Edit tour

Windows Analysis Report
app.exe

Overview

General Information

Sample name:	app.exe
Analysis ID:	1436386
MD5:	75b9ef9142a78671d449c8d22ab6be14
SHA1:	0461f1c46644acde8020bb59b53b1e34b65977ca
SHA256:	e9bc44cf548a70e7285499209973faf44b7374dece1413dfcdc03bf25a6c599c
Tags:	185213208245exe
Infos:

Detection

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Contains functionality to infect the boot sector

Machine Learning detection for sample

PE file contains section with special chars

PE file has a writeable .text section

Queries memory information (via WMI often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to query network adapater information

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Program does not show much activity (idle)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

app.exe (PID: 5348 cmdline: "C:\Users\user\Desktop\app.exe" MD5: 75B9EF9142A78671D449C8D22AB6BE14)

conhost.exe (PID: 6568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: app.exe

Virustotal: Detection: 11%

Perma Link

Machine Learning detection for sample

Source: app.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_024404D0 TlsGetValue,TlsGetValue,TlsSetValue,BCryptGenRandom,TlsSetValue,HeapFree,TlsSetValue,		0_2_024404D0
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_024404C0 TlsGetValue,TlsGetValue,TlsSetValue,BCryptGenRandom,		0_2_024404C0

Source: app.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_00427361 __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA,	0_2_00427361
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_0243A710 CloseHandle,FindFirstFileW,FindClose,HeapFree,HeapFree,HeapFree,	0_2_0243A710
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_02454B93 FindFirstFileExW,	0_2_02454B93
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_0243FEC0 HeapFree,HeapFree,HeapFree,HeapFree,FindFirstFileW,HeapFree,HeapFree,GetLastError,HeapFree,HeapFree,	0_2_0243FEC0

Source: app.exe, 00000000.00000002.2022098881.0000000002300000.00000004.00001000.00020000.00000000.sdmp

String found in binary or memory: https://POSTHTTP/1.1Content-Type:

Source: C:\Users\user\Desktop\app.exe

Code function: 0_2_00424B38 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,

0_2_00424B38

System Summary

PE file contains section with special chars

Source: app.exe

Static PE information: section name: )m&

PE file has a writeable .text section

Source: app.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_024302D0 GetStdHandle,GetLastError,GetConsoleMode,NtWriteFile,WaitForSingleObject,RtlNtStatusToDosError,CloseHandle,	0_2_024302D0
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_024377D0 NtReadFile,WaitForSingleObject,RtlNtStatusToDosError,	0_2_024377D0
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_02419E36 AcquireSRWLockExclusive,AcquireSRWLockExclusive,NtDeviceIoControlFile,RtlNtStatusToDosError,AcquireSRWLockExclusive,AcquireSRWLockExclusive,AcquireSRWLockExclusive,AcquireSRWLockExclusive,	0_2_02419E36

Source: C:\Users\user\Desktop\app.exe

Code function: 0_2_0040A44A: GetCurrentProcess,SetPriorityClass,CreateFileA,DeviceIoControl,CloseHandle,GetCurrentProcess,SetPriorityClass,

0_2_0040A44A

Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_004092DE	0_2_004092DE
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_00404358	0_2_00404358
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_0040941D	0_2_0040941D
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_0040964F	0_2_0040964F
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_0040A770	0_2_0040A770
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_00407703	0_2_00407703
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_004077F6	0_2_004077F6
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_00409A38	0_2_00409A38
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_00412AC0	0_2_00412AC0
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_00425B56	0_2_00425B56
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_00407DBE	0_2_00407DBE
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_00404E54	0_2_00404E54
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_00418E0E	0_2_00418E0E
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_023F01BB	0_2_023F01BB
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_024491D2	0_2_024491D2
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_0242E5F7	0_2_0242E5F7
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_0240AA16	0_2_0240AA16
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_023F3ABA	0_2_023F3ABA
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_02441862	0_2_02441862
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_02401E40	0_2_02401E40
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_0240BD08	0_2_0240BD08
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_02410225	0_2_02410225
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_02413224	0_2_02413224
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_02443239	0_2_02443239
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_024272C2	0_2_024272C2
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_024342F5	0_2_024342F5
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_0241628E	0_2_0241628E
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_0243F340	0_2_0243F340
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_023D6320	0_2_023D6320
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_0244430E	0_2_0244430E
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_0244632B	0_2_0244632B
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_0244D3C0	0_2_0244D3C0
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_0245D3D0	0_2_0245D3D0
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_024153DD	0_2_024153DD
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_023FC38E	0_2_023FC38E
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_02453389	0_2_02453389
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_024613BD	0_2_024613BD
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_023EA020	0_2_023EA020
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_02413001	0_2_02413001
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_0242E030	0_2_0242E030
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_024420E3	0_2_024420E3
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_023EB090	0_2_023EB090
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_023D3130	0_2_023D3130
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_0245E16F	0_2_0245E16F
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_0241B13B	0_2_0241B13B
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_023DA1B0	0_2_023DA1B0
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_023F11A0	0_2_023F11A0
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_02421180	0_2_02421180
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_023DB1F0	0_2_023DB1F0
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_0245E605	0_2_0245E605
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_023D2670	0_2_023D2670
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_023EB695	0_2_023EB695
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_02430690	0_2_02430690
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_0241C6AE	0_2_0241C6AE
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_023E771C	0_2_023E771C
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_023E670C	0_2_023E670C
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_023E7754	0_2_023E7754
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_023D3790	0_2_023D3790
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_023E47F3	0_2_023E47F3
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_02416468	0_2_02416468
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_023D3400	0_2_023D3400
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_023F2449	0_2_023F2449
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_0245F4C2	0_2_0245F4C2
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_024274D0	0_2_024274D0
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_024234D6	0_2_024234D6
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_023DE490	0_2_023DE490
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_023DB4C0	0_2_023DB4C0
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_02414544	0_2_02414544
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_0244352A	0_2_0244352A
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_024085C9	0_2_024085C9
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_024485F4	0_2_024485F4
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_02408A44	0_2_02408A44
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_023FBAB0	0_2_023FBAB0
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_023E3AF8	0_2_023E3AF8
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_02414A88	0_2_02414A88
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_02441B40	0_2_02441B40
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_02412B5E	0_2_02412B5E
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_023FDB7B	0_2_023FDB7B
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_023FEB69	0_2_023FEB69
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_02426B1B	0_2_02426B1B
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_0245BB18	0_2_0245BB18
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_023F6B58	0_2_023F6B58
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_023D1B50	0_2_023D1B50
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_023DBB50	0_2_023DBB50
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_023DAB90	0_2_023DAB90
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_0245D844	0_2_0245D844
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_0240585F	0_2_0240585F
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_023D48A0	0_2_023D48A0
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_023DF8EC	0_2_023DF8EC
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_02443890	0_2_02443890
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_024298A5	0_2_024298A5
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_023E3962	0_2_023E3962
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_023D9950	0_2_023D9950
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_023E799F	0_2_023E799F
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_02431E40	0_2_02431E40
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_02460E40	0_2_02460E40
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_023FAE37	0_2_023FAE37
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_02427E74	0_2_02427E74
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_02419E36	0_2_02419E36
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_02426ECC	0_2_02426ECC
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_0241DEE0	0_2_0241DEE0
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_023F7EF1	0_2_023F7EF1
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_023D6EC0	0_2_023D6EC0
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_02426F5B	0_2_02426F5B
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_023E2F21	0_2_023E2F21
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_0241CF7C	0_2_0241CF7C
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_023F3C05	0_2_023F3C05
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_02420C00	0_2_02420C00
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_02407C09	0_2_02407C09
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_023E2C6E	0_2_023E2C6E
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_023F7C6F	0_2_023F7C6F
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_02426CC5	0_2_02426CC5
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_02445CD3	0_2_02445CD3
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_023F7CA3	0_2_023F7CA3
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_0245DCE6	0_2_0245DCE6
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_023D2C90	0_2_023D2C90
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_0245FCA7	0_2_0245FCA7
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_02412D42	0_2_02412D42
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_02424D4A	0_2_02424D4A
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_02417D14	0_2_02417D14
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_02418D25	0_2_02418D25
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_02426DD2	0_2_02426DD2
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_02434DD0	0_2_02434DD0

Source: C:\Users\user\Desktop\app.exe	Code function: String function: 00416398 appears 132 times
Source: C:\Users\user\Desktop\app.exe	Code function: String function: 0244DE90 appears 33 times
Source: C:\Users\user\Desktop\app.exe	Code function: String function: 023D3D50 appears 96 times
Source: C:\Users\user\Desktop\app.exe	Code function: String function: 00416EF8 appears 50 times
Source: C:\Users\user\Desktop\app.exe	Code function: String function: 0245CAF0 appears 158 times
Source: C:\Users\user\Desktop\app.exe	Code function: String function: 0245C9A0 appears 60 times

Source: app.exe, 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilename vs app.exe
Source: app.exe	Binary or memory string: OriginalFilename vs app.exe

Source: app.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: app.exe	Binary string: Could not open \device\physicalmemory
Source: app.exe	Binary string: Could not map view of %X length %XCould not open \device\physicalmemory\device\physicalmemoryRtlNtStatusToDosErrorNtMapViewOfSectionNtOpenSectionNtUnmapViewOfSectionntdll.dllRtlInitUnicodeString%c

Source: classification engine

Classification label: mal76.evad.winEXE@2/0@0/0

Source: C:\Users\user\Desktop\app.exe

Code function: 0_2_02432A50 GetModuleHandleW,FormatMessageW,GetLastError,HeapFree,

0_2_02432A50

Source: C:\Users\user\Desktop\app.exe

Code function: 0_2_0040A130 GetVersionExA,CoCreateInstance,CoSetProxyBlanket,VariantInit,lstrlenW,lstrcpynA,WideCharToMultiByte,_strcat,

0_2_0040A130

Source: C:\Users\user\Desktop\app.exe

Code function: 0_2_00423119 EnableWindow,GetActiveWindow,SetActiveWindow,FreeResource,

0_2_00423119

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6568:120:WilError_03
Source: C:\Users\user\Desktop\app.exe	Mutant created: \Sessions\1\BaseNamedObjects\hrzbaov

Source: app.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: C:\Users\user\Desktop\app.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM Win32_Process

Source: C:\Users\user\Desktop\app.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: app.exe

Virustotal: Detection: 11%

Source: unknown	Process created: C:\Users\user\Desktop\app.exe "C:\Users\user\Desktop\app.exe"
Source: C:\Users\user\Desktop\app.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: C:\Users\user\Desktop\app.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\app.exe	Section loaded: oledlg.dll	Jump to behavior
Source: C:\Users\user\Desktop\app.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\app.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\app.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\app.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\app.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\app.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\app.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\app.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\app.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\app.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\app.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\app.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\app.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\app.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\app.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\app.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\app.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\app.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\app.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\app.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\app.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\app.exe	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Users\user\Desktop\app.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: app.exe

Static file information: File size 1290240 > 1048576

Source: C:\Users\user\Desktop\app.exe

Code function: 0_2_0042C59F VirtualAlloc,VirtualAlloc,LoadLibraryA,GetProcAddress,

0_2_0042C59F

Source: app.exe

Static PE information: section name: )m&

Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_00416398 push eax; ret	0_2_004163B6
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_00415460 push eax; ret	0_2_00415474
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_00415460 push eax; ret	0_2_0041549C
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_0047EC7F push FFFFFFA1h; retf	0_2_0047EC82
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_00416F33 push ecx; ret	0_2_00416F43
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_024623AD push es; iretd	0_2_02462454
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_0245C6A1 push ecx; ret	0_2_0245C6B4
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_02463881 push eax; ret	0_2_02463882
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_0246691F push eax; ret	0_2_02466997

Persistence and Installation Behavior

Contains functionality to infect the boot sector

Source: C:\Users\user\Desktop\app.exe	Code function: CreateFileA,CreateFileA,_strncpy,DeviceIoControl,CloseHandle,CloseHandle,CreateFileA,DeviceIoControl,CloseHandle,CloseHandle,CreateFileA,DeviceIoControl,DeviceIoControl,CloseHandle,CloseHandle,GetSystemDirectoryA,CopyFileA,CreateFileA,DeviceIoControl,CloseHandle,GetCurrentProcess,SetPriorityClass,GetCurrentDirectoryA,CreateFileA,FindResourceA,LoadResource,LockResource,SizeofResource,WriteFile,FreeResource,CloseHandle,CloseHandle,CreateFileA,DeleteFileA,DeviceIoControl,CloseHandle,CloseHandle, \\.\PhysicalDrive%d	0_2_0040A770
Source: C:\Users\user\Desktop\app.exe	Code function: CreateFileA,CreateFileA,_strncpy,DeviceIoControl,CloseHandle,CloseHandle,CreateFileA,DeviceIoControl,CloseHandle,CloseHandle,CreateFileA,DeviceIoControl,DeviceIoControl,CloseHandle,CloseHandle,GetSystemDirectoryA,CopyFileA,CreateFileA,DeviceIoControl,CloseHandle,GetCurrentProcess,SetPriorityClass,GetCurrentDirectoryA,CreateFileA,FindResourceA,LoadResource,LockResource,SizeofResource,WriteFile,FreeResource,CloseHandle,CloseHandle,CreateFileA,DeleteFileA,DeviceIoControl,CloseHandle,CloseHandle, \\.\PhysicalDrive%d	0_2_0040A770
Source: C:\Users\user\Desktop\app.exe	Code function: CreateFileA,DeviceIoControl,_strcat,_strcat,CloseHandle, \\.\PhysicalDrive%d	0_2_00409F46

Boot Survival

Contains functionality to infect the boot sector

Source: C:\Users\user\Desktop\app.exe	Code function: CreateFileA,CreateFileA,_strncpy,DeviceIoControl,CloseHandle,CloseHandle,CreateFileA,DeviceIoControl,CloseHandle,CloseHandle,CreateFileA,DeviceIoControl,DeviceIoControl,CloseHandle,CloseHandle,GetSystemDirectoryA,CopyFileA,CreateFileA,DeviceIoControl,CloseHandle,GetCurrentProcess,SetPriorityClass,GetCurrentDirectoryA,CreateFileA,FindResourceA,LoadResource,LockResource,SizeofResource,WriteFile,FreeResource,CloseHandle,CloseHandle,CreateFileA,DeleteFileA,DeviceIoControl,CloseHandle,CloseHandle, \\.\PhysicalDrive%d	0_2_0040A770
Source: C:\Users\user\Desktop\app.exe	Code function: CreateFileA,CreateFileA,_strncpy,DeviceIoControl,CloseHandle,CloseHandle,CreateFileA,DeviceIoControl,CloseHandle,CloseHandle,CreateFileA,DeviceIoControl,DeviceIoControl,CloseHandle,CloseHandle,GetSystemDirectoryA,CopyFileA,CreateFileA,DeviceIoControl,CloseHandle,GetCurrentProcess,SetPriorityClass,GetCurrentDirectoryA,CreateFileA,FindResourceA,LoadResource,LockResource,SizeofResource,WriteFile,FreeResource,CloseHandle,CloseHandle,CreateFileA,DeleteFileA,DeviceIoControl,CloseHandle,CloseHandle, \\.\PhysicalDrive%d	0_2_0040A770
Source: C:\Users\user\Desktop\app.exe	Code function: CreateFileA,DeviceIoControl,_strcat,_strcat,CloseHandle, \\.\PhysicalDrive%d	0_2_00409F46

Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_00401660 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,		0_2_00401660
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_0040CFF1 IsIconic,GetWindowPlacement,GetWindowRect,		0_2_0040CFF1

Source: C:\Users\user\Desktop\app.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Queries memory information (via WMI often done to detect virtual machines)

Source: C:\Users\user\Desktop\app.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM CIM_Memory

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: app.exe, 00000000.00000003.1976771818.0000000000871000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000000.00000002.2021942238.0000000000867000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000000.00000003.2021386733.0000000000864000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000000.00000003.2021401793.0000000000866000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: IDAQ.EXE

Source: C:\Users\user\Desktop\app.exe

Code function: 0_2_00408FF2 rdtsc

0_2_00408FF2

Source: C:\Users\user\Desktop\app.exe

Code function: __EH_prolog,LoadLibraryA,FreeLibrary,GetAdaptersInfo,_strcat,GetAdaptersInfo,

0_2_00402D69

Source: C:\Users\user\Desktop\app.exe

API coverage: 1.8 %

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_00427361 __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA,	0_2_00427361
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_0243A710 CloseHandle,FindFirstFileW,FindClose,HeapFree,HeapFree,HeapFree,	0_2_0243A710
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_02454B93 FindFirstFileExW,	0_2_02454B93
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_0243FEC0 HeapFree,HeapFree,HeapFree,HeapFree,FindFirstFileW,HeapFree,HeapFree,GetLastError,HeapFree,HeapFree,	0_2_0243FEC0

Source: C:\Users\user\Desktop\app.exe

Code function: 0_2_0041E91D VirtualQuery,GetSystemInfo,VirtualQuery,VirtualAlloc,VirtualProtect,

0_2_0041E91D

Source: C:\Users\user\Desktop\app.exe

Code function: 0_2_00408FF2 rdtsc

0_2_00408FF2

Source: C:\Users\user\Desktop\app.exe

Code function: 0_2_024544E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_024544E2

Source: C:\Users\user\Desktop\app.exe

Code function: 0_2_0042C59F VirtualAlloc,VirtualAlloc,LoadLibraryA,GetProcAddress,

0_2_0042C59F

Source: C:\Users\user\Desktop\app.exe

Code function: 0_2_0243D430 GetProcessHeap,RtlAllocateHeap,

0_2_0243D430

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_0041B198 SetUnhandledExceptionFilter,	0_2_0041B198
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_0041B1AC SetUnhandledExceptionFilter,	0_2_0041B1AC
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_023DEAC0 RtlAddVectoredExceptionHandler,SetThreadStackGuarantee,GetLastError,HeapFree,HeapFree,	0_2_023DEAC0
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_0244E0C8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0244E0C8
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_024544E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_024544E2
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_0244DC6E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0244DC6E
Source: C:\Users\user\Desktop\app.exe	Code function: 0_2_0244DDCA SetUnhandledExceptionFilter,	0_2_0244DDCA

Source: C:\Users\user\Desktop\app.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\app.exe

Code function: 0_2_00409127 cpuid

0_2_00409127

Source: C:\Users\user\Desktop\app.exe	Code function: GetThreadLocale,GetLocaleInfoA,GetACP,	0_2_00401000
Source: C:\Users\user\Desktop\app.exe	Code function: GetLocaleInfoA,	0_2_0041E705
Source: C:\Users\user\Desktop\app.exe	Code function: lstrcpyA,wsprintfA,LoadLibraryA,GetLocaleInfoA,	0_2_00429E88

Source: C:\Users\user\Desktop\app.exe

Code function: 0_2_0041C882 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_0041C882

Source: C:\Users\user\Desktop\app.exe

Code function: 0_2_00415DDE EntryPoint,GetVersionExA,GetModuleHandleA,GetModuleHandleA,_fast_error_exit,_fast_error_exit,GetCommandLineA,GetStartupInfoA,GetModuleHandleA,

0_2_00415DDE

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	21 Windows Management Instrumentation	1 Bootkit	1 Process Injection	1 Disable or Modify Tools	1 Input Capture	1 System Time Discovery	Remote Services	1 Input Capture	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Process Injection	LSASS Memory	33 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Obfuscated Files or Information	NTDS	1 System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Bootkit	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	25 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Link
app.exe	11%	ReversingLabs
app.exe	11%	Virustotal	Browse
app.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
https://POSTHTTP/1.1Content-Type:	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
https://POSTHTTP/1.1Content-Type:	app.exe, 00000000.00000002.2022098881.0000000002300000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1436386
Start date and time:	2024-05-05 00:18:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 46s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	3
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	app.exe
Detection:	MAL
Classification:	mal76.evad.winEXE@2/0@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 37 Number of non-executed functions: 221
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.

File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	7.441704402192102
TrID:	Win32 Executable (generic) a (10002005/4) 99.83% Windows Screen Saver (13104/52) 0.13% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	app.exe
File size:	1'290'240 bytes
MD5:	75b9ef9142a78671d449c8d22ab6be14
SHA1:	0461f1c46644acde8020bb59b53b1e34b65977ca
SHA256:	e9bc44cf548a70e7285499209973faf44b7374dece1413dfcdc03bf25a6c599c
SHA512:	14ef889f580c02e319b6d9d899ddbd1bd523c1d8b493eab8b98da6d3d276d76efb9b5694759df7d68bb9d002a8ace8fc82d22121a7b4ea236d5f9cef38cc809c
SSDEEP:	24576:CIFxe+AY3rqYsavMOQdbac5IQH97wiI3dzAr09UDZ5YUD8:1xeSNR0vbac5/d8P3diDZ6q
TLSH:	8255CF05F3D2B8B1D15192772DC96161B6ED993048D83F0732D0EE5E1B3B9A6B40FE2A
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.........P(..>{..>{..>{?.c{..>{v..{..>{...{..>{f."{..>{e."{..>{F.'{..>{..?{..>{F.~{..>{F."{&.>{...{..>{..5{..>{..^{..>{F.#{..>{F.{{..>

File Icon


Icon Hash:	0f4ecda7ae5d1715

Static PE Info

General

Entrypoint:	0x415dde
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x500F9507 [Wed Jul 25 06:41:11 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	26600adf486f72b556f917a64c8fd23f

Entrypoint Preview

Instruction
push 00000060h
push 0043A478h
call 00007FD5D0B6F503h
mov edi, 00000094h
mov eax, edi
call 00007FD5D0B6DA5Fh
mov dword ptr [ebp-18h], esp
mov esi, esp
mov dword ptr [esi], edi
push esi
call dword ptr [0042F2B4h]
mov ecx, dword ptr [esi+10h]
mov dword ptr [0044B190h], ecx
mov eax, dword ptr [esi+04h]
mov dword ptr [0044B19Ch], eax
mov edx, dword ptr [esi+08h]
mov dword ptr [0044B1A0h], edx
mov esi, dword ptr [esi+0Ch]
and esi, 00007FFFh
mov dword ptr [0044B194h], esi
cmp ecx, 02h
je 00007FD5D0B6E3FEh
or esi, 00008000h
mov dword ptr [0044B194h], esi
shl eax, 08h
add eax, edx
mov dword ptr [0044B198h], eax
xor esi, esi
push esi
mov edi, dword ptr [0042F20Ch]
call edi
cmp word ptr [eax], 5A4Dh
jne 00007FD5D0B6E411h
mov ecx, dword ptr [eax+3Ch]
add ecx, eax
cmp dword ptr [ecx], 00004550h
jne 00007FD5D0B6E404h
movzx eax, word ptr [ecx+18h]
cmp eax, 0000010Bh
je 00007FD5D0B6E411h
cmp eax, 0000020Bh
je 00007FD5D0B6E3F7h
mov dword ptr [ebp-1Ch], esi
jmp 00007FD5D0B6E419h
cmp dword ptr [ecx+00000084h], 0Eh
jbe 00007FD5D0B6E3E4h
xor eax, eax
cmp dword ptr [ecx+000000F8h], esi
jmp 00007FD5D0B6E400h
cmp dword ptr [ecx+74h], 0Eh
jbe 00007FD5D0B6E3D4h
xor eax, eax
cmp dword ptr [ecx+000000E8h], esi
setne al
mov dword ptr [ebp-1Ch], eax

Rich Headers

Programming Language:

[ASM] VS2002 (.NET) build 9466
[ C ] VS2002 (.NET) build 9466
[C++] VS2003 (.NET) build 3077
[C++] VS2002 (.NET) build 9466
[RES] VS2002 (.NET) build 9466
[LNK] VS2002 (.NET) build 9466

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3f924	0x118	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4d000	0x2f5f0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2f000	0x594	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2db32	0x2e000	7868e2f41e5b3ab908ac5a72a66f5953	False	0.6095076851222826	data	6.670624963209676	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x2f000	0x126c6	0x13000	efd458d4cde7206fd4c5482997a30ba9	False	0.4482421875	data	5.736665908168061	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x42000	0xa9f4	0x4000	07b79e131c84ddfb0842641915843ec1	False	0.4459228515625	data	5.072911159589167	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x4d000	0x2f5f0	0x30000	2686df77c23e2ca3144ababd1a5e1501	False	0.2823994954427083	data	4.484521144858898	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
)m&	0x7d000	0xc5000	0xc5000	acab40631ef6f655b384348be6aac2b9	False	0.841724996034264	data	7.775469163423906	IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
JPG	0x4f2b0	0x2b1e6	PC bitmap, Windows 3.x format, 635 x 276 x 8, cbSize 176614, bits offset 1078	Chinese	China	0.27774128891254374
RT_CURSOR	0x7a498	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"	Chinese	China	0.4805194805194805
RT_CURSOR	0x7a5d0	0xb4	Targa image data - Map 32 x 65536 x 1 +16 "\001"	Chinese	China	0.7
RT_CURSOR	0x7a6b0	0x134	AmigaOS bitmap font "(", fc_YSize 4294967264, 5120 elements, 2nd "\377\360?\377\377\370\177\377\377\374\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377", 3rd	Chinese	China	0.36363636363636365
RT_CURSOR	0x7a800	0x134	Targa image data - RLE 64 x 65536 x 1 +32 "\001"	Chinese	China	0.35714285714285715
RT_CURSOR	0x7a950	0x134	data	Chinese	China	0.37337662337662336
RT_CURSOR	0x7aaa0	0x134	data	Chinese	China	0.37662337662337664
RT_CURSOR	0x7abf0	0x134	Targa image data 64 x 65536 x 1 +32 "\001"	Chinese	China	0.36688311688311687
RT_CURSOR	0x7ad40	0x134	Targa image data 64 x 65536 x 1 +32 "\001"	Chinese	China	0.37662337662337664
RT_CURSOR	0x7ae90	0x134	Targa image data - Mono - RLE 64 x 65536 x 1 +32 "\001"	Chinese	China	0.36688311688311687
RT_CURSOR	0x7afe0	0x134	Targa image data - RGB - RLE 64 x 65536 x 1 +32 "\001"	Chinese	China	0.38636363636363635
RT_CURSOR	0x7b130	0x134	data	Chinese	China	0.44155844155844154
RT_CURSOR	0x7b280	0x134	data	Chinese	China	0.4155844155844156
RT_CURSOR	0x7b3d0	0x134	AmigaOS bitmap font "(", fc_YSize 4294966847, 3840 elements, 2nd "\377?\374\377\377\300\003\377\377\300\003\377\377\340\007\377\377\360\017\377\377\370\037\377\377\374?\377\377\376\177\377\377\377\377\377\377\377\377\377\377\377\377\377", 3rd	Chinese	China	0.5422077922077922
RT_CURSOR	0x7b520	0x134	data	Chinese	China	0.2662337662337662
RT_CURSOR	0x7b670	0x134	data	Chinese	China	0.2824675324675325
RT_CURSOR	0x7b7c0	0x134	data	Chinese	China	0.3246753246753247
RT_BITMAP	0x7b9f8	0xb8	Device independent bitmap graphic, 12 x 10 x 4, image size 80	Chinese	China	0.44565217391304346
RT_BITMAP	0x7bab0	0x144	Device independent bitmap graphic, 33 x 11 x 4, image size 220	Chinese	China	0.37962962962962965
RT_ICON	0x4db70	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Chinese	China	0.6042418772563177
RT_ICON	0x4e430	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Chinese	China	0.6042418772563177
RT_DIALOG	0x4ecf0	0x23e	data	Chinese	China	0.5174216027874564
RT_DIALOG	0x4ef30	0x94	data	Chinese	China	0.6959459459459459
RT_DIALOG	0x7b910	0xe2	data	Chinese	China	0.6637168141592921
RT_STRING	0x7bbf8	0x46	data	Chinese	China	0.6857142857142857
RT_STRING	0x7bc40	0x54	data	Chinese	China	0.8571428571428571
RT_STRING	0x7bc98	0x2c	data	Chinese	China	0.5909090909090909
RT_STRING	0x7bcc8	0x74	data	Chinese	China	0.8448275862068966
RT_STRING	0x7bd40	0x1d0	data	Chinese	China	0.8060344827586207
RT_STRING	0x7c088	0x164	data	Chinese	China	0.48314606741573035
RT_STRING	0x7bf50	0x132	data	Chinese	China	0.6405228758169934
RT_STRING	0x7c570	0x50	data	Chinese	China	0.725
RT_STRING	0x7bf10	0x40	data	Chinese	China	0.65625
RT_STRING	0x7c4d8	0x6a	data	Chinese	China	0.7452830188679245
RT_STRING	0x7c1f0	0x1d6	data	Chinese	China	0.6723404255319149
RT_STRING	0x7c3c8	0x110	data	Chinese	China	0.625
RT_STRING	0x7c548	0x24	data	Chinese	China	0.4444444444444444
RT_STRING	0x7c5c0	0x30	data	Chinese	China	0.625
RT_GROUP_CURSOR	0x7a688	0x22	Lotus unknown worksheet or configuration, revision 0x2	Chinese	China	1.0294117647058822
RT_GROUP_CURSOR	0x7ae78	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China	1.3
RT_GROUP_CURSOR	0x7a7e8	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China	1.3
RT_GROUP_CURSOR	0x7ad28	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China	1.3
RT_GROUP_CURSOR	0x7abd8	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China	1.3
RT_GROUP_CURSOR	0x7b508	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China	1.3
RT_GROUP_CURSOR	0x7aa88	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China	1.3
RT_GROUP_CURSOR	0x7b118	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China	1.3
RT_GROUP_CURSOR	0x7a938	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China	1.3
RT_GROUP_CURSOR	0x7afc8	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China	1.3
RT_GROUP_CURSOR	0x7b268	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China	1.3
RT_GROUP_CURSOR	0x7b3b8	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China	1.3
RT_GROUP_CURSOR	0x7b658	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China	1.3
RT_GROUP_CURSOR	0x7b7a8	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China	1.3
RT_GROUP_CURSOR	0x7b8f8	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China	1.3
RT_GROUP_ICON	0x4e418	0x14	data	Chinese	China	1.15
RT_GROUP_ICON	0x4ecd8	0x14	data	Chinese	China	1.25
RT_VERSION	0x4efc8	0x2e8	data	Chinese	China	0.5631720430107527

Imports

DLL	Import
KERNEL32.dll	LockFile, UnlockFile, SetEndOfFile, DuplicateHandle, FindClose, FindFirstFileA, GetFullPathNameA, GetCPInfo, GetOEMCP, FileTimeToSystemTime, SetErrorMode, FileTimeToLocalFileTime, GetFileAttributesA, GetFileTime, GetTickCount, HeapAlloc, HeapFree, RtlUnwind, GetStartupInfoA, GetCommandLineA, RaiseException, GetSystemTimeAsFileTime, ExitProcess, TerminateProcess, HeapReAlloc, HeapSize, FlushFileBuffers, HeapCreate, VirtualFree, VirtualAlloc, IsBadWritePtr, GetStdHandle, UnhandledExceptionFilter, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, SetHandleCount, GetFileType, SetUnhandledExceptionFilter, GetStringTypeA, GetStringTypeW, GetCurrentProcessId, LCMapStringA, LCMapStringW, GetTimeZoneInformation, IsBadReadPtr, IsBadCodePtr, VirtualProtect, GetSystemInfo, VirtualQuery, SetStdHandle, SetEnvironmentVariableA, SetFilePointer, GlobalFlags, WritePrivateProfileStringA, TlsFree, DeleteCriticalSection, LocalReAlloc, TlsSetValue, TlsAlloc, InitializeCriticalSection, TlsGetValue, EnterCriticalSection, GlobalHandle, GlobalReAlloc, LeaveCriticalSection, LocalAlloc, GlobalGetAtomNameA, GlobalFindAtomA, lstrcatA, lstrcmpW, GlobalAddAtomA, GetCurrentThread, GetCurrentThreadId, GlobalDeleteAtom, lstrcmpA, ConvertDefaultLocale, EnumResourceLanguagesA, lstrcpyA, SetLastError, GlobalFree, MulDiv, GlobalAlloc, GlobalLock, GlobalUnlock, GetModuleHandleA, GetProcAddress, FormatMessageA, LocalFree, CopyFileA, GetCurrentDirectoryA, FreeResource, OpenFile, GetCurrentProcess, SetPriorityClass, lstrcpynA, DeviceIoControl, ReadFile, GetFileSize, GetLastError, QueryPerformanceCounter, QueryPerformanceFrequency, GetSystemDirectoryA, CreateFileA, WriteFile, CloseHandle, DeleteFileA, GetModuleFileNameA, LoadLibraryA, FreeLibrary, GetVolumeInformationA, OutputDebugStringA, DebugBreak, InterlockedIncrement, InterlockedDecrement, FindResourceA, LoadResource, LockResource, SizeofResource, lstrlenA, lstrcmpiA, CompareStringW, lstrlenW, CompareStringA, GetVersion, WideCharToMultiByte, MultiByteToWideChar, GetVersionExA, GetThreadLocale, GetLocaleInfoA, GetACP, HeapDestroy, InterlockedExchange
USER32.dll	InvalidateRgn, SetCapture, ReleaseCapture, GetNextDlgGroupItem, MessageBeep, RegisterClipboardFormatA, PostThreadMessageA, GetForegroundWindow, GetTopWindow, UnhookWindowsHookEx, GetMessagePos, MapWindowPoints, SetForegroundWindow, UpdateWindow, GetMenu, GetSysColor, AdjustWindowRectEx, EqualRect, GetClassInfoA, RegisterClassA, UnregisterClassA, GetDlgCtrlID, DefWindowProcA, CallWindowProcA, SetWindowLongA, OffsetRect, IntersectRect, SystemParametersInfoA, GetWindowPlacement, GetWindowRect, CopyRect, PtInRect, GetWindow, SetWindowContextHelpId, MapDialogRect, SetWindowPos, GetDesktopWindow, SetActiveWindow, EndPaint, DestroyWindow, IsWindow, InvalidateRect, GetNextDlgTabItem, EndDialog, SetMenuItemBitmaps, GetFocus, ModifyMenuA, EnableMenuItem, CheckMenuItem, GetMenuCheckMarkDimensions, LoadBitmapA, SetWindowsHookExA, CallNextHookEx, GetMessageA, TranslateMessage, DispatchMessageA, GetActiveWindow, IsWindowVisible, GetKeyState, PeekMessageA, GetCursorPos, ValidateRect, GetParent, GetWindowLongA, GetLastActivePopup, IsWindowEnabled, SetCursor, PostMessageA, PostQuitMessage, wsprintfA, GetMenuState, GetMenuItemID, GetMenuItemCount, CharLowerA, CharUpperA, BeginPaint, GetWindowDC, ReleaseDC, GetDC, ClientToScreen, GetSubMenu, MessageBoxA, CharNextA, wvsprintfA, GetSystemMetrics, LoadIconA, EnableWindow, GetClientRect, IsIconic, GetSystemMenu, SendMessageA, AppendMenuA, CopyAcceleratorTableA, SetRect, IsRectEmpty, DrawIcon, LoadCursorA, GetDlgItem, GetSysColorBrush, GrayStringA, DrawTextExA, DrawTextA, TabbedTextOutA, DestroyMenu, ShowWindow, MoveWindow, SetWindowTextA, IsDialogMessageA, RegisterWindowMessageA, WinHelpA, GetCapture, CreateWindowExA, GetClassLongA, GetClassInfoExA, GetClassNameA, SetPropA, GetPropA, RemovePropA, SendDlgItemMessageA, SetFocus, IsChild, GetWindowTextLengthA, CreateDialogIndirectParamA, GetWindowTextA, GetMessageTime
GDI32.dll	SetMapMode, DeleteObject, GetViewportExtEx, GetWindowExtEx, PtVisible, RectVisible, TextOutA, Escape, SelectObject, SetViewportOrgEx, OffsetViewportOrgEx, SetViewportExtEx, ScaleViewportExtEx, SetWindowExtEx, ScaleWindowExtEx, ExtSelectClipRgn, DeleteDC, GetStockObject, GetBkColor, GetTextColor, CreateRectRgnIndirect, GetRgnBox, GetMapMode, RestoreDC, SaveDC, ExtTextOutA, GetObjectA, SetBkColor, SetTextColor, GetClipBox, CreateBitmap, GetDeviceCaps
comdlg32.dll	GetFileTitleA
WINSPOOL.DRV	ClosePrinter, DocumentPropertiesA, OpenPrinterA
ADVAPI32.dll	RegEnumKeyA, RegSetValueExA, RegCreateKeyExA, RegQueryValueA, RegCloseKey, RegDeleteKeyA, RegOpenKeyExA, RegQueryValueExA, RegOpenKeyA
COMCTL32.dll
SHLWAPI.dll	PathFindExtensionA, PathFindFileNameA, PathStripToRootA, PathIsUNCA
oledlg.dll
ole32.dll	CreateILockBytesOnHGlobal, StgCreateDocfileOnILockBytes, StgOpenStorageOnILockBytes, CoGetClassObject, CLSIDFromString, CLSIDFromProgID, CoTaskMemAlloc, OleInitialize, OleUninitialize, CoTaskMemFree, CoCreateInstance, CoSetProxyBlanket, CoInitialize, CoUninitialize, CoRevokeClassObject, OleIsCurrentClipboard, OleFlushClipboard, CoFreeUnusedLibraries, CoRegisterMessageFilter
OLEAUT32.dll	VariantInit, SysAllocStringLen, VariantClear, VariantChangeType, SysStringLen, SysAllocStringByteLen, OleCreateFontIndirect, SystemTimeToVariantTime, SafeArrayDestroy, VariantCopy, SysAllocString, SysFreeString
iphlpapi.dll	GetAdaptersInfo
OLEACC.dll	LresultFromObject, CreateStdAccessibleObject

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	China

Target ID:	0
Start time:	00:18:52
Start date:	05/05/2024
Path:	C:\Users\user\Desktop\app.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\app.exe"
Imagebase:	0x400000
File size:	1'290'240 bytes
MD5 hash:	75B9EF9142A78671D449C8D22AB6BE14
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	00:18:52
Start date:	05/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	1.6%
Dynamic/Decrypted Code Coverage:	88.3%
Signature Coverage:	57%
Total number of Nodes:	1329
Total number of Limit Nodes:	29

Executed Functions

Function 023F3ABA Relevance: 82.5, APIs: 43, Strings: 11, Instructions: 1522memoryCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?), ref: 023F632F

Part of subcall function 024496A2: CoInitializeEx.OLE32 ref: 024496B8
Part of subcall function 024496A2: CoInitializeSecurity.OLE32 ref: 024496E4

HeapFree.KERNEL32(00000000,?), ref: 023F552A

Part of subcall function 023FA578: __aulldiv.LIBCMT ref: 023FA5CC

Part of subcall function 023EA020: GetCommandLineW.KERNEL32 ref: 023EA05D

HeapFree.KERNEL32(00000000,?), ref: 023F400C
HeapFree.KERNEL32(00000000,?), ref: 023F41A8

Strings

\index.crates.io-1cd66030c949c28d\base64-0.21.7\src\engine\general_purpose\decode.rs, xrefs: 023F41BF
nown, xrefs: 023F4E88
ptth, xrefs: 023F4505
a Display implementation returned an error unexpectedly, xrefs: 023F53F7, 023F62F4
rc\unicode\printable.rs, xrefs: 023F4031
called `Result::unwrap()` on an `Err` value, xrefs: 023F5425
hrzbaov, xrefs: 023F3AD7
Invalid, xrefs: 023F4BB6
`async fn` resumed after completion, xrefs: 023F5447, 023F545B, 023F546F
, xrefs: 023F515A
ptth, xrefs: 023F4464

Memory Dump Source

Source File: 00000000.00000002.2022153806.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23d0000_app.jbxd

Similarity

API ID: FreeHeap$Initialize$CloseCommandHandleLineSecurity__aulldiv
String ID: $Invalid$\index.crates.io-1cd66030c949c28d\base64-0.21.7\src\engine\general_purpose\decode.rs$`async fn` resumed after completion$a Display implementation returned an error unexpectedly$called `Result::unwrap()` on an `Err` value$hrzbaov$nown$ptth$ptth$rc\unicode\printable.rs
API String ID: 3225680405-759402994
Opcode ID: cf2f79979e9b9cab2d05666031ac4f76e71be918ff1f122560c9220efa4a443f
Instruction ID: 5ccf36ee9879d1d69d0f3cdc23ba12a6c1b0175bec0b198076be9a65e752ce1a
Opcode Fuzzy Hash: cf2f79979e9b9cab2d05666031ac4f76e71be918ff1f122560c9220efa4a443f
Instruction Fuzzy Hash: 57F2A030A04781DFD765CF24D444B9AFBE1FF99304F108A1EEA999B261DB70A855CF82

Uniqueness

Uniqueness Score: -1.00%

Function 02401E40 Relevance: 61.5, APIs: 20, Strings: 13, Instructions: 3740memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0243D430: GetProcessHeap.KERNEL32(00000000,?,0245FBF2,?,?,0242AA2A,?,?,?,?,0242A70C,?,?,?,023E161A,0244D2B0), ref: 0243D43F
Part of subcall function 0243D430: RtlAllocateHeap.NTDLL(007F0000,00000000,00000014,00000000,?,0245FBF2,?,?,0242AA2A,?,?,?,?,0242A70C,?,?), ref: 0243D451

HeapFree.KERNEL32(00000000,?), ref: 02401FCF
GetSystemInfo.KERNEL32(?), ref: 0240200A
HeapReAlloc.KERNEL32(00000000,?,00000000), ref: 024022D4
HeapFree.KERNEL32(00000000,00000001), ref: 02404FE3

Part of subcall function 02431BB0: QueryPerformanceCounter.KERNEL32(?), ref: 02431BF7
Part of subcall function 02431BB0: QueryPerformanceFrequency.KERNEL32(00000000), ref: 02431C38
Part of subcall function 02431BB0: __aulldiv.LIBCMT ref: 02431C71
Part of subcall function 02431BB0: __aulldiv.LIBCMT ref: 02431CAC
Part of subcall function 02431BB0: __aulldiv.LIBCMT ref: 02431CD7

Part of subcall function 0244632B: AcquireSRWLockExclusive.KERNEL32(?,00000001,00000000,?,?,02448053,00000000,024817FC,?,?,?,?,?,?,?,?), ref: 02446335

HeapReAlloc.KERNEL32(00000000,?,00000001), ref: 024024D1
HeapFree.KERNEL32(00000000,?), ref: 024024EE
HeapFree.KERNEL32(00000000,?), ref: 02403146
HeapFree.KERNEL32(00000000,?), ref: 0240559D
HeapFree.KERNEL32(00000000,?), ref: 024055AE

Strings

Failed to `Enter::block_on`, xrefs: 024050D6
Failed building the Runtime, xrefs: 024051BA
thread name may not contain interior null bytes, xrefs: 02405224
Invalid, xrefs: 02404DE9, 02405039, 02405065, 024051F2, 02405275, 024052C3, 0240540B, 02405437, 024054A5, 024054D1, 024054FD
cannot access a Thread Local Storage value during or after destruction/rustc/25ef9e3d85d934b27d9dada2f9dd52b1dc63bb04\library\std\src\thread\local.rs, xrefs: 02405476, 0240551C
assertion failed: prev.ref_count() >= 1, xrefs: 02405092
failed to park thread, xrefs: 02405297
attempt to calculate the remainder with a divisor of zero/rustc/25ef9e3d85d934b27d9dada2f9dd52b1dc63bb04\library\core\src\slice\sort.rs, xrefs: 02404E83
TOKIO_WORKER_THREADS/registry\src\index.crates.io-1cd66030c949c28d\tokio-1.37.0\src\loom\std\mod.rs" cannot be set to 0, xrefs: 02401F5D
RUST_MIN_STACKfatal runtime error: assertion failed: thread_info.stack_guard.get().is_none() && thread_info.thread.get().is_none(), xrefs: 02402BEE
assertion failed: shared.shutdown_tx.is_some()/registry\src\index.crates.io-1cd66030c949c28d\tokio-1.37.0\src\runtime\blocking\pool.rs, xrefs: 024050F6
driver missing, xrefs: 02405553
assertion failed: self.tail.is_none(), xrefs: 0240514B

Memory Dump Source

Source File: 00000000.00000002.2022153806.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23d0000_app.jbxd

Similarity

API ID: Heap$Free$__aulldiv$AllocPerformanceQuery$AcquireAllocateCounterExclusiveFrequencyInfoLockProcessSystem
String ID: Failed building the Runtime$Failed to `Enter::block_on`$Invalid$RUST_MIN_STACKfatal runtime error: assertion failed: thread_info.stack_guard.get().is_none() && thread_info.thread.get().is_none()$TOKIO_WORKER_THREADS/registry\src\index.crates.io-1cd66030c949c28d\tokio-1.37.0\src\loom\std\mod.rs" cannot be set to 0$assertion failed: prev.ref_count() >= 1$assertion failed: self.tail.is_none()$assertion failed: shared.shutdown_tx.is_some()/registry\src\index.crates.io-1cd66030c949c28d\tokio-1.37.0\src\runtime\blocking\pool.rs$attempt to calculate the remainder with a divisor of zero/rustc/25ef9e3d85d934b27d9dada2f9dd52b1dc63bb04\library\core\src\slice\sort.rs$cannot access a Thread Local Storage value during or after destruction/rustc/25ef9e3d85d934b27d9dada2f9dd52b1dc63bb04\library\std\src\thread\local.rs$driver missing$failed to park thread$thread name may not contain interior null bytes
API String ID: 178985148-2573687003
Opcode ID: 597bf64f179f4f59bef4da3f5b4d78a56e40232bfb71557a13db063dd98fac6b
Instruction ID: 672f966ab2438a14669b6e1de55d9b164a3a5f4a0b567f8f1ccfa02299a700fd
Opcode Fuzzy Hash: 597bf64f179f4f59bef4da3f5b4d78a56e40232bfb71557a13db063dd98fac6b
Instruction Fuzzy Hash: 9A731A74600B018FD725DF29C494BA7BBE2BF88304F14896ED99A8B791DB71B885CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0240AA16 Relevance: 50.2, APIs: 26, Strings: 2, Instructions: 1215memorywindowCOMMON

Download Yara Rule

APIs

Part of subcall function 02449760: CoCreateInstance.OLE32(024837A4,00000000,00000001,02483788,?,?,0240AA3A,0000000A), ref: 02449781
Part of subcall function 02449760: SysFreeString.OLEAUT32(00000000), ref: 024497EC
Part of subcall function 02449760: CoSetProxyBlanket.OLE32 ref: 0244981A

HeapFree.KERNEL32(00000000,?), ref: 0240B3D3
HeapFree.KERNEL32(00000000,?), ref: 0240B3EC
HeapFree.KERNEL32(00000000,?), ref: 0240B405
HeapFree.KERNEL32(00000000), ref: 0240B436
HeapFree.KERNEL32(00000000,00000004), ref: 0240B486
HeapFree.KERNEL32(00000000,?), ref: 0240B4A6
HeapFree.KERNEL32(00000000,?), ref: 0240B4BF
GetModuleHandleW.KERNEL32(?), ref: 0240B660
HeapFree.KERNEL32(00000000,?), ref: 0240B678
HeapFree.KERNEL32(00000000,?), ref: 0240B68D

Part of subcall function 023E26A3: HeapFree.KERNEL32(00000000,?), ref: 023E2714
Part of subcall function 023E26A3: HeapFree.KERNEL32(00000000,?), ref: 023E275E

HeapFree.KERNEL32(00000000,?), ref: 0240B6B2
HeapFree.KERNEL32(00000000,?), ref: 0240B6D0
HeapFree.KERNEL32(00000000), ref: 0240B733
HeapFree.KERNEL32(00000000,00000004), ref: 0240B764
HeapFree.KERNEL32(00000000,?), ref: 0240B77D
HeapFree.KERNEL32(00000000,?), ref: 0240B796
__aulldiv.LIBCMT ref: 0240B845
__aullrem.LIBCMT ref: 0240B8BA
HeapFree.KERNEL32(00000000,?,?,?,00000006,00000000,?,019DB1DE,00989680,00000000,?), ref: 0240B939
MessageBoxW.USER32(00000000,02430AB0,023ECDE7,00000011), ref: 0240BA3F
HeapFree.KERNEL32(00000000,023ECDE7,?,?,00000006,00000000,?,019DB1DE,00989680,00000000,?), ref: 0240BA56
HeapFree.KERNEL32(00000000,?,?,?,00000006,00000000,?,019DB1DE,00989680,00000000,?), ref: 0240BA6F
HeapFree.KERNEL32(00000000,?,?,?,00000006,00000000,?,019DB1DE,00989680,00000000,?), ref: 0240BA9A
HeapFree.KERNEL32(00000000,?,?,?,00000006,00000000,?,019DB1DE,00989680,00000000,?), ref: 0240BAB3
HeapFree.KERNEL32(00000000,?), ref: 0240BCB0
HeapFree.KERNEL32(00000000,?), ref: 0240BCCA

Strings

hrono-0.4.38\src\format\mod.rs, xrefs: 0240B11A
ROOT\CIMV2, xrefs: 0240AA2E

Memory Dump Source

Source File: 00000000.00000002.2022153806.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23d0000_app.jbxd

Similarity

API ID: Free$Heap$BlanketCreateHandleInstanceMessageModuleProxyString__aulldiv__aullrem
String ID: ROOT\CIMV2$hrono-0.4.38\src\format\mod.rs
API String ID: 773367832-823739010
Opcode ID: 5f62da0b5a4cc58079a6d3eca29c8f2d047f21a7587c1a379ec983bca2b5d3fb
Instruction ID: 4c23e2a1688a5247803a4ec432a015456d2d706afd7add5a6ba7e1f7554bea37
Opcode Fuzzy Hash: 5f62da0b5a4cc58079a6d3eca29c8f2d047f21a7587c1a379ec983bca2b5d3fb
Instruction Fuzzy Hash: C8C27E71A083519FD725DF18C484B9AB7E2FFC8304F05892EE98997390DB70A985CF86

Uniqueness

Uniqueness Score: -1.00%

Function 0240BD08 Relevance: 35.7, APIs: 11, Strings: 7, Instructions: 4163memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 02449760: CoCreateInstance.OLE32(024837A4,00000000,00000001,02483788,?,?,0240AA3A,0000000A), ref: 02449781
Part of subcall function 02449760: SysFreeString.OLEAUT32(00000000), ref: 024497EC
Part of subcall function 02449760: CoSetProxyBlanket.OLE32 ref: 0244981A

Part of subcall function 0243D430: GetProcessHeap.KERNEL32(00000000,?,0245FBF2,?,?,0242AA2A,?,?,?,?,0242A70C,?,?,?,023E161A,0244D2B0), ref: 0243D43F
Part of subcall function 0243D430: RtlAllocateHeap.NTDLL(007F0000,00000000,00000014,00000000,?,0245FBF2,?,?,0242AA2A,?,?,?,?,0242A70C,?,?), ref: 0243D451

SysFreeString.OLEAUT32(00000000), ref: 0240C457
SysFreeString.OLEAUT32(00000000), ref: 0240C474
SysFreeString.OLEAUT32(00000000), ref: 0240C492
HeapFree.KERNEL32(00000000,?), ref: 0240C4AE
HeapFree.KERNEL32(00000000,?), ref: 0240C69F
HeapFree.KERNEL32(00000000,?), ref: 0240C908
HeapFree.KERNEL32(00000000,?), ref: 0240C933
HeapFree.KERNEL32(00000000,?), ref: 0241015C

Part of subcall function 023F1BFE: HeapFree.KERNEL32(00000000,?,?,?,00000000,?,023F1E0B), ref: 023F1C2B

Part of subcall function 0243C4E0: AcquireSRWLockExclusive.KERNEL32(02490B74), ref: 0243C566
Part of subcall function 0243C4E0: ReleaseSRWLockExclusive.KERNEL32(02490B74), ref: 0243C63D

HeapFree.KERNEL32(00000000,?), ref: 024100A2
HeapFree.KERNEL32(00000000,?), ref: 024100E2
HeapFree.KERNEL32(00000000,?), ref: 02410182

Strings

wr%, xrefs: 0240ECF8
66030c949c28d\base64-0.21.7\src\encode.rs, xrefs: 0240E8C4
WQL, xrefs: 0240C3F5
sing field `, xrefs: 0240E7AF
d to index str up to maximum usize, xrefs: 0240E9EA
called `Result::unwrap()` on an `Err` value, xrefs: 024101CC
ROOT\CIMV2, xrefs: 0240BD20

Memory Dump Source

Source File: 00000000.00000002.2022153806.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23d0000_app.jbxd

Similarity

API ID: Free$Heap$String$ExclusiveLock$AcquireAllocateBlanketCreateInstanceProcessProxyRelease
String ID: 66030c949c28d\base64-0.21.7\src\encode.rs$ROOT\CIMV2$WQL$called `Result::unwrap()` on an `Err` value$d to index str up to maximum usize$sing field `$wr%
API String ID: 3721730025-2485361945
Opcode ID: eedf47f81a16766c857456b2bc0cd9bd6abe784c370c446df950d435adf51dec
Instruction ID: a685820d199bf98065a5d223faa4016567995c3a44db63d8e712c3b03afba78c
Opcode Fuzzy Hash: eedf47f81a16766c857456b2bc0cd9bd6abe784c370c446df950d435adf51dec
Instruction Fuzzy Hash: EFA32C749087818BD325DF28C480AAAF7F1FFD9304F158A5EDAC947361DB359986CB82

Uniqueness

Uniqueness Score: -1.00%

Function 0242E5F7 Relevance: 23.1, APIs: 9, Strings: 4, Instructions: 345
memorylibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapReAlloc.KERNEL32(00000000,?,00000000), ref: 0242E914
HeapFree.KERNEL32(00000000,?), ref: 0242E95B
CreateMutexW.KERNEL32(00000000,00000000,?), ref: 0242E96B
GetLastError.KERNEL32(00000000,00000000,?), ref: 0242E972
HeapFree.KERNEL32(00000000,?), ref: 0242E9D1

Part of subcall function 0243D430: GetProcessHeap.KERNEL32(00000000,?,0245FBF2,?,?,0242AA2A,?,?,?,?,0242A70C,?,?,?,023E161A,0244D2B0), ref: 0243D43F
Part of subcall function 0243D430: RtlAllocateHeap.NTDLL(007F0000,00000000,00000014,00000000,?,0245FBF2,?,?,0242AA2A,?,?,?,?,0242A70C,?,?), ref: 0243D451

CloseHandle.KERNEL32(00000000), ref: 0242E998
GetModuleHandleA.KERNEL32(api-ms-win-core-synch-l1-2-0,00000000,00000002), ref: 0242E9F7
GetProcAddress.KERNEL32(00000000,WaitOnAddress), ref: 0242EA09
GetProcAddress.KERNEL32(00000000,WakeByAddressSingle), ref: 0242EA1B

Strings

WaitOnAddress, xrefs: 0242EA03
WakeByAddressSingle, xrefs: 0242EA15
api-ms-win-core-synch-l1-2-0, xrefs: 0242E9F2
VUUU, xrefs: 0242E6B5

Memory Dump Source

Source File: 00000000.00000002.2022153806.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23d0000_app.jbxd

Similarity

API ID: Heap$AddressFreeHandleProc$AllocAllocateCloseCreateErrorLastModuleMutexProcess
String ID: VUUU$WaitOnAddress$WakeByAddressSingle$api-ms-win-core-synch-l1-2-0
API String ID: 4042372245-3834393415
Opcode ID: 9c5037684733e14ddebf7a4889dda5e362516e5d721fc19d3532283e15edc99a
Instruction ID: d17800698ce51b2ced6a43e3a85813f64415c56e5f2109b28cc693192e02a213
Opcode Fuzzy Hash: 9c5037684733e14ddebf7a4889dda5e362516e5d721fc19d3532283e15edc99a
Instruction Fuzzy Hash: 2CC1B272E083219FD718DF1AC44472ABBE1AF84704F55892FE99997391E770E84ACB81

Uniqueness

Uniqueness Score: -1.00%

Function 0042C59F Relevance: 19.6, APIs: 4, Strings: 7, Instructions: 331
memorylibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,000C4E00,00003000,00000004), ref: 0042C6C3
VirtualAlloc.KERNELBASE(00000000,?,00003000,?,0000001B), ref: 0042C73A
LoadLibraryA.KERNELBASE(?), ref: 0042C8B1
GetProcAddress.KERNELBASE(?,-00000002), ref: 0042C8E1

Strings

O, xrefs: 0042C64D
M4U5, xrefs: 0042C60C
9+Di, xrefs: 0042C613
s<O?(Su(, xrefs: 0042C70B
6, xrefs: 0042C626
pfx8, xrefs: 0042C605
Gs, xrefs: 0042C61A

Memory Dump Source

Source File: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: AllocVirtual$AddressLibraryLoadProc
String ID: 6$9+Di$Gs$M4U5$O$pfx8$s<O?(Su(
API String ID: 2938105391-2690861754
Opcode ID: 916608cc3e3ec2ceff47aa40f93238c1188128ce52c19099b677353d2d13b359
Instruction ID: d8249402ebe6bdfeba434c09cdb94f051b8725f3fd3e4fd9d669bd8fa7343339
Opcode Fuzzy Hash: 916608cc3e3ec2ceff47aa40f93238c1188128ce52c19099b677353d2d13b359
Instruction Fuzzy Hash: B3D16B71F012699FDB24CFA8D9807ADBBB1FF49700F6480AAD845EB341E7749941CB58

Uniqueness

Uniqueness Score: -1.00%

Function 024302D0 Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 272
filenativesynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32 ref: 02430307
GetLastError.KERNEL32 ref: 02430316
GetConsoleMode.KERNEL32(00000000,?), ref: 02430354
NtWriteFile.NTDLL ref: 024303DF
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 024303EF
RtlNtStatusToDosError.NTDLL ref: 02430472
CloseHandle.KERNEL32(00000000), ref: 0243067A

Strings

called `Result::unwrap()` on an `Err` value, xrefs: 02430634
Invalid, xrefs: 0243059B

Memory Dump Source

Source File: 00000000.00000002.2022153806.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23d0000_app.jbxd

Similarity

API ID: ErrorHandle$CloseConsoleFileLastModeObjectSingleStatusWaitWrite
String ID: Invalid$called `Result::unwrap()` on an `Err` value
API String ID: 3090192319-3400594596
Opcode ID: 21b6ac57a7dbe0b56643a6bd830121a939c2d500312978c2ecb83a7ce9d4a563
Instruction ID: 531e1d395e7ef60b7bb8dcf5170edd62ffaab09686ed660d24e7fe0d21a11b39
Opcode Fuzzy Hash: 21b6ac57a7dbe0b56643a6bd830121a939c2d500312978c2ecb83a7ce9d4a563
Instruction Fuzzy Hash: 0AB101B0D04248DFDB11CFA4C8847EEBFB5AF48714F14951AE492AB381D7749989CF61

Uniqueness

Uniqueness Score: -1.00%

Function 023F01BB Relevance: 14.9, APIs: 6, Strings: 2, Instructions: 879memoryCOMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 023F03CE
HeapFree.KERNEL32(00000000,?), ref: 023F0CBB

Part of subcall function 024404D0: TlsGetValue.KERNEL32(00000000), ref: 024404E9
Part of subcall function 024404D0: TlsGetValue.KERNEL32(00000000), ref: 02440510
Part of subcall function 024404D0: TlsSetValue.KERNEL32(00000000,00000000), ref: 0244055E
Part of subcall function 024404D0: BCryptGenRandom.BCRYPT(00000000,?,00000010,00000002), ref: 02440574

Part of subcall function 02448E9F: GetProcessHeap.KERNEL32(?,Invalid,?,02448DD0,?,?,?,?,023F0204,?,000000FF,00000001,?,?), ref: 02448EAD
Part of subcall function 02448E9F: HeapAlloc.KERNEL32(00000000,00000000,?,?,Invalid,?,02448DD0,?,?,?,?,023F0204,?,000000FF,00000001,?), ref: 02448EB7

HeapFree.KERNEL32(00000000,?), ref: 023F0F29
HeapFree.KERNEL32(00000000,?), ref: 023F0F6F

Strings

called `Result::unwrap()` on an `Err` value, xrefs: 023F1053
cannot access a Thread Local Storage value during or after destruction/rustc/25ef9e3d85d934b27d9dada2f9dd52b1dc63bb04\library\std\src\thread\local.rs, xrefs: 023F1069

Memory Dump Source

Source File: 00000000.00000002.2022153806.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23d0000_app.jbxd

Similarity

API ID: Heap$FreeValue$AllocArrayCryptDestroyProcessRandomSafe
String ID: called `Result::unwrap()` on an `Err` value$cannot access a Thread Local Storage value during or after destruction/rustc/25ef9e3d85d934b27d9dada2f9dd52b1dc63bb04\library\std\src\thread\local.rs
API String ID: 3513538077-3781368868
Opcode ID: dacc8e7bcc022349212659c266941f6c97fb58fce3ca4c184982a167013b3d38
Instruction ID: f98c6cdfd73a494c5d8cb042abbac962d237f89de67063183bbe92b2769a1aa5
Opcode Fuzzy Hash: dacc8e7bcc022349212659c266941f6c97fb58fce3ca4c184982a167013b3d38
Instruction Fuzzy Hash: 8B8247B1A083818FD364CF29D480B9AFBE1BFC9300F14896EE99997356E770D945CB52

Uniqueness

Uniqueness Score: -1.00%

Function 023DEAC0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 177
memorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAddVectoredExceptionHandler.NTDLL(00000000,0242EC80), ref: 023DEAF4
SetThreadStackGuarantee.KERNELBASE(00005000), ref: 023DEB0D
GetLastError.KERNEL32 ref: 023DEB17
HeapFree.KERNEL32(00000000,?), ref: 023DED40
HeapFree.KERNEL32(00000000,?), ref: 023DED66

Part of subcall function 0242F1B0: HeapFree.KERNEL32(00000000,00000000), ref: 0242F223
Part of subcall function 0242F1B0: HeapFree.KERNEL32(00000000,?), ref: 0242F232

Strings

Invalid, xrefs: 023DECB1, 023DECFB
main, xrefs: 023DEB2D

Memory Dump Source

Source File: 00000000.00000002.2022153806.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23d0000_app.jbxd

Similarity

API ID: FreeHeap$ErrorExceptionGuaranteeHandlerLastStackThreadVectored
String ID: Invalid$main
API String ID: 679289583-3302030394
Opcode ID: 95b645fe399edcd7b986a1d2de9c75681708f5afaf42de3854f787d6fd2f7fac
Instruction ID: 1c9dfee96a74237bee5aefd74bda5476110ef01b05daf616160ddf98e124a72a
Opcode Fuzzy Hash: 95b645fe399edcd7b986a1d2de9c75681708f5afaf42de3854f787d6fd2f7fac
Instruction Fuzzy Hash: 9D7143B1E002589FEB14DFE5E8887EEBFB5BF40318F14052AE815AB280DBB55548CF91

Uniqueness

Uniqueness Score: -1.00%

Function 024404D0 Relevance: 10.6, APIs: 7, Instructions: 142
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TlsGetValue.KERNEL32(00000000), ref: 024404E9
TlsGetValue.KERNEL32(00000000), ref: 02440510
TlsSetValue.KERNEL32(00000000,00000000), ref: 0244055E
BCryptGenRandom.BCRYPT(00000000,?,00000010,00000002), ref: 02440574

Part of subcall function 02460970: InitOnceBeginInitialize.KERNEL32(0249005C,00000000,00000000,00000000), ref: 02460993
Part of subcall function 02460970: TlsAlloc.KERNEL32 ref: 024609A8
Part of subcall function 02460970: InitOnceComplete.KERNEL32(0249005C,00000000,00000000), ref: 024609D9

Part of subcall function 0243CE20: SystemFunction036.ADVAPI32(?,00000010), ref: 0243CE64

Part of subcall function 02460970: TlsAlloc.KERNEL32 ref: 024609E1
Part of subcall function 02460970: InitOnceComplete.KERNEL32(0249005C,00000004,00000000), ref: 02460A30

TlsSetValue.KERNEL32(00000000,00000001), ref: 0244064A
HeapFree.KERNEL32(00000000,?), ref: 02440659
TlsSetValue.KERNEL32(00000000,00000000), ref: 0244067D

Memory Dump Source

Source File: 00000000.00000002.2022153806.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23d0000_app.jbxd

Similarity

API ID: Value$InitOnce$AllocComplete$BeginCryptFreeFunction036HeapInitializeRandomSystem
String ID:
API String ID: 3346809877-0
Opcode ID: 2fdce0655c0e9760fb35475aed2ff1df7f635b5ff00cfd354d74270f8378956e
Instruction ID: 19f315f0915d1ebc692f250c91e92343cd527c25b3ab6917138dda2356f96c8e
Opcode Fuzzy Hash: 2fdce0655c0e9760fb35475aed2ff1df7f635b5ff00cfd354d74270f8378956e
Instruction Fuzzy Hash: 0541E431A00205DBEB18DF65D808B6BBBA5FF44314F00591AEA55A7280DB70E9A0CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00415DDE Relevance: 10.6, APIs: 7, Instructions: 132
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExA.KERNEL32(?,0043A478,00000060), ref: 00415DFE
GetModuleHandleA.KERNEL32(00000000,?,0043A478,00000060), ref: 00415E51
_fast_error_exit.LIBCMT ref: 00415EB3
_fast_error_exit.LIBCMT ref: 00415EC4
GetCommandLineA.KERNEL32(?,0043A478,00000060), ref: 00415EE3
GetStartupInfoA.KERNEL32(?), ref: 00415F34
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00415F57

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: HandleModule_fast_error_exit$CommandInfoLineStartupVersion
String ID:
API String ID: 295806912-0
Opcode ID: 7580fc86ef3703e129c93f81ffe4cb78bab1cb0c9785aa81ad774adae03db122
Instruction ID: 4de3da79c62a0b75e44d7bd2c56d04160538a993b3b658ad46e0b3fd54b52aaf
Opcode Fuzzy Hash: 7580fc86ef3703e129c93f81ffe4cb78bab1cb0c9785aa81ad774adae03db122
Instruction Fuzzy Hash: 8D417D71D00B14CADB20AB76A8466EE37B1AF85714F24443FE5589A291DB3C89C2CB9D

Uniqueness

Uniqueness Score: -1.00%

Function 024491D2 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 235
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysAllocStringLen.OLEAUT32(?,?), ref: 02449413
SysStringLen.OLEAUT32(00000000), ref: 02449420
SysFreeString.OLEAUT32(00000000), ref: 02449439
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,023F1C5A), ref: 02449450

Strings

called `Result::unwrap()` on an `Err` value, xrefs: 02449487

Memory Dump Source

Source File: 00000000.00000002.2022153806.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23d0000_app.jbxd

Similarity

API ID: String$Free$AllocHeap
String ID: called `Result::unwrap()` on an `Err` value
API String ID: 1317130057-2333694755
Opcode ID: b18bdf5f5548581ba5e022e45201484b6cceb910e5822841528cb087eeaba1a3
Instruction ID: f3dc69ea84619a28cff7185f685d21062ff6dcd42a1b838eb7fefd34894b283c
Opcode Fuzzy Hash: b18bdf5f5548581ba5e022e45201484b6cceb910e5822841528cb087eeaba1a3
Instruction Fuzzy Hash: 57714B73E087545BE3188E59C89063BBBD2ABC5348F0A853FE89A8B381DE70DC06D741

Uniqueness

Uniqueness Score: -1.00%

Function 024404C0 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(00000000), ref: 024404E9
TlsGetValue.KERNEL32(00000000), ref: 02440510
TlsSetValue.KERNEL32(00000000,00000000), ref: 0244055E
BCryptGenRandom.BCRYPT(00000000,?,00000010,00000002), ref: 02440574

Memory Dump Source

Source File: 00000000.00000002.2022153806.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23d0000_app.jbxd

Similarity

API ID: Value$CryptRandom
String ID:
API String ID: 658332386-0
Opcode ID: ac3144caca293ccef4845c484dc6e76176d86bf7ee383b8958fb5a780b395254
Instruction ID: e7e69a6f5673e6b5a4dedd8aee9166bc457a07d9669742f278a8eaa3f25b1c9d
Opcode Fuzzy Hash: ac3144caca293ccef4845c484dc6e76176d86bf7ee383b8958fb5a780b395254
Instruction Fuzzy Hash: F1219030B506049BF728DB399809B6777E8EF05348F446915EE58DB290EB70E9B0CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0243D430 Relevance: 3.0, APIs: 2, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,?,0245FBF2,?,?,0242AA2A,?,?,?,?,0242A70C,?,?,?,023E161A,0244D2B0), ref: 0243D43F
RtlAllocateHeap.NTDLL(007F0000,00000000,00000014,00000000,?,0245FBF2,?,?,0242AA2A,?,?,?,?,0242A70C,?,?), ref: 0243D451

Memory Dump Source

Source File: 00000000.00000002.2022153806.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23d0000_app.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: a80cc2b5be382724021e7c8cd2cb3170cc9f113f9f259504f89ad099ec23534b
Instruction ID: 16873b8c320c5b991cdb268ac0a08a6704de2b5bc18eacdf01973a4900d2e471
Opcode Fuzzy Hash: a80cc2b5be382724021e7c8cd2cb3170cc9f113f9f259504f89ad099ec23534b
Instruction Fuzzy Hash: 02D05B31F44111E7476D4A79BC0CD932AACEBE92753040836E805C2204EB60D451C7B1

Uniqueness

Uniqueness Score: -1.00%

Function 02441862 Relevance: 1.6, Strings: 1, Instructions: 320COMMON

Download Yara Rule

Strings

cannot access a Thread Local Storage value during or after destruction/rustc/25ef9e3d85d934b27d9dada2f9dd52b1dc63bb04\library\std\src\thread\local.rs, xrefs: 02441B26

Memory Dump Source

Source File: 00000000.00000002.2022153806.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23d0000_app.jbxd

Similarity

API ID: Value$CryptRandom
String ID: cannot access a Thread Local Storage value during or after destruction/rustc/25ef9e3d85d934b27d9dada2f9dd52b1dc63bb04\library\std\src\thread\local.rs
API String ID: 658332386-682668089
Opcode ID: dbaa85bbc87b9d4447b04d3eea70b567c1544c4928a7c0e888748a5b8c602f53
Instruction ID: 657c4e54eae9d5a3994723bd085a5523847d60748ffccb736a020f2dfc178180
Opcode Fuzzy Hash: dbaa85bbc87b9d4447b04d3eea70b567c1544c4928a7c0e888748a5b8c602f53
Instruction Fuzzy Hash: 86D14A71A087109FD358DF69C88035BF7E2EBC8310F1AC93EE99AD7251DA74E8459B81

Uniqueness

Uniqueness Score: -1.00%

Function 0042C5FF Relevance: 19.6, APIs: 4, Strings: 7, Instructions: 311
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,000C4E00,00003000,00000004), ref: 0042C6C3
VirtualAlloc.KERNELBASE(00000000,?,00003000,?,0000001B), ref: 0042C73A

Strings

O, xrefs: 0042C64D
M4U5, xrefs: 0042C60C
9+Di, xrefs: 0042C613
s<O?(Su(, xrefs: 0042C70B
6, xrefs: 0042C626
pfx8, xrefs: 0042C605
Gs, xrefs: 0042C61A

Memory Dump Source

Source File: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: AllocVirtual
String ID: 6$9+Di$Gs$M4U5$O$pfx8$s<O?(Su(
API String ID: 4275171209-2690861754
Opcode ID: 5771f0e1f234e3279db517ca23c00010e8d1b9e8e672e5662b23c37979f35266
Instruction ID: cd5d1eeb5dad64a7cc3f15a6d20144d3d4e45bed201563ddaa11bfec4b45d5f5
Opcode Fuzzy Hash: 5771f0e1f234e3279db517ca23c00010e8d1b9e8e672e5662b23c37979f35266
Instruction Fuzzy Hash: C8C14771F012699FCB24CFA8D9807ADBBB1FF49304F6881AAD845EB341E7749941CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0042B64B Relevance: 15.1, APIs: 10, Instructions: 101
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32(0044AEF4,?,?,?,0044AED8,0044AED8,0042BB1F,?,?,?,0042B380,00429E06,0040C70D), ref: 0042B65A
GlobalAlloc.KERNELBASE(00000002,00000000,00000000,?,?,?,0044AED8,0044AED8,0042BB1F,?,?,?,0042B380,00429E06,0040C70D), ref: 0042B6AC
GlobalHandle.KERNEL32(00801ED0), ref: 0042B6B5
GlobalUnlock.KERNEL32(00000000,?,?,?,0044AED8,0044AED8,0042BB1F,?,?,?,0042B380,00429E06,0040C70D), ref: 0042B6BE
GlobalReAlloc.KERNEL32(00000000,00000000,00002002), ref: 0042B6D0
GlobalHandle.KERNEL32(00801ED0), ref: 0042B6EC
GlobalLock.KERNEL32(00000000,?,?,?,0044AED8,0044AED8,0042BB1F,?,?,?,0042B380,00429E06,0040C70D), ref: 0042B6F3
LeaveCriticalSection.KERNEL32(00429E06,?,?,?,0044AED8,0044AED8,0042BB1F,?,?,?,0042B380,00429E06,0040C70D), ref: 0042B6F9
GlobalLock.KERNEL32(0040C70D,?,?,?,0044AED8,0044AED8,0042BB1F,?,?,?,0042B380,00429E06,0040C70D), ref: 0042B708
LeaveCriticalSection.KERNEL32(?), ref: 0042B74A

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock
String ID:
API String ID: 2667261700-0
Opcode ID: 78356631f8aaed9052733949075a33ef6c867759e15218fc8afabd321056c18c
Instruction ID: 222caff267ab2058375ee3363c8eab48129623bed3694301ddaedbbb3d00f7f7
Opcode Fuzzy Hash: 78356631f8aaed9052733949075a33ef6c867759e15218fc8afabd321056c18c
Instruction Fuzzy Hash: 0F3178B23007059FD720DF68EC88A26B7F8FB84300B84493EE892C3650D735EC198B69

Uniqueness

Uniqueness Score: -1.00%

Function 0243CCC0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 98
memorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadStackGuarantee.KERNELBASE(?), ref: 0243CCF8
GetLastError.KERNEL32 ref: 0243CD02
HeapFree.KERNEL32(00000000,00000000), ref: 0243CD4C
HeapFree.KERNEL32(00000000,?), ref: 0243CD5D
HeapFree.KERNEL32(00000000,?), ref: 0243CDFD
HeapFree.KERNEL32(00000000,?), ref: 0243CE0E

Strings

Invalid, xrefs: 0243CD95

Memory Dump Source

Source File: 00000000.00000002.2022153806.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23d0000_app.jbxd

Similarity

API ID: FreeHeap$ErrorGuaranteeLastStackThread
String ID: Invalid
API String ID: 3680998240-874791708
Opcode ID: 019257b1edde4a3b546b8d0f6bd48e675abc06889d5389d5e13697d4d45514a5
Instruction ID: 75a934353a417ac4d9dd1707ccdf8072e0ca1f63d4ee4fff44b7e7b9bd9481e8
Opcode Fuzzy Hash: 019257b1edde4a3b546b8d0f6bd48e675abc06889d5389d5e13697d4d45514a5
Instruction Fuzzy Hash: 73413A75D40208EFDB05DF94D988BAEBBB5FF08304F10446AF904AB2A0D7759954CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00426EB8 Relevance: 12.0, APIs: 8, Instructions: 38
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserCallbackDispatcher.NTDLL(0000000B), ref: 00426EC5
GetSystemMetrics.USER32(0000000C), ref: 00426ECC
GetSystemMetrics.USER32(00000002), ref: 00426ED3
GetSystemMetrics.USER32(00000003), ref: 00426EDD
GetDC.USER32(00000000), ref: 00426EE7
GetDeviceCaps.GDI32(00000000,00000058), ref: 00426EF8
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00426F00
ReleaseDC.USER32(00000000,00000000), ref: 00426F08

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: MetricsSystem$CapsDevice$CallbackDispatcherReleaseUser
String ID:
API String ID: 1031845853-0
Opcode ID: ed2417dc9456594cdf0b31a88eb29372da527a16b3c658b083092e7c9424d573
Instruction ID: b3796cda6346f1d9b14e489dd3367e8f14833ca86dd78446ae7436d4847d6f55
Opcode Fuzzy Hash: ed2417dc9456594cdf0b31a88eb29372da527a16b3c658b083092e7c9424d573
Instruction Fuzzy Hash: 23F09071A80700AEE3307F729C49F277BB8EBE1B51F51443AE6418B2D0CAF598068F54

Uniqueness

Uniqueness Score: -1.00%

Function 0042C6B6 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 239
memorylibraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,000C4E00,00003000,00000004), ref: 0042C6C3
VirtualAlloc.KERNELBASE(00000000,?,00003000,?,0000001B), ref: 0042C73A
LoadLibraryA.KERNELBASE(?), ref: 0042C8B1
GetProcAddress.KERNELBASE(?,-00000002), ref: 0042C8E1

Strings

s<O?(Su(, xrefs: 0042C70B

Memory Dump Source

Source File: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: AllocVirtual$AddressLibraryLoadProc
String ID: s<O?(Su(
API String ID: 2938105391-2579506083
Opcode ID: b3fac43b6f37ce7f2159d76fdb1eea15d15c32a495f9fe60442fcf7cf701a851
Instruction ID: 98f8efe1d1dce6292f322ff0c0b8de9db3192ba101f6e8a77763a19099652570
Opcode Fuzzy Hash: b3fac43b6f37ce7f2159d76fdb1eea15d15c32a495f9fe60442fcf7cf701a851
Instruction Fuzzy Hash: 39A12471E012299FCB14CFA8D980BADBBF1BF49305F6881AAD845EB341D778A941CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0242E597 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 203
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

VUUU, xrefs: 0242E6B5

Memory Dump Source

Source File: 00000000.00000002.2022153806.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23d0000_app.jbxd

Similarity

API ID:
String ID: VUUU
API String ID: 0-2040033107
Opcode ID: 7c992500194f379d7f60f829b34f1635b0ac9aa85b7c31bcd951610091f9b514
Instruction ID: 2e0cc6999f2bb34bff7e07ab698124aa396cd3f101e117e527c1e599298963ab
Opcode Fuzzy Hash: 7c992500194f379d7f60f829b34f1635b0ac9aa85b7c31bcd951610091f9b514
Instruction Fuzzy Hash: CD51E672B042224BD7188F2AC840327BBD6EFC4654F55857FD9999B391F731E84ACB81

Uniqueness

Uniqueness Score: -1.00%

Function 023F1C36 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 146
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysFreeString.OLEAUT32(00000000), ref: 023F1C96
SysFreeString.OLEAUT32(00000000), ref: 023F1CA1

Part of subcall function 023F1BFE: HeapFree.KERNEL32(00000000,?,?,?,00000000,?,023F1E0B), ref: 023F1C2B

SysFreeString.OLEAUT32(00000000), ref: 023F1CC2
SysFreeString.OLEAUT32(00000000), ref: 023F1CCD

Strings

WQL, xrefs: 023F1C4B

Memory Dump Source

Source File: 00000000.00000002.2022153806.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23d0000_app.jbxd

Similarity

API ID: Free$String$Heap
String ID: WQL
API String ID: 4134718113-1249411209
Opcode ID: b118baeb9626d3527c00936fc924f716e30074d116249e73f1c77be10e5157a7
Instruction ID: 5aedaa2b70575df17a89d1bf0c38e97edb727bf4f64d6fccb244e1b501cbff58
Opcode Fuzzy Hash: b118baeb9626d3527c00936fc924f716e30074d116249e73f1c77be10e5157a7
Instruction Fuzzy Hash: D3519C71908341DBD350CF24E44466BB7F5AF89354F148A1DF9CA57222E770EA85CB82

Uniqueness

Uniqueness Score: -1.00%

Function 0041AECC Relevance: 7.7, APIs: 5, Instructions: 172
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStartupInfoA.KERNEL32(?), ref: 0041AF29
GetFileType.KERNEL32(?), ref: 0041AFD3
GetStdHandle.KERNEL32(-000000F6), ref: 0041B054

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: FileHandleInfoStartupType
String ID:
API String ID: 2461013171-0
Opcode ID: 2d49ff2e1dac1d461a9ba017d4f7fce9fd659b37ad6f8575f489bd24d7f4b863
Instruction ID: cad9638fdaf26c8eb5ebf78c6630cc0ebb1e4dd1610fc6893beeae660980b453
Opcode Fuzzy Hash: 2d49ff2e1dac1d461a9ba017d4f7fce9fd659b37ad6f8575f489bd24d7f4b863
Instruction Fuzzy Hash: AE51E4712057418FC720CF28C8847A77BE0EB15324F298A7EE5A6C72E1D738D89AC759

Uniqueness

Uniqueness Score: -1.00%

Function 0042C704 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 215librarymemoryloaderCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,?,0000001B), ref: 0042C73A
LoadLibraryA.KERNELBASE(?), ref: 0042C8B1
GetProcAddress.KERNELBASE(?,-00000002), ref: 0042C8E1

Strings

s<O?(Su(, xrefs: 0042C70B

Memory Dump Source

Source File: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: AddressAllocLibraryLoadProcVirtual
String ID: s<O?(Su(
API String ID: 4074058790-2579506083
Opcode ID: f2fd0d41c120b0acc762afd2b1f5d72efe51c0065ea40216067eb6c2da04019b
Instruction ID: 4dfecaa40277070d29589cf71415a5a9c46b68c125777a1cbeafcd6e7af7fa96
Opcode Fuzzy Hash: f2fd0d41c120b0acc762afd2b1f5d72efe51c0065ea40216067eb6c2da04019b
Instruction Fuzzy Hash: 63912471E01229DFCB24CFA8D980BADBBF1BF49305F6881AAD845EB341D734A941CB54

Uniqueness

Uniqueness Score: -1.00%

Function 02449760 Relevance: 6.1, APIs: 4, Instructions: 111comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(024837A4,00000000,00000001,02483788,?,?,0240AA3A,0000000A), ref: 02449781
SysFreeString.OLEAUT32(00000000), ref: 024497EC
CoSetProxyBlanket.OLE32 ref: 0244981A
SysFreeString.OLEAUT32(00000000), ref: 02449865

Memory Dump Source

Source File: 00000000.00000002.2022153806.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23d0000_app.jbxd

Similarity

API ID: FreeString$BlanketCreateInstanceProxy
String ID:
API String ID: 459372342-0
Opcode ID: dee61d46d37487c468ddb621c66c1b6b12a3281aaa3d47e3617b6b25c3a3e687
Instruction ID: 47b49e56dada9439571df3f56bdaa1d030ea31dc313a5b4bc9680d55c4d238b8
Opcode Fuzzy Hash: dee61d46d37487c468ddb621c66c1b6b12a3281aaa3d47e3617b6b25c3a3e687
Instruction Fuzzy Hash: 27414170A047429FE314DF6AC88861BFBF5BFC4704F14896EE9898B210EB70D981DB52

Uniqueness

Uniqueness Score: -1.00%

Function 0243121A Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(00000000,?), ref: 02431195
HeapFree.KERNEL32(00000000,?), ref: 024311A6

Strings

#, xrefs: 0243121A

Memory Dump Source

Source File: 00000000.00000002.2022153806.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23d0000_app.jbxd

Similarity

API ID: FreeHeap
String ID: #
API String ID: 3298025750-1885708031
Opcode ID: 2c19034265216c147f399371fafc8e8e4aec0fb1481e570d60fee72cb7af9f2b
Instruction ID: 92e57c355ce44c29d800d19b874300ec41b8142b22e22a97f89ac0e408b132a1
Opcode Fuzzy Hash: 2c19034265216c147f399371fafc8e8e4aec0fb1481e570d60fee72cb7af9f2b
Instruction Fuzzy Hash: C0210A75E00108ABEF16CFA8D844BEEBBB1BB4D324F14451AE919BB390D7319851CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0242EE40 Relevance: 4.5, APIs: 3, Instructions: 39threadmemoryCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 0242EE8A
SetThreadDescription.KERNELBASE(00000000,?,?,?,?,?,?,?,?,023DEB3C), ref: 0242EE98
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,023DEB3C), ref: 0242EEA7

Part of subcall function 024316E0: HeapFree.KERNEL32(00000000,?), ref: 02431778

Memory Dump Source

Source File: 00000000.00000002.2022153806.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23d0000_app.jbxd

Similarity

API ID: FreeHeapThread$CurrentDescription
String ID:
API String ID: 2762239883-0
Opcode ID: 45cd936dd1552f634fb7c8f1b83663f80dfa30545f49f772099bae3a9063713c
Instruction ID: 5bebb4a7110f5f50710a06dd085861b64bee082fcd139c4712b5c296dcf7f4d1
Opcode Fuzzy Hash: 45cd936dd1552f634fb7c8f1b83663f80dfa30545f49f772099bae3a9063713c
Instruction Fuzzy Hash: 5AF0AF72A04211ABC718AA59EC08B2F7776ABD1314F80892DE84947254DB30A855CB82

Uniqueness

Uniqueness Score: -1.00%

Function 024565E2 Relevance: 3.1, APIs: 2, Instructions: 65COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 0245662E
GetFileType.KERNELBASE(00000000), ref: 02456640

Memory Dump Source

Source File: 00000000.00000002.2022153806.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23d0000_app.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: b8855dba3f962044aa2ca36a95385fa9f13b8cdffc9a6424d07f105d23de9cb8
Instruction ID: 963d0e86c698c3d8dc47f56c5474ee87469832dc487fd573cee4eaa1ae97c3d5
Opcode Fuzzy Hash: b8855dba3f962044aa2ca36a95385fa9f13b8cdffc9a6424d07f105d23de9cb8
Instruction Fuzzy Hash: 9C11B1715047624ACB348E3E9C98623BED9A766534B6B071BDDFAC62E3C330D5C6C641

Uniqueness

Uniqueness Score: -1.00%

Function 024496A2 Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32 ref: 024496B8
CoInitializeSecurity.OLE32 ref: 024496E4

Part of subcall function 02448B49: GetErrorInfo.OLEAUT32(00000000,?,?,023F0204,?,000000FF,00000001,?,?), ref: 02448B5C

Memory Dump Source

Source File: 00000000.00000002.2022153806.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23d0000_app.jbxd

Similarity

API ID: Initialize$ErrorInfoSecurity
String ID:
API String ID: 3572798514-0
Opcode ID: 3fbd3eed6099f8554aeaef8887db9e69d3aad1177ff249ce5f95809eb999457b
Instruction ID: a8cfdcefd21b55505aff85eec72b05b9a8ac917fe773befd00fcca394801b128
Opcode Fuzzy Hash: 3fbd3eed6099f8554aeaef8887db9e69d3aad1177ff249ce5f95809eb999457b
Instruction Fuzzy Hash: C211AE75908B41CBE704AF7AD50966ABBE0AF84214F048A2ED98997221FF70E1D4CB42

Uniqueness

Uniqueness Score: -1.00%

Function 023DED80 Relevance: 3.0, APIs: 2, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

FreeConsole.KERNEL32 ref: 023DEDC1

Part of subcall function 02401E40: HeapFree.KERNEL32(00000000,?), ref: 02401FCF

HeapFree.KERNEL32(00000000,00000000), ref: 023DEDF6

Memory Dump Source

Source File: 00000000.00000002.2022153806.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23d0000_app.jbxd

Similarity

API ID: Free$Heap$Console
String ID:
API String ID: 2715786339-0
Opcode ID: 0eda215a2be00be7b2e824fc3b0de6c4f4a085f5cbc957b4daf3ab8771fe5a43
Instruction ID: 042641f8c1e42abbd5e15e9048ff4ebc93a6f27e2a835de70808a80b7953b043
Opcode Fuzzy Hash: 0eda215a2be00be7b2e824fc3b0de6c4f4a085f5cbc957b4daf3ab8771fe5a43
Instruction Fuzzy Hash: 9601F9B3D811156FC724BB75BC0DB4E7B39AF50354F054436E91856244EB346229CFD6

Uniqueness

Uniqueness Score: -1.00%

Function 00418875 Relevance: 3.0, APIs: 2, Instructions: 26memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,00415EAC,00000001,?,0043A478,00000060), ref: 00418886

Part of subcall function 004188C6: HeapAlloc.KERNEL32(00000000,00000140,004188AE,000003F8,?,0043A478,00000060), ref: 004188D3

HeapDestroy.KERNEL32(?,0043A478,00000060), ref: 004188B9

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: Heap$AllocCreateDestroy
String ID:
API String ID: 2236781399-0
Opcode ID: 081eba9be5826635cbb7a29082c7bc61fc15faa81be005bd4fff385f22785363
Instruction ID: 558faf22d0d10c49c59805d7195a1265b1ee3e9db6c9b0bb3573a997b10f9ed6
Opcode Fuzzy Hash: 081eba9be5826635cbb7a29082c7bc61fc15faa81be005bd4fff385f22785363
Instruction Fuzzy Hash: C3E09A78B113029AEF507B70AC057AA3BE4EB64746FC4883EB404C50A8EF2888849A0C

Uniqueness

Uniqueness Score: -1.00%

Function 0243B6F0 Relevance: 2.6, APIs: 2, Instructions: 106memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(00000000,00000000), ref: 0243B7D6
HeapFree.KERNEL32(00000000,?), ref: 0243B7E7

Memory Dump Source

Source File: 00000000.00000002.2022153806.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23d0000_app.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 6aaecb653f882aaf6d9152fbbb73d1f4606e05828fe231f0d512342a10cc2417
Instruction ID: cd9ec6b4ea70636ba66f8768362f85334db7b4f081df9e0eb934e4e969e5fdb4
Opcode Fuzzy Hash: 6aaecb653f882aaf6d9152fbbb73d1f4606e05828fe231f0d512342a10cc2417
Instruction Fuzzy Hash: 75410774D00608DFDB05CF98D985BEEBBB1FB48328F04855AE919AB351D334A951CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 02431162 Relevance: 2.6, APIs: 2, Instructions: 77memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 024302D0: GetStdHandle.KERNEL32 ref: 02430307
Part of subcall function 024302D0: GetLastError.KERNEL32 ref: 02430316

HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 024312ED
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 024312FE

Memory Dump Source

Source File: 00000000.00000002.2022153806.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23d0000_app.jbxd

Similarity

API ID: FreeHeap$ErrorHandleLast
String ID:
API String ID: 642181330-0
Opcode ID: 053c36bc2c6ce888c3bda982fbf064ecfa42f94771b111da12dd8118fba897d3
Instruction ID: cc9e182165b47ddb0a3b1f801b8328cab5e3c3fa06af657d3b820561aa27f397
Opcode Fuzzy Hash: 053c36bc2c6ce888c3bda982fbf064ecfa42f94771b111da12dd8118fba897d3
Instruction Fuzzy Hash: DA319E75E40208DFDB068F98E944FAEBBB2BB4D314F18416AE91DAB391D7318950CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0243120B Relevance: 2.6, APIs: 2, Instructions: 71memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(00000000,?), ref: 02431195
HeapFree.KERNEL32(00000000,?), ref: 024311A6

Memory Dump Source

Source File: 00000000.00000002.2022153806.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23d0000_app.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 8ff6c7324c4e23bc267910931ca61e3ef6c287c64d0daac2e0b4329483066ba0
Instruction ID: bd5b797e70fcd1a144c1a75917c0245ae693e9b475dfec47d7129668e981abb6
Opcode Fuzzy Hash: 8ff6c7324c4e23bc267910931ca61e3ef6c287c64d0daac2e0b4329483066ba0
Instruction Fuzzy Hash: 1D211975E00208ABDF16CF98D884BEEBBB1BB4D324F14861AE919BB390D7319851CF54

Uniqueness

Uniqueness Score: -1.00%

Function 02431186 Relevance: 2.5, APIs: 2, Instructions: 32memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(00000000,?), ref: 02431195
HeapFree.KERNEL32(00000000,?), ref: 024311A6

Part of subcall function 024302D0: GetStdHandle.KERNEL32 ref: 02430307
Part of subcall function 024302D0: GetLastError.KERNEL32 ref: 02430316

HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 024312ED
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 024312FE

Memory Dump Source

Source File: 00000000.00000002.2022153806.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23d0000_app.jbxd

Similarity

API ID: FreeHeap$ErrorHandleLast
String ID:
API String ID: 642181330-0
Opcode ID: 53458cd329890ad28d011baebb01fbcb1e9085e7b3451f692ddd0c402ec42665
Instruction ID: ddc2c6a88b379650a4694bcc5f057e26f57cf402c96a8725cb8ee70b09a9aa28
Opcode Fuzzy Hash: 53458cd329890ad28d011baebb01fbcb1e9085e7b3451f692ddd0c402ec42665
Instruction Fuzzy Hash: EAF09035E00108ABEF1A8AA4DC48FAE7B72BB5C364F144619F529FA2D0D7308810CF14

Uniqueness

Uniqueness Score: -1.00%

Function 024547D2 Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,?,?,0245436C,00000001,00000364,?,00000007,000000FF,?,024547C4,0245BE32,?,0245A8CB,?), ref: 02454813

Memory Dump Source

Source File: 00000000.00000002.2022153806.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23d0000_app.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: facefe7c126732e6863c7b437d4302aa08dab0da352a4bbaa734518b710985f1
Instruction ID: 9307e3339b00c0d7ac63aa70808d005c21002988ed06daa983ff3f65aa1a091a
Opcode Fuzzy Hash: facefe7c126732e6863c7b437d4302aa08dab0da352a4bbaa734518b710985f1
Instruction Fuzzy Hash: 63F05939A045B0679B219E729C04F5B3759AF42BB0B048023ED98DE286CF24D4808AF0

Uniqueness

Uniqueness Score: -1.00%

Function 0243D330 Relevance: 1.5, APIs: 1, Instructions: 2COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32 ref: 0243D331

Memory Dump Source

Source File: 00000000.00000002.2022153806.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23d0000_app.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 73504f4458b8c453c3d01216f3bccfeb81ecf47016fcd3bd1cc3e39ab8c5c46f
Instruction ID: 38d132b1274e6986ca2bbb4e36003bd2237054e0f059543939a88bda7b13698e
Opcode Fuzzy Hash: 73504f4458b8c453c3d01216f3bccfeb81ecf47016fcd3bd1cc3e39ab8c5c46f
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0040A770 Relevance: 90.3, APIs: 35, Strings: 16, Instructions: 1068fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0040A740: GetVersionExA.KERNEL32(00000000), ref: 0040A753

CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000,00000000,?,?), ref: 0040A7CC
_strncpy.LIBCMT ref: 0040A825
DeviceIoControl.KERNEL32(00000000,0004D008,?,0000003C,?,0000022D,?,00000000), ref: 0040A86E
CloseHandle.KERNEL32(00000000,?,?,?,?,?,SCSIDISK,00000008), ref: 0040A8BA
CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 0040A9B2
DeviceIoControl.KERNEL32 ref: 0040A9E9
CloseHandle.KERNEL32(00000000,?,00000000,00000000,?,00000018,?,00000000), ref: 0040AA7B
GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0040ADB1
CopyFileA.KERNEL32(?,?,00000000), ref: 0040AEE7

Strings

L, xrefs: 0040ABF7
\DiskSerial.VXD, xrefs: 0040B0B7
DISKSERIAL, xrefs: 0040B11D
IOSUBSYS\SMARTVSD.VXD, xrefs: 0040AE67
\, xrefs: 0040B0BC
SCSIDISK, xrefs: 0040A7F2
\\.\DiskSerial.vxd, xrefs: 0040B178
DiskSerial.VXD, xrefs: 0040B0C3
\\.\PhysicalDrive%d, xrefs: 0040A98D, 0040AB4E
SMARTVSD.VXD, xrefs: 0040AE98
\\.\Scsi%d:, xrefs: 0040A7A1
\IOSUBSYS\SMARTVSD.VXD, xrefs: 0040AE2F
DiskSerial, xrefs: 0040B122
\SMARTVSD.VXD, xrefs: 0040AE60
\, xrefs: 0040AE25
\\.\SMARTVSD, xrefs: 0040AEF9

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: File$CloseControlCreateDeviceHandle$CopyDirectorySystemVersion_strncpy
String ID: DISKSERIAL$DiskSerial$DiskSerial.VXD$IOSUBSYS\SMARTVSD.VXD$L$SCSIDISK$SMARTVSD.VXD$\$\$\DiskSerial.VXD$\IOSUBSYS\SMARTVSD.VXD$\SMARTVSD.VXD$\\.\DiskSerial.vxd$\\.\PhysicalDrive%d$\\.\SMARTVSD$\\.\Scsi%d:
API String ID: 3337007040-3280731534
Opcode ID: 5381b5551287e4adfd786a5f55f6f4a67c4bd9771a8bb3c3fab6e6aed8b98872
Instruction ID: 93a60672a8556de03baec2beb5f329e244e6174530f919b371a39b0e8372696b
Opcode Fuzzy Hash: 5381b5551287e4adfd786a5f55f6f4a67c4bd9771a8bb3c3fab6e6aed8b98872
Instruction Fuzzy Hash: FA7246723003045BE328DA389C46BEB77D5EBC4310F544A3EFA5A9B2C0DEB99909C759

Uniqueness

Uniqueness Score: -1.00%

Function 02410225 Relevance: 77.0, APIs: 44, Strings: 6, Instructions: 2020memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(00000000,023ECDE7), ref: 02410462
HeapFree.KERNEL32(00000000,?), ref: 0241047B
HeapFree.KERNEL32(00000000,?), ref: 0241060C

Part of subcall function 023EFB9E: HeapFree.KERNEL32(00000000,?), ref: 023EFBD0
Part of subcall function 023EFB9E: HeapFree.KERNEL32(00000000,00000000), ref: 023EFBDF

HeapFree.KERNEL32(00000000,023ECDE7), ref: 024106B0
HeapFree.KERNEL32(00000000,?), ref: 024106C9
HeapFree.KERNEL32(00000000,?), ref: 024107AF
HeapFree.KERNEL32(00000000,?), ref: 02410C60

Part of subcall function 0243FEC0: HeapFree.KERNEL32(00000000,?), ref: 02440037
Part of subcall function 0243FEC0: HeapFree.KERNEL32(00000000,?), ref: 0244004C

HeapFree.KERNEL32(00000000,?), ref: 02410CE0
HeapFree.KERNEL32(00000000,?), ref: 02410F10
CloseHandle.KERNEL32(?), ref: 02410F85
HeapFree.KERNEL32(00000000,?), ref: 02410FE5
HeapFree.KERNEL32(00000000,?), ref: 024110A7
HeapFree.KERNEL32(00000000,?), ref: 024110F1
HeapFree.KERNEL32(00000000,?), ref: 024113F9

Part of subcall function 023F172D: HeapFree.KERNEL32(00000000,?,?,?,?,?,0242C142), ref: 023F1775

HeapFree.KERNEL32(00000000,00000000), ref: 0241111E
HeapFree.KERNEL32(00000000,?), ref: 024112D1
HeapFree.KERNEL32(00000000,?), ref: 024114FC
HeapFree.KERNEL32(00000000,?), ref: 02411592
HeapFree.KERNEL32(00000000,?), ref: 02411695
HeapFree.KERNEL32(00000000,?), ref: 02411700
HeapFree.KERNEL32(00000000,?), ref: 02411724
HeapFree.KERNEL32(00000000,?), ref: 024117A8
HeapFree.KERNEL32(00000000,00000004), ref: 024117E8
HeapFree.KERNEL32(00000000,?), ref: 02411807
HeapFree.KERNEL32(00000000,?), ref: 02411827
HeapFree.KERNEL32(00000000,?), ref: 02411840
HeapFree.KERNEL32(00000000,?), ref: 02411A0F
HeapFree.KERNEL32(00000000,?), ref: 02411AA5
HeapFree.KERNEL32(00000000,-0000000C), ref: 02411B12
HeapFree.KERNEL32(00000000,?), ref: 0241254D

Part of subcall function 023D17D0: HeapFree.KERNEL32(00000000,?), ref: 023D1998

HeapFree.KERNEL32(00000000,?), ref: 024123D7
HeapFree.KERNEL32(00000000,?), ref: 02412413
HeapFree.KERNEL32(00000000,?), ref: 02412432
HeapFree.KERNEL32(00000000,?), ref: 0241244B
HeapFree.KERNEL32(00000000,?), ref: 0241246A
HeapFree.KERNEL32(00000000,?), ref: 02412483
HeapFree.KERNEL32(00000000,?), ref: 024124C5
CloseHandle.KERNEL32(?), ref: 024124D3
HeapFree.KERNEL32(00000000,?), ref: 02412504
HeapFree.KERNEL32(00000000,?), ref: 02412572
HeapFree.KERNEL32(00000000,?), ref: 02412591
HeapFree.KERNEL32(00000000,?), ref: 024125AA

Strings

s, xrefs: 024120E9
l, xrefs: 024120FF
Invalid, xrefs: 0241043F, 02410446, 0241068B, 02410692, 02410DD5, 024113D3, 024113DA, 0241156C, 02411573, 0241232A, 02412331, 024123B1, 024123B8
q, xrefs: 024120F4
e, xrefs: 02411ED3
APPDATA, xrefs: 02410245, 0241048A, 02410734, 0241112D, 02411408, 024115A1

Memory Dump Source

Source File: 00000000.00000002.2022153806.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23d0000_app.jbxd

Similarity

API ID: FreeHeap$CloseHandle
String ID: APPDATA$Invalid$e$l$q$s
API String ID: 1910495013-1432503283
Opcode ID: 876b53d110ec965a5c703659f052b95ae99ae8bb2ddf78a2c72434441d537579
Instruction ID: ba01950573d49ea821d70238758fa2008c12c54843412ee34c17acef19dd4384
Opcode Fuzzy Hash: 876b53d110ec965a5c703659f052b95ae99ae8bb2ddf78a2c72434441d537579
Instruction Fuzzy Hash: 522324749083819FD735CF18C484B9BBBE1BF99304F14891EE98997390D7B1A985CF82

Uniqueness

Uniqueness Score: -1.00%

Function 023FC38E Relevance: 68.9, APIs: 37, Strings: 8, Instructions: 1390memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(00000000,?), ref: 023FC4D3
HeapFree.KERNEL32(00000000,?), ref: 023FC4F2
HeapFree.KERNEL32(00000000,?), ref: 023FC866
HeapFree.KERNEL32(00000000,?), ref: 023FC988
HeapFree.KERNEL32(00000000,?), ref: 023FCAAA
HeapFree.KERNEL32(00000000,?), ref: 023FCAD6
HeapFree.KERNEL32(00000000,?), ref: 023FCAF6
HeapFree.KERNEL32(00000000,?), ref: 023FCBE7
HeapFree.KERNEL32(00000000,?), ref: 023FCC06
HeapFree.KERNEL32(00000000,?), ref: 023FCC21
HeapFree.KERNEL32(00000000,?), ref: 023FCC36
HeapFree.KERNEL32(00000000,?), ref: 023FCC4B
HeapFree.KERNEL32(00000000,?), ref: 023FCC60
HeapFree.KERNEL32(00000000,?), ref: 023FCCB2
HeapFree.KERNEL32(00000000,?), ref: 023FCCD1
HeapFree.KERNEL32(00000000), ref: 023FCD82
HeapFree.KERNEL32(00000000,?), ref: 023FCDA0
HeapFree.KERNEL32(00000000,?), ref: 023FD092
HeapFree.KERNEL32(00000000,?), ref: 023FD3DB
HeapFree.KERNEL32(00000000,?), ref: 023FD46F
HeapFree.KERNEL32(00000000,?), ref: 023FD488

Part of subcall function 023EFB9E: HeapFree.KERNEL32(00000000,?), ref: 023EFBD0
Part of subcall function 023EFB9E: HeapFree.KERNEL32(00000000,00000000), ref: 023EFBDF

HeapFree.KERNEL32(00000000,?), ref: 023FD713
HeapFree.KERNEL32(00000000,?), ref: 023FCE30

Part of subcall function 02406AA8: HeapFree.KERNEL32(00000000,?), ref: 02406AD5
Part of subcall function 02406AA8: HeapFree.KERNEL32(00000000,00000001), ref: 02406AE4

HeapFree.KERNEL32(00000000,?), ref: 023FCE49
HeapFree.KERNEL32(00000000,023ECDE7), ref: 023FD126
HeapFree.KERNEL32(00000000,?), ref: 023FD13F
HeapFree.KERNEL32(00000000,?), ref: 023FD232
HeapFree.KERNEL32(00000000,?), ref: 023FD24B
HeapFree.KERNEL32(00000000,?), ref: 023FD268

Part of subcall function 0243A3F0: HeapFree.KERNEL32(00000000,00000000), ref: 0243A5D0
Part of subcall function 0243A3F0: HeapFree.KERNEL32(00000000,?), ref: 0243A5E1

HeapFree.KERNEL32(00000000,?), ref: 023FD77E

Part of subcall function 023D17D0: HeapFree.KERNEL32(00000000,?), ref: 023D1998

Part of subcall function 0243A3F0: HeapFree.KERNEL32(00000000,00000000), ref: 0243A615
Part of subcall function 0243A3F0: HeapFree.KERNEL32(00000000,?), ref: 0243A626

HeapFree.KERNEL32(00000000,?), ref: 023FD7EE
HeapFree.KERNEL32(00000000,?), ref: 023FD80B
HeapFree.KERNEL32(00000000,?), ref: 023FD82A
HeapFree.KERNEL32(00000000,00000000), ref: 023FD8F5
HeapFree.KERNEL32(00000000,?), ref: 023FD987
HeapFree.KERNEL32(00000000,?), ref: 023FD9A4
HeapFree.KERNEL32(00000000,?), ref: 023FD9C2

Strings

), xrefs: 023FC453
a Display implementation returned an error unexpectedly, xrefs: 023FD9E8
C:\Program Files (x86)\SteamC:\Program Files (x86)\Steam\config\Telegram Desktop\tdata, xrefs: 023FD497, 023FD524
Invalid, xrefs: 023FCE0D, 023FCE14, 023FD103, 023FD10A, 023FD1F9, 023FD218, 023FD44C, 023FD453, 023FD534, 023FD53B, 023FD5F0, 023FD5F7
c\winscp.rs, xrefs: 023FD684
grBH, xrefs: 023FC9BB
!, xrefs: 023FD51C
APPDATA, xrefs: 023FC501, 023FCE58, 023FD277, 023FD60C

Memory Dump Source

Source File: 00000000.00000002.2022153806.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23d0000_app.jbxd

Similarity

API ID: FreeHeap
String ID: !$)$APPDATA$C:\Program Files (x86)\SteamC:\Program Files (x86)\Steam\config\Telegram Desktop\tdata$Invalid$a Display implementation returned an error unexpectedly$c\winscp.rs$grBH
API String ID: 3298025750-3594040642
Opcode ID: 76e1fb0ce228c24b5848c0afe4cb1eb88394998525f8f0a706f069ac52e29524
Instruction ID: 07f4eb642592847335c0fd083d1c5372681d3173b892094ea02e376be4d7dc75
Opcode Fuzzy Hash: 76e1fb0ce228c24b5848c0afe4cb1eb88394998525f8f0a706f069ac52e29524
Instruction Fuzzy Hash: A8D259719083459FD765CF14D884B9BFBE2FF88304F10892EE99997261D770A899CF82

Uniqueness

Uniqueness Score: -1.00%

Function 024272C2 Relevance: 35.7, APIs: 16, Strings: 4, Instructions: 672memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(00000000,?), ref: 0242726C
HeapFree.KERNEL32(00000000,?), ref: 024283FC
HeapFree.KERNEL32(00000000,?), ref: 02428BF6
HeapFree.KERNEL32(00000000,?), ref: 02429082
HeapFree.KERNEL32(00000000,?), ref: 02429147

Strings

called `Result::unwrap()` on an `Err` value, xrefs: 02429412
Invalid, xrefs: 024292CA, 02429389
assertion failed: step != 0, xrefs: 024293BC
assertion failed: output_position <= output.len(), xrefs: 02429316

Memory Dump Source

Source File: 00000000.00000002.2022153806.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23d0000_app.jbxd

Similarity

API ID: FreeHeap
String ID: Invalid$assertion failed: output_position <= output.len()$assertion failed: step != 0$called `Result::unwrap()` on an `Err` value
API String ID: 3298025750-1422663253
Opcode ID: c61d06380fce59854c11afcc47c2f7b2fc2553889c9ec89186aedafeaf8fbec5
Instruction ID: aa1a6d92e8c5e41bfa975ba474e25a1b2bab9eced2afc41d7bcfde90eddd01f8
Opcode Fuzzy Hash: c61d06380fce59854c11afcc47c2f7b2fc2553889c9ec89186aedafeaf8fbec5
Instruction Fuzzy Hash: 5852E171A083609FD325DF26C880B9BBBE2BFC8704F54891FE98957351D770A849CB96

Uniqueness

Uniqueness Score: -1.00%

Function 023EA020 Relevance: 34.4, APIs: 17, Strings: 2, Instructions: 1112memoryCOMMON

Download Yara Rule

APIs

GetCommandLineW.KERNEL32 ref: 023EA05D
HeapFree.KERNEL32(00000000,00000000), ref: 023EA5C3
HeapFree.KERNEL32(00000000,?), ref: 023EA5D4
HeapFree.KERNEL32(00000000,?), ref: 023EA687
HeapFree.KERNEL32(00000000,?), ref: 023EA6A1
HeapFree.KERNEL32(00000000), ref: 023EA86C

Part of subcall function 023DA9F0: __aulldiv.LIBCMT ref: 023DAA2E

HeapFree.KERNEL32(00000000), ref: 023EABDE
HeapFree.KERNEL32(00000000,?), ref: 023EAC68
HeapFree.KERNEL32(00000000,?), ref: 023EAC7F
HeapFree.KERNEL32(00000000,?), ref: 023EAC99
HeapFree.KERNEL32(00000000), ref: 023EAD27
HeapFree.KERNEL32(00000000,?), ref: 023EAD94
HeapFree.KERNEL32(00000000,?), ref: 023EADAE
HeapFree.KERNEL32(00000000,?), ref: 023EADC9
HeapFree.KERNEL32(00000000,?), ref: 023EADE0
HeapFree.KERNEL32(00000000,?), ref: 023EAE03
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,0246F438,0247D02C), ref: 023EAEF1

Strings

a Display implementation returned an error unexpectedly, xrefs: 023EAE3C
Invalid, xrefs: 023EA811

Memory Dump Source

Source File: 00000000.00000002.2022153806.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23d0000_app.jbxd

Similarity

API ID: FreeHeap$CommandLine__aulldiv
String ID: Invalid$a Display implementation returned an error unexpectedly
API String ID: 2559509083-4203860457
Opcode ID: ff9a20dbe039c71a15df9e9cdc1cb1a14943a6979f92e1f62d36dc7007b24830
Instruction ID: 0a9a55766facab156ea63cf069e3ac9efcd9a4f2c5b4f3e91221bb1458ebb9d2
Opcode Fuzzy Hash: ff9a20dbe039c71a15df9e9cdc1cb1a14943a6979f92e1f62d36dc7007b24830
Instruction Fuzzy Hash: 3BB20775A00B018FD725CF29C584B66F7E2BF98304F14892DD99B87A91EB70B899CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0040A130 Relevance: 26.5, APIs: 8, Strings: 7, Instructions: 223comCOMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(?,00000000,00446FF0,?), ref: 0040A15F
CoCreateInstance.OLE32(00437030,00000000,00000001,00437040,?), ref: 0040A183
CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000006,00000003,00000000,00000020), ref: 0040A1BF

Strings

SerialNumber, xrefs: 0040A26B
WQL, xrefs: 0040A213
SELECT SerialNumber FROM Win32_PhysicalMedia WHERE TAG='\\\\.\\PHYSICALDRIVE2', xrefs: 0040A1F6
SELECT SerialNumber FROM Win32_PhysicalMedia WHERE TAG='\\\\.\\PHYSICALDRIVE1', xrefs: 0040A1E3
SELECT SerialNumber FROM Win32_PhysicalMedia WHERE TAG='\\\\.\\PHYSICALDRIVE3', xrefs: 0040A209
SELECT SerialNumber FROM Win32_PhysicalMedia WHERE TAG='\\\\.\\PHYSICALDRIVE0', xrefs: 0040A1D0
ROOT\CIMV2, xrefs: 0040A1A0

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: BlanketCreateInstanceProxyVersion
String ID: ROOT\CIMV2$SELECT SerialNumber FROM Win32_PhysicalMedia WHERE TAG='\\\\.\\PHYSICALDRIVE0'$SELECT SerialNumber FROM Win32_PhysicalMedia WHERE TAG='\\\\.\\PHYSICALDRIVE1'$SELECT SerialNumber FROM Win32_PhysicalMedia WHERE TAG='\\\\.\\PHYSICALDRIVE2'$SELECT SerialNumber FROM Win32_PhysicalMedia WHERE TAG='\\\\.\\PHYSICALDRIVE3'$SerialNumber$WQL
API String ID: 4052488553-668480656
Opcode ID: 2f43b8abd95bdce89a6337ee62f48717bf7de744291fe96b5a40e21d1573a07e
Instruction ID: f8abb40f569aaa07a23fa9f41c399833c975962cf1a17763c5e18912e3785d52
Opcode Fuzzy Hash: 2f43b8abd95bdce89a6337ee62f48717bf7de744291fe96b5a40e21d1573a07e
Instruction Fuzzy Hash: 00718C71640318ABCB20DF95CC48EEE3BB9FF49B54F20056AF919D7290C3799845CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00402D69 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 77libraryCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00402D6E
LoadLibraryA.KERNEL32(iphlpapi.dll,00000000,?,?,00403AB3,00000000,00000000,00000000,00000032), ref: 00402D7B
FreeLibrary.KERNEL32(00000000,?,?,00403AB3,00000000,00000000,00000000,00000032), ref: 00402D90
GetAdaptersInfo.IPHLPAPI(?), ref: 00402DB3
_strcat.LIBCMT ref: 00402E11

Strings

(1D, xrefs: 00402DB8
%02X-%02X-%02X-%02X-%02X-%02X, xrefs: 00402E00
iphlpapi.dll, xrefs: 00402D76

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: Library$AdaptersFreeH_prologInfoLoad_strcat
String ID: %02X-%02X-%02X-%02X-%02X-%02X$(1D$iphlpapi.dll
API String ID: 75280304-1156694461
Opcode ID: 667fbff6e5fb93a3dbdba40f8899a0c99632f19625a976099da760c66a306bb6
Instruction ID: 0f46a71ea7f385b85266391789cee45fc69f055f165f50e350831578ad950e10
Opcode Fuzzy Hash: 667fbff6e5fb93a3dbdba40f8899a0c99632f19625a976099da760c66a306bb6
Instruction Fuzzy Hash: 092127B1910160AECB169BA4DD58DFE7BB8AF09704F1006BFF015F21E1C7BC89008769

Uniqueness

Uniqueness Score: -1.00%

Function 00427361 Relevance: 13.6, APIs: 9, Instructions: 88stringfileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00427366
GetFullPathNameA.KERNEL32(?,00000104,?,?,?), ref: 0042738F
lstrcpynA.KERNEL32(?,?,00000104), ref: 0042739E
PathIsUNCA.SHLWAPI(?,?,?), ref: 004273D1
GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,?,?,00000000,00000000), ref: 004273E9
CharUpperA.USER32(?), ref: 004273FA
FindFirstFileA.KERNEL32(?,?), ref: 00427410
FindClose.KERNEL32(00000000), ref: 0042741C
lstrcpyA.KERNEL32(?,?), ref: 0042742C

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: FindPath$CharCloseFileFirstFullH_prologInformationNameUpperVolumelstrcpylstrcpyn
String ID:
API String ID: 349063797-0
Opcode ID: d785ae596bc36cb49a6f511f2bb699120d703fbd36700d512b5beef6b0218590
Instruction ID: ccc9f5d38c50f98e637bc9214232b1860236d421002e11859fbdac53a034a38f
Opcode Fuzzy Hash: d785ae596bc36cb49a6f511f2bb699120d703fbd36700d512b5beef6b0218590
Instruction Fuzzy Hash: 48316171600128ABCB10EF61EC48AEFBF78FF49354F908576F909D6151D7349A45CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 02413224 Relevance: 12.7, APIs: 4, Strings: 4, Instructions: 704COMMON

Download Yara Rule

Strings

;rn, xrefs: 02413F92
cannot access a Thread Local Storage value during or after destruction/rustc/25ef9e3d85d934b27d9dada2f9dd52b1dc63bb04\library\std\src\thread\local.rs, xrefs: 02414515
top\Local Storage\, xrefs: 0241330E
nown, xrefs: 0241435E

Memory Dump Source

Source File: 00000000.00000002.2022153806.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23d0000_app.jbxd

Similarity

API ID:
String ID: cannot access a Thread Local Storage value during or after destruction/rustc/25ef9e3d85d934b27d9dada2f9dd52b1dc63bb04\library\std\src\thread\local.rs$nown$top\Local Storage\$;rn
API String ID: 0-1636215252
Opcode ID: 33bc8f142f39778312f7d2781f9cfb695cf9ba47c0874047972eeda084b89b08
Instruction ID: b023ae78e9005a80f82d8d4ea601df49c4069092c7b27036b109e5f60b3fa44e
Opcode Fuzzy Hash: 33bc8f142f39778312f7d2781f9cfb695cf9ba47c0874047972eeda084b89b08
Instruction Fuzzy Hash: 8A6239719083918FD725CF29C48079AFBE1BFC9304F158A6EE89D97351DB70A949CB82

Uniqueness

Uniqueness Score: -1.00%

Function 0243F340 Relevance: 12.7, APIs: 4, Strings: 3, Instructions: 418COMMON

Download Yara Rule

APIs

Part of subcall function 02430C80: TlsGetValue.KERNEL32(00000000,?,0243F3A0), ref: 02430C90

AcquireSRWLockShared.KERNEL32(02490AF4), ref: 0243F3FE
ReleaseSRWLockShared.KERNEL32(02490AF4), ref: 0243F5A2
ReleaseSRWLockExclusive.KERNEL32(?), ref: 0243F7F0

Part of subcall function 0242F580: HeapFree.KERNEL32(00000000,00000000,?,0243F991), ref: 0242F59C
Part of subcall function 0242F580: HeapFree.KERNEL32(00000000,?,?,0243F991), ref: 0242F5B6

Strings

Box<dyn Any><unnamed>, xrefs: 0243F760
cannot access a Thread Local Storage value during or after destruction/rustc/25ef9e3d85d934b27d9dada2f9dd52b1dc63bb04\library\std\src\thread\local.rs, xrefs: 0243F3A7, 0243F5CA, 0243F60A, 0243F739, 0243F831
Invalid, xrefs: 0243F3D4, 0243F6C6, 0243F895, 0243F935

Memory Dump Source

Source File: 00000000.00000002.2022153806.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23d0000_app.jbxd

Similarity

API ID: Lock$FreeHeapReleaseShared$AcquireExclusiveValue
String ID: Box<dyn Any><unnamed>$Invalid$cannot access a Thread Local Storage value during or after destruction/rustc/25ef9e3d85d934b27d9dada2f9dd52b1dc63bb04\library\std\src\thread\local.rs
API String ID: 1439667220-2178555723
Opcode ID: 6ac31aa2ffddbb12900b7977c0946cbced5bbba42b4298b5310a0c5bedec2b4d
Instruction ID: 10875853942f6a046567d8bc931f3e172acc69efc27282f3949f971c28a6ebca
Opcode Fuzzy Hash: 6ac31aa2ffddbb12900b7977c0946cbced5bbba42b4298b5310a0c5bedec2b4d
Instruction Fuzzy Hash: 760246B0904B408FE335CF25C444793BBE1AF59308F15895ED8AA87B82D7B5F449CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 023D6320 Relevance: 10.9, Strings: 8, Instructions: 875COMMON

Download Yara Rule

Strings

assertion failed: d.mant.checked_add(d.plus).is_some(), xrefs: 023D5623, 023D6E65
attempt to divide by zero, xrefs: 023D689D
assertion failed: d.mant.checked_sub(d.minus).is_some(), xrefs: 023D5637, 023D6E79
assertion failed: d.minus > 0, xrefs: 023D55FB, 023D6E3D
assertion failed: edelta >= 0library\core\src\num\diy_float.rs, xrefs: 023D6EA1
assertion failed: d.mant + d.plus < (1 << 61), xrefs: 023D6E8D
assertion failed: d.mant > 0, xrefs: 023D55E7, 023D6E29
assertion failed: d.plus > 0, xrefs: 023D560F, 023D6E51

Memory Dump Source

Source File: 00000000.00000002.2022153806.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23d0000_app.jbxd

Similarity

API ID:
String ID: assertion failed: d.mant + d.plus < (1 << 61)$assertion failed: d.mant > 0$assertion failed: d.mant.checked_add(d.plus).is_some()$assertion failed: d.mant.checked_sub(d.minus).is_some()$assertion failed: d.minus > 0$assertion failed: d.plus > 0$assertion failed: edelta >= 0library\core\src\num\diy_float.rs$attempt to divide by zero
API String ID: 0-4042176451
Opcode ID: e87d4c877d3f651e9598b5d7784ffa9fb4730d09d53b7ae9f39a8f00e78cf3f4
Instruction ID: b5a4e366997da0e604ae48f23b79bb34fd4b0250d8634cba531890b5426a6076
Opcode Fuzzy Hash: e87d4c877d3f651e9598b5d7784ffa9fb4730d09d53b7ae9f39a8f00e78cf3f4
Instruction Fuzzy Hash: 6C723772A083519FC708CF29D48061AFBE6BFC8754F158A2EF89997355D770EC498B82

Uniqueness

Uniqueness Score: -1.00%

Function 00409F46 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 95fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,00000000,00000003,00000000,00000003,00000000,00000000), ref: 00409F80
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00002710,?,00000000), ref: 00409FD6

Part of subcall function 00409E1B: _strlen.LIBCMT ref: 00409E23
Part of subcall function 00409E1B: _strcat.LIBCMT ref: 00409E36

_strcat.LIBCMT ref: 00409FFC
_strcat.LIBCMT ref: 0040A03C
CloseHandle.KERNEL32(00000000), ref: 0040A044

Strings

\\.\PhysicalDrive%d, xrefs: 00409F61

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: _strcat$CloseControlCreateDeviceFileHandle_strlen
String ID: \\.\PhysicalDrive%d
API String ID: 3463324093-2935326385
Opcode ID: 612e0084ea0f5b9f7467d435850855356c6e55c0f1ce1109650d98a2500b2ad0
Instruction ID: 827c4b2f77838a6cf85fa88315384c3a64bdadd1ed3bfbc8410d8de3e49c6994
Opcode Fuzzy Hash: 612e0084ea0f5b9f7467d435850855356c6e55c0f1ce1109650d98a2500b2ad0
Instruction Fuzzy Hash: 1F21ACB290421DAEE711EBA59C85EFF737CEB45318F0404BBF515E2081E67C9E844B69

Uniqueness

Uniqueness Score: -1.00%

Function 0040A44A Relevance: 10.6, APIs: 7, Instructions: 86fileCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000100), ref: 0040A465
SetPriorityClass.KERNEL32(00000000), ref: 0040A46C
CreateFileA.KERNEL32(00000000,00000000,00000000,00000000,04000000,00000000), ref: 0040A4A0
DeviceIoControl.KERNEL32(00000000,00000001,00000000,00000000,?,00000004,?,00000000), ref: 0040A4C5
CloseHandle.KERNEL32(00000000), ref: 0040A4CC
GetCurrentProcess.KERNEL32(00000020), ref: 0040A52C
SetPriorityClass.KERNEL32(00000000), ref: 0040A533

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: ClassCurrentPriorityProcess$CloseControlCreateDeviceFileHandle
String ID:
API String ID: 2852580560-0
Opcode ID: 65ca535f78cc64cf9aea046d4da315f8869e2603256f29e9bdf8a66fe15ff912
Instruction ID: 09672a527c137082c86a82ddad234cb0f4bb7b68b2f76d9faa745a067a63ae63
Opcode Fuzzy Hash: 65ca535f78cc64cf9aea046d4da315f8869e2603256f29e9bdf8a66fe15ff912
Instruction Fuzzy Hash: 932108B6A00218BFE7109BA49C88AEE776CEB45748F5040B5F501E31D0D7789D868B7A

Uniqueness

Uniqueness Score: -1.00%

Function 0244430E Relevance: 9.9, Strings: 7, Instructions: 1197COMMON

Download Yara Rule

Strings

assertion failed: next.is_notified()/registry\src\index.crates.io-1cd66030c949c28d\tokio-1.37.0\src\runtime\task\state.rs, xrefs: 02445208
attempt to divide by zero, xrefs: 0244521C
assertion failed: self.ref_count() > 0, xrefs: 02445230
attempt to calculate the remainder with a divisor of zero/rustc/25ef9e3d85d934b27d9dada2f9dd52b1dc63bb04\library\core\src\slice\sort.rs, xrefs: 024451D6, 024451EA
cannot access a Thread Local Storage value during or after destruction/rustc/25ef9e3d85d934b27d9dada2f9dd52b1dc63bb04\library\std\src\thread\local.rs, xrefs: 02445325
Invalid, xrefs: 0244528D
[internal exception] blocking task ran twice./registry\src\index.crates.io-1cd66030c949c28d\tokio-1.37.0\src\runtime\blocking\task.rs, xrefs: 024452C9

Memory Dump Source

Source File: 00000000.00000002.2022153806.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23d0000_app.jbxd

Similarity

API ID: Value$FreeHeap
String ID: Invalid$[internal exception] blocking task ran twice./registry\src\index.crates.io-1cd66030c949c28d\tokio-1.37.0\src\runtime\blocking\task.rs$assertion failed: next.is_notified()/registry\src\index.crates.io-1cd66030c949c28d\tokio-1.37.0\src\runtime\task\state.rs$assertion failed: self.ref_count() > 0$attempt to calculate the remainder with a divisor of zero/rustc/25ef9e3d85d934b27d9dada2f9dd52b1dc63bb04\library\core\src\slice\sort.rs$attempt to divide by zero$cannot access a Thread Local Storage value during or after destruction/rustc/25ef9e3d85d934b27d9dada2f9dd52b1dc63bb04\library\std\src\thread\local.rs
API String ID: 911738859-2440271640
Opcode ID: bbefeed5805db6c15f69ca858a2f74a5f2bd3a854cf4dbecf92e8e8b831cd7dc
Instruction ID: de3af5efd02f2ee42c940a6465341a6269c60fa41c69aa711f5adc3889252f70
Opcode Fuzzy Hash: bbefeed5805db6c15f69ca858a2f74a5f2bd3a854cf4dbecf92e8e8b831cd7dc
Instruction Fuzzy Hash: 33B28F756043418FEB14DF25C480B6AB7E2BF88314F198A6EE8899B355DF70E846CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02413001 Relevance: 9.3, APIs: 4, Strings: 2, Instructions: 264memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(00000000,?), ref: 02413E4D
HeapFree.KERNEL32(00000000,?), ref: 02414331
HeapFree.KERNEL32(00000000,?), ref: 024143AC

Strings

nown, xrefs: 0241435E
nown, xrefs: 024130D3

Memory Dump Source

Source File: 00000000.00000002.2022153806.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23d0000_app.jbxd

Similarity

API ID: FreeHeap
String ID: nown$nown
API String ID: 3298025750-102062727
Opcode ID: c90a9edce3fd5bdf1a7f07d0abe19cc4a82e3c43e0bb43f84a541038db6317fb
Instruction ID: 744fb92eb2b424b76c307c2fd67a7fa9c41769389889dd1baca75b01bbe0be7d
Opcode Fuzzy Hash: c90a9edce3fd5bdf1a7f07d0abe19cc4a82e3c43e0bb43f84a541038db6317fb
Instruction Fuzzy Hash: 34C15A71908781CFD725CF28C444B6AFBE1BFC8304F148A5EE99957390D774A985CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00401660 Relevance: 9.1, APIs: 6, Instructions: 67windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 0040166A

Part of subcall function 004289E6: __EH_prolog.LIBCMT ref: 004289EB
Part of subcall function 004289E6: BeginPaint.USER32(?,?,?,?,0042292D), ref: 00428A19

SendMessageA.USER32(?,00000027,?,00000000), ref: 00401691
GetSystemMetrics.USER32(0000000B), ref: 0040169F
GetSystemMetrics.USER32(0000000C), ref: 004016A5
GetClientRect.USER32(?,?), ref: 004016B2
DrawIcon.USER32(?,?,?,?), ref: 004016EA

Part of subcall function 00428A41: __EH_prolog.LIBCMT ref: 00428A46
Part of subcall function 00428A41: EndPaint.USER32(?,?,?,?,00422953,?), ref: 00428A63

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: H_prologMetricsPaintSystem$BeginClientDrawIconIconicMessageRectSend
String ID:
API String ID: 1530917984-0
Opcode ID: 9409bb8eba40420717aaa7fd0813d9b11a5f1be16e6c6ee5dd2cc23651046658
Instruction ID: afd92d8a271adbd764b9b009a381ddf531eb1141bad508cde5b1c4dc8f1a29e6
Opcode Fuzzy Hash: 9409bb8eba40420717aaa7fd0813d9b11a5f1be16e6c6ee5dd2cc23651046658
Instruction Fuzzy Hash: 081160B53043019FC224EF78DD89E5B77A9ABD8214F844A3DF586C3290DA74E80ACA55

Uniqueness

Uniqueness Score: -1.00%

Function 00429E88 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 35librarystringCOMMON

Download Yara Rule

APIs

lstrcpyA.KERNEL32(00000800,LOC), ref: 00429EAE
wsprintfA.USER32 ref: 00429EC2
LoadLibraryA.KERNEL32(?), ref: 00429ED2
GetLocaleInfoA.KERNEL32(00000800,00000003,00000800,00000004), ref: 00429EED

Strings

LOC, xrefs: 00429EA8

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: InfoLibraryLoadLocalelstrcpywsprintf
String ID: LOC
API String ID: 2301429115-519433814
Opcode ID: 55c4f7f6bd3d83fe0638668a92045e554d39542dee11adfa9b5a70be7e0f19cc
Instruction ID: ba9a9e911526f724f6bd684c18380571f0978ced8412fde1539fc42cd5b17a32
Opcode Fuzzy Hash: 55c4f7f6bd3d83fe0638668a92045e554d39542dee11adfa9b5a70be7e0f19cc
Instruction Fuzzy Hash: 4001FB7060020DEBCF10DF60ED4AEDA77B9AB04318F808071B915D6190DB749A4A9B94

Uniqueness

Uniqueness Score: -1.00%

Function 023EB090 Relevance: 7.9, APIs: 2, Strings: 3, Instructions: 429memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(00000000,?), ref: 023EB173
HeapFree.KERNEL32(00000000,?), ref: 023EB50E

Strings

://, xrefs: 023EB0E1, 023EB199
ptth, xrefs: 023EB370
qtth, xrefs: 023EB53D

Memory Dump Source

Source File: 00000000.00000002.2022153806.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23d0000_app.jbxd

Similarity

API ID: FreeHeap
String ID: ://$ptth$qtth
API String ID: 3298025750-2468130592
Opcode ID: 8267f6e86bbc15c4bfa6233240ae9a70bfd0d4dbf5b2b84b0bb8d00557c9620e
Instruction ID: 40283e7963c645cb552dd0e8f0805a63668c61a264403f8fe47ae3f8a8f6ad78
Opcode Fuzzy Hash: 8267f6e86bbc15c4bfa6233240ae9a70bfd0d4dbf5b2b84b0bb8d00557c9620e
Instruction Fuzzy Hash: C8F17071A083219BDB168F15C48062AFBE2BFC4718F158A2EE49A973D1D770DD49CF82

Uniqueness

Uniqueness Score: -1.00%

Function 0041E91D Relevance: 7.6, APIs: 5, Instructions: 86memoryCOMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 0041E937
GetSystemInfo.KERNEL32(?,?,?,0000001C), ref: 0041E948
VirtualQuery.KERNEL32(?,?,0000001C,?,?,0000001C), ref: 0041E98E
VirtualAlloc.KERNEL32(?,?,00001000,00000004,?,?,0000001C), ref: 0041E9BD
VirtualProtect.KERNEL32(?,?,00000002,?,?,?,0000001C), ref: 0041E9E0

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: Virtual$Query$AllocInfoProtectSystem
String ID:
API String ID: 4136887677-0
Opcode ID: ff6dd850e0057acba23b8827cf18eb4f3ead2c0418c749c99c268d3db089d540
Instruction ID: 32a2ad3af116692e63516f6cd1c830bccfaa7a2d380c1cd808f7f1f6e83c7fb5
Opcode Fuzzy Hash: ff6dd850e0057acba23b8827cf18eb4f3ead2c0418c749c99c268d3db089d540
Instruction Fuzzy Hash: 0A21E7B6B10209EBDB20CBB5DC45FFE77B8EB08345F540076EA02E3281D6789D858798

Uniqueness

Uniqueness Score: -1.00%

Function 0041C882 Relevance: 7.5, APIs: 5, Instructions: 27timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 0041C88D
GetCurrentProcessId.KERNEL32 ref: 0041C899
GetCurrentThreadId.KERNEL32 ref: 0041C8A1
GetTickCount.KERNEL32 ref: 0041C8A9
QueryPerformanceCounter.KERNEL32(?), ref: 0041C8B5

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: b41a0e1cd665821b5796c0b158887a0f5ecc602c8a934c1cc93d59222d264265
Instruction ID: 5f89f51c378ddf9a993613850ddd4fdb9b59cca54c9a044c803801dbacbd09c9
Opcode Fuzzy Hash: b41a0e1cd665821b5796c0b158887a0f5ecc602c8a934c1cc93d59222d264265
Instruction Fuzzy Hash: 3DF07A76D00128DBCB20ABF4EC4859EB7B8FF49255BC24571E801E7160DB74A9558B98

Uniqueness

Uniqueness Score: -1.00%

Function 023DA1B0 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 418COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 023DA654
__aulldiv.LIBCMT ref: 023DA69F

Strings

attempt to divide by zero, xrefs: 023DA7D0
0000, xrefs: 023DA5C4, 023DA4A0

Memory Dump Source

Source File: 00000000.00000002.2022153806.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23d0000_app.jbxd

Similarity

API ID: __aulldiv
String ID: 0000$attempt to divide by zero
API String ID: 3732870572-2494717124
Opcode ID: c6011a84d6468aee211b4a55f20b6516d6e7e53f07f2e9708d10119dc2cd1599
Instruction ID: 5a57b58546cff82b465992b731ea012ddf6a8b49c7144277c76065219d1a503c
Opcode Fuzzy Hash: c6011a84d6468aee211b4a55f20b6516d6e7e53f07f2e9708d10119dc2cd1599
Instruction Fuzzy Hash: 0CF148B66083419FC708CF19D5A066ABBE2EFC8354F54C92EF48A8B351D730D945CB86

Uniqueness

Uniqueness Score: -1.00%

Function 024153DD Relevance: 6.6, APIs: 2, Strings: 2, Instructions: 605memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(00000000,?), ref: 0241585A
HeapFree.KERNEL32(00000000,?), ref: 0241588B

Strings

assertion failed: secondary_table_len <= 0x7ff, xrefs: 02415C5C
Invalid, xrefs: 02415C48

Memory Dump Source

Source File: 00000000.00000002.2022153806.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23d0000_app.jbxd

Similarity

API ID: FreeHeap
String ID: Invalid$assertion failed: secondary_table_len <= 0x7ff
API String ID: 3298025750-1198909562
Opcode ID: 75f59ae54d2037e8a6b3d3eba405fc6317c5f43a31f1045ce872d26a927590e9
Instruction ID: 0ca2cad5a73b5cf834691fbe4d4dced99e6a94080db2bcbc8014fd441dd44787
Opcode Fuzzy Hash: 75f59ae54d2037e8a6b3d3eba405fc6317c5f43a31f1045ce872d26a927590e9
Instruction Fuzzy Hash: F9321771A147914BE3249F28C8807FAB3E2FFC8300F558A2EE9D597382D7749895CB85

Uniqueness

Uniqueness Score: -1.00%

Function 02421180 Relevance: 6.5, Strings: 5, Instructions: 252COMMON

Download Yara Rule

Strings

_, xrefs: 02421315
E, xrefs: 024212B8
G, xrefs: 024211A9
_, xrefs: 024211BE
{invalid syntax}{recursion limit reached}?'for<> , ::{closureshim# as mut const ; dyn + unsafe extern ", xrefs: 024213A1

Memory Dump Source

Source File: 00000000.00000002.2022153806.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23d0000_app.jbxd

Similarity

API ID:
String ID: E$G$_$_${invalid syntax}{recursion limit reached}?'for<> , ::{closureshim# as mut const ; dyn + unsafe extern "
API String ID: 0-1976165044
Opcode ID: 7232590c3976261a92876bad61e185d334d6cc698e87c5efc8f6c0070ec1271d
Instruction ID: 5dc2b09c99a66704d34d830d6102dfc033c306f83a1ed39deb520c60f91e5c0b
Opcode Fuzzy Hash: 7232590c3976261a92876bad61e185d334d6cc698e87c5efc8f6c0070ec1271d
Instruction Fuzzy Hash: AF8114707003204BEB288E67D59072773D3AF81308F95893FD99E8BB93D761984E8A52

Uniqueness

Uniqueness Score: -1.00%

Function 023F11A0 Relevance: 6.5, APIs: 2, Strings: 2, Instructions: 475memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 023E2678: HeapFree.KERNEL32(00000000,?,023F12D5), ref: 023E269A

HeapFree.KERNEL32(00000000,?), ref: 023F1587
HeapFree.KERNEL32(00000000,?,?,?,?,?,0242C142), ref: 023F1775

Strings

assertion failed: prev/registry\src\index.crates.io-1cd66030c949c28d\futures-util-0.3.30\src\stream\futures_unordered\mod.rs, xrefs: 023F16D1
`async fn` resumed after completion, xrefs: 023F16EA, 023F16FE

Memory Dump Source

Source File: 00000000.00000002.2022153806.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23d0000_app.jbxd

Similarity

API ID: FreeHeap
String ID: `async fn` resumed after completion$assertion failed: prev/registry\src\index.crates.io-1cd66030c949c28d\futures-util-0.3.30\src\stream\futures_unordered\mod.rs
API String ID: 3298025750-1060740151
Opcode ID: 0b74f811f31d105b543c700671e64416e2f206bac8868ee609bbc5b39bac2838
Instruction ID: 7e27c85fb898f0fd58c08fac53e255325aceb381ac2fdb6441d552bb2d2676e6
Opcode Fuzzy Hash: 0b74f811f31d105b543c700671e64416e2f206bac8868ee609bbc5b39bac2838
Instruction Fuzzy Hash: 1B129B30604345CFC754CF19E490A6AB7E2BF88318F19856DEA9E9B752DB31E885CF81

Uniqueness

Uniqueness Score: -1.00%

Function 00424B38 Relevance: 6.0, APIs: 4, Instructions: 41keyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0042663C: GetWindowLongA.USER32(?,000000F0), ref: 00426648

GetKeyState.USER32(00000010), ref: 00424B5C
GetKeyState.USER32(00000011), ref: 00424B65
GetKeyState.USER32(00000012), ref: 00424B6E
SendMessageA.USER32(?,00000111,0000E146,00000000), ref: 00424B84

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: State$LongMessageSendWindow
String ID:
API String ID: 1063413437-0
Opcode ID: 6dc76eaeebcb73aca116473ecfa999c7a0d89d7e04904cc6fc94326bd96b1de0
Instruction ID: f4eab9a2a9dbeb830affcc38af44a6143a2cea5949d8d34eabc04b707fed75f8
Opcode Fuzzy Hash: 6dc76eaeebcb73aca116473ecfa999c7a0d89d7e04904cc6fc94326bd96b1de0
Instruction Fuzzy Hash: D2F0E93634036A55D52032B96C05FB65528CFC0BB4FC1063AB703EA1D6C998D807057C

Uniqueness

Uniqueness Score: -1.00%

Function 00423119 Relevance: 6.0, APIs: 4, Instructions: 32COMMON

Download Yara Rule

APIs

EnableWindow.USER32(00000000,00000001), ref: 0042312C
GetActiveWindow.USER32 ref: 00423137
SetActiveWindow.USER32(00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 00423145
FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 00423161

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: Window$Active$EnableFreeResource
String ID:
API String ID: 3751187028-0
Opcode ID: cf1dc8f164079878ce4882cf31a04c95128d9af479deed743c0b8a2d04076335
Instruction ID: ca44568af34e6e7f10c41bee158ea285ab5cab5ae77f8efcc955b62aa56a5184
Opcode Fuzzy Hash: cf1dc8f164079878ce4882cf31a04c95128d9af479deed743c0b8a2d04076335
Instruction Fuzzy Hash: C2F0AF35B00655CFCF20EFA4E9455AEBBB1FF08712F90457AE142B22A0C7795E06CE08

Uniqueness

Uniqueness Score: -1.00%

Function 0241B13B Relevance: 5.8, APIs: 2, Strings: 1, Instructions: 576COMMON

Download Yara Rule

APIs

Part of subcall function 0241BCBE: TlsGetValue.KERNEL32(00000000), ref: 0241BCD2
Part of subcall function 0241BCBE: TlsGetValue.KERNEL32(00000000), ref: 0241BCF4
Part of subcall function 0241BCBE: TlsSetValue.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,0245F933,00000000), ref: 0241BD35

__aulldiv.LIBCMT ref: 0241B533

Part of subcall function 02431BB0: QueryPerformanceCounter.KERNEL32(?), ref: 02431BF7
Part of subcall function 02431BB0: QueryPerformanceFrequency.KERNEL32(00000000), ref: 02431C38
Part of subcall function 02431BB0: __aulldiv.LIBCMT ref: 02431C71
Part of subcall function 02431BB0: __aulldiv.LIBCMT ref: 02431CAC
Part of subcall function 02431BB0: __aulldiv.LIBCMT ref: 02431CD7

__aulldiv.LIBCMT ref: 0241B6ED

Strings

attempted to use a condition variable with more than one mutex/registry\src\index.crates.io-1cd66030c949c28d\parking_lot-0.12.1\src\condvar.rs, xrefs: 0241B81B

Memory Dump Source

Source File: 00000000.00000002.2022153806.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23d0000_app.jbxd

Similarity

API ID: __aulldiv$Value$PerformanceQuery$CounterFrequency
String ID: attempted to use a condition variable with more than one mutex/registry\src\index.crates.io-1cd66030c949c28d\parking_lot-0.12.1\src\condvar.rs
API String ID: 3520724558-1284212713
Opcode ID: 684becbb55f92e8c21b8012aebdbd666437fee1aad98cd7118e19d827a89b9ad
Instruction ID: ca73b0b834e102a648a829ac626ceb2be8d7e996116fb562095821977cacc777
Opcode Fuzzy Hash: 684becbb55f92e8c21b8012aebdbd666437fee1aad98cd7118e19d827a89b9ad
Instruction Fuzzy Hash: 9F127E717087119FD719DF29C89062BB7E2EF88358F15892EE89ACB350DB34D845CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0040CFF1 Relevance: 4.5, APIs: 3, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 150943dc08c0167bc979cefcd71375d35153985db1d35b0f95c289b28cd95639
Instruction ID: 9fb67a88a75419fde22a6fe78b171526936af48b614b9b5a9a44be6ca3831610
Opcode Fuzzy Hash: 150943dc08c0167bc979cefcd71375d35153985db1d35b0f95c289b28cd95639
Instruction Fuzzy Hash: C6F03631900149ABDF116FA1CD4496F3B79AF05348F848036FD19A50A0D739D61FDB59

Uniqueness

Uniqueness Score: -1.00%

Function 00412AC0 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 511COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00412AC5

Strings

4, xrefs: 00412F52

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: H_prolog
String ID: 4
API String ID: 3519838083-4088798008
Opcode ID: 105ff6f28f0176ece59784b586960affd2c75ef0e9dd6e2caeb7df49e7281d12
Instruction ID: ce7be91b107c05d89f27200de5f74fd8ff5e1e004aeb1bf758a9aa92edd98eb5
Opcode Fuzzy Hash: 105ff6f28f0176ece59784b586960affd2c75ef0e9dd6e2caeb7df49e7281d12
Instruction Fuzzy Hash: EC129D71D00209AFCF15DF94D940AEEBBB1FF48314F24819AE815AB291C7B9DE52CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0244632B Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32(?,00000001,00000000,?,?,02448053,00000000,024817FC,?,?,?,?,?,?,?,?), ref: 02446335

Strings

RNG seed generator is internally corrupt/registry\src\index.crates.io-1cd66030c949c28d\tokio-1.37.0\src\util\rand\rt.rs, xrefs: 024463B3

Memory Dump Source

Source File: 00000000.00000002.2022153806.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23d0000_app.jbxd

Similarity

API ID: AcquireExclusiveLock
String ID: RNG seed generator is internally corrupt/registry\src\index.crates.io-1cd66030c949c28d\tokio-1.37.0\src\util\rand\rt.rs
API String ID: 4021432409-4259227343
Opcode ID: 3ddc65d2a136a6c16d4c987e87135050b3921647e686c703fdc9d1cc4422483e
Instruction ID: 2b391a555a7613d8e7ce7c133b8feeaa17b594fed23ce0ab5a46531e50d5d6cf
Opcode Fuzzy Hash: 3ddc65d2a136a6c16d4c987e87135050b3921647e686c703fdc9d1cc4422483e
Instruction Fuzzy Hash: B11144723047011BA31CAEABAC4542BB7CBDBC5224324C63FDD6A83780CAB0A807D780

Uniqueness

Uniqueness Score: -1.00%

Function 0245D3D0 Relevance: 3.1, APIs: 2, Instructions: 562memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(00000000,?), ref: 0245D82B

Memory Dump Source

Source File: 00000000.00000002.2022153806.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23d0000_app.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: a6ccff16918f8c6716c150f85a32bf7b13ed69c882f81b0f72e29ab484b85e15
Instruction ID: 682fa500f4d5d29c468e94ed3798d4561d9504c1d1036a8a153365bdb0eb0c88
Opcode Fuzzy Hash: a6ccff16918f8c6716c150f85a32bf7b13ed69c882f81b0f72e29ab484b85e15
Instruction Fuzzy Hash: 7D22C171E087558BD719CF2CC48056ABBE2BFC8604F148A2EEDD997352EB30D955CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 3.0, APIs: 2, Instructions: 33threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32 ref: 00401006
GetLocaleInfoA.KERNEL32(00000000,00001004,00000007,00000007), ref: 00401019

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: Locale$InfoThread
String ID:
API String ID: 4232894706-0
Opcode ID: 1bfd077805e0b76a4cd0a89f1b1b1ebcb8d6ab1a177264c64a3ab03ef4350e1d
Instruction ID: dbec01051d8a6e41623a92cbe54c504c300f99dd774cbdae9b06207f921894f7
Opcode Fuzzy Hash: 1bfd077805e0b76a4cd0a89f1b1b1ebcb8d6ab1a177264c64a3ab03ef4350e1d
Instruction Fuzzy Hash: 29F0E93660536097CA218F14DC407E737246F01B81F8001BDEDC5A72A1E639584F86B9

Uniqueness

Uniqueness Score: -1.00%

Function 00404E54 Relevance: 2.9, Strings: 1, Instructions: 1648COMMON

Download Yara Rule

Strings

0, xrefs: 00404E8C

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 6e12085c91d98f2496f3240a5fa84f917683bfd7915eecf5a36aaaec95f5d5b0
Instruction ID: 8f72e5d40509f8cecb0b844fc2ba54b400947ee985e677df0f2cd9a9c27687f1
Opcode Fuzzy Hash: 6e12085c91d98f2496f3240a5fa84f917683bfd7915eecf5a36aaaec95f5d5b0
Instruction Fuzzy Hash: CBF27471E102099FCF08DFA5C992AEEB7F2FF88308F18446AD516B7241D738AA51DB54

Uniqueness

Uniqueness Score: -1.00%

Function 023D2670 Relevance: 2.8, Strings: 2, Instructions: 277COMMON

Download Yara Rule

Strings

00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899, xrefs: 023D297D, 023D2995, 023D29C7
Invalid, xrefs: 023D2A18

Memory Dump Source

Source File: 00000000.00000002.2022153806.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23d0000_app.jbxd

Similarity

API ID:
String ID: 00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899$Invalid
API String ID: 0-3863875730
Opcode ID: 56670e679307213e04122865cf4034e7c8c57aa18e6afa6e83007b05dc17e54b
Instruction ID: 6a989a6a35451dadbbc208ad24454aae4df89c043742a85c164d9c909bbaa057
Opcode Fuzzy Hash: 56670e679307213e04122865cf4034e7c8c57aa18e6afa6e83007b05dc17e54b
Instruction Fuzzy Hash: 65A13432B083158BD318DE2DD89076ABBD6EFC4704F19863EE89A8B3D2D6759C05C781

Uniqueness

Uniqueness Score: -1.00%

Function 00425B56 Relevance: 1.9, APIs: 1, Instructions: 441COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00425B5B

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: b497888ff59478dcbc58287f06f310b8c6890e4d9cc07b4980c569479dfc9433
Instruction ID: 647ce0f78b06017cf660a0f23f26868c8a6fa8cab28443e38f1770b9ff9b5a24
Opcode Fuzzy Hash: b497888ff59478dcbc58287f06f310b8c6890e4d9cc07b4980c569479dfc9433
Instruction Fuzzy Hash: CCE1AC70700625EBDB14DF15E880ABE77A9EF48304F91801BF816DB252DB3DDA01EB69

Uniqueness

Uniqueness Score: -1.00%

Function 0245E16F Relevance: 1.6, APIs: 1, Instructions: 374memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(00000000,?), ref: 0245E5EC

Memory Dump Source

Source File: 00000000.00000002.2022153806.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23d0000_app.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: ce5e309db71ef053397ebe4df87875b77818261036f3badc26554eca35d956a4
Instruction ID: f212fe14201b90d9e54e299d4543fbda0a74cd49181aedaddd55e2468fe27322
Opcode Fuzzy Hash: ce5e309db71ef053397ebe4df87875b77818261036f3badc26554eca35d956a4
Instruction Fuzzy Hash: 1DD1F571A083558FDB19CF6CC48066ABBE2BFC5300F088A6EE8D597346EB70DA45CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0245E605 Relevance: 1.6, APIs: 1, Instructions: 371memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(00000000,?), ref: 0245EA73

Memory Dump Source

Source File: 00000000.00000002.2022153806.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23d0000_app.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: f0e13a8e6d06e963cba7d407a95c66ebdbb7b7db6260441c3fcc01449043e019
Instruction ID: 7164cd77a68c6fc490dd4119b2df39dc6ba5fb21f2e285f6dc63159fa65769ad
Opcode Fuzzy Hash: f0e13a8e6d06e963cba7d407a95c66ebdbb7b7db6260441c3fcc01449043e019
Instruction Fuzzy Hash: 41E1D335A087518BDB19CF2CC48056AFBE2BFC9304F088A6EE9D597352EB31DA45CB41

Uniqueness

Uniqueness Score: -1.00%

Function 024613BD Relevance: 1.6, APIs: 1, Instructions: 357memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(00000000,023D2930), ref: 0246180A

Memory Dump Source

Source File: 00000000.00000002.2022153806.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23d0000_app.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 287bd6f94e841d7c69efb6774dd7e14c0aa3630083a6ee08dd130fd1b941d71d
Instruction ID: 12619adaf29060b72e003163387ffbf3bd5886b78f6adb5420ed3b18cb01f4ea
Opcode Fuzzy Hash: 287bd6f94e841d7c69efb6774dd7e14c0aa3630083a6ee08dd130fd1b941d71d
Instruction Fuzzy Hash: 49D1D071A087428FD715CF2CC49493AFBE1AFC9214F088A2EE99A97351EB70D845CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0041E705 Relevance: 1.5, APIs: 1, Instructions: 26COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(?,00001004,00000100,00000006,00000100,?,00000000), ref: 0041E728

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: aec6594c86302d122d4f71fb4d9b161a13d7bbfc32bbdc78518e23443962e317
Instruction ID: e85e805a3fba895054420c9dab990c78e1ee1b5e14cd5d478966e3f2ece6382d
Opcode Fuzzy Hash: aec6594c86302d122d4f71fb4d9b161a13d7bbfc32bbdc78518e23443962e317
Instruction Fuzzy Hash: 30F03035A04208EBDB00DB71D946BDE77B9AF04318F504176F921DA1D0DB74EA459708

Uniqueness

Uniqueness Score: -1.00%

Function 0041B198 Relevance: 1.5, APIs: 1, Instructions: 5COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0001B152), ref: 0041B19D

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 90184e0bf99737bad7b3f49374a4ba74c04221f632f12a436ad7bc65f60bf99e
Instruction ID: 44c96ef74a1c1fbbfd07129883de79b675f03fbc3a68b556817faf6bab53d9ec
Opcode Fuzzy Hash: 90184e0bf99737bad7b3f49374a4ba74c04221f632f12a436ad7bc65f60bf99e
Instruction Fuzzy Hash: 05A012753012008747108F709C091403665E2016453814435A000C1311DB3040145589

Uniqueness

Uniqueness Score: -1.00%

Function 0041B1AC Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 0041B1B1

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: abca96f171b0050d79f7799da41200dda6ac2e8c85e9cb135c27efb12445af08
Instruction ID: 1845281a5277d0a3e631376a96d3cbc5c82ed2965258bf50e72ab3e51ac72b24
Opcode Fuzzy Hash: abca96f171b0050d79f7799da41200dda6ac2e8c85e9cb135c27efb12445af08
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 02443239 Relevance: 1.5, Strings: 1, Instructions: 252COMMON

Download Yara Rule

Strings

Invalid, xrefs: 02443516

Memory Dump Source

Source File: 00000000.00000002.2022153806.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23d0000_app.jbxd

Similarity

API ID:
String ID: Invalid
API String ID: 0-874791708
Opcode ID: ceb51756aec0cca20838634a0d67935ffcaabf15fbeb3347255ce4742049cd83
Instruction ID: f813c1e847a9d2f0980aa041fa22ed1b7a2891f81c7e7656e56adf771b3bb71b
Opcode Fuzzy Hash: ceb51756aec0cca20838634a0d67935ffcaabf15fbeb3347255ce4742049cd83
Instruction Fuzzy Hash: D3915371B043018FD718DF29C49066ABBE6AFC8714F24C66EE45ADB791DB31E846CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00404358 Relevance: .8, Instructions: 806COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49ea5447d0855135be658535b3d383872752d319a27ff9739b2d70c6a8c7ad55
Instruction ID: 1f32112f5d1d97fa5f5208333258e9b5d7bed76fe60824153b00f1bbb4c0fe1f
Opcode Fuzzy Hash: 49ea5447d0855135be658535b3d383872752d319a27ff9739b2d70c6a8c7ad55
Instruction Fuzzy Hash: B9529F36B4060A9BEB0CCE9ACCD15DCB7A3ABC835471DC23CD915D7745DAB8A907CA90

Uniqueness

Uniqueness Score: -1.00%

Function 02453389 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2022153806.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23d0000_app.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06cbcc225892c12bac393f3f83809d1ad5add3db824f62974e8dc918c23c3c9f
Instruction ID: 69448e5d13c8e03b9e96a52f169eb6835273e0e5700fcbca8617d292f8a4578e
Opcode Fuzzy Hash: 06cbcc225892c12bac393f3f83809d1ad5add3db824f62974e8dc918c23c3c9f
Instruction Fuzzy Hash: 4B324621D79F114DD7279934D82233AA688AFB72C4F15DB2BFC1AB5E96EB29C4C34100

Uniqueness

Uniqueness Score: -1.00%

Function 0040964F Relevance: .4, Instructions: 367COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b172e2b0bcc3e4b70a5f746494a3de25a59c6e33974ff90734639386dca649a6
Instruction ID: 38452df248bf53abee5655b8306aeabdc0ec6d6b7da8aebdf4c000082fc220b6
Opcode Fuzzy Hash: b172e2b0bcc3e4b70a5f746494a3de25a59c6e33974ff90734639386dca649a6
Instruction Fuzzy Hash: 3A916562F443143AF631A9B74D4FF6B6D9CCB86B94F01093EB648BA1C3E4F99D0481A5

Uniqueness

Uniqueness Score: -1.00%

Function 024342F5 Relevance: .4, Instructions: 364COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2022153806.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23d0000_app.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27dae6e5d347201161d1f48871aa2031abd2871c2aef02778c7b687a45e2e89a
Instruction ID: a1f7bea0ffaadcb8f3824f538276a98eba8f0a45ecf2b62f4da3ac04e49eb4c1
Opcode Fuzzy Hash: 27dae6e5d347201161d1f48871aa2031abd2871c2aef02778c7b687a45e2e89a
Instruction Fuzzy Hash: FDD1057160C3818FD7268F24D1A47EBBFE2AF9A214F49485FE5C547382D775898ACB02

Uniqueness

Uniqueness Score: -1.00%

Function 0242E030 Relevance: .2, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2022153806.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23d0000_app.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91f3f4f3f91e0a299479e9d33da5dc594ee6be22d33c7d9bf62cc4125c6458ae
Instruction ID: 5c7cc5257db7e28197463b5b007f55a3a2c3327ed1ee0db37ffcae841957f125
Opcode Fuzzy Hash: 91f3f4f3f91e0a299479e9d33da5dc594ee6be22d33c7d9bf62cc4125c6458ae
Instruction Fuzzy Hash: 11719F32F187614BD71A463E9C112B67A969FE6185F45D73BFC88BB781FB3498024244

Uniqueness

Uniqueness Score: -1.00%

Function 023DB1F0 Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2022153806.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23d0000_app.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e3bdc5cb01f0384dd9a402c98660f9e2c8c7a44b0abf8fad3ac0e47564171e4
Instruction ID: 03831d3d43ac36ebc31d8acea66d62db31a5562e3cc9f4767db367288cedcd15
Opcode Fuzzy Hash: 3e3bdc5cb01f0384dd9a402c98660f9e2c8c7a44b0abf8fad3ac0e47564171e4
Instruction Fuzzy Hash: A671C2337183158BD708CE2DCC9132EB6D6ABC8764F1A862DE8A9C73D1D674DD058B81

Uniqueness

Uniqueness Score: -1.00%

Function 023D3130 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2022153806.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23d0000_app.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb6238e08bbc7c977b868ba4e7edb95d29e3eb53f8d5529b3a271579b4cb53a7
Instruction ID: b68176595adfae18e444fe684b535e3b1c4f89ed67688f78b7c2f0ce10c608af
Opcode Fuzzy Hash: bb6238e08bbc7c977b868ba4e7edb95d29e3eb53f8d5529b3a271579b4cb53a7
Instruction Fuzzy Hash: 22812432B043559FD718CF58D4A036AB7D2ABC5314F1982ADD99A5B386DF309C09CB82

Uniqueness

Uniqueness Score: -1.00%

Function 024420E3 Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2022153806.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23d0000_app.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 998677bf26be223f5bce6a2b86f89a1f9df7ccf45b26c7b66d4fc4a99f3cffc7
Instruction ID: e6ca0ff7ee17061f193253442d8836db43d505256236eb5091f5a146ff36181a
Opcode Fuzzy Hash: 998677bf26be223f5bce6a2b86f89a1f9df7ccf45b26c7b66d4fc4a99f3cffc7
Instruction Fuzzy Hash: D9912C72A087019FD318CF6AC88035BF7E2AFC8710F1AC93EA599D7754DA74A8519B81

Uniqueness

Uniqueness Score: -1.00%

Function 0241628E Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2022153806.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23d0000_app.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: 598ce0ca1441d7efcde6be279de89b3a1d4a545b8d0407afb86f90a24f7ee830
Instruction ID: 896b64c4825de9011dd21e82a63407a31bd01a51de25a262a0e5f6b6fafbe15b
Opcode Fuzzy Hash: 598ce0ca1441d7efcde6be279de89b3a1d4a545b8d0407afb86f90a24f7ee830
Instruction Fuzzy Hash: 78412371F047811BE3089A79D852366B7D6FBD8308F04963EEAC9C6781FB74D8A18B51

Uniqueness

Uniqueness Score: -1.00%

Function 0244D3C0 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2022153806.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23d0000_app.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30bc2c7a4d68d0212d6293902854fcbefbd6b1e392bebafcbc4498d0f6901e01
Instruction ID: 16b1ffe6904467bb76c4f94a5d9be491e8c56437dfc3a7d5ed9a65479a5f3b46
Opcode Fuzzy Hash: 30bc2c7a4d68d0212d6293902854fcbefbd6b1e392bebafcbc4498d0f6901e01
Instruction Fuzzy Hash: B9415A76A187159FD708DE29C89025FFBE2AFC8350F15CA2DE999D7351DA30D805CB82

Uniqueness

Uniqueness Score: -1.00%

Function 00407DBE Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa6128884ea52e64c76ff3e3364ef09faa5366da33f3e04718ef87ad060ba4cb
Instruction ID: bea78ab49d568d8cc68ab5b9c56c3e372d34a610e398940364b997e8bf37097f
Opcode Fuzzy Hash: fa6128884ea52e64c76ff3e3364ef09faa5366da33f3e04718ef87ad060ba4cb
Instruction Fuzzy Hash: E331B873F5A3859EC305CA6884401D97F619B7A208B6CC6EED4445F383C2B79A07C766

Uniqueness

Uniqueness Score: -1.00%

Function 00407703 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8f59f7a406eb4b85d93dfd7fae9637fb6621cf33be82f32cec578064e2cccf9
Instruction ID: 5f762f80975287f2da4cc5c3f4db9215d90f79417d5e070c4ca66a264b4d2add
Opcode Fuzzy Hash: f8f59f7a406eb4b85d93dfd7fae9637fb6621cf33be82f32cec578064e2cccf9
Instruction Fuzzy Hash: 14313C35624B545FD750EE7688C0D3B77E9BB88B243400C2EE943D3691DABAF8014A65

Uniqueness

Uniqueness Score: -1.00%

Function 004077F6 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae75250db23d3f65a106ccb7db6d0b7db7673aad107e272ec9e65786d8c8dc3a
Instruction ID: a28aa33132646e52dc6174b08334311de5fd8f37993466fb3b074f5a633b62d4
Opcode Fuzzy Hash: ae75250db23d3f65a106ccb7db6d0b7db7673aad107e272ec9e65786d8c8dc3a
Instruction Fuzzy Hash: 74313C35624B545FD750EE7688C0D3B77E9BB88B243400C2EE943D3691DABAF8014A55

Uniqueness

Uniqueness Score: -1.00%

Function 00409127 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80dc16c4b31a12e895f4eb3d02c2bf18cd06df24083ebb6c5dcc11986d386e4b
Instruction ID: 9fae89fed201fb87603fd6b142b5de75446cc31e3fa449c8e06de045bb1d32cf
Opcode Fuzzy Hash: 80dc16c4b31a12e895f4eb3d02c2bf18cd06df24083ebb6c5dcc11986d386e4b
Instruction Fuzzy Hash: D4214AB1D04609AEEB24CF5AD8405AEFBF4FF84360F20462FE455B7291D7395A02CB68

Uniqueness

Uniqueness Score: -1.00%

Function 00409A38 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 471361ffd1135b2c1fce0387e3c50f122f3eba086dcd4d0d050b43a0f3504bdb
Instruction ID: 2a7c390b1601eb7402f742876ed82ff69b70e3e7b876b19d7b158a76fac5e0c4
Opcode Fuzzy Hash: 471361ffd1135b2c1fce0387e3c50f122f3eba086dcd4d0d050b43a0f3504bdb
Instruction Fuzzy Hash: 09212D72B146489FC740CF69C48079ABBF1AF8A358B6985AAC454AF383D276D907CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0040941D Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 329905633bc8b0a94ac0c240274939d2d8898a23d6a58f63f4b797b9910009b9
Instruction ID: 47aef34c857a658a6300e4a75fbe3735692d0a3d265a10cf1240a7a73e3e61bd
Opcode Fuzzy Hash: 329905633bc8b0a94ac0c240274939d2d8898a23d6a58f63f4b797b9910009b9
Instruction Fuzzy Hash: 6B1151156092C82FDF094A6C84B62EE7FA18FA7250F48D1DDADD997383C06C860ED764

Uniqueness

Uniqueness Score: -1.00%

Function 004092DE Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 028772365812209ae3b034f4d7fb155149baea42fefa9e56ea01cf4f30ab10be
Instruction ID: 9134e66de6b4e5ea04456834c8a1a991d62c2b8f5af9fc7be7d8a5352cf769b0
Opcode Fuzzy Hash: 028772365812209ae3b034f4d7fb155149baea42fefa9e56ea01cf4f30ab10be
Instruction Fuzzy Hash: F41196162451886FDF0D496D84F73DE2FA1CBA7240F48919A989987783C02D811FE764

Uniqueness

Uniqueness Score: -1.00%

Function 00408FF2 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69f6bb77fbef33ec5531855511c1a3eb96a541a6779409ec123430190a6b4409
Instruction ID: 45a5f8739c1aa389b1f2b86d6161cac0944a6aa1e8b0d199d8837934870e1e0a
Opcode Fuzzy Hash: 69f6bb77fbef33ec5531855511c1a3eb96a541a6779409ec123430190a6b4409
Instruction Fuzzy Hash: 41F06272E102289BCF14DFA9CD416CDFBF1AF88724F25821AE514B3291CA7959049B68

Uniqueness

Uniqueness Score: -1.00%

Function 00403B02 Relevance: 49.4, APIs: 23, Strings: 5, Instructions: 357fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00403B07
GetModuleFileNameA.KERNEL32(00400000,?,00000104,?), ref: 00403B29

Part of subcall function 00401FE9: lstrlenA.KERNEL32(?,?,?,?,00402E72,?), ref: 00402008

Part of subcall function 00402FCE: __EH_prolog.LIBCMT ref: 00402FD3

CharLowerA.USER32(?,?,00000004,?), ref: 00403B60

Part of subcall function 004033FA: __EH_prolog.LIBCMT ref: 004033FF

_strcat.LIBCMT ref: 00403C80
CoInitialize.OLE32(00000000), ref: 00403C90
CoUninitialize.OLE32 ref: 00403CAD
_strcat.LIBCMT ref: 00403CBF
GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00403D01
CreateFileA.KERNEL32(C0000000,00000003,00000000,00000002,00000090,00000000), ref: 00403D3C
WriteFile.KERNEL32(00000000,0042FA48,00001270,?,00000000), ref: 00403D60
CloseHandle.KERNEL32(00000000), ref: 00403D6A
DeleteFileA.KERNEL32(00447800), ref: 00403DE2

Part of subcall function 0040251B: CharNextA.USER32(?,?,00000000,00000000,00402825,?,?,?,00000000,?), ref: 00402548

_strcat.LIBCMT ref: 00403F8B
DeleteFileA.KERNEL32(00446BF0), ref: 00403F98

Part of subcall function 00402C6D: __EH_prolog.LIBCMT ref: 00402C72
Part of subcall function 00402C6D: _strcat.LIBCMT ref: 00402C97
Part of subcall function 00402C6D: _strcat.LIBCMT ref: 00402CBA
Part of subcall function 00402C6D: MessageBoxA.USER32(00000000,?,00000000,00000030), ref: 00402D19

Part of subcall function 0040A0A4: _strcat.LIBCMT ref: 0040A0BD
Part of subcall function 0040A0A4: GetVersionExA.KERNEL32(?), ref: 0040A0E9

Strings

\\.\, xrefs: 00403D7F
%s%s%s, xrefs: 00403D18
.dll, xrefs: 00403B66
temp0921.vxd, xrefs: 00403D07
%s%s, xrefs: 00403D84

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: _strcat$File$H_prolog$CharDelete$CloseCreateDirectoryHandleInitializeLowerMessageModuleNameNextSystemUninitializeVersionWritelstrlen
String ID: %s%s$%s%s%s$.dll$\\.\$temp0921.vxd
API String ID: 1494161966-1906822863
Opcode ID: 0d65bbf1805183a64baca0f02ee02aa9a5489940a6456a861ec73bf611a059c0
Instruction ID: 408f333712ebdddcccb1fd84654ab834d5505da6427f59c8e72a8d2f52c591c3
Opcode Fuzzy Hash: 0d65bbf1805183a64baca0f02ee02aa9a5489940a6456a861ec73bf611a059c0
Instruction Fuzzy Hash: D5C1D331904209AADB15AFA1DC86EEE7B38EF11319F20407FF401B10E1DB799E45CA6D

Uniqueness

Uniqueness Score: -1.00%

Function 0042C019 Relevance: 42.0, APIs: 12, Strings: 12, Instructions: 44registryclipboardCOMMON

Download Yara Rule

APIs

RegisterClipboardFormatA.USER32(Native), ref: 0042C028
RegisterClipboardFormatA.USER32(OwnerLink), ref: 0042C031
RegisterClipboardFormatA.USER32(ObjectLink), ref: 0042C03B
RegisterClipboardFormatA.USER32(Embedded Object), ref: 0042C045
RegisterClipboardFormatA.USER32(Embed Source), ref: 0042C04F
RegisterClipboardFormatA.USER32(Link Source), ref: 0042C059
RegisterClipboardFormatA.USER32(Object Descriptor), ref: 0042C063
RegisterClipboardFormatA.USER32(Link Source Descriptor), ref: 0042C06D
RegisterClipboardFormatA.USER32(FileName), ref: 0042C077
RegisterClipboardFormatA.USER32(FileNameW), ref: 0042C081
RegisterClipboardFormatA.USER32(Rich Text Format), ref: 0042C08B
RegisterClipboardFormatA.USER32(RichEdit Text and Objects), ref: 0042C095

Strings

Embed Source, xrefs: 0042C047
FileName, xrefs: 0042C06F
Native, xrefs: 0042C021
ObjectLink, xrefs: 0042C033
RichEdit Text and Objects, xrefs: 0042C08D
Object Descriptor, xrefs: 0042C05B
Embedded Object, xrefs: 0042C03D
OwnerLink, xrefs: 0042C02A
Link Source, xrefs: 0042C051
Rich Text Format, xrefs: 0042C083
FileNameW, xrefs: 0042C079
Link Source Descriptor, xrefs: 0042C065

Memory Dump Source

Source File: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: ClipboardFormatRegister
String ID: Embed Source$Embedded Object$FileName$FileNameW$Link Source$Link Source Descriptor$Native$Object Descriptor$ObjectLink$OwnerLink$Rich Text Format$RichEdit Text and Objects
API String ID: 1228543026-2889995556
Opcode ID: 6b5a084f798606625df073df63a90125f29f45b26c0b684456c2d3012832e5f7
Instruction ID: 353324ec1318cbb582c5df8b14f60fd4019d8d1e18631fe9f1ac3c0909de5a58
Opcode Fuzzy Hash: 6b5a084f798606625df073df63a90125f29f45b26c0b684456c2d3012832e5f7
Instruction Fuzzy Hash: 7B013571A407446A8B30BF769C0AD4BBAE4EEC9B107625D2FE09597650DAF89841CF88

Uniqueness

Uniqueness Score: -1.00%

Function 00429F0B Relevance: 38.7, APIs: 17, Strings: 5, Instructions: 169registrylibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00429F31
GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 00429F3C
ConvertDefaultLocale.KERNEL32(?), ref: 00429F6D
ConvertDefaultLocale.KERNEL32(?), ref: 00429F75
GetProcAddress.KERNEL32(?,GetSystemDefaultUILanguage), ref: 00429F82
ConvertDefaultLocale.KERNEL32(?), ref: 00429F9C
ConvertDefaultLocale.KERNEL32(000003FF), ref: 00429FA2
GetVersion.KERNEL32 ref: 00429FB0
RegOpenKeyExA.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,00020019,?), ref: 00429FD5
RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,?), ref: 00429FFB
ConvertDefaultLocale.KERNEL32(?), ref: 0042A047
ConvertDefaultLocale.KERNEL32(75920A60), ref: 0042A04D
RegCloseKey.ADVAPI32(?), ref: 0042A058

Strings

GetSystemDefaultUILanguage, xrefs: 00429F77
Control Panel\Desktop\ResourceLocale, xrefs: 00429FC8
ntdll.dll, xrefs: 0042A060
GetUserDefaultUILanguage, xrefs: 00429F33
kernel32.dll, xrefs: 00429F24

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: ConvertDefaultLocale$AddressProc$CloseHandleModuleOpenQueryValueVersion
String ID: Control Panel\Desktop\ResourceLocale$GetSystemDefaultUILanguage$GetUserDefaultUILanguage$kernel32.dll$ntdll.dll
API String ID: 780041395-483790700
Opcode ID: 203f824ac1d43bbac6753af98df5ecf5df3a10049759535824241b98e85e0784
Instruction ID: b78f76d465d7b8429b50d250dff1f3f1b8a90edccc9fbb2a61dff07a2d830dcb
Opcode Fuzzy Hash: 203f824ac1d43bbac6753af98df5ecf5df3a10049759535824241b98e85e0784
Instruction Fuzzy Hash: 155195B1F00228AFDB20DFE5DC85AAFBBB8FB08314F90447BE901E3140D67899449B55

Uniqueness

Uniqueness Score: -1.00%

Function 004257B5 Relevance: 33.4, APIs: 16, Strings: 3, Instructions: 169stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0042BADF: __EH_prolog.LIBCMT ref: 0042BAE4

CallNextHookEx.USER32(?,00000003,?,?), ref: 004257ED
GetClassLongA.USER32(?,000000E6), ref: 00425832
GlobalGetAtomNameA.KERNEL32(?,00000000,00000005), ref: 0042585E
lstrcmpiA.KERNEL32(?,ime), ref: 0042586D
SetWindowLongA.USER32(?,000000FC,Function_00024DF1), ref: 004258A7
CallNextHookEx.USER32(?,00000003,?,?), ref: 004259A2
UnhookWindowsHookEx.USER32(?), ref: 004259B3

Strings

AfxOldWndProc423, xrefs: 00425959, 0042595E, 0042596B, 00425975, 00425980
ime, xrefs: 00425867
#32768, xrefs: 004258DF, 004258E4, 00425934

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: Hook$CallLongNext$AtomClassGlobalH_prologNameUnhookWindowWindowslstrcmpi
String ID: #32768$AfxOldWndProc423$ime
API String ID: 3204395069-4034971020
Opcode ID: 07b41bb835b3f37ab2ea62d7d951dc66333286f1985a8da89310b5e237e0c8ee
Instruction ID: 57621b77eae36dfeccc30f2fe0fb6956200ccb49a91ce200666df048497e576e
Opcode Fuzzy Hash: 07b41bb835b3f37ab2ea62d7d951dc66333286f1985a8da89310b5e237e0c8ee
Instruction Fuzzy Hash: 8D519F71600225EBCF21AF50EC08B9A3B75EF09325F904136F814962A0CB79C951CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0040CEAB Relevance: 28.1, APIs: 8, Strings: 8, Instructions: 78libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(USER32,?,?,?,0040CFFC), ref: 0040CED4
GetProcAddress.KERNEL32(00000000,GetSystemMetrics), ref: 0040CEF0
GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 0040CF01
GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 0040CF12
GetProcAddress.KERNEL32(00000000,MonitorFromPoint), ref: 0040CF23
GetProcAddress.KERNEL32(00000000,EnumDisplayMonitors), ref: 0040CF34
GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 0040CF45
GetProcAddress.KERNEL32(00000000,EnumDisplayDevicesA), ref: 0040CF56

Strings

EnumDisplayDevicesA, xrefs: 0040CF50
EnumDisplayMonitors, xrefs: 0040CF2E
MonitorFromRect, xrefs: 0040CF0C
USER32, xrefs: 0040CECA
GetMonitorInfoA, xrefs: 0040CF3F
GetSystemMetrics, xrefs: 0040CEEA
MonitorFromPoint, xrefs: 0040CF1D
MonitorFromWindow, xrefs: 0040CEFB

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: EnumDisplayDevicesA$EnumDisplayMonitors$GetMonitorInfoA$GetSystemMetrics$MonitorFromPoint$MonitorFromRect$MonitorFromWindow$USER32
API String ID: 667068680-68207542
Opcode ID: 4079817142a34cec938b4e8f1ad559f573af29b2feabc9793cceecdad33a04ac
Instruction ID: d1c05c8d3ab6442c21aa33543c3d481af1cb9795c094473826c90fb8c1184408
Opcode Fuzzy Hash: 4079817142a34cec938b4e8f1ad559f573af29b2feabc9793cceecdad33a04ac
Instruction Fuzzy Hash: 7A214FB8A84641DBC3019F65ACC092ABAE2F64EB41750097FE214E26E0CB3860569B1F

Uniqueness

Uniqueness Score: -1.00%

Function 0040B5F9 Relevance: 28.1, APIs: 10, Strings: 6, Instructions: 52libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll.dll,RtlInitUnicodeString,?,?,?,0040B8FD), ref: 0040B60D
GetProcAddress.KERNEL32(00000000), ref: 0040B616
GetModuleHandleA.KERNEL32(ntdll.dll,NtUnmapViewOfSection,?,?,?,0040B8FD), ref: 0040B62B
GetProcAddress.KERNEL32(00000000), ref: 0040B62E
GetModuleHandleA.KERNEL32(ntdll.dll,NtOpenSection,?,?,?,0040B8FD), ref: 0040B63F
GetProcAddress.KERNEL32(00000000), ref: 0040B642
GetModuleHandleA.KERNEL32(ntdll.dll,NtMapViewOfSection,?,?,?,0040B8FD), ref: 0040B653
GetProcAddress.KERNEL32(00000000), ref: 0040B656
GetModuleHandleA.KERNEL32(ntdll.dll,RtlNtStatusToDosError,?,?,?,0040B8FD), ref: 0040B667
GetProcAddress.KERNEL32(00000000), ref: 0040B66A

Strings

RtlNtStatusToDosError, xrefs: 0040B661
RtlInitUnicodeString, xrefs: 0040B602
NtMapViewOfSection, xrefs: 0040B64D
NtOpenSection, xrefs: 0040B639
ntdll.dll, xrefs: 0040B607, 0040B60C, 0040B62A, 0040B63E, 0040B652, 0040B666
NtUnmapViewOfSection, xrefs: 0040B625

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: NtMapViewOfSection$NtOpenSection$NtUnmapViewOfSection$RtlInitUnicodeString$RtlNtStatusToDosError$ntdll.dll
API String ID: 1646373207-1987783197
Opcode ID: 03ece5295bc5d19dd18cc425d4baeeadd3cb99d471744734dea2df15ba55ecb3
Instruction ID: 970ede4e035025aba40728b845774641aeb06da0a28e5589127ba931f0dc7916
Opcode Fuzzy Hash: 03ece5295bc5d19dd18cc425d4baeeadd3cb99d471744734dea2df15ba55ecb3
Instruction Fuzzy Hash: 5CF062E6A4431576DB306B795C85E572EDCE9497907102C73A804E3191DB7DC801EABC

Uniqueness

Uniqueness Score: -1.00%

Function 0041A758 Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 116fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,00000000,00000000), ref: 0041A7D1
_strcat.LIBCMT ref: 0041A7E7
_strlen.LIBCMT ref: 0041A7FB
_strlen.LIBCMT ref: 0041A80E
_strncpy.LIBCMT ref: 0041A828
_strlen.LIBCMT ref: 0041A831
_strlen.LIBCMT ref: 0041A83E
_strcat.LIBCMT ref: 0041A85C
_strlen.LIBCMT ref: 0041A8A1
GetStdHandle.KERNEL32(000000F4,0043A928,00000000,?,00000000,00000000,00000000,00000000), ref: 0041A8AC
WriteFile.KERNEL32(00000000), ref: 0041A8B3

Strings

..., xrefs: 0041A822
<program name unknown>, xrefs: 0041A7E1
Microsoft Visual C++ Runtime Library, xrefs: 0041A884
Runtime Error!Program: , xrefs: 0041A856

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: _strlen$File_strcat$HandleModuleNameWrite_strncpy
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
API String ID: 3601721357-4022980321
Opcode ID: 5eb8b9adc66271577908d0f2b30b26b3f93ca16067fc2b3402f50ca97e530117
Instruction ID: 873bd3f0479595d816e6d3d2c3c66433944047767b5fc083997a35eeea225ff6
Opcode Fuzzy Hash: 5eb8b9adc66271577908d0f2b30b26b3f93ca16067fc2b3402f50ca97e530117
Instruction Fuzzy Hash: 51314572540204ABD720EB70CC82FEA33B89F4A314F11492BF566E2182DA3CE9D1CA5D

Uniqueness

Uniqueness Score: -1.00%

Function 00402214 Relevance: 24.8, APIs: 13, Strings: 1, Instructions: 270stringCOMMON

Download Yara Rule

APIs

CharNextA.USER32(?,?,00000000,004462BC,?,004462BC,%s%s%s,?,00430E68,temp0921.vxd), ref: 0040224A
CharNextA.USER32(00000000,?,004462BC,%s%s%s,?,00430E68,temp0921.vxd), ref: 0040228E
CharNextA.USER32(00000000,?,004462BC,%s%s%s,?,00430E68,temp0921.vxd), ref: 004022BB
CharNextA.USER32(00000000), ref: 004022D0
CharNextA.USER32(00000000), ref: 004022E4
CharNextA.USER32(00000000), ref: 00402305
CharNextA.USER32(00000000), ref: 00402361
lstrlenA.KERNEL32(-00010073), ref: 00402438
OutputDebugStringA.KERNEL32(Floating point (%%e, %%f, %%g, and %%G) is not supported by the WTL::CMyString class.), ref: 0040246B
DebugBreak.KERNEL32 ref: 00402471
CharNextA.USER32(?,?,00000000,004462BC,?,004462BC,%s%s%s,?,00430E68,temp0921.vxd), ref: 004024BD
CharNextA.USER32(?,?,004462BC,%s%s%s,?,00430E68,temp0921.vxd), ref: 004024C6
wvsprintfA.USER32(?,?,?), ref: 004024ED

Strings

Floating point (%%e, %%f, %%g, and %%G) is not supported by the WTL::CMyString class., xrefs: 00402466

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: CharNext$Debug$BreakOutputStringlstrlenwvsprintf
String ID: Floating point (%%e, %%f, %%g, and %%G) is not supported by the WTL::CMyString class.
API String ID: 3364312739-4257885759
Opcode ID: a824a2b543f5762c82e423326e6c2dab26c1ef602594b2f11e18d853935b28d7
Instruction ID: 0eedb994684fcdbb03af904bb600abb34cd9bd0cefedc73d8d84e7d0e4219dbe
Opcode Fuzzy Hash: a824a2b543f5762c82e423326e6c2dab26c1ef602594b2f11e18d853935b28d7
Instruction Fuzzy Hash: 0081E1715082425ADB319E388F4C23BBBD4AB55354F58057FE8C0F22D5D6FCCA8A865E

Uniqueness

Uniqueness Score: -1.00%

Function 00414B8A Relevance: 22.9, APIs: 15, Instructions: 354windowkeyboardCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00414B8F
GetFocus.USER32 ref: 00414BB8
GetParent.USER32(?), ref: 00414C0D
GetParent.USER32(?), ref: 00414C1D
GetKeyState.USER32(00000012), ref: 00414CD3
IsDialogMessageA.USER32(?,?,?,?,?,00000000), ref: 00414D82
GetFocus.USER32 ref: 00414D94
GetFocus.USER32 ref: 00414DA1
IsWindow.USER32(?), ref: 00414DB9
GetFocus.USER32 ref: 00414DC5
IsWindow.USER32(?), ref: 00414DDB
GetFocus.USER32 ref: 00414DE1
GetKeyState.USER32(00000010), ref: 00414E12
MessageBeep.USER32(00000000), ref: 00414EFB
SendMessageA.USER32(?,000000F1,00000001,00000000), ref: 00414FE0

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: Focus$Message$ParentStateWindow$BeepDialogH_prologSend
String ID:
API String ID: 2408959702-0
Opcode ID: 29edca6921028beb0b146ee492515b4863a2a01fbf38321ee019951345c7bbf6
Instruction ID: b7f21489c7d6d74e7554cfe8760b2d28968a599f813f330fded3cbbafc593dd2
Opcode Fuzzy Hash: 29edca6921028beb0b146ee492515b4863a2a01fbf38321ee019951345c7bbf6
Instruction Fuzzy Hash: FDC1BF35A00215AADF20AF65D844AFFBBB5EFC4758F55402BE811A7250DB3C9CC2CA9D

Uniqueness

Uniqueness Score: -1.00%

Function 0041C8D8 Relevance: 22.8, APIs: 7, Strings: 6, Instructions: 98COMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,00000000,00000104,0043B1D8,00000118,004177DE,00000001,00000000,0043A508,00000008,0041A8CA,00000000,00000000,00000000), ref: 0041C956
_strcat.LIBCMT ref: 0041C96C
_strlen.LIBCMT ref: 0041C980
_strlen.LIBCMT ref: 0041C995
_strncpy.LIBCMT ref: 0041C9AF
_strlen.LIBCMT ref: 0041C9B8
_strcat.LIBCMT ref: 0041C9D4

Strings

Unknown security failure detected!, xrefs: 0041C922
..., xrefs: 0041C9A9
Buffer overrun detected!, xrefs: 0041C935, 0041C9D2
Program: , xrefs: 0041C9E5
<program name unknown>, xrefs: 0041C960
Microsoft Visual C++ Runtime Library, xrefs: 0041CA0C

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: _strlen$_strcat$FileModuleName_strncpy
String ID: ...$<program name unknown>$Buffer overrun detected!$Microsoft Visual C++ Runtime Library$Program: $Unknown security failure detected!
API String ID: 3058806289-1673886896
Opcode ID: afbd14b618276193030e3c0af5201b55a9026821446303c7d5f8591930f4bbdf
Instruction ID: f9b76a29898f58c7373b8753ea105286733a2ff1b2e8d5243023788ac5f4ec33
Opcode Fuzzy Hash: afbd14b618276193030e3c0af5201b55a9026821446303c7d5f8591930f4bbdf
Instruction Fuzzy Hash: CA31B7719412186BCB11EB61CC82FDE37789F09368F11415FF118B6182DB7CDA918BAD

Uniqueness

Uniqueness Score: -1.00%

Function 0041E5CA Relevance: 22.8, APIs: 6, Strings: 7, Instructions: 90libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(user32.dll,0043A978,0000000C,?), ref: 0041E5E2
GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 0041E5FE
GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 0041E60F
GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 0041E61C
GetProcAddress.KERNEL32(00000000,GetUserObjectInformationA), ref: 0041E632
GetProcAddress.KERNEL32(00000000,GetProcessWindowStation), ref: 0041E643

Strings

MessageBoxA, xrefs: 0041E5F8
GetProcessWindowStation, xrefs: 0041E63D
GetUserObjectInformationA, xrefs: 0041E62C
user32.dll, xrefs: 0041E5DD
, xrefs: 0041E67F
GetLastActivePopup, xrefs: 0041E611
GetActiveWindow, xrefs: 0041E609

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: $GetActiveWindow$GetLastActivePopup$GetProcessWindowStation$GetUserObjectInformationA$MessageBoxA$user32.dll
API String ID: 2238633743-752805172
Opcode ID: 3d8efab7ff49af663c91057f34e0c8ce06715d0f196f9146fd83b2926ff60567
Instruction ID: a1566a43e676663f77566d211b6d4cd8a5d02c20358371a1fa29f3d6f93bbe0d
Opcode Fuzzy Hash: 3d8efab7ff49af663c91057f34e0c8ce06715d0f196f9146fd83b2926ff60567
Instruction Fuzzy Hash: 7F219938B00305FADB119FB69C45FAB7AA8EB55784F84013ABD05D1150EB78C881DFAD

Uniqueness

Uniqueness Score: -1.00%

Function 00424031 Relevance: 19.7, APIs: 13, Instructions: 174windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0042663C: GetWindowLongA.USER32(?,000000F0), ref: 00426648

GetParent.USER32(?), ref: 0042405C
SendMessageA.USER32(00000000,0000036B,00000000,00000000), ref: 0042407F
GetWindowRect.USER32(?,?), ref: 00424098
GetWindowLongA.USER32(00000000,000000F0), ref: 004240AB
CopyRect.USER32(?,?), ref: 004240F8
CopyRect.USER32(?,?), ref: 00424102
GetWindowRect.USER32(00000000,?), ref: 0042410B
CopyRect.USER32(?,?), ref: 00424127

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: Rect$Window$Copy$Long$MessageParentSend
String ID:
API String ID: 808654186-0
Opcode ID: 5c1e3401e94f9ddfb7b0304fefac56a9f4397806790fe2ce614e2b01d900ef57
Instruction ID: 208623173516fe0c4c79c90a83d200c0856f8fa8b1e61f7fada478de943c47ba
Opcode Fuzzy Hash: 5c1e3401e94f9ddfb7b0304fefac56a9f4397806790fe2ce614e2b01d900ef57
Instruction Fuzzy Hash: 31518771A00229ABDB10DBA8DC85EEF77B9EF84314F554125F601F3280D774A9468B58

Uniqueness

Uniqueness Score: -1.00%

Function 0042D2FB Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 182memorystringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,00439AF0), ref: 0042D37B
SysAllocString.OLEAUT32(?), ref: 0042D3A1
lstrlenA.KERNEL32(?,00439AF0), ref: 0042D3B9
SysAllocString.OLEAUT32(00000000), ref: 0042D3DD
lstrlenA.KERNEL32(?,0000F108,?,00000100,d}C,00439AF0), ref: 0042D42E
SysAllocString.OLEAUT32(00000000), ref: 0042D454
lstrlenA.KERNEL32(?), ref: 0042D474
SysAllocString.OLEAUT32(00000000), ref: 0042D498
lstrlenA.KERNEL32(?), ref: 0042D4C1
SysAllocString.OLEAUT32(00000000), ref: 0042D4E2

Strings

d}C, xrefs: 0042D3E8

Memory Dump Source

Source File: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: AllocStringlstrlen
String ID: d}C
API String ID: 98960487-3319508351
Opcode ID: 66b24d67ede51495c4957cf5ca69243bc8b93e62e85c6dcf95a10c59674b6767
Instruction ID: 185ff175cf529db1f2f1588e15c7f847109819f6a9f20bd73b9045780a2bba21
Opcode Fuzzy Hash: 66b24d67ede51495c4957cf5ca69243bc8b93e62e85c6dcf95a10c59674b6767
Instruction Fuzzy Hash: 7451A376A00219ABCB10EF75DD45A9ABBB8EF05314F508527F815D7241D738E990CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 024442C4 Relevance: 18.4, APIs: 1, Strings: 11, Instructions: 353COMMON

Download Yara Rule

Strings

assertion failed: next.is_notified()/registry\src\index.crates.io-1cd66030c949c28d\tokio-1.37.0\src\runtime\task\state.rs, xrefs: 02445208
attempt to divide by zero, xrefs: 0244521C
assertion failed: self.ref_count() > 0, xrefs: 02445230
assertion failed: curr.is_join_waker_set(), xrefs: 024454B4
n failed: prev.ref_count() >= 2, xrefs: 024457BF
assertion failed: snapshot.is_complete()/registry\src\index.crates.io-1cd66030c949c28d\tokio-1.37.0\src\runtime\task\harness.rs, xrefs: 024454F2
cannot access a Thread Local Storage value during or after destruction/rustc/25ef9e3d85d934b27d9dada2f9dd52b1dc63bb04\library\std\src\thread\local.rs, xrefs: 02445325
Invalid, xrefs: 0244528D, 024454DE
[internal exception] blocking task ran twice./registry\src\index.crates.io-1cd66030c949c28d\tokio-1.37.0\src\runtime\blocking\task.rs, xrefs: 024452C9
assertion failed: prev.ref_count() >= 1, xrefs: 02445582, 024455B5, 0244561A
assertion failed: curr.is_join_interested(), xrefs: 024454A0, 0244556E

Memory Dump Source

Source File: 00000000.00000002.2022153806.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23d0000_app.jbxd

Similarity

API ID:
String ID: Invalid$[internal exception] blocking task ran twice./registry\src\index.crates.io-1cd66030c949c28d\tokio-1.37.0\src\runtime\blocking\task.rs$assertion failed: curr.is_join_interested()$assertion failed: curr.is_join_waker_set()$assertion failed: next.is_notified()/registry\src\index.crates.io-1cd66030c949c28d\tokio-1.37.0\src\runtime\task\state.rs$assertion failed: prev.ref_count() >= 1$assertion failed: self.ref_count() > 0$assertion failed: snapshot.is_complete()/registry\src\index.crates.io-1cd66030c949c28d\tokio-1.37.0\src\runtime\task\harness.rs$attempt to divide by zero$cannot access a Thread Local Storage value during or after destruction/rustc/25ef9e3d85d934b27d9dada2f9dd52b1dc63bb04\library\std\src\thread\local.rs$n failed: prev.ref_count() >= 2
API String ID: 0-2035208961
Opcode ID: 65cb96d1c78d92a81dad463c925b7a7438302cb44d87c85a8bf3d341dd9ea1fd
Instruction ID: 3b9cf43a97d6100b9063ddd46997b4135e0e93f822d9514b2ef1db4dcc757455
Opcode Fuzzy Hash: 65cb96d1c78d92a81dad463c925b7a7438302cb44d87c85a8bf3d341dd9ea1fd
Instruction Fuzzy Hash: 9DD104706102418BEB14EF28C84076FB7E2EF95318F64855FE89A9B391DBB1DC42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0042D5D5 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 245stringCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0042D5DA
lstrlenA.KERNEL32(?,?,?), ref: 0042D614

Strings

`)u, xrefs: 0042D927

Memory Dump Source

Source File: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: H_prologlstrlen
String ID: `)u
API String ID: 2133942097-4279031584
Opcode ID: ac1b358337dca50b234fc3dc3a64ea0e40d9c39c4fce7a5d9b49bc41b1c3f848
Instruction ID: 47f9f9a9bf0d79d52291fec9dc3460f5edb29a58d4097f6a8864e100f0027ea6
Opcode Fuzzy Hash: ac1b358337dca50b234fc3dc3a64ea0e40d9c39c4fce7a5d9b49bc41b1c3f848
Instruction Fuzzy Hash: 2191A371E00219DFDF20EFA4D844BEEBBB4FF04314F94452AE551A7290D7789946CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0042D76F Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 179memorystringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?), ref: 0042D780
SysAllocString.OLEAUT32 ref: 0042D7A9
VariantClear.OLEAUT32(?), ref: 0042D8B2
VariantClear.OLEAUT32(?), ref: 0042D8D9

Strings

`)u, xrefs: 0042D927

Memory Dump Source

Source File: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: ClearVariant$AllocStringlstrlen
String ID: `)u
API String ID: 3271446295-4279031584
Opcode ID: 6282ef1ab9a2c62f5340b2b8bd7b05e750a85b2b0af811c20b1538a789a0357b
Instruction ID: cdccc334731853226970ff56d724ea0fd08195d0ec7bcfd3a5b41d5743917be6
Opcode Fuzzy Hash: 6282ef1ab9a2c62f5340b2b8bd7b05e750a85b2b0af811c20b1538a789a0357b
Instruction Fuzzy Hash: 90617E71E00219EFCF10EFA4DC85AEEBBB5BF04300F94452AF555A7250D7789985CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0240A370 Relevance: 16.8, APIs: 10, Strings: 1, Instructions: 347memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0243FEC0: HeapFree.KERNEL32(00000000,?), ref: 02440037
Part of subcall function 0243FEC0: HeapFree.KERNEL32(00000000,?), ref: 0244004C

HeapFree.KERNEL32(00000000,?), ref: 0240A574
HeapFree.KERNEL32(00000000,?), ref: 0240A58F

Strings

Invalid, xrefs: 0240A4D4, 0240A6CF

Memory Dump Source

Source File: 00000000.00000002.2022153806.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23d0000_app.jbxd

Similarity

API ID: FreeHeap
String ID: Invalid
API String ID: 3298025750-874791708
Opcode ID: 782edc6403cb8378555677b73cbbbda5e5a899c9173173948703f5e7d7b3d86f
Instruction ID: db57fdf6435308d82b6c0bf22e6f953a3b995a00cfce941db4ae1d6138e37734
Opcode Fuzzy Hash: 782edc6403cb8378555677b73cbbbda5e5a899c9173173948703f5e7d7b3d86f
Instruction Fuzzy Hash: D5D16F71A083509BD725DF25D884B6FBBE2BFC8304F10482EE69997390DB359986CF42

Uniqueness

Uniqueness Score: -1.00%

Function 0041D66E Relevance: 16.8, APIs: 11, Instructions: 299COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,00000100,0043A9D4,00000001,00000000,00000000,0043B208,00000038,00417C80,00000100,00000020,00000100,?,00000100,00000000,00000001), ref: 0041D695
GetLastError.KERNEL32 ref: 0041D6A7
MultiByteToWideChar.KERNEL32(?,00000000,00417F33,?,00000000,00000000,0043B208,00000038,00417C80,00000100,00000020,00000100,?,00000100,00000000,00000001), ref: 0041D72E
MultiByteToWideChar.KERNEL32(?,00000001,00417F33,?,?,00000000), ref: 0041D7AF
LCMapStringW.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 0041D7C9
LCMapStringW.KERNEL32(00000000,00000000,?,00000000,?,?), ref: 0041D804

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: String$ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1775797328-0
Opcode ID: 4e68df62db2da08941074baaceedf4420aa6fcb3e7720cbc62ad2245d21ccbe8
Instruction ID: f05e7c59ad7515b7832d4e1e93c16c6c87d040a29f1d2ebd5c0f6427fa4a6e31
Opcode Fuzzy Hash: 4e68df62db2da08941074baaceedf4420aa6fcb3e7720cbc62ad2245d21ccbe8
Instruction Fuzzy Hash: C0B139B2D00219EFCF21AFA4DC859EE7B75FF08354F14412AF925A2260D7398DA1DB58

Uniqueness

Uniqueness Score: -1.00%

Function 00422FFC Relevance: 16.6, APIs: 11, Instructions: 120COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00423001
FindResourceA.KERNEL32(?,00000000,00000005), ref: 00423039
LoadResource.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00423041

Part of subcall function 004247EA: UnhookWindowsHookEx.USER32(?), ref: 0042480F

LockResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 00423053
GetDesktopWindow.USER32 ref: 00423080
IsWindowEnabled.USER32(00000000), ref: 0042308E
EnableWindow.USER32(00000000,00000000), ref: 0042309D
EnableWindow.USER32(00000000,00000001), ref: 0042312C
GetActiveWindow.USER32 ref: 00423137
SetActiveWindow.USER32(00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 00423145
FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 00423161

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: Window$Resource$ActiveEnable$DesktopEnabledFindFreeH_prologHookLoadLockUnhookWindows
String ID:
API String ID: 833315621-0
Opcode ID: 23e7f65befa7440df8e79eeea8a432c85f5a5959caccd24c17b927ce82f2994f
Instruction ID: 44036482665cc7e11abf287e92ecc354a93a460278f6ee91648675104effe8f1
Opcode Fuzzy Hash: 23e7f65befa7440df8e79eeea8a432c85f5a5959caccd24c17b927ce82f2994f
Instruction Fuzzy Hash: F241A531700625DBCB21AFA5E94977FBBB4EF44716F90003FE501A22A1C7BC5E45CA69

Uniqueness

Uniqueness Score: -1.00%

Function 0243C1E0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 165memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0243BCE0: AcquireSRWLockExclusive.KERNEL32(00000008), ref: 0243BD39
Part of subcall function 0243BCE0: HeapFree.KERNEL32(00000000,00000000), ref: 0243BDE9
Part of subcall function 0243BCE0: HeapFree.KERNEL32(00000000,?), ref: 0243BDFA
Part of subcall function 0243BCE0: ReleaseSRWLockExclusive.KERNEL32(?), ref: 0243BE0C

Part of subcall function 0242FE20: TlsGetValue.KERNEL32(00000000,00000000,0243C23F), ref: 0242FE2C
Part of subcall function 0242FE20: TlsGetValue.KERNEL32(00000000), ref: 0242FE4A
Part of subcall function 0242FE20: TlsSetValue.KERNEL32(00000000,00000000), ref: 0242FE8A

AcquireSRWLockExclusive.KERNEL32(00000000), ref: 0243C276
HeapFree.KERNEL32(00000000,?), ref: 0243C328
HeapFree.KERNEL32(00000000,00000004), ref: 0243C339
ReleaseSRWLockExclusive.KERNEL32(?), ref: 0243C352
HeapFree.KERNEL32(00000000,00000003), ref: 0243C41D
HeapFree.KERNEL32(00000000,?), ref: 0243C42E

Strings

lock count overflow in reentrant mutexlibrary\std\src\sync\remutex.rs, xrefs: 0243C25B
cannot access a Thread Local Storage value during or after destruction/rustc/25ef9e3d85d934b27d9dada2f9dd52b1dc63bb04\library\std\src\thread\local.rs, xrefs: 0243C37B
stdoutstderrlibrary\std\src\io\mod.rs, xrefs: 0243C211

Memory Dump Source

Source File: 00000000.00000002.2022153806.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23d0000_app.jbxd

Similarity

API ID: FreeHeap$ExclusiveLock$Value$AcquireRelease
String ID: cannot access a Thread Local Storage value during or after destruction/rustc/25ef9e3d85d934b27d9dada2f9dd52b1dc63bb04\library\std\src\thread\local.rs$lock count overflow in reentrant mutexlibrary\std\src\sync\remutex.rs$stdoutstderrlibrary\std\src\io\mod.rs
API String ID: 3691851813-1631872077
Opcode ID: bc1b89cbef2241430fc01a15de2b9c8a6f79bade4cdc7707e2d4242d672118e3
Instruction ID: 5649fa014906793884eddd0de70283e8d8368fd477438606d2f0b0a9a9352823
Opcode Fuzzy Hash: bc1b89cbef2241430fc01a15de2b9c8a6f79bade4cdc7707e2d4242d672118e3
Instruction Fuzzy Hash: 986152B1E00208DFDB15DF94D888BAEBBB2FB18314F00442AE905BB391D7B59859CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0042D740 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 161memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 0042D74B
VariantClear.OLEAUT32(?), ref: 0042D8B2
VariantClear.OLEAUT32(?), ref: 0042D8D9
SysFreeString.OLEAUT32(?), ref: 0042D93D
SysFreeString.OLEAUT32(?), ref: 0042D952
SysFreeString.OLEAUT32(?), ref: 0042D967
VariantChangeType.OLEAUT32(?,?,00000000,?), ref: 0042D9A2
VariantClear.OLEAUT32(?), ref: 0042D9B2

Strings

`)u, xrefs: 0042D927

Memory Dump Source

Source File: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: StringVariant$ClearFree$AllocChangeType
String ID: `)u
API String ID: 984216764-4279031584
Opcode ID: f945ae4cef94d89ca0ab2fcfcb01154a0f7e82251910b561d33c7f77115089c5
Instruction ID: 88606afa4f30e9e75de13378e47aca7ec09a9b99aa19c6302e81d3cbef9f0d5a
Opcode Fuzzy Hash: f945ae4cef94d89ca0ab2fcfcb01154a0f7e82251910b561d33c7f77115089c5
Instruction Fuzzy Hash: 89517E71E00319EFDF20EFA4E884AEEBBB9BF04300F90452AF555A7151D7789A45CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0042565D Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 99COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00425662
GetPropA.USER32(?,AfxOldWndProc423), ref: 0042567A
CallWindowProcA.USER32(?,?,00000110,?,00000000), ref: 004256D8

Part of subcall function 00424C8B: GetWindowRect.USER32(?,00424DAD), ref: 00424CB0
Part of subcall function 00424C8B: GetWindow.USER32(?,00000004), ref: 00424CCD

SetWindowLongA.USER32(?,000000FC,?), ref: 00425708
RemovePropA.USER32(?,AfxOldWndProc423), ref: 00425710
GlobalFindAtomA.KERNEL32(AfxOldWndProc423), ref: 00425717
GlobalDeleteAtom.KERNEL32(00000000), ref: 0042571E

Part of subcall function 00423DB0: GetWindowRect.USER32(?,?), ref: 00423DBC

CallWindowProcA.USER32(?,?,?,?,00000000), ref: 00425772

Strings

AfxOldWndProc423, xrefs: 00425673, 00425678, 0042570E, 00425716

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: Window$AtomCallGlobalProcPropRect$DeleteFindH_prologLongRemove
String ID: AfxOldWndProc423
API String ID: 2397448395-1060338832
Opcode ID: 10d2a5aec3b997577270dab6d298fc0b9cd5d1bcd177ddbbb5c5fac6d3cc76f4
Instruction ID: c58938d15ef85ceb471def29655ae59a85cb9400ae0611950666c80f8e2187a5
Opcode Fuzzy Hash: 10d2a5aec3b997577270dab6d298fc0b9cd5d1bcd177ddbbb5c5fac6d3cc76f4
Instruction Fuzzy Hash: E1318332A0012AEBCB11AFA5ED49DBF7B78FF89310F80012AF511A2150D7789911DB69

Uniqueness

Uniqueness Score: -1.00%

Function 0040309E Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 281COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004030A3

Part of subcall function 00401FE9: lstrlenA.KERNEL32(?,?,?,?,00402E72,?), ref: 00402008

Part of subcall function 00401F77: InterlockedDecrement.KERNEL32(?), ref: 00401F8B

Strings

(1D, xrefs: 004030E9, 004031EC

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: DecrementH_prologInterlockedlstrlen
String ID: (1D
API String ID: 2818505249-2129874033
Opcode ID: bd28ca77c038792ffbe5868c204803e66c6c098a52fe2d6f0d143d211d85f30c
Instruction ID: 858d2aefe05a656e08fe5f4863ded23aa7559c905939fa8f8aa05e635d827225
Opcode Fuzzy Hash: bd28ca77c038792ffbe5868c204803e66c6c098a52fe2d6f0d143d211d85f30c
Instruction Fuzzy Hash: AEB14871C00119AEDB01EBE5CD86EEEBBB8AF19304F50416EF501B31D2DB785A09DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040C9F9 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 249memoryCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040C9FE
MapDialogRect.USER32(?,?), ref: 0040CA8F
SysAllocStringLen.OLEAUT32(?,00000000), ref: 0040CAB0
CLSIDFromString.OLE32(?,?), ref: 0040CBAE
CLSIDFromProgID.OLE32(?,?), ref: 0040CBB6
SetWindowPos.USER32(00000004,?,00000000,00000000,00000000,00000000,00000013,00000001,00000000,?,00000000,?,?,?,0000FC84,00000000), ref: 0040CC52
SysFreeString.OLEAUT32(?), ref: 0040CCA5

Strings

`)u, xrefs: 0040CCA5

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: String$From$AllocDialogFreeH_prologProgRectWindow
String ID: `)u
API String ID: 493809305-4279031584
Opcode ID: b6569829184fb42d57513ac240686ddfc2199f8f1beda4693de8370a87d1c167
Instruction ID: b945ffafd8d0b2f29bc3912b9e04def262169b811155d546c73b7a037650a840
Opcode Fuzzy Hash: b6569829184fb42d57513ac240686ddfc2199f8f1beda4693de8370a87d1c167
Instruction Fuzzy Hash: 85B1397190021ADFCB04DFA5D884AEEB7B4FF08304F10463AE819A7391D778A955CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 00420386 Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 230COMMON

Download Yara Rule

APIs

_strcat.LIBCMT ref: 00420461
_strcat.LIBCMT ref: 0042047E
___shr_12.LIBCMT ref: 00420547

Strings

?, xrefs: 004203DE
1#QNAN, xrefs: 00420475
1#INF, xrefs: 00420458
1#IND, xrefs: 00420447
1#SNAN, xrefs: 0042042D

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: _strcat$___shr_12
String ID: 1#IND$1#INF$1#QNAN$1#SNAN$?
API String ID: 1152255961-4131533671
Opcode ID: 5aa3ecb09af4b3a94d3f2d9835869e186dd5ee770025c3904ead7b432b13b458
Instruction ID: 16df6c63b7a150186b903f00fb97da5ef5e8eb5c8611f92a14905fa3948d0dbe
Opcode Fuzzy Hash: 5aa3ecb09af4b3a94d3f2d9835869e186dd5ee770025c3904ead7b432b13b458
Instruction Fuzzy Hash: 85814531A002AA9ACF11DF68D4447EF7BF4AF15314F84849BD940DB283D37C9686C7A9

Uniqueness

Uniqueness Score: -1.00%

Function 00422DEF Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00422DF4
GetSystemMetrics.USER32(0000002A), ref: 00422EB8
GlobalLock.KERNEL32(00000000,?,?,?,?), ref: 00422F23
CreateDialogIndirectParamA.USER32(?,?,?,Function_0002288B,00000000), ref: 00422F52

Strings

MS Shell Dlg, xrefs: 00422EC2

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: CreateDialogGlobalH_prologIndirectLockMetricsParamSystem
String ID: MS Shell Dlg
API String ID: 2364537584-76309092
Opcode ID: 152948b375090ba3bf973604bc07184c04cab0d5ef470bd3cd5d12d947ef66b1
Instruction ID: ca2fc6de147dc94a796e69e52f3573e941c4428df88ff4a11067891bc5981fc6
Opcode Fuzzy Hash: 152948b375090ba3bf973604bc07184c04cab0d5ef470bd3cd5d12d947ef66b1
Instruction Fuzzy Hash: CE51F131B00225EFCB11EF64EA459EEBBB0EF44314F95066AF801E7251D7B88940DB99

Uniqueness

Uniqueness Score: -1.00%

Function 0042D7DA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 0042D8B2
VariantClear.OLEAUT32(?), ref: 0042D8D9
SysFreeString.OLEAUT32(?), ref: 0042D93D
SysFreeString.OLEAUT32(?), ref: 0042D952
SysFreeString.OLEAUT32(?), ref: 0042D967

Strings

`)u, xrefs: 0042D927

Memory Dump Source

Source File: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: FreeString$ClearVariant
String ID: `)u
API String ID: 3349467263-4279031584
Opcode ID: c99945b730b1963bc2476f908b4b7e966ae24083794790fc4a804f60559a5f7f
Instruction ID: deba55917dce0b94424f7e82dae8a9b9b47db0b8bf94c504a8a5c0270682857a
Opcode Fuzzy Hash: c99945b730b1963bc2476f908b4b7e966ae24083794790fc4a804f60559a5f7f
Instruction Fuzzy Hash: 2C519072D00319EFDF21EFA4D884AEEBBB5BF04310F90452AF511A7150D774A945CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0042D6E6 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 158COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 0042D8B2
VariantClear.OLEAUT32(?), ref: 0042D8D9
SysFreeString.OLEAUT32(?), ref: 0042D93D
SysFreeString.OLEAUT32(?), ref: 0042D952
SysFreeString.OLEAUT32(?), ref: 0042D967

Strings

`)u, xrefs: 0042D927

Memory Dump Source

Source File: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: FreeString$ClearVariant
String ID: `)u
API String ID: 3349467263-4279031584
Opcode ID: 21f38ccec4fa0e8b30d552f577ba58be143ccf844956009ce64557762c5bc80d
Instruction ID: 03b0e499ed1856b55c8dcbea2a45d420b7c6c419c53f8268e212c6394d836cd7
Opcode Fuzzy Hash: 21f38ccec4fa0e8b30d552f577ba58be143ccf844956009ce64557762c5bc80d
Instruction Fuzzy Hash: 22516D71E00319EFDF20EFA4E884AEEBBB5BF08300F90452AF555A7251D7789945CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0042D803 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 158COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 0042D8B2
VariantClear.OLEAUT32(?), ref: 0042D8D9
SysFreeString.OLEAUT32(?), ref: 0042D93D
SysFreeString.OLEAUT32(?), ref: 0042D952
SysFreeString.OLEAUT32(?), ref: 0042D967

Strings

`)u, xrefs: 0042D927

Memory Dump Source

Source File: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: FreeString$ClearVariant
String ID: `)u
API String ID: 3349467263-4279031584
Opcode ID: 0f93b15981eb83b0008622cebca6e7edd8fc0778c5b73fd08b63520a5e626df8
Instruction ID: 6e50089abeb2bdf91b19714a5c651368d8dc676127325ce66d1f1f29e3b16f1f
Opcode Fuzzy Hash: 0f93b15981eb83b0008622cebca6e7edd8fc0778c5b73fd08b63520a5e626df8
Instruction Fuzzy Hash: 69517D71E00319EFDF24EFA4E884AEEBBB9BF04300F90452AF551A7250D7789945CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0042D72A Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 156COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 0042D8B2
VariantClear.OLEAUT32(?), ref: 0042D8D9
SysFreeString.OLEAUT32(?), ref: 0042D93D
SysFreeString.OLEAUT32(?), ref: 0042D952
SysFreeString.OLEAUT32(?), ref: 0042D967

Strings

`)u, xrefs: 0042D927

Memory Dump Source

Source File: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: FreeString$ClearVariant
String ID: `)u
API String ID: 3349467263-4279031584
Opcode ID: 827ef1f6ee7b75c145e33e34f9742a54bc848cad72a190445feeb5b0033f898c
Instruction ID: f237654dfe9b0de4e7d9c7904e21352c824fde659a4a83de7e0f8eff9bac242a
Opcode Fuzzy Hash: 827ef1f6ee7b75c145e33e34f9742a54bc848cad72a190445feeb5b0033f898c
Instruction Fuzzy Hash: D3516F71E00319EFDF20EFA4D884ADEBBB9BF08300F90452AF555A7250D7749945CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0042D7CA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 156COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 0042D8B2
VariantClear.OLEAUT32(?), ref: 0042D8D9
SysFreeString.OLEAUT32(?), ref: 0042D93D
SysFreeString.OLEAUT32(?), ref: 0042D952
SysFreeString.OLEAUT32(?), ref: 0042D967

Strings

`)u, xrefs: 0042D927

Memory Dump Source

Source File: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: FreeString$ClearVariant
String ID: `)u
API String ID: 3349467263-4279031584
Opcode ID: 4a061ed6ea16155ebb7b5c787c568175eb317ebc6f7b48173005574961f5fb9e
Instruction ID: 58d113b5c7ff70747419b4c64d9a6ceb5b586f213f15031ce77f902832e347a1
Opcode Fuzzy Hash: 4a061ed6ea16155ebb7b5c787c568175eb317ebc6f7b48173005574961f5fb9e
Instruction Fuzzy Hash: 11518F71E00319EFDF20EFA4E884AEEBBB9BF04300F90452AF555A7151D7789A45CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0042D704 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 0042D8B2
VariantClear.OLEAUT32(?), ref: 0042D8D9
SysFreeString.OLEAUT32(?), ref: 0042D93D
SysFreeString.OLEAUT32(?), ref: 0042D952
SysFreeString.OLEAUT32(?), ref: 0042D967

Strings

`)u, xrefs: 0042D927

Memory Dump Source

Source File: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: FreeString$ClearVariant
String ID: `)u
API String ID: 3349467263-4279031584
Opcode ID: 4a58fbb225a2fce4e96c6b3d3fef4f7e5c10f5cde4fd159727c4ed86734b3cd6
Instruction ID: d151c50cc6bd0b404945a1303f62b0d198eee01f47ec1073862221912eaef73a
Opcode Fuzzy Hash: 4a58fbb225a2fce4e96c6b3d3fef4f7e5c10f5cde4fd159727c4ed86734b3cd6
Instruction Fuzzy Hash: 2F515D71E00319EFDF20EFA4E884AEEBBB9BF08300F90452AF555A7150D7789955CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0042D717 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 0042D8B2
VariantClear.OLEAUT32(?), ref: 0042D8D9
SysFreeString.OLEAUT32(?), ref: 0042D93D
SysFreeString.OLEAUT32(?), ref: 0042D952
SysFreeString.OLEAUT32(?), ref: 0042D967

Strings

`)u, xrefs: 0042D927

Memory Dump Source

Source File: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: FreeString$ClearVariant
String ID: `)u
API String ID: 3349467263-4279031584
Opcode ID: f8144347606935d44715553dcabef8512d41d4be27142094d4e387c2cc9881f5
Instruction ID: 53aae2873ea59daa80941dbbe4e8aa903fbf7bb4d0a1552b06bc64d0b7892529
Opcode Fuzzy Hash: f8144347606935d44715553dcabef8512d41d4be27142094d4e387c2cc9881f5
Instruction Fuzzy Hash: 8D515D71E00319EFDF20EFA4E884AEEBBB9BF08300F90452AF555A7150D7789955CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0042D6D6 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 153COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 0042D8B2
VariantClear.OLEAUT32(?), ref: 0042D8D9
SysFreeString.OLEAUT32(?), ref: 0042D93D
SysFreeString.OLEAUT32(?), ref: 0042D952
SysFreeString.OLEAUT32(?), ref: 0042D967

Strings

`)u, xrefs: 0042D927

Memory Dump Source

Source File: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: FreeString$ClearVariant
String ID: `)u
API String ID: 3349467263-4279031584
Opcode ID: 7face730e7ea03213b5efd70eacd7ec68c2f0d51a1f73f596c044cdcc9c12fd8
Instruction ID: 78637e40a941fc69885a3deb517414403bef0f341df32ec1c30b1b6a81e673a2
Opcode Fuzzy Hash: 7face730e7ea03213b5efd70eacd7ec68c2f0d51a1f73f596c044cdcc9c12fd8
Instruction Fuzzy Hash: A2517F71E00319EFDF20EFA4E884AEEBBB9BF04300F90452AF555A7150D7749A45CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0042D6F6 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 153COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 0042D8B2
VariantClear.OLEAUT32(?), ref: 0042D8D9
SysFreeString.OLEAUT32(?), ref: 0042D93D
SysFreeString.OLEAUT32(?), ref: 0042D952
SysFreeString.OLEAUT32(?), ref: 0042D967

Strings

`)u, xrefs: 0042D927

Memory Dump Source

Source File: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: FreeString$ClearVariant
String ID: `)u
API String ID: 3349467263-4279031584
Opcode ID: 84b6905a04f3cbe8a5a89647b25fc7c97e8888fb23e746bbd921fa75cfd3bebd
Instruction ID: ac7c056ca3fef7ea1f7cd9142080b8837a63ee409403f1a6f7d78ffac25b1746
Opcode Fuzzy Hash: 84b6905a04f3cbe8a5a89647b25fc7c97e8888fb23e746bbd921fa75cfd3bebd
Instruction Fuzzy Hash: 4A519F71E00319EFCF20EFA4E884AEEBBB9BF04300F90452AF551A7151D7789945CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00427B2C Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

GetStockObject.GDI32(00000011), ref: 00427B53
GetStockObject.GDI32(0000000D), ref: 00427B5B
GetObjectA.GDI32(00000000,0000003C,?), ref: 00427B68
GetDC.USER32(00000000), ref: 00427B77
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00427B8B
MulDiv.KERNEL32(00000000,00000048,00000000), ref: 00427B97
ReleaseDC.USER32(00000000,00000000), ref: 00427BA2

Strings

System, xrefs: 00427B4E, 00427BB8

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: Object$Stock$CapsDeviceRelease
String ID: System
API String ID: 46613423-3470857405
Opcode ID: 3618959336a5d2387a8584dc03d5aa96b6a4e2ba3ebebbc47e731d6b0f56e9d2
Instruction ID: 7761e190ee946e44623cd7a4fdd5fc82f47dd554012855bd1365dda4637adce3
Opcode Fuzzy Hash: 3618959336a5d2387a8584dc03d5aa96b6a4e2ba3ebebbc47e731d6b0f56e9d2
Instruction Fuzzy Hash: F5115471B00218EBDB10EBA0ED45F9E3B74EF14745F904035F605AA190D7B4AD46CB68

Uniqueness

Uniqueness Score: -1.00%

Function 00423CB8 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 42libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(COMCTL32.DLL,00008000,00000000,00000400,00424635,?,00040000), ref: 00423CC1
LoadLibraryA.KERNEL32(COMCTL32.DLL), ref: 00423CCA
GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00423CDE
#17.COMCTL32 ref: 00423CF9
#17.COMCTL32 ref: 00423D15
FreeLibrary.KERNEL32(00000000), ref: 00423D22

Strings

COMCTL32.DLL, xrefs: 00423CBB, 00423CC0, 00423CC7
InitCommonControlsEx, xrefs: 00423CD6

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: Library$AddressFreeHandleLoadModuleProc
String ID: COMCTL32.DLL$InitCommonControlsEx
API String ID: 1437655972-4218389149
Opcode ID: bf34ed095592dcafb683c73bd76fb3753a0aa3a0d8d12ebda3a1314fc7045279
Instruction ID: d616edb962f15808b37bc422b71edd0b26b380362643589d42d25bf3a016dfe7
Opcode Fuzzy Hash: bf34ed095592dcafb683c73bd76fb3753a0aa3a0d8d12ebda3a1314fc7045279
Instruction Fuzzy Hash: 72F0F936B143229797219FE0BC4891BB6B8AF95722B814436F801E3211CF2CCD0B467D

Uniqueness

Uniqueness Score: -1.00%

Function 023EF106 Relevance: 13.9, APIs: 7, Strings: 2, Instructions: 397memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0243FEC0: HeapFree.KERNEL32(00000000,?), ref: 02440037
Part of subcall function 0243FEC0: HeapFree.KERNEL32(00000000,?), ref: 0244004C

HeapFree.KERNEL32(00000000,?), ref: 023EF462
HeapFree.KERNEL32(00000000,?), ref: 023EF481

Strings

, xrefs: 023EF608
a Display implementation returned an error unexpectedly, xrefs: 023EF6F1

Memory Dump Source

Source File: 00000000.00000002.2022153806.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23d0000_app.jbxd

Similarity

API ID: FreeHeap
String ID: $a Display implementation returned an error unexpectedly
API String ID: 3298025750-229198390
Opcode ID: 4a989ce1d8dce06fcdaf41c967ec7213b86f68a563cd465c162be1f405d4bd94
Instruction ID: 414625c5c3d1399458f8c89da763baf47f40f36e75fea8c771f5cbffe84e1d8f
Opcode Fuzzy Hash: 4a989ce1d8dce06fcdaf41c967ec7213b86f68a563cd465c162be1f405d4bd94
Instruction Fuzzy Hash: F0F19171A08350ABDB25DF25D884B6BB7E2BFC8304F50492EF98997291DB719909CF43

Uniqueness

Uniqueness Score: -1.00%

Function 023EC31D Relevance: 13.8, APIs: 4, Strings: 5, Instructions: 294memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 024404D0: TlsGetValue.KERNEL32(00000000), ref: 024404E9
Part of subcall function 024404D0: TlsGetValue.KERNEL32(00000000), ref: 02440510
Part of subcall function 024404D0: TlsSetValue.KERNEL32(00000000,00000000), ref: 0244055E
Part of subcall function 024404D0: BCryptGenRandom.BCRYPT(00000000,?,00000010,00000002), ref: 02440574

HeapFree.KERNEL32(00000000,?), ref: 023EC4B0
HeapFree.KERNEL32(00000000,?), ref: 023EC64B
HeapFree.KERNEL32(00000000,?), ref: 023EC6DF
HeapFree.KERNEL32(00000000,?), ref: 023EC71B

Strings

path*fatal runtime error: I/O error: operation failed to complete synchronously, xrefs: 023EC3CD
cannot access a Thread Local Storage value during or after destruction/rustc/25ef9e3d85d934b27d9dada2f9dd52b1dc63bb04\library\std\src\thread\local.rs, xrefs: 023EC744
Invalid, xrefs: 023EC6C0
nametitlebodystruct RecvSfilemaster_keyprofileslocal_statelogin_datacookieshistorycreditcardslocalstate_cachelogins_master_keyextensionsFailed building the Runtime, xrefs: 023EC3A0
APPDATA, xrefs: 023EC521

Memory Dump Source

Source File: 00000000.00000002.2022153806.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23d0000_app.jbxd

Similarity

API ID: FreeHeap$Value$CryptRandom
String ID: APPDATA$Invalid$cannot access a Thread Local Storage value during or after destruction/rustc/25ef9e3d85d934b27d9dada2f9dd52b1dc63bb04\library\std\src\thread\local.rs$nametitlebodystruct RecvSfilemaster_keyprofileslocal_statelogin_datacookieshistorycreditcardslocalstate_cachelogins_master_keyextensionsFailed building the Runtime$path*fatal runtime error: I/O error: operation failed to complete synchronously
API String ID: 740635937-1962946080
Opcode ID: bbd61a22c7b981d7e19bc2c1bd071b76b30ae9db0207ab81e83c3df0b9f282c0
Instruction ID: 1b05087313058ca5069b1b75cd19e9d0c43e086d7020d250b943a53ccb92dcc2
Opcode Fuzzy Hash: bbd61a22c7b981d7e19bc2c1bd071b76b30ae9db0207ab81e83c3df0b9f282c0
Instruction Fuzzy Hash: 73C12A75A083509FD714DF25C880A5FB7E2BFC8314F04892EE99997291EB74D909CF82

Uniqueness

Uniqueness Score: -1.00%

Function 00420A21 Relevance: 13.8, APIs: 9, Instructions: 293COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(00000000,00000000,0043A9D4,00000001,0043A9D4,00000001,0043B4A8,00000040,00420655,?,00000001,?,00000000,?,00000000,?), ref: 00420A50
GetLastError.KERNEL32(?,0041FB6C,00000000,00000000,00000000,00000000,00000000,?,0041DD55,00000007,?,?,00000000,00000006,00000006), ref: 00420A62
GetCPInfo.KERNEL32(00000000,0041509C,0043B4A8,00000040,00420655,?,00000001,?,00000000,?,00000000,?,?,0041FB6C,00000000,00000000), ref: 00420B0C
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000004,00000000,00000000,?,0041FB6C,00000000,00000000,00000000,00000000,00000000,?,0041DD55,00000007), ref: 00420B9A
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000004,00000064,00000000,?,0041FB6C,00000000,00000000,00000000,00000000,00000000,?,0041DD55,00000007), ref: 00420C13
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,004151C7,00000000,00000000,?,0041FB6C,00000000,00000000,00000000,00000000,00000000,?,0041DD55,00000007), ref: 00420C30
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,004151C7,?,00000000,?,0041FB6C,00000000,00000000,00000000,00000000,00000000,?,0041DD55,00000007), ref: 00420CA6

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: ByteCharMultiWide$CompareErrorInfoLastString
String ID:
API String ID: 1773772771-0
Opcode ID: edf37570b9a6133125698eafa9279b85b7ab7cef9f5632037470c00f62594779
Instruction ID: 81078ee3ce04f899a7a6ce9267cfb065c325f8bad144afdf8676d079718d4fdb
Opcode Fuzzy Hash: edf37570b9a6133125698eafa9279b85b7ab7cef9f5632037470c00f62594779
Instruction Fuzzy Hash: 33B19C71A00229EBCF21CF95EC81AEF7BF5EF45314FA4012BF810A6262D7799851CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0041829A Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 228COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00418352
__allrem.LIBCMT ref: 0041836A
__allrem.LIBCMT ref: 00418386
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004183C1
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004183DD
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004183F4

Part of subcall function 0041E2CF: __lock.LIBCMT ref: 0041E2DA

Strings

E, xrefs: 00418318

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@$__lock
String ID: E
API String ID: 4106114094-3568589458
Opcode ID: 40e9ca99cd16e90638289c3b0e916505e15a49d27cb8c4a42bceb70da9c6c163
Instruction ID: b1dc9613c2a7d863b46b9fc589b77863b1e0655e39923395906f12520c05418b
Opcode Fuzzy Hash: 40e9ca99cd16e90638289c3b0e916505e15a49d27cb8c4a42bceb70da9c6c163
Instruction Fuzzy Hash: 7F718071E00619BFDB14DFA9CC81BDEB7B6EB44314F14816EE514E7281EB789A808B58

Uniqueness

Uniqueness Score: -1.00%

Function 00414111 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 135COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00414116
VariantClear.OLEAUT32(?), ref: 004141BB
SysFreeString.OLEAUT32(?), ref: 00414238
SysFreeString.OLEAUT32(?), ref: 00414246
SysFreeString.OLEAUT32(?), ref: 00414254
VariantClear.OLEAUT32(?), ref: 00414269

Part of subcall function 00413BE3: __EH_prolog.LIBCMT ref: 00413BE8
Part of subcall function 00413BE3: VariantClear.OLEAUT32(?), ref: 00413C4D

Part of subcall function 004150C1: VariantCopy.OLEAUT32(?,?), ref: 004150C9

Strings

`)u, xrefs: 00414238, 00414246, 00414254

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: Variant$ClearFreeString$H_prolog$Copy
String ID: `)u
API String ID: 3098219910-4279031584
Opcode ID: 07ac1883145407bfd2158c196e3fcb000a03d1c9a0b2083fd5ca9be8544c246f
Instruction ID: 42ef2da4cf5b7abc8d447338bc900a50df6f05a4ba720132606da66aa4bd1274
Opcode Fuzzy Hash: 07ac1883145407bfd2158c196e3fcb000a03d1c9a0b2083fd5ca9be8544c246f
Instruction Fuzzy Hash: E65107B190020AEFCB14CFE4C9849EEBBB9FF88304F64456EE516A7251D734A985CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0042BE69 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 94stringCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(?,?,00000104), ref: 0042BEA5
PathFindExtensionA.SHLWAPI(?), ref: 0042BEB2

Part of subcall function 0042BE3A: PathFindFileNameA.SHLWAPI(?,00427185,?,?,?), ref: 0042BE3E
Part of subcall function 0042BE3A: lstrlenA.KERNEL32(00000000), ref: 0042BE4C

lstrcpyA.KERNEL32(?,.HLP,?,?,00000104), ref: 0042BF3D
lstrcatA.KERNEL32(?,.INI,?,?,00000104), ref: 0042BF6A

Part of subcall function 00417838: _strlen.LIBCMT ref: 00417842
Part of subcall function 00417838: _strcat.LIBCMT ref: 00417856

Strings

.HLP, xrefs: 0042BF35
.CHM, xrefs: 0042BF2E
.INI, xrefs: 0042BF5E

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: FileFindNamePath$ExtensionModule_strcat_strlenlstrcatlstrcpylstrlen
String ID: .CHM$.HLP$.INI
API String ID: 4056043433-4017452060
Opcode ID: 5208ab65a18fcb4c340f3c54e1a250997058e9b9430b917999dc72298521812a
Instruction ID: f23bd32b8940e093c85a1fee808d6a361bb9d4e487b19eb4f682e07407b9da65
Opcode Fuzzy Hash: 5208ab65a18fcb4c340f3c54e1a250997058e9b9430b917999dc72298521812a
Instruction Fuzzy Hash: 76314D71A447289FCB21DB65ED44ADAB7F8FB18304F9048ABE586D7240D7B8E980CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00402C6D Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 79windowCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00402C72
_strcat.LIBCMT ref: 00402C97
_strcat.LIBCMT ref: 00402CBA

Part of subcall function 00401FE9: lstrlenA.KERNEL32(?,?,?,?,00402E72,?), ref: 00402008

Part of subcall function 00402B19: __EH_prolog.LIBCMT ref: 00402B1E

Part of subcall function 00402B19: _strcat.LIBCMT ref: 00402C03
Part of subcall function 00402B19: _strcat.LIBCMT ref: 00402C32

MessageBoxA.USER32(00000000,?,00000000,00000030), ref: 00402D19

Part of subcall function 00401F77: InterlockedDecrement.KERNEL32(?), ref: 00401F8B

Strings

7096E8DFB9895410E31C2B9366BC3029, xrefs: 00402C91
20000921, xrefs: 00402CC2
F7046D1D86401363B3A65AD1DF955C613B5580562C80305B0E0429C491B9426B72F255A74DBED86AE98221EB993227B1317D2C85EE62773CE31C2B9366BC3029, xrefs: 00402CB2

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: _strcat$H_prolog$DecrementInterlockedMessagelstrlen
String ID: 20000921$7096E8DFB9895410E31C2B9366BC3029$F7046D1D86401363B3A65AD1DF955C613B5580562C80305B0E0429C491B9426B72F255A74DBED86AE98221EB993227B1317D2C85EE62773CE31C2B9366BC3029
API String ID: 1506073452-3646279038
Opcode ID: f1907d0cb0e8ebf3db968acc4532da3dd8ba0aae87a28045fc38d5a49be86aa8
Instruction ID: be63b5ce1a2537a5fc28513cc38743cb582c7cc1474271a0e0f7679b016a2b72
Opcode Fuzzy Hash: f1907d0cb0e8ebf3db968acc4532da3dd8ba0aae87a28045fc38d5a49be86aa8
Instruction Fuzzy Hash: 51219231E4022976DB157BE29D47EEF7A3CBF4574CF40012AB110710E2CABD8511C6A9

Uniqueness

Uniqueness Score: -1.00%

Function 004109F8 Relevance: 12.3, APIs: 8, Instructions: 303memoryCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004109FD

Part of subcall function 0040F320: CoGetClassObject.OLE32(?,?,00000000,0043B5B0,?), ref: 0040F340

Part of subcall function 0042909A: __EH_prolog.LIBCMT ref: 0042909F

Part of subcall function 0042917F: __EH_prolog.LIBCMT ref: 00429184

CreateILockBytesOnHGlobal.OLE32(00000000,00000001,?), ref: 00410B86
StgCreateDocfileOnILockBytes.OLE32(?,00001012,00000000,?), ref: 00410BA7
GlobalAlloc.KERNEL32(00000000,00000000), ref: 00410BFA
GlobalLock.KERNEL32(00000000), ref: 00410C08
GlobalUnlock.KERNEL32(?), ref: 00410C20
CreateILockBytesOnHGlobal.OLE32(?,00000001,?), ref: 00410C43
StgOpenStorageOnILockBytes.OLE32(?,00000000,00000012,00000000,00000000,?), ref: 00410C5F

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: GlobalLock$Bytes$CreateH_prolog$AllocClassDocfileObjectOpenStorageUnlock
String ID:
API String ID: 645133905-0
Opcode ID: b2b2bea8cbad52ffde94552cb1eeef876acfceeb8123a82e964a875202a98a95
Instruction ID: afee7d1c3fb3890a556bcd0f298f766d1f0dc21064698dd4bbe6f21a1270b98b
Opcode Fuzzy Hash: b2b2bea8cbad52ffde94552cb1eeef876acfceeb8123a82e964a875202a98a95
Instruction Fuzzy Hash: 92C11C70A00209EFCB14DF55C988AAFBBB9FF89704B20455AF811DB250D7B5D981CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 023F562F Relevance: 12.2, APIs: 7, Strings: 1, Instructions: 174memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(00000000), ref: 023F58DF
HeapFree.KERNEL32(00000000,?), ref: 023F5969
HeapFree.KERNEL32(00000000,?,02470458,024703AC,02470574), ref: 023F60B5
HeapFree.KERNEL32(00000000,?,02470458,024703AC,02470574), ref: 023F60D2
HeapFree.KERNEL32(00000000,?,02470458,024703AC,02470574), ref: 023F6105
CloseHandle.KERNEL32(?), ref: 023F632F

Strings

nullfalsetrue\"\\\b\f\n\r\t0123456789abcdef[],{ ,, xrefs: 023F563C

Memory Dump Source

Source File: 00000000.00000002.2022153806.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23d0000_app.jbxd

Similarity

API ID: FreeHeap$CloseHandle
String ID: nullfalsetrue\"\\\b\f\n\r\t0123456789abcdef[],{ ,
API String ID: 1910495013-2124985433
Opcode ID: 213e072e91dfbc19a7160789e1a5c2c9518edb55bdc86bbf031dea40a92bcd53
Instruction ID: 7aad55eeb7b9d74892f852fd875dde128042270181ec50cff2d15b3cf423887e
Opcode Fuzzy Hash: 213e072e91dfbc19a7160789e1a5c2c9518edb55bdc86bbf031dea40a92bcd53
Instruction Fuzzy Hash: E4819F34608341EFDB69CF20D484BDABBE2BF99304F04496DDA994B3A1C771A895CF42

Uniqueness

Uniqueness Score: -1.00%

Function 0041E74E Relevance: 12.2, APIs: 8, Instructions: 171COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,?,0043B308,00000038,0041B383,?,00000000,00000000,00417F33,00000000,00000000,0043A9D8,0000001C,00417C5C,00000001,00000020), ref: 0041E78F
GetCPInfo.KERNEL32(00000000,00000001), ref: 0041E7A2
_strlen.LIBCMT ref: 0041E7C6
MultiByteToWideChar.KERNEL32(00000000,00000001,00417F33,?,00000000,00000000), ref: 0041E7E7

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: Info$ByteCharMultiWide_strlen
String ID:
API String ID: 1335377746-0
Opcode ID: d74cba8254ec2bfd0c144a8bf9bd115fbbb8afc32ca4826cef1f7a671004a385
Instruction ID: fc1a395a9e190c6ff5981a5420c4fd796a0b1c48162dbb2f99a844a39120510b
Opcode Fuzzy Hash: d74cba8254ec2bfd0c144a8bf9bd115fbbb8afc32ca4826cef1f7a671004a385
Instruction Fuzzy Hash: 5D516B75900218EBCF219F56CC449DFBBB8EF89764F24412AF825A6290D7399C81CB68

Uniqueness

Uniqueness Score: -1.00%

Function 0041ADAA Relevance: 12.1, APIs: 8, Instructions: 131COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(75920A60,00000000,?,?,?,?,00415EF3,?,0043A478,00000060), ref: 0041ADC6
GetLastError.KERNEL32(?,?,?,?,00415EF3,?,0043A478,00000060), ref: 0041ADDA
GetEnvironmentStringsW.KERNEL32(75920A60,00000000,?,?,?,?,00415EF3,?,0043A478,00000060), ref: 0041ADFC
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,75920A60,00000000,?,?,?,?,00415EF3), ref: 0041AE30
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,?,?,00415EF3,?,0043A478,00000060), ref: 0041AE52
FreeEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,00415EF3,?,0043A478,00000060), ref: 0041AE6B
GetEnvironmentStrings.KERNEL32(75920A60,00000000,?,?,?,?,00415EF3,?,0043A478,00000060), ref: 0041AE81
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 0041AEBD

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: EnvironmentStrings$ByteCharFreeMultiWide$ErrorLast
String ID:
API String ID: 883850110-0
Opcode ID: 5d9af8b0ec94a11fde1199224c6a39cf95f31cea720f82314cb6ac7f0f98ace0
Instruction ID: 7296914fd50a4553077de3f83afbd56d29e7c3b49a51b8de6ea79e60193acd72
Opcode Fuzzy Hash: 5d9af8b0ec94a11fde1199224c6a39cf95f31cea720f82314cb6ac7f0f98ace0
Instruction Fuzzy Hash: 60315772646318AFDB306F759C848BBB6ACEB55358B55083FF441C3301D7698CE682AB

Uniqueness

Uniqueness Score: -1.00%

Function 0042340F Relevance: 12.1, APIs: 8, Instructions: 71registryCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00423414
GetClassInfoA.USER32(?,?,?), ref: 0042342F
RegisterClassA.USER32(00000004), ref: 00423442

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: Class$H_prologInfoRegister
String ID:
API String ID: 3715460918-0
Opcode ID: ae984635e655e5db520392ed793df418be20265cf8730173f5c4cd27a1fe2e35
Instruction ID: 0db0b4e4c4e337a484aff126d2be670c2f0469505d5c1c4381f3c1d533b8c960
Opcode Fuzzy Hash: ae984635e655e5db520392ed793df418be20265cf8730173f5c4cd27a1fe2e35
Instruction Fuzzy Hash: 8A21D831600214EFCB11EF61DD44BAE7BF8EF44715F80456AF84692150C738E606DB69

Uniqueness

Uniqueness Score: -1.00%

Function 00421C7B Relevance: 12.1, APIs: 8, Instructions: 65memorystringCOMMON

Download Yara Rule

APIs

GlobalLock.KERNEL32(?), ref: 00421C98
lstrcmpA.KERNEL32(?,?), ref: 00421CA4
OpenPrinterA.WINSPOOL.DRV(?,?,00000000), ref: 00421CB6
DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 00421CD6
GlobalAlloc.KERNEL32(00000042,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 00421CDE
GlobalLock.KERNEL32(00000000), ref: 00421CE8
DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000002), ref: 00421CF5
ClosePrinter.WINSPOOL.DRV(?,00000000,?,?,00000000,00000000,00000002), ref: 00421D0D

Part of subcall function 00428D39: GlobalFlags.KERNEL32(?), ref: 00428D43
Part of subcall function 00428D39: GlobalUnlock.KERNEL32(?,00000000,?,00421D07,?,00000000,?,?,00000000,00000000,00000002), ref: 00428D54
Part of subcall function 00428D39: GlobalFree.KERNEL32(?), ref: 00428D5F

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: Global$DocumentLockProperties$AllocCloseFlagsFreeOpenPrinterPrinter.Unlocklstrcmp
String ID:
API String ID: 168474834-0
Opcode ID: 7520906973776876a09beb12d5341ab987b3d81d92ef3fb3478fec3813e9e38f
Instruction ID: ec8fd795588025b9ef10f7e2b5649213c33d9538cf3f0e4b05607c2785a29bd5
Opcode Fuzzy Hash: 7520906973776876a09beb12d5341ab987b3d81d92ef3fb3478fec3813e9e38f
Instruction Fuzzy Hash: F3119176300114FEDB216F66EC45D6FBABCEB95744B90442EBA01D2221D639DD41EB38

Uniqueness

Uniqueness Score: -1.00%

Function 023EC2A1 Relevance: 10.8, APIs: 3, Strings: 4, Instructions: 295COMMON

Download Yara Rule

Strings

a Display implementation returned an error unexpectedly, xrefs: 023EC303
path*fatal runtime error: I/O error: operation failed to complete synchronously, xrefs: 023EC3CD
nametitlebodystruct RecvSfilemaster_keyprofileslocal_statelogin_datacookieshistorycreditcardslocalstate_cachelogins_master_keyextensionsFailed building the Runtime, xrefs: 023EC3A0
APPDATA, xrefs: 023EC521

Memory Dump Source

Source File: 00000000.00000002.2022153806.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23d0000_app.jbxd

Similarity

API ID:
String ID: APPDATA$a Display implementation returned an error unexpectedly$nametitlebodystruct RecvSfilemaster_keyprofileslocal_statelogin_datacookieshistorycreditcardslocalstate_cachelogins_master_keyextensionsFailed building the Runtime$path*fatal runtime error: I/O error: operation failed to complete synchronously
API String ID: 0-422089487
Opcode ID: a2a214908cc5acbe45a39a0f7ebe55ba1d50722805ec73687bf0249711f25dfd
Instruction ID: ba9bfeeaf3e4ef2416528a9b8e12dae614cc88b378d20b19b8b4643a325354f6
Opcode Fuzzy Hash: a2a214908cc5acbe45a39a0f7ebe55ba1d50722805ec73687bf0249711f25dfd
Instruction Fuzzy Hash: 09C15BB1A083519FD714DF19C480A5AF7E2BFC8314F04892EE99997391EB70D949CF82

Uniqueness

Uniqueness Score: -1.00%

Function 0042CFDA Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 206stringCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0042CFDF
lstrlenA.KERNEL32(?,?,00000000), ref: 0042D00A
VariantClear.OLEAUT32(0000000C), ref: 0042D122

Strings

`)u, xrefs: 0042D226

Memory Dump Source

Source File: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: ClearH_prologVariantlstrlen
String ID: `)u
API String ID: 2416264355-4279031584
Opcode ID: efe1f8e2d027bb539b6952ef50c248406a08c1723eab44b7f766eecb89339f4a
Instruction ID: f3a95c8978b032038e64618ba00bdc82d4aaf35a1c96e633dbad15f413149c7c
Opcode Fuzzy Hash: efe1f8e2d027bb539b6952ef50c248406a08c1723eab44b7f766eecb89339f4a
Instruction Fuzzy Hash: D6711531E0062AEBCB10DFA5F8856AEBBB0FF04310F90855BF81597240D738D951DBA9

Uniqueness

Uniqueness Score: -1.00%

Function 02437320 Relevance: 10.7, APIs: 7, Instructions: 169filememoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00120114,000000EF,E8F289D9,?,00000000,00000000), ref: 0243747B
GetLastError.KERNEL32 ref: 02437498
SetFileInformationByHandle.KERNEL32(00000000,00000006,00000000,00000008), ref: 024374C3
GetLastError.KERNEL32 ref: 024374E1
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,0243A785,?), ref: 02437501
GetLastError.KERNEL32 ref: 0243750C
CloseHandle.KERNEL32(00000000), ref: 02437519

Memory Dump Source

Source File: 00000000.00000002.2022153806.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23d0000_app.jbxd

Similarity

API ID: ErrorLast$FileHandle$CloseCreateFreeHeapInformation
String ID:
API String ID: 4103088332-0
Opcode ID: 8bbdf7f1ffe66e20568519836f744a1aace010d2cc9e0da640b9fad22ebf7b86
Instruction ID: 65b9b44db5af6d8ed83bd6ff14bf5e946a998d082677f809394db6bb9f309cf0
Opcode Fuzzy Hash: 8bbdf7f1ffe66e20568519836f744a1aace010d2cc9e0da640b9fad22ebf7b86
Instruction Fuzzy Hash: 815192B0948340AFEB26CF24C48476BBBE1AF89314F14895EEDD94B386D3B4D455CB52

Uniqueness

Uniqueness Score: -1.00%

Function 02450340 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 02450377
___except_validate_context_record.LIBVCRUNTIME ref: 0245037F
_ValidateLocalCookies.LIBCMT ref: 02450408
__IsNonwritableInCurrentImage.LIBCMT ref: 02450433
_ValidateLocalCookies.LIBCMT ref: 02450488

Strings

csm, xrefs: 0245041D

Memory Dump Source

Source File: 00000000.00000002.2022153806.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23d0000_app.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 0c56793029708be8824af12130febfc077099aaa37c45b8c95daaa3983a67d38
Instruction ID: e336628c473c398a678b9a76be0190dac008de3a45946b7a388a6e534f821772
Opcode Fuzzy Hash: 0c56793029708be8824af12130febfc077099aaa37c45b8c95daaa3983a67d38
Instruction Fuzzy Hash: 1841A538A00228ABCF10DF69C884A9EBFB5AF49318F14819BEC599B353D771D915CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0040E4FD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 116comstringCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040E502
GetObjectA.GDI32(0040D840,0000003C,?), ref: 0040E574
lstrlenA.KERNEL32(?), ref: 0040E585
GetDeviceCaps.GDI32(?,0000005A), ref: 0040E5F9
OleCreateFontIndirect.OLEAUT32(00000020,0043B660,?), ref: 0040E625

Strings

, xrefs: 0040E57E

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: CapsCreateDeviceFontH_prologIndirectObjectlstrlen
String ID:
API String ID: 4082312370-3916222277
Opcode ID: 9d852aacc324d793c307b9bc4f5cb1ae80cc7621a4b1ed0e7d4aaa0040eccceb
Instruction ID: 28e09a9122b547e86938a5d239e18cad7ca67ec09992f0ac5eed7e9960d5d504
Opcode Fuzzy Hash: 9d852aacc324d793c307b9bc4f5cb1ae80cc7621a4b1ed0e7d4aaa0040eccceb
Instruction Fuzzy Hash: 32417A71E00219EFCB20DFA6D885AEEBBB4BF18308F50452EE415E3291E7789A45CF54

Uniqueness

Uniqueness Score: -1.00%

Function 004241E6 Relevance: 10.6, APIs: 7, Instructions: 115windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00424214
PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 0042423B
UpdateWindow.USER32(?), ref: 00424255
SendMessageA.USER32(?,00000121,00000000,?), ref: 00424279
SendMessageA.USER32(?,0000036A,00000000,00000004), ref: 00424293
UpdateWindow.USER32(?), ref: 004242D9
PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 0042430D

Part of subcall function 0042663C: GetWindowLongA.USER32(?,000000F0), ref: 00426648

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: Message$Window$PeekSendUpdate$LongParent
String ID:
API String ID: 2853195852-0
Opcode ID: 443e82fd054304042dfa914eb5858c3173381fb830609d78dbd8dc54ea1c93a7
Instruction ID: 89365fabb3662f47a8456e8abc8f74eacdd1bee40569780c245ffab03503297d
Opcode Fuzzy Hash: 443e82fd054304042dfa914eb5858c3173381fb830609d78dbd8dc54ea1c93a7
Instruction Fuzzy Hash: 5941E430304360DFD721DF22EC44A2BBAF4FFD1B98F90097EF481921A1C7699849C62A

Uniqueness

Uniqueness Score: -1.00%

Function 0042A65A Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 107registryCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0042A65F
RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 0042A71B
RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 0042A735
RegCloseKey.ADVAPI32(?,?,?,?,Software\), ref: 0042A74F
RegQueryValueA.ADVAPI32(80000001,?,?,?), ref: 0042A765

Strings

Software\, xrefs: 0042A6B4

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: CloseEnumH_prologOpenQueryValue
String ID: Software\
API String ID: 2161548231-964853688
Opcode ID: 9845bd2fcb0797600897e3fcf3e96c38015a830924c55a3160526b0b273f9273
Instruction ID: 60a233a4efbdb4d877ad5cbd16216c248d17419bcb0c5f4008330a88f52c4ae4
Opcode Fuzzy Hash: 9845bd2fcb0797600897e3fcf3e96c38015a830924c55a3160526b0b273f9273
Instruction Fuzzy Hash: 3341A031A00119ABCF11DBA0DC85EEFB7B9FF88304F50012AF511B3291DB389A15CB69

Uniqueness

Uniqueness Score: -1.00%

Function 004040E3 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 93COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004040E8
GetModuleFileNameA.KERNEL32(00400000,?,00000104,?), ref: 0040410A

Part of subcall function 00401FE9: lstrlenA.KERNEL32(?,?,?,?,00402E72,?), ref: 00402008

Part of subcall function 00402FCE: __EH_prolog.LIBCMT ref: 00402FD3

CharLowerA.USER32(?,?,00000004,?), ref: 00404141

Part of subcall function 004033FA: __EH_prolog.LIBCMT ref: 004033FF

_strcat.LIBCMT ref: 004041D4

Part of subcall function 00402C6D: __EH_prolog.LIBCMT ref: 00402C72
Part of subcall function 00402C6D: _strcat.LIBCMT ref: 00402C97
Part of subcall function 00402C6D: _strcat.LIBCMT ref: 00402CBA
Part of subcall function 00402C6D: MessageBoxA.USER32(00000000,?,00000000,00000030), ref: 00402D19

Strings

(1D, xrefs: 00404173
.dll, xrefs: 00404147

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: H_prolog$_strcat$CharFileLowerMessageModuleNamelstrlen
String ID: (1D$.dll
API String ID: 1009733722-1666350075
Opcode ID: 5e346a47d57f0f3e063833318336f299f633875872b39283794376379ce5ba2e
Instruction ID: 03a9ba815adcd8ec93f3d37bde2f3f8c5eec0943ace6b228f8ee0bf5dcf52d0d
Opcode Fuzzy Hash: 5e346a47d57f0f3e063833318336f299f633875872b39283794376379ce5ba2e
Instruction Fuzzy Hash: EB31A171904249AEDB01EFA1CD46EEEBB78AF24308F10007EF155B21D2DB785B48CB69

Uniqueness

Uniqueness Score: -1.00%

Function 004019F0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91windowCOMMON

Download Yara Rule

APIs

GetSystemMenu.USER32(?,00000000,?,?,?,?,?,0042DD38,000000FF), ref: 00401A16
AppendMenuA.USER32(?,00000800,00000000,00000000), ref: 00401A7D
AppendMenuA.USER32(?,00000000,00000010,00000010), ref: 00401A88

Part of subcall function 00401820: FindResourceA.KERNEL32(?,?,00000006), ref: 0040183A

SendMessageA.USER32(?,00000080,00000001,?), ref: 00401AC5
SendMessageA.USER32(?,00000080,00000000,?), ref: 00401AD9

Strings

user-12345678, xrefs: 00401ADB

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: Menu$AppendMessageSend$FindResourceSystem
String ID: user-12345678
API String ID: 858472958-2755188220
Opcode ID: c756d84365dae25f8462fd63b73cac35b8282b64e018d40d228abaed280fe13c
Instruction ID: 3b30e15d64c7f474da2be64c65720a04101d9d6b3a2cd516c52670f7795c8fad
Opcode Fuzzy Hash: c756d84365dae25f8462fd63b73cac35b8282b64e018d40d228abaed280fe13c
Instruction Fuzzy Hash: 84317E71340701AFD320EF65CC45F17B3A8EF88710F508A2AF5519B2D1CBB8E8058B68

Uniqueness

Uniqueness Score: -1.00%

Function 004145C5 Relevance: 10.6, APIs: 7, Instructions: 86windowCOMMON

Download Yara Rule

APIs

GetWindow.USER32(?,00000002), ref: 004145E0
GetParent.USER32(?), ref: 004145F1
GetWindow.USER32(?,00000002), ref: 00414614
GetWindow.USER32(?,00000002), ref: 00414626
GetWindowLongA.USER32(?,000000EC), ref: 00414635
IsWindowVisible.USER32(?), ref: 0041464F
GetTopWindow.USER32(?), ref: 00414675

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: Window$LongParentVisible
String ID:
API String ID: 506644340-0
Opcode ID: 45eadc8b458de43bde7c9e092fd1932caba4420e0a9f48f5c06109cc70392342
Instruction ID: ebd6f0984fa48f2bf8ba37bc0dad7d39dec8952187d8cbd4be4ea4dd5bc4bcd7
Opcode Fuzzy Hash: 45eadc8b458de43bde7c9e092fd1932caba4420e0a9f48f5c06109cc70392342
Instruction Fuzzy Hash: 6121F5317007216BC7306B659C09FAB77ACEFC2798F45053ABA41DB251C72CDC4686AC

Uniqueness

Uniqueness Score: -1.00%

Function 0042BC08 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000001,software,00000000,0002001F,?,?,00000000), ref: 0042BC36
RegCreateKeyExA.ADVAPI32(?,00000000,00000000,00000000,00000000,0002001F,00000000,?,?,?,00000000), ref: 0042BC59
RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?,?,00000000), ref: 0042BC75
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0042BC85
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0042BC8F

Strings

software, xrefs: 0042BC1E

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: CloseCreate$Open
String ID: software
API String ID: 1740278721-2010147023
Opcode ID: a07ef03d32e418125c98845893222a59e1d7b78c696368899b11d02bf983a4c5
Instruction ID: 64b97b5fe25ac38e929414c9c763e2fcce4b8d3dd38ef5aad07515420139dc36
Opcode Fuzzy Hash: a07ef03d32e418125c98845893222a59e1d7b78c696368899b11d02bf983a4c5
Instruction Fuzzy Hash: 0411CB76A00258FB9B21DF9ADD84CDFBFBCEF85700B5000BAA504A2111D7719A45DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040D05C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 61stringCOMMON

Download Yara Rule

APIs

SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0040D09A
GetSystemMetrics.USER32(00000000), ref: 0040D0B2
GetSystemMetrics.USER32(00000001), ref: 0040D0B9
lstrcpyA.KERNEL32(?,DISPLAY), ref: 0040D0DD

Strings

DISPLAY, xrefs: 0040D0D4
B, xrefs: 0040D079

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: System$Metrics$InfoParameterslstrcpy
String ID: B$DISPLAY
API String ID: 1409579217-3316187204
Opcode ID: aa875fb899d8b8cdc6035337f91c3cfdfa7e814ee4d75c511dac12003764187e
Instruction ID: 7d79b360eed3925eabdee55bcf9e6e46b2a378b8c0ece8e258d689888b9aa654
Opcode Fuzzy Hash: aa875fb899d8b8cdc6035337f91c3cfdfa7e814ee4d75c511dac12003764187e
Instruction Fuzzy Hash: 3211C671A00224DBCF219FA4DC8095BBBB8EF05744F408077FD09BA141C274D916CBE9

Uniqueness

Uniqueness Score: -1.00%

Function 0042BF90 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 38libraryloaderCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000000,00000000,004282FD,?,?,?,?), ref: 0042BF99
SetErrorMode.KERNEL32(00000000), ref: 0042BFA1
GetModuleHandleA.KERNEL32(user32.dll), ref: 0042BFEC
GetProcAddress.KERNEL32(00000000,NotifyWinEvent), ref: 0042BFFC

Part of subcall function 0042BE69: GetModuleFileNameA.KERNEL32(?,?,00000104), ref: 0042BEA5
Part of subcall function 0042BE69: PathFindExtensionA.SHLWAPI(?), ref: 0042BEB2
Part of subcall function 0042BE69: lstrcpyA.KERNEL32(?,.HLP,?,?,00000104), ref: 0042BF3D
Part of subcall function 0042BE69: lstrcatA.KERNEL32(?,.INI,?,?,00000104), ref: 0042BF6A

Strings

NotifyWinEvent, xrefs: 0042BFF6
user32.dll, xrefs: 0042BFE7

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: ErrorModeModule$AddressExtensionFileFindHandleNamePathProclstrcatlstrcpy
String ID: NotifyWinEvent$user32.dll
API String ID: 4004864024-597752486
Opcode ID: c693ce6a2e765cc9099c900ab09abb04ea83f55a69a3113b2ed044f042921076
Instruction ID: 8050f7acd3555061b9cb0811210370212b3dde1f57db23d13128c8b76d78117c
Opcode Fuzzy Hash: c693ce6a2e765cc9099c900ab09abb04ea83f55a69a3113b2ed044f042921076
Instruction Fuzzy Hash: 89016D75B40260DFC720EF65E904A5A3BA4EF04700F8684AFF944D7362DB78D840CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 00426E74 Relevance: 10.5, APIs: 7, Instructions: 29COMMON

Download Yara Rule

APIs

GetSysColor.USER32(0000000F), ref: 00426E80
GetSysColor.USER32(00000010), ref: 00426E87
GetSysColor.USER32(00000014), ref: 00426E8E
GetSysColor.USER32(00000012), ref: 00426E95
GetSysColor.USER32(00000006), ref: 00426E9C
GetSysColorBrush.USER32(0000000F), ref: 00426EA9
GetSysColorBrush.USER32(00000006), ref: 00426EB0

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: Color$Brush
String ID:
API String ID: 2798902688-0
Opcode ID: 217f39869b888a1c3749961ae9e7e8c44d1ab5d44a913a51842b180abdde359a
Instruction ID: 849f2a7d79a27e67f6fb90856910374a9d4c7919ec4fb8f2b3bca5a51304e481
Opcode Fuzzy Hash: 217f39869b888a1c3749961ae9e7e8c44d1ab5d44a913a51842b180abdde359a
Instruction Fuzzy Hash: D6F0F871A407489BD730BB729D09B47BAE1FFC4B10F42093EE2818BA90E6B6E0419F44

Uniqueness

Uniqueness Score: -1.00%

Function 00413BE3 Relevance: 9.4, APIs: 6, Instructions: 386COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00413BE8
VariantClear.OLEAUT32(?), ref: 00413C4D
VariantClear.OLEAUT32(00000007), ref: 00413F7B
VariantClear.OLEAUT32(?), ref: 004140F0

Part of subcall function 004150C1: VariantCopy.OLEAUT32(?,?), ref: 004150C9

Part of subcall function 0041068B: SystemTimeToVariantTime.OLEAUT32(?), ref: 004106D9

VariantClear.OLEAUT32(?), ref: 004140D0

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: Variant$Clear$Time$CopyH_prologSystem
String ID:
API String ID: 2075586698-0
Opcode ID: 5fca67dab6d645ae0528530928cc235c45b69b13cbb83de34b48013661cf2efe
Instruction ID: e55dc214bb347d680c00c7b0307744ac7d9360fc785a26e3059a799186a01771
Opcode Fuzzy Hash: 5fca67dab6d645ae0528530928cc235c45b69b13cbb83de34b48013661cf2efe
Instruction Fuzzy Hash: 94E16F7090011CEACF15DBA5C890AFEBBB9FF48304F14809BE855A7291DB385A89DB65

Uniqueness

Uniqueness Score: -1.00%

Function 024381C2 Relevance: 9.4, APIs: 6, Instructions: 379memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 02437530: GetFileInformationByHandle.KERNEL32(?,?), ref: 02437559
Part of subcall function 02437530: GetFileInformationByHandleEx.KERNEL32(?,00000009,?,00000008), ref: 0243758C

SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001), ref: 0243825E
HeapFree.KERNEL32(00000000,00000000), ref: 024382DF
HeapFree.KERNEL32(00000000,?), ref: 024382F0

Memory Dump Source

Source File: 00000000.00000002.2022153806.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23d0000_app.jbxd

Similarity

API ID: File$FreeHandleHeapInformation$Pointer
String ID:
API String ID: 1293978381-0
Opcode ID: 57a04430a03d45499c31ec2d176c1c24efa1bab72bef6d5882bf7c2dfaf04d01
Instruction ID: 176b6d1b2aa94fc6fa432c7dd8508b7628c94099bc27611184ad89b00467bc9b
Opcode Fuzzy Hash: 57a04430a03d45499c31ec2d176c1c24efa1bab72bef6d5882bf7c2dfaf04d01
Instruction Fuzzy Hash: 06F1E175600B008FD725CF29C584B66FBF2BB48314F148A2EE99A8BBA1D771F845CB40

Uniqueness

Uniqueness Score: -1.00%

Function 004184F8 Relevance: 9.2, APIs: 6, Instructions: 195COMMON

Download Yara Rule

APIs

Part of subcall function 0041DAF6: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0041DB68

Part of subcall function 0041E2FD: __lock.LIBCMT ref: 0041E300

__allrem.LIBCMT ref: 004185FC
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0041861C
__allrem.LIBCMT ref: 00418638
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0041865B
__allrem.LIBCMT ref: 00418678
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0041869D

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$__allrem$__lock
String ID:
API String ID: 1282128132-0
Opcode ID: 0fb219234647b93d8b01825728a114d084ae9b401ab119cd8ae1faaea6db2d43
Instruction ID: f419132dcab6dfd70cd12f22c7f43fc679e4fc93515c74a5e268615851bf5e5b
Opcode Fuzzy Hash: 0fb219234647b93d8b01825728a114d084ae9b401ab119cd8ae1faaea6db2d43
Instruction Fuzzy Hash: A16190B1A01605AFDB24CF6ACD81BAEB7F5EF44324F14812EE555D3291EB389D818B48

Uniqueness

Uniqueness Score: -1.00%

Function 0041F78D Relevance: 9.2, APIs: 6, Instructions: 168COMMON

Download Yara Rule

APIs

GetStringTypeW.KERNEL32(00000001,0043A9D4,00000001,?,0043B460,00000024,0041C7B7,00000001,00000100,00000001,00000000,00000000,?,?,?,004175A9), ref: 0041F7B1
GetLastError.KERNEL32(?,?,004175A9,?,00000000,00000008), ref: 0041F7C3
GetStringTypeW.KERNEL32(?,00000100,?,?,0043B460,00000024,0041C7B7,00000001,00000100,00000001,00000000,00000000,?,?,?,004175A9), ref: 0041F7ED
WideCharToMultiByte.KERNEL32(?,00000000,00000100,?,00000000,00000000,00000000,00000000,0043B460,00000024,0041C7B7,00000001,00000100,00000001,00000000,00000000), ref: 0041F845
WideCharToMultiByte.KERNEL32(00000000,00000000,00000100,00000000,?,00000000,00000000,00000000), ref: 0041F8C8
GetStringTypeA.KERNEL32(?,?,?,00000000,?), ref: 0041F95A

Part of subcall function 0041D4E0: __lock.LIBCMT ref: 0041D524
Part of subcall function 0041D4E0: HeapAlloc.KERNEL32(00000008,?,0043B1F8,00000010,00419D17,00000001,00000088,?,00418843,?,?,?,0041540F,00000004,0043A458,0000000C), ref: 0041D562

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: StringType$ByteCharMultiWide$AllocErrorHeapLast__lock
String ID:
API String ID: 892864237-0
Opcode ID: b1f97acda3f09c8697856c99fe5127e31a16a89ed682065aa7c50ce2c0f9515f
Instruction ID: a57df6695b7da8b7aa1c592e969f3bb102772f76e478128afaf792e3acbf193c
Opcode Fuzzy Hash: b1f97acda3f09c8697856c99fe5127e31a16a89ed682065aa7c50ce2c0f9515f
Instruction Fuzzy Hash: 40517F71910219EBCF21AFA5DC45AEE7BB4FF05764B60413BF814A2260C3388996DB98

Uniqueness

Uniqueness Score: -1.00%

Function 0041B200 Relevance: 9.1, APIs: 6, Instructions: 145COMMONLIBRARYCODE

Download Yara Rule

APIs

GetStringTypeW.KERNEL32(00000001,0043A9D4,00000001,?,0043A9D8,0000001C,00417C5C,00000001,00000020,00000100,?,00000000), ref: 0041B224
GetLastError.KERNEL32 ref: 0041B236
MultiByteToWideChar.KERNEL32(?,00000000,00000000,00417F33,00000000,00000000,0043A9D8,0000001C,00417C5C,00000001,00000020,00000100,?,00000000), ref: 0041B298
MultiByteToWideChar.KERNEL32(?,00000001,00000000,00417F33,?,00000000), ref: 0041B316
GetStringTypeW.KERNEL32(00000000,?,00000000,?,?,00000000), ref: 0041B328

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: ByteCharMultiStringTypeWide$ErrorLast
String ID:
API String ID: 3581945363-0
Opcode ID: 9575601df985ec698041be843986eb33e77f2bc8172fa7f9b26e48780cd960a8
Instruction ID: 9f9fa65cc8421391b8d21a05cfa14ba1f88a212ef66fffe92425adc452bd7f2d
Opcode Fuzzy Hash: 9575601df985ec698041be843986eb33e77f2bc8172fa7f9b26e48780cd960a8
Instruction Fuzzy Hash: 7C419271900618EBCB218F55DC45AEF3B75FF49760F15012AFC20A62A0C739C9A1CBE9

Uniqueness

Uniqueness Score: -1.00%

Function 0042B8F8 Relevance: 9.1, APIs: 6, Instructions: 80memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

TlsGetValue.KERNEL32(0044AED8,00000000,?,00000000,0042BB47,?,00000000,?,?,?,?,0042B380,00429E06,0040C70D), ref: 0042B8FF
EnterCriticalSection.KERNEL32(0044AEF4,00000010,?,00000000,0042BB47,?,00000000,?,?,?,?,0042B380,00429E06,0040C70D), ref: 0042B948
LeaveCriticalSection.KERNEL32(0044AEF4,?,00000000,0042BB47,?,00000000,?,?,?,?,0042B380,00429E06,0040C70D), ref: 0042B95B
LocalAlloc.KERNEL32(00000000,00000003,?,00000000,0042BB47,?,00000000,?,?,?,?,0042B380,00429E06,0040C70D), ref: 0042B972
LocalReAlloc.KERNEL32(?,00000003,00000002,?,00000000,0042BB47,?,00000000,?,?,?,?,0042B380,00429E06,0040C70D), ref: 0042B984
TlsSetValue.KERNEL32(0044AED8,00000000), ref: 0042B9BB

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: AllocCriticalLocalSectionValue$EnterLeave
String ID:
API String ID: 4117633390-0
Opcode ID: 425f8b4d3ef0bcdaa6e9ca825a8bff2006c201a408e1851a73cd36e6840e37b7
Instruction ID: a6b77f6463ff9e4dcbf2f81cc0fabf44c3931403c77961276365c9ec7d0f809c
Opcode Fuzzy Hash: 425f8b4d3ef0bcdaa6e9ca825a8bff2006c201a408e1851a73cd36e6840e37b7
Instruction Fuzzy Hash: E2215CB1600622EFC324DF65E884C26B7E8FF48310790893EE55AC3610D734EC95CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 004292DB Relevance: 9.1, APIs: 6, Instructions: 68COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000F0), ref: 0042930D
GetParent.USER32(?), ref: 0042931B
GetParent.USER32(?), ref: 0042932E
GetLastActivePopup.USER32(?), ref: 0042933D
IsWindowEnabled.USER32(?), ref: 00429352
EnableWindow.USER32(?,00000000), ref: 00429365

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: Window$Parent$ActiveEnableEnabledLastLongPopup
String ID:
API String ID: 670545878-0
Opcode ID: 1a1af78537e06c800fa254dbed7e3f0734006fd546e1ad9da5c44e88e9679358
Instruction ID: 80255c199b8a0bdecbbc8602bee05c6d705c4b7d3c7af4284fa55a0f5ebffd36
Opcode Fuzzy Hash: 1a1af78537e06c800fa254dbed7e3f0734006fd546e1ad9da5c44e88e9679358
Instruction Fuzzy Hash: B011A332B0123157C631AA6A7C44B6BB2AC9F6DB60FD50177ED04D3391DB68CC02469D

Uniqueness

Uniqueness Score: -1.00%

Function 00428DBA Relevance: 9.0, APIs: 6, Instructions: 45COMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00428DC9
GetDlgCtrlID.USER32(00000000), ref: 00428DDD
GetWindowLongA.USER32(00000000,000000F0), ref: 00428DEB
GetWindowRect.USER32(00000000,?), ref: 00428DFD
PtInRect.USER32(?,?,?), ref: 00428E0D
GetWindow.USER32(?,00000005), ref: 00428E1A

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: Window$Rect$ClientCtrlLongScreen
String ID:
API String ID: 1315500227-0
Opcode ID: bddc417178efcb5005f3e382842a7ec5c5d359559d9cbc29fe9ccca2d6545a96
Instruction ID: 86bcff5dc365ccf3970e8e5ad6cd2e1a487aebd333d05296c5cf9a855bdfcbb6
Opcode Fuzzy Hash: bddc417178efcb5005f3e382842a7ec5c5d359559d9cbc29fe9ccca2d6545a96
Instruction Fuzzy Hash: 46014F36301229ABDB21AF54AC08EAF3B78AF55B51FC14039FD11D6164DB3499168A98

Uniqueness

Uniqueness Score: -1.00%

Function 004130C1 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 282memoryCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004130C6
CoTaskMemAlloc.OLE32(?,?,?,00000000), ref: 004131DF
CoTaskMemFree.OLE32(?,?,00000000), ref: 004133C4

Strings

, xrefs: 0041329E
(, xrefs: 004133B8

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: Task$AllocFreeH_prolog
String ID: $(
API String ID: 1522537378-55695022
Opcode ID: a16237aa7a8ee13bba94a7bacb18d3f117483b94c8521d500b5fd6c296647487
Instruction ID: 7e24ac4c9d61eba3cdab13b1e29302fb200f62294913ba54403eba2bb913f085
Opcode Fuzzy Hash: a16237aa7a8ee13bba94a7bacb18d3f117483b94c8521d500b5fd6c296647487
Instruction Fuzzy Hash: 7BB14D70A003099FCB14DFA9C884AAEB7F5FF88704F24495EE416EB351DB74A985CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00424887 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000000,00000405,00000000,?), ref: 0042493D
GetWindowLongA.USER32(?,000000FC), ref: 0042494F
GetWindowLongA.USER32(?,000000FC), ref: 00424960
SetWindowLongA.USER32(?,000000FC,?), ref: 0042497C

Strings

(, xrefs: 00424933

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID: (
API String ID: 2178440468-3887548279
Opcode ID: e0b753035cb70a9a5eef04e921d7a8f31782a4019434a00ab1b1827a1127cb12
Instruction ID: 3707caef856736254b48c76daa378133d04f0dbce0ae591b3731a783b4f3e6c9
Opcode Fuzzy Hash: e0b753035cb70a9a5eef04e921d7a8f31782a4019434a00ab1b1827a1127cb12
Instruction Fuzzy Hash: A531D2747006209FCB20BF79E884A6BB7B4FF84314F94062EE54197791DB78E845CB98

Uniqueness

Uniqueness Score: -1.00%

Function 004112D3 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 100COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00411346
SysFreeString.OLEAUT32(?), ref: 004113B5
SysFreeString.OLEAUT32(?), ref: 004113BF
SysFreeString.OLEAUT32(?), ref: 004113C9

Strings

`)u, xrefs: 004113A7

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: FreeString$ClearVariant
String ID: `)u
API String ID: 3349467263-4279031584
Opcode ID: d9906cbb21440189adeb46f65e4d7491ee8ad9fd862cf020c2635eacfbbe87dd
Instruction ID: 33bf42000e96db952560971249c255832eb346404390c0d155027bceb8e5320a
Opcode Fuzzy Hash: d9906cbb21440189adeb46f65e4d7491ee8ad9fd862cf020c2635eacfbbe87dd
Instruction Fuzzy Hash: FB313C71A11219FFDB10DFA5C884ADEBBB8FF08714F10812BFA15A6250D774A984CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00403FCF Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 87COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00403FD4
GetModuleFileNameA.KERNEL32(00400000,?,00000104,?), ref: 00403FF6

Part of subcall function 00401FE9: lstrlenA.KERNEL32(?,?,?,?,00402E72,?), ref: 00402008

Part of subcall function 00402FCE: __EH_prolog.LIBCMT ref: 00402FD3

CharLowerA.USER32(?,?,00000004,?), ref: 0040402F

Part of subcall function 004033FA: __EH_prolog.LIBCMT ref: 004033FF

_strcat.LIBCMT ref: 00404096

Part of subcall function 00402C6D: __EH_prolog.LIBCMT ref: 00402C72
Part of subcall function 00402C6D: _strcat.LIBCMT ref: 00402C97
Part of subcall function 00402C6D: _strcat.LIBCMT ref: 00402CBA
Part of subcall function 00402C6D: MessageBoxA.USER32(00000000,?,00000000,00000030), ref: 00402D19

Strings

.dll, xrefs: 00404035

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: H_prolog$_strcat$CharFileLowerMessageModuleNamelstrlen
String ID: .dll
API String ID: 1009733722-2738580789
Opcode ID: 7ee78063d823e0c6d8b8f1480ed479fa6a1540bc085ae308c9012322817352e7
Instruction ID: e6b5aef0d27c6589e7d05cc20d88ea959a984bc3c2dd37e4e74a46bfd1a24eba
Opcode Fuzzy Hash: 7ee78063d823e0c6d8b8f1480ed479fa6a1540bc085ae308c9012322817352e7
Instruction Fuzzy Hash: DC31A2B1900109ABDB11EBE1D942AEEB778EF15319F10403FF215F21D1EB784A08CB69

Uniqueness

Uniqueness Score: -1.00%

Function 02455119 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79COMMON

Download Yara Rule

Strings

C:\Users\user\Desktop\app.exe, xrefs: 02455135

Memory Dump Source

Source File: 00000000.00000002.2022153806.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23d0000_app.jbxd

Similarity

API ID:
String ID: C:\Users\user\Desktop\app.exe
API String ID: 0-886552919
Opcode ID: 7c01ad36a9aa9e960dfb344aad36173a23e37e2c4c4eb63aa145beb64ed7efdf
Instruction ID: 7765748ef32f953cd3ba879f85d68af2871f773c670c70959fc3ae041dd2bc2d
Opcode Fuzzy Hash: 7c01ad36a9aa9e960dfb344aad36173a23e37e2c4c4eb63aa145beb64ed7efdf
Instruction Fuzzy Hash: 3B219271A00225BF9B22AF62CC40A7B7BAAAF41364750451BEDA5DB642E730E851CF90

Uniqueness

Uniqueness Score: -1.00%

Function 00403A0A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00403A0F
GetModuleFileNameA.KERNEL32(00400000,?,00000104,?), ref: 00403A31

Part of subcall function 00401FE9: lstrlenA.KERNEL32(?,?,?,?,00402E72,?), ref: 00402008

Part of subcall function 00402FCE: __EH_prolog.LIBCMT ref: 00402FD3

CharLowerA.USER32(?,?,00000004,?), ref: 00403A67

Part of subcall function 004033FA: __EH_prolog.LIBCMT ref: 004033FF

_strcat.LIBCMT ref: 00403AE9

Part of subcall function 00402C6D: __EH_prolog.LIBCMT ref: 00402C72
Part of subcall function 00402C6D: _strcat.LIBCMT ref: 00402C97
Part of subcall function 00402C6D: _strcat.LIBCMT ref: 00402CBA
Part of subcall function 00402C6D: MessageBoxA.USER32(00000000,?,00000000,00000030), ref: 00402D19

Strings

.dll, xrefs: 00403A6D

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: H_prolog$_strcat$CharFileLowerMessageModuleNamelstrlen
String ID: .dll
API String ID: 1009733722-2738580789
Opcode ID: bb160a83ece6b52ad72d685bd7d2f3ba3769fc739be267bbfaec33bc36789f92
Instruction ID: 1cad220353df42b9fe3cb840776f885c9a0654f48a55dcbb27447a2c56b74ffd
Opcode Fuzzy Hash: bb160a83ece6b52ad72d685bd7d2f3ba3769fc739be267bbfaec33bc36789f92
Instruction Fuzzy Hash: 7A219231A00119AADB15FBA1DD47BEEBB68AF11709F10013BF501B10E2DBB95B058AA9

Uniqueness

Uniqueness Score: -1.00%

Function 0243D340 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 69libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32), ref: 0243D3E5
GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 0243D3F5

Strings

kernel32, xrefs: 0243D3E0
GetSystemTimePreciseAsFileTime, xrefs: 0243D3EF
Invalid, xrefs: 0243D3C2

Memory Dump Source

Source File: 00000000.00000002.2022153806.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23d0000_app.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetSystemTimePreciseAsFileTime$Invalid$kernel32
API String ID: 1646373207-2690871627
Opcode ID: 26d222e3857e9fcc337dd8c9e94f4dad00813671a282671d421dbddebe2e1eda
Instruction ID: e2192c2e89da6f8e0b8e0a8812839b865c0c12e2fb4663098920789b974f310c
Opcode Fuzzy Hash: 26d222e3857e9fcc337dd8c9e94f4dad00813671a282671d421dbddebe2e1eda
Instruction Fuzzy Hash: C011C4B1F443009BD30D9E19DD4831A77E6AB88394F4AD92EE84EDB344D3759C44CB92

Uniqueness

Uniqueness Score: -1.00%

Function 004120BA Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 66COMMONLIBRARYCODE

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32 ref: 004120D9
CoTaskMemFree.OLE32(?), ref: 00412155

Strings

`)u, xrefs: 00412138

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: ArrayDestroyFreeSafeTask
String ID: `)u
API String ID: 3253174383-4279031584
Opcode ID: 5c80eacd3d21a3520f2eedc2b141da2997b8ba1f6184b55e1f1dc4efe2ab2cb9
Instruction ID: 92880c54d83cef890ef01a83bb49db2f2e97ba72a390528555b3e8eed935738a
Opcode Fuzzy Hash: 5c80eacd3d21a3520f2eedc2b141da2997b8ba1f6184b55e1f1dc4efe2ab2cb9
Instruction Fuzzy Hash: 9E118130300206BBCB24DF24DE88BE677A4BF01350F54442BFE85D6260D7B9D9A1CA18

Uniqueness

Uniqueness Score: -1.00%

Function 00422A0B Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000F0), ref: 00422A4C
GetDlgItem.USER32(?,00000002), ref: 00422A6B
IsWindowEnabled.USER32(00000000), ref: 00422A76
SendMessageA.USER32(?,00000111,00000002,00000000), ref: 00422A8C

Strings

Edit, xrefs: 00422A56

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: Window$EnabledItemLongMessageSend
String ID: Edit
API String ID: 3499652902-554135844
Opcode ID: 66f3ca61536d6a4b5c74c82b61e0e054e33ba564fb4b2e00f887f035e959c592
Instruction ID: 6ee10451ae2c8e78b307aaf30a1710947c025f2baedac84a9ff3f14969e02c54
Opcode Fuzzy Hash: 66f3ca61536d6a4b5c74c82b61e0e054e33ba564fb4b2e00f887f035e959c592
Instruction Fuzzy Hash: 18018E303003327AEA306A66AE05F6BAAA49B54714FD4493BA441D2AA0DFE8DC42C56C

Uniqueness

Uniqueness Score: -1.00%

Function 02452608 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,71AAEBF7,?,?,00000000,0246197B,000000FF,?,024525E4,024526C8,?,024525B8,00000000), ref: 0245263D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0245264F
FreeLibrary.KERNEL32(00000000,?,?,00000000,0246197B,000000FF,?,024525E4,024526C8,?,024525B8,00000000), ref: 02452671

Strings

mscoree.dll, xrefs: 02452636
CorExitProcess, xrefs: 02452647

Memory Dump Source

Source File: 00000000.00000002.2022153806.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23d0000_app.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: df5a577e1ff92f6254b382a7e70710acb5764547e1ecd3c9e352576966873383
Instruction ID: dd54422631482a06da65a0d756644d6e34bc06bd3224b4aa3de2bc208069d730
Opcode Fuzzy Hash: df5a577e1ff92f6254b382a7e70710acb5764547e1ecd3c9e352576966873383
Instruction Fuzzy Hash: 14016731954665BBDB16DB50DC09FAE77F8FB04B15F004526FC12A2290DBB59904CA51

Uniqueness

Uniqueness Score: -1.00%

Function 0042A1F7 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 35stringCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(?,?,00000104), ref: 0042A21C
PathFindExtensionA.SHLWAPI(?), ref: 0042A229
lstrcpyA.KERNEL32(?,00000000), ref: 0042A23F
lstrcpyA.KERNEL32(00000000,%s.dll), ref: 0042A247

Part of subcall function 00429F0B: GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00429F31
Part of subcall function 00429F0B: GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 00429F3C
Part of subcall function 00429F0B: ConvertDefaultLocale.KERNEL32(?), ref: 00429F6D
Part of subcall function 00429F0B: ConvertDefaultLocale.KERNEL32(?), ref: 00429F75
Part of subcall function 00429F0B: GetProcAddress.KERNEL32(?,GetSystemDefaultUILanguage), ref: 00429F82
Part of subcall function 00429F0B: ConvertDefaultLocale.KERNEL32(?), ref: 00429F9C
Part of subcall function 00429F0B: ConvertDefaultLocale.KERNEL32(000003FF), ref: 00429FA2

Strings

%s.dll, xrefs: 0042A241

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: ConvertDefaultLocale$AddressModuleProclstrcpy$ExtensionFileFindHandleNamePath
String ID: %s.dll
API String ID: 2054749690-3668843792
Opcode ID: 82a8751b84f09603ba11f481d45c7ea045fa609579e678804dedf504626bede6
Instruction ID: 7c4c11a2dddb72ba6e02242f47b30f39fdadc108ab8537c06b584eb29b98c2af
Opcode Fuzzy Hash: 82a8751b84f09603ba11f481d45c7ea045fa609579e678804dedf504626bede6
Instruction Fuzzy Hash: E4F04FB9900218EBCB10EBA0ED49DDE7BBCEB48744F5000B6F945D7150DA74AE46CF54

Uniqueness

Uniqueness Score: -1.00%

Function 004251E5 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 34libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0042BD48: EnterCriticalSection.KERNEL32(0044AF54,?,00000000,?,00000000,0042B7B5,00000010,?,?,00000000,?,?,0042B396,0042B349,00429E06,0040C70D), ref: 0042BD76
Part of subcall function 0042BD48: InitializeCriticalSection.KERNEL32(00000000,?,00000000,?,00000000,0042B7B5,00000010,?,?,00000000,?,?,0042B396,0042B349,00429E06,0040C70D), ref: 0042BD88
Part of subcall function 0042BD48: LeaveCriticalSection.KERNEL32(0044AF54,?,00000000,?,00000000,0042B7B5,00000010,?,?,00000000,?,?,0042B396,0042B349,00429E06,0040C70D), ref: 0042BD91
Part of subcall function 0042BD48: EnterCriticalSection.KERNEL32(00000000,00000000,?,00000000,0042B7B5,00000010,?,?,00000000,?,?,0042B396,0042B349,00429E06,0040C70D), ref: 0042BDA3

Part of subcall function 0042B794: __EH_prolog.LIBCMT ref: 0042B799

LoadLibraryA.KERNEL32(hhctrl.ocx,0042AFC8,0000000C), ref: 00425209
GetProcAddress.KERNEL32(00000000,HtmlHelpA), ref: 0042521C
FreeLibrary.KERNEL32(?), ref: 0042522C

Strings

HtmlHelpA, xrefs: 00425216
hhctrl.ocx, xrefs: 00425204

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: CriticalSection$EnterLibrary$AddressFreeH_prologInitializeLeaveLoadProc
String ID: HtmlHelpA$hhctrl.ocx
API String ID: 813623328-63838506
Opcode ID: 3235c455f9abb7d201993a8a1dfe31dcfc0dd767c571edfdb62f33c42e434520
Instruction ID: 01c63ba424afe4957a6b3b467abc3637d649f32ce2fea976250ac632f5fbc3be
Opcode Fuzzy Hash: 3235c455f9abb7d201993a8a1dfe31dcfc0dd767c571edfdb62f33c42e434520
Instruction Fuzzy Hash: 90F08130744721EBD7209F61E90AB07B7E1AF54B06F80883EF046A20A0C73998148B2A

Uniqueness

Uniqueness Score: -1.00%

Function 0041722A Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 13libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(mscoree.dll,004173A1,?,?,004173C2,?,00000001,00000000,0041CA21,00000003), ref: 0041722F
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0041723F
ExitProcess.KERNEL32 ref: 00417253

Strings

CorExitProcess, xrefs: 00417239
mscoree.dll, xrefs: 0041722A

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: AddressExitHandleModuleProcProcess
String ID: CorExitProcess$mscoree.dll
API String ID: 75539706-1276376045
Opcode ID: 646f169376bb85f1c7a0c0c6dfab7f1782379c0f79f95e05adf5e4d60cba3fd9
Instruction ID: 6d5ffb320b5c84a2b93882608c5028e86e814d1ab6817c3f9ce84d69c9d90742
Opcode Fuzzy Hash: 646f169376bb85f1c7a0c0c6dfab7f1782379c0f79f95e05adf5e4d60cba3fd9
Instruction Fuzzy Hash: 96D0C7303C4200EBD6201B71DD0DE1B3A74AE61F01B84D479B851D1161CB75DC15992D

Uniqueness

Uniqueness Score: -1.00%

Function 0041DAF6 Relevance: 7.7, APIs: 5, Instructions: 216COMMON

Download Yara Rule

APIs

Part of subcall function 00419CEF: GetLastError.KERNEL32(?,76EAFC30,0041821A,004187D7,75920A60,?,?,00418843,?,?,?,0041540F,00000004,0043A458,0000000C,00418764), ref: 00419CF1
Part of subcall function 00419CEF: TlsGetValue.KERNEL32(?,00418843,?,?,?,0041540F,00000004,0043A458,0000000C,00418764,75920A60,?,00419CD6,00419D7E,00415EBE), ref: 00419CFF
Part of subcall function 00419CEF: TlsSetValue.KERNEL32(00000000,?,00418843,?,?,?,0041540F,00000004,0043A458,0000000C,00418764,75920A60,?,00419CD6,00419D7E,00415EBE), ref: 00419D26
Part of subcall function 00419CEF: GetCurrentThreadId.KERNEL32 ref: 00419D3E
Part of subcall function 00419CEF: SetLastError.KERNEL32(00000000,?,00418843,?,?,?,0041540F,00000004,0043A458,0000000C,00418764,75920A60,?,00419CD6,00419D7E,00415EBE), ref: 00419D55

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0041DB68
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0041DC65
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0041DCBE
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0041DCDB
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0041DCFE

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$ErrorLastValue$CurrentThread
String ID:
API String ID: 223281555-0
Opcode ID: 05e8b8897f4b181438ff9bc0053149d3a265bc6d3251127156bf3e4e24a99172
Instruction ID: 58033983c75ecd830641dd42448beea8d89667ef0108bf7b7aa9bdb8a646cbba
Opcode Fuzzy Hash: 05e8b8897f4b181438ff9bc0053149d3a265bc6d3251127156bf3e4e24a99172
Instruction Fuzzy Hash: 2561F5B6E00305AFDB14DF99CC41BEAB3B6EB84314F25452FF51197281E7B9A980CB58

Uniqueness

Uniqueness Score: -1.00%

Function 004179A3 Relevance: 7.6, APIs: 5, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c779fbf1088b840c6c03c0dc0acbad526ece5f4033377c3f113236f91995333
Instruction ID: eea7fb83b8746fab3f457500bfe6ffd8c160dddb31b64f3f28a7c8d6f048db1b
Opcode Fuzzy Hash: 8c779fbf1088b840c6c03c0dc0acbad526ece5f4033377c3f113236f91995333
Instruction Fuzzy Hash: 6C41B0B1D081269BCF20AF669C848EFBA74EF057A8710413FF925A6251D73C4EC1CA9D

Uniqueness

Uniqueness Score: -1.00%

Function 0040C6F0 Relevance: 7.6, APIs: 5, Instructions: 131COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(?,?,000000F0), ref: 0040C719
LoadResource.KERNEL32(?,00000000), ref: 0040C725
LockResource.KERNEL32(00000000), ref: 0040C73A
FreeResource.KERNEL32(00000000), ref: 0040C76C
GetDlgItem.USER32(?,00000001), ref: 0040C810

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: Resource$FindFreeItemLoadLock
String ID:
API String ID: 996205394-0
Opcode ID: 933fe36362147815a0cb829be6fd4c4082cb2c7b05a93c302a9bad478cfa2e61
Instruction ID: 9a54128b345b6d8dc0d7652822505e1427a01eb8725f7af53416f086ccaa2b8d
Opcode Fuzzy Hash: 933fe36362147815a0cb829be6fd4c4082cb2c7b05a93c302a9bad478cfa2e61
Instruction Fuzzy Hash: C6511835A0020AEFCB10DF59C484A9EBBB1FF48311F54857AE815AB391D774DA51CF98

Uniqueness

Uniqueness Score: -1.00%

Function 0040EBCB Relevance: 7.6, APIs: 5, Instructions: 126windowthreadCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040EBD0
SendMessageA.USER32(?,00000138,?,?), ref: 0040EC54
GetBkColor.GDI32(?), ref: 0040EC5D
GetTextColor.GDI32(?), ref: 0040EC69
GetThreadLocale.KERNEL32(0000F1C0), ref: 0040ECFB

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: Color$H_prologLocaleMessageSendTextThread
String ID:
API String ID: 741590120-0
Opcode ID: 484771c05116640de967fef7a7e48f7ab1b85b90a13ca1846e652b4cbef55775
Instruction ID: 0dba9dad94b3284ecc1784028ad6a283dd36c6a39298d9c5ccd4b4294a9626ec
Opcode Fuzzy Hash: 484771c05116640de967fef7a7e48f7ab1b85b90a13ca1846e652b4cbef55775
Instruction Fuzzy Hash: 1C51C074600716CFCB10DF26C4449AEB3B0FF04314F10896EE892AB3A1E778E855DB5A

Uniqueness

Uniqueness Score: -1.00%

Function 023F566D Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 104memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(00000000,?,02470458,024703AC,02470574), ref: 023F60B5
HeapFree.KERNEL32(00000000,?,02470458,024703AC,02470574), ref: 023F60D2
HeapFree.KERNEL32(00000000,?,02470458,024703AC,02470574), ref: 023F6105
CloseHandle.KERNEL32(?), ref: 023F632F

Part of subcall function 0242B345: __aulldiv.LIBCMT ref: 0242B383

Strings

nullfalsetrue\"\\\b\f\n\r\t0123456789abcdef[],{ ,, xrefs: 023F563C

Memory Dump Source

Source File: 00000000.00000002.2022153806.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23d0000_app.jbxd

Similarity

API ID: FreeHeap$CloseHandle__aulldiv
String ID: nullfalsetrue\"\\\b\f\n\r\t0123456789abcdef[],{ ,
API String ID: 2268332173-2124985433
Opcode ID: 46942d692adc7f1de910be34ddbe49004717958fff8c07d2b5d21ad0f8aef44e
Instruction ID: cfd6bd4d09efabc8773a227ac59a84d02b71d7e60fcf9d5b5395a2278e816a62
Opcode Fuzzy Hash: 46942d692adc7f1de910be34ddbe49004717958fff8c07d2b5d21ad0f8aef44e
Instruction Fuzzy Hash: B8410431A04200DFDF65DF20E884BDA7BA6FF94304F184969DE994F296DB319846CF92

Uniqueness

Uniqueness Score: -1.00%

Function 00429379 Relevance: 7.6, APIs: 5, Instructions: 100windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004292DB: GetParent.USER32(?), ref: 0042932E
Part of subcall function 004292DB: GetLastActivePopup.USER32(?), ref: 0042933D
Part of subcall function 004292DB: IsWindowEnabled.USER32(?), ref: 00429352
Part of subcall function 004292DB: EnableWindow.USER32(?,00000000), ref: 00429365

EnableWindow.USER32(?,00000001), ref: 004293B2
SendMessageA.USER32(?,00000376,00000000,00000000), ref: 004293C6
GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,?,00000000), ref: 00429437
MessageBoxA.USER32(?,?,?,?), ref: 00429445
EnableWindow.USER32(00000000,00000001), ref: 00429461

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: Window$Enable$Message$ActiveEnabledFileLastModuleNameParentPopupSend
String ID:
API String ID: 489645344-0
Opcode ID: e5219f551e2044f1e9824b379428219b61050e8523d1673e1e04a8c83f224b8f
Instruction ID: b24da1c36bf129903a3f53721541c8c3187d1228906e7f3a5e596f08f38fdc97
Opcode Fuzzy Hash: e5219f551e2044f1e9824b379428219b61050e8523d1673e1e04a8c83f224b8f
Instruction Fuzzy Hash: 5D318771B00128ABCB20EFA5EC85EEFB7B5EF48700F94456AE551E7280C7759D41CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0241C263 Relevance: 7.6, APIs: 6, Instructions: 91memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(00000000,?,?,02425E00), ref: 0241C2D6
HeapFree.KERNEL32(00000000,?,?,02425E00), ref: 0241C2F1
HeapFree.KERNEL32(00000000,?,?,02425E00), ref: 0241C2FD
HeapFree.KERNEL32(00000000,?,?,02425E00), ref: 0241C309
HeapFree.KERNEL32(00000000,?,?,02425E00), ref: 0241C313
HeapFree.KERNEL32(00000000,?,?,02425E00), ref: 0241C325

Memory Dump Source

Source File: 00000000.00000002.2022153806.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23d0000_app.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 8c1840e74e9ed29f21e3420353721e0e6ff53c76a136968d9343fb36fb41b006
Instruction ID: 3adfe82fcdb9811cd279489284fc3a5cc42fc0c482cd5a5abd19271812cba669
Opcode Fuzzy Hash: 8c1840e74e9ed29f21e3420353721e0e6ff53c76a136968d9343fb36fb41b006
Instruction Fuzzy Hash: 3A31E431A80204AFD7299F55DC84E1A7BF2FB84708F10492FE94546360D731ACA1CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0042A57A Relevance: 7.6, APIs: 5, Instructions: 71registryCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0042A57F
RegOpenKeyA.ADVAPI32(?,?,?), ref: 0042A5A3
RegEnumKeyA.ADVAPI32(?,00000000,?,000000FF), ref: 0042A60B
RegDeleteKeyA.ADVAPI32(?,?), ref: 0042A62D
RegCloseKey.ADVAPI32(?), ref: 0042A638

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: CloseDeleteEnumH_prologOpen
String ID:
API String ID: 3131381098-0
Opcode ID: 030e9521213b5cec4a943126c4209cfb504d0090493e7cce31642c1ea77828a9
Instruction ID: 74490a7ce1c544a02dbf4f80efdb720ef59ca58dfc40bea8b14ed366bb9d3a97
Opcode Fuzzy Hash: 030e9521213b5cec4a943126c4209cfb504d0090493e7cce31642c1ea77828a9
Instruction Fuzzy Hash: CA216B72E0012AAFCB21DB94D851BEEB7B4EF08314F444176FD11A72A0CB389E568B95

Uniqueness

Uniqueness Score: -1.00%

Function 0040A38B Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

_strcat.LIBCMT ref: 0040A3A0
_strcat.LIBCMT ref: 0040A3B9
_strcat.LIBCMT ref: 0040A3F6
_strcat.LIBCMT ref: 0040A409
_strcat.LIBCMT ref: 0040A440

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: _strcat
String ID:
API String ID: 1765576173-0
Opcode ID: 458841bfa4412d0987e54f94bc18dc31fcc139bb07e64035214e5041e318658b
Instruction ID: 4d4309227c65d941d0923993ef45c8ee1175764ee62a210df3ff9fbdc7f6413c
Opcode Fuzzy Hash: 458841bfa4412d0987e54f94bc18dc31fcc139bb07e64035214e5041e318658b
Instruction Fuzzy Hash: EF11A37554835835EB3176625C4AFEB2A5C9B0175CF54007BFA18B40C2DABCDA6181AF

Uniqueness

Uniqueness Score: -1.00%

Function 00429CB3 Relevance: 7.6, APIs: 5, Instructions: 58COMMON

Download Yara Rule

APIs

GetMapMode.GDI32(?,?,?,?,?,?,0040F257,?,00000000,?,75A8E800), ref: 00429CC3
GetDeviceCaps.GDI32(?,00000058), ref: 00429CFD
GetDeviceCaps.GDI32(?,0000005A), ref: 00429D06

Part of subcall function 0042873E: MulDiv.KERNEL32(?,00000000,00000000), ref: 0042877B
Part of subcall function 0042873E: MulDiv.KERNEL32(00000000,00000000,00000000), ref: 00428796

MulDiv.KERNEL32(?,000009EC,00000060), ref: 00429D2A
MulDiv.KERNEL32(00000000,000009EC,75A8E800), ref: 00429D35

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: CapsDevice$Mode
String ID:
API String ID: 696222070-0
Opcode ID: 8d1704f2616a026b9f43863089cc8eee421a8b68ef1a552184c7b2fb0bd61b6a
Instruction ID: 6e1b7dccc2bf6b9828f3aa7ea2882f5d8b0ed906ddf1c8cc2095083f4007e547
Opcode Fuzzy Hash: 8d1704f2616a026b9f43863089cc8eee421a8b68ef1a552184c7b2fb0bd61b6a
Instruction Fuzzy Hash: DD110235700610AFCB219F55DC44C1EBBF9EF89310BA1443AF98697320C7759C029F94

Uniqueness

Uniqueness Score: -1.00%

Function 00429D41 Relevance: 7.6, APIs: 5, Instructions: 58COMMON

Download Yara Rule

APIs

GetMapMode.GDI32(?,00000000,?,?,?,?,0040F28B,?), ref: 00429D51
GetDeviceCaps.GDI32(?,00000058), ref: 00429D8B
GetDeviceCaps.GDI32(?,0000005A), ref: 00429D94

Part of subcall function 004286DB: MulDiv.KERNEL32(0040F28B,00000000,00000000), ref: 00428718
Part of subcall function 004286DB: MulDiv.KERNEL32(4689EC45,00000000,00000000), ref: 00428733

MulDiv.KERNEL32(0040F28B,00000060,000009EC), ref: 00429DB8
MulDiv.KERNEL32(4689EC45,?,000009EC), ref: 00429DC3

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: CapsDevice$Mode
String ID:
API String ID: 696222070-0
Opcode ID: 0b9c2ff3e9452577eaa4e4a24d119cdaa1b7e241cf6bc29e48a8d0425e4ee19a
Instruction ID: b40078db713edfd21a9873406d00821ab7b1675308a8c764c818c18d3d9003fc
Opcode Fuzzy Hash: 0b9c2ff3e9452577eaa4e4a24d119cdaa1b7e241cf6bc29e48a8d0425e4ee19a
Instruction Fuzzy Hash: 79110E35700610AFDB21AF15DC44C1EBBFAEF89710B91442AF98697320CB75EC02DB88

Uniqueness

Uniqueness Score: -1.00%

Function 00419CEF Relevance: 7.5, APIs: 5, Instructions: 37threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,76EAFC30,0041821A,004187D7,75920A60,?,?,00418843,?,?,?,0041540F,00000004,0043A458,0000000C,00418764), ref: 00419CF1
TlsGetValue.KERNEL32(?,00418843,?,?,?,0041540F,00000004,0043A458,0000000C,00418764,75920A60,?,00419CD6,00419D7E,00415EBE), ref: 00419CFF
SetLastError.KERNEL32(00000000,?,00418843,?,?,?,0041540F,00000004,0043A458,0000000C,00418764,75920A60,?,00419CD6,00419D7E,00415EBE), ref: 00419D55

Part of subcall function 0041D4E0: __lock.LIBCMT ref: 0041D524
Part of subcall function 0041D4E0: HeapAlloc.KERNEL32(00000008,?,0043B1F8,00000010,00419D17,00000001,00000088,?,00418843,?,?,?,0041540F,00000004,0043A458,0000000C), ref: 0041D562

TlsSetValue.KERNEL32(00000000,?,00418843,?,?,?,0041540F,00000004,0043A458,0000000C,00418764,75920A60,?,00419CD6,00419D7E,00415EBE), ref: 00419D26
GetCurrentThreadId.KERNEL32 ref: 00419D3E

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: ErrorLastValue$AllocCurrentHeapThread__lock
String ID:
API String ID: 3368326513-0
Opcode ID: c0dde2ab6abc5d13967d72fca5861c1375e6e24a54f52db835ed15053f81b895
Instruction ID: 9c9c253482250aba246a1314c7731adacca6fb7c4ca25a5bf85d0a0605742cb6
Opcode Fuzzy Hash: c0dde2ab6abc5d13967d72fca5861c1375e6e24a54f52db835ed15053f81b895
Instruction Fuzzy Hash: 0FF0C271701B119FE7301BA0FC097967BB0EF02B65B90463AE941DA2A0CBB88C458798

Uniqueness

Uniqueness Score: -1.00%

Function 0042BB89 Relevance: 7.5, APIs: 5, Instructions: 35COMMON

Download Yara Rule

APIs

TlsFree.KERNEL32(00835BF8,?,?,0042BC00,00000000,00000001), ref: 0042BBAF
GlobalHandle.KERNEL32(00801ED0), ref: 0042BBBD
GlobalUnlock.KERNEL32(00000000,?,?,0042BC00,00000000,00000001), ref: 0042BBC6
GlobalFree.KERNEL32(00000000), ref: 0042BBCD
DeleteCriticalSection.KERNEL32(0044AEBC,?,?,0042BC00,00000000,00000001), ref: 0042BBD7

Part of subcall function 0042B9F1: EnterCriticalSection.KERNEL32(?), ref: 0042BA4E
Part of subcall function 0042B9F1: LeaveCriticalSection.KERNEL32(?,?), ref: 0042BA5E
Part of subcall function 0042B9F1: LocalFree.KERNEL32(?), ref: 0042BA67
Part of subcall function 0042B9F1: TlsSetValue.KERNEL32(?,00000000), ref: 0042BA79

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: CriticalFreeGlobalSection$DeleteEnterHandleLeaveLocalUnlockValue
String ID:
API String ID: 1549993015-0
Opcode ID: 42da1f527a2b0c3e69970945b8ac3fb8113e542abeed7d7280077cbdc7271ade
Instruction ID: c978259d00606411c06b9666accebdfa32c1b0646b29e90d722105786fdf7326
Opcode Fuzzy Hash: 42da1f527a2b0c3e69970945b8ac3fb8113e542abeed7d7280077cbdc7271ade
Instruction Fuzzy Hash: 72F090313006209BC6319B28FC08E6B37B9DF847253D50639F915D3655D728EC0686AC

Uniqueness

Uniqueness Score: -1.00%

Function 004033FA Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 384COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004033FF

Part of subcall function 00403039: __EH_prolog.LIBCMT ref: 0040303E

Part of subcall function 00401F77: InterlockedDecrement.KERNEL32(?), ref: 00401F8B

Part of subcall function 00402F54: __EH_prolog.LIBCMT ref: 00402F59

Part of subcall function 00402065: InterlockedIncrement.KERNEL32(-000000F4), ref: 004020A8

Part of subcall function 004026DF: __EH_prolog.LIBCMT ref: 004026E4
Part of subcall function 004026DF: _strcat.LIBCMT ref: 0040275F

Part of subcall function 00401FE9: lstrlenA.KERNEL32(?,?,?,?,00402E72,?), ref: 00402008

Part of subcall function 00409BA2: __EH_prolog.LIBCMT ref: 00409BA7

Strings

(1D, xrefs: 0040340A, 004034F6, 00403565, 00403708
B75630F848913FC0F8D618CD4D66F881, xrefs: 00403764
~#@^&*%Xy, xrefs: 00403677

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: H_prolog$Interlocked$DecrementIncrement_strcatlstrlen
String ID: (1D$B75630F848913FC0F8D618CD4D66F881$~#@^&*%Xy
API String ID: 3563784522-3627518113
Opcode ID: 8dc799b0bdd2e0e285bd4d34ca76e88ad679a91fdd7a6ac2db35d914667f3017
Instruction ID: 0945acecc41c1119d48bf44f991538611cc363480de23803dbd87cf349209659
Opcode Fuzzy Hash: 8dc799b0bdd2e0e285bd4d34ca76e88ad679a91fdd7a6ac2db35d914667f3017
Instruction Fuzzy Hash: C5E16071C01249AADB05EBE5C945EEEBBB8AF19304F10417EF505B31D2DB786B08CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0040278B Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 234COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00402790

Part of subcall function 004020B5: lstrlenA.KERNEL32(?,00000000,(1D,00402EEF,0042F876,0040B70B,000F0000,0040BC1E,?,00000000,?,0000FFFF,?), ref: 004020C6

Part of subcall function 0040251B: CharNextA.USER32(?,?,00000000,00000000,00402825,?,?,?,00000000,?), ref: 00402548

_strcat.LIBCMT ref: 00402A1D

Strings

(1D, xrefs: 004027ED
65537, xrefs: 00402997

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: CharH_prologNext_strcatlstrlen
String ID: (1D$65537
API String ID: 2760170439-1037882189
Opcode ID: 6a4b3a02a9cf60cb97a4501062da0c4dfd334f7a98ec0f36bd57107b71411774
Instruction ID: e5f733e029df9b5a9eae3ff9d69496733049a8e8ae7aa611352d67588041cb91
Opcode Fuzzy Hash: 6a4b3a02a9cf60cb97a4501062da0c4dfd334f7a98ec0f36bd57107b71411774
Instruction Fuzzy Hash: B4A17C318051599ACB15EBA5C995BEEB778AF11308F1080FFA406721C2EF781B49CF6A

Uniqueness

Uniqueness Score: -1.00%

Function 0041084F Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00410854
VariantClear.OLEAUT32(?), ref: 004109E1

Strings

@, xrefs: 004108A1
@, xrefs: 004108F6

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: ClearH_prologVariant
String ID: @$@
API String ID: 1166855276-149943524
Opcode ID: 54e3d7c58431ed1a8a2faafa339e1a674b98199fcfceda2c24aa9145b0b1d073
Instruction ID: 7d4217390c867d17d4dff42acfee68232351a7b4ec1a73aaeb500dadfbc22095
Opcode Fuzzy Hash: 54e3d7c58431ed1a8a2faafa339e1a674b98199fcfceda2c24aa9145b0b1d073
Instruction Fuzzy Hash: 8C51A6B1A002199FDB04CF99C8849EEBBF5FF48314F14456EE506E7251E774A945CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00402B19 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 113COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00402B1E

Part of subcall function 004020B5: lstrlenA.KERNEL32(?,00000000,(1D,00402EEF,0042F876,0040B70B,000F0000,0040BC1E,?,00000000,?,0000FFFF,?), ref: 004020C6

Part of subcall function 00401F77: InterlockedDecrement.KERNEL32(?), ref: 00401F8B

_strcat.LIBCMT ref: 00402C03
_strcat.LIBCMT ref: 00402C32

Strings

(1D, xrefs: 00402B2E

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: _strcat$DecrementH_prologInterlockedlstrlen
String ID: (1D
API String ID: 180800019-2129874033
Opcode ID: 4c3c853e3a3fc5663014bbe5f81a09a6e4498b27ab9f7d68c9925f13518fe297
Instruction ID: 93546b8d2cc75717105ed71affc76308f90ab1b3b0f93c10bf84eb1c8738cbfc
Opcode Fuzzy Hash: 4c3c853e3a3fc5663014bbe5f81a09a6e4498b27ab9f7d68c9925f13518fe297
Instruction Fuzzy Hash: 4841C331900119ABCB11EF66CD4AEEEBB74EF45318F50416EF408B62D1DBB86E44CB69

Uniqueness

Uniqueness Score: -1.00%

Function 004038D9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 100COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00400000,?,00000104), ref: 004038F6

Part of subcall function 00401FE9: lstrlenA.KERNEL32(?,?,?,?,00402E72,?), ref: 00402008

Part of subcall function 00402FCE: __EH_prolog.LIBCMT ref: 00402FD3

CharLowerA.USER32(?,?,00000004,?), ref: 00403924

Part of subcall function 004033FA: __EH_prolog.LIBCMT ref: 004033FF

_strcat.LIBCMT ref: 004039BD

Part of subcall function 00402C6D: __EH_prolog.LIBCMT ref: 00402C72
Part of subcall function 00402C6D: _strcat.LIBCMT ref: 00402C97
Part of subcall function 00402C6D: _strcat.LIBCMT ref: 00402CBA
Part of subcall function 00402C6D: MessageBoxA.USER32(00000000,?,00000000,00000030), ref: 00402D19

Strings

.dll, xrefs: 0040392A

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: H_prolog_strcat$CharFileLowerMessageModuleNamelstrlen
String ID: .dll
API String ID: 100667255-2738580789
Opcode ID: ed755644410f0a6ee9be1c8b2e18ebcf4b444024a13bcd5a83e04fb954c330c4
Instruction ID: e925d1146906c940dbfae2266fa14a7952d3259283bc435cb66516965c737666
Opcode Fuzzy Hash: ed755644410f0a6ee9be1c8b2e18ebcf4b444024a13bcd5a83e04fb954c330c4
Instruction Fuzzy Hash: 50319372A041195BDB15BBA19D42EEF375C6F00709F60013BF911B21E2DE7C9A05869D

Uniqueness

Uniqueness Score: -1.00%

Function 0042A830 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 86windowCOMMON

Download Yara Rule

APIs

GetMenuCheckMarkDimensions.USER32 ref: 0042A849
CreateBitmap.GDI32(?,?,00000001,00000001,?), ref: 0042A8EB
LoadBitmapA.USER32(00000000,00007FE3), ref: 0042A903

Strings

, xrefs: 0042A855

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: Bitmap$CheckCreateDimensionsLoadMarkMenu
String ID:
API String ID: 2596413745-3916222277
Opcode ID: 99db48da26093b3bdc554be9bc4593ed5dd0760363e891f11716091b9abc253a
Instruction ID: 45e3c292e12f698ac8c395a513a2079db83a3a86b63308657ad0fa06f736e0d9
Opcode Fuzzy Hash: 99db48da26093b3bdc554be9bc4593ed5dd0760363e891f11716091b9abc253a
Instruction Fuzzy Hash: 9421E172A403188FEB20DF78EC88AAE7BA9EF44304F540526FD15CB292D674D446CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0041E3E2 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 29libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,0043B298,00000010,00418723,00000000,00000FA0,75920A60,00000000,00419D65,00415EBE,?,0043A478,00000060), ref: 0041E405
GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionAndSpinCount), ref: 0041E415

Strings

kernel32.dll, xrefs: 0041E400
InitializeCriticalSectionAndSpinCount, xrefs: 0041E40F

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: InitializeCriticalSectionAndSpinCount$kernel32.dll
API String ID: 1646373207-3733552308
Opcode ID: 5c0e4825627cfcbdc909d80ba72f3c4140fdd93ae8b2e26b687a80bbd9fc07fd
Instruction ID: 02de6b7c6dcb1b4e2d62259ca00e2439f61271760f3b7c106522406a4349fe20
Opcode Fuzzy Hash: 5c0e4825627cfcbdc909d80ba72f3c4140fdd93ae8b2e26b687a80bbd9fc07fd
Instruction Fuzzy Hash: 5FF0903C640206EBDB208F66AC0978E37B0FB09788F60417BA824D52A1D738D581DB5C

Uniqueness

Uniqueness Score: -1.00%

Function 0041C5DA Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 13libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KERNEL32,004170FA), ref: 0041C5DF
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 0041C5EF

Strings

IsProcessorFeaturePresent, xrefs: 0041C5E9
KERNEL32, xrefs: 0041C5DA

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: c5423254268babc4adbeec866d4f3c3d1c9d9504704e86636f1309afa355d0fc
Instruction ID: b5510b1185d0b5d4b1d73177c6ffc23074c4178150c12f31e18a4bcac3e4c917
Opcode Fuzzy Hash: c5423254268babc4adbeec866d4f3c3d1c9d9504704e86636f1309afa355d0fc
Instruction Fuzzy Hash: 48C012703C0712B6DA281BB11C8AB6B226AAB48F02F9014B66622E1180CF99E149A03D

Uniqueness

Uniqueness Score: -1.00%

Function 004138D5 Relevance: 6.2, APIs: 4, Instructions: 181COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004138DA
VariantClear.OLEAUT32(?), ref: 0041398C
CoTaskMemFree.OLE32(?), ref: 00413A29
CoTaskMemFree.OLE32(?), ref: 00413A37

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: FreeTask$ClearH_prologVariant
String ID:
API String ID: 82050969-0
Opcode ID: 767c01379b479576acc13118c83d9bf4fc42745ff4993b0e5fb18cae07862a33
Instruction ID: d5802aa01d6b65e6a7d5b3cfdb68997afd41ca415ad1b5d610f95376a237b252
Opcode Fuzzy Hash: 767c01379b479576acc13118c83d9bf4fc42745ff4993b0e5fb18cae07862a33
Instruction Fuzzy Hash: F9616A71600605DFCB20DFA5C9C48AAB7F1BF88309754096EE1869B761CB79ED82CB58

Uniqueness

Uniqueness Score: -1.00%

Function 023E62AE Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 176memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(00000000,?), ref: 023E6500

Strings

nown, xrefs: 023E645C

Memory Dump Source

Source File: 00000000.00000002.2022153806.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23d0000_app.jbxd

Similarity

API ID: FreeHeap
String ID: nown
API String ID: 3298025750-1933733983
Opcode ID: 4c6569f7ca7a56fbd58a0a90c434ee649684ff9a1ef119b28302fbd69edc1b45
Instruction ID: 78559ef2e29bfc3206ad9ad4228c90b16a0dd264507371cd5a9b78b6579152c0
Opcode Fuzzy Hash: 4c6569f7ca7a56fbd58a0a90c434ee649684ff9a1ef119b28302fbd69edc1b45
Instruction Fuzzy Hash: 3A914774908781CFD725CF24C540B9AFBF1BF99304F14896EE98A5B2A1D770A589CF81

Uniqueness

Uniqueness Score: -1.00%

Function 0041B6D9 Relevance: 6.2, APIs: 4, Instructions: 167fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(-0000003C,?,00000000,-0000003C,00000000,0043A978,?,?,?,?,?,0043A478,00000060), ref: 0041B74E
GetLastError.KERNEL32(?,?,?,0043A478,00000060), ref: 0041B758
ReadFile.KERNEL32(-00000031,-00000031,00000001,-0000003C,00000000,?,?,?,0043A478,00000060), ref: 0041B818
GetLastError.KERNEL32(?,?,?,0043A478,00000060), ref: 0041B822

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: ErrorFileLastRead
String ID:
API String ID: 1948546556-0
Opcode ID: 06390da874683060d690ec748a49b226ab513b879b92b8ba4dd51f48b54eaf61
Instruction ID: 8fb20b34bd6ea9d508b8a2884fa3a7e9fde291ada00aec3394d86df409821bcf
Opcode Fuzzy Hash: 06390da874683060d690ec748a49b226ab513b879b92b8ba4dd51f48b54eaf61
Instruction Fuzzy Hash: DE51C534A04385DFDF219F58C8807EA7BB4FF52704F5444ABE8618B391D3789986CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 004134B5 Relevance: 6.2, APIs: 4, Instructions: 165windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 004134D3
GetDesktopWindow.USER32 ref: 004134E6
GetWindowRect.USER32(?,?), ref: 004134F9
GetWindowRect.USER32(?,?), ref: 00413506

Part of subcall function 004266AC: MoveWindow.USER32(?,?,?,00000000,?,?,?,00413647,?,?,?,?,00000000), ref: 004266C8

Part of subcall function 004266EA: ShowWindow.USER32(?,?,00413650,00000000,?,?,?,?,00000000), ref: 004266F8

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: Window$Rect$DesktopMoveShowVisible
String ID:
API String ID: 3835705305-0
Opcode ID: 88f95af8812bf0e386d89e0ec780856ec7b40cbd2bc964ae238ea1be644fa563
Instruction ID: 292b2c97d4d6e5fe8d50f3415b5a10e4331aa721d6f93604126fae14dd501043
Opcode Fuzzy Hash: 88f95af8812bf0e386d89e0ec780856ec7b40cbd2bc964ae238ea1be644fa563
Instruction Fuzzy Hash: A3511C75A0020AEFCB10DFA8C994DAEB7BAFF88705B544469F506E7250CB35EE41CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0041BAB2 Relevance: 6.1, APIs: 4, Instructions: 146fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,00419F5B,00000000,?,?,00000001), ref: 0041BB86

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: c01c61b8bf44389ea94e83f765c07d573316c3af947ce38cddeea1b46c53af0d
Instruction ID: 3e9d655b9880f60b5f09cf0eebf124177ec1137a07b6d6433de88475768fccef
Opcode Fuzzy Hash: c01c61b8bf44389ea94e83f765c07d573316c3af947ce38cddeea1b46c53af0d
Instruction Fuzzy Hash: AF51A371900209DFCB11CFA9C980AEEBBF4FF45304F5041ABE911AB255DB349A81CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 023EE26F Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 120memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 023EE83F: HeapFree.KERNEL32(00000000), ref: 023EE8A4
Part of subcall function 023EE83F: CloseHandle.KERNEL32(?,023EDC7E), ref: 023EE98C

HeapFree.KERNEL32(00000000,?), ref: 023EE2E2
HeapFree.KERNEL32(00000000,?), ref: 023EE5E3
HeapFree.KERNEL32(00000000,?), ref: 023EE645

Strings

filezillasignal::, xrefs: 023EE279

Memory Dump Source

Source File: 00000000.00000002.2022153806.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23d0000_app.jbxd

Similarity

API ID: FreeHeap$CloseHandle
String ID: filezillasignal::
API String ID: 1910495013-924609054
Opcode ID: e1e3461ec048acccc6db94e319ea6975a1cac35a00cda1c39ff662ae98d4b83f
Instruction ID: 7f7eb509a604af9883ca17ec0be1240b3b35e2de98834dd4f523755ac884d792
Opcode Fuzzy Hash: e1e3461ec048acccc6db94e319ea6975a1cac35a00cda1c39ff662ae98d4b83f
Instruction Fuzzy Hash: BE513871608380DFDB34DF14D584B9ABBE1BB98314F10891EE58E97291DB319949CF83

Uniqueness

Uniqueness Score: -1.00%

Function 023EE2FC Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 120memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 023EE83F: HeapFree.KERNEL32(00000000), ref: 023EE8A4
Part of subcall function 023EE83F: CloseHandle.KERNEL32(?,023EDC7E), ref: 023EE98C

HeapFree.KERNEL32(00000000,?), ref: 023EE36F
HeapFree.KERNEL32(00000000,?), ref: 023EE5E3
HeapFree.KERNEL32(00000000,?), ref: 023EE645

Strings

signaltox::, xrefs: 023EE306

Memory Dump Source

Source File: 00000000.00000002.2022153806.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23d0000_app.jbxd

Similarity

API ID: FreeHeap$CloseHandle
String ID: signaltox::
API String ID: 1910495013-1483858761
Opcode ID: 15be2f4a1fa95feb8d4c4e6949a45dddcd814e981d206dd06c4bf4f52ce7352e
Instruction ID: d91a5943569f9849c13dc976c21d67f36c4ee8b08c668fb145cd61bddbfce2ad
Opcode Fuzzy Hash: 15be2f4a1fa95feb8d4c4e6949a45dddcd814e981d206dd06c4bf4f52ce7352e
Instruction Fuzzy Hash: 42512671608380DFDB34DF14D584B9ABBE1BB88314F10895DE98A57291DB71A949CF83

Uniqueness

Uniqueness Score: -1.00%

Function 023EE389 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 120memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 023EE83F: HeapFree.KERNEL32(00000000), ref: 023EE8A4
Part of subcall function 023EE83F: CloseHandle.KERNEL32(?,023EDC7E), ref: 023EE98C

HeapFree.KERNEL32(00000000,?), ref: 023EE3FC
HeapFree.KERNEL32(00000000,?), ref: 023EE5E3
HeapFree.KERNEL32(00000000,?), ref: 023EE645

Strings

toxpidgin::, xrefs: 023EE393

Memory Dump Source

Source File: 00000000.00000002.2022153806.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23d0000_app.jbxd

Similarity

API ID: FreeHeap$CloseHandle
String ID: toxpidgin::
API String ID: 1910495013-2736818546
Opcode ID: d8bb5b0cdd6ac1928590da3a01d2649f3d1db1a3dfa24d0b8d3a66ca3bee3b86
Instruction ID: 5654aaa719a7c179ead0c1411c16b018ca57b49ecda13c234795c720d1de1bc5
Opcode Fuzzy Hash: d8bb5b0cdd6ac1928590da3a01d2649f3d1db1a3dfa24d0b8d3a66ca3bee3b86
Instruction Fuzzy Hash: 22513871608380DFD734DF14D584B9AB7E1BF88314F10895DE58A57291DB319949CF83

Uniqueness

Uniqueness Score: -1.00%

Function 023EE1E2 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 120memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 023EE83F: HeapFree.KERNEL32(00000000), ref: 023EE8A4
Part of subcall function 023EE83F: CloseHandle.KERNEL32(?,023EDC7E), ref: 023EE98C

HeapFree.KERNEL32(00000000,?), ref: 023EE255
HeapFree.KERNEL32(00000000,?), ref: 023EE5E3
HeapFree.KERNEL32(00000000,?), ref: 023EE645

Strings

anydeskfilezilla::, xrefs: 023EE1EC

Memory Dump Source

Source File: 00000000.00000002.2022153806.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23d0000_app.jbxd

Similarity

API ID: FreeHeap$CloseHandle
String ID: anydeskfilezilla::
API String ID: 1910495013-2519904345
Opcode ID: 039f19c315aebd36b4a6d14abcff934e01d7438df32077a21c76c995650bed7d
Instruction ID: a43ff5d0b8361c34d3e143cb6ddabbd3ad6600bed08ceb411e750d088946f174
Opcode Fuzzy Hash: 039f19c315aebd36b4a6d14abcff934e01d7438df32077a21c76c995650bed7d
Instruction Fuzzy Hash: DC513771608380DFDB34DF14D584B9ABBE1BB98314F10895EE58E57291DB31A949CF83

Uniqueness

Uniqueness Score: -1.00%

Function 00427FD8 Relevance: 6.1, APIs: 4, Instructions: 103stringtimeCOMMON

Download Yara Rule

APIs

lstrcpynA.KERNEL32(?,?,00000104), ref: 00428003
GetFileTime.KERNEL32(?,?,?,?), ref: 00428025
GetFileSize.KERNEL32(?,00000000), ref: 00428033
GetFileAttributesA.KERNEL32(?), ref: 0042805D

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: File$AttributesSizeTimelstrcpyn
String ID:
API String ID: 1499663573-0
Opcode ID: 8ed929e8840cf0571f25e06b926dfc94d164733cbe60adf04c0cc376b6f90c85
Instruction ID: 0f9157c03447155b879e481d300035be14b4a7e9415b58b015406b8be03fdab5
Opcode Fuzzy Hash: 8ed929e8840cf0571f25e06b926dfc94d164733cbe60adf04c0cc376b6f90c85
Instruction Fuzzy Hash: C0415E75600614AFC724DF64E880CABB7F4FF083103508A2EE1A693691EB34F949CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00420BD0 Relevance: 6.1, APIs: 4, Instructions: 94COMMON

Download Yara Rule

APIs

Part of subcall function 0041E91D: VirtualQuery.KERNEL32(?,?,0000001C), ref: 0041E937
Part of subcall function 0041E91D: GetSystemInfo.KERNEL32(?,?,?,0000001C), ref: 0041E948
Part of subcall function 0041E91D: VirtualQuery.KERNEL32(?,?,0000001C,?,?,0000001C), ref: 0041E98E

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000004,00000064,00000000,?,0041FB6C,00000000,00000000,00000000,00000000,00000000,?,0041DD55,00000007), ref: 00420C13
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,004151C7,00000000,00000000,?,0041FB6C,00000000,00000000,00000000,00000000,00000000,?,0041DD55,00000007), ref: 00420C30
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,004151C7,?,00000000,?,0041FB6C,00000000,00000000,00000000,00000000,00000000,?,0041DD55,00000007), ref: 00420CA6
CompareStringW.KERNEL32(?,?,00000064,00000000,?,00000000,?,00000000,?,0041FB6C,00000000,00000000,00000000,00000000,00000000), ref: 00420CBC

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: ByteCharMultiWide$QueryVirtual$CompareInfoStringSystem
String ID:
API String ID: 1997773198-0
Opcode ID: b5c51588650a37d4d1cb3d5db00bbc7826fd7714118cecf2b9c72995b1b9842b
Instruction ID: 03b7f2b66f2d75cf62d1d1e7f9f5aea8b6d3942825eff640f69c1656141198f9
Opcode Fuzzy Hash: b5c51588650a37d4d1cb3d5db00bbc7826fd7714118cecf2b9c72995b1b9842b
Instruction Fuzzy Hash: C431BC72900218EBCF25DF91DD45BDEBBB5FF08714FA0021AF814A62A1C7399992DB58

Uniqueness

Uniqueness Score: -1.00%

Function 00426AEC Relevance: 6.1, APIs: 4, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000000,000000F0,00000000,00000000), ref: 00426B1D
SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 00426B60
SendMessageA.USER32(00000000,000000F0,00000000,00000000), ref: 00426B95
SendMessageA.USER32(00000000,000000F1,00000000,00000000), ref: 00426BB9

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: d1cd1edd8aebf657208b84a0c5c289419f7b47b2a8eecfcaa9bf4f1bc9fb4320
Instruction ID: 3f5e675f55d4a702bf8c1dec3373815d05f2456b451231204fc43b2a1b7b8f7a
Opcode Fuzzy Hash: d1cd1edd8aebf657208b84a0c5c289419f7b47b2a8eecfcaa9bf4f1bc9fb4320
Instruction Fuzzy Hash: D0215331740239EBCA219E06ECC0F277F6DEB45744F97446BF941A7351CA26BC40D6A9

Uniqueness

Uniqueness Score: -1.00%

Function 0041AAD5 Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

___initmbctable.LIBCMT ref: 0041AAE2
_strlen.LIBCMT ref: 0041AAFB
_strlen.LIBCMT ref: 0041AB34
_strcat.LIBCMT ref: 0041AB51

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: _strlen$___initmbctable_strcat
String ID:
API String ID: 109824703-0
Opcode ID: b66f0f1f44d3e18dccc17556631110f1c47ce8ced5cbe7ee97567bf552962841
Instruction ID: edfa828b84deb13965c1780a4a3bc283f2788126ec868cd6f67e178d54800aad
Opcode Fuzzy Hash: b66f0f1f44d3e18dccc17556631110f1c47ce8ced5cbe7ee97567bf552962841
Instruction Fuzzy Hash: 2A113A7640E088DDD720AF35AC509DA3796EB023B4725023FE6A583151DB7D68D2C78E

Uniqueness

Uniqueness Score: -1.00%

Function 00411044 Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00411049
GetDC.USER32(?), ref: 00411082
CreateRectRgnIndirect.GDI32(?), ref: 004110C5

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: CreateH_prologIndirectRect
String ID:
API String ID: 2123978231-0
Opcode ID: 2569996c3e6fedae5f4997debf53dedfd3a986ba6360513663fe455394ac179b
Instruction ID: d54e3d1473b0d2deaccf452e2b84d05e55222552c863c9364fff6d2750bb1f43
Opcode Fuzzy Hash: 2569996c3e6fedae5f4997debf53dedfd3a986ba6360513663fe455394ac179b
Instruction Fuzzy Hash: 01214B71E00229DFCB11DFA4D9849DEB7B8EB08744F50806AE901AB251C774AE85CFB5

Uniqueness

Uniqueness Score: -1.00%

Function 0042A0ED Relevance: 6.1, APIs: 4, Instructions: 71registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000001,00443500,00000000,00000001,?), ref: 0042A130
RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,00000004), ref: 0042A150
RegCloseKey.ADVAPI32(?), ref: 0042A194
RegCloseKey.ADVAPI32(00000000), ref: 0042A1AA

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: Close$OpenQueryValue
String ID:
API String ID: 1607946009-0
Opcode ID: e01145a01794671db8f5410ae6055daedd9c25c5f260b156cd7b5aa0a6d2c763
Instruction ID: dc5cdb4f54a3a496b110042336def724de51f15833206d37b3068f0c10fa97b6
Opcode Fuzzy Hash: e01145a01794671db8f5410ae6055daedd9c25c5f260b156cd7b5aa0a6d2c763
Instruction Fuzzy Hash: 07215C71E00214EFDB21CF95EC44ABEFBB8EF50314F9040AAE905A6211D3745A25DF6A

Uniqueness

Uniqueness Score: -1.00%

Function 0041118C Relevance: 6.1, APIs: 4, Instructions: 65COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00411191
GetRgnBox.GDI32(?,?), ref: 004111D2
IntersectRect.USER32(?,?,?), ref: 004111E7
EqualRect.USER32(?,?), ref: 004111F5

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: Rect$EqualH_prologIntersect
String ID:
API String ID: 2227276553-0
Opcode ID: 8049af2c9bc39f3b1f89f76f96636985975a8951ba38d7189fc57d12bef8085b
Instruction ID: 4f953d2f79d3e31144268cefd0878d26dd0bbf6767da500f2c2b2cfc2fc991a2
Opcode Fuzzy Hash: 8049af2c9bc39f3b1f89f76f96636985975a8951ba38d7189fc57d12bef8085b
Instruction Fuzzy Hash: F92115B2A01219EFCB11EFA1D984DDEBBB8FF08354B50816AF911E3210D734AE45CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00422D1A Relevance: 6.1, APIs: 4, Instructions: 57COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(?,00000000,00000005), ref: 00422D40
LoadResource.KERNEL32(?,00000000), ref: 00422D48
LockResource.KERNEL32(00000000), ref: 00422D5A
FreeResource.KERNEL32(00000000), ref: 00422DA4

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: 0603fb92bcd478c8b805d9f6208dcb30c6965e4ad22ab062ac3084de4d362369
Instruction ID: 37e77f0d580c985eccbe4e444c991a434d904d033160aeb73e9ee784c397293c
Opcode Fuzzy Hash: 0603fb92bcd478c8b805d9f6208dcb30c6965e4ad22ab062ac3084de4d362369
Instruction Fuzzy Hash: 4E118279611722FFC7309F54EA48AABB774FF04755F80406AE80253750D7B8AD45C7A8

Uniqueness

Uniqueness Score: -1.00%

Function 0042728D Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002), ref: 004272C1
GetCurrentProcess.KERNEL32(?,00000000), ref: 004272C7
DuplicateHandle.KERNEL32(00000000), ref: 004272CA
GetLastError.KERNEL32(?), ref: 004272E5

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: CurrentProcess$DuplicateErrorHandleLast
String ID:
API String ID: 3907606552-0
Opcode ID: 61c7e7d9b6b474a063e6b9c6d7eaf6789762496f64cb53e64a4fe5b19839d303
Instruction ID: 46fbf665e5fe45f0ecf4fbdd7c511345cd6b3779fbaa23856ba3fec1c6fd91d8
Opcode Fuzzy Hash: 61c7e7d9b6b474a063e6b9c6d7eaf6789762496f64cb53e64a4fe5b19839d303
Instruction Fuzzy Hash: 4101B131704210ABDB209BA5ED4AF1A7BA9EF84320F904566FA05CB281DA75DC01C774

Uniqueness

Uniqueness Score: -1.00%

Function 00425AE3 Relevance: 6.1, APIs: 4, Instructions: 52windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000001F,00000000,00000000), ref: 00425B0D
SendMessageA.USER32(?,0000001F,00000000,00000000), ref: 00425B2F
GetCapture.USER32 ref: 00425B41
SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 00425B50

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: MessageSend$Capture
String ID:
API String ID: 1665607226-0
Opcode ID: 41ba8c012cf105ab7cfabcbff710673018262f8e0ce4aae3eb8d127922dae7ed
Instruction ID: 30d2a2513be581f839b2656ca0720de834e8737dd73f72248518bd740216b687
Opcode Fuzzy Hash: 41ba8c012cf105ab7cfabcbff710673018262f8e0ce4aae3eb8d127922dae7ed
Instruction Fuzzy Hash: 2F016D703407187FFA302B15ACC9FBB76ADDB88788F914039F341EA1D2C6A59C055A64

Uniqueness

Uniqueness Score: -1.00%

Function 00429689 Relevance: 6.0, APIs: 4, Instructions: 50registryCOMMON

Download Yara Rule

APIs

RegSetValueExA.ADVAPI32(00000000,?,00000000,00000004,?,00000004,?,?), ref: 004296C0
RegCloseKey.ADVAPI32(00000000,?,?), ref: 004296C9
wsprintfA.USER32 ref: 004296E5
WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 004296FB

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: ClosePrivateProfileStringValueWritewsprintf
String ID:
API String ID: 1902064621-0
Opcode ID: 927a4f46756840b7d5d769d63706027d2597c3eeb89ddb1f9a2eacf531248ca7
Instruction ID: a5194eaa5d267bfce1f697c3276f513d5c4f67dce319ffc6cf3dff497de3ed65
Opcode Fuzzy Hash: 927a4f46756840b7d5d769d63706027d2597c3eeb89ddb1f9a2eacf531248ca7
Instruction Fuzzy Hash: D3018B32600219FBCB11DFA4ED05F9F7BB9BF48708F90403AFA11AA150DB75DA119B98

Uniqueness

Uniqueness Score: -1.00%

Function 00424FBF Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

GetTopWindow.USER32(?), ref: 00424FCD
GetTopWindow.USER32(00000000), ref: 0042500C
GetWindow.USER32(00000000,00000002), ref: 0042502A

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 6642e3dc04a849abbdc9febbdb983b15e036c38badf80aee8fee512f8d387543
Instruction ID: e8fda6cfe15639f69245f96e4c32ccf3e247865d1e166a8c34f89f462bfd62a7
Opcode Fuzzy Hash: 6642e3dc04a849abbdc9febbdb983b15e036c38badf80aee8fee512f8d387543
Instruction Fuzzy Hash: 4501003220152ABBCF226F91ED09E9F3B25EF89350F854025FE1055161D73AC932EBE9

Uniqueness

Uniqueness Score: -1.00%

Function 00424A31 Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00424A3C
GetTopWindow.USER32(00000000), ref: 00424A4F

Part of subcall function 00424A31: GetWindow.USER32(00000000,00000002), ref: 00424A96

GetTopWindow.USER32(?), ref: 00424A7F

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: Window$Item
String ID:
API String ID: 369458955-0
Opcode ID: b9f3f23133e0281108d4f9682040040fb4f1f4bc896dd1d0bc87f1e1c94142e9
Instruction ID: 24d9463ce005fff643b8f741c0515ee5154fda0862fcd9038226e8ac00ae5952
Opcode Fuzzy Hash: b9f3f23133e0281108d4f9682040040fb4f1f4bc896dd1d0bc87f1e1c94142e9
Instruction Fuzzy Hash: 37014432381536BB8F326B52AC04E9F3A69DFD53A4BD14036FE1055211E739C921969D

Uniqueness

Uniqueness Score: -1.00%

Function 0042B50D Relevance: 6.0, APIs: 4, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

SysStringLen.OLEAUT32(?), ref: 0042B521
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,?,?,0042CE8B,00000000), ref: 0042B537
SysAllocStringByteLen.OLEAUT32(00000000,00000000), ref: 0042B53F
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,00000000,?,00000000,00000000,?,?,?,?,0042CE8B,00000000), ref: 0042B554

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: Byte$CharMultiStringWide$Alloc
String ID:
API String ID: 3384502665-0
Opcode ID: ebc8b17013044a55624bf79895947c7aba81f2b12cff67d93ce8b63f0bf7c138
Instruction ID: 753ad0f5e46b68682b0d373a57b70d68207eba0a8fe5c42bdb6e2b9dfc4e7a6e
Opcode Fuzzy Hash: ebc8b17013044a55624bf79895947c7aba81f2b12cff67d93ce8b63f0bf7c138
Instruction Fuzzy Hash: 11F0B471207234BF92209B669C48CABBFACFE8B3A4B50453AF544C2100C3755801CBF9

Uniqueness

Uniqueness Score: -1.00%

Function 0040905D Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

QueryPerformanceFrequency.KERNEL32(?), ref: 00409067
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00409081
QueryPerformanceCounter.KERNEL32(?,00000000,?,?,00000000,?,?,000003E8,00000000), ref: 004090A0
QueryPerformanceCounter.KERNEL32(?,?,?,00000000,?,?,000003E8,00000000), ref: 004090A6

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: PerformanceQuery$Counter$FrequencyUnothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 4274601313-0
Opcode ID: 173bd0ea550015c7c751bb5befa3e646e50c54cb8a35351780cf122b793eb8bc
Instruction ID: 9b00112076147fc073e2cec24ef5242f1fd16e6971c6a05a11b588fc8eba46da
Opcode Fuzzy Hash: 173bd0ea550015c7c751bb5befa3e646e50c54cb8a35351780cf122b793eb8bc
Instruction Fuzzy Hash: 6FF06D76A00208BBCF10ABE9DC85EEF7BBDEB84710F100476A600F3181D675A9458AA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041111A Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

IntersectRect.USER32(?,00000000,?), ref: 0041114B
EqualRect.USER32(?,00000000), ref: 00411158
IsRectEmpty.USER32(?), ref: 00411162
InvalidateRect.USER32(?,?,?), ref: 0041117F

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: Rect$EmptyEqualIntersectInvalidate
String ID:
API String ID: 3354205298-0
Opcode ID: b96f505ea3630a247bd448bdacb66984f0b113bced7556e7e02f6fbeb0dcfbd3
Instruction ID: 4fe3f08868a5226f7d3e4c173db8bd2c93613d59b8a0c76e427b94b244e74582
Opcode Fuzzy Hash: b96f505ea3630a247bd448bdacb66984f0b113bced7556e7e02f6fbeb0dcfbd3
Instruction Fuzzy Hash: 49010C71A0011AEBCF11DFA4DC48E9BB7BDFF09314F808472FA15D6110D275A51A8B64

Uniqueness

Uniqueness Score: -1.00%

Function 004090C3 Relevance: 6.0, APIs: 4, Instructions: 43COMMON

Download Yara Rule

APIs

QueryPerformanceFrequency.KERNEL32(?), ref: 004090CD
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004090E7
QueryPerformanceCounter.KERNEL32(?,00000000,?,?,00000000,?,?,000003E8,00000000), ref: 00409106
QueryPerformanceCounter.KERNEL32(?,?,?,00000000,?,?,000003E8,00000000), ref: 0040910C

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: PerformanceQuery$Counter$FrequencyUnothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 4274601313-0
Opcode ID: 6be7badd7bad8b08e9e2c94143a38613ba85cc63ccc8eb43999f4e61355f9fc2
Instruction ID: 871cbde0123bd9a00944affa39dc517997de1d643d08efdba11b3d0f97e0b9e4
Opcode Fuzzy Hash: 6be7badd7bad8b08e9e2c94143a38613ba85cc63ccc8eb43999f4e61355f9fc2
Instruction Fuzzy Hash: 56F06D36A0021DBBDF10EBE8CC85EEF7B7DEB84350F500476E200E6180D674A9458BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0042633E Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(?,?,000000F0), ref: 00426360
LoadResource.KERNEL32(?,00000000,?,?,?,?,00422CD3,?,?,00401A10,?,?,?,?,?,0042DD38), ref: 0042636C
LockResource.KERNEL32(00000000,?,?,?,?,00422CD3,?,?,00401A10,?,?,?,?,?,0042DD38,000000FF), ref: 00426379
FreeResource.KERNEL32(00000000,?,?,?,?,00422CD3,?,?,00401A10,?,?,?,?,?,0042DD38,000000FF), ref: 00426394

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: 4c303f29aad7c5551cea9d80b4e0defa102d9efb6e724846d62db9275e0aa396
Instruction ID: 76cf06ceb5d42f02d60e4406da92eb06dd1ed344124334fc899015a258015dc8
Opcode Fuzzy Hash: 4c303f29aad7c5551cea9d80b4e0defa102d9efb6e724846d62db9275e0aa396
Instruction Fuzzy Hash: 40F0F63A3012229B83205FA66C4497BB7ACEFC67627C6007AFD08C2211DF258C06857C

Uniqueness

Uniqueness Score: -1.00%

Function 004226AE Relevance: 6.0, APIs: 4, Instructions: 41windowCOMMON

Download Yara Rule

APIs

EnableMenuItem.USER32(?,?,?), ref: 004226D9
GetFocus.USER32 ref: 004226EC
GetParent.USER32(?), ref: 004226FA
SendMessageA.USER32(?,00000028,00000000,00000000), ref: 0042270F

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: EnableFocusItemMenuMessageParentSend
String ID:
API String ID: 2297321873-0
Opcode ID: d719d4f1826348346d23ac329250c9ff44aabbd6e9454e1dd4734ed6490b57f8
Instruction ID: 617dea23d70acb73f8f92018a64976e9019581151da9ed12eae54fe0019a468e
Opcode Fuzzy Hash: d719d4f1826348346d23ac329250c9ff44aabbd6e9454e1dd4734ed6490b57f8
Instruction Fuzzy Hash: 0E015E31204610ABDB389F10ED49F56BBB0EF90755F90863EF142921E0CBB4A895CA48

Uniqueness

Uniqueness Score: -1.00%

Function 00426BC2 Relevance: 6.0, APIs: 4, Instructions: 40stringCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00426BC7
GetWindowTextA.USER32(?,?,?), ref: 00426BDF
lstrcpynA.KERNEL32(?,?,?), ref: 00426C15
lstrlenA.KERNEL32(?), ref: 00426C1E

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: H_prologTextWindowlstrcpynlstrlen
String ID:
API String ID: 3022380644-0
Opcode ID: c2260954adad8a7ac6653c1720aaf20a11d8d94ac19766ad48223eb80a2c8fb0
Instruction ID: 92ca4580e9c1d62aa3d8050f9c04bbde3212ba858a07986cc1264f4f20614cf9
Opcode Fuzzy Hash: c2260954adad8a7ac6653c1720aaf20a11d8d94ac19766ad48223eb80a2c8fb0
Instruction Fuzzy Hash: A9019E35610228EFCF119FA4DC08AAEBBB1FF08314F408969F5169B261CB35A910DF94

Uniqueness

Uniqueness Score: -1.00%

Function 0041FDAF Relevance: 6.0, APIs: 4, Instructions: 38COMMON

Download Yara Rule

APIs

___addl.LIBCMT ref: 0041FDBE
___addl.LIBCMT ref: 0041FDD2
___addl.LIBCMT ref: 0041FDEA
___addl.LIBCMT ref: 0041FE02

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: ___addl
String ID:
API String ID: 2260456530-0
Opcode ID: 840ca81f9e954cee5d234986506e41ea314501c8c1644bea52ef9ccbba36ec9c
Instruction ID: 619351973d3273d478a4b8b93c8570466528139478c8ccff69c0fcdedee7c080
Opcode Fuzzy Hash: 840ca81f9e954cee5d234986506e41ea314501c8c1644bea52ef9ccbba36ec9c
Instruction Fuzzy Hash: 8DF04F76500102AFDA115B52EC01DE7B7A9EF48304B04447AFD9B82132E722E8AECB55

Uniqueness

Uniqueness Score: -1.00%

Function 00428CB2 Relevance: 6.0, APIs: 4, Instructions: 35stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?), ref: 00428CCA
GetWindowTextA.USER32(?,?,00000100), ref: 00428CE6
lstrcmpA.KERNEL32(?,?), ref: 00428CFA
SetWindowTextA.USER32(?,?), ref: 00428D0A

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: TextWindow$lstrcmplstrlen
String ID:
API String ID: 330964273-0
Opcode ID: e7043af6485233e72652ee463e779a3a2077c7ee8e68495221b17dea8af2fa28
Instruction ID: ab625cd30283d468c6a5a3a0154dbe0d4626f66796105f6a39e5641a5fe47872
Opcode Fuzzy Hash: e7043af6485233e72652ee463e779a3a2077c7ee8e68495221b17dea8af2fa28
Instruction Fuzzy Hash: 35F06D75600018EBCF21AF60ED449CE7BB9EF18358F808072F909D62A0DB74DE59DB48

Uniqueness

Uniqueness Score: -1.00%

Function 0042C0F6 Relevance: 6.0, APIs: 4, Instructions: 21COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 0042C118
GetTickCount.KERNEL32 ref: 0042C125
CoFreeUnusedLibraries.OLE32 ref: 0042C134
GetTickCount.KERNEL32 ref: 0042C13A

Part of subcall function 0042C09F: CoFreeUnusedLibraries.OLE32(00000000,0042C17F,00000000,?,?,004119DD), ref: 0042C0E3
Part of subcall function 0042C09F: OleUninitialize.OLE32(?,?,004119DD), ref: 0042C0E9

Memory Dump Source

Source File: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: CountTick$FreeLibrariesUnused$Uninitialize
String ID:
API String ID: 685759847-0
Opcode ID: b5874d32bad5070bf434eb1db7257aa41fe591bf19fa899e05926cb079051f1c
Instruction ID: fa01731afa84a5c76d3ef70e4e48df64ef66ba0b78331b06acedfa9e6f689827
Opcode Fuzzy Hash: b5874d32bad5070bf434eb1db7257aa41fe591bf19fa899e05926cb079051f1c
Instruction Fuzzy Hash: C9E0E534A04224DAE724AF74FC8932D7AA4EB56311FD1883BD041A2162C73858D5CE9E

Uniqueness

Uniqueness Score: -1.00%

Function 0245317D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 194COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0245320D

Strings

pow, xrefs: 024531E5, 02453202

Memory Dump Source

Source File: 00000000.00000002.2022153806.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23d0000_app.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 93dfda981a4b14004b6ff15b32cc37b99e3d8104a58dd699a4615b721fda016b
Instruction ID: eb3fa6981009fdcfd8a069672bf6ce298922626ad84c794e9e64b91dbdf8603f
Opcode Fuzzy Hash: 93dfda981a4b14004b6ff15b32cc37b99e3d8104a58dd699a4615b721fda016b
Instruction Fuzzy Hash: 8D514961E1492196CB167F18CD4136F2FA4EB40785F208D9FECD5463ABEF3484D6CA46

Uniqueness

Uniqueness Score: -1.00%

Function 0042CD81 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 162COMMON

Download Yara Rule

APIs

VariantChangeType.OLEAUT32(?,?,00000000,00000008), ref: 0042CE4E
SysFreeString.OLEAUT32(00000000), ref: 0042CE7B

Strings

`)u, xrefs: 0042CE7B

Memory Dump Source

Source File: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: ChangeFreeStringTypeVariant
String ID: `)u
API String ID: 396703022-4279031584
Opcode ID: 22381c88c2993f67874b90b8de5b1c7ed24da80b6e180f483c99e3a72345c273
Instruction ID: 40dcccd1e1420cb51b3b7de2da0c674f284437aff5cc691cd8ccc4e40ea488f4
Opcode Fuzzy Hash: 22381c88c2993f67874b90b8de5b1c7ed24da80b6e180f483c99e3a72345c273
Instruction Fuzzy Hash: 8E519170A0026ADBCB20DF14E5C07AE7BB1EF04350F95806AE95A9B391D37CDD81CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00417BB3 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 126COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 00417BD2

Strings

, xrefs: 00417BF9
, xrefs: 00417C20

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: Info
String ID: $
API String ID: 1807457897-3032137957
Opcode ID: ea25d807aac96f0c9d0dd241a4ad9b12794653fbfb175f80958580c13e1a6fab
Instruction ID: 25a5130d2be980f96d16b4b058943b934398b817a05338b1aaa33722a9e7f48b
Opcode Fuzzy Hash: ea25d807aac96f0c9d0dd241a4ad9b12794653fbfb175f80958580c13e1a6fab
Instruction Fuzzy Hash: FD41563110929C9FEB519B28DC99BFB3BF8EF06304F2808E2D545CB192D72849C59BD8

Uniqueness

Uniqueness Score: -1.00%

Function 00406638 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 86COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040663D

Part of subcall function 004065A1: __EH_prolog.LIBCMT ref: 004065A6

Part of subcall function 0041608F: RaiseException.KERNEL32(?,?,0043F8F0,0043BD04,?,?,?,?,?,00421222,0043F8F0), ref: 004160BD

Strings

@, xrefs: 004066F7
FileCrypt ERROR: in CSHA::AddData(), Data Length should be > 0!, xrefs: 00406652

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: H_prolog$ExceptionRaise
String ID: @$FileCrypt ERROR: in CSHA::AddData(), Data Length should be > 0!
API String ID: 2062786585-1065258333
Opcode ID: 0781dca04871273c85f8855a6e1c48621275807cf1f6e6bfa0d3047ba581c293
Instruction ID: 997981e73dc8d4110a09ec7aad4227e8c5bcdd091e05a99c1524a72cbd23f3f4
Opcode Fuzzy Hash: 0781dca04871273c85f8855a6e1c48621275807cf1f6e6bfa0d3047ba581c293
Instruction Fuzzy Hash: 34212EB2900204ABCB149B66CC81EAE7764FB5435CF01053FF907A61D1D73ADA65C75C

Uniqueness

Uniqueness Score: -1.00%

Function 0041C271 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

__shift.LIBCMT ref: 0041C294

Part of subcall function 0041C254: _strlen.LIBCMT ref: 0041C25C

_strcat.LIBCMT ref: 0041C2D1

Strings

e+000, xrefs: 0041C2C3

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: __shift_strcat_strlen
String ID: e+000
API String ID: 208078240-1027065040
Opcode ID: cd828e09e77ec3b97e28114ddc337a5d9a52fed1df3e5244fcbc15e30809a79e
Instruction ID: 38f90e8ae88eef296e2822a328e7788b1c4cd163f5aa6413e82ee0272c96d7f9
Opcode Fuzzy Hash: cd828e09e77ec3b97e28114ddc337a5d9a52fed1df3e5244fcbc15e30809a79e
Instruction Fuzzy Hash: 5121C0322883948FD71A5E789CD07E63BD05B07758F1C84EFE489CA292D679C885C759

Uniqueness

Uniqueness Score: -1.00%

Function 0041AD08 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

___initmbctable.LIBCMT ref: 0041AD1A
GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\app.exe,00000104,75920A60,00000000,?,?,?,?,00415EFD,?,0043A478,00000060), ref: 0041AD32

Strings

C:\Users\user\Desktop\app.exe, xrefs: 0041AD2B, 0041AD30

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: FileModuleName___initmbctable
String ID: C:\Users\user\Desktop\app.exe
API String ID: 767393020-886552919
Opcode ID: 66673b88aeac30b5862c7f19f0dfac2f7032082bc53584202ad8921e1cff1ff6
Instruction ID: 614c3b4fec6d9241ade8c6b785d03dc512eb996b59ee3b151466fb442cd8355e
Opcode Fuzzy Hash: 66673b88aeac30b5862c7f19f0dfac2f7032082bc53584202ad8921e1cff1ff6
Instruction Fuzzy Hash: 7711E3B6A05204AFDB11CBA5AC819DB3BB8EB56361B10017BF905D3241DB74AD84CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0040A0A4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

_strcat.LIBCMT ref: 0040A0BD
GetVersionExA.KERNEL32(?), ref: 0040A0E9

Part of subcall function 00409F46: CreateFileA.KERNEL32(?,00000000,00000003,00000000,00000003,00000000,00000000), ref: 00409F80
Part of subcall function 00409F46: DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00002710,?,00000000), ref: 00409FD6
Part of subcall function 00409F46: _strcat.LIBCMT ref: 00409FFC
Part of subcall function 00409F46: _strcat.LIBCMT ref: 0040A03C
Part of subcall function 00409F46: CloseHandle.KERNEL32(00000000), ref: 0040A044

Strings

WD-W, xrefs: 0040A10B

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: _strcat$CloseControlCreateDeviceFileHandleVersion
String ID: WD-W
API String ID: 1168194892-3576189859
Opcode ID: 6485ba225224145f7282db6a22674a520dc022f6170582840d3fcbc66630374b
Instruction ID: 02ce6297c30ed129adb8a0b18ce49833eff85ca45758082e872317efe92cca16
Opcode Fuzzy Hash: 6485ba225224145f7282db6a22674a520dc022f6170582840d3fcbc66630374b
Instruction Fuzzy Hash: 1701A271D0031466DB30A760AD06BCE76689B0631CF5040F6E588B62C2E77C9E98C79E

Uniqueness

Uniqueness Score: -1.00%

Function 00402EF0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31stringCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00402EF5
lstrlenA.KERNEL32(?,?,0040311A,?,00430E0C,00000000,?,00000008,?,?,?), ref: 00402F14

Strings

(1D, xrefs: 00402F00

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: H_prologlstrlen
String ID: (1D
API String ID: 2133942097-2129874033
Opcode ID: 498eaf7c655ea821dde00ffa2611ecd78ada88d880f139fa2e0e9697808eeb0f
Instruction ID: c5187753b58a16d9c3fce4efe3554a6c0a3d2b53ae8d320a7dd5f9bf66fc5ee2
Opcode Fuzzy Hash: 498eaf7c655ea821dde00ffa2611ecd78ada88d880f139fa2e0e9697808eeb0f
Instruction Fuzzy Hash: 1BF0EC7590021AEFCF04DFA0C955DAEB775FB58348F00853EB825A7690DB759A14CF14

Uniqueness

Uniqueness Score: -1.00%

Function 0040B4CB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 23windowCOMMON

Download Yara Rule

APIs

FormatMessageA.KERNEL32(00001100,00000000,00000000), ref: 0040B4ED
LocalFree.KERNEL32(?), ref: 0040B509

Strings

%s: %s, xrefs: 0040B4F9

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: FormatFreeLocalMessage
String ID: %s: %s
API String ID: 1427518018-482213395
Opcode ID: cb34f2c211801dad6e02dc7f0dafd164b821e9fb1e5606d2b24e1b197d6c7187
Instruction ID: 35399d86799f3bd421e0b29904ac2acc2a0d57492efff96d11af9728831ada6b
Opcode Fuzzy Hash: cb34f2c211801dad6e02dc7f0dafd164b821e9fb1e5606d2b24e1b197d6c7187
Instruction Fuzzy Hash: A1E04F75680208FBEB115BC0ED07FDE7B38EB09745F600070FB00A80E1D6B26A14AB6D

Uniqueness

Uniqueness Score: -1.00%

Function 0041BA0E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 17COMMON

Download Yara Rule

APIs

__lock.LIBCMT ref: 0041BA2B

Part of subcall function 0041882A: EnterCriticalSection.KERNEL32(?,?,?,0041540F,00000004,0043A458,0000000C,00418764,75920A60,?,00419CD6,00419D7E,00415EBE,?,0043A478,00000060), ref: 00418852

EnterCriticalSection.KERNEL32(?,004168F0,?,?,?,?,?,?,?,0043A4D0,0000000C), ref: 0041BA36

Strings

XID, xrefs: 0041BA12

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: CriticalEnterSection$__lock
String ID: XID
API String ID: 3410214836-3454326751
Opcode ID: d75ff1193b72c636b3f216a0aadf09c9e39ff4a5fc81b7c8c8ee2b59ae0aedc0
Instruction ID: 5e82b271eee8a0f74b3b7c1547633c1310f9165c1a2d30d2714a1c7388a6a4bf
Opcode Fuzzy Hash: d75ff1193b72c636b3f216a0aadf09c9e39ff4a5fc81b7c8c8ee2b59ae0aedc0
Instruction Fuzzy Hash: 71D022B360038283EF286671CE8974E2358EA803423A94C7FF041C2281DB3CEDD0C00C

Uniqueness

Uniqueness Score: -1.00%

Function 0243A3F0 Relevance: 5.2, APIs: 4, Instructions: 152memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0243A710: CloseHandle.KERNEL32(?), ref: 0243A7A6

HeapFree.KERNEL32(00000000,00000000), ref: 0243A5D0
HeapFree.KERNEL32(00000000,?), ref: 0243A5E1
HeapFree.KERNEL32(00000000,00000000), ref: 0243A615
HeapFree.KERNEL32(00000000,?), ref: 0243A626

Part of subcall function 0243A710: FindFirstFileW.KERNEL32(?,?), ref: 0243A8CD
Part of subcall function 0243A710: FindClose.KERNEL32(00000000), ref: 0243A8E0
Part of subcall function 0243A710: HeapFree.KERNEL32(00000000,?), ref: 0243A9F0
Part of subcall function 0243A710: HeapFree.KERNEL32(00000000,?), ref: 0243AA01

Memory Dump Source

Source File: 00000000.00000002.2022153806.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23d0000_app.jbxd

Similarity

API ID: FreeHeap$CloseFind$FileFirstHandle
String ID:
API String ID: 1603849924-0
Opcode ID: 2272c71ac61a3dd81031130a97738d95f861bb584f5e815ece5f17e9109c71b1
Instruction ID: b472764d3a8358d8f2d6ebe99d808aada89a7685a38fddc544ad086f4c0bb779
Opcode Fuzzy Hash: 2272c71ac61a3dd81031130a97738d95f861bb584f5e815ece5f17e9109c71b1
Instruction Fuzzy Hash: 0F71E571944B40DFE325CF29C948B52BBE0FF19318F009A5DE9DA8BA62D771B994CB40

Uniqueness

Uniqueness Score: -1.00%

Function 023F204D Relevance: 5.1, APIs: 4, Instructions: 67memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 023F224A: HeapFree.KERNEL32(00000000,?), ref: 023F22AD
Part of subcall function 023F224A: HeapFree.KERNEL32(00000000,?), ref: 023F22C7

HeapFree.KERNEL32(00000000,?), ref: 023F2137
HeapFree.KERNEL32(00000000,?), ref: 023F2154
HeapFree.KERNEL32(00000000,?), ref: 023F2187
CloseHandle.KERNEL32(?), ref: 023F219E

Part of subcall function 023F2374: HeapFree.KERNEL32(00000000,?,?,?,023FC1F4), ref: 023F2393

Memory Dump Source

Source File: 00000000.00000002.2022153806.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23d0000_app.jbxd

Similarity

API ID: FreeHeap$CloseHandle
String ID:
API String ID: 1910495013-0
Opcode ID: 7436d47da2220bba85a84bbd463799655207c145791b6b4c7c0d85b92ba03481
Instruction ID: 1896d00ba270a19b16913f86b694f6d46ecb0b351bdf2c94a838da824d152561
Opcode Fuzzy Hash: 7436d47da2220bba85a84bbd463799655207c145791b6b4c7c0d85b92ba03481
Instruction Fuzzy Hash: 4531DC71549B80DEEBBADB34E818BD7BBA16B12308F04081DD6EB051E5CBB42599CB02

Uniqueness

Uniqueness Score: -1.00%

Function 023F203F Relevance: 5.1, APIs: 4, Instructions: 65memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 023EC781: HeapFree.KERNEL32(00000000,?), ref: 023ED2DD
Part of subcall function 023EC781: HeapFree.KERNEL32(00000000,?), ref: 023ED32E

HeapFree.KERNEL32(00000000,?), ref: 023F2137
HeapFree.KERNEL32(00000000,?), ref: 023F2154
HeapFree.KERNEL32(00000000,?), ref: 023F2187
CloseHandle.KERNEL32(?), ref: 023F219E

Part of subcall function 023F2374: HeapFree.KERNEL32(00000000,?,?,?,023FC1F4), ref: 023F2393

Memory Dump Source

Source File: 00000000.00000002.2022153806.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23d0000_app.jbxd

Similarity

API ID: FreeHeap$CloseHandle
String ID:
API String ID: 1910495013-0
Opcode ID: 4bef0ae31bae90502e3c81627d86f792bbee16bd51f9c5fa7e4bedc45fcd1624
Instruction ID: 4e1cab68a044a973f37367e612ef4a5fa3dbc95667f0eb30c9ac6abeddb8c61c
Opcode Fuzzy Hash: 4bef0ae31bae90502e3c81627d86f792bbee16bd51f9c5fa7e4bedc45fcd1624
Instruction Fuzzy Hash: D731CD71549B80DEEBBADB34E818BD7BBE16B12308F04081DD6EB051E5CBB42559CF12

Uniqueness

Uniqueness Score: -1.00%

Function 023F2062 Relevance: 5.1, APIs: 4, Instructions: 65memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(00000000,?), ref: 023F2137
HeapFree.KERNEL32(00000000,?), ref: 023F2154
HeapFree.KERNEL32(00000000,?), ref: 023F2187
CloseHandle.KERNEL32(?), ref: 023F219E

Part of subcall function 023F2374: HeapFree.KERNEL32(00000000,?,?,?,023FC1F4), ref: 023F2393

Memory Dump Source

Source File: 00000000.00000002.2022153806.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23d0000_app.jbxd

Similarity

API ID: FreeHeap$CloseHandle
String ID:
API String ID: 1910495013-0
Opcode ID: e745eb650ba646566093b5f7d73ef7789397434affd1eb23f7e964ebcdd8a884
Instruction ID: fd15bdd9aa005943877665a3f5680d7856295188ddec097554bb816b97fb8cce
Opcode Fuzzy Hash: e745eb650ba646566093b5f7d73ef7789397434affd1eb23f7e964ebcdd8a884
Instruction Fuzzy Hash: A031CD71149B80DEEBBADB34E818BD7BBE16B12308F04081DD6EB051E5CBB42559CF12

Uniqueness

Uniqueness Score: -1.00%

Function 023F206F Relevance: 5.1, APIs: 4, Instructions: 64memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 023F2324: HeapFree.KERNEL32(00000000,?), ref: 023F234F
Part of subcall function 023F2324: HeapFree.KERNEL32(00000000,?), ref: 023F236C

HeapFree.KERNEL32(00000000,?), ref: 023F2137
HeapFree.KERNEL32(00000000,?), ref: 023F2154
HeapFree.KERNEL32(00000000,?), ref: 023F2187
CloseHandle.KERNEL32(?), ref: 023F219E

Part of subcall function 023F2374: HeapFree.KERNEL32(00000000,?,?,?,023FC1F4), ref: 023F2393

Memory Dump Source

Source File: 00000000.00000002.2022153806.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23d0000_app.jbxd

Similarity

API ID: FreeHeap$CloseHandle
String ID:
API String ID: 1910495013-0
Opcode ID: 0e1be897eb2b979f4619b931c69b15e2d75d0dbb8599f427f24b576f73885b9a
Instruction ID: 5f9f3e5d9b978b7c67123fc3d96fd29e55f5fd6ef7817cc22c06374003340da7
Opcode Fuzzy Hash: 0e1be897eb2b979f4619b931c69b15e2d75d0dbb8599f427f24b576f73885b9a
Instruction Fuzzy Hash: 9C31CD71549B80DEEBBADB34E818BD7BBE16B12308F44081DD6EB051E1CBB42559CB12

Uniqueness

Uniqueness Score: -1.00%

Function 023F201D Relevance: 5.1, APIs: 4, Instructions: 62memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 023F224A: HeapFree.KERNEL32(00000000,?), ref: 023F22AD
Part of subcall function 023F224A: HeapFree.KERNEL32(00000000,?), ref: 023F22C7

HeapFree.KERNEL32(00000000,?), ref: 023F2137
HeapFree.KERNEL32(00000000,?), ref: 023F2154
HeapFree.KERNEL32(00000000,?), ref: 023F2187
CloseHandle.KERNEL32(?), ref: 023F219E

Part of subcall function 023F2374: HeapFree.KERNEL32(00000000,?,?,?,023FC1F4), ref: 023F2393

Memory Dump Source

Source File: 00000000.00000002.2022153806.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23d0000_app.jbxd

Similarity

API ID: FreeHeap$CloseHandle
String ID:
API String ID: 1910495013-0
Opcode ID: 1b4cf0c473667cd3cf5f7651b7a0c9f76b8aaa1960cbe61811149101673fdb4d
Instruction ID: ad7c1167e65541759ee2451eafeed1161f2f217116b70be60a7503f53d6dda6a
Opcode Fuzzy Hash: 1b4cf0c473667cd3cf5f7651b7a0c9f76b8aaa1960cbe61811149101673fdb4d
Instruction Fuzzy Hash: 3A31BB71545B80DFEBBADB74E818BD7BBA1AB12308F04081DD6EB051E5CBB42599CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0042B9F1 Relevance: 5.1, APIs: 4, Instructions: 60COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 0042BA4E
LeaveCriticalSection.KERNEL32(?,?), ref: 0042BA5E
LocalFree.KERNEL32(?), ref: 0042BA67
TlsSetValue.KERNEL32(?,00000000), ref: 0042BA79

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: CriticalSection$EnterFreeLeaveLocalValue
String ID:
API String ID: 2949335588-0
Opcode ID: adc86d93950956f94ff1fa4b69a28a4dbd768d562191854466258b1d3a764b62
Instruction ID: c8599666faf44035fd4f326778121f3d69334d8a3193f5103dac8be459df7837
Opcode Fuzzy Hash: adc86d93950956f94ff1fa4b69a28a4dbd768d562191854466258b1d3a764b62
Instruction Fuzzy Hash: 3D116731700214EFD720CF54E884F6AB3B4FF05315F90802EE142876A1CB79AD51CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 023F2032 Relevance: 5.1, APIs: 4, Instructions: 60memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(00000000,?), ref: 023F2137
HeapFree.KERNEL32(00000000,?), ref: 023F2154
HeapFree.KERNEL32(00000000,?), ref: 023F2187
CloseHandle.KERNEL32(?), ref: 023F219E

Part of subcall function 023F2374: HeapFree.KERNEL32(00000000,?,?,?,023FC1F4), ref: 023F2393

Memory Dump Source

Source File: 00000000.00000002.2022153806.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23d0000_app.jbxd

Similarity

API ID: FreeHeap$CloseHandle
String ID:
API String ID: 1910495013-0
Opcode ID: d3b465360c70f5d90105b13eac8df75a8dbfd0673567532b97f0d7afc173ad74
Instruction ID: 2207acdc337426607fa903bf74583d4a54d7202cb19bdef86e22fba1a6ae6023
Opcode Fuzzy Hash: d3b465360c70f5d90105b13eac8df75a8dbfd0673567532b97f0d7afc173ad74
Instruction Fuzzy Hash: B331CE71145B80DEEBBADB74E818BD7BBE1AB12308F04081DD6EB051E5CBB42559DF06

Uniqueness

Uniqueness Score: -1.00%

Function 023F200F Relevance: 5.1, APIs: 4, Instructions: 60memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 023EC781: HeapFree.KERNEL32(00000000,?), ref: 023ED2DD
Part of subcall function 023EC781: HeapFree.KERNEL32(00000000,?), ref: 023ED32E

HeapFree.KERNEL32(00000000,?), ref: 023F2137
HeapFree.KERNEL32(00000000,?), ref: 023F2154
HeapFree.KERNEL32(00000000,?), ref: 023F2187
CloseHandle.KERNEL32(?), ref: 023F219E

Part of subcall function 023F2374: HeapFree.KERNEL32(00000000,?,?,?,023FC1F4), ref: 023F2393

Memory Dump Source

Source File: 00000000.00000002.2022153806.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23d0000_app.jbxd

Similarity

API ID: FreeHeap$CloseHandle
String ID:
API String ID: 1910495013-0
Opcode ID: 3edb992a036c607d52959a7bb1903dfdde0df26b3d1bb48f73844fb4779decd5
Instruction ID: 9bfc8a2c38376e65e0000ee6c471bb5a26487f03223951a50fbce02619006e3a
Opcode Fuzzy Hash: 3edb992a036c607d52959a7bb1903dfdde0df26b3d1bb48f73844fb4779decd5
Instruction Fuzzy Hash: EE31CC71545B80DEEBBADB74E818BD7BBA1AB12308F04081DD6EB051E5CB742559CB02

Uniqueness

Uniqueness Score: -1.00%

Function 00418C51 Relevance: 5.1, APIs: 4, Instructions: 57memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapReAlloc.KERNEL32(00000000,00000050,75920A60,00419242,75920A60,?,76EAFC30), ref: 00418C78
HeapAlloc.KERNEL32(00000008,000041C4,00000000,75920A60,00419242,75920A60,?,76EAFC30), ref: 00418CB1
VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004), ref: 00418CCF
HeapFree.KERNEL32(00000000,?), ref: 00418CE6

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: AllocHeap$FreeVirtual
String ID:
API String ID: 3499195154-0
Opcode ID: 781063ac87fbfd1d4cad2045dae12bfd37df52046da3970f80f829b7a7e5edd2
Instruction ID: 00585c3f01842366698a5c53355d7c0cceb2ecdc2162a53b836031793970d5b4
Opcode Fuzzy Hash: 781063ac87fbfd1d4cad2045dae12bfd37df52046da3970f80f829b7a7e5edd2
Instruction Fuzzy Hash: E9116D742426029FDB718F28FC85D627BB6F7927607A4463EF252C21B0E7709846CF68

Uniqueness

Uniqueness Score: -1.00%

Function 023F21B2 Relevance: 5.1, APIs: 4, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(00000000,?), ref: 023F2137
HeapFree.KERNEL32(00000000,?), ref: 023F2154
HeapFree.KERNEL32(00000000,?), ref: 023F2187
CloseHandle.KERNEL32(?), ref: 023F219E

Part of subcall function 023F2374: HeapFree.KERNEL32(00000000,?,?,?,023FC1F4), ref: 023F2393

Memory Dump Source

Source File: 00000000.00000002.2022153806.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23d0000_app.jbxd

Similarity

API ID: FreeHeap$CloseHandle
String ID:
API String ID: 1910495013-0
Opcode ID: f7a47db7c4b0d72e15771584b05b7481132e94a4049a2523eea03c4eb2d64e67
Instruction ID: b95b0be40eea4950a52bfab261929e224fe13ea64ffb0be7a1260ec612d41926
Opcode Fuzzy Hash: f7a47db7c4b0d72e15771584b05b7481132e94a4049a2523eea03c4eb2d64e67
Instruction Fuzzy Hash: EC21F731145B40EFEBBA9B74E808BD7BBA1BF12308F04081DD6DB051E1CB75255ADB56

Uniqueness

Uniqueness Score: -1.00%

Function 023ED055 Relevance: 5.0, APIs: 4, Instructions: 50memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(00000000,?), ref: 023ED098
HeapFree.KERNEL32(00000000,?), ref: 023ED0B5
HeapFree.KERNEL32(00000000,?), ref: 023ED0FF
HeapFree.KERNEL32(00000000,?), ref: 023ED118

Memory Dump Source

Source File: 00000000.00000002.2022153806.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 023D0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_23d0000_app.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 9f523c772d66fdd4040073545b0759b3dec112a99356eec2c930289ab06d40bb
Instruction ID: bb58cab6707e048af81e2b881ee3f4db6801c06fc6ddfe818c3de45ceffee36b
Opcode Fuzzy Hash: 9f523c772d66fdd4040073545b0759b3dec112a99356eec2c930289ab06d40bb
Instruction Fuzzy Hash: AB11E731100654EBEBB99B24DC08B9677E6FF14309F180C1DE58B150E4CBB27896CF01

Uniqueness

Uniqueness Score: -1.00%

Function 0042BD48 Relevance: 5.0, APIs: 4, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(0044AF54,?,00000000,?,00000000,0042B7B5,00000010,?,?,00000000,?,?,0042B396,0042B349,00429E06,0040C70D), ref: 0042BD76
InitializeCriticalSection.KERNEL32(00000000,?,00000000,?,00000000,0042B7B5,00000010,?,?,00000000,?,?,0042B396,0042B349,00429E06,0040C70D), ref: 0042BD88
LeaveCriticalSection.KERNEL32(0044AF54,?,00000000,?,00000000,0042B7B5,00000010,?,?,00000000,?,?,0042B396,0042B349,00429E06,0040C70D), ref: 0042BD91
EnterCriticalSection.KERNEL32(00000000,00000000,?,00000000,0042B7B5,00000010,?,?,00000000,?,?,0042B396,0042B349,00429E06,0040C70D), ref: 0042BDA3

Part of subcall function 0042BCDF: InitializeCriticalSection.KERNEL32(0044AF54,0042BD56,0042B7B5,00000010,?,?,00000000,?,?,0042B396,0042B349,00429E06,0040C70D), ref: 0042BCF7

Memory Dump Source

Source File: 00000000.00000002.2021489881.0000000000401000.00000080.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2021478663.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021509523.000000000042C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021520408.000000000042D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021531365.000000000042F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021547346.0000000000442000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021558438.000000000044A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2021581427.000000000047A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_app.jbxd

Similarity

API ID: CriticalSection$EnterInitialize$Leave
String ID:
API String ID: 713024617-0
Opcode ID: 2f1b24a4f239d3e7a57dd448b17dc9936c7578022bdd4031e6a5dfacb9bda7aa
Instruction ID: f612f0568f59398d43542fae4ddb9eea5b0bce547e4844d3ce0b5f2d18dd5514
Opcode Fuzzy Hash: 2f1b24a4f239d3e7a57dd448b17dc9936c7578022bdd4031e6a5dfacb9bda7aa
Instruction Fuzzy Hash: 10F06D7A11022AEFE7109F94FC84BA2B3ACFB11316FC0043BE50482011D738A869CAEC

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.
Tactics:	Defense Evasion, Persistence
Data Sources:	Drive: Drive Modification
Platforms:	Linux, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report app.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: app.exePID: 5348, Parent PID: 1028

General

Chronological Activities

Analysis Process: conhost.exePID: 6568, Parent PID: 5348

Windows Analysis Report
app.exe

Function 0242E5F7 Relevance: 23.1, APIs: 9, Strings: 4, Instructions: 345
memorylibraryloaderCOMMON

Function 0042C59F Relevance: 19.6, APIs: 4, Strings: 7, Instructions: 331
memorylibraryloaderCOMMON

Function 024302D0 Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 272
filenativesynchronizationCOMMON

Function 023DEAC0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 177
memorythreadCOMMON

Function 024404D0 Relevance: 10.6, APIs: 7, Instructions: 142
memoryCOMMON

Function 00415DDE Relevance: 10.6, APIs: 7, Instructions: 132
COMMON

Function 024491D2 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 235
memoryCOMMON

Function 0042C5FF Relevance: 19.6, APIs: 4, Strings: 7, Instructions: 311
memoryCOMMON

Function 0042B64B Relevance: 15.1, APIs: 10, Instructions: 101
memoryCOMMONLIBRARYCODE

Function 0243CCC0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 98
memorythreadCOMMON

Function 00426EB8 Relevance: 12.0, APIs: 8, Instructions: 38
COMMON

Function 0042C6B6 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 239
memorylibraryloaderCOMMONLIBRARYCODE

Function 0242E597 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 203
COMMON

Function 023F1C36 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 146
COMMON

Function 0041AECC Relevance: 7.7, APIs: 5, Instructions: 172
COMMON