.KERNEL32(?), ref: 003A2731

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: db1445e693f5a1588b6ef6cf820aa93450735720e68ce18e3a5d53851010d2e7
Instruction ID: a8b7119b3e4d9ab69f1cbb0bbeafcd81da782a5e69cf1cd749077ca3665915b2
Opcode Fuzzy Hash: db1445e693f5a1588b6ef6cf820aa93450735720e68ce18e3a5d53851010d2e7
Instruction Fuzzy Hash: 1131B574911218ABCB22DF68DD897DDB7B8EF18310F5042EAE81CA7261E7749F818F45

Uniqueness

Uniqueness Score: -1.00%

Function 003E51CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 003E51DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 003E5238
SetErrorMode.KERNEL32(00000000), ref: 003E52A1

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: c58f0959abdcbaea84851be8d7b277d7c656d600ccb3b7aaaa177c3b21f628de
Instruction ID: dd0465e902c9b33fcfc1b617d12a4a3be9a25170db08317857293eaf3e2877a1
Opcode Fuzzy Hash: c58f0959abdcbaea84851be8d7b277d7c656d600ccb3b7aaaa177c3b21f628de
Instruction Fuzzy Hash: EE315A75A00518DFDB01DF54D884EADBBB4FF09318F048199E909AF3A2CB35E845CB90

Uniqueness

Uniqueness Score: -1.00%

Function 003D16C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0038FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00390668
Part of subcall function 0038FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00390685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 003D170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 003D173A
GetLastError.KERNEL32 ref: 003D174A

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 902ee9916808ea360c610870072a45f3a88df1111238910176d4194507872a3a
Instruction ID: ac7bf3b5004ff352ef88d974e6e098edbff9f4b1787e839b3d89f44cc5076e92
Opcode Fuzzy Hash: 902ee9916808ea360c610870072a45f3a88df1111238910176d4194507872a3a
Instruction Fuzzy Hash: 6B11BCB2410304FFE718AF64ECC6D6AB7BDEB04714B20852EE45666251EB70BC418B64

Uniqueness

Uniqueness Score: -1.00%

Function 003DD5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 003DD608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 003DD645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 003DD650

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 09a89594dc8d82f52183abaed1cc8b0723ac8f1b74ececc3472415d3139e5fbf
Instruction ID: 99e9d8cf0b87917ea1f6f1316794f63c0338953a1bfe9b9c50cb51cd3c415f7e
Opcode Fuzzy Hash: 09a89594dc8d82f52183abaed1cc8b0723ac8f1b74ececc3472415d3139e5fbf
Instruction Fuzzy Hash: 55117071E01228BBDB108F94AC44FAFBBBCEB45B50F108166F904E7290D2704A018BA1

Uniqueness

Uniqueness Score: -1.00%

Function 003D1663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 003D168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 003D16A1
FreeSid.ADVAPI32(?), ref: 003D16B1

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 1f8539a05d9229b9c51949eec6d2a43041df4d154aa8657d9eec4b1a6033c8d2
Instruction ID: b930279d00f76221f51695b813dbe2d413fae36e52471e89c823b8f0f9ba6aa1
Opcode Fuzzy Hash: 1f8539a05d9229b9c51949eec6d2a43041df4d154aa8657d9eec4b1a6033c8d2
Instruction Fuzzy Hash: 73F0F471950309FBEB00DFE49D89AAEBBBCEB08604F504565E901E2181E774AA448A54

Uniqueness

Uniqueness Score: -1.00%

Function 00394CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(003A28E9,?,00394CBE,003A28E9,004388B8,0000000C,00394E15,003A28E9,00000002,00000000,?,003A28E9), ref: 00394D09
TerminateProcess.KERNEL32(00000000,?,00394CBE,003A28E9,004388B8,0000000C,00394E15,003A28E9,00000002,00000000,?,003A28E9), ref: 00394D10
ExitProcess.KERNEL32 ref: 00394D22

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 727525433ca6c593f902dabe375353a145c555455255c28ba1769df85558bf7f
Instruction ID: 5cf7ab36d29e5cd17ff62f778cb295aea76951aceff56ee21ad39ad36adbcf1d
Opcode Fuzzy Hash: 727525433ca6c593f902dabe375353a145c555455255c28ba1769df85558bf7f
Instruction Fuzzy Hash: 6EE0B635010148EBCF16AF64DE49E593B69FB46781B118124FC059A133CB35DD42CA84

Uniqueness

Uniqueness Score: -1.00%

Function 003AC2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 003AC36C

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: f139f3d2faef13fe1bcb46a8a37d15535f1c3a49a0dae46142cc0d0d56c0eaef
Instruction ID: 882ec5ea95b99d30892f5bf1cf1b0eb95f27a5efafea40d7f6e73115a525a6b0
Opcode Fuzzy Hash: f139f3d2faef13fe1bcb46a8a37d15535f1c3a49a0dae46142cc0d0d56c0eaef
Instruction Fuzzy Hash: 12416A76900218AFCF21DFB9CC88EBB77B8EB86314F1046A9F915DB180E6709D80CB50

Uniqueness

Uniqueness Score: -1.00%

Function 003CD27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 003CD28C

Strings

X64, xrefs: 003CD2A8

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 6fc2836e945a1d412e64074a8b56b188a304fb2b78f511100353824a697fce9d
Instruction ID: c86503fa29fd8f1eaf037ed5b6856bf68428cd4b5c5b836e3988014252dc55e0
Opcode Fuzzy Hash: 6fc2836e945a1d412e64074a8b56b188a304fb2b78f511100353824a697fce9d
Instruction Fuzzy Hash: B5D0C9B480111DEACB95DB90DCC8DD9B37CBB04305F1006A5F106E2440D73095498F10

Uniqueness

Uniqueness Score: -1.00%

Function 0039CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 5814c38f54efa9f4def704ec1ef9251f459bbe89469c10d0992269545950e8de
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 86021C71E102199BDF15CFA9C8806ADFBF1EF88314F25816AD919EB384D731AE418B94

Uniqueness

Uniqueness Score: -1.00%

Function 0037CAF0 Relevance: 3.2, Strings: 2, Instructions: 659COMMON

Download Yara Rule

Strings

p#D, xrefs: 0037CF7F
Variable is not of type 'Object'., xrefs: 003C0C40

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.$p#D
API String ID: 0-543306404
Opcode ID: 6e693280b27de4acc384b5cf5b514761309668dac1cf06276dafd5d8328e0646
Instruction ID: 90a6eafe8ee42d5402daa047d3d102d38883a190711b39a5679e2934a89c2e71
Opcode Fuzzy Hash: 6e693280b27de4acc384b5cf5b514761309668dac1cf06276dafd5d8328e0646
Instruction Fuzzy Hash: 5F329D74910218DBDF2ADF90C984BEDB7B9BF05304F14906DE80AAF292D779AE45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 003E68EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 003E6918
FindClose.KERNEL32(00000000), ref: 003E6961

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: d621abc8a39125672b0634fa4876bba41f1e59189dfe34760c0fa9c7dd778caf
Instruction ID: 8c328daed29f4b9ca0da5fccd8279cab3d97fd7b5f94cf3e31ffde7d91e162b3
Opcode Fuzzy Hash: d621abc8a39125672b0634fa4876bba41f1e59189dfe34760c0fa9c7dd778caf
Instruction Fuzzy Hash: 8B11BE316042509FC710DF2AC4C5A1ABBE4EF85328F15C6ADF4698F6A2C734EC05CB90

Uniqueness

Uniqueness Score: -1.00%

Function 003E37B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,003F4891,?,?,00000035,?), ref: 003E37E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,003F4891,?,?,00000035,?), ref: 003E37F4

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: d9c19ee20c890de0f46408b1ea385854ebc70eadf7bb3a4554f43b3242555d40
Instruction ID: 7c42a82c864eca8d5b184e608ac5626a5ce2b23dcd9edee9215ac1266d2eee34
Opcode Fuzzy Hash: d9c19ee20c890de0f46408b1ea385854ebc70eadf7bb3a4554f43b3242555d40
Instruction Fuzzy Hash: 8FF0E5B06052296AEB2117678C8DFEB3AAEEFC4761F000379F509E36C1D9709904C6B0

Uniqueness

Uniqueness Score: -1.00%

Function 003DB226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 003DB25D
keybd_event.USER32(?,7694C0D0,?,00000000), ref: 003DB270

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 4127c0c73e7567a9794cd935aa4023c9458f74b7ee2c3ecf2380c6ae6f1dbd72
Instruction ID: d6ec40f6c4e4e12e79d252a11aeb3f146efef793cb3ba48ee9e34363074fe8f8
Opcode Fuzzy Hash: 4127c0c73e7567a9794cd935aa4023c9458f74b7ee2c3ecf2380c6ae6f1dbd72
Instruction Fuzzy Hash: 96F01D7580424EEBDB059FA0D805BAEBBB4FF04305F00841AF955A6191C37986119F94

Uniqueness

Uniqueness Score: -1.00%

Function 003D10BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,003D11FC), ref: 003D10D4
CloseHandle.KERNEL32(?,?,003D11FC), ref: 003D10E9

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 53ff0b0c2ce3ecb0fdb5308d92683344aae377f3563f553f2a5cecb67eae68dc
Instruction ID: aec7aeb7dfbc2d76a1387b52224170bdc79552c654864d24cca6afaf0577df0c
Opcode Fuzzy Hash: 53ff0b0c2ce3ecb0fdb5308d92683344aae377f3563f553f2a5cecb67eae68dc
Instruction Fuzzy Hash: A5E04F32014700EFE7263B61FC05E7377A9EB04310B10892EF5A5844B1DB726CA0DB54

Uniqueness

Uniqueness Score: -1.00%

Function 003A676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,003A6766,?,?,00000008,?,?,003AFEFE,00000000), ref: 003A6998

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: d177585a9ba027a2817f4ff10f22b2ad0e1ac78c431f38b62f332b76337a3fe4
Instruction ID: 9347619974d8b255f29b107de54e37a4aa39f7ecc206f06e998e03bfc20f7bc9
Opcode Fuzzy Hash: d177585a9ba027a2817f4ff10f22b2ad0e1ac78c431f38b62f332b76337a3fe4
Instruction Fuzzy Hash: B4B14D71610608DFD716CF28C48AB657BE4FF46364F2A865CE899CF2A2C735D991CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0038B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 003C851F

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: ba6a6b2715c583a6794f77813e32fd4398c59edd78212b0062d6d47f2e51cc97
Instruction ID: b17ab067d47be915b947190d437ab16fb4efa72cdbaead4d80016f6fe38f6d6a
Opcode Fuzzy Hash: ba6a6b2715c583a6794f77813e32fd4398c59edd78212b0062d6d47f2e51cc97
Instruction Fuzzy Hash: C9127F759002299BCB25DF59C881BEEB7B5FF48310F1581AAE849EB251DB709E81CF90

Uniqueness

Uniqueness Score: -1.00%

Function 003EEAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 003EEABD

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: c0ecb7c9cd328470562131f07203dcd8ff8c564d285d968642e5abcf77098423
Instruction ID: 570a2b34a770f4d4f40c057d7ebc404c9fa061b7eee188d6f3f05ce2eeeff5c3
Opcode Fuzzy Hash: c0ecb7c9cd328470562131f07203dcd8ff8c564d285d968642e5abcf77098423
Instruction Fuzzy Hash: 39E01A312102149FC721EF6AD844E9AF7E9AF99760F00842AFC49DB291DB74A8408B90

Uniqueness

Uniqueness Score: -1.00%

Function 003909D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,003903EE), ref: 003909DA

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 6d3746c7a4f2d4c51391624d7f7bf2b45618da74fc6d10359eb55c418aa31858
Instruction ID: b5dd6706bb4079ff3c6caec7e2549e6181ef73d668f00d482fab260dcc54f4c9
Opcode Fuzzy Hash: 6d3746c7a4f2d4c51391624d7f7bf2b45618da74fc6d10359eb55c418aa31858
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 0039781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0039798B

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 68e6931895f59b8c65e78455a1c4e3d31123e43214a2d6e7435ef5cad61a6b9d
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: FD51647263C6095BDF3B962C885FBFE2389DB42344F190509E882DB6C2CB15EE02D356

Uniqueness

Uniqueness Score: -1.00%

Function 003E2046 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

0&D, xrefs: 003E2053

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID:
String ID: 0&D
API String ID: 0-1766144559
Opcode ID: 9eb90a74bbbde5a7a86f0c05788cf743c44086aabc8baa44e89e88795e6ef555
Instruction ID: 82f712fbb637d8a2c2cf3b206451ea714eb8a2fb46818a48407c546c517d8a2d
Opcode Fuzzy Hash: 9eb90a74bbbde5a7a86f0c05788cf743c44086aabc8baa44e89e88795e6ef555
Instruction Fuzzy Hash: DA21D5322206158BDB28CF79C92267E73E9A754310F558A2EE4A7C77D0DE79AD04CB84

Uniqueness

Uniqueness Score: -1.00%

Function 003A6DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90ac7d6e7f30e37c3446d114325da222d0b0c494b043a693aa74a7a0c5d3f55a
Instruction ID: f03093341c4f252e7136cabe237b07c8ae0dadf4bd03b3310b3d948966d7a886
Opcode Fuzzy Hash: 90ac7d6e7f30e37c3446d114325da222d0b0c494b043a693aa74a7a0c5d3f55a
Instruction Fuzzy Hash: 0F324322D29F014DD7239635DD62336A68DEFB73C5F15C737E81AB5AA9EB29C4834100

Uniqueness

Uniqueness Score: -1.00%

Function 0038CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a34ba2489718056df8d6bd0c65bb35a2c9c1fdf50657c583b15a53834c1a6d60
Instruction ID: 7cfd96761d1e099dc1616e1690ecb8cc5ba219d4317f8f4429e343c1a2616380
Opcode Fuzzy Hash: a34ba2489718056df8d6bd0c65bb35a2c9c1fdf50657c583b15a53834c1a6d60
Instruction Fuzzy Hash: 21320732A202058BDF26DF28C494F7D77B1EB45300F2AA5AED84EDB691D630DD82DB51

Uniqueness

Uniqueness Score: -1.00%

Function 00377920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbf41c78468501e489a98c8eb53b9d237a8d614f6562974fb26d2f36fe67d2e5
Instruction ID: d56357f0f694835b0dafba554834b52c53b6308c1d52ffdaa477129be629e046
Opcode Fuzzy Hash: bbf41c78468501e489a98c8eb53b9d237a8d614f6562974fb26d2f36fe67d2e5
Instruction Fuzzy Hash: 6222A070A04609DFDF26DF64C881BEEB3F5FF44304F148529E81AAB691E739A915CB50

Uniqueness

Uniqueness Score: -1.00%

Function 003791C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce849bc93bfaadb7ef65da0fec04d231dc715598673879ae77c9950de2384977
Instruction ID: 90964afb922239fec9df2249a5dc86f811e96bdb2fa3a1bc803d28adc8e45d9d
Opcode Fuzzy Hash: ce849bc93bfaadb7ef65da0fec04d231dc715598673879ae77c9950de2384977
Instruction Fuzzy Hash: 0402D7B1E00209EFDF16DF58D881AEDB7B5FF44304F118169E91A9B691EB35AE10CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00397A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfe1f1a392bd09d49f0249a906ca26a82b5dbce21dda395fa51e1f7e075e5b69
Instruction ID: d16b990d7c38507fd9718726163c0a6524eaf7ff2920a5661c9432da06463014
Opcode Fuzzy Hash: bfe1f1a392bd09d49f0249a906ca26a82b5dbce21dda395fa51e1f7e075e5b69
Instruction Fuzzy Hash: 6161773123C34A66EE3B9A2C8C96BBF2399DF82700F15091AE843DF7D1DA119E428755

Uniqueness

Uniqueness Score: -1.00%

Function 00397CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fdc32d60989c1df5090284abde49426e71157c751b28c3af8de4bb6ab1b6248
Instruction ID: aa322a4184d77bc8acc19daa9789b4bf528fe3c44efaf2ccae44b5f4d50ea9ac
Opcode Fuzzy Hash: 5fdc32d60989c1df5090284abde49426e71157c751b28c3af8de4bb6ab1b6248
Instruction Fuzzy Hash: 3C618971B38709A7DE3B5A2C8892BBF2398EF43744F110959E943DF6C1DA12ED428355

Uniqueness

Uniqueness Score: -1.00%

Function 00CE3640 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2335962090.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ce0000_43643456.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: f61c18e9d534e0c08fb4a0e5448d53716517826f6ef98d6d12ff2d5f7af341ce
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: A541B3B1D1051CEBCF48CFADC991AEEBBF2AF88201F548299D516AB345D730AB41DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00CE34D0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2335962090.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ce0000_43643456.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction ID: 8a4f29fba8efde4dd66b200fdbaf872dc356f41751a0fac0a0d871f05e3126a6
Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction Fuzzy Hash: 46018078A01149EFCB44DF99C5949AEF7B5FB48310B208599E819A7741D730AF41DB80

Uniqueness

Uniqueness Score: -1.00%

Function 00CE3530 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2335962090.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ce0000_43643456.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction ID: 7a9cdee82211bdc420c4b02c80d2e9a20bda99dc03799f4949fffad941835830
Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction Fuzzy Hash: 5E019278A01249EFCB44DF99C5949AEF7B5FB48310F208599E819A7701D730AF41DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00CE1ED0 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2335962090.0000000000CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_ce0000_43643456.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48

Uniqueness

Uniqueness Score: -1.00%

Function 003F2ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 003F2B30
DeleteObject.GDI32(00000000), ref: 003F2B43
DestroyWindow.USER32 ref: 003F2B52
GetDesktopWindow.USER32 ref: 003F2B6D
GetWindowRect.USER32(00000000), ref: 003F2B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 003F2CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 003F2CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 003F2CF8
GetClientRect.USER32(00000000,?), ref: 003F2D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 003F2D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 003F2D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 003F2D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 003F2D80
GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 003F2D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 003F2D98
GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 003F2DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 003F2DA8
GlobalFree.KERNEL32(00000000), ref: 003F2DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 003F2DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,0040FC38,00000000), ref: 003F2DDB
GlobalFree.KERNEL32(00000000), ref: 003F2DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 003F2E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 003F2E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 003F2E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 003F303F

Strings

static, xrefs: 003F2D3A, 003F2E91
DISPLAY, xrefs: 003F2EA2
AutoIt v3, xrefs: 003F2CF2
, xrefs: 003F2FC5

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: a1a8b57565c3eb32e9ff8029a53ec46ce666e52b09dfdd3ad19b24ef3dc63d21
Instruction ID: c28fbdbd143c8152281c413c49d916f051866bed941532a8d83d22337e790c9c
Opcode Fuzzy Hash: a1a8b57565c3eb32e9ff8029a53ec46ce666e52b09dfdd3ad19b24ef3dc63d21
Instruction Fuzzy Hash: ED028E71500209EFDB15DFA4CD89EAE7BB9EF49710F108668F915AB2A1CB34AD01CF64

Uniqueness

Uniqueness Score: -1.00%

Function 004070D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0040712F
GetSysColorBrush.USER32(0000000F), ref: 00407160
GetSysColor.USER32(0000000F), ref: 0040716C
SetBkColor.GDI32(?,000000FF), ref: 00407186
SelectObject.GDI32(?,?), ref: 00407195
InflateRect.USER32(?,000000FF,000000FF), ref: 004071C0
GetSysColor.USER32(00000010), ref: 004071C8
CreateSolidBrush.GDI32(00000000), ref: 004071CF
FrameRect.USER32(?,?,00000000), ref: 004071DE
DeleteObject.GDI32(00000000), ref: 004071E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00407230
FillRect.USER32(?,?,?), ref: 00407262
GetWindowLongW.USER32(?,000000F0), ref: 00407284

Part of subcall function 004073E8: GetSysColor.USER32(00000012), ref: 00407421
Part of subcall function 004073E8: SetTextColor.GDI32(?,?), ref: 00407425
Part of subcall function 004073E8: GetSysColorBrush.USER32(0000000F), ref: 0040743B
Part of subcall function 004073E8: GetSysColor.USER32(0000000F), ref: 00407446
Part of subcall function 004073E8: GetSysColor.USER32(00000011), ref: 00407463
Part of subcall function 004073E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00407471
Part of subcall function 004073E8: SelectObject.GDI32(?,00000000), ref: 00407482
Part of subcall function 004073E8: SetBkColor.GDI32(?,00000000), ref: 0040748B
Part of subcall function 004073E8: SelectObject.GDI32(?,?), ref: 00407498
Part of subcall function 004073E8: InflateRect.USER32(?,000000FF,000000FF), ref: 004074B7
Part of subcall function 004073E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004074CE
Part of subcall function 004073E8: GetWindowLongW.USER32(00000000,000000F0), ref: 004074DB

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 4927eefda52f617f22d3bb8120fe3af580eb48bfc9c7a43a2407793934484234
Instruction ID: 5a0219a2844545f5472c85f21dba40617929a50c7b06e402a84b36353cf11fc4
Opcode Fuzzy Hash: 4927eefda52f617f22d3bb8120fe3af580eb48bfc9c7a43a2407793934484234
Instruction Fuzzy Hash: 75A1AF72408311FFD7009F60DD88E5B7BA9FB89320F100B29F962A61E1D735E944CB96

Uniqueness

Uniqueness Score: -1.00%

Function 003F2711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 003F273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 003F286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 003F28A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 003F28B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 003F2900
GetClientRect.USER32(00000000,?), ref: 003F290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 003F2955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 003F2964
GetStockObject.GDI32(00000011), ref: 003F2974
SelectObject.GDI32(00000000,00000000), ref: 003F2978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 003F2988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 003F2991
DeleteDC.GDI32(00000000), ref: 003F299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 003F29C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 003F29DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 003F2A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 003F2A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 003F2A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 003F2A77
GetStockObject.GDI32(00000011), ref: 003F2A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 003F2A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 003F2A97

Strings

DISPLAY, xrefs: 003F295A
static, xrefs: 003F294F, 003F2A71
AutoIt v3, xrefs: 003F28F8
msctls_progress32, xrefs: 003F2A13

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 2f4f5e8735dbe891382164c8dfaeec376a86ec3b569a9dac567f7b4098141ed1
Instruction ID: 2527da5dc622be26aaee47944e6df697338d539296fb9ba84997b1be980edc5e
Opcode Fuzzy Hash: 2f4f5e8735dbe891382164c8dfaeec376a86ec3b569a9dac567f7b4098141ed1
Instruction Fuzzy Hash: B0B15D75A40219EFEB14DF68CD85FAE7BA9EB09710F108215FA14EB2A0D774AD40CB94

Uniqueness

Uniqueness Score: -1.00%

Function 003E4ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 003E4AED
GetDriveTypeW.KERNEL32(?,0040CB68,?,\\.\,0040CC08), ref: 003E4BCA
SetErrorMode.KERNEL32(00000000,0040CB68,?,\\.\,0040CC08), ref: 003E4D36

Strings

Fixed, xrefs: 003E4C09
ATA, xrefs: 003E4C98
Network, xrefs: 003E4C02
SSD, xrefs: 003E4C4A
ATAPI, xrefs: 003E4C91
MMC, xrefs: 003E4CDE
iSCSI, xrefs: 003E4CC2
Fibre, xrefs: 003E4CAD
Virtual, xrefs: 003E4CE5
RAMDisk, xrefs: 003E4BF4
SATA, xrefs: 003E4CD0
Removable, xrefs: 003E4C10, 003E4C15
1394, xrefs: 003E4C9F
FileBackedVirtual, xrefs: 003E4CEC
\\.\, xrefs: 003E4B3F
SAS, xrefs: 003E4CC9
Unknown, xrefs: 003E4BED, 003E4C83
USB, xrefs: 003E4CB4
RAID, xrefs: 003E4CBB
SCSI, xrefs: 003E4C8A
PhysicalDrive, xrefs: 003E4B76
SSA, xrefs: 003E4CA6
CDROM, xrefs: 003E4BFB

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 30740e8899a3e89d0ccd46c26ef35a025b42a3519adcd9445774ab61f9af6c20
Instruction ID: fec868422ce7e6c6238522cfad895d29307914473605ce9e9a90f52e90443e75
Opcode Fuzzy Hash: 30740e8899a3e89d0ccd46c26ef35a025b42a3519adcd9445774ab61f9af6c20
Instruction Fuzzy Hash: D961E530601256BBCB16DF25C981A6977B4AB0C300F31D216F80AABAD5DB39ED41DB45

Uniqueness

Uniqueness Score: -1.00%

Function 004073E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00407421
SetTextColor.GDI32(?,?), ref: 00407425
GetSysColorBrush.USER32(0000000F), ref: 0040743B
GetSysColor.USER32(0000000F), ref: 00407446
CreateSolidBrush.GDI32(?), ref: 0040744B
GetSysColor.USER32(00000011), ref: 00407463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00407471
SelectObject.GDI32(?,00000000), ref: 00407482
SetBkColor.GDI32(?,00000000), ref: 0040748B
SelectObject.GDI32(?,?), ref: 00407498
InflateRect.USER32(?,000000FF,000000FF), ref: 004074B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004074CE
GetWindowLongW.USER32(00000000,000000F0), ref: 004074DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0040752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00407554
InflateRect.USER32(?,000000FD,000000FD), ref: 00407572
DrawFocusRect.USER32(?,?), ref: 0040757D
GetSysColor.USER32(00000011), ref: 0040758E
SetTextColor.GDI32(?,00000000), ref: 00407596
DrawTextW.USER32(?,004070F5,000000FF,?,00000000), ref: 004075A8
SelectObject.GDI32(?,?), ref: 004075BF
DeleteObject.GDI32(?), ref: 004075CA
SelectObject.GDI32(?,?), ref: 004075D0
DeleteObject.GDI32(?), ref: 004075D5
SetTextColor.GDI32(?,?), ref: 004075DB
SetBkColor.GDI32(?,?), ref: 004075E5

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 003dc35c9e49ba726b45f2ab78e77df27e3cb8b5cb099c99cb58ea0258bcbadb
Instruction ID: 249748302a50eb2bb577df7cbca854678750fe431ff7c9ccc24694f2bc19189e
Opcode Fuzzy Hash: 003dc35c9e49ba726b45f2ab78e77df27e3cb8b5cb099c99cb58ea0258bcbadb
Instruction Fuzzy Hash: 21615C76D00218FFDB019FA4DD89AEE7BB9EB09320F104225F911BB2E1D675A940CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00400FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00401128
GetDesktopWindow.USER32 ref: 0040113D
GetWindowRect.USER32(00000000), ref: 00401144
GetWindowLongW.USER32(?,000000F0), ref: 00401199
DestroyWindow.USER32(?), ref: 004011B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 004011ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0040120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0040121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00401232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00401245
IsWindowVisible.USER32(00000000), ref: 004012A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 004012BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 004012D0
GetWindowRect.USER32(00000000,?), ref: 004012E8
MonitorFromPoint.USER32(?,?,00000002), ref: 0040130E
GetMonitorInfoW.USER32(00000000,?), ref: 00401328
CopyRect.USER32(?,?), ref: 0040133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 004013AA

Strings

(, xrefs: 0040131B
0, xrefs: 004010D3
tooltips_class32, xrefs: 004011E6

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: b6c487387bccca443c131a9de384e8a58ae91b041110afee308e8a233bc89e87
Instruction ID: 4db00ff6455ac356d6b5aab77919bf3bb66ee534b4f427abb463aa0c2aa3352e
Opcode Fuzzy Hash: b6c487387bccca443c131a9de384e8a58ae91b041110afee308e8a233bc89e87
Instruction Fuzzy Hash: AEB1AA71604341AFD714DF64C984B6BBBE4FF89314F008A2DF999AB2A1C735E844CB96

Uniqueness

Uniqueness Score: -1.00%

Function 00400241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 004002E5
_wcslen.LIBCMT ref: 0040031F
_wcslen.LIBCMT ref: 00400389
_wcslen.LIBCMT ref: 004003F1
_wcslen.LIBCMT ref: 00400475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 004004C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00400504

Part of subcall function 0038F9F2: _wcslen.LIBCMT ref: 0038F9FD

Part of subcall function 003D223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 003D2258
Part of subcall function 003D223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 003D228A

Strings

FINDITEM, xrefs: 00400627
GETTEXT, xrefs: 004003EC, 00400407
GETSELECTED, xrefs: 004005E1
VIEWCHANGE, xrefs: 00400675
GETITEMCOUNT, xrefs: 00400316, 00400337
DESELECT, xrefs: 0040059C
SELECTALL, xrefs: 00400515
SELECT, xrefs: 00400548
SELECTCLEAR, xrefs: 0040052D
ISSELECTED, xrefs: 004004DD
GETSELECTEDCOUNT, xrefs: 00400470, 0040048B
SELECTINVERT, xrefs: 0040057E
GETSUBITEMCOUNT, xrefs: 00400384, 0040039F

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: 64bc5e3c80de02bc817e46a8469e13afa315ad14acf68aa9867b4cc5ada1f4f9
Instruction ID: 33bd191fd54677b03a085a339da0bdab799d8e344cf9a5b3c2c2d49094c633b0
Opcode Fuzzy Hash: 64bc5e3c80de02bc817e46a8469e13afa315ad14acf68aa9867b4cc5ada1f4f9
Instruction Fuzzy Hash: 53E1B2312083019FC725DF24C551A2BB3E6BF98714F14896EF896AB391DB38ED46CB46

Uniqueness

Uniqueness Score: -1.00%

Function 00388891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00388968
GetSystemMetrics.USER32(00000007), ref: 00388970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0038899B
GetSystemMetrics.USER32(00000008), ref: 003889A3
GetSystemMetrics.USER32(00000004), ref: 003889C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 003889E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 003889F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00388A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00388A3C
GetClientRect.USER32(00000000,000000FF), ref: 00388A5A
GetStockObject.GDI32(00000011), ref: 00388A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00388A81

Part of subcall function 0038912D: GetCursorPos.USER32(?), ref: 00389141
Part of subcall function 0038912D: ScreenToClient.USER32(00000000,?), ref: 0038915E
Part of subcall function 0038912D: GetAsyncKeyState.USER32(00000001), ref: 00389183
Part of subcall function 0038912D: GetAsyncKeyState.USER32(00000002), ref: 0038919D

SetTimer.USER32(00000000,00000000,00000028,003890FC), ref: 00388AA8

Strings

AutoIt v3 GUI, xrefs: 00388A20

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 6a9bb2ff96bf405ffef1c45c311330b7d94e268773f01ae5051317da5953cf65
Instruction ID: 8f078e55cc8b598429b978812ee1656cecf737e34692058e77b6e50a6a525053
Opcode Fuzzy Hash: 6a9bb2ff96bf405ffef1c45c311330b7d94e268773f01ae5051317da5953cf65
Instruction Fuzzy Hash: BCB18E75A00209EFDB15EF68CD85FAE3BB5FB48314F114229FA15EB290DB34A840CB54

Uniqueness

Uniqueness Score: -1.00%

Function 003D0D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 003D10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 003D1114
Part of subcall function 003D10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,003D0B9B,?,?,?), ref: 003D1120
Part of subcall function 003D10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,003D0B9B,?,?,?), ref: 003D112F
Part of subcall function 003D10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,003D0B9B,?,?,?), ref: 003D1136
Part of subcall function 003D10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 003D114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 003D0DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 003D0E29
GetLengthSid.ADVAPI32(?), ref: 003D0E40
GetAce.ADVAPI32(?,00000000,?), ref: 003D0E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 003D0E96
GetLengthSid.ADVAPI32(?), ref: 003D0EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 003D0EB5
HeapAlloc.KERNEL32(00000000), ref: 003D0EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 003D0EDD
CopySid.ADVAPI32(00000000), ref: 003D0EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 003D0F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 003D0F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 003D0F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 003D0F6E
HeapFree.KERNEL32(00000000), ref: 003D0F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 003D0F7E
HeapFree.KERNEL32(00000000), ref: 003D0F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 003D0F8E
HeapFree.KERNEL32(00000000), ref: 003D0F95
GetProcessHeap.KERNEL32(00000000,?), ref: 003D0FA1
HeapFree.KERNEL32(00000000), ref: 003D0FA8

Part of subcall function 003D1193: GetProcessHeap.KERNEL32(00000008,003D0BB1,?,00000000,?,003D0BB1,?), ref: 003D11A1
Part of subcall function 003D1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,003D0BB1,?), ref: 003D11A8
Part of subcall function 003D1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,003D0BB1,?), ref: 003D11B7

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 6128424d90f2d888570fa8031e1c8495e9b619a0fca7e54a1dc252f958f85a7a
Instruction ID: 27cc8081b18245b3f010d0ccec3e9db3af7c6eddfa990ce6906713072d12f969
Opcode Fuzzy Hash: 6128424d90f2d888570fa8031e1c8495e9b619a0fca7e54a1dc252f958f85a7a
Instruction Fuzzy Hash: FE715E7290020AEBDF259FA4ED48FEEBBBCBF04700F154226F959B6291D7719905CB60

Uniqueness

Uniqueness Score: -1.00%

Function 003FC3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 003FC4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,0040CC08,00000000,?,00000000,?,?), ref: 003FC544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 003FC5A4
_wcslen.LIBCMT ref: 003FC5F4
_wcslen.LIBCMT ref: 003FC66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 003FC6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 003FC7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 003FC84D
RegCloseKey.ADVAPI32(?), ref: 003FC881
RegCloseKey.ADVAPI32(00000000), ref: 003FC88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 003FC960

Strings

REG_EXPAND_SZ, xrefs: 003FC5CD
REG_SZ, xrefs: 003FC644
REG_BINARY, xrefs: 003FC913
REG_QWORD, xrefs: 003FC8C3
REG_MULTI_SZ, xrefs: 003FC6F5
REG_DWORD, xrefs: 003FC804

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 15ea6f7faac5972c7ddfc5dac3281d1fa378002e381b2cddb2dfa1173b7487a2
Instruction ID: a386218a6d989b129820f5524cecf3a8cade6d23b400971cecb0eb74e8510b38
Opcode Fuzzy Hash: 15ea6f7faac5972c7ddfc5dac3281d1fa378002e381b2cddb2dfa1173b7487a2
Instruction Fuzzy Hash: AF127A352142049FD726DF14C981E2AB7E5FF89724F15885CF98A9B3A2DB35EC41CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0040091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 004009C6
_wcslen.LIBCMT ref: 00400A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00400A54
_wcslen.LIBCMT ref: 00400A8A
_wcslen.LIBCMT ref: 00400B06
_wcslen.LIBCMT ref: 00400B81

Part of subcall function 0038F9F2: _wcslen.LIBCMT ref: 0038F9FD

Part of subcall function 003D2BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 003D2BFA

Strings

EXPAND, xrefs: 00400BF8
GETSELECTED, xrefs: 00400C4E
GETTEXT, xrefs: 00400C97
GETITEMCOUNT, xrefs: 00400C1E
ISCHECKED, xrefs: 00400CE1
EXISTS, xrefs: 00400B7C, 00400B97
GETTOTALCOUNT, xrefs: 004009F2, 00400A17
SELECT, xrefs: 00400D11
UNCHECK, xrefs: 00400D3E
COLLAPSE, xrefs: 00400B01, 00400B1C
CHECK, xrefs: 00400A85, 00400AA0

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 762171f79155186b750d8c10cef0e3970e240428850d368fdc04d110d60244f1
Instruction ID: 26537bcb6a87feec2c5c32059ef5b8e605aaa25c83262fe7aa7fc98056d3575d
Opcode Fuzzy Hash: 762171f79155186b750d8c10cef0e3970e240428850d368fdc04d110d60244f1
Instruction Fuzzy Hash: 90E1B1312083019FC725EF24C450A2AB7E1FF99314F14896EF8996B3A2D738ED45CB96

Uniqueness

Uniqueness Score: -1.00%

Function 003FC998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,003FB6AE,?,?), ref: 003FC9B5
_wcslen.LIBCMT ref: 003FC9F1
_wcslen.LIBCMT ref: 003FCA68
_wcslen.LIBCMT ref: 003FCA9E
_wcslen.LIBCMT ref: 003FCAF9
_wcslen.LIBCMT ref: 003FCB2F
_wcslen.LIBCMT ref: 003FCB7F

Strings

HKU, xrefs: 003FCBF0
HKEY_LOCAL_MACHINE, xrefs: 003FCA62, 003FCA67
HKEY_CURRENT_CONFIG, xrefs: 003FCB79, 003FCB7E
HKEY_CLASSES_ROOT, xrefs: 003FCAF3, 003FCAF8
HKEY_CURRENT_USER, xrefs: 003FCBBD
HKLM, xrefs: 003FCA98, 003FCA9D
HKCC, xrefs: 003FCBAC
HKEY_USERS, xrefs: 003FCBDF
HKCU, xrefs: 003FCBCE
HKCR, xrefs: 003FCB29, 003FCB2E

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 49234329fa84b1bf98e2c64eabccc315411827bc5004f0335df78ba62f81b765
Instruction ID: b1d7a42f8f1d146565351cdc43824ebcebec11711788300f3a3eb8e270fcd70c
Opcode Fuzzy Hash: 49234329fa84b1bf98e2c64eabccc315411827bc5004f0335df78ba62f81b765
Instruction Fuzzy Hash: 317134326A012E8BCF22DE3CCA415BE3395AF64750F226525FE569B284E735DD45C3A0

Uniqueness

Uniqueness Score: -1.00%

Function 0040833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0040835A
_wcslen.LIBCMT ref: 0040836E
_wcslen.LIBCMT ref: 00408391
_wcslen.LIBCMT ref: 004083B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 004083F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00405BF2), ref: 0040844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00408487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 004084CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00408501
FreeLibrary.KERNEL32(?), ref: 0040850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0040851D
DestroyIcon.USER32(?,?,?,?,?,00405BF2), ref: 0040852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00408549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00408555

Strings

.dll, xrefs: 004083AB
.icl, xrefs: 00408368
.exe, xrefs: 00408388

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 93c2b91e48ecb886318e3fcf96d075782c54751107596ecede9c3f658444b50c
Instruction ID: 1206b88f5ca36cd8920b39e6650c1140bfddf5b708e04e6bb1fb476dc745c3ee
Opcode Fuzzy Hash: 93c2b91e48ecb886318e3fcf96d075782c54751107596ecede9c3f658444b50c
Instruction Fuzzy Hash: DC61F371500215FAEB14DF64CD81FBF77A8BB04B21F10462AF855EA1D1EB78A941CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00377778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#requireadmin, xrefs: 003777FF
Bad directive syntax error, xrefs: 003B519A
#pragma compile, xrefs: 003777D3
Unterminated group of comments, xrefs: 003B528C
Cannot parse #include, xrefs: 003B5279
", xrefs: 003B5153
#OnAutoItStartRegister, xrefs: 00377817
#cs, xrefs: 00377873, 003778C5
#comments-end, xrefs: 003778D9
#ce, xrefs: 003778ED
#comments-start, xrefs: 0037785F, 003778B1
#notrayicon, xrefs: 003777E7
', xrefs: 003B5169
#include, xrefs: 00377847
#include-once, xrefs: 0037782F

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: d7bd12bd5170722a4f0e7ec2e9950d56487da31b154aef729260d9735ec1c69e
Instruction ID: 9ef74b186200f0d027563ca87feb0cd7ee6ab270b8cf3bfc2070424e1465630d
Opcode Fuzzy Hash: d7bd12bd5170722a4f0e7ec2e9950d56487da31b154aef729260d9735ec1c69e
Instruction Fuzzy Hash: AA810571A04205BBDF37AF64CC82FBE37A8AF55300F118025F909AE596EB79D911C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 003D5A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 003D5A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 003D5A40
SetWindowTextW.USER32(?,?), ref: 003D5A57
GetDlgItem.USER32(?,000003EA), ref: 003D5A6C
SetWindowTextW.USER32(00000000,?), ref: 003D5A72
GetDlgItem.USER32(?,000003E9), ref: 003D5A82
SetWindowTextW.USER32(00000000,?), ref: 003D5A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 003D5AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 003D5AC3
GetWindowRect.USER32(?,?), ref: 003D5ACC
_wcslen.LIBCMT ref: 003D5B33
SetWindowTextW.USER32(?,?), ref: 003D5B6F
GetDesktopWindow.USER32 ref: 003D5B75
GetWindowRect.USER32(00000000), ref: 003D5B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 003D5BD3
GetClientRect.USER32(?,?), ref: 003D5BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 003D5C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 003D5C2F

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 5cc857dcc7b3c26afd8690927009eff3511218ba33c7210e5ff3a807390dbe4e
Instruction ID: 79e086e9bf647b13c0af72b0acf918dc473c07f744524da717ae3c73f49d7eae
Opcode Fuzzy Hash: 5cc857dcc7b3c26afd8690927009eff3511218ba33c7210e5ff3a807390dbe4e
Instruction Fuzzy Hash: 03719132900B05DFDB21DFA8DE85A6EBBF5FF48704F104A2AE142A76A0D775E940CB54

Uniqueness

Uniqueness Score: -1.00%

Function 003D30F7 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 003D318D
_wcslen.LIBCMT ref: 003D31F8

Strings

REGEXPCLASS, xrefs: 003D3255, 003D3266
TEXT, xrefs: 003D347C
CLASSNN, xrefs: 003D31F3, 003D3204
NAME, xrefs: 003D3335, 003D3346
INSTANCE, xrefs: 003D3453
[C, xrefs: 003D339A
CLASS, xrefs: 003D3188, 003D31A5

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[C
API String ID: 176396367-267077460
Opcode ID: 671263a3c58f278ccc7900a98be3932e78f80276d02c01052ecd8784645c243c
Instruction ID: 60092ddadbdc9d20dc3d3cfac0e4498d777ebf089f57c444b5b2cc04b5d9d2f0
Opcode Fuzzy Hash: 671263a3c58f278ccc7900a98be3932e78f80276d02c01052ecd8784645c243c
Instruction Fuzzy Hash: 30E1F433A00516ABCF169F68E451BEEFBB5BF44710F15812BE456B7340DB30AE858791

Uniqueness

Uniqueness Score: -1.00%

Function 003900C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 003900C6

Part of subcall function 003900ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0044070C,00000FA0,B8C70140,?,?,?,?,003B23B3,000000FF), ref: 0039011C
Part of subcall function 003900ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,003B23B3,000000FF), ref: 00390127
Part of subcall function 003900ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,003B23B3,000000FF), ref: 00390138
Part of subcall function 003900ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0039014E
Part of subcall function 003900ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0039015C
Part of subcall function 003900ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0039016A
Part of subcall function 003900ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00390195
Part of subcall function 003900ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 003901A0

___scrt_fastfail.LIBCMT ref: 003900E7

Part of subcall function 003900A3: __onexit.LIBCMT ref: 003900A9

Strings

WakeAllConditionVariable, xrefs: 00390162
SleepConditionVariableCS, xrefs: 00390154
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00390122
InitializeConditionVariable, xrefs: 00390148
kernel32.dll, xrefs: 00390133

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 1d2d1fbafac12e4f4844b76805da8eabb03595ecf409a40152c01319e69a6f7c
Instruction ID: 75ef4c53ad440f99d60f67f094d24ba1ba45a87fac5cbe13958810509228f606
Opcode Fuzzy Hash: 1d2d1fbafac12e4f4844b76805da8eabb03595ecf409a40152c01319e69a6f7c
Instruction Fuzzy Hash: EA213B36644710EFEB266BA4AC49B6A7394DF05B51F11023AF901FB6D1DB789C008A99

Uniqueness

Uniqueness Score: -1.00%

Function 003E44C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,0040CC08), ref: 003E4527
_wcslen.LIBCMT ref: 003E453B
_wcslen.LIBCMT ref: 003E4599
_wcslen.LIBCMT ref: 003E45F4
_wcslen.LIBCMT ref: 003E463F
_wcslen.LIBCMT ref: 003E46A7

Part of subcall function 0038F9F2: _wcslen.LIBCMT ref: 0038F9FD

GetDriveTypeW.KERNEL32(?,00436BF0,00000061), ref: 003E4743

Strings

removable, xrefs: 003E45EA, 003E45EF
ramdisk, xrefs: 003E46F1
cdrom, xrefs: 003E458F, 003E4594
fixed, xrefs: 003E4635, 003E463A
unknown, xrefs: 003E4708
all, xrefs: 003E4531, 003E4536
network, xrefs: 003E469D, 003E46A2

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: dbe712b4b0181933c5ec87d4afb11089a0083491a7f7105a672ccb737fdb8575
Instruction ID: d8b31c14072057ecec8caba71726fd7aa4746f93a6b1f02fe52acd815c9a82d6
Opcode Fuzzy Hash: dbe712b4b0181933c5ec87d4afb11089a0083491a7f7105a672ccb737fdb8575
Instruction Fuzzy Hash: BDB117316083629FC712DF29C890A6EB7E5BFA9710F518A1DF496CB2D1D734D844CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0040911E Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00389BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00389BB2

DragQueryPoint.SHELL32(?,?), ref: 00409147

Part of subcall function 00407674: ClientToScreen.USER32(?,?), ref: 0040769A
Part of subcall function 00407674: GetWindowRect.USER32(?,?), ref: 00407710
Part of subcall function 00407674: PtInRect.USER32(?,?,00408B89), ref: 00407720

SendMessageW.USER32(?,000000B0,?,?), ref: 004091B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 004091BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 004091DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00409225
SendMessageW.USER32(?,000000B0,?,?), ref: 0040923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00409255
SendMessageW.USER32(?,000000B1,?,?), ref: 00409277
DragFinish.SHELL32(?), ref: 0040927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00409371

Strings

@GUI_DRAGFILE, xrefs: 00409320
@GUI_DROPID, xrefs: 0040929E
@GUI_DRAGID, xrefs: 004092E9
p#D, xrefs: 004092BB

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#D
API String ID: 221274066-33073620
Opcode ID: 714f737cee4fd92694c5a6cc0e54b249cd8b7cca9049557ee2d1722245fbacdf
Instruction ID: 66f34f870fdc282f259b61567643d61655c435dba3f55ffee9a9c70eeaba94ef
Opcode Fuzzy Hash: 714f737cee4fd92694c5a6cc0e54b249cd8b7cca9049557ee2d1722245fbacdf
Instruction Fuzzy Hash: 91618A71108301AFD712DF60CC85EAFBBE8EF89750F004A2EF595A61A1DB349A49CB56

Uniqueness

Uniqueness Score: -1.00%

Function 003FAFF9 Relevance: 24.4, APIs: 16, Instructions: 418processCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 003FB198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 003FB1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 003FB1D4
_wcslen.LIBCMT ref: 003FB200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 003FB214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 003FB236
_wcslen.LIBCMT ref: 003FB332

Part of subcall function 003E05A7: GetStdHandle.KERNEL32(000000F6), ref: 003E05C6

_wcslen.LIBCMT ref: 003FB34B
_wcslen.LIBCMT ref: 003FB366
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 003FB3B6
GetLastError.KERNEL32(00000000), ref: 003FB407
CloseHandle.KERNEL32(?), ref: 003FB439
CloseHandle.KERNEL32(00000000), ref: 003FB44A
CloseHandle.KERNEL32(00000000), ref: 003FB45C
CloseHandle.KERNEL32(00000000), ref: 003FB46E
CloseHandle.KERNEL32(?), ref: 003FB4E3

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: ea986c9e503cbd7b02cf208def9e93853094c635edefe60881951b0b5256b79e
Instruction ID: 56eb9d81d0d6d903536d108c25512100dd793fbc1ebaff9e5f1e2c2835e57b1f
Opcode Fuzzy Hash: ea986c9e503cbd7b02cf208def9e93853094c635edefe60881951b0b5256b79e
Instruction Fuzzy Hash: FEF19A71608304DFC726EF24C881B2ABBE5AF85714F15895DF9999F2A2CB35EC40CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0037326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00441990), ref: 003B2F8D
GetMenuItemCount.USER32(00441990), ref: 003B303D
GetCursorPos.USER32(?), ref: 003B3081
SetForegroundWindow.USER32(00000000), ref: 003B308A
TrackPopupMenuEx.USER32(00441990,00000000,?,00000000,00000000,00000000), ref: 003B309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 003B30A9

Strings

0, xrefs: 0037327D

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: cb48625bc8cc8b5495e3421df22cd4a6fafcef6e99b593bb4562b9758d65275f
Instruction ID: c6a94a58d88b607e56a6edce01c4c6088181736feeeb99a349ea6a6147a51fe2
Opcode Fuzzy Hash: cb48625bc8cc8b5495e3421df22cd4a6fafcef6e99b593bb4562b9758d65275f
Instruction Fuzzy Hash: FC711771644215BEEB329F24CC89FEABF68FF04328F204316F6196A5E1C7B1A910DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00406CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00406DEB

Part of subcall function 00376B57: _wcslen.LIBCMT ref: 00376B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00406E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00406E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00406E94
DestroyWindow.USER32(?), ref: 00406EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00370000,00000000), ref: 00406EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00406EFD
GetDesktopWindow.USER32 ref: 00406F16
GetWindowRect.USER32(00000000), ref: 00406F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00406F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00406F4D

Part of subcall function 00389944: GetWindowLongW.USER32(?,000000EB), ref: 00389952

Strings

0, xrefs: 00406D98
tooltips_class32, xrefs: 00406E58, 00406EDD

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 27f2d6176d994e8a447501a110103dc1a827068cc5d34a5f0daeeb04af3ddfbe
Instruction ID: df49c08fc747b3c9ab9111e3dbb5f5e5a13b211391e62aaa1415befbb3e748d3
Opcode Fuzzy Hash: 27f2d6176d994e8a447501a110103dc1a827068cc5d34a5f0daeeb04af3ddfbe
Instruction Fuzzy Hash: BC718B74104341AFDB21DF18DC44F6BBBE9FB89300F14092EF98AA72A1C775A956CB19

Uniqueness

Uniqueness Score: -1.00%

Function 003EC476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 003EC4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 003EC4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 003EC4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 003EC4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 003EC533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 003EC549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 003EC554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 003EC584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 003EC5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 003EC5F0
InternetCloseHandle.WININET(00000000), ref: 003EC5FB

Strings

, xrefs: 003EC575

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 33fee123f1febeb455862c7cc3b48b612153411399f4549cab0718553bf6a3c2
Instruction ID: 974604bd7994a08e6f348bf2a824cbc94e775067368cdfbd00b339161d785934
Opcode Fuzzy Hash: 33fee123f1febeb455862c7cc3b48b612153411399f4549cab0718553bf6a3c2
Instruction Fuzzy Hash: D1517FB0510355FFDB229F62C988AAF7BBCFF05344F005629F945A6690D734E905DB60

Uniqueness

Uniqueness Score: -1.00%

Function 0040856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00408592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 004085A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 004085AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 004085BA
GlobalLock.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 004085C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 004085D7
GlobalUnlock.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 004085E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 004085E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 004085F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,0040FC38,?), ref: 00408611
GlobalFree.KERNEL32(00000000), ref: 00408621
GetObjectW.GDI32(?,00000018,?), ref: 00408641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00408671
DeleteObject.GDI32(?), ref: 00408699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 004086AF

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: c76805f7442b019c58c757e5e6f5ebe5ced457245f0771144616e9a023ff00e3
Instruction ID: 41e083e8da732d6c3d48dce5dd14732d40017fd13658d4d483899e5d85b088bc
Opcode Fuzzy Hash: c76805f7442b019c58c757e5e6f5ebe5ced457245f0771144616e9a023ff00e3
Instruction Fuzzy Hash: C4414C71600204FFDB119FA5CE88EAB7BB8FF89711F108569F905E7290DB359901CB24

Uniqueness

Uniqueness Score: -1.00%

Function 003E14BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 003E1502
VariantCopy.OLEAUT32(?,?), ref: 003E150B
VariantClear.OLEAUT32(?), ref: 003E1517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 003E15FB
VarR8FromDec.OLEAUT32(?,?), ref: 003E1657
VariantInit.OLEAUT32(?), ref: 003E1708
SysFreeString.OLEAUT32(?), ref: 003E178C
VariantClear.OLEAUT32(?), ref: 003E17D8
VariantClear.OLEAUT32(?), ref: 003E17E7
VariantInit.OLEAUT32(00000000), ref: 003E1823

Strings

Default, xrefs: 003E16AF
%4d%02d%02d%02d%02d%02d, xrefs: 003E1625

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: ecfb55ad1c53096ad7f517f841bce4e0626774d10189d0dc5b5f9c8a3c038020
Instruction ID: ea4892a05bd0687a7189c40bed5ae41f76b3b9c923370634a278095def9bb761
Opcode Fuzzy Hash: ecfb55ad1c53096ad7f517f841bce4e0626774d10189d0dc5b5f9c8a3c038020
Instruction Fuzzy Hash: 2DD13531A00265DBDB12AF66D884BBDB7B9BF46700F20825AF846AF5C4DB34EC44DB51

Uniqueness

Uniqueness Score: -1.00%

Function 003FB60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00379CB3: _wcslen.LIBCMT ref: 00379CBD

Part of subcall function 003FC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,003FB6AE,?,?), ref: 003FC9B5
Part of subcall function 003FC998: _wcslen.LIBCMT ref: 003FC9F1
Part of subcall function 003FC998: _wcslen.LIBCMT ref: 003FCA68
Part of subcall function 003FC998: _wcslen.LIBCMT ref: 003FCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 003FB6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 003FB772
RegDeleteValueW.ADVAPI32(?,?), ref: 003FB80A
RegCloseKey.ADVAPI32(?), ref: 003FB87E
RegCloseKey.ADVAPI32(?), ref: 003FB89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 003FB8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 003FB904
RegDeleteKeyW.ADVAPI32(?,?), ref: 003FB922
FreeLibrary.KERNEL32(00000000), ref: 003FB983
RegCloseKey.ADVAPI32(00000000), ref: 003FB994

Strings

advapi32.dll, xrefs: 003FB8ED
RegDeleteKeyExW, xrefs: 003FB8FE

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: cfcf05d805c88989890245fcf018faecea91f94932fd2bae531bd1a5a3562ade
Instruction ID: c2704b39ea938cf35374077163f0c481ca6f8f44b2c7dc2dc2dfffc154d8d898
Opcode Fuzzy Hash: cfcf05d805c88989890245fcf018faecea91f94932fd2bae531bd1a5a3562ade
Instruction Fuzzy Hash: 6EC19C70204205EFD722DF24C495F2AFBE5BF84308F15859CE69A8B2A2CB75EC45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 003F255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 003F25D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 003F25E8
CreateCompatibleDC.GDI32(?), ref: 003F25F4
SelectObject.GDI32(00000000,?), ref: 003F2601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 003F266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 003F26AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 003F26D0
SelectObject.GDI32(?,?), ref: 003F26D8
DeleteObject.GDI32(?), ref: 003F26E1
DeleteDC.GDI32(?), ref: 003F26E8
ReleaseDC.USER32(00000000,?), ref: 003F26F3

Strings

(, xrefs: 003F268D

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: ab3f688ccbb6c0933a7905fe063093e7fe89f49b5bb8041932de0bf8847b97d7
Instruction ID: 7c27fd0b84f97aea144a8a21beb904936dd8ce51ff4c5ac783ecb01af34b1dfa
Opcode Fuzzy Hash: ab3f688ccbb6c0933a7905fe063093e7fe89f49b5bb8041932de0bf8847b97d7
Instruction Fuzzy Hash: 0D61F275D00219EFCF05CFA8D984EAEBBB5FF48310F208529EA55AB250D770A951CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 003ADA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 003ADAA1

Part of subcall function 003AD63C: _free.LIBCMT ref: 003AD659
Part of subcall function 003AD63C: _free.LIBCMT ref: 003AD66B
Part of subcall function 003AD63C: _free.LIBCMT ref: 003AD67D
Part of subcall function 003AD63C: _free.LIBCMT ref: 003AD68F
Part of subcall function 003AD63C: _free.LIBCMT ref: 003AD6A1
Part of subcall function 003AD63C: _free.LIBCMT ref: 003AD6B3
Part of subcall function 003AD63C: _free.LIBCMT ref: 003AD6C5
Part of subcall function 003AD63C: _free.LIBCMT ref: 003AD6D7
Part of subcall function 003AD63C: _free.LIBCMT ref: 003AD6E9
Part of subcall function 003AD63C: _free.LIBCMT ref: 003AD6FB
Part of subcall function 003AD63C: _free.LIBCMT ref: 003AD70D
Part of subcall function 003AD63C: _free.LIBCMT ref: 003AD71F
Part of subcall function 003AD63C: _free.LIBCMT ref: 003AD731

_free.LIBCMT ref: 003ADA96

Part of subcall function 003A29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,003AD7D1,00000000,00000000,00000000,00000000,?,003AD7F8,00000000,00000007,00000000,?,003ADBF5,00000000), ref: 003A29DE
Part of subcall function 003A29C8: GetLastError.KERNEL32(00000000,?,003AD7D1,00000000,00000000,00000000,00000000,?,003AD7F8,00000000,00000007,00000000,?,003ADBF5,00000000,00000000), ref: 003A29F0

_free.LIBCMT ref: 003ADAB8
_free.LIBCMT ref: 003ADACD
_free.LIBCMT ref: 003ADAD8
_free.LIBCMT ref: 003ADAFA
_free.LIBCMT ref: 003ADB0D
_free.LIBCMT ref: 003ADB1B
_free.LIBCMT ref: 003ADB26
_free.LIBCMT ref: 003ADB5E
_free.LIBCMT ref: 003ADB65
_free.LIBCMT ref: 003ADB82
_free.LIBCMT ref: 003ADB9A

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 881c3b6a4f727081492d266ffcc2c6aed1f68a50e94635e8b6be5f6d7aaa445e
Instruction ID: 849890d062aae07e382410e3ac2fb7b69587b4c29c459b0e41cdc165c8102f3b
Opcode Fuzzy Hash: 881c3b6a4f727081492d266ffcc2c6aed1f68a50e94635e8b6be5f6d7aaa445e
Instruction Fuzzy Hash: 0A316B316043049FEB63AA38E849B5B77E9FF03710F124519E44ADB5A1DF35AC508B21

Uniqueness

Uniqueness Score: -1.00%

Function 003D365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 003D369C
_wcslen.LIBCMT ref: 003D36A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 003D3797
GetClassNameW.USER32(?,?,00000400), ref: 003D380C
GetDlgCtrlID.USER32(?), ref: 003D385D
GetWindowRect.USER32(?,?), ref: 003D3882
GetParent.USER32(?), ref: 003D38A0
ScreenToClient.USER32(00000000), ref: 003D38A7
GetClassNameW.USER32(?,?,00000100), ref: 003D3921
GetWindowTextW.USER32(?,?,00000400), ref: 003D395D

Strings

%s%u, xrefs: 003D3734

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: f6a48cdd14a0cc543316e1d0717fcfcd25ee69b0d493f95e9c68c47dbb29cbf6
Instruction ID: d50ce29f319643d1c5b21b80b125ac36bceed2dc822919807d7b2f33e061fd89
Opcode Fuzzy Hash: f6a48cdd14a0cc543316e1d0717fcfcd25ee69b0d493f95e9c68c47dbb29cbf6
Instruction Fuzzy Hash: 7391D672204606EFD716DF24D895FAAF7A8FF44350F00462AF999D6290DB30EE45CB92

Uniqueness

Uniqueness Score: -1.00%

Function 003D4954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 003D4994
GetWindowTextW.USER32(?,?,00000400), ref: 003D49DA
_wcslen.LIBCMT ref: 003D49EB
CharUpperBuffW.USER32(?,00000000), ref: 003D49F7
_wcsstr.LIBVCRUNTIME ref: 003D4A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 003D4A64
GetWindowTextW.USER32(?,?,00000400), ref: 003D4A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 003D4AE6
GetClassNameW.USER32(?,?,00000400), ref: 003D4B20
GetWindowRect.USER32(?,?), ref: 003D4B8B

Strings

ThumbnailClass, xrefs: 003D4A6F, 003D4AF1

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 8ef4f2cd3edb7a8b0a0017214bd19ac1cd2acaab32b3edbb9848c573a379ead0
Instruction ID: 40a26adbbe586252bc7f658edff8814dc8519ab43a4489ef173428d202ef366e
Opcode Fuzzy Hash: 8ef4f2cd3edb7a8b0a0017214bd19ac1cd2acaab32b3edbb9848c573a379ead0
Instruction Fuzzy Hash: E291EF32008205AFDB16CF14E985FAA77E8FF54304F04856BFD859A296EB34ED45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00408D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00389BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00389BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00408D5A
GetFocus.USER32 ref: 00408D6A
GetDlgCtrlID.USER32(00000000), ref: 00408D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00408E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00408ECF
GetMenuItemCount.USER32(?), ref: 00408EEC
GetMenuItemID.USER32(?,00000000), ref: 00408EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00408F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00408F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00408FA1

Strings

0, xrefs: 00408E9F

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: 09c8c80bd4e425896a7652490526b0f2ef2c6223cc97d15b91fcab9488b3fb45
Instruction ID: 4000a513e74b85377ad33d00b0a12b380089a988731b23b230050cc61b85a268
Opcode Fuzzy Hash: 09c8c80bd4e425896a7652490526b0f2ef2c6223cc97d15b91fcab9488b3fb45
Instruction Fuzzy Hash: 5E81AF71504311AFD710DF24CA84A6B7BE9FB88314F140A2EF984E72D1DB78D941CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 003DDC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 003DDC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 003DDC46
_wcslen.LIBCMT ref: 003DDC50
_wcsstr.LIBVCRUNTIME ref: 003DDCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 003DDCBC

Strings

%u.%u.%u.%u, xrefs: 003DDD9A
\VarFileInfo\Translation, xrefs: 003DDCB4
04090000, xrefs: 003DDCF2
DefaultLangCodepage, xrefs: 003DDD1F
StringFileInfo\, xrefs: 003DDC8F

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: 298df9fbdccf8fa74153af8af9fbe8b46981781cc377f03f94e63d012414d2a9
Instruction ID: 174a3ee686c7f1d89f80e8bf914518e515fa41fc5f984591f8a7f99250df1893
Opcode Fuzzy Hash: 298df9fbdccf8fa74153af8af9fbe8b46981781cc377f03f94e63d012414d2a9
Instruction Fuzzy Hash: A5410832940205BADF16B774AC43FBF776CEF55750F10416BF900AA2C2EB74A90187A4

Uniqueness

Uniqueness Score: -1.00%

Function 003FCC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 003FCC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 003FCC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 003FCD48

Part of subcall function 003FCC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 003FCCAA
Part of subcall function 003FCC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 003FCCBD
Part of subcall function 003FCC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 003FCCCF
Part of subcall function 003FCC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 003FCD05
Part of subcall function 003FCC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 003FCD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 003FCCF3

Strings

advapi32.dll, xrefs: 003FCCB8
RegDeleteKeyExW, xrefs: 003FCCC9

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 1697ad8a9a7d7a33883adf8a231a3e76aecad14ac070748eca7bfee197ff3752
Instruction ID: 9e3039ab863660fa9b06864b8d9cd17f64d4545dbe6c48b41c078efccb1ea9f3
Opcode Fuzzy Hash: 1697ad8a9a7d7a33883adf8a231a3e76aecad14ac070748eca7bfee197ff3752
Instruction Fuzzy Hash: CE318E7194112CFBDB219B90DD88EFFBB7CEF45750F010275BA06E6240DA349A45DAA4

Uniqueness

Uniqueness Score: -1.00%

Function 003DE6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 003DE6B4

Part of subcall function 0038E551: timeGetTime.WINMM(?,?,003DE6D4), ref: 0038E555

Sleep.KERNEL32(0000000A), ref: 003DE6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 003DE705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 003DE727
SetActiveWindow.USER32 ref: 003DE746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 003DE754
SendMessageW.USER32(00000010,00000000,00000000), ref: 003DE773
Sleep.KERNEL32(000000FA), ref: 003DE77E
IsWindow.USER32 ref: 003DE78A
EndDialog.USER32(00000000), ref: 003DE79B

Strings

BUTTON, xrefs: 003DE719

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 2a5db6d825371e6b730b228216da47b070d47bf074de986e1f628d5840c3c910
Instruction ID: 81b06361aded2bec29db65ef9b8f64d7b4703b2e1cf3927426bafdeec13101c1
Opcode Fuzzy Hash: 2a5db6d825371e6b730b228216da47b070d47bf074de986e1f628d5840c3c910
Instruction Fuzzy Hash: C121A775200201EFEB126F60FEC9A363F69F755349F510536F805A92B1DBB29C008A1D

Uniqueness

Uniqueness Score: -1.00%

Function 003DE9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00379CB3: _wcslen.LIBCMT ref: 00379CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 003DEA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 003DEA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 003DEA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 003DEA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 003DEAA7

Strings

alias PlayMe, xrefs: 003DEA36
play PlayMe, xrefs: 003DEAA2
open , xrefs: 003DEA0C
close PlayMe, xrefs: 003DEA6E, 003DEA9B
play PlayMe wait, xrefs: 003DEA91
status PlayMe mode, xrefs: 003DEA58

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 414c21149980823146f9da8ac609242d45de9b82efaaaa9777dc2af4de7ec5bc
Instruction ID: c2d6b6ca86ecf2341aed4a54440d46dffb75602e8de41375cc57cf9801bd6c13
Opcode Fuzzy Hash: 414c21149980823146f9da8ac609242d45de9b82efaaaa9777dc2af4de7ec5bc
Instruction Fuzzy Hash: 4E11947169025A79D721B761DC4AFFF6A7CEFD5B00F11442B7815A60D0DB741905C9B0

Uniqueness

Uniqueness Score: -1.00%

Function 00388BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00388F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00388BE8,?,00000000,?,?,?,?,00388BBA,00000000,?), ref: 00388FC5

DestroyWindow.USER32(?), ref: 00388C81
KillTimer.USER32(00000000,?,?,?,?,00388BBA,00000000,?), ref: 00388D1B
DestroyAcceleratorTable.USER32(00000000), ref: 003C6973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00388BBA,00000000,?), ref: 003C69A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00388BBA,00000000,?), ref: 003C69B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00388BBA,00000000), ref: 003C69D4
DeleteObject.GDI32(00000000), ref: 003C69E6

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 4bc76de0ec3dcc5dc2e9fcd30a95882b61f1dad0a1281b05a404f440e30f2981
Instruction ID: 07f7bdfcfe7ae381a831c8f89c02dcd15d7d07d7a657177aae3922163d4134ec
Opcode Fuzzy Hash: 4bc76de0ec3dcc5dc2e9fcd30a95882b61f1dad0a1281b05a404f440e30f2981
Instruction Fuzzy Hash: 68618974102710DFDB22AF18DA89B25B7F1FB41312F55456CE042AB9B4CB31AD80CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00389838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00389944: GetWindowLongW.USER32(?,000000EB), ref: 00389952

GetSysColor.USER32(0000000F), ref: 00389862

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: a746187e47834b16c916165963569d57566d012cfa80941f328fcd2f20bb60f6
Instruction ID: 63cc0490c136d368f48211ad64207357817d4b668846e10bd52737b64fc70d18
Opcode Fuzzy Hash: a746187e47834b16c916165963569d57566d012cfa80941f328fcd2f20bb60f6
Instruction Fuzzy Hash: 3241B431104750EFDB226F389C88BB93BA5FB46334F19469AF9A29B1E1C7319C42DB10

Uniqueness

Uniqueness Score: -1.00%

Function 003D96E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,003BF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 003D9717
LoadStringW.USER32(00000000,?,003BF7F8,00000001), ref: 003D9720

Part of subcall function 00379CB3: _wcslen.LIBCMT ref: 00379CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,003BF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 003D9742
LoadStringW.USER32(00000000,?,003BF7F8,00000001), ref: 003D9745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 003D9866

Strings

Error: , xrefs: 003D981D
Line %d (File "%s"):, xrefs: 003D978F
%s (%d) : ==> %s: %s %s, xrefs: 003D984A
^ ERROR, xrefs: 003D97FB
Line %d:, xrefs: 003D97A0

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: d58856a588c1f4c6da336c4933bb01efc719f6fdf7f5117f1ae0acda8aba6156
Instruction ID: 70fb44f11d6d08fbfdf681fc9eb3a44201f153c9df145e74efa6ad539e5b066c
Opcode Fuzzy Hash: d58856a588c1f4c6da336c4933bb01efc719f6fdf7f5117f1ae0acda8aba6156
Instruction Fuzzy Hash: F0417272900209BADF16FBE0DD92EEE7378AF15300F104166F6097A092EB395F48DB61

Uniqueness

Uniqueness Score: -1.00%

Function 003D06DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00376B57: _wcslen.LIBCMT ref: 00376B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 003D07A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 003D07BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 003D07DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 003D0804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 003D082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 003D0837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 003D083C

Strings

SOFTWARE\Classes\, xrefs: 003D070E
\CLSID, xrefs: 003D0724
\IPC$, xrefs: 003D0784

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: d3f48ade57bed22c5684bd44a8dda01d3a0a38115d1f17917f5b04a01eb7afe5
Instruction ID: 0f073248dc4e0f5152489f76010a282da5f1a0a18bb19642c62ec9c314081f56
Opcode Fuzzy Hash: d3f48ade57bed22c5684bd44a8dda01d3a0a38115d1f17917f5b04a01eb7afe5
Instruction Fuzzy Hash: 58412A72C10228EBDF26EBA4DC95DEDB7B8BF44740F158126E905B71A1EB345E04CB90

Uniqueness

Uniqueness Score: -1.00%

Function 003F3C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 003F3C5C
CoInitialize.OLE32(00000000), ref: 003F3C8A
CoUninitialize.OLE32 ref: 003F3C94
_wcslen.LIBCMT ref: 003F3D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 003F3DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 003F3ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 003F3F0E
CoGetObject.OLE32(?,00000000,0040FB98,?), ref: 003F3F2D
SetErrorMode.KERNEL32(00000000), ref: 003F3F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 003F3FC4
VariantClear.OLEAUT32(?), ref: 003F3FD8

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 61ae4a2e1abe0111bbb14b71bf214dbc572b6713d730b0f40f338a67316be7ed
Instruction ID: fd20d9a3bf3b72be225ddc1d713c3d8a275880562d29166a45e249847c794d20
Opcode Fuzzy Hash: 61ae4a2e1abe0111bbb14b71bf214dbc572b6713d730b0f40f338a67316be7ed
Instruction Fuzzy Hash: DFC135716083099FD711DF68C88492BB7E9FF89748F10492DFA8A9B251D731EE05CB52

Uniqueness

Uniqueness Score: -1.00%

Function 003E7A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 003E7AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 003E7B8F
SHGetDesktopFolder.SHELL32(?), ref: 003E7BA3
CoCreateInstance.OLE32(0040FD08,00000000,00000001,00436E6C,?), ref: 003E7BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 003E7C74
CoTaskMemFree.OLE32(?,?), ref: 003E7CCC
SHBrowseForFolderW.SHELL32(?), ref: 003E7D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 003E7D7A
CoTaskMemFree.OLE32(00000000), ref: 003E7D81
CoTaskMemFree.OLE32(00000000), ref: 003E7DD6
CoUninitialize.OLE32 ref: 003E7DDC

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 36164778d887ca03fd15ba90ff919a09fe450b289e4133ef1d6ea1b8fb49bdc2
Instruction ID: ee51d1548c3368cb15f3bdff6e98d784bb02956fccb7d331fe603b7aea00b569
Opcode Fuzzy Hash: 36164778d887ca03fd15ba90ff919a09fe450b289e4133ef1d6ea1b8fb49bdc2
Instruction Fuzzy Hash: 8CC14B75A04159EFCB15DFA5C884DAEBBF9FF48304B1481A9E809EB261D730EE41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0040541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00405504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00405515
CharNextW.USER32(00000158), ref: 00405544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00405585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0040559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004055AC

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 5c25c99765271f03b5fe62b39392a8b21381aa261e59e13dfdd326d8c845f2dd
Instruction ID: 53b70cae9f1aed18182f5048dd2c3d9047e2d2d7f0ce5fadc0f1cefd64162332
Opcode Fuzzy Hash: 5c25c99765271f03b5fe62b39392a8b21381aa261e59e13dfdd326d8c845f2dd
Instruction Fuzzy Hash: BB617A74900608EBDF209F54CC84AFF7BB9EB09320F104566F925BA2D0D7789A81DF69

Uniqueness

Uniqueness Score: -1.00%

Function 003CFA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 003CFAAF
SafeArrayAllocData.OLEAUT32(?), ref: 003CFB08
VariantInit.OLEAUT32(?), ref: 003CFB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 003CFB3A
VariantCopy.OLEAUT32(?,?), ref: 003CFB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 003CFBA1
VariantClear.OLEAUT32(?), ref: 003CFBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 003CFBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 003CFBCC
VariantClear.OLEAUT32(?), ref: 003CFBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 003CFBE9

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 277b0ba012ff8e2d57e21bc728363edd96a60571491c39db93257d03f165f7a4
Instruction ID: f153c507229a8f388a0c42ee6f74bd24ca5150a3f2f4964392daee20e2c72995
Opcode Fuzzy Hash: 277b0ba012ff8e2d57e21bc728363edd96a60571491c39db93257d03f165f7a4
Instruction Fuzzy Hash: B7413D35A00219DFCB05DF64C894EAEBBBAFF48344F018169E945EB261CB34AD45CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 003D9C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 003D9CA1
GetAsyncKeyState.USER32(000000A0), ref: 003D9D22
GetKeyState.USER32(000000A0), ref: 003D9D3D
GetAsyncKeyState.USER32(000000A1), ref: 003D9D57
GetKeyState.USER32(000000A1), ref: 003D9D6C
GetAsyncKeyState.USER32(00000011), ref: 003D9D84
GetKeyState.USER32(00000011), ref: 003D9D96
GetAsyncKeyState.USER32(00000012), ref: 003D9DAE
GetKeyState.USER32(00000012), ref: 003D9DC0
GetAsyncKeyState.USER32(0000005B), ref: 003D9DD8
GetKeyState.USER32(0000005B), ref: 003D9DEA

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 5afca16c674b50b51e7c7bae143cd312767c5b8f425e653504f50cb4b5af99bd
Instruction ID: fc72ce2e0a87e868138d26c3db5933b032045b3b0b3cef43265fde2a2f08a5a8
Opcode Fuzzy Hash: 5afca16c674b50b51e7c7bae143cd312767c5b8f425e653504f50cb4b5af99bd
Instruction Fuzzy Hash: 5C4128355047C96DFF329760A8443B5BEA16F11304F05806BDAC6573C2EBA499C8C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 003F055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 003F05BC
inet_addr.WSOCK32(?), ref: 003F061C
gethostbyname.WSOCK32(?), ref: 003F0628
IcmpCreateFile.IPHLPAPI ref: 003F0636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 003F06C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 003F06E5
IcmpCloseHandle.IPHLPAPI(?), ref: 003F07B9
WSACleanup.WSOCK32 ref: 003F07BF

Strings

Ping, xrefs: 003F0676

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: e78e7bb6b198142ad8c2bf7c1ce530025e8070d95638ce0b7eb9cab1ee457010
Instruction ID: 6e887a6ff4997d655b8cef7bbcd2f7bd4ded627b93902e75cb98002d6cddee14
Opcode Fuzzy Hash: e78e7bb6b198142ad8c2bf7c1ce530025e8070d95638ce0b7eb9cab1ee457010
Instruction Fuzzy Hash: 5F91AC34608201DFD726EF19C988F2ABBE4AF44318F1585A9E5699F7A2C734EC45CF81

Uniqueness

Uniqueness Score: -1.00%

Function 003F8CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 003F8CF3

Part of subcall function 003D8E54: _wcslen.LIBCMT ref: 003D8E77

_wcslen.LIBCMT ref: 003F8D4E
_wcslen.LIBCMT ref: 003F8D9C
_wcslen.LIBCMT ref: 003F8DDC
_wcslen.LIBCMT ref: 003F8E6E

Strings

stdcall, xrefs: 003F8DD6, 003F8DDB
winapi, xrefs: 003F8D96, 003F8D9B
none, xrefs: 003F8E65, 003F8E6A
cdecl, xrefs: 003F8D48, 003F8D4D

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: c2336c11ed72d2702c7bcc70200da103ba057b5c66e65fd4c51b33841f5e4153
Instruction ID: ad3c71b6a7e2933bef4ff58e23c2baedc41853a5ecc271ecb9b8bcab00389a0d
Opcode Fuzzy Hash: c2336c11ed72d2702c7bcc70200da103ba057b5c66e65fd4c51b33841f5e4153
Instruction Fuzzy Hash: 2F51D532A0051A9BCF2ADF6CC9519BEB3A5BF74324B214229F656EB2C0DB34DD41C790

Uniqueness

Uniqueness Score: -1.00%

Function 003F372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 003F3774
CoUninitialize.OLE32 ref: 003F377F
CoCreateInstance.OLE32(?,00000000,00000017,0040FB78,?), ref: 003F37D9
IIDFromString.OLE32(?,?), ref: 003F384C
VariantInit.OLEAUT32(?), ref: 003F38E4
VariantClear.OLEAUT32(?), ref: 003F3936

Strings

NULL Pointer assignment, xrefs: 003F381E
Invalid parameter, xrefs: 003F3865
Failed to create object, xrefs: 003F37E4, 003F389A

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 05d51148b33d07ab246c68d6227320e18ecc4f2787c9f5cf58f91b6f468cb2dd
Instruction ID: cbd9a35f5733d5cddfa3f34534be3438847fabca8c61d1b164b3710b6292792f
Opcode Fuzzy Hash: 05d51148b33d07ab246c68d6227320e18ecc4f2787c9f5cf58f91b6f468cb2dd
Instruction Fuzzy Hash: E561B171608305EFD312EF54C888F6AB7E8EF49750F104919FA859B291C774EE48CB96

Uniqueness

Uniqueness Score: -1.00%

Function 00408B02 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00389BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00389BB2

Part of subcall function 0038912D: GetCursorPos.USER32(?), ref: 00389141
Part of subcall function 0038912D: ScreenToClient.USER32(00000000,?), ref: 0038915E
Part of subcall function 0038912D: GetAsyncKeyState.USER32(00000001), ref: 00389183
Part of subcall function 0038912D: GetAsyncKeyState.USER32(00000002), ref: 0038919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00408B6B
ImageList_EndDrag.COMCTL32 ref: 00408B71
ReleaseCapture.USER32 ref: 00408B77
SetWindowTextW.USER32(?,00000000), ref: 00408C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00408C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00408CFF

Strings

@GUI_DRAGFILE, xrefs: 00408C9A
@GUI_DROPID, xrefs: 00408C51
p#D, xrefs: 00408C71

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$p#D
API String ID: 1924731296-221686180
Opcode ID: 6be58fe1c5f0bd44720345aa83f16eede03376a7513bac21632172a3746e045c
Instruction ID: b50799368a3c7b0dea42228e5ce179946a88654e5466a0fecdac73caf9f7feaa
Opcode Fuzzy Hash: 6be58fe1c5f0bd44720345aa83f16eede03376a7513bac21632172a3746e045c
Instruction Fuzzy Hash: B151B174104304AFE711EF20CD95FAA77E4FB88714F000A2EF9966B2E1CB749944CB66

Uniqueness

Uniqueness Score: -1.00%

Function 003E3388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 003E33CF

Part of subcall function 00379CB3: _wcslen.LIBCMT ref: 00379CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 003E33F0

Strings

Error: , xrefs: 003E34D1
Line %d (File "%s"):, xrefs: 003E3443, 003E345C
Incorrect parameters to object property !, xrefs: 003E34AB
"%s" (%d) : ==> %s:, xrefs: 003E3522
"%s" (%d) : ==> %s:%s%s, xrefs: 003E3504
^ ERROR , xrefs: 003E349E

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: d6b96d69be491ff3e2aab969a436fa87e364ad3a76f6ad2e29a3959e112e3264
Instruction ID: f3af80cf37e7ddc283c71d172f12687bd57ec4b599d2cdc8febe4551ef717b14
Opcode Fuzzy Hash: d6b96d69be491ff3e2aab969a436fa87e364ad3a76f6ad2e29a3959e112e3264
Instruction Fuzzy Hash: FE51B531900119BADF26EBA0CD56EEEB378AF15300F208162F509771A1DB352F58DF61

Uniqueness

Uniqueness Score: -1.00%

Function 003DB5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 003DB5FC
_wcslen.LIBCMT ref: 003DB608
_wcslen.LIBCMT ref: 003DB64D
_wcslen.LIBCMT ref: 003DB68C
_wcslen.LIBCMT ref: 003DB6C7

Strings

REMOVE, xrefs: 003DB602, 003DB607
EXISTS, xrefs: 003DB686, 003DB68B
APPEND, xrefs: 003DB6C1, 003DB6C6
KEYS, xrefs: 003DB647, 003DB64C

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 0fa19cee4f0fa55e55865b166ddac45f83893b658e39fdf4aff66db33b19c3d4
Instruction ID: 3414c500720fe4fa208556abc12b4d0cb17b9a7f557c86024e3c1701943f3f39
Opcode Fuzzy Hash: 0fa19cee4f0fa55e55865b166ddac45f83893b658e39fdf4aff66db33b19c3d4
Instruction Fuzzy Hash: AD41B233A00026DACB216F7D98905BEF7A5AFA4B54B27422BE421DB384E735CD81C790

Uniqueness

Uniqueness Score: -1.00%

Function 003E5393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 003E53A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 003E5416
GetLastError.KERNEL32 ref: 003E5420
SetErrorMode.KERNEL32(00000000,READY), ref: 003E54A7

Strings

INVALID, xrefs: 003E5459
UNKNOWN, xrefs: 003E5444
READY, xrefs: 003E5460, 003E5468
READONLY, xrefs: 003E5452
NOTREADY, xrefs: 003E544B

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 5aef2ab476e22fa3d2958fcf20d9ce925dd9640bcb37317179df0174228085ba
Instruction ID: 1ea9fffc2825ed6e2699d6a26dfb2f2b44f059eafedc8d18b7760863136b6938
Opcode Fuzzy Hash: 5aef2ab476e22fa3d2958fcf20d9ce925dd9640bcb37317179df0174228085ba
Instruction Fuzzy Hash: C431AE35A00155AFCB12DF6AC484AAABBB4EB04309F15C26AE405DF2D2DB74DD86CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00403C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00403C79
SetMenu.USER32(?,00000000), ref: 00403C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00403D10
IsMenu.USER32(?), ref: 00403D24
CreatePopupMenu.USER32 ref: 00403D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00403D5B
DrawMenuBar.USER32 ref: 00403D63

Strings

0, xrefs: 00403C54
F, xrefs: 00403D4E

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 5e21cda6480fdfaf2fb6ca1eac7295853344165907e975048dee1cf7af7835c9
Instruction ID: 542b81f7a75c4dbbf11c5ef5d3656bf68cfe795cca4464c08a876345ad366660
Opcode Fuzzy Hash: 5e21cda6480fdfaf2fb6ca1eac7295853344165907e975048dee1cf7af7835c9
Instruction Fuzzy Hash: 01417C79A01209EFDB14CF64D884EAA7BB9FF49351F140139F946A73A0D734AA10DF98

Uniqueness

Uniqueness Score: -1.00%

Function 00403A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00403A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00403AA0
GetWindowLongW.USER32(?,000000F0), ref: 00403AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00403AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00403B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00403BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00403BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00403BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00403BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00403C13

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: df78ba890356822130437ad5e583627d6aad9e7564ad5e4c89ab36dbecab6ab6
Instruction ID: 75515ef7cfc9c90fea3ef2c068329cadfecb62596ba073bb25218c72c349af88
Opcode Fuzzy Hash: df78ba890356822130437ad5e583627d6aad9e7564ad5e4c89ab36dbecab6ab6
Instruction Fuzzy Hash: A3618B75900248AFDB10DF68CC81EEE77B8EB49304F1001AAFA05E72E2D774AE81DB54

Uniqueness

Uniqueness Score: -1.00%

Function 003A2C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 003A2C94

Part of subcall function 003A29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,003AD7D1,00000000,00000000,00000000,00000000,?,003AD7F8,00000000,00000007,00000000,?,003ADBF5,00000000), ref: 003A29DE
Part of subcall function 003A29C8: GetLastError.KERNEL32(00000000,?,003AD7D1,00000000,00000000,00000000,00000000,?,003AD7F8,00000000,00000007,00000000,?,003ADBF5,00000000,00000000), ref: 003A29F0

_free.LIBCMT ref: 003A2CA0
_free.LIBCMT ref: 003A2CAB
_free.LIBCMT ref: 003A2CB6
_free.LIBCMT ref: 003A2CC1
_free.LIBCMT ref: 003A2CCC
_free.LIBCMT ref: 003A2CD7
_free.LIBCMT ref: 003A2CE2
_free.LIBCMT ref: 003A2CED
_free.LIBCMT ref: 003A2CFB

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: c110f58ab37b1fed8a869d2c1697d22602d553a5114494f9b543b422f634af0c
Instruction ID: 6680ce2b7b8f6510e1632c3b576e71ec687b4810a9565c980ac1c3050eb027f0
Opcode Fuzzy Hash: c110f58ab37b1fed8a869d2c1697d22602d553a5114494f9b543b422f634af0c
Instruction Fuzzy Hash: 73119676100108AFCB42EF58D846CDE3BA5FF06750F4144A9FA485F222D731EA609B91

Uniqueness

Uniqueness Score: -1.00%

Function 00371410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00371459
OleUninitialize.OLE32(?,00000000), ref: 003714F8
UnregisterHotKey.USER32(?), ref: 003716DD
DestroyWindow.USER32(?), ref: 003B24B9
FreeLibrary.KERNEL32(?), ref: 003B251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 003B254B

Strings

close all, xrefs: 00371454

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: bf8e9b70742454a9e2b88a60c7684f33f1d66598fd4a7e2516ea31684b83329c
Instruction ID: ceca172878a78d7c99e2717e0c5ab27b246afc7f095b39428eba0b0440985256
Opcode Fuzzy Hash: bf8e9b70742454a9e2b88a60c7684f33f1d66598fd4a7e2516ea31684b83329c
Instruction Fuzzy Hash: 95D1AF32701212CFCB2AEF19C495B69F7A4BF05704F1582AEE94A6B651CB34ED12CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00375BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00375C7A

Part of subcall function 00375D0A: GetClientRect.USER32(?,?), ref: 00375D30
Part of subcall function 00375D0A: GetWindowRect.USER32(?,?), ref: 00375D71
Part of subcall function 00375D0A: ScreenToClient.USER32(?,?), ref: 00375D99

GetDC.USER32 ref: 003B46F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 003B4708
SelectObject.GDI32(00000000,00000000), ref: 003B4716
SelectObject.GDI32(00000000,00000000), ref: 003B472B
ReleaseDC.USER32(?,00000000), ref: 003B4733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 003B47C4

Strings

U, xrefs: 003B4693

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: ca59e35c7145d34b1acb1d471fcadd39f939609dc44ec7490fc66f544ce9ed9e
Instruction ID: ad61989a8d6221bfee9ccb6b5d991c2111d343666444e792104dbd6cf0b966e2
Opcode Fuzzy Hash: ca59e35c7145d34b1acb1d471fcadd39f939609dc44ec7490fc66f544ce9ed9e
Instruction Fuzzy Hash: 0C710134400205DFCF278F64C986AFA3BB5FF4A318F144269EE655A6A7CB318881DF54

Uniqueness

Uniqueness Score: -1.00%

Function 003E359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 003E35E4

Part of subcall function 00379CB3: _wcslen.LIBCMT ref: 00379CBD

LoadStringW.USER32(00442390,?,00000FFF,?), ref: 003E360A

Strings

Error: , xrefs: 003E36EF
Line %d (File "%s"):, xrefs: 003E366B
"%s" (%d) : ==> %s:, xrefs: 003E3742
^ ERROR, xrefs: 003E36C9
"%s" (%d) : ==> %s:%s%s, xrefs: 003E3724

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 2b346d2cacb043163355c6c9339fe2941673dfc9fbeff15a6eeb4750bd3ec3e4
Instruction ID: 6f4e7e234f08478663725bc6e295cee8f651dcf8e1a4994bf8d45db0ff7d97e8
Opcode Fuzzy Hash: 2b346d2cacb043163355c6c9339fe2941673dfc9fbeff15a6eeb4750bd3ec3e4
Instruction Fuzzy Hash: 8C51B47180011ABADF26EBA0CC46EEDBB74AF14300F148226F509771A1DB341B98DF55

Uniqueness

Uniqueness Score: -1.00%

Function 003EC253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 003EC272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 003EC29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 003EC2CA
GetLastError.KERNEL32 ref: 003EC322
SetEvent.KERNEL32(?), ref: 003EC336
InternetCloseHandle.WININET(00000000), ref: 003EC341

Strings

, xrefs: 003EC2BB

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 02c55f62d2f7156e46d54ba768dde146fb365018aaf4e2241b04423fe2df7399
Instruction ID: 8eb64508829048106622e3977bbc9db5e3f27dbd0fc8d52f22707a8f98eac6bf
Opcode Fuzzy Hash: 02c55f62d2f7156e46d54ba768dde146fb365018aaf4e2241b04423fe2df7399
Instruction Fuzzy Hash: 0131C275510254AFD7229F668D84AAF7BFCEB49740F04962DF446E7280DB34DD068B60

Uniqueness

Uniqueness Score: -1.00%

Function 003D989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,003B3AAF,?,?,Bad directive syntax error,0040CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 003D98BC
LoadStringW.USER32(00000000,?,003B3AAF,?), ref: 003D98C3

Part of subcall function 00379CB3: _wcslen.LIBCMT ref: 00379CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 003D9987

Strings

Line %d (File "%s"):, xrefs: 003D992D
., xrefs: 003D996D
%s (%d) : ==> %s.: %s %s, xrefs: 003D98F1
Error: , xrefs: 003D9955
Line %d:, xrefs: 003D9912

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: ff0b0a0dda97801ce47fd177bf30e8aeacf4fcf2fb353a6e5d931ce20a7f81f2
Instruction ID: 874b849ddc12f44fe08694611ab7b8f8102efe3f2b5798420188868b91ed269b
Opcode Fuzzy Hash: ff0b0a0dda97801ce47fd177bf30e8aeacf4fcf2fb353a6e5d931ce20a7f81f2
Instruction Fuzzy Hash: 30215E3290021ABBDF22AF90CC56FED7779BF18300F048466B5196A0A1DB359618DB55

Uniqueness

Uniqueness Score: -1.00%

Function 003D209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 003D20AB
GetClassNameW.USER32(00000000,?,00000100), ref: 003D20C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 003D214D

Strings

SHELLDLL_DefView, xrefs: 003D20CC
largeicons, xrefs: 003D20E1
details, xrefs: 003D20FB
smallicons, xrefs: 003D2115
list, xrefs: 003D212F

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 9016258901c10d36a8d5d09252468bf04374695e39b24f98aaebfaef6ce6efa1
Instruction ID: 8ecc514b5bbd49bfc99afbf0f0a03ff0a091eb581debd5605110a881e6e48ec4
Opcode Fuzzy Hash: 9016258901c10d36a8d5d09252468bf04374695e39b24f98aaebfaef6ce6efa1
Instruction Fuzzy Hash: 36110677688706B9FA132220EC07DA7779CCF28724F215227FB04A92D1EE6568565618

Uniqueness

Uniqueness Score: -1.00%

Function 003ACE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 003ACEB7
_free.LIBCMT ref: 003ACF22
_free.LIBCMT ref: 003ACF48
_free.LIBCMT ref: 003ACF71
_free.LIBCMT ref: 003ACFA9
_free.LIBCMT ref: 003ACFDA
_free.LIBCMT ref: 003AD01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 003AD09C
_free.LIBCMT ref: 003AD0B5

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: c88d7fdafe22bd40cf65f0976204b8f437651de54e4175e81a67e8d2414a3cce
Instruction ID: 919bb7c63df423a714236a61f366e4ff3dceaa540981524980bcad4b531c0195
Opcode Fuzzy Hash: c88d7fdafe22bd40cf65f0976204b8f437651de54e4175e81a67e8d2414a3cce
Instruction Fuzzy Hash: F96148B2904300AFDF27AFB89885A6A7BA9EF07360F05417DFA55AB281D7319D01C791

Uniqueness

Uniqueness Score: -1.00%

Function 004050D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00405186
ShowWindow.USER32(?,00000000), ref: 004051C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 004051CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 004051D1

Part of subcall function 00406FBA: DeleteObject.GDI32(00000000), ref: 00406FE6

GetWindowLongW.USER32(?,000000F0), ref: 0040520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0040521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0040524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00405287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00405296

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: bcf22de8279fe8f14829b66e7edbf6583a0bd86b6d33eb40bdd1d630d80a4ffd
Instruction ID: a19c20abbbe892092fa961006772d22572598fb10b425e1b3ddcfb8d47aa53a3
Opcode Fuzzy Hash: bcf22de8279fe8f14829b66e7edbf6583a0bd86b6d33eb40bdd1d630d80a4ffd
Instruction Fuzzy Hash: B6518D30A40A08FEEF20AF24CC49B9B3B65EF05325F144167F615BA2E0C779A990DF49

Uniqueness

Uniqueness Score: -1.00%

Function 00388B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 003C6890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 003C68A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 003C68B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 003C68D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 003C68F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00388874,00000000,00000000,00000000,000000FF,00000000), ref: 003C6901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 003C691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00388874,00000000,00000000,00000000,000000FF,00000000), ref: 003C692D

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 4e929c23da394e793b4676d1990daf5da177d666bfcc7f908575d95a7298e962
Instruction ID: 5683a4f2309f211a344b7656138efee08731a264a0292527298f457f92249596
Opcode Fuzzy Hash: 4e929c23da394e793b4676d1990daf5da177d666bfcc7f908575d95a7298e962
Instruction Fuzzy Hash: FA514974600305EFDB229F24CC96FAA7BA5EB88750F104668F916E62A0DB70AD91DB50

Uniqueness

Uniqueness Score: -1.00%

Function 003EC143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 003EC182
GetLastError.KERNEL32 ref: 003EC195
SetEvent.KERNEL32(?), ref: 003EC1A9

Part of subcall function 003EC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 003EC272
Part of subcall function 003EC253: GetLastError.KERNEL32 ref: 003EC322
Part of subcall function 003EC253: SetEvent.KERNEL32(?), ref: 003EC336
Part of subcall function 003EC253: InternetCloseHandle.WININET(00000000), ref: 003EC341

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: fc3b8b56af3378a7d3f8ca99db1ca416fe9da2da683dab7ae1561d2b7379e911
Instruction ID: fdd2082253043e6c6e1a6cfc075744bc8f1b26f5dd3dd05607c95c6101815d94
Opcode Fuzzy Hash: fc3b8b56af3378a7d3f8ca99db1ca416fe9da2da683dab7ae1561d2b7379e911
Instruction Fuzzy Hash: FE31E170110691EFCB229FA6DD44A6ABBF9FF18300B005A2DFA5693650C730E812DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 003D25A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 003D3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 003D3A57
Part of subcall function 003D3A3D: GetCurrentThreadId.KERNEL32 ref: 003D3A5E
Part of subcall function 003D3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,003D25B3), ref: 003D3A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 003D25BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 003D25DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 003D25DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 003D25E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 003D2601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 003D2605
MapVirtualKeyW.USER32(00000025,00000000), ref: 003D260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 003D2623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 003D2627

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 18443dab2d5f04feac483eed1c30944f8c6f4eb239e1303ce2a4137c8c9a989b
Instruction ID: 4e224787edd644bcbd4f7b5d62c8aec09925cb2a115cf3484ba7d7979a8064de
Opcode Fuzzy Hash: 18443dab2d5f04feac483eed1c30944f8c6f4eb239e1303ce2a4137c8c9a989b
Instruction Fuzzy Hash: 1001B531790210BBFB2067689CCAF593E59DB5AB11F100112F354AE1D1C9F254448AAA

Uniqueness

Uniqueness Score: -1.00%

Function 003D1803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,003D1449,?,?,00000000), ref: 003D180C
HeapAlloc.KERNEL32(00000000,?,003D1449,?,?,00000000), ref: 003D1813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,003D1449,?,?,00000000), ref: 003D1828
GetCurrentProcess.KERNEL32(?,00000000,?,003D1449,?,?,00000000), ref: 003D1830
DuplicateHandle.KERNEL32(00000000,?,003D1449,?,?,00000000), ref: 003D1833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,003D1449,?,?,00000000), ref: 003D1843
GetCurrentProcess.KERNEL32(003D1449,00000000,?,003D1449,?,?,00000000), ref: 003D184B
DuplicateHandle.KERNEL32(00000000,?,003D1449,?,?,00000000), ref: 003D184E
CreateThread.KERNEL32(00000000,00000000,003D1874,00000000,00000000,00000000), ref: 003D1868

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 01b52fb17eafebd91a9990a5ef58ba1cf054bec9858e8689a186f3b4f7868489
Instruction ID: 5458e197309884f3e31f36601b3dd4e5af3049f245d4629ba2fc4a3201304bbb
Opcode Fuzzy Hash: 01b52fb17eafebd91a9990a5ef58ba1cf054bec9858e8689a186f3b4f7868489
Instruction Fuzzy Hash: 4001AC75240304FFE610AB75DD89F573B6CEB89B11F004521FA05DB191C6709C00CF24

Uniqueness

Uniqueness Score: -1.00%

Function 003FA0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 003DD4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 003DD501
Part of subcall function 003DD4DC: Process32FirstW.KERNEL32(00000000,?), ref: 003DD50F
Part of subcall function 003DD4DC: CloseHandle.KERNEL32(00000000), ref: 003DD5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 003FA16D
GetLastError.KERNEL32 ref: 003FA180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 003FA1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 003FA268
GetLastError.KERNEL32(00000000), ref: 003FA273
CloseHandle.KERNEL32(00000000), ref: 003FA2C4

Strings

SeDebugPrivilege, xrefs: 003FA18F

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: ab1909a247ac15d45477661a7fa507a45316de3d1ed307c63dd2b9db76b41d02
Instruction ID: cd7aa2599f44ae00e5bd73b8ea46b4a386e5e263a36c79b1ff504140a7c00742
Opcode Fuzzy Hash: ab1909a247ac15d45477661a7fa507a45316de3d1ed307c63dd2b9db76b41d02
Instruction Fuzzy Hash: 7D61AC71204602AFD322DF18C4D4F29BBA5AF44318F15849CE56A4F7A3C776EC45CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00403886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00403925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0040393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00403954
_wcslen.LIBCMT ref: 00403999
SendMessageW.USER32(?,00001057,00000000,?), ref: 004039C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 004039F4

Strings

SysListView32, xrefs: 004038F7

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: b5983d623d38b2bbcc7073d6b81ba41fc3ab45c2a14694e32a33c05b7865a6ea
Instruction ID: eed7703068d2814efbaabf01068b3338bc8c07160c91198fb05e49128c3ad7f2
Opcode Fuzzy Hash: b5983d623d38b2bbcc7073d6b81ba41fc3ab45c2a14694e32a33c05b7865a6ea
Instruction Fuzzy Hash: 2B41A171A00218ABEB219F64CC45BEB7BA9EF08350F100536F958F72C1D7799D80CB94

Uniqueness

Uniqueness Score: -1.00%

Function 003DBC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 003DBCFD
IsMenu.USER32(00000000), ref: 003DBD1D
CreatePopupMenu.USER32 ref: 003DBD53
GetMenuItemCount.USER32(00D95B08), ref: 003DBDA4
InsertMenuItemW.USER32(00D95B08,?,00000001,00000030), ref: 003DBDCC

Strings

0, xrefs: 003DBCA8
2, xrefs: 003DBD37

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 845153bab7cc46b837389b0807f10d4b369b4bab1ba7298dfa0f60c89863bf98
Instruction ID: 78caa5e97113cfc83a08d33a90e06c0aedd62c037d2260adbf17ebeea576073e
Opcode Fuzzy Hash: 845153bab7cc46b837389b0807f10d4b369b4bab1ba7298dfa0f60c89863bf98
Instruction Fuzzy Hash: 09519172600245EBDB12CFA8E9C4BADFBFABF49314F16425AE441AB390D7709940CB51

Uniqueness

Uniqueness Score: -1.00%

Function 00392D20 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00392D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00392D53
_ValidateLocalCookies.LIBCMT ref: 00392DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00392E0C
_ValidateLocalCookies.LIBCMT ref: 00392E61

Strings

&H9, xrefs: 00392DFE, 00392E07, 00392E18
csm, xrefs: 00392DF6

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: &H9$csm
API String ID: 1170836740-3902721481
Opcode ID: 7e42714fa4ecd24624004d01f201293f99d1568622c80844b2a5a24c8b83b2aa
Instruction ID: 3dd9b3020ccf8d4e58bef565e0212342f3146a4779f73f9c2a9a7fb03dbd5b81
Opcode Fuzzy Hash: 7e42714fa4ecd24624004d01f201293f99d1568622c80844b2a5a24c8b83b2aa
Instruction Fuzzy Hash: FE419234E01609ABCF16DF68C885A9FBBB5BF44324F158165E824AB392D731AE45CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 003DC874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 003DC913

Strings

stop, xrefs: 003DC8E4
blank, xrefs: 003DC895
warning, xrefs: 003DC8FC
info, xrefs: 003DC8B4
question, xrefs: 003DC8CC

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 44b599eb4e43165bf1852ee00357d9c829a02bd759c2e08c85fef418a2a75c55
Instruction ID: d35aae2d8450f0757bd59bb523e4262b33547d8a87d06a47d8709c12b49e6900
Opcode Fuzzy Hash: 44b599eb4e43165bf1852ee00357d9c829a02bd759c2e08c85fef418a2a75c55
Instruction Fuzzy Hash: DB113D336B9307BAEB035B54FC93DAA27DCDF15324B61502BF500A6382D7745D00D268

Uniqueness

Uniqueness Score: -1.00%

Function 003DED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 003DED2A
_wcslen.LIBCMT ref: 003DED3B
_wcslen.LIBCMT ref: 003DED79
_wcslen.LIBCMT ref: 003DEDAF
_wcslen.LIBCMT ref: 003DEDDF
_wcslen.LIBCMT ref: 003DEDEF
_wcslen.LIBCMT ref: 003DEE2B
_wcslen.LIBCMT ref: 003DEE5A

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 642d03c27b903aa901330ee4f66056aaa4beda0a0e4167ea3b0c2daf48aea430
Instruction ID: fe7244ed7257e0cef523e0081e4f7c448afe3cf6e1e7d43281c91352370b136d
Opcode Fuzzy Hash: 642d03c27b903aa901330ee4f66056aaa4beda0a0e4167ea3b0c2daf48aea430
Instruction Fuzzy Hash: BB418166C1021875CF12FBB48C8B9CFB7A8AF45710F508962E558EB222FB34E255C3E5

Uniqueness

Uniqueness Score: -1.00%

Function 0038F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,003C682C,00000004,00000000,00000000), ref: 0038F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,003C682C,00000004,00000000,00000000), ref: 003CF3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,003C682C,00000004,00000000,00000000), ref: 003CF454

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: bf8042bda7f9e5743f35035c1ef8e0d725549814d16663137f2c1aa9cbc7b614
Instruction ID: 5ea3b9bc89bb5d330dc7c96a1ecca0d74a3a73d49c32d1b0bae5e4d82cd93f82
Opcode Fuzzy Hash: bf8042bda7f9e5743f35035c1ef8e0d725549814d16663137f2c1aa9cbc7b614
Instruction Fuzzy Hash: 0F412A35608780FED73BBB29C988B2A7B96AB56314F15457DE087A7960C736A880CB11

Uniqueness

Uniqueness Score: -1.00%

Function 00402D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00402D1B
GetDC.USER32(00000000), ref: 00402D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00402D2E
ReleaseDC.USER32(00000000,00000000), ref: 00402D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00402D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00402D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00405A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00402DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00402DE1

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: c38bea09b39ea9f9c24ebb64b9d94c39580ca1b7a9944e3282e99458b880d1c7
Instruction ID: 1be4d317e68232733c7121cc9e075da050426d62f86a185ec45976965bd32700
Opcode Fuzzy Hash: c38bea09b39ea9f9c24ebb64b9d94c39580ca1b7a9944e3282e99458b880d1c7
Instruction Fuzzy Hash: F9317F72201214BFEB214F50CD89FEB3BADEF09755F044165FE08AA2D1C6B59C51CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 003D5622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 003D5637
_memcmp.LIBVCRUNTIME ref: 003D5659
_memcmp.LIBVCRUNTIME ref: 003D5671
_memcmp.LIBVCRUNTIME ref: 003D5684
_memcmp.LIBVCRUNTIME ref: 003D569E
_memcmp.LIBVCRUNTIME ref: 003D56B1
_memcmp.LIBVCRUNTIME ref: 003D56C9
_memcmp.LIBVCRUNTIME ref: 003D56E4

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: e4c496fecb08f274b85e314c38acb353ffffc8fafc487fea71dba04fe9179a93
Instruction ID: fc276b970acabc494372bc924ca5e2bea64c7542b43b8c6c101d751fd7a11a1b
Opcode Fuzzy Hash: e4c496fecb08f274b85e314c38acb353ffffc8fafc487fea71dba04fe9179a93
Instruction Fuzzy Hash: 1221AA67645A09B7E6175520AD82FBA336CAF11385F640033FD047EB81F734ED1485A9

Uniqueness

Uniqueness Score: -1.00%

Function 003F4FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 003F502E, 003F5383
Not an Object type, xrefs: 003F5007

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 7c3973103ae70678b3a1920768802b3ce109225700b51428e1ec36ed5eba4d5d
Instruction ID: 248aad4d44aa40b588ce8044aea742e16d093d195ee5abf4a130e074daafc6e1
Opcode Fuzzy Hash: 7c3973103ae70678b3a1920768802b3ce109225700b51428e1ec36ed5eba4d5d
Instruction Fuzzy Hash: 54D1B175A0060EAFDF11CFA8C880BBEB7B5BF48344F158569EA15AB281D770ED45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 003B1522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,003B17FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 003B15CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,003B17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 003B1651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,003B17FB,?,003B17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 003B16E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,003B17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 003B16FB

Part of subcall function 003A3820: RtlAllocateHeap.NTDLL(00000000,?,00441444,?,0038FDF5,?,?,0037A976,00000010,00441440,003713FC,?,003713C6,?,00371129), ref: 003A3852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,003B17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 003B1777
__freea.LIBCMT ref: 003B17A2
__freea.LIBCMT ref: 003B17AE

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 29acf06168ccb87c1ba72878dee5fcb22a21e556a91c85ac0159281d80067195
Instruction ID: 9b1021d397ba27e579c26af9d7d25a08928d80a20a20accad3f75ee4c8a38f99
Opcode Fuzzy Hash: 29acf06168ccb87c1ba72878dee5fcb22a21e556a91c85ac0159281d80067195
Instruction Fuzzy Hash: 0891E971E102069EDF228F74C8A2AEF7BB5DF46318F950629EA01E7540DB35CC44C760

Uniqueness

Uniqueness Score: -1.00%

Function 003F4523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 003F4648
VariantInit.OLEAUT32(?), ref: 003F4749
VariantClear.OLEAUT32(?), ref: 003F4753
VariantClear.OLEAUT32(?), ref: 003F47B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 003F472C
Null Object assignment in FOR..IN loop, xrefs: 003F45D8, 003F4706, 003F47BE

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 43f9e57b8e1c8fffc3ccfc1f71db20e34e9c6fd8d952d0b879a0f5a72ace08e2
Instruction ID: 2e1d13ce97047e6488376848379725e4556f6ac140c7cff9704e8dd3833dc195
Opcode Fuzzy Hash: 43f9e57b8e1c8fffc3ccfc1f71db20e34e9c6fd8d952d0b879a0f5a72ace08e2
Instruction Fuzzy Hash: 53919D71A00219ABDF25DFA5C884FBFBBB8EF46710F108569F615AB280D7709945CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 003E1187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 003E125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 003E1284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 003E12A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 003E12D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 003E135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 003E13C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 003E1430

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: fa68f44879b4deeb356aa264523f3e6f0fce2c1898ca2e02309c90c2a0acbc34
Instruction ID: ad68eafa304078e9b2e45ca8462a5d07c78bd4e85447d1b9ab3b699131249b86
Opcode Fuzzy Hash: fa68f44879b4deeb356aa264523f3e6f0fce2c1898ca2e02309c90c2a0acbc34
Instruction Fuzzy Hash: B191E175A00268DFDB02DFA6C885BBEB7B9FF45314F114629EA00EB2D1D774A941CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0038948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: b058a5661b5c1c8d2fa9f4f651a84730e0ac6744a16d6505b2061966bbd7c414
Instruction ID: 35685665b2642e265abae0366d339d0228d27087be00e7ec2ff107786df6aa35
Opcode Fuzzy Hash: b058a5661b5c1c8d2fa9f4f651a84730e0ac6744a16d6505b2061966bbd7c414
Instruction Fuzzy Hash: 42911771900219EFCB11DFA9C884AEEBBB8FF49320F18459AE915B7251D374AA41CF60

Uniqueness

Uniqueness Score: -1.00%

Function 003F3947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 003F396B
CharUpperBuffW.USER32(?,?), ref: 003F3A7A
_wcslen.LIBCMT ref: 003F3A8A
VariantClear.OLEAUT32(?), ref: 003F3C1F

Part of subcall function 003E0CDF: VariantInit.OLEAUT32(00000000), ref: 003E0D1F
Part of subcall function 003E0CDF: VariantCopy.OLEAUT32(?,?), ref: 003E0D28
Part of subcall function 003E0CDF: VariantClear.OLEAUT32(?), ref: 003E0D34

Strings

Incorrect Parameter format, xrefs: 003F39A6, 003F3BA1
AUTOIT.ERROR, xrefs: 003F3A80, 003F3A85

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: c302ab5c9e30515a7ff91926245996195e7763159a501ed468a4a5420f2447e3
Instruction ID: 7f68eae111bab92acd3eaec91fbf816571a1bfce21cf937cbebcb1be5b1f2f4d
Opcode Fuzzy Hash: c302ab5c9e30515a7ff91926245996195e7763159a501ed468a4a5420f2447e3
Instruction Fuzzy Hash: 59918A746083059FCB15EF28C48196AB7E4FF88314F14896EF98A9B351DB31EE45CB92

Uniqueness

Uniqueness Score: -1.00%

Function 003F4BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 003D000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,003CFF41,80070057,?,?,?,003D035E), ref: 003D002B
Part of subcall function 003D000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,003CFF41,80070057,?,?), ref: 003D0046
Part of subcall function 003D000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,003CFF41,80070057,?,?), ref: 003D0054
Part of subcall function 003D000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,003CFF41,80070057,?), ref: 003D0064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 003F4C51
_wcslen.LIBCMT ref: 003F4D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 003F4DCF
CoTaskMemFree.OLE32(?), ref: 003F4DDA

Strings

NULL Pointer assignment, xrefs: 003F4E23, 003F4E52

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 685d8e292f9051ee65b8e8638fc0f37f2dc0baa0458cd8902018dab88f046eb2
Instruction ID: dcfad94634e0fe26a872d5754c44b64ac93723844a3136235f71da597f0a918e
Opcode Fuzzy Hash: 685d8e292f9051ee65b8e8638fc0f37f2dc0baa0458cd8902018dab88f046eb2
Instruction Fuzzy Hash: C2910A71D0021DEFDF26DFA4D891EEEB7B8BF48314F10816AE519AB251DB349A448F60

Uniqueness

Uniqueness Score: -1.00%

Function 004020FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00402183
GetMenuItemCount.USER32(00000000), ref: 004021B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 004021DD
_wcslen.LIBCMT ref: 00402213
GetMenuItemID.USER32(?,?), ref: 0040224D
GetSubMenu.USER32(?,?), ref: 0040225B

Part of subcall function 003D3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 003D3A57
Part of subcall function 003D3A3D: GetCurrentThreadId.KERNEL32 ref: 003D3A5E
Part of subcall function 003D3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,003D25B3), ref: 003D3A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 004022E3

Part of subcall function 003DE97B: Sleep.KERNEL32 ref: 003DE9F3

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 910b7bec19ecb59effe4972564fc624a503fd1dc29a498f7f5f6f2fbed9509ee
Instruction ID: 119edc1eeb309ebbf6aa019364f9eb206b0bec22743727bc6e7a4db5f901f08f
Opcode Fuzzy Hash: 910b7bec19ecb59effe4972564fc624a503fd1dc29a498f7f5f6f2fbed9509ee
Instruction Fuzzy Hash: 4A718375A00215AFCB11EFA4C985AAEB7F5EF48310F1484A9E816FB381D778ED418B94

Uniqueness

Uniqueness Score: -1.00%

Function 003DAEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 003DAEF9
GetKeyboardState.USER32(?), ref: 003DAF0E
SetKeyboardState.USER32(?), ref: 003DAF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 003DAF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 003DAFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 003DAFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 003DB020

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 891f3067d93fafee15b42e649df282b7f38da3ad0a3c91c77010722181a4869a
Instruction ID: 2bde09360076d66d81dd5b666d7b41b372bdb14924394bb6e7ccd57c2ee1679b
Opcode Fuzzy Hash: 891f3067d93fafee15b42e649df282b7f38da3ad0a3c91c77010722181a4869a
Instruction Fuzzy Hash: 335103A2A04BD57DFB3343349C45BBBBEE95B06304F0A898AE1D9559C2C3D8ADC8D351

Uniqueness

Uniqueness Score: -1.00%

Function 003DACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 003DAD19
GetKeyboardState.USER32(?), ref: 003DAD2E
SetKeyboardState.USER32(?), ref: 003DAD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 003DADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 003DADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 003DAE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 003DAE38

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: bae9a32ef09c82999887f15345d4d5a57f66901b1e26f2851ad27d81232b31c7
Instruction ID: 920769793d57a9e3b24b53e4c21bcc1a6800688ee594826ef8ea8c5824fe26cf
Opcode Fuzzy Hash: bae9a32ef09c82999887f15345d4d5a57f66901b1e26f2851ad27d81232b31c7
Instruction Fuzzy Hash: 54512AA3504BD53DFB334334DD55B7ABF996B06300F09898AE0D546AC2C394EC98E362

Uniqueness

Uniqueness Score: -1.00%

Function 003A542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(003B3CD6,?,?,?,?,?,?,?,?,003A5BA3,?,?,003B3CD6,?,?), ref: 003A5470
__fassign.LIBCMT ref: 003A54EB
__fassign.LIBCMT ref: 003A5506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,003B3CD6,00000005,00000000,00000000), ref: 003A552C
WriteFile.KERNEL32(?,003B3CD6,00000000,003A5BA3,00000000,?,?,?,?,?,?,?,?,?,003A5BA3,?), ref: 003A554B
WriteFile.KERNEL32(?,?,00000001,003A5BA3,00000000,?,?,?,?,?,?,?,?,?,003A5BA3,?), ref: 003A5584

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: a82b23714d93a5bf9d298251f9682e2829c0a3f9cc10321497dc29863b06f9cf
Instruction ID: ca9b67b8cdaee76c2a193f2af34197dff163c1b15b7dcbb9d225d39953ca9e7a
Opcode Fuzzy Hash: a82b23714d93a5bf9d298251f9682e2829c0a3f9cc10321497dc29863b06f9cf
Instruction Fuzzy Hash: 5551C571E006499FDB11CFA8D885AEEBBF9EF0A300F14412AF956E7291D730DA45CB64

Uniqueness

Uniqueness Score: -1.00%

Function 003F10B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 003F304E: inet_addr.WSOCK32(?), ref: 003F307A
Part of subcall function 003F304E: _wcslen.LIBCMT ref: 003F309B

socket.WSOCK32(00000002,00000001,00000006), ref: 003F1112
WSAGetLastError.WSOCK32 ref: 003F1121
WSAGetLastError.WSOCK32 ref: 003F11C9
closesocket.WSOCK32(00000000), ref: 003F11F9

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 0936ee9880f1e68a83bdbbe05f8e6a49c6e0ac998e8027fc41c9a6567621ad34
Instruction ID: 147c845c5099f860d8232e389ad60ca816ecd76c469f869591c0684b68cb8d61
Opcode Fuzzy Hash: 0936ee9880f1e68a83bdbbe05f8e6a49c6e0ac998e8027fc41c9a6567621ad34
Instruction Fuzzy Hash: 2B41D431600208EFDB219F24D885BBAB7E9EF45324F148169FA19AF291C774AD41CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 003DCF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 003DDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,003DCF22,?), ref: 003DDDFD

Part of subcall function 003DDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,003DCF22,?), ref: 003DDE16

lstrcmpiW.KERNEL32(?,?), ref: 003DCF45
MoveFileW.KERNEL32(?,?), ref: 003DCF7F
_wcslen.LIBCMT ref: 003DD005
_wcslen.LIBCMT ref: 003DD01B
SHFileOperationW.SHELL32(?), ref: 003DD061

Strings

\*.*, xrefs: 003DCFF3

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 58fbcc52cf14a05b4fa85b9da9d0aab39ddb5d52344b7911d2e9a2a0cd380064
Instruction ID: 480e316087b1ff632e4de6dbe055005925f76eb6087d65a160e24000485b5826
Opcode Fuzzy Hash: 58fbcc52cf14a05b4fa85b9da9d0aab39ddb5d52344b7911d2e9a2a0cd380064
Instruction Fuzzy Hash: 714156729552199FDF13EBA4D981EDDB7BDAF08780F1000E7E509EB241EB34A648CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00402DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00402E1C
GetWindowLongW.USER32(00000000,000000F0), ref: 00402E4F
GetWindowLongW.USER32(00000000,000000F0), ref: 00402E84
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00402EB6
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00402EE0
GetWindowLongW.USER32(00000000,000000F0), ref: 00402EF1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00402F0B

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 539af94d766928d004d985f5f1874b385dd7531e2097d5495ea5450a56d92259
Instruction ID: d3cccf2422f1d46d505961081031bee019b921736404247e78e31c904dd6afc9
Opcode Fuzzy Hash: 539af94d766928d004d985f5f1874b385dd7531e2097d5495ea5450a56d92259
Instruction Fuzzy Hash: AF310734684150EFDB21CF58DE88F6637E5EB8A750F150176FA04AB2F1CBB5A840DB89

Uniqueness

Uniqueness Score: -1.00%

Function 003D7726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 003D7769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 003D778F
SysAllocString.OLEAUT32(00000000), ref: 003D7792
SysAllocString.OLEAUT32(?), ref: 003D77B0
SysFreeString.OLEAUT32(?), ref: 003D77B9
StringFromGUID2.OLE32(?,?,00000028), ref: 003D77DE
SysAllocString.OLEAUT32(?), ref: 003D77EC

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 701f1bb87bf5438b472bed9cca20c567b4b90556ee6fa33cb0f34d89d88db265
Instruction ID: 4ad2638a2898fb0983182720c7810614b34824a7e2c6bae065f6eaeef5b7e18a
Opcode Fuzzy Hash: 701f1bb87bf5438b472bed9cca20c567b4b90556ee6fa33cb0f34d89d88db265
Instruction Fuzzy Hash: DA21B076604219AFDB11EFB8DC88CBB73ACFB093647008926FA14DB290E670DC418B64

Uniqueness

Uniqueness Score: -1.00%

Function 003D77FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 003D7842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 003D7868
SysAllocString.OLEAUT32(00000000), ref: 003D786B
SysAllocString.OLEAUT32 ref: 003D788C
SysFreeString.OLEAUT32 ref: 003D7895
StringFromGUID2.OLE32(?,?,00000028), ref: 003D78AF
SysAllocString.OLEAUT32(?), ref: 003D78BD

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 671cc77b8db4024698e6eab25472220e4f861f71680e6ca707f9492ee5fdb8bc
Instruction ID: 36bba7f77379beca84655be5867aff107ff56716361638807e24a4ea40029c8b
Opcode Fuzzy Hash: 671cc77b8db4024698e6eab25472220e4f861f71680e6ca707f9492ee5fdb8bc
Instruction Fuzzy Hash: 3F218632604204EFDB11AFB8DC8EDAA77ECFB097607118126F915DB2A1E670DC41DB68

Uniqueness

Uniqueness Score: -1.00%

Function 003E04D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 003E04F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 003E052E

Strings

nul, xrefs: 003E0567

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 7f023ce5379895187af463a2121e1c38e7f73502821c0fa01cf85303614a5e8e
Instruction ID: 76f7675ac2fcf7048197b089497155198802cfd00e169af3dbb66d4d0f8aab04
Opcode Fuzzy Hash: 7f023ce5379895187af463a2121e1c38e7f73502821c0fa01cf85303614a5e8e
Instruction Fuzzy Hash: D1218D75504355EBDB259F2ADC44A9A77B8AF46724F204B29F8E1E62E0D7B0D980CF20

Uniqueness

Uniqueness Score: -1.00%

Function 003E05A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 003E05C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 003E0601

Strings

nul, xrefs: 003E0639

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 9ee1400e97b54fd03ea7d898cadfde03f4130c13ce73f235e6af0614ee86564a
Instruction ID: 32c63cbc17a9267e8526e159086d064b3d1630e399e43d283ce3c9162fef36c1
Opcode Fuzzy Hash: 9ee1400e97b54fd03ea7d898cadfde03f4130c13ce73f235e6af0614ee86564a
Instruction Fuzzy Hash: 02219F35500365DBDB259F6A9C44B9A77A8EF85720F200B19E8A1E72E0D7B098A0CB14

Uniqueness

Uniqueness Score: -1.00%

Function 004040AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0037600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0037604C
Part of subcall function 0037600E: GetStockObject.GDI32(00000011), ref: 00376060
Part of subcall function 0037600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0037606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00404112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0040411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0040412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00404139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00404145

Strings

Msctls_Progress32, xrefs: 004040E3

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: e7d426e5f884652880c4722bb6f3521353b51b38edfbe5a075884771f407c4f7
Instruction ID: 8aa0cab16fec5c3c3d333e99afab9de84d0676911ea25425d83e85c8a3cbaf53
Opcode Fuzzy Hash: e7d426e5f884652880c4722bb6f3521353b51b38edfbe5a075884771f407c4f7
Instruction Fuzzy Hash: 6311B6B214011DBEEF219F64CC86EE77F5DEF08798F004121B718A6190CB769C61DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 003AD7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 003AD7A3: _free.LIBCMT ref: 003AD7CC

_free.LIBCMT ref: 003AD82D

Part of subcall function 003A29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,003AD7D1,00000000,00000000,00000000,00000000,?,003AD7F8,00000000,00000007,00000000,?,003ADBF5,00000000), ref: 003A29DE
Part of subcall function 003A29C8: GetLastError.KERNEL32(00000000,?,003AD7D1,00000000,00000000,00000000,00000000,?,003AD7F8,00000000,00000007,00000000,?,003ADBF5,00000000,00000000), ref: 003A29F0

_free.LIBCMT ref: 003AD838
_free.LIBCMT ref: 003AD843
_free.LIBCMT ref: 003AD897
_free.LIBCMT ref: 003AD8A2
_free.LIBCMT ref: 003AD8AD
_free.LIBCMT ref: 003AD8B8

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 1fb63285f9c56c4f7c83b1c46e82600fd9d055a38eb6ea40749a365d986213d5
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 31112171540B04AAD567BFB0CC4BFCB7BDCEF07700F404829B29AAE8A2DB67B5154651

Uniqueness

Uniqueness Score: -1.00%

Function 003DDA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 003DDA74
LoadStringW.USER32(00000000), ref: 003DDA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 003DDA91
LoadStringW.USER32(00000000), ref: 003DDA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 003DDADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 003DDAB9

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: f1168b336655925d872902093b5c6f8b51090074e6c2c91d9b4c8e562d6fdd52
Instruction ID: 4a3714a1a480eca7f9cf81999cc6d2d97784ae2563232b7c44d4c378d782de68
Opcode Fuzzy Hash: f1168b336655925d872902093b5c6f8b51090074e6c2c91d9b4c8e562d6fdd52
Instruction Fuzzy Hash: 860162F6900208BFE7119BA49EC9EE7326CE708301F4449A2B706F6081E6749E844F78

Uniqueness

Uniqueness Score: -1.00%

Function 003E096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(00D8E578,00D8E578), ref: 003E097B
EnterCriticalSection.KERNEL32(00D8E558,00000000), ref: 003E098D
TerminateThread.KERNEL32(00000000,000001F6), ref: 003E099B
WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 003E09A9
CloseHandle.KERNEL32(00000000), ref: 003E09B8
InterlockedExchange.KERNEL32(00D8E578,000001F6), ref: 003E09C8
LeaveCriticalSection.KERNEL32(00D8E558), ref: 003E09CF

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: f2a896317e966c60ae4e53948426d34895af459c1a389a75e198bc919f84fb05
Instruction ID: 2b0e951a412a50a6beefea964218dae10655f6b3786ea0723c5317fe73ef07fb
Opcode Fuzzy Hash: f2a896317e966c60ae4e53948426d34895af459c1a389a75e198bc919f84fb05
Instruction Fuzzy Hash: 94F01D31442512EBD7465FA4EFC8AD67A25BF01702F401225F10160CA1C7749465CF94

Uniqueness

Uniqueness Score: -1.00%

Function 003F1C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?), ref: 003F1DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 003F1DE1
WSAGetLastError.WSOCK32 ref: 003F1DF2
htons.WSOCK32(?), ref: 003F1EDB
inet_ntoa.WSOCK32(?), ref: 003F1E8C

Part of subcall function 003D39E8: _strlen.LIBCMT ref: 003D39F2

Part of subcall function 003F3224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,003EEC0C), ref: 003F3240

_strlen.LIBCMT ref: 003F1F35

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: e867b841eb423bb0c84130142054e5bedb9be5f577de34b5506e30c3bb66224d
Instruction ID: f734fa1215a87712c60baf8a01cdc4fdf9b0f412ef77a776f75d8a8304f31ea1
Opcode Fuzzy Hash: e867b841eb423bb0c84130142054e5bedb9be5f577de34b5506e30c3bb66224d
Instruction Fuzzy Hash: 6EB1DD31204344EFC326EF24D891E3AB7A5AF84318F548A5CF55A5F2A2CB31ED41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 003A01B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 003A00BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 003A00D6
__allrem.LIBCMT ref: 003A00ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 003A010B
__allrem.LIBCMT ref: 003A0122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 003A0140

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: 75437bfd2d9815ef6c844d77a7f14b00d2c3029fd4eee3eec147697f53783b1a
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: FF811776A007069FEB269F78CC41BABB3E8EF42724F25463AF551DB681E774D9008B50

Uniqueness

Uniqueness Score: -1.00%

Function 003A61FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,003982D9,003982D9,?,?,?,003A644F,00000001,00000001,8BE85006), ref: 003A6258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,003A644F,00000001,00000001,8BE85006,?,?,?), ref: 003A62DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 003A63D8
__freea.LIBCMT ref: 003A63E5

Part of subcall function 003A3820: RtlAllocateHeap.NTDLL(00000000,?,00441444,?,0038FDF5,?,?,0037A976,00000010,00441440,003713FC,?,003713C6,?,00371129), ref: 003A3852

__freea.LIBCMT ref: 003A63EE
__freea.LIBCMT ref: 003A6413

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: e40a2c737b88fd044169f8f5916ddf5c668b0fb4b6e65b22ea8f02179c510b6d
Instruction ID: 8105d3485dbc01e21882946602313c07c1805ef7e1ca540e16169715d044424e
Opcode Fuzzy Hash: e40a2c737b88fd044169f8f5916ddf5c668b0fb4b6e65b22ea8f02179c510b6d
Instruction Fuzzy Hash: 4D51B472A00216AFDF278F64CC82EAF77A9EF46750F1A4629FD05DA190DB34DC45C660

Uniqueness

Uniqueness Score: -1.00%

Function 003FBBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00379CB3: _wcslen.LIBCMT ref: 00379CBD

Part of subcall function 003FC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,003FB6AE,?,?), ref: 003FC9B5
Part of subcall function 003FC998: _wcslen.LIBCMT ref: 003FC9F1
Part of subcall function 003FC998: _wcslen.LIBCMT ref: 003FCA68
Part of subcall function 003FC998: _wcslen.LIBCMT ref: 003FCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 003FBCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 003FBD25
RegCloseKey.ADVAPI32(00000000), ref: 003FBD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 003FBD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 003FBDF3
RegCloseKey.ADVAPI32(?), ref: 003FBDFF

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 3243fd9117d7828eefbdcd6dda0813685349cadce8a0343db2b2c994d1cd5126
Instruction ID: abafbda6018fa209eb918f49d1b59915671d34fde84455e870329a07cc0d61eb
Opcode Fuzzy Hash: 3243fd9117d7828eefbdcd6dda0813685349cadce8a0343db2b2c994d1cd5126
Instruction Fuzzy Hash: 7581A070208245EFD716DF24C881E2ABBE9FF84308F14856DF5594B2A2DB31ED45CB92

Uniqueness

Uniqueness Score: -1.00%

Function 003CF7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 003CF7B9
SysAllocString.OLEAUT32(00000001), ref: 003CF860
VariantCopy.OLEAUT32(003CFA64,00000000), ref: 003CF889
VariantClear.OLEAUT32(003CFA64), ref: 003CF8AD
VariantCopy.OLEAUT32(003CFA64,00000000), ref: 003CF8B1
VariantClear.OLEAUT32(?), ref: 003CF8BB

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 5bdc0dbded7714a0de29e329de2daaa689be11d17931c9c0d3bd84a3d791169e
Instruction ID: 4c38ba58cd43c2266a16a2e02f637dbfa94e28da7d94124710346a8654e227c1
Opcode Fuzzy Hash: 5bdc0dbded7714a0de29e329de2daaa689be11d17931c9c0d3bd84a3d791169e
Instruction Fuzzy Hash: 0A51D135600310FFCF26AB65D895F29B3AAEF45310B20956BE906EF295DB748C40CB97

Uniqueness

Uniqueness Score: -1.00%

Function 003E910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00377620: _wcslen.LIBCMT ref: 00377625

Part of subcall function 00376B57: _wcslen.LIBCMT ref: 00376B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 003E94E5
_wcslen.LIBCMT ref: 003E9506
_wcslen.LIBCMT ref: 003E952D
GetSaveFileNameW.COMDLG32(00000058), ref: 003E9585

Strings

X, xrefs: 003E9412

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: ea4f47103aafe290eca0c6d4cc2adc1b5d17ff0f869650cae03013e2564c6bcf
Instruction ID: 305132647472c3ccc2c474306d4426e4e83831ff784e4a39fc6c12be2708a2de
Opcode Fuzzy Hash: ea4f47103aafe290eca0c6d4cc2adc1b5d17ff0f869650cae03013e2564c6bcf
Instruction Fuzzy Hash: D9E1C2305043509FD726DF25C481B6AB7E4BF85314F058A6EF8899B2E2DB30ED05CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0038920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00389BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00389BB2

BeginPaint.USER32(?,?,?), ref: 00389241
GetWindowRect.USER32(?,?), ref: 003892A5
ScreenToClient.USER32(?,?), ref: 003892C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 003892D3
EndPaint.USER32(?,?,?,?,?), ref: 00389321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 003C71EA

Part of subcall function 00389339: BeginPath.GDI32(00000000), ref: 00389357

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 6e7d5bab1bbfcfb6532411cd0a79b5f14e97dd985f92443a0e14c45a4427d077
Instruction ID: a6a0eee0223402cf336cfb27df321a88f428b88a7c5d80b621bf3becaabb1561
Opcode Fuzzy Hash: 6e7d5bab1bbfcfb6532411cd0a79b5f14e97dd985f92443a0e14c45a4427d077
Instruction Fuzzy Hash: D8418074104300EFD722EF24D885FBA7BA8EB4A320F18066AF9959B1F1C7719845DB65

Uniqueness

Uniqueness Score: -1.00%

Function 003E07EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 003E080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 003E0847
EnterCriticalSection.KERNEL32(?), ref: 003E0863
LeaveCriticalSection.KERNEL32(?), ref: 003E08DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 003E08F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 003E0921

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 94d4f33bc7310d5c77bcc50fa7f09bf85627074b5f1de3f05f64741882182cc2
Instruction ID: 31fec14e673ff73b9ab8a971c2cb2309c4186f35b5266b0f5f2ecb0d31947f2e
Opcode Fuzzy Hash: 94d4f33bc7310d5c77bcc50fa7f09bf85627074b5f1de3f05f64741882182cc2
Instruction Fuzzy Hash: C9415A71900205EFDF15AF54DC85A6AB778FF44300B1441A9E900AE297DB70EE60DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004081DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,003CF3AB,00000000,?,?,00000000,?,003C682C,00000004,00000000,00000000), ref: 0040824C
EnableWindow.USER32(00000000,00000000), ref: 00408272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 004082D1
ShowWindow.USER32(00000000,00000004), ref: 004082E5
EnableWindow.USER32(00000000,00000001), ref: 0040830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0040832F

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: e8d672a699b6861628bad4a8c1b730ac3eaf91633c746b4f985c6b3034711a77
Instruction ID: 7a4967caaecb2dbbe0340c3b4b31896dd3f68e0010469eee2b03e6d2878326c0
Opcode Fuzzy Hash: e8d672a699b6861628bad4a8c1b730ac3eaf91633c746b4f985c6b3034711a77
Instruction Fuzzy Hash: 94419534601644EFDF21CF15CA99FA57BE0BB4A714F1842BEE9486B2F2CB365841CB58

Uniqueness

Uniqueness Score: -1.00%

Function 003D4C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 003D4C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 003D4CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 003D4CEA
_wcslen.LIBCMT ref: 003D4D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 003D4D10
_wcsstr.LIBVCRUNTIME ref: 003D4D1A

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 48e0bf9f14619fb8bdfb4592f6a3e45e96accbcee1d84fa276d6ed5140fb1e94
Instruction ID: 97f448390abb293e0ea0974a777354668a9d5293a88bc4e31e3c65ce7ffd0d42
Opcode Fuzzy Hash: 48e0bf9f14619fb8bdfb4592f6a3e45e96accbcee1d84fa276d6ed5140fb1e94
Instruction Fuzzy Hash: 0B210432204200BBEB266B39BC49E7B7B9DDF45750F10807AF809DA292EA71DC4187A0

Uniqueness

Uniqueness Score: -1.00%

Function 003E581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00373AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00373A97,?,?,00372E7F,?,?,?,00000000), ref: 00373AC2

_wcslen.LIBCMT ref: 003E587B
CoInitialize.OLE32(00000000), ref: 003E5995
CoCreateInstance.OLE32(0040FCF8,00000000,00000001,0040FB68,?), ref: 003E59AE
CoUninitialize.OLE32 ref: 003E59CC

Strings

.lnk, xrefs: 003E5876, 003E58C1, 003E5985

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 50b6c061d9cf875354b715712f61bb7d070457b3a38c3c5c5295d24e544c1e37
Instruction ID: 499aa0f1ec5cf9ccd959bcb4325fba6b3e22b84df5c532ec94f28dd9df74c658
Opcode Fuzzy Hash: 50b6c061d9cf875354b715712f61bb7d070457b3a38c3c5c5295d24e544c1e37
Instruction Fuzzy Hash: 33D17571604711DFC716DF25C480A6ABBE1EF89728F118A5DF8899B3A2C731EC05CB92

Uniqueness

Uniqueness Score: -1.00%

Function 003D175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 003D0FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 003D0FCA
Part of subcall function 003D0FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 003D0FD6
Part of subcall function 003D0FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 003D0FE5
Part of subcall function 003D0FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 003D0FEC
Part of subcall function 003D0FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 003D1002

GetLengthSid.ADVAPI32(?,00000000,003D1335), ref: 003D17AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 003D17BA
HeapAlloc.KERNEL32(00000000), ref: 003D17C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 003D17DA
GetProcessHeap.KERNEL32(00000000,00000000,003D1335), ref: 003D17EE
HeapFree.KERNEL32(00000000), ref: 003D17F5

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: ccb4ebe1d8da6e3546aa5b5c2f1a16d0cb425338b4988400259f8a253d9a6658
Instruction ID: b9d170ea41431abb81620f5d0cfcdfe0666d95604510aba71e6e6ca962d32a2e
Opcode Fuzzy Hash: ccb4ebe1d8da6e3546aa5b5c2f1a16d0cb425338b4988400259f8a253d9a6658
Instruction Fuzzy Hash: D711BE72600205FFDB219FA4ED89FAF7BB9FB45355F10422AF441AB220C736A940CB60

Uniqueness

Uniqueness Score: -1.00%

Function 003D14CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 003D14FF
OpenProcessToken.ADVAPI32(00000000), ref: 003D1506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 003D1515
CloseHandle.KERNEL32(00000004), ref: 003D1520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 003D154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 003D1563

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 21319b6b5a886f0dc47702a6d7d432ad549356c6b8ad34394440252c2681207b
Instruction ID: 73b6424108ae8d806e2bafcc8a85b4a6eef0dde5561ac9c91036c46aa2b22cdf
Opcode Fuzzy Hash: 21319b6b5a886f0dc47702a6d7d432ad549356c6b8ad34394440252c2681207b
Instruction Fuzzy Hash: 47112972500209FBDF128FA8EE49BDE7BB9EF49744F058125FA05A21A0C3758E60DB60

Uniqueness

Uniqueness Score: -1.00%

Function 00393382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00393379,00392FE5), ref: 00393390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0039339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 003933B7
SetLastError.KERNEL32(00000000,?,00393379,00392FE5), ref: 00393409

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 8a4b2a6be941dd8f3504141438609e809d90be37a8212b280fb6d868e4e16b04
Instruction ID: 623a69b721445398cd6f76b0cf36ecf48f1021f0eac634963cdfcd1f5ee7c625
Opcode Fuzzy Hash: 8a4b2a6be941dd8f3504141438609e809d90be37a8212b280fb6d868e4e16b04
Instruction Fuzzy Hash: 250124B224D312BEEF2B27B97DC59672AA4EB153793210339F810991F0EF214D015248

Uniqueness

Uniqueness Score: -1.00%

Function 003A2D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,003A5686,003B3CD6,?,00000000,?,003A5B6A,?,?,?,?,?,0039E6D1,?,00438A48), ref: 003A2D78
_free.LIBCMT ref: 003A2DAB
_free.LIBCMT ref: 003A2DD3
SetLastError.KERNEL32(00000000,?,?,?,?,0039E6D1,?,00438A48,00000010,00374F4A,?,?,00000000,003B3CD6), ref: 003A2DE0
SetLastError.KERNEL32(00000000,?,?,?,?,0039E6D1,?,00438A48,00000010,00374F4A,?,?,00000000,003B3CD6), ref: 003A2DEC
_abort.LIBCMT ref: 003A2DF2

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 091f4fffe6d59fec223f9f1cddf540d8dd73c95ebda25eb2b1002928475166b3
Instruction ID: ecbe3d20a2bde0c8bd32776891ed0110c494bf46ee76ca8870de3a05326fc16a
Opcode Fuzzy Hash: 091f4fffe6d59fec223f9f1cddf540d8dd73c95ebda25eb2b1002928475166b3
Instruction Fuzzy Hash: 92F0C232545A006BC623273DBC4AF5B365AEFC37A1F260628F834AA1D3EF3488015265

Uniqueness

Uniqueness Score: -1.00%

Function 00408A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00389639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00389693
Part of subcall function 00389639: SelectObject.GDI32(?,00000000), ref: 003896A2
Part of subcall function 00389639: BeginPath.GDI32(?), ref: 003896B9
Part of subcall function 00389639: SelectObject.GDI32(?,00000000), ref: 003896E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00408A4E
LineTo.GDI32(?,00000003,00000000), ref: 00408A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00408A70
LineTo.GDI32(?,00000000,00000003), ref: 00408A80
EndPath.GDI32(?), ref: 00408A90
StrokePath.GDI32(?), ref: 00408AA0

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 164e44c407e12cd9003d784939ab7599d31f874fd0409cd8107f295f7531f91c
Instruction ID: 9edc487609da31e553c2df0590724f9dd9cdfbafc612ab1f82b657892c91478a
Opcode Fuzzy Hash: 164e44c407e12cd9003d784939ab7599d31f874fd0409cd8107f295f7531f91c
Instruction Fuzzy Hash: 8111177600010CFFEF129F90DD88EAA7F6CEB08350F048122FA19AA1A1C7719D95DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 003D51FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 003D5218
GetDeviceCaps.GDI32(00000000,00000058), ref: 003D5229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 003D5230
ReleaseDC.USER32(00000000,00000000), ref: 003D5238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 003D524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 003D5261

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: ddde769e1bb3249919f9be839a6b33f02a9b17e771358cc033ff236479ab0795
Instruction ID: bba351f27f3a532546ec7f3c74bbcf56d93a79fc4d75566eb4079d7c5ff452be
Opcode Fuzzy Hash: ddde769e1bb3249919f9be839a6b33f02a9b17e771358cc033ff236479ab0795
Instruction Fuzzy Hash: 07018F75A01708FBEB109BA59D89F4EBFB8EB48351F044566FA04AB280D6709C04CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00371BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00371BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00371BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00371C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00371C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00371C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00371C22

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 8f7cc237e81da5c842682182284883185508f11a56cde9552644de574556804f
Instruction ID: b17aa6607ba9858041bb864917bff1697e0a552c25d371580589993b1c345298
Opcode Fuzzy Hash: 8f7cc237e81da5c842682182284883185508f11a56cde9552644de574556804f
Instruction Fuzzy Hash: 07016CB0902759BDE3008F5A8C85B52FFA8FF19354F00411B915C47941C7F5A864CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 003DEB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 003DEB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 003DEB46
GetWindowThreadProcessId.USER32(?,?), ref: 003DEB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 003DEB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 003DEB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 003DEB75

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 2a38d5d4b5904fc9dc31891c78a58666b415bf0e5e6c65a854219e270eaae2e7
Instruction ID: 3826180105263fa5d9e4d5136b72b845248ce26cc0952d550f4c0ce03fdf84d6
Opcode Fuzzy Hash: 2a38d5d4b5904fc9dc31891c78a58666b415bf0e5e6c65a854219e270eaae2e7
Instruction Fuzzy Hash: E1F03072140158FBE72157629D4DEEF3E7CEFCAB11F004269F601E5191D7B15A01CAB9

Uniqueness

Uniqueness Score: -1.00%

Function 003C7439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 003C7452
SendMessageW.USER32(?,00001328,00000000,?), ref: 003C7469
GetWindowDC.USER32(?), ref: 003C7475
GetPixel.GDI32(00000000,?,?), ref: 003C7484
ReleaseDC.USER32(?,00000000), ref: 003C7496
GetSysColor.USER32(00000005), ref: 003C74B0

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 2c63ab5e92f27980dda6ca54927e93d49f15f3e349dfe589d124ca06b6ebaa04
Instruction ID: 3203ba67490369e908c38c4d2bb3fe01cb6d7ce46d74fbc4a4edea35f33f402f
Opcode Fuzzy Hash: 2c63ab5e92f27980dda6ca54927e93d49f15f3e349dfe589d124ca06b6ebaa04
Instruction Fuzzy Hash: A7017831400215EFEB215F64DD48BAA7BB9FB04321F110664FE15A20A0CB311E41AF54

Uniqueness

Uniqueness Score: -1.00%

Function 003D1874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 003D187F
UnloadUserProfile.USERENV(?,?), ref: 003D188B
CloseHandle.KERNEL32(?), ref: 003D1894
CloseHandle.KERNEL32(?), ref: 003D189C
GetProcessHeap.KERNEL32(00000000,?), ref: 003D18A5
HeapFree.KERNEL32(00000000), ref: 003D18AC

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: a906a694b908f4fea31940c0648d38793f93fb378d1ffd59ec3f91992a9a41b8
Instruction ID: 6417558baee8d7b0c1a9fd6010d56d01d3c69fad6f71c3c71cca34e46f1e77ce
Opcode Fuzzy Hash: a906a694b908f4fea31940c0648d38793f93fb378d1ffd59ec3f91992a9a41b8
Instruction Fuzzy Hash: A4E0C236004101FBDA016BB1EE4CD0ABB39FB49B22B108330F225A50B0CB329420DF98

Uniqueness

Uniqueness Score: -1.00%

Function 0037BBE0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0037BEB3

Strings

D%D, xrefs: 0037BDED, 0037BD91, 0037BD1B
D%DD%D, xrefs: 0037BCA5
D%D, xrefs: 0037BCA2
D%D, xrefs: 0037BE9A

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: Init_thread_footer
String ID: D%D$D%D$D%D$D%DD%D
API String ID: 1385522511-2851881395
Opcode ID: 36828c531a990163e70055d45e571f33880f933d40f7a716c24c81c6ff4f5da4
Instruction ID: 80dedb854c564fef468c9944ffd24fa73b3fca05daf6070f296b46a0bf8c5d67
Opcode Fuzzy Hash: 36828c531a990163e70055d45e571f33880f933d40f7a716c24c81c6ff4f5da4
Instruction Fuzzy Hash: 5F916B75A0020ADFCB2ACF58C0917AAF7F5FF58310F25C16AE949AB350D775A981CB90

Uniqueness

Uniqueness Score: -1.00%

Function 003F7B7E Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00390242: EnterCriticalSection.KERNEL32(0044070C,00441884,?,?,0038198B,00442518,?,?,?,003712F9,00000000), ref: 0039024D
Part of subcall function 00390242: LeaveCriticalSection.KERNEL32(0044070C,?,0038198B,00442518,?,?,?,003712F9,00000000), ref: 0039028A

Part of subcall function 00379CB3: _wcslen.LIBCMT ref: 00379CBD

Part of subcall function 003900A3: __onexit.LIBCMT ref: 003900A9

__Init_thread_footer.LIBCMT ref: 003F7BFB

Part of subcall function 003901F8: EnterCriticalSection.KERNEL32(0044070C,?,?,00388747,00442514), ref: 00390202
Part of subcall function 003901F8: LeaveCriticalSection.KERNEL32(0044070C,?,00388747,00442514), ref: 00390235

Strings

G, xrefs: 003F7C7F
+T<, xrefs: 003F7E2E
5, xrefs: 003F7C78
Variable must be of type 'Object'., xrefs: 003F7C3A

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: +T<$5$G$Variable must be of type 'Object'.
API String ID: 535116098-2746437690
Opcode ID: 2ed0cfa645f02ace88780a2a81255230ff1f47aa3242ea00d4eeed8fc3684ed7
Instruction ID: 1d1520874a72de0ea2e1aeb441122bcaaf66dbb3e0e75ea7a385eb938bed2ba1
Opcode Fuzzy Hash: 2ed0cfa645f02ace88780a2a81255230ff1f47aa3242ea00d4eeed8fc3684ed7
Instruction Fuzzy Hash: 4D919B74A04209EFCB16EF54D891DBDB7B5FF49300F50805AFA06AB2A2DB71AE41CB51

Uniqueness

Uniqueness Score: -1.00%

Function 003DC5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00377620: _wcslen.LIBCMT ref: 00377625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 003DC6EE
_wcslen.LIBCMT ref: 003DC735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 003DC79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 003DC7CA

Strings

0, xrefs: 003DC6AF

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 5b4ce38c1df8093326c47c9ff45bd454960bd5fb136f80508be25449bbcea7ed
Instruction ID: 790420aae74a8554dffce4d963aa2434b787b1d15af6f6d92f3741e05467f183
Opcode Fuzzy Hash: 5b4ce38c1df8093326c47c9ff45bd454960bd5fb136f80508be25449bbcea7ed
Instruction Fuzzy Hash: 8C5102726343029FD7169F28E885B6B77E8AF45310F042A2AF595D73E0DB74D844CB52

Uniqueness

Uniqueness Score: -1.00%

Function 003FAD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 003FAEA3

Part of subcall function 00377620: _wcslen.LIBCMT ref: 00377625

GetProcessId.KERNEL32(00000000), ref: 003FAF38
CloseHandle.KERNEL32(00000000), ref: 003FAF67

Strings

@, xrefs: 003FAE72
<, xrefs: 003FAE6B

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: d12c022b4361b687048a2b42d766e8ca5a60eab42c1aa2d68505e4e559acab8f
Instruction ID: 0c2eb170da08ab78e49b3a6b0aedaa5fbb99d2566cfa85e82954a4fa833409b6
Opcode Fuzzy Hash: d12c022b4361b687048a2b42d766e8ca5a60eab42c1aa2d68505e4e559acab8f
Instruction Fuzzy Hash: CD715A71A00619DFCB16DF54C484AAEBBF0BF08314F1584A9E91AAF352C774ED41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 003D719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 003D7206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 003D723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 003D724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 003D72CF

Strings

DllGetClassObject, xrefs: 003D7242

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 1677c6a7f179e95a063d42b018d49e534ca0e51ff9ae3a8c2ac712b8c0a547e8
Instruction ID: de3dbe95df14ea66670a32bc06b8bd3b4586335b51467b54ba278c27bc5f00cb
Opcode Fuzzy Hash: 1677c6a7f179e95a063d42b018d49e534ca0e51ff9ae3a8c2ac712b8c0a547e8
Instruction Fuzzy Hash: 47418172604204EFDB16CF54D884A9A7BB9EF44310F1585AEBD059F30AE7B5D944CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00402F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00402F8D
LoadLibraryW.KERNEL32(?), ref: 00402F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00402FA9
DestroyWindow.USER32(?), ref: 00402FB1

Strings

SysAnimate32, xrefs: 00402F68

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 9a9137b59eab63cd4a0307dd54af9f95a086ccc322ae1f8db87665883ffe83db
Instruction ID: 34c35f2fa268af2769eda6577c77a3d6b81c2555b29bcd059fabf9b6938b250a
Opcode Fuzzy Hash: 9a9137b59eab63cd4a0307dd54af9f95a086ccc322ae1f8db87665883ffe83db
Instruction Fuzzy Hash: 1121D471100206EBEB115F64DD88EBB77BDEB593A4F10063AF950E22D0C7B5DC41A768

Uniqueness

Uniqueness Score: -1.00%

Function 00394D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00394D1E,003A28E9,?,00394CBE,003A28E9,004388B8,0000000C,00394E15,003A28E9,00000002), ref: 00394D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00394DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00394D1E,003A28E9,?,00394CBE,003A28E9,004388B8,0000000C,00394E15,003A28E9,00000002,00000000), ref: 00394DC3

Strings

CorExitProcess, xrefs: 00394D98
mscoree.dll, xrefs: 00394D86

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 5b46a86efffa9dd90056b4cbb7a087ec2853094ba7de45f1b373037c1a78141e
Instruction ID: 6c11d16d7b0ed871af4fa265ff995d35be68e742efe6563448aa7d50d8121907
Opcode Fuzzy Hash: 5b46a86efffa9dd90056b4cbb7a087ec2853094ba7de45f1b373037c1a78141e
Instruction Fuzzy Hash: 25F0AF34A00208FBDB129F90DC89BEDBBB4EF04712F0002A5F809B62A0DB745981CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00374E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00374EDD,?,00441418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00374E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00374EAE
FreeLibrary.KERNEL32(00000000,?,?,00374EDD,?,00441418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00374EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 00374EA8
kernel32.dll, xrefs: 00374E94

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 723120d5d30dcbdad45c40db4c97ecbe03ba79c686ba419403d34316e7154bea
Instruction ID: 3f11657195f8ac1c653ce3d314a8df893bb267462f3e3402733c62ed7da69587
Opcode Fuzzy Hash: 723120d5d30dcbdad45c40db4c97ecbe03ba79c686ba419403d34316e7154bea
Instruction Fuzzy Hash: 44E08636A02522DBD2321B256C58B6B6594AF81B72B064225FC04F6144DB7CDD0188A8

Uniqueness

Uniqueness Score: -1.00%

Function 00374E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,003B3CDE,?,00441418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00374E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00374E74
FreeLibrary.KERNEL32(00000000,?,?,003B3CDE,?,00441418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00374E87

Strings

Wow64RevertWow64FsRedirection, xrefs: 00374E6E
kernel32.dll, xrefs: 00374E5B

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: d09080ef0622523027bca22289bdbaa5252ed54b13a8df424da5b4ac588d5820
Instruction ID: 6627611ad73bb38880a6c61593fb41a1c4976494adacbedaa60a0366552f06f4
Opcode Fuzzy Hash: d09080ef0622523027bca22289bdbaa5252ed54b13a8df424da5b4ac588d5820
Instruction Fuzzy Hash: 42D0C232502621E7C6331B247C08E8B2A1CEF85B213064331B808FA154CF7CDD019AD8

Uniqueness

Uniqueness Score: -1.00%

Function 003FA387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 003FA427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 003FA435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 003FA468
CloseHandle.KERNEL32(?), ref: 003FA63D

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 83720cba4fee24543ce3d68193793afc4ab938b2ca0379fedcd6ba378f3d4cb8
Instruction ID: 08d871fb248b37b16f853012893ea790af715dac79bc5661bb057c9583907643
Opcode Fuzzy Hash: 83720cba4fee24543ce3d68193793afc4ab938b2ca0379fedcd6ba378f3d4cb8
Instruction Fuzzy Hash: C3A190B16047009FD721DF24C886F2AB7E5AF84714F14885DFA9E9B392D774EC418B92

Uniqueness

Uniqueness Score: -1.00%

Function 003ABB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00413700), ref: 003ABB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0044121C,000000FF,00000000,0000003F,00000000,?,?), ref: 003ABC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00441270,000000FF,?,0000003F,00000000,?), ref: 003ABC36
_free.LIBCMT ref: 003ABB7F

Part of subcall function 003A29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,003AD7D1,00000000,00000000,00000000,00000000,?,003AD7F8,00000000,00000007,00000000,?,003ADBF5,00000000), ref: 003A29DE
Part of subcall function 003A29C8: GetLastError.KERNEL32(00000000,?,003AD7D1,00000000,00000000,00000000,00000000,?,003AD7F8,00000000,00000007,00000000,?,003ADBF5,00000000,00000000), ref: 003A29F0

_free.LIBCMT ref: 003ABD4B

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 2767e9c6165e2985c0100a26ed9c1973a6fccbfceb922e9bf723ea3310d7b5ff
Instruction ID: 9197da89066aaa5273d38078be6d9a9b000bdf2d16cb1263261f0e576c6cda97
Opcode Fuzzy Hash: 2767e9c6165e2985c0100a26ed9c1973a6fccbfceb922e9bf723ea3310d7b5ff
Instruction Fuzzy Hash: 2051FB75900209DFCB16DF659C819AEF7BCFF43320B11426AE555E71A2EB709D808B54

Uniqueness

Uniqueness Score: -1.00%

Function 003DE3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 003DDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,003DCF22,?), ref: 003DDDFD

Part of subcall function 003DDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,003DCF22,?), ref: 003DDE16

Part of subcall function 003DE199: GetFileAttributesW.KERNEL32(?,003DCF95), ref: 003DE19A

lstrcmpiW.KERNEL32(?,?), ref: 003DE473
MoveFileW.KERNEL32(?,?), ref: 003DE4AC
_wcslen.LIBCMT ref: 003DE5EB
_wcslen.LIBCMT ref: 003DE603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 003DE650

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 188255033b600b1e52ca2517d4e693e52b69d5e5be6b408fd3f7f2408ac3ba77
Instruction ID: 7dc18f2f2b997dda5b06f00d36eaf86865bd218a45bdd754405ce388c0ce2c03
Opcode Fuzzy Hash: 188255033b600b1e52ca2517d4e693e52b69d5e5be6b408fd3f7f2408ac3ba77
Instruction Fuzzy Hash: 285184B24083459BC726EB90DC81ADF77ECAF85340F00492FF589DB291EF74A6888756

Uniqueness

Uniqueness Score: -1.00%

Function 003FB9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00379CB3: _wcslen.LIBCMT ref: 00379CBD

Part of subcall function 003FC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,003FB6AE,?,?), ref: 003FC9B5
Part of subcall function 003FC998: _wcslen.LIBCMT ref: 003FC9F1
Part of subcall function 003FC998: _wcslen.LIBCMT ref: 003FCA68
Part of subcall function 003FC998: _wcslen.LIBCMT ref: 003FCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 003FBAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 003FBB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 003FBB63
RegCloseKey.ADVAPI32(?,?), ref: 003FBBA6
RegCloseKey.ADVAPI32(00000000), ref: 003FBBB3

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: d5f183e135ffd46ea7c199776c75bf6e3bf673102b8912e971f0f8b922a37cfc
Instruction ID: e0736415b855b4fc21e78a683523dd81783cd66e9962ee5a7744a6eab0825916
Opcode Fuzzy Hash: d5f183e135ffd46ea7c199776c75bf6e3bf673102b8912e971f0f8b922a37cfc
Instruction Fuzzy Hash: 43618C71208205EFD716DF14C490E2ABBE9FF84308F1485ADF5998B2A2DB35ED45CB92

Uniqueness

Uniqueness Score: -1.00%

Function 003D8BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 003D8BCD
VariantClear.OLEAUT32 ref: 003D8C3E
VariantClear.OLEAUT32 ref: 003D8C9D
VariantClear.OLEAUT32(?), ref: 003D8D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 003D8D3B

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: eaaaa6d0ec9ee3149469e39f87ca5c064a8830c04eb7479acfab7c349a895792
Instruction ID: 2ac91ae09c77386b750b1b089ec4f21a1f2e47255d31d403d7855e40d981eec2
Opcode Fuzzy Hash: eaaaa6d0ec9ee3149469e39f87ca5c064a8830c04eb7479acfab7c349a895792
Instruction Fuzzy Hash: A7516AB5A00219EFCB15CF68D884AAAB7F9FF89314B15856AE905DB350E730E911CF90

Uniqueness

Uniqueness Score: -1.00%

Function 003E8AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 003E8BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 003E8BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 003E8C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 003E8C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 003E8C5F

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 520bbe4706f3e1b546dc1c582841624455e39692115dd39f796ce38ce052dd05
Instruction ID: 147fd4107bdc1ac973f50f7d579dbe5fb4d116794a0e392492749b76f87fe0b5
Opcode Fuzzy Hash: 520bbe4706f3e1b546dc1c582841624455e39692115dd39f796ce38ce052dd05
Instruction Fuzzy Hash: F2514835A00215AFCB16DF65C881A6DBBF5FF49314F18C498E849AB3A2CB35ED51CB90

Uniqueness

Uniqueness Score: -1.00%

Function 003F8EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 003F8F40
GetProcAddress.KERNEL32(00000000,?), ref: 003F8FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 003F8FEC
GetProcAddress.KERNEL32(00000000,?), ref: 003F9032
FreeLibrary.KERNEL32(00000000), ref: 003F9052

Part of subcall function 0038F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,003E1043,?,7644E610), ref: 0038F6E6
Part of subcall function 0038F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,003CFA64,00000000,00000000,?,?,003E1043,?,7644E610,?,003CFA64), ref: 0038F70D

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 5556bb843eb49a0705ab61135435f025e819e8b92419bc2f5b0a44b7d2881aa2
Instruction ID: 31be847ede50efc28b451ab1103a2e9c3a3c5c9e69cad1af2e7a8f2497b2f1cf
Opcode Fuzzy Hash: 5556bb843eb49a0705ab61135435f025e819e8b92419bc2f5b0a44b7d2881aa2
Instruction Fuzzy Hash: 95513934600209DFC716DF58C484AADBBB1FF49324B0581A9E90AAF762DB35ED85CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00406B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00406C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00406C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00406C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,003EAB79,00000000,00000000), ref: 00406C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00406CC7

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 8c9ea448b250702079a9ce6327f1cb0a8aed0a0df4831f2c51e54a3a9329d053
Instruction ID: 01a52d1ab425d0376474e4fcdbdf1f9fd8d9ca7ab77569f77d2e0bd41a808a62
Opcode Fuzzy Hash: 8c9ea448b250702079a9ce6327f1cb0a8aed0a0df4831f2c51e54a3a9329d053
Instruction Fuzzy Hash: DD410A35608114AFE724CF28CD94FA67BA4EB09350F16023AF956B73E0C375ED61CA48

Uniqueness

Uniqueness Score: -1.00%

Function 003A2051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 003A20C3
_free.LIBCMT ref: 003A20E3

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 9e8733f5d0822a1bcc521b2acdc4c87dda01ee935abc4c40693237e110273759
Instruction ID: 3766cb7727156579966240dc0c7f90669011a340e3129239ab20ea1fe0d8a750
Opcode Fuzzy Hash: 9e8733f5d0822a1bcc521b2acdc4c87dda01ee935abc4c40693237e110273759
Instruction Fuzzy Hash: 9A41B176A002009FCB26DF7CC881A5EB7F5EF8A714F1645A9E615EB391DB31AD01CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0038912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00389141
ScreenToClient.USER32(00000000,?), ref: 0038915E
GetAsyncKeyState.USER32(00000001), ref: 00389183
GetAsyncKeyState.USER32(00000002), ref: 0038919D

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 25edc5c88f83a07a670de556e0fb37240e116710669c6b23560a6d07596cfc6f
Instruction ID: 5e98ea654a4e513614ed7744ed4b06e3ad1c0ddf3d3908047d4ba7c8fb9a4538
Opcode Fuzzy Hash: 25edc5c88f83a07a670de556e0fb37240e116710669c6b23560a6d07596cfc6f
Instruction Fuzzy Hash: 70413D31A0861AFBDF16AF64C848BFEB774FB05324F25426AE825A62D0C7746D50CF51

Uniqueness

Uniqueness Score: -1.00%

Function 003E3874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 003E38CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 003E3922
TranslateMessage.USER32(?), ref: 003E394B
DispatchMessageW.USER32(?), ref: 003E3955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 003E3966

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 00e9742bcaaae30e8a61f9c920d17f953b1abaf46bb6187fdd3bdfa8ed08e913
Instruction ID: 92040661f6cbb36671c4b75c051942f7b808a1605dfd0e161488e2fc90eeae18
Opcode Fuzzy Hash: 00e9742bcaaae30e8a61f9c920d17f953b1abaf46bb6187fdd3bdfa8ed08e913
Instruction Fuzzy Hash: 8E31C8745043E1EEEB36CB36984CBB637A8AB06304F050779F452931E1D3F49684CB25

Uniqueness

Uniqueness Score: -1.00%

Function 003ECF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 003ECF38
InternetReadFile.WININET(?,00000000,?,?), ref: 003ECF6F
GetLastError.KERNEL32(?,00000000,?,?,?,003EC21E,00000000), ref: 003ECFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,003EC21E,00000000), ref: 003ECFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,003EC21E,00000000), ref: 003ECFF2

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 0d07966bb558f76764398fef2989cbd0e9e725e80e7c6394a8f0bc9366d752ac
Instruction ID: 83336d2b64a630aaf6e72d2ccc53a64d2aced8887615312da30231ff9a3c4523
Opcode Fuzzy Hash: 0d07966bb558f76764398fef2989cbd0e9e725e80e7c6394a8f0bc9366d752ac
Instruction Fuzzy Hash: C9317C71610355EFDB21DFA6C984AAFBBF9EF04311B10466EF506E2181DB30AE429B60

Uniqueness

Uniqueness Score: -1.00%

Function 003D1901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 003D1915
PostMessageW.USER32(00000001,00000201,00000001), ref: 003D19C1
Sleep.KERNEL32(00000000,?,?,?), ref: 003D19C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 003D19DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 003D19E2

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 97701538d4e199fec35e87492bb437f04bc928ecc95ab32de3d8be505546b049
Instruction ID: a9d606f34c11232919d705c474a25a4a1baf179cbccce4fc2e238b11d43e18df
Opcode Fuzzy Hash: 97701538d4e199fec35e87492bb437f04bc928ecc95ab32de3d8be505546b049
Instruction Fuzzy Hash: 40319F72A00219EFCB14CFA8DDA9ADE7BB5EB44315F10432AF921AB2D1C7709D54DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00405706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00405745
SendMessageW.USER32(?,00001074,?,00000001), ref: 0040579D
_wcslen.LIBCMT ref: 004057AF
_wcslen.LIBCMT ref: 004057BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00405816

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: de35f5aacfeead352417b9468b1bb4b89a2966eb2286d96ae2ffa591e9c09060
Instruction ID: 7001ebbb522776b7136b30f64521c03524b194d7d723c62abe7e015495af67ec
Opcode Fuzzy Hash: de35f5aacfeead352417b9468b1bb4b89a2966eb2286d96ae2ffa591e9c09060
Instruction Fuzzy Hash: B9218075904618AADB209F60CC84AEF77B8EB44324F108227E919FB2C0D7789986CF59

Uniqueness

Uniqueness Score: -1.00%

Function 003F0930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 003F0951
GetForegroundWindow.USER32 ref: 003F0968
GetDC.USER32(00000000), ref: 003F09A4
GetPixel.GDI32(00000000,?,00000003), ref: 003F09B0
ReleaseDC.USER32(00000000,00000003), ref: 003F09E8

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 5788aeed4ccedeaade6a1ff970f1db09a7b98ab04719e473c4c75de49a44a97b
Instruction ID: a7fc8048568aa3144487a535198708b814fd040806bb68deea1f98a727e7211d
Opcode Fuzzy Hash: 5788aeed4ccedeaade6a1ff970f1db09a7b98ab04719e473c4c75de49a44a97b
Instruction Fuzzy Hash: AD216235600214AFD714EF69C985A6EB7F5EF45700F048578F94AAB762DB70AC04CB50

Uniqueness

Uniqueness Score: -1.00%

Function 003ACDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 003ACDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 003ACDE9

Part of subcall function 003A3820: RtlAllocateHeap.NTDLL(00000000,?,00441444,?,0038FDF5,?,?,0037A976,00000010,00441440,003713FC,?,003713C6,?,00371129), ref: 003A3852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 003ACE0F
_free.LIBCMT ref: 003ACE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 003ACE31

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 154dd30d87c2b93901f429a4874adc422256f40712226c5637b59a24c4e6c100
Instruction ID: 575d963f2fe11ff166d1b9d8ce156b31380fd576800f8a784a3d8e0385390755
Opcode Fuzzy Hash: 154dd30d87c2b93901f429a4874adc422256f40712226c5637b59a24c4e6c100
Instruction Fuzzy Hash: F301F772611215BFA72317BA6C8CC7BB96DEEC7BA23161229FD05DB201EA708D0181F4

Uniqueness

Uniqueness Score: -1.00%

Function 00389639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00389693
SelectObject.GDI32(?,00000000), ref: 003896A2
BeginPath.GDI32(?), ref: 003896B9
SelectObject.GDI32(?,00000000), ref: 003896E2

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 670bc5b4a1f2ddc8a6639769cdd7478fbd9d3863da5f86e7c011508c01b93ad7
Instruction ID: 9010a1fb85d8d9ef7783c621bb8f374ec1822c2a20bd5dd36ba8b922ab0d04ed
Opcode Fuzzy Hash: 670bc5b4a1f2ddc8a6639769cdd7478fbd9d3863da5f86e7c011508c01b93ad7
Instruction Fuzzy Hash: 902192B4802305EFDB12AF64DD44BB93BA8BB01325F150277F820A61B0E37098D1CF98

Uniqueness

Uniqueness Score: -1.00%

Function 003D5711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 003D5726
_memcmp.LIBVCRUNTIME ref: 003D5744
_memcmp.LIBVCRUNTIME ref: 003D5757
_memcmp.LIBVCRUNTIME ref: 003D576F
_memcmp.LIBVCRUNTIME ref: 003D5787

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: b5a03dfa1acd7a6270fe0a67e5d9ae7b7b2eabad9282f0fa5272d3d7f1323583
Instruction ID: ff7d35b4d32a7c963aa22e8a305225e81ed96d5564c9bc64c097d7db080000ed
Opcode Fuzzy Hash: b5a03dfa1acd7a6270fe0a67e5d9ae7b7b2eabad9282f0fa5272d3d7f1323583
Instruction Fuzzy Hash: 6701D6A7645605FAE61A5510AD82FBA736C9B21394B200032FD04BEB81F730ED1486A4

Uniqueness

Uniqueness Score: -1.00%

Function 003A2DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0039F2DE,003A3863,00441444,?,0038FDF5,?,?,0037A976,00000010,00441440,003713FC,?,003713C6), ref: 003A2DFD
_free.LIBCMT ref: 003A2E32
_free.LIBCMT ref: 003A2E59
SetLastError.KERNEL32(00000000,00371129), ref: 003A2E66
SetLastError.KERNEL32(00000000,00371129), ref: 003A2E6F

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: e42f31f1a6b6964b582033fe3133e2f84353ef98eea519cf3f5784169c391273
Instruction ID: 0478cf5fa1c29eb51afb429b0bf4ad635034df53bbb1b1737dfd972c44a7556c
Opcode Fuzzy Hash: e42f31f1a6b6964b582033fe3133e2f84353ef98eea519cf3f5784169c391273
Instruction Fuzzy Hash: 7D0128322456006BC613273D6C8AE2B265DEBD37B1B220538F825F61D3EF78CC414120

Uniqueness

Uniqueness Score: -1.00%

Function 003D000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,003CFF41,80070057,?,?,?,003D035E), ref: 003D002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,003CFF41,80070057,?,?), ref: 003D0046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,003CFF41,80070057,?,?), ref: 003D0054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,003CFF41,80070057,?), ref: 003D0064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,003CFF41,80070057,?,?), ref: 003D0070

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 4589fcd4af7337bcd64c2c8fe23967457522fbe3f2b48943ddf5daecbd215eb6
Instruction ID: e136b60e40e0e245f94f3cf4b65e98ee1e60343e7041487fd51d225d25279e25
Opcode Fuzzy Hash: 4589fcd4af7337bcd64c2c8fe23967457522fbe3f2b48943ddf5daecbd215eb6
Instruction Fuzzy Hash: FA018B73600204FFDB165F68ED84BAE7AADEB84B92F148225F905E2210E771DD408BA4

Uniqueness

Uniqueness Score: -1.00%

Function 003DE97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 003DE997
QueryPerformanceFrequency.KERNEL32(?), ref: 003DE9A5
Sleep.KERNEL32(00000000), ref: 003DE9AD
QueryPerformanceCounter.KERNEL32(?), ref: 003DE9B7
Sleep.KERNEL32 ref: 003DE9F3

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: b2bcdcc41ccf0a1131955f5c1b63d876864a53690c4855cafa3c4ba8ebfdcdf4
Instruction ID: 3b452e49bbd38485a35627f1cb45ab2d2fd9de012dd1e0ee51b0bcff3845d217
Opcode Fuzzy Hash: b2bcdcc41ccf0a1131955f5c1b63d876864a53690c4855cafa3c4ba8ebfdcdf4
Instruction Fuzzy Hash: 9D016D32C02529DBCF01AFE4EDA9ADDBB78FF08300F010666E502B6240CB349550CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 003D10F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 003D1114
GetLastError.KERNEL32(?,00000000,00000000,?,?,003D0B9B,?,?,?), ref: 003D1120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,003D0B9B,?,?,?), ref: 003D112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,003D0B9B,?,?,?), ref: 003D1136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 003D114D

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 754d209b35c14a9604109a40f18e6f84c905344142a9c1ab025de6afdca9dc77
Instruction ID: 87ba6c7f9f024d7cba94b7c32c6bff641aec76344437bdff9accd1b95496f221
Opcode Fuzzy Hash: 754d209b35c14a9604109a40f18e6f84c905344142a9c1ab025de6afdca9dc77
Instruction Fuzzy Hash: EF011D75100205FFDB124FA5ED89E6A3B7EEF89360B214525FA45D7350DA31DC009A64

Uniqueness

Uniqueness Score: -1.00%

Function 003D0FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 003D0FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 003D0FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 003D0FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 003D0FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 003D1002

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 62abfd928371d1c7d4a1fcbc643a444860bb89720508cbffa6d1b32fa2a168cd
Instruction ID: a86c026ada7d1ef4750c6ba2b4b47e1b42cbfe43787c0fd1b345483c99077e55
Opcode Fuzzy Hash: 62abfd928371d1c7d4a1fcbc643a444860bb89720508cbffa6d1b32fa2a168cd
Instruction Fuzzy Hash: A7F06D36240301FBDB225FA4ED8DF563BADEF89762F114525FA45EB291CA70DC50CA60

Uniqueness

Uniqueness Score: -1.00%

Function 003D1014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 003D102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 003D1036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 003D1045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 003D104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 003D1062

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 08dadc3df5205d48b1dd198f6d1ebe934fa778f2da0b541fb189474808443a44
Instruction ID: 30b571995592101a40612a90ec8f80d2ebcc1aff077ff5dafe3b53823a5d0e91
Opcode Fuzzy Hash: 08dadc3df5205d48b1dd198f6d1ebe934fa778f2da0b541fb189474808443a44
Instruction Fuzzy Hash: 90F06D36240301FBDB226FA4ED89F563BADEF89761F110525FA45EB250CA70D840CA60

Uniqueness

Uniqueness Score: -1.00%

Function 003E030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,003E017D,?,003E32FC,?,00000001,003B2592,?), ref: 003E0324
CloseHandle.KERNEL32(?,?,?,?,003E017D,?,003E32FC,?,00000001,003B2592,?), ref: 003E0331
CloseHandle.KERNEL32(?,?,?,?,003E017D,?,003E32FC,?,00000001,003B2592,?), ref: 003E033E
CloseHandle.KERNEL32(?,?,?,?,003E017D,?,003E32FC,?,00000001,003B2592,?), ref: 003E034B
CloseHandle.KERNEL32(?,?,?,?,003E017D,?,003E32FC,?,00000001,003B2592,?), ref: 003E0358
CloseHandle.KERNEL32(?,?,?,?,003E017D,?,003E32FC,?,00000001,003B2592,?), ref: 003E0365

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 5c69762123b3c65973c1fea2f5b8f2987fbfa67907565c600770df62b66c8c64
Instruction ID: a14d5c5dd097ece253b61cbfd56d8817c4b9feda2bc2ced4c348cb7374c97acb
Opcode Fuzzy Hash: 5c69762123b3c65973c1fea2f5b8f2987fbfa67907565c600770df62b66c8c64
Instruction Fuzzy Hash: 2101A276800B65DFCB369F66D880416F7F5BF503153168A3FD19652971C3B1A994CF80

Uniqueness

Uniqueness Score: -1.00%

Function 003AD73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 003AD752

Part of subcall function 003A29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,003AD7D1,00000000,00000000,00000000,00000000,?,003AD7F8,00000000,00000007,00000000,?,003ADBF5,00000000), ref: 003A29DE
Part of subcall function 003A29C8: GetLastError.KERNEL32(00000000,?,003AD7D1,00000000,00000000,00000000,00000000,?,003AD7F8,00000000,00000007,00000000,?,003ADBF5,00000000,00000000), ref: 003A29F0

_free.LIBCMT ref: 003AD764
_free.LIBCMT ref: 003AD776
_free.LIBCMT ref: 003AD788
_free.LIBCMT ref: 003AD79A

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 3bc25798ed6aa81d3fda2558c3f12f8b45f3b836cb724547f79d26c8c1bd40a1
Instruction ID: 3822f0ba3964ba39cf5a9049d070c612f979071076b4c1e2c2fd8c1cb4f629d3
Opcode Fuzzy Hash: 3bc25798ed6aa81d3fda2558c3f12f8b45f3b836cb724547f79d26c8c1bd40a1
Instruction Fuzzy Hash: 92F04F72504208AF866AFF68F9C5C1B77DDFB07710B961819F049EB911C721FC808765

Uniqueness

Uniqueness Score: -1.00%

Function 003D5C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 003D5C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 003D5C6F
MessageBeep.USER32(00000000), ref: 003D5C87
KillTimer.USER32(?,0000040A), ref: 003D5CA3
EndDialog.USER32(?,00000001), ref: 003D5CBD

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 8dc312a568e26589ad340c600323c2c721328226be14a6896d2e65d2e3ede325
Instruction ID: 94f064bf20d57cd84dbe56dd4fe74131183078f58a00d93291ad1d113fa32b6b
Opcode Fuzzy Hash: 8dc312a568e26589ad340c600323c2c721328226be14a6896d2e65d2e3ede325
Instruction Fuzzy Hash: 93018B31510B04DBEB315B10EE8EFA577B8BB00B45F04066AB543725E1DBF559448A54

Uniqueness

Uniqueness Score: -1.00%

Function 003A22A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 003A22BE

Part of subcall function 003A29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,003AD7D1,00000000,00000000,00000000,00000000,?,003AD7F8,00000000,00000007,00000000,?,003ADBF5,00000000), ref: 003A29DE
Part of subcall function 003A29C8: GetLastError.KERNEL32(00000000,?,003AD7D1,00000000,00000000,00000000,00000000,?,003AD7F8,00000000,00000007,00000000,?,003ADBF5,00000000,00000000), ref: 003A29F0

_free.LIBCMT ref: 003A22D0
_free.LIBCMT ref: 003A22E3
_free.LIBCMT ref: 003A22F4
_free.LIBCMT ref: 003A2305

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 6808fb2101d916ec09f4aa115376e40f69f90f7bf0c4e22b06c5e74e6e01280d
Instruction ID: 3823d90bad98d4faf191204b62edee8f5dc62da6d3d53e95c306c1a778831e15
Opcode Fuzzy Hash: 6808fb2101d916ec09f4aa115376e40f69f90f7bf0c4e22b06c5e74e6e01280d
Instruction Fuzzy Hash: 8CF03A788002208FD757BF68BC4580A3B64F71BB62B01157AF510EA2B1C7710961ABED

Uniqueness

Uniqueness Score: -1.00%

Function 003895C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 003895D4
StrokeAndFillPath.GDI32(?,?,003C71F7,00000000,?,?,?), ref: 003895F0
SelectObject.GDI32(?,00000000), ref: 00389603
DeleteObject.GDI32 ref: 00389616
StrokePath.GDI32(?), ref: 00389631

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: acd091f5d9e9142926301e1d7bdf372338629c2a9fdf27c2b1d4909b48df97da
Instruction ID: 5e30c8e316e04e0c3baa6762eb0a8447d703b701e2ff3a8da7d7400cdd20fb84
Opcode Fuzzy Hash: acd091f5d9e9142926301e1d7bdf372338629c2a9fdf27c2b1d4909b48df97da
Instruction Fuzzy Hash: 70F0EC79006304EBDB166FA5EE5C7743B65AB02332F088375F469690F0D7348995DF68

Uniqueness

Uniqueness Score: -1.00%

Function 003A0F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 003A10F9
__freea.LIBCMT ref: 003A1117

Part of subcall function 003A1537: _free.LIBCMT ref: 003A154F

Strings

a/p, xrefs: 003A11DE
am/pm, xrefs: 003A117A

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 351760100788abfddbd9dbad7dd030f4dde1e3a91ebb2629da00f2a84d3fdba7
Instruction ID: 9eb2e3ba801063e28eef91ce923d5839d4c5513744d793ced561fe986ed48adf
Opcode Fuzzy Hash: 351760100788abfddbd9dbad7dd030f4dde1e3a91ebb2629da00f2a84d3fdba7
Instruction Fuzzy Hash: 79D1F339900206DADF2BDF68C855BFEB7B5EF07310F294159E901ABA90D3759D80CB91

Uniqueness

Uniqueness Score: -1.00%

Function 003F61D0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 324COMMON

Download Yara Rule

APIs

Part of subcall function 00390242: EnterCriticalSection.KERNEL32(0044070C,00441884,?,?,0038198B,00442518,?,?,?,003712F9,00000000), ref: 0039024D
Part of subcall function 00390242: LeaveCriticalSection.KERNEL32(0044070C,?,0038198B,00442518,?,?,?,003712F9,00000000), ref: 0039028A

Part of subcall function 003900A3: __onexit.LIBCMT ref: 003900A9

__Init_thread_footer.LIBCMT ref: 003F6238

Part of subcall function 003901F8: EnterCriticalSection.KERNEL32(0044070C,?,?,00388747,00442514), ref: 00390202
Part of subcall function 003901F8: LeaveCriticalSection.KERNEL32(0044070C,?,00388747,00442514), ref: 00390235

Part of subcall function 003E359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 003E35E4
Part of subcall function 003E359C: LoadStringW.USER32(00442390,?,00000FFF,?), ref: 003E360A

Strings

x#D, xrefs: 003F633A
x#D, xrefs: 003F6353
x#D, xrefs: 003F636F

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
String ID: x#D$x#D$x#D
API String ID: 1072379062-1009279002
Opcode ID: 6bb035251d23ca8e50969de346ea8167d0209f35bdb492326fec73843470c3e7
Instruction ID: 345498840c0220eaffb46840de6cb181ff87ca8626f2bb7f1c38c07603771738
Opcode Fuzzy Hash: 6bb035251d23ca8e50969de346ea8167d0209f35bdb492326fec73843470c3e7
Instruction Fuzzy Hash: F3C1A371A00109AFDB16DF58C891EBEB7B9FF49300F11806AFA15AB291D774ED44CB90

Uniqueness

Uniqueness Score: -1.00%

Function 003A8A61 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 003A8B6E
GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 003A8B7A
__dosmaperr.LIBCMT ref: 003A8B81

Strings

.9, xrefs: 003A8A63

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr
String ID: .9
API String ID: 2434981716-4137932486
Opcode ID: afa29d29b903f75c44e432055914f31c621b67a8d9a1d5118389e2c2291a163f
Instruction ID: 211ab83fbc7d05584a2be871e4766b15be13bd983afd7ab1509bbe77b62cc496
Opcode Fuzzy Hash: afa29d29b903f75c44e432055914f31c621b67a8d9a1d5118389e2c2291a163f
Instruction Fuzzy Hash: A5418FB4A04045AFDB269F68CC80A7D7FA5DF47304F2985A9F8859B552DE31CC12C7A4

Uniqueness

Uniqueness Score: -1.00%

Function 003D2716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 003DB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,003D21D0,?,?,00000034,00000800,?,00000034), ref: 003DB42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 003D2760

Part of subcall function 003DB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,003D21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 003DB3F8

Part of subcall function 003DB32A: GetWindowThreadProcessId.USER32(?,?), ref: 003DB355
Part of subcall function 003DB32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,003D2194,00000034,?,?,00001004,00000000,00000000), ref: 003DB365
Part of subcall function 003DB32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,003D2194,00000034,?,?,00001004,00000000,00000000), ref: 003DB37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 003D27CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 003D281A

Strings

@, xrefs: 003D2832

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 11970d83d3ff7f8ea2fa8ef3c50aeb3fc8b4571b2262d1f8b110b6c43e2d834c
Instruction ID: 7c5eb6e69addb83389d147e7f2f93ed02725e2cb8251d0704a87cfa9af803954
Opcode Fuzzy Hash: 11970d83d3ff7f8ea2fa8ef3c50aeb3fc8b4571b2262d1f8b110b6c43e2d834c
Instruction Fuzzy Hash: 3F413D76900218AFDB21DBA4DD81EDEBBB8EF05300F014056FA55B7281DB716E45DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 003A172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\43643456.exe,00000104), ref: 003A1769
_free.LIBCMT ref: 003A1834
_free.LIBCMT ref: 003A183E

Strings

C:\Users\user\Desktop\43643456.exe, xrefs: 003A1760, 003A1767, 003A1796, 003A17CE

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\43643456.exe
API String ID: 2506810119-4275042492
Opcode ID: 8f1f3b0e72b975244f37361794176d41a4c406d5774a85c150c1cb5cf9c6b41a
Instruction ID: 0b7e043728b1955eb438f36274eed96e6230ccd5a56c3fb5dc804c88cc79d8cf
Opcode Fuzzy Hash: 8f1f3b0e72b975244f37361794176d41a4c406d5774a85c150c1cb5cf9c6b41a
Instruction Fuzzy Hash: 70318075A00218EFDB22DB99D885D9EBBFCEB86310F1141A6F804DB211D7B08E80DB94

Uniqueness

Uniqueness Score: -1.00%

Function 003DC27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 003DC306
DeleteMenu.USER32(?,00000007,00000000), ref: 003DC34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00441990,00D95B08), ref: 003DC395

Strings

0, xrefs: 003DC2DF

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: e0f3faf7a38244a6df057d678813690c7c67d0846df34c29dafed448438e9d45
Instruction ID: 9d7709e6fa98c39b86f2d129d92502c334d8c801ed735436405650270bfc7c63
Opcode Fuzzy Hash: e0f3faf7a38244a6df057d678813690c7c67d0846df34c29dafed448438e9d45
Instruction Fuzzy Hash: 1741C336224342AFDB21DF28E884B1ABBE4AF85310F01961EF9659B3D1C734E904CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00404416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0040CC08,00000000,?,?,?,?), ref: 004044AA
GetWindowLongW.USER32 ref: 004044C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 004044D7

Strings

SysTreeView32, xrefs: 0040447C

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 28238564a3a1a4f061f7a85c53096ea839d90e2b3824c3e712d5909c4754ee7c
Instruction ID: b87c0ef79bb0a99877828c36c54cf3e4fe252be30286ea1f8520c147a6c33468
Opcode Fuzzy Hash: 28238564a3a1a4f061f7a85c53096ea839d90e2b3824c3e712d5909c4754ee7c
Instruction Fuzzy Hash: 3231B071200605AFDB219F38DC45BEB77A9EB48334F204726FA75A22D0D778EC509754

Uniqueness

Uniqueness Score: -1.00%

Function 003D6E71 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

SysReAllocString.OLEAUT32(?,?), ref: 003D6EED
VariantCopyInd.OLEAUT32(?,?), ref: 003D6F08
VariantClear.OLEAUT32(?), ref: 003D6F12

Strings

*j=, xrefs: 003D6E8B, 003D6E90, 003D6EF8

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: Variant$AllocClearCopyString
String ID: *j=
API String ID: 2173805711-232903960
Opcode ID: 09465e16bf879fc44e31a1793e78d6d9fad0d7b5f4b0eb6fefb51a73b3dd46d4
Instruction ID: 9f48e440253908e1bfe7d3aa0d60c74538a2e47f7a12554904f207fa9052d497
Opcode Fuzzy Hash: 09465e16bf879fc44e31a1793e78d6d9fad0d7b5f4b0eb6fefb51a73b3dd46d4
Instruction Fuzzy Hash: 0331A1B2604605DFCB16AF64E8929BE7779FF45304B1044AAF9264F3A1C7349D21DBD0

Uniqueness

Uniqueness Score: -1.00%

Function 003F304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 003F335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,003F3077,?,?), ref: 003F3378

inet_addr.WSOCK32(?), ref: 003F307A
_wcslen.LIBCMT ref: 003F309B
htons.WSOCK32(00000000), ref: 003F3106

Strings

255.255.255.255, xrefs: 003F3095, 003F309A

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 7a11ed713ef3392faa8a8a57fa785a31a88ec750d2497159b0f7c0f1edffb02a
Instruction ID: aa2b852ce5d97659169e3235c209b8371c07d8735af397341fb296c1e4df37eb
Opcode Fuzzy Hash: 7a11ed713ef3392faa8a8a57fa785a31a88ec750d2497159b0f7c0f1edffb02a
Instruction Fuzzy Hash: B231E43520420A9FCB22DF28C585E7A77E4EF14318F25C15AEA168F392CB32DE41C761

Uniqueness

Uniqueness Score: -1.00%

Function 00404653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00404705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00404713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0040471A

Strings

msctls_updown32, xrefs: 00404684

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: ceb3c3b988292cc950ed1a47ad5d82ab3366e7cfe25963e8ab11c7cdcc6c70c4
Instruction ID: 9ecd31fed8bddda889deea946db2e8dc045a488537781c4490e4a69d4e40f827
Opcode Fuzzy Hash: ceb3c3b988292cc950ed1a47ad5d82ab3366e7cfe25963e8ab11c7cdcc6c70c4
Instruction Fuzzy Hash: 922151F5600208AFDB11DF68DCD1DA737ADEB8A354B04056AF600AB3A1DB35EC51CA64

Uniqueness

Uniqueness Score: -1.00%

Function 003D95AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 003D961D

Strings

#requireadmin, xrefs: 003D95D9
#OnAutoItStartRegister, xrefs: 003D95F3
#notrayicon, xrefs: 003D95B7

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: e374c992bab915f19c4a6761022fdfe8e1d4364bae5cd07d6165f23c5c426dac
Instruction ID: 02b67e36068dfcfccfdd735f37424306cea44cd5f9aa4ebafa34439b9b40cc97
Opcode Fuzzy Hash: e374c992bab915f19c4a6761022fdfe8e1d4364bae5cd07d6165f23c5c426dac
Instruction Fuzzy Hash: B121233320421166C733BB24B802FBB73A99F92320F114037F9499B681EB69ED95C395

Uniqueness

Uniqueness Score: -1.00%

Function 004037B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00403840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00403850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00403876

Strings

Listbox, xrefs: 0040380F

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 7b9b87110418420e3d379c20203eaeb4582c31ee0100facaf942723cb8cd8058
Instruction ID: f57100482d03c2e7f9a15da7c5163c4e28fda9d04e98e3ee982bcef29d150c39
Opcode Fuzzy Hash: 7b9b87110418420e3d379c20203eaeb4582c31ee0100facaf942723cb8cd8058
Instruction Fuzzy Hash: 4521C272610118BBEF219F54CC81FBB3BAEEF89751F108125F944AB2D0CA75DC5287A4

Uniqueness

Uniqueness Score: -1.00%

Function 003E49F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 003E4A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 003E4A5C
SetErrorMode.KERNEL32(00000000,?,?,0040CC08), ref: 003E4AD0

Strings

%lu, xrefs: 003E4A6F

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: d3e4faaeedd195787943678235fa94b617a8e9550dcd6dd17fd146bc84ea0892
Instruction ID: 54d809b5002dfdc73699a98104b12b705fdf6c965944bb1fb2b14b2024149e52
Opcode Fuzzy Hash: d3e4faaeedd195787943678235fa94b617a8e9550dcd6dd17fd146bc84ea0892
Instruction Fuzzy Hash: 11318F71A00109AFDB11DF64C985EAA7BF8EF08318F1481A9F809EF292D775ED45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 004041EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0040424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00404264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00404271

Strings

msctls_trackbar32, xrefs: 00404226

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 8b28665a626d3dabfd97d30f2c33d07d2e1dd01cf6fa4136f096a99fada32cd6
Instruction ID: 4ea6c67294a1928bbf0c2526274a298186d5cf238ee83d70e397d117dcef877a
Opcode Fuzzy Hash: 8b28665a626d3dabfd97d30f2c33d07d2e1dd01cf6fa4136f096a99fada32cd6
Instruction Fuzzy Hash: 1111C171240208BEEF205F29CC06FAB3BACEF85B64F110529FA55E61E0D675D8619B28

Uniqueness

Uniqueness Score: -1.00%

Function 003D2F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00376B57: _wcslen.LIBCMT ref: 00376B6A

Part of subcall function 003D2DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 003D2DC5
Part of subcall function 003D2DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 003D2DD6
Part of subcall function 003D2DA7: GetCurrentThreadId.KERNEL32 ref: 003D2DDD
Part of subcall function 003D2DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 003D2DE4

GetFocus.USER32 ref: 003D2F78

Part of subcall function 003D2DEE: GetParent.USER32(00000000), ref: 003D2DF9

GetClassNameW.USER32(?,?,00000100), ref: 003D2FC3
EnumChildWindows.USER32(?,003D303B), ref: 003D2FEB

Strings

%s%d, xrefs: 003D2FFF

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: c4b04755db2acc3870cbe242124f9a43b41ab47a55a7729693d697981cc7dc37
Instruction ID: 9e69f44e9cee7858dcd56e59c6d512e31f7feb289b4234482919e1dfa1421946
Opcode Fuzzy Hash: c4b04755db2acc3870cbe242124f9a43b41ab47a55a7729693d697981cc7dc37
Instruction Fuzzy Hash: 5D11D872600205ABCF127F749CD5EEE376AAF94304F044076FD199B292DE355E098B61

Uniqueness

Uniqueness Score: -1.00%

Function 00405882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 004058C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 004058EE
DrawMenuBar.USER32(?), ref: 004058FD

Strings

0, xrefs: 0040588F

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 4dc59d134f2b5941dfba969cf0487928b24945fe4363f3287fcc77232697aaa2
Instruction ID: 3446217cd5c052ce4fae164a53db0fd7091914e7c4c8b32f7ba8f90b52bcbb93
Opcode Fuzzy Hash: 4dc59d134f2b5941dfba969cf0487928b24945fe4363f3287fcc77232697aaa2
Instruction Fuzzy Hash: A201C071500218EFDB21AF11DC44BAFBBB4FF45361F0080AAE848EA291DB349A90DF25

Uniqueness

Uniqueness Score: -1.00%

Function 003CD3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 003CD3BF
FreeLibrary.KERNEL32 ref: 003CD3E5

Strings

X64, xrefs: 003CD2A8
GetSystemWow64DirectoryW, xrefs: 003CD3B9

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: e423cf4a523a6d9a69e4c3f48e2eda7d515aee91d0181bfa93110ee44daa824e
Instruction ID: 91820bf012b7c088af7f18c5c04227aafb1263961b2a435e040ec8c5bd438e17
Opcode Fuzzy Hash: e423cf4a523a6d9a69e4c3f48e2eda7d515aee91d0181bfa93110ee44daa824e
Instruction Fuzzy Hash: DAF02075901A21CAD33313104CA4F6A7318AF50701F668A7EB803F5088D738CD808B8A

Uniqueness

Uniqueness Score: -1.00%

Function 003D007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dd2b06276a89ad2b2a478a35c3394ff71725447ff2eee41123de0c422f4abbe
Instruction ID: 70a4edd32aff6340eb718d8d26f7236efe2b9021975ed2c233ff461a8d21ac26
Opcode Fuzzy Hash: 8dd2b06276a89ad2b2a478a35c3394ff71725447ff2eee41123de0c422f4abbe
Instruction Fuzzy Hash: 3EC14876A00206EFCB19CFA4D894BAEB7B5FF48B04F118599E505EB251D731EE41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 003F342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 003F3459
CoUninitialize.OLE32 ref: 003F3463
VariantInit.OLEAUT32(?), ref: 003F346E
VariantClear.OLEAUT32(?), ref: 003F371B

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 07151d20e78ac533ee76fb61d8e5f50a5c3a6023034d41416fc7e9c7556f6800
Instruction ID: aec02535cc21711c1734331fb01b77ea6143af35aecb5c0fdf1cfe2ae201432c
Opcode Fuzzy Hash: 07151d20e78ac533ee76fb61d8e5f50a5c3a6023034d41416fc7e9c7556f6800
Instruction Fuzzy Hash: 0BA15A752043049FC712EF24C485A2AB7E5FF89724F148859F98A9F362DB34EE05CB51

Uniqueness

Uniqueness Score: -1.00%

Function 003D0436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0040FC08,?), ref: 003D05F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0040FC08,?), ref: 003D0608
CLSIDFromProgID.OLE32(?,?,00000000,0040CC40,000000FF,?,00000000,00000800,00000000,?,0040FC08,?), ref: 003D062D
_memcmp.LIBVCRUNTIME ref: 003D064E

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: ad49083838302ddf5185b4e15fba39664945dfd16610cf8f5f94dec9f1052de1
Instruction ID: 6eb6a6696cbecaddd66c82275fe18df47c6d7595c5a5d8bd648bde9389f2e3fd
Opcode Fuzzy Hash: ad49083838302ddf5185b4e15fba39664945dfd16610cf8f5f94dec9f1052de1
Instruction Fuzzy Hash: FF814C72A00109EFCB05DF94D984EEEB7B9FF89715F204199E506AB250DB71AE06CF60

Uniqueness

Uniqueness Score: -1.00%

Function 003B1391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 003B14C0

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 78ed44e685281505a4eae8f6d9aced7753cfb7138a7be81fc0c30ab745b6d7ec
Instruction ID: 08f51a54cfe0ba7cf6fd7ea276182b4c5cf8be0df09eca96b9e6899b799fd01e
Opcode Fuzzy Hash: 78ed44e685281505a4eae8f6d9aced7753cfb7138a7be81fc0c30ab745b6d7ec
Instruction Fuzzy Hash: 0E417C35A00100AFDF236BBE8C567FE3AB4EF42334F650626F618DA992E63049015362

Uniqueness

Uniqueness Score: -1.00%

Function 00406278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(00D9F680,?), ref: 004062E2
ScreenToClient.USER32(?,?), ref: 00406315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00406382

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: bc65e7e986b92cdd9ad05382d0d04d74e5156d0cbd415e0fa4d3e9939166a424
Instruction ID: bc38aa7035e94a66ab3beab974b59b9560f5161e42fdaeb71c6ce4e86e74fe68
Opcode Fuzzy Hash: bc65e7e986b92cdd9ad05382d0d04d74e5156d0cbd415e0fa4d3e9939166a424
Instruction Fuzzy Hash: 2B512D74900209EFDB20DF54D980AAE7BB5EB45360F11826AF816AB3E0D734ED91CB94

Uniqueness

Uniqueness Score: -1.00%

Function 003F1AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 003F1AFD
WSAGetLastError.WSOCK32 ref: 003F1B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 003F1B8A
WSAGetLastError.WSOCK32 ref: 003F1B94

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 049a408468be41a14b54390b4b37757b97a9345e812b19eb80378b8f87338352
Instruction ID: 343cf156f22efebc942f0ac8d8c60fe87f3da2167850515919a7c15a3c20f096
Opcode Fuzzy Hash: 049a408468be41a14b54390b4b37757b97a9345e812b19eb80378b8f87338352
Instruction Fuzzy Hash: 9C41AD34640200AFE722AF24D886F3A77E5AB44718F54C598FA1A9F3D3D776ED418B90

Uniqueness

Uniqueness Score: -1.00%

Function 003AB41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a90aad6943160051c8eb90561041aa810da2cf2716d71afa4c535cf3d9bb018
Instruction ID: e1e42903030d84c490ea3d739e69bf01dcedd8d67b55685c86673f6e6d323c83
Opcode Fuzzy Hash: 3a90aad6943160051c8eb90561041aa810da2cf2716d71afa4c535cf3d9bb018
Instruction Fuzzy Hash: D0410476A00304AFD7269F79CC41BAABBA9EF8A710F10852EF541DF683D771A9018780

Uniqueness

Uniqueness Score: -1.00%

Function 003E56D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 003E5783
GetLastError.KERNEL32(?,00000000), ref: 003E57A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 003E57CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 003E57FA

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: fee7ff5ad8c58281fc3e87e93232cbc1161ad11f27205b157a2b662a8e71bdd6
Instruction ID: 7bcdbdd793ecf0710fe0296db54771dfbbd90d2abe9417b7bd65b20f474047a3
Opcode Fuzzy Hash: fee7ff5ad8c58281fc3e87e93232cbc1161ad11f27205b157a2b662a8e71bdd6
Instruction Fuzzy Hash: 1241FF35600610DFCB22DF15C585A5DBBE2EF89724B19C498E84A6F361CB34FD41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 003AD8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,00396D71,00000000,00000000,003982D9,?,003982D9,?,00000001,00396D71,?,00000001,003982D9,003982D9), ref: 003AD910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 003AD999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 003AD9AB
__freea.LIBCMT ref: 003AD9B4

Part of subcall function 003A3820: RtlAllocateHeap.NTDLL(00000000,?,00441444,?,0038FDF5,?,?,0037A976,00000010,00441440,003713FC,?,003713C6,?,00371129), ref: 003A3852

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 08a4c5e98d4a9a379b0725b2d9cded54c3f79c25bc6b6b25444f2aad4d8b85ec
Instruction ID: 90b99929bc100c4249d94b150afd1fdd0a97087ec7f1fbad110c1e54bd93adc5
Opcode Fuzzy Hash: 08a4c5e98d4a9a379b0725b2d9cded54c3f79c25bc6b6b25444f2aad4d8b85ec
Instruction Fuzzy Hash: CD31B072A0020AABDF269F64DC85EAF7BA9EB42310F064268FC05DB150EB35CD54CB90

Uniqueness

Uniqueness Score: -1.00%

Function 004052C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00405352
GetWindowLongW.USER32(?,000000F0), ref: 00405375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00405382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 004053A8

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 69d27c31603481ed808054dc6d6e5df7a8bcf7c1e675319bf3430764ba9294d4
Instruction ID: 13be3864b6b11c1d6562733497500c0b5f2264252ca81f8c96192a632b8b1681
Opcode Fuzzy Hash: 69d27c31603481ed808054dc6d6e5df7a8bcf7c1e675319bf3430764ba9294d4
Instruction Fuzzy Hash: 7A31A334A55A08EFEB309B14DC46BEB7765EB05390F584123FE10B62E1C7B99980DF4A

Uniqueness

Uniqueness Score: -1.00%

Function 003DAB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,7694C0D0,?,00008000), ref: 003DABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 003DAC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 003DAC74
SendInput.USER32(00000001,?,0000001C,7694C0D0,?,00008000), ref: 003DACC6

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 28ecd1f2541504db5b777c4dddafba9d3a94698062a3e0cd49974bebd3daa4aa
Instruction ID: 55e37060ad6dd607b48ef2542e8b9750a5bab41a3cd29e82866c02b3be7ed8d4
Opcode Fuzzy Hash: 28ecd1f2541504db5b777c4dddafba9d3a94698062a3e0cd49974bebd3daa4aa
Instruction Fuzzy Hash: 63312872A24A18AFEF36CB64AD047FA7BA5AB85330F04471BE481D73D0C37589858792

Uniqueness

Uniqueness Score: -1.00%

Function 00407674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0040769A
GetWindowRect.USER32(?,?), ref: 00407710
PtInRect.USER32(?,?,00408B89), ref: 00407720
MessageBeep.USER32(00000000), ref: 0040778C

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 4f1c448effee9258bd9d60a8eafa0fba12754be6abe1cc1ebd6b8c0df8a46f2b
Instruction ID: e95cdfee989b3f10d94f70fa97d84ababe46cfb985c253f51d19e32c56e23173
Opcode Fuzzy Hash: 4f1c448effee9258bd9d60a8eafa0fba12754be6abe1cc1ebd6b8c0df8a46f2b
Instruction Fuzzy Hash: 2141B038A05214DFCB01DF58C894EA977F0FB49354F1441BAE814AB3A1C739B941CF95

Uniqueness

Uniqueness Score: -1.00%

Function 004016DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 004016EB

Part of subcall function 003D3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 003D3A57
Part of subcall function 003D3A3D: GetCurrentThreadId.KERNEL32 ref: 003D3A5E
Part of subcall function 003D3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,003D25B3), ref: 003D3A65

GetCaretPos.USER32(?), ref: 004016FF
ClientToScreen.USER32(00000000,?), ref: 0040174C
GetForegroundWindow.USER32 ref: 00401752

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 6847cf094a1f7a631cf97768621d9298745b2e33482693380ddd75f0b7d62c97
Instruction ID: 8a37b63593b98e32b43c6e6944cd8a97f9019bb39678d9efcaff48779cc40b37
Opcode Fuzzy Hash: 6847cf094a1f7a631cf97768621d9298745b2e33482693380ddd75f0b7d62c97
Instruction Fuzzy Hash: 25314F75D00149AFC711EFA9C8C1CAEBBF9EF48304B5080AAE415EB251E7359E45CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 003DD4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 003DD501
Process32FirstW.KERNEL32(00000000,?), ref: 003DD50F
Process32NextW.KERNEL32(00000000,?), ref: 003DD52F
CloseHandle.KERNEL32(00000000), ref: 003DD5DC

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 52bded7bbc71e453d784806e0a324e2289d47f4a74091981afb1f05446b1cf14
Instruction ID: c2eb1d1c181b1558477e2d8f34061ccf8e03e846dc043bb10c738a2fd202dccc
Opcode Fuzzy Hash: 52bded7bbc71e453d784806e0a324e2289d47f4a74091981afb1f05446b1cf14
Instruction Fuzzy Hash: C631A4320083009FD312EF54D881AAFBBF8EF99354F10452DF5859A2A1EB719945CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00408FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00389BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00389BB2

GetCursorPos.USER32(?), ref: 00409001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,003C7711,?,?,?,?,?), ref: 00409016
GetCursorPos.USER32(?), ref: 0040905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,003C7711,?,?,?), ref: 00409094

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 1c195a3700be5e665a47844bfece78641caaa69c6941a44c5c43c059dd434bd3
Instruction ID: e67da235173500ba7486da621d8e9a2964b90b1a9f9bc05fb50ddfbf374c5aa7
Opcode Fuzzy Hash: 1c195a3700be5e665a47844bfece78641caaa69c6941a44c5c43c059dd434bd3
Instruction Fuzzy Hash: 80219C35600018EFDB268F94CC98EEB7BB9EB8A350F044166F9456B2A2C3359D90DB64

Uniqueness

Uniqueness Score: -1.00%

Function 003DD2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0040CB68), ref: 003DD2FB
GetLastError.KERNEL32 ref: 003DD30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 003DD319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0040CB68), ref: 003DD376

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: b64824aa7ec80252d7c5911b6c6fe4c4edd74b1470543db255b6f369d499a64e
Instruction ID: 8f1607e508b986d19474a230c8af854d697a5a2b751a32fea13d42665307c364
Opcode Fuzzy Hash: b64824aa7ec80252d7c5911b6c6fe4c4edd74b1470543db255b6f369d499a64e
Instruction Fuzzy Hash: CC219F75508201DFC311DF28E88196A77E8AE56324F104B6EF499D73E1D731D945CB93

Uniqueness

Uniqueness Score: -1.00%

Function 003D1571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 003D1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 003D102A
Part of subcall function 003D1014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 003D1036
Part of subcall function 003D1014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 003D1045
Part of subcall function 003D1014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 003D104C
Part of subcall function 003D1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 003D1062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 003D15BE
_memcmp.LIBVCRUNTIME ref: 003D15E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 003D1617
HeapFree.KERNEL32(00000000), ref: 003D161E

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 0e638a9559f547134259545263fb8117005c942c34681e21b1eb33794f133fb1
Instruction ID: 7416fa23d7db843bd44ea4f273fbd52d8e9b2f6b4f01050bb796c84fb70c1d8a
Opcode Fuzzy Hash: 0e638a9559f547134259545263fb8117005c942c34681e21b1eb33794f133fb1
Instruction Fuzzy Hash: 2C21AC32E00108FFDF01DFA4E944BEEB7B8EF40344F09445AE841AB241E734AA48CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00402782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 0040280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00402824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00402832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00402840

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 0a56572f45eba3f7ad0a19281c6abca1c9a6b19b4cc1cfb032e0e3880912e499
Instruction ID: d4444f61135fdcdcf536200523251423800f17eec1c8142fabaaedb633d4727e
Opcode Fuzzy Hash: 0a56572f45eba3f7ad0a19281c6abca1c9a6b19b4cc1cfb032e0e3880912e499
Instruction Fuzzy Hash: 02210635204510AFD7149B24CD88F6AB7A5AF46324F14826AF4169B6D2CBB9FC42CB94

Uniqueness

Uniqueness Score: -1.00%

Function 003D78F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 003D8D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,003D790A,?,000000FF,?,003D8754,00000000,?,0000001C,?,?), ref: 003D8D8C
Part of subcall function 003D8D7D: lstrcpyW.KERNEL32(00000000,?), ref: 003D8DB2
Part of subcall function 003D8D7D: lstrcmpiW.KERNEL32(00000000,?,003D790A,?,000000FF,?,003D8754,00000000,?,0000001C,?,?), ref: 003D8DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,003D8754,00000000,?,0000001C,?,?,00000000), ref: 003D7923
lstrcpyW.KERNEL32(00000000,?), ref: 003D7949
lstrcmpiW.KERNEL32(00000002,cdecl,?,003D8754,00000000,?,0000001C,?,?,00000000), ref: 003D7984

Strings

cdecl, xrefs: 003D797B

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 307520190d12d0db19e3e533f97df9f2d6d455b3bfa9e16285987fb849be76da
Instruction ID: 4e500ab4395c3900cea2abb8eab0d2b935bea3ec0a9502acbfb06d327cc3c31f
Opcode Fuzzy Hash: 307520190d12d0db19e3e533f97df9f2d6d455b3bfa9e16285987fb849be76da
Instruction Fuzzy Hash: B111B43B200302ABCB16AF34E855D7A77A9FF85350B50402BE946CB3A4FB319811C765

Uniqueness

Uniqueness Score: -1.00%

Function 00407CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00407D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00407D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00407D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,003EB7AD,00000000), ref: 00407D6B

Part of subcall function 00389BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00389BB2

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 279f278070b51376ec31736a893c2efa5863512360021d74349532643a6797ae
Instruction ID: c7bd105eba2e9db17dec4f309e929c85c82113a289167b90d24f6851382e8757
Opcode Fuzzy Hash: 279f278070b51376ec31736a893c2efa5863512360021d74349532643a6797ae
Instruction Fuzzy Hash: E311D235A05614AFDB109F28CC04E663BA4AF46360B254735F835E72F0E734E951CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00405660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 004056BB
_wcslen.LIBCMT ref: 004056CD
_wcslen.LIBCMT ref: 004056D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00405816

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 2f570ac0221d3396aa1eacb79db4d5dc7bafc2abc2d812b27dc551994fe60803
Instruction ID: 6f0c3cd85845ba989dbd150f2c1abcd6329070a6c1938999055a29ff7ed47768
Opcode Fuzzy Hash: 2f570ac0221d3396aa1eacb79db4d5dc7bafc2abc2d812b27dc551994fe60803
Instruction Fuzzy Hash: 6A11DF75A00608A6DF20EB61CC85AEF37ACEF00360B104437F905A61C1EB788A85CF69

Uniqueness

Uniqueness Score: -1.00%

Function 003D1A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 003D1A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 003D1A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 003D1A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 003D1A8A

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: d4b58147be752bd7596c6278f0bd53d16ab03dcdeaadde065cd3a0eb6b42268e
Instruction ID: 7ee34051d9f25b7b5d4b5fcf29124fa19cc497be21c0666ea474700358025f65
Opcode Fuzzy Hash: d4b58147be752bd7596c6278f0bd53d16ab03dcdeaadde065cd3a0eb6b42268e
Instruction Fuzzy Hash: 3C113C7AD01219FFEB11DBA4DD85FADBB78EB04750F210092E600B7290D671AE50DB94

Uniqueness

Uniqueness Score: -1.00%

Function 003DE1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 003DE1FD
MessageBoxW.USER32(?,?,?,?), ref: 003DE230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 003DE246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 003DE24D

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: f3e8ced0fa635e5b29a242c8ae24333878e8ea13fdc48cf99b88bfc7d1417a75
Instruction ID: ae988cbf814264dd2e6599d8f508712a5dffee3f5d6ed88188b0b30178f7eb97
Opcode Fuzzy Hash: f3e8ced0fa635e5b29a242c8ae24333878e8ea13fdc48cf99b88bfc7d1417a75
Instruction Fuzzy Hash: 3C110876904214BBD702AFA8EC45A9F7FAC9B45310F00472AF924E7390D270DE0487A4

Uniqueness

Uniqueness Score: -1.00%

Function 0039D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0039CFF9,00000000,00000004,00000000), ref: 0039D218
GetLastError.KERNEL32 ref: 0039D224
__dosmaperr.LIBCMT ref: 0039D22B
ResumeThread.KERNEL32(00000000), ref: 0039D249

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 364334752f3793f78fa67e507f23205966e22d41724897fa104abd3ba434f8e8
Instruction ID: c22bac48676e12c0acbdd9f825087ac7b4a81b330d049dc4aa25baeb7fb6b30f
Opcode Fuzzy Hash: 364334752f3793f78fa67e507f23205966e22d41724897fa104abd3ba434f8e8
Instruction Fuzzy Hash: 8C01F536805208BBDF135BA5DC0ABAF7A6DDF81730F210729F9259A1D0CB71C901C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 0037600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0037604C
GetStockObject.GDI32(00000011), ref: 00376060
SendMessageW.USER32(00000000,00000030,00000000), ref: 0037606A

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 474a5697a8304ff00c610a4c072b8647a00d40b492c5948fba18c544ff06eff5
Instruction ID: 86947eb8f7cdd346bf0f2273489926bb8f2132cb39b7c025be7cb114edb46763
Opcode Fuzzy Hash: 474a5697a8304ff00c610a4c072b8647a00d40b492c5948fba18c544ff06eff5
Instruction Fuzzy Hash: 0F118B72105909BFEF224FA48C95AEABB6DEF083A4F014215FA0852020C7369C60EFA0

Uniqueness

Uniqueness Score: -1.00%

Function 00393B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00393B56

Part of subcall function 00393AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00393AD2
Part of subcall function 00393AA3: ___AdjustPointer.LIBCMT ref: 00393AED

_UnwindNestedFrames.LIBCMT ref: 00393B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00393B7C
CallCatchBlock.LIBVCRUNTIME ref: 00393BA4

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 382909c6f94ad7715d729f14d3fbbfb84f4fb08eb09353399be9a54788cee36b
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 7E01E972100149BBDF126E95CC46EEB7B6AFF58754F054014FE489A121D732E962EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 003A3073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,003713C6,00000000,00000000,?,003A301A,003713C6,00000000,00000000,00000000,?,003A328B,00000006,FlsSetValue), ref: 003A30A5
GetLastError.KERNEL32(?,003A301A,003713C6,00000000,00000000,00000000,?,003A328B,00000006,FlsSetValue,00412290,FlsSetValue,00000000,00000364,?,003A2E46), ref: 003A30B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,003A301A,003713C6,00000000,00000000,00000000,?,003A328B,00000006,FlsSetValue,00412290,FlsSetValue,00000000), ref: 003A30BF

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: b7ba2b197775b3b3cc0210b8dc92956bf1900b1bc3134eb28fcaf81f8bfb28a1
Instruction ID: 155dc8fb6abe1cd149c64a8fe6da39e222e768c239c851da64f90ca1a86830d6
Opcode Fuzzy Hash: b7ba2b197775b3b3cc0210b8dc92956bf1900b1bc3134eb28fcaf81f8bfb28a1
Instruction Fuzzy Hash: 31018836751222EBC7228B799C889677B98DF467A1B214734F907E7190D731D901C6D4

Uniqueness

Uniqueness Score: -1.00%

Function 003D7464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 003D747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 003D7497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 003D74AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 003D74CA

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: bb49b5b94c190b8b5a5631cef762bc6ec09a0749961207164fd56ba7c83d3490
Instruction ID: b2ed2c573423b10b5fa4e0f80f26f438f5a684721876a51a1131a816bec1d6a8
Opcode Fuzzy Hash: bb49b5b94c190b8b5a5631cef762bc6ec09a0749961207164fd56ba7c83d3490
Instruction Fuzzy Hash: FD11C4B2205310DFE7228F15ED48FA2BFFCFB00B00F10856AA616D6691E770E904DB90

Uniqueness

Uniqueness Score: -1.00%

Function 003DB0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,003DACD3,?,00008000), ref: 003DB0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,003DACD3,?,00008000), ref: 003DB0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,003DACD3,?,00008000), ref: 003DB0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,003DACD3,?,00008000), ref: 003DB126

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 28ac3ecf01d71ae31c177010b917c685cd54465985c78b78ef326357e911b80b
Instruction ID: 49f7528fe59dfbbd69d5128809656e20b97d6f5ecdb8fa88b547598b31b1686d
Opcode Fuzzy Hash: 28ac3ecf01d71ae31c177010b917c685cd54465985c78b78ef326357e911b80b
Instruction Fuzzy Hash: D4116D32C0162CE7CF01AFE4E999AEEFB78FF09711F124196D981B6281CB3096508B95

Uniqueness

Uniqueness Score: -1.00%

Function 003D2DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 003D2DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 003D2DD6
GetCurrentThreadId.KERNEL32 ref: 003D2DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 003D2DE4

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: d000fac8b0647eca5cd59c75b24c9fd434291408a44372412f3d8ba5a54078da
Instruction ID: 2ac6322734782727c6842e773ad7e6baa95463fd786b623698ca9c7b377ede8b
Opcode Fuzzy Hash: d000fac8b0647eca5cd59c75b24c9fd434291408a44372412f3d8ba5a54078da
Instruction Fuzzy Hash: BEE09272141224FBD7301B72AD4DFEB3E6DEF56BA1F000626F505E11809AB1C840C6B0

Uniqueness

Uniqueness Score: -1.00%

Function 00408863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00389639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00389693
Part of subcall function 00389639: SelectObject.GDI32(?,00000000), ref: 003896A2
Part of subcall function 00389639: BeginPath.GDI32(?), ref: 003896B9
Part of subcall function 00389639: SelectObject.GDI32(?,00000000), ref: 003896E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00408887
LineTo.GDI32(?,?,?), ref: 00408894
EndPath.GDI32(?), ref: 004088A4
StrokePath.GDI32(?), ref: 004088B2

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: ff770ab50176afb24cb317137261ae12a194e149ee3b79137ba0131fb0949ae9
Instruction ID: a014d5348402b5a3df1471037bcb05c2f5e3d9256099cb4b954ddf91a8baf2c2
Opcode Fuzzy Hash: ff770ab50176afb24cb317137261ae12a194e149ee3b79137ba0131fb0949ae9
Instruction Fuzzy Hash: 04F09A36002218FAEB122F94AD09FCA3E19AF06310F048121FA01750E1C7780550CFED

Uniqueness

Uniqueness Score: -1.00%

Function 003898B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 003898CC
SetTextColor.GDI32(?,?), ref: 003898D6
SetBkMode.GDI32(?,00000001), ref: 003898E9
GetStockObject.GDI32(00000005), ref: 003898F1

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 133b53849db16ceae6bdd1af511436cc3935637ce258c73288c3d3a00dbdf371
Instruction ID: d7ea22e0875fbdccc80a0775d1be24435590882980a6f517335f8efbe6a3c140
Opcode Fuzzy Hash: 133b53849db16ceae6bdd1af511436cc3935637ce258c73288c3d3a00dbdf371
Instruction Fuzzy Hash: D9E06531244240EEDB215B74AD49BE83F10AB52335F048329FAF5A80E1C77146519F10

Uniqueness

Uniqueness Score: -1.00%

Function 003D162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 003D1634
OpenThreadToken.ADVAPI32(00000000,?,?,?,003D11D9), ref: 003D163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,003D11D9), ref: 003D1648
OpenProcessToken.ADVAPI32(00000000,?,?,?,003D11D9), ref: 003D164F

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: a9a4cd331fcc5c3c4db30c7dbcb1d37b256951b43dbaa900aed705bb2cf64793
Instruction ID: 053bc463617d07955b3b9fea2bc1858508215bf9070a26825e3f6b149dd92918
Opcode Fuzzy Hash: a9a4cd331fcc5c3c4db30c7dbcb1d37b256951b43dbaa900aed705bb2cf64793
Instruction Fuzzy Hash: 62E08632601211EBE7201FF0AF4DB463B7CAF44791F158929F645E9080D6348440C798

Uniqueness

Uniqueness Score: -1.00%

Function 003CD858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 003CD858
GetDC.USER32(00000000), ref: 003CD862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 003CD882
ReleaseDC.USER32(?), ref: 003CD8A3

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 13e43656d5eb0c68bfc7edd9b06a1ac5fd633201950a4349bcdb88a8fa860f91
Instruction ID: e9096da57c82a980d925e0ba5d8537ed7da6fa04f9fb6af8c519b4af3a7cebdb
Opcode Fuzzy Hash: 13e43656d5eb0c68bfc7edd9b06a1ac5fd633201950a4349bcdb88a8fa860f91
Instruction Fuzzy Hash: 2BE09AB5800205DFCF52AFA0DA88A6DBBB6FB08311F149569F846F7250CB399942AF54

Uniqueness

Uniqueness Score: -1.00%

Function 003CD86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 003CD86C
GetDC.USER32(00000000), ref: 003CD876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 003CD882
ReleaseDC.USER32(?), ref: 003CD8A3

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 6a98bbe2127404e64e3bdc509e95853022be4d9a4b9ebadf632cca82d1ed9130
Instruction ID: b96638ab04ea76a4c231268316cafaa0906ca4f4c15e49d778308e48dde0fd86
Opcode Fuzzy Hash: 6a98bbe2127404e64e3bdc509e95853022be4d9a4b9ebadf632cca82d1ed9130
Instruction Fuzzy Hash: 91E09AB5800204DFCF61AFA0D98866DBBB5BB08311F149559E94AF7250CB3959029F54

Uniqueness

Uniqueness Score: -1.00%

Function 003E4D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00377620: _wcslen.LIBCMT ref: 00377625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 003E4ED4

Strings

LPT, xrefs: 003E4DFB
*, xrefs: 003E4E10

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: e61f9295e577ed9ff4e8dbba2850459a6c4f6030fe0347549f8114c35d698fc9
Instruction ID: 0ce32193688131c149b07976ff1f0d973c96178ec6abe6cfe59a87abea810cb2
Opcode Fuzzy Hash: e61f9295e577ed9ff4e8dbba2850459a6c4f6030fe0347549f8114c35d698fc9
Instruction Fuzzy Hash: 6091C474A00254DFCB16DF55C484EAABBF5BF48704F198199E80A9F3A2C735ED86CB90

Uniqueness

Uniqueness Score: -1.00%

Function 003F7771 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(003C569E,00000000,?,0040CC08,?,00000000,00000000), ref: 003F78DD

Part of subcall function 00376B57: _wcslen.LIBCMT ref: 00376B6A

CharUpperBuffW.USER32(003C569E,00000000,?,0040CC08,00000000,?,00000000,00000000), ref: 003F783B

Strings

<sC, xrefs: 003F77C8

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: BuffCharUpper$_wcslen
String ID: <sC
API String ID: 3544283678-972554233
Opcode ID: 9295956608ecd175517e8d6f5a8403551e86a2acf78e4533d3a0e2980281f70c
Instruction ID: 62d494273189a23f25098033160bb6fc7d56985f88af82d8fd9d89915fa9af92
Opcode Fuzzy Hash: 9295956608ecd175517e8d6f5a8403551e86a2acf78e4533d3a0e2980281f70c
Instruction Fuzzy Hash: CE61527591411DEACF26EBA4CC92DFDB3B8BF14300B548125F646BB091EF785A05DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0038E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0038E1B1

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: ee6e8a7fb5eca653f615bb7750f26367f65ce865ebfa8574f602fe4701a5a453
Instruction ID: 02cffc4429db72ee7eb44f3275926c2a96661c4892d98f4467e8d70da15e2a8b
Opcode Fuzzy Hash: ee6e8a7fb5eca653f615bb7750f26367f65ce865ebfa8574f602fe4701a5a453
Instruction Fuzzy Hash: B0510275500346DFDB27EF68C481BBA7BA8EF25310F248499EC91DB290D6349D52CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0038F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0038F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 0038F2BB

Strings

@, xrefs: 0038F2AF

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: d1bae9dfd6ac2aa701057a6ff20cc6d1e1f843283a41879d9a46d1ead39f1516
Instruction ID: 32b3328469abaa5a77be2f0068a9619b1d00ee9b06999c4a59282d14fffa6ee9
Opcode Fuzzy Hash: d1bae9dfd6ac2aa701057a6ff20cc6d1e1f843283a41879d9a46d1ead39f1516
Instruction Fuzzy Hash: 9F5164724187449BD331AF20DC86BAFBBF8FB94304F81885CF1D9450A5EB708529CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 003F5745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 003F57E0
_wcslen.LIBCMT ref: 003F57EC

Strings

CALLARGARRAY, xrefs: 003F57E6, 003F57EB

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 13a86e7daf26fcd450d2b7703f43730e8888d1fb8d0eefe95dac382dbc4716dc
Instruction ID: 427e3a2d09943a711463f13c1a6880e829e912d5b9ffbe4f8c8c784f42e4b744
Opcode Fuzzy Hash: 13a86e7daf26fcd450d2b7703f43730e8888d1fb8d0eefe95dac382dbc4716dc
Instruction Fuzzy Hash: 1E41A471E00209DFCB15EFA9C8819BEBBB5FF59350F11416AF605AB291E7349D81CB90

Uniqueness

Uniqueness Score: -1.00%

Function 003ED0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 003ED130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 003ED13A

Strings

|, xrefs: 003ED10B

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 0a02d7d5a790f9383f3cc9dc08e36431dcac69d0ef9b80cede116c055facda23
Instruction ID: 1c30d1d08f4c80378a6e22574aeed2549226466778a9f3e7a612c7adde967300
Opcode Fuzzy Hash: 0a02d7d5a790f9383f3cc9dc08e36431dcac69d0ef9b80cede116c055facda23
Instruction Fuzzy Hash: F8313E71D00219ABCF16EFA5CD85EEE7FB9FF04300F004119F819AA162D735AA06DB61

Uniqueness

Uniqueness Score: -1.00%

Function 0040356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00403621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0040365C

Strings

static, xrefs: 004035BC

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 11108c1f3a0fad221259b960de0e8253ef7b650a7a27f4e95025245d0d98be16
Instruction ID: 32d6da8242b096c4aeb46cab2db2f9a6b24e53cc880a527e5ef11b1a358953c0
Opcode Fuzzy Hash: 11108c1f3a0fad221259b960de0e8253ef7b650a7a27f4e95025245d0d98be16
Instruction Fuzzy Hash: 9D31A171100604AADB20DF74DC80EBB77ADFF48714F10962EF895A7290DA39AD81C764

Uniqueness

Uniqueness Score: -1.00%

Function 00404537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 0040461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00404634

Strings

', xrefs: 0040458E

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: a5baa77e7ddc583a5e809c3f5c4768b7b6e058d3c38e92e54d8a47580679dc2a
Instruction ID: 4b9a1dca9b26412cbf88e3c337a3dd89499a02deb68cdf234c8267733541f754
Opcode Fuzzy Hash: a5baa77e7ddc583a5e809c3f5c4768b7b6e058d3c38e92e54d8a47580679dc2a
Instruction Fuzzy Hash: BB313DB4A01309AFDB14CFA5C980BDA7BB5FF89300F10447AEA04AB391E775A941CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00373923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 003B33A2

Part of subcall function 00376B57: _wcslen.LIBCMT ref: 00376B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00373A04

Strings

Line: , xrefs: 003B33EB

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 99d4f534a6ec6c81b76c9496f886f33d8370998d747eed4611f784696e9b7276
Instruction ID: 1c14e9335ec686cccb52c2f68d82e83cee6db8e461923bec3d33dbffb5abdb88
Opcode Fuzzy Hash: 99d4f534a6ec6c81b76c9496f886f33d8370998d747eed4611f784696e9b7276
Instruction Fuzzy Hash: 2231D671508310AAD732EF20DC56BEFB7E8AB81710F10892AF59D970A1DB789648C7C6

Uniqueness

Uniqueness Score: -1.00%

Function 004031EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0040327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00403287

Strings

Combobox, xrefs: 00403249

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: b2ae1c2465a2f43b88dc021fc4e433e8e9f97af36f56937e602f345ca4b23000
Instruction ID: edaa5f3c3aa831077fe0a969cd538b4b0ba1af553172766865f2185be612a3fa
Opcode Fuzzy Hash: b2ae1c2465a2f43b88dc021fc4e433e8e9f97af36f56937e602f345ca4b23000
Instruction Fuzzy Hash: C411B2713002087FEF219F94DC81EBB3B6EEB983A5F10457AF918AB2D0D6399D518764

Uniqueness

Uniqueness Score: -1.00%

Function 00403710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0037600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0037604C
Part of subcall function 0037600E: GetStockObject.GDI32(00000011), ref: 00376060
Part of subcall function 0037600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0037606A

GetWindowRect.USER32(00000000,?), ref: 0040377A
GetSysColor.USER32(00000012), ref: 00403794

Strings

static, xrefs: 00403757

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 3731b9627e053435bfe936fb5f7bb19ed6154c0bdc6d7d2320f0259b3f9b7b3d
Instruction ID: 2620eaf5c9f76d8460e8b8c5f2de65ffceacc25b7ad43313c7a7773f22d631ce
Opcode Fuzzy Hash: 3731b9627e053435bfe936fb5f7bb19ed6154c0bdc6d7d2320f0259b3f9b7b3d
Instruction Fuzzy Hash: 9A1129B2610209AFDB11DFA8CC46EEA7BB8EB08315F004A25F955E3290D739E8619B54

Uniqueness

Uniqueness Score: -1.00%

Function 003ECD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 003ECD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 003ECDA6

Strings

<local>, xrefs: 003ECD66

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 09b1b7203dba9b23f6c54cfc59b9ce8f6ebc115ca25bd257abad674cb2829ef0
Instruction ID: ecf2ca49f2838c672a8055871e7415412e7547b4f4246d59216568d532b5854a
Opcode Fuzzy Hash: 09b1b7203dba9b23f6c54cfc59b9ce8f6ebc115ca25bd257abad674cb2829ef0
Instruction Fuzzy Hash: 0B11A371225672BAD7254B678C85EEBBEACEB127A4F005336B109930C0D6759842D6F0

Uniqueness

Uniqueness Score: -1.00%

Function 00403429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 004034AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 004034BA

Strings

edit, xrefs: 0040348F

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 46c419ba51b0f7bbf17c16607aa2b1666ebb698c1bac3b0804362004de00cf0c
Instruction ID: 3865e2c556960f7be338165a6936e74303dd8127eae46a7ca59d1d7b5d163567
Opcode Fuzzy Hash: 46c419ba51b0f7bbf17c16607aa2b1666ebb698c1bac3b0804362004de00cf0c
Instruction Fuzzy Hash: AC11BF71100108ABEB224F64DC80AAB3B6EEF05379F504735F960AB2E0C779EC519B59

Uniqueness

Uniqueness Score: -1.00%

Function 003D6C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00379CB3: _wcslen.LIBCMT ref: 00379CBD

CharUpperBuffW.USER32(?,?,?), ref: 003D6CB6
_wcslen.LIBCMT ref: 003D6CC2

Strings

STOP, xrefs: 003D6CBC, 003D6CC1

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 9e5d0e75b1767cf058dee91c841c316f02ed082b370948eb994cb86db63c6e60
Instruction ID: abc1a2d8340419db36dd74636faa12c94f7f0baedff8bfde01690853796e19d9
Opcode Fuzzy Hash: 9e5d0e75b1767cf058dee91c841c316f02ed082b370948eb994cb86db63c6e60
Instruction Fuzzy Hash: 5A0104336109278ACB22AFBDEC829BF33A9EB607107010536E87297295EB35D800C650

Uniqueness

Uniqueness Score: -1.00%

Function 003D1CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00379CB3: _wcslen.LIBCMT ref: 00379CBD

Part of subcall function 003D3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 003D3CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 003D1D4C

Strings

ListBox, xrefs: 003D1D16
ComboBox, xrefs: 003D1CEB

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 8f7bf87e958e2d483a63b3d774199150fdc71f4364a0b400169693bcff5cd147
Instruction ID: 94e79ab38407e346d8d634ec71e20b0b59b7a9668b3462ee9d08b417a0c59ba8
Opcode Fuzzy Hash: 8f7bf87e958e2d483a63b3d774199150fdc71f4364a0b400169693bcff5cd147
Instruction Fuzzy Hash: 29012832610218BBCB16FBA0DC51DFE7369FB16350B10061BF8266B3C1EB3459088661

Uniqueness

Uniqueness Score: -1.00%

Function 003D1BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00379CB3: _wcslen.LIBCMT ref: 00379CBD

Part of subcall function 003D3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 003D3CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 003D1C46

Strings

ListBox, xrefs: 003D1C10
ComboBox, xrefs: 003D1BE5

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 3cdd8979a12a75b72ea71249ec2da0b9ad62b7b27e51e469cdd2dddbd46c4983
Instruction ID: 738f3b393fe58f31e8079f6b46e652d4c2c581ef720d461d16d5f2bc5ed5ad12
Opcode Fuzzy Hash: 3cdd8979a12a75b72ea71249ec2da0b9ad62b7b27e51e469cdd2dddbd46c4983
Instruction Fuzzy Hash: B401A776B9110477DF16EB90EE52EFF77AC9B15340F14011BA4067B382EA249E08D6B6

Uniqueness

Uniqueness Score: -1.00%

Function 003D1C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00379CB3: _wcslen.LIBCMT ref: 00379CBD

Part of subcall function 003D3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 003D3CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 003D1CC8

Strings

ListBox, xrefs: 003D1C94
ComboBox, xrefs: 003D1C69

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 6618ef80113c123879e7eb66dc3dce8d6ca1cfe4fb2c174c2e4ff8859691e05d
Instruction ID: 7329f3b73e06940a72ff569e19d612796ee26e93e3adc804a8d4b727f3c70344
Opcode Fuzzy Hash: 6618ef80113c123879e7eb66dc3dce8d6ca1cfe4fb2c174c2e4ff8859691e05d
Instruction Fuzzy Hash: B401A2B279011877CB26EBA0DA02FFE73ACAB11340F140117B80677381EA259F08D672

Uniqueness

Uniqueness Score: -1.00%

Function 0038A4D6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0038A529

Part of subcall function 00379CB3: _wcslen.LIBCMT ref: 00379CBD

Strings

3y<, xrefs: 0038A545, 0038A54D, 0038A552
,%D, xrefs: 0038A509

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: Init_thread_footer_wcslen
String ID: ,%D$3y<
API String ID: 2551934079-3079420674
Opcode ID: 56ce6d8cab664613b43ecb53d864043d1815550aa53fda83210795c3970c0817
Instruction ID: 846f43838b866db4a0c00779a2ca7e95264f80494b3304e79f3fb5e72f644bf1
Opcode Fuzzy Hash: 56ce6d8cab664613b43ecb53d864043d1815550aa53fda83210795c3970c0817
Instruction Fuzzy Hash: E7017B31700B109BEA17F368E80BBAD7364DB06710F5041A7F5451F2C2DF645D418B9B

Uniqueness

Uniqueness Score: -1.00%

Function 00408172 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00443018,0044305C), ref: 004081BF
CloseHandle.KERNEL32 ref: 004081D1

Strings

\0D, xrefs: 0040818A

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: \0D
API String ID: 3712363035-873512380
Opcode ID: 9f451495f0f4c32b39adedff28c1f49a6f959be130f30092447b0d7c1a0cca8a
Instruction ID: 97c2e66bbaa2716629e3c5e1a80ee840ee94bdbe8143f5bde66ab4e01e23b236
Opcode Fuzzy Hash: 9f451495f0f4c32b39adedff28c1f49a6f959be130f30092447b0d7c1a0cca8a
Instruction Fuzzy Hash: D6F054B5640300BAF7206F616C45F773A5CDB06B52F004531BF08E91A2D67A8E0082BC

Uniqueness

Uniqueness Score: -1.00%

Function 003F747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 003F7493
_wcslen.LIBCMT ref: 003F74B9

Strings

3, 3, 16, 1, xrefs: 003F7483

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 376cbd4b179227cf864863dfb2882fc165f799ed810a5ddfc9805dbd77ef7d3f
Instruction ID: a5b6abfbc573c55feaf235a7d38e53c757b9dc51ad33babd88fde7381961b529
Opcode Fuzzy Hash: 376cbd4b179227cf864863dfb2882fc165f799ed810a5ddfc9805dbd77ef7d3f
Instruction Fuzzy Hash: F0E02B02204224109233227B9CC5E7F5689CFC9790710182BFA81C6366EB948D9293A0

Uniqueness

Uniqueness Score: -1.00%

Function 003D0B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 003D0B23

Strings

AutoIt, xrefs: 003D0B17
Error allocating memory., xrefs: 003D0B1C

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 499862febf45dde6cf7195401a210ce9b826dc89d201452e241fe3ed26e61e1d
Instruction ID: c15205c0488cba405c7b0796a4654259ad18e8b610f769bc09dd49a99fff3248
Opcode Fuzzy Hash: 499862febf45dde6cf7195401a210ce9b826dc89d201452e241fe3ed26e61e1d
Instruction Fuzzy Hash: B0E04832248358AAD62537947C47F897B848F05F51F204477F758695C38AE5649046ED

Uniqueness

Uniqueness Score: -1.00%

Function 00390D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0038F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00390D71,?,?,?,0037100A), ref: 0038F7CE

IsDebuggerPresent.KERNEL32(?,?,?,0037100A), ref: 00390D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0037100A), ref: 00390D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00390D7F

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: f031eaa54f7f438b3c07aa524f049fedeea34c8459adf5b2e189fee13f1a35d6
Instruction ID: fd134f6c5296c28ea25f1b07d0765d9a78a7c5b6464fcf247dff7a5fb8d9a8ee
Opcode Fuzzy Hash: f031eaa54f7f438b3c07aa524f049fedeea34c8459adf5b2e189fee13f1a35d6
Instruction Fuzzy Hash: 5CE09274200301CFE735AFB8D5483427BE4BF00740F008A7DE896D6AA1DBB4E4488BD1

Uniqueness

Uniqueness Score: -1.00%

Function 0038E398 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0038E3D5

Strings

0%D, xrefs: 0038E3B5
8%D, xrefs: 0038E3CA

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: Init_thread_footer
String ID: 0%D$8%D
API String ID: 1385522511-1400359183
Opcode ID: 7fbd4e4030adf490951f390725bfb4141a491d6a1dc175e15d1562fd2e3d76d5
Instruction ID: de898c257d9d28ba45ed541b4b0b8f8e227050e6163880294de797639826d858
Opcode Fuzzy Hash: 7fbd4e4030adf490951f390725bfb4141a491d6a1dc175e15d1562fd2e3d76d5
Instruction Fuzzy Hash: 77E0863D514B10EFDA0AB718BA55A8A3355EB46320BD151F6F1128B1D19FF42C41875D

Uniqueness

Uniqueness Score: -1.00%

Function 003CD21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 003CD220

Strings

X64, xrefs: 003CD2A8
%.3d, xrefs: 003CD22B

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 0c837d60bac277c81f5b1457e3770ccbdecd71264a05c44bd4f2e91df80e5348
Instruction ID: 058939a7f77b9ae3e6d4ed50c16213c83579028ef10b7c4ee0a2dcf322ae4308
Opcode Fuzzy Hash: 0c837d60bac277c81f5b1457e3770ccbdecd71264a05c44bd4f2e91df80e5348
Instruction Fuzzy Hash: 10D01DA1C04104E9CB51B7D0CC45EB9B37CFB09301F504876F806D1840D634C9445751

Uniqueness

Uniqueness Score: -1.00%

Function 00402356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0040236C
PostMessageW.USER32(00000000), ref: 00402373

Part of subcall function 003DE97B: Sleep.KERNEL32 ref: 003DE9F3

Strings

Shell_TrayWnd, xrefs: 00402365

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: a11d0083485e2de598a9c6f45a172ed70f3a0d41adc166abbff91502f4bccc92
Instruction ID: 2dccd735ae6b0dc89b2a30e8e2965ab8ddb1b52ee538357693edb7262d6a49b0
Opcode Fuzzy Hash: a11d0083485e2de598a9c6f45a172ed70f3a0d41adc166abbff91502f4bccc92
Instruction Fuzzy Hash: 0BD0C976381310BAE668B770AD4FFCA6A189B04B14F514A267645AA1D0CAB4A8018A58

Uniqueness

Uniqueness Score: -1.00%

Function 00402322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0040232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0040233F

Part of subcall function 003DE97B: Sleep.KERNEL32 ref: 003DE9F3

Strings

Shell_TrayWnd, xrefs: 00402325

Memory Dump Source

Source File: 00000001.00000002.2335659067.0000000000371000.00000020.00000001.01000000.00000003.sdmp, Offset: 00370000, based on PE: true

Associated: 00000001.00000002.2335641276.0000000000370000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.000000000040C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335715321.0000000000432000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335756150.000000000043C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.2335783334.0000000000444000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_370000_43643456.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: b72c550128358227a7902a958c34b042a2dc12e79a189413421ee965e9f4b7e2
Instruction ID: 84b216ca7d1902745604143ef9473b3e0135fdd2ed7f4bdcbc61397ec8c922f7
Opcode Fuzzy Hash: b72c550128358227a7902a958c34b042a2dc12e79a189413421ee965e9f4b7e2
Instruction Fuzzy Hash: E9D0C976395310F6E668B770AD5FFCA6A189B04B14F114A267645AA1D0CAB4A8018A58

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 43643456.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\aut5703.tmp

C:\Users\user\AppData\Local\Temp\aut5742.tmp

C:\Users\user\AppData\Local\Temp\brawlys

C:\Users\user\AppData\Local\Temp\intemeration

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Windows Analysis Report
43643456.exe

Function 003742DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Function 003742A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 003B2BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Function 00372CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Function 003A8D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300
COMMONLIBRARYCODE

Function 003B065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Function 0037344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00372B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Function 00373170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Function 00CE2620 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 00372C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 00CE2410 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 135
fileCOMMON

Function 003E2947 Relevance: 7.8, APIs: 5, Instructions: 313
fileCOMMON

Function 003A5AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186
COMMONLIBRARYCODE

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre