Edit tour

Windows Analysis Report
signed.exe

Overview

General Information

Sample name:	signed.exe
Analysis ID:	1445853
MD5:	adac67fa4e7fbd2c7de600768c40ad69
SHA1:	c79c40e5272ac11180cf90715156e0538336fdbf
SHA256:	3904b06e1150e4e9e167eb1b63a877ed00c08320c637396f12b98e9f14d71010
Infos:

Detection

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Contains functionality for read data from the clipboard

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to dynamically determine API calls

Contains functionality to modify clipboard data

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Stores files to the Windows start menu directory

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

signed.exe (PID: 5872 cmdline: "C:\Users\user\Desktop\signed.exe" MD5: ADAC67FA4E7FBD2C7DE600768C40AD69)

cleanup

Code function: 0_2_0041DB44 __EH_prolog,GlobalAlloc,GlobalLock,lstrlenA,lstrlenA,lstrlenA,lstrlenA,lstrlenA,GlobalUnlock,GlobalReAlloc,GlobalAlloc,GlobalLock,lstrlenA,lstrlenA,GlobalUnlock,GlobalLock,GlobalUnlock,GlobalReAlloc,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_0041DB44

Source: C:\Users\user\Desktop\signed.exe

0_2_0041DB44

Source: C:\Users\user\Desktop\signed.exe

File created: C:\Windows\etrnview.exe

Jump to behavior

Source: C:\Users\user\Desktop\signed.exe	Code function: 0_2_00420400	0_2_00420400
Source: C:\Users\user\Desktop\signed.exe	Code function: 0_2_0042E502	0_2_0042E502
Source: C:\Users\user\Desktop\signed.exe	Code function: 0_2_00423591	0_2_00423591
Source: C:\Users\user\Desktop\signed.exe	Code function: 0_2_00433975	0_2_00433975
Source: C:\Users\user\Desktop\signed.exe	Code function: 0_2_0041C9DD	0_2_0041C9DD
Source: C:\Users\user\Desktop\signed.exe	Code function: 0_2_0041DB44	0_2_0041DB44
Source: C:\Users\user\Desktop\signed.exe	Code function: 0_2_0040EC34	0_2_0040EC34

Source: C:\Users\user\Desktop\signed.exe	Code function: String function: 00429E18 appears 80 times
Source: C:\Users\user\Desktop\signed.exe	Code function: String function: 00429182 appears 35 times
Source: C:\Users\user\Desktop\signed.exe	Code function: String function: 00435B40 appears 31 times
Source: C:\Users\user\Desktop\signed.exe	Code function: String function: 0040AC84 appears 84 times
Source: C:\Users\user\Desktop\signed.exe	Code function: String function: 0040ABFB appears 85 times

Source: signed.exe, 00000000.00000000.2044838263.0000000000449000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameENVELOPE.EXE: vs signed.exe
Source: signed.exe	Binary or memory string: OriginalFilenameENVELOPE.EXE: vs signed.exe

Source: signed.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal72.winEXE@1/3@1/0

Source: C:\Users\user\Desktop\signed.exe

Code function: 0_2_004278A6 GetPrivateProfileStringA,GetLastError,FormatMessageA,LocalFree,

0_2_004278A6

Source: C:\Users\user\Desktop\signed.exe

Code function: 0_2_00405D5A MessageBoxA,LoadStringA,CoInitialize,SHGetMalloc,SHGetSpecialFolderLocation,SHGetSpecialFolderLocation,SHGetSpecialFolderLocation,SHGetPathFromIDListA,SHGetPathFromIDListA,SHGetSpecialFolderLocation,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoCreateInstance,lstrlenA,lstrcatA,lstrcatA,lstrcatA,SHChangeNotify,SHChangeNotify,LoadStringA,LoadStringA,LoadStringA,lstrlenA,lstrlenA,lstrlenA,SHChangeNotify,MessageBoxA,CoUninitialize,

0_2_00405D5A

Source: C:\Users\user\Desktop\signed.exe

Code function: 0_2_00409099 FindResourceA,LoadResource,LockResource,FreeResource,

0_2_00409099

Source: C:\Users\user\Desktop\signed.exe

File created: C:\Users\Public\Desktop\RealLegal E-Transcript Viewer.lnk

Jump to behavior

Source: signed.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\signed.exe

File read: C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\signed.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: signed.exe

ReversingLabs: Detection: 86%

Source: signed.exe	String found in binary or memory: This E-Transcript file is in a temporary folder. Do you want to save it to a different folder? If you choose Yes, you will be prompted for a save location, and the transcript will be automatically re-launched from there.
Source: signed.exe	String found in binary or memory: This E-Transcript file is in a temporary folder. Do you want to save it to a different folder?If you choose Yes, you will be prompted for a save location, and the transcript will be automatically re-launched from there.
Source: signed.exe	String found in binary or memory: If you choose Yes, you will be prompted for a save location, and the transcript will be automatically re-launched from there.
Source: signed.exe	String found in binary or memory: If you choose Yes, you will be prompted for a save location, and the transcript will be automatically re-launched from there.Could not open this E-Transcript file for reading.Could not create the destination E-Transcript file for writing.Could not launch the new copy of the E-Transcript file, will run from the temporary folder instead.c:\pnxtrvu.ini.fts.gidFileOpenLocationTempSaveLocationDisplayBottomDisplayRightDisplayTopDisplayLeftSaveToKeychainDisplayValidShowWordIndexRICHED32.DLLMainWndClassWISplit - \ .ptxTMPTEMPAM PM 0: at /Could not find the transcript file.BININC\viewhelp.hlp~ehRealLegal E-Transcript Viewer.lnkNo main application icon (or file) was defined.Setuppnxbndr.exeptxfile\shell\open\command\StringFileInfo\%04x%04x\FileVersion\VarFileInfo\TranslationA file association could not be created. Contact your system administrator for assistance." %1"ContentType\shell\open\command\ContentTypeptxfileE-Transcript Fileapplication/x-etranscript\etrnview.exeDraftFinalSealedUnsealedSignedUnsigned%s %ld%s %ld - %ld2KWd}

Source: C:\Users\user\Desktop\signed.exe

File read: C:\Users\user\Desktop\signed.exe

Jump to behavior

Source: C:\Users\user\Desktop\signed.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\signed.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\signed.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\signed.exe	Section loaded: riched32.dll	Jump to behavior
Source: C:\Users\user\Desktop\signed.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\signed.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\signed.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\signed.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\signed.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\signed.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\signed.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\signed.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\signed.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\signed.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\signed.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\signed.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\signed.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\signed.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\signed.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\signed.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\signed.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\Desktop\signed.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\signed.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\signed.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\signed.exe	Section loaded: cscapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\signed.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: RealLegal E-Transcript Viewer.lnk.0.dr	LNK file: ..\..\..\..\..\..\Windows\etrnview.exe
Source: RealLegal E-Transcript Viewer.lnk0.0.dr	LNK file: ..\..\..\Windows\etrnview.exe

Source: C:\Users\user\Desktop\signed.exe

File opened: C:\Windows\SysWOW64\RICHED32.DLL

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: signed.exe	Static PE information: section name: RT_CURSOR
Source: signed.exe	Static PE information: section name: RT_BITMAP
Source: signed.exe	Static PE information: section name: RT_ICON
Source: signed.exe	Static PE information: section name: RT_MENU
Source: signed.exe	Static PE information: section name: RT_DIALOG
Source: signed.exe	Static PE information: section name: RT_STRING
Source: signed.exe	Static PE information: section name: RT_ACCELERATOR
Source: signed.exe	Static PE information: section name: RT_GROUP_ICON

Source: C:\Users\user\Desktop\signed.exe

Code function: 0_2_00433794 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00433794

Source: C:\Users\user\Desktop\signed.exe	Code function: 0_2_0042BE00 push eax; ret		0_2_0042BE2E
Source: C:\Users\user\Desktop\signed.exe	Code function: 0_2_00429E18 push eax; ret		0_2_00429E36

Source: C:\Users\user\Desktop\signed.exe

File created: C:\Windows\etrnview.exe

Jump to dropped file

Source: C:\Users\user\Desktop\signed.exe

File created: C:\Windows\etrnview.exe

Jump to dropped file

Source: C:\Users\user\Desktop\signed.exe

Code function: 0_2_004017EE __EH_prolog,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,lstrlenA,MessageBoxA,GetPrivateProfileStringA,GetPrivateProfileStringA,GetPrivateProfileStringA,MessageBoxA,EnableWindow,UpdateWindow,lstrcpyA,lstrcatA,lstrcatA,lstrcmpiA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,MessageBoxA,EnableWindow,

0_2_004017EE

Source: C:\Users\user\Desktop\signed.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RealLegal E-Transcript Viewer			Jump to behavior
Source: C:\Users\user\Desktop\signed.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RealLegal E-Transcript Viewer\RealLegal E-Transcript Viewer.lnk			Jump to behavior

Source: C:\Users\user\Desktop\signed.exe

Code function: 0_2_00405155 IsWindowVisible,WinHelpA,GetWindowPlacement,CopyRect,IsZoomed,GetClientRect,PostQuitMessage,IsWindowVisible,IsIconic,GetClientRect,DefWindowProcA,SetWindowLongA,

0_2_00405155

Source: C:\Users\user\Desktop\signed.exe

Dropped PE file which has not been started: C:\Windows\etrnview.exe

Jump to dropped file

Source: C:\Users\user\Desktop\signed.exe

Code function: 0_2_0042A31A FindFirstFileA,GetLastError,

0_2_0042A31A

Source: signed.exe, 00000000.00000002.3284717083.0000000000619000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\signed.exe

API call chain: ExitProcess graph end node

graph_0-21390

Source: C:\Users\user\Desktop\signed.exe

Code function: 0_2_00433794 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00433794

Source: C:\Users\user\Desktop\signed.exe	Code function: 0_2_00431CEA SetUnhandledExceptionFilter,		0_2_00431CEA
Source: C:\Users\user\Desktop\signed.exe	Code function: 0_2_00431CFC SetUnhandledExceptionFilter,		0_2_00431CFC

Source: C:\Users\user\Desktop\signed.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\signed.exe

Code function: 0_2_0042BB27 GetLocalTime,GetSystemTime,GetTimeZoneInformation,

0_2_0042BB27

Source: C:\Users\user\Desktop\signed.exe

Code function: 0_2_00430499 GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,

0_2_00430499

Source: C:\Users\user\Desktop\signed.exe

Code function: 0_2_0042A6BB EntryPoint,GetVersion,GetCommandLineA,GetStartupInfoA,GetModuleHandleA,

0_2_0042A6BB

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 Registry Run Keys / Startup Folder	1 Registry Run Keys / Startup Folder	21 Masquerading	OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	11 Security Software Discovery	Remote Desktop Protocol	2 Clipboard Data	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	2 Obfuscated Files or Information	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	2 File and Directory Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	13 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
signed.exe	87%	ReversingLabs	Win32.Trojan.Ymacco
signed.exe	100%	Avira	TR/Agent.396616

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Windows\etrnview.exe	100%	Avira	TR/Agent.396616
C:\Windows\etrnview.exe	62%	ReversingLabs	Win32.Trojan.Scar

Source	Detection	Scanner	Label
http://www.reallegal.com/binderpull.asp	0%	Avira URL Cloud	safe
http://www.deposchedule.com/	0%	Avira URL Cloud	safe
http://www.reallegal.com	0%	Avira URL Cloud	safe
http://www.reallegal.com/binderpull.asp.http://www.deposchedule.com/By	0%	Avira URL Cloud	safe
http://www.reallegal.com/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
206.23.85.13.in-addr.arpa	unknown	unknown	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.reallegal.com/	signed.exe, etrnview.exe.0.dr	false	Avira URL Cloud: safe	unknown
http://www.reallegal.com/binderpull.asp	signed.exe, etrnview.exe.0.dr	false	Avira URL Cloud: safe	unknown
http://www.reallegal.com/binderpull.asp.http://www.deposchedule.com/By	signed.exe, etrnview.exe.0.dr	false	Avira URL Cloud: safe	unknown
http://www.deposchedule.com/	signed.exe, etrnview.exe.0.dr	false	Avira URL Cloud: safe	unknown
http://www.reallegal.com	signed.exe	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1445853
Start date and time:	2024-05-22 17:14:34 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 6s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	signed.exe
Detection:	MAL
Classification:	mal72.winEXE@1/3@1/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 75 Number of non-executed functions: 219
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: signed.exe

Process:	C:\Users\user\Desktop\signed.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Archive, ctime=Wed May 22 14:15:38 2024, mtime=Wed May 22 14:15:38 2024, atime=Wed May 22 14:15:38 2024, length=380928, window=hide
Category:	dropped
Size (bytes):	897
Entropy (8bit):	4.629970644384975
Encrypted:	false
SSDEEP:	24:8tzhEpwA/APglh8Z+IYA82+J2bTGPqygm:8hhzPgAxdMETRyg
MD5:	156293BF19D4183D208CC6AFECC124CE
SHA1:	4BD8CACA39E1EB5CD569611513F81406FDF702AE
SHA-256:	2E883DB7578228D8256EC350F8BC9ECD75D620759DEC3929242873E342267AC4
SHA-512:	013955A1A05C2B5129800971B09A2F9293A485371C33CC4323FDB16353F4B33F2B2012966B31907A65275815A15AA5D238E00A2BCDB2303086EADCABBB5318F6
Malicious:	false
Reputation:	low
Preview:	L..................F.... ...%.d.Z...%.d.Z...%.d.Z................................P.O. .:i.....+00.../C:\...................V.1.....EW.5..Windows.@......OwH.X.y....3......................7..W.i.n.d.o.w.s.....f.2......X.y .etrnview.exe..J......X.y.X.y.............................e.t.r.n.v.i.e.w...e.x.e.......F...............-.......E..............d.....C:\Windows\etrnview.exe....R.e.a.l.L.e.g.a.l. .E.-.T.r.a.n.s.c.r.i.p.t. .V.i.e.w.e.r.&.....\.....\.....\.....\.....\.....\.W.i.n.d.o.w.s.\.e.t.r.n.v.i.e.w...e.x.e...C.:.\.W.i.n.d.o.w.s.........$..................C..B..g..(.#....`.......X.......301389...........hT..CrF.f4... .y...Jc...-...-$..hT..CrF.f4... .y...Jc...-...-$.............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.9.3.4.0.5.1.1.7.-.2.4.7.6.7.5.6.6.3.4.-.1.0.0.3.........9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

C:\Users\Public\Desktop\RealLegal E-Transcript Viewer.lnk

Download File

Process:	C:\Users\user\Desktop\signed.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Archive, ctime=Wed May 22 14:15:38 2024, mtime=Wed May 22 14:15:38 2024, atime=Wed May 22 14:15:38 2024, length=380928, window=hide
Category:	dropped
Size (bytes):	879
Entropy (8bit):	4.649885728909304
Encrypted:	false
SSDEEP:	24:8tzhEpwA/APglh8Mv+IYA82+J2bTGPqygm:8hhzPgAM3dMETRyg
MD5:	E76367F2F85A37FA1DBDA6970844E916
SHA1:	C71E648A86B6E3EFE0D9B25CFC18C9ECED551376
SHA-256:	6D05301D63937AD01E1798FCE3B79EA46736151667BE7C8AC098966889465853
SHA-512:	67570F6F2D306065C5181E084BEF3693FC1E5C3202F272C73DD4DC3E9D04F6EFB000F6319A643AAC06E40225467A7D636211D3831D14DA3E1CB1F6A12B840F61
Malicious:	false
Reputation:	low
Preview:	L..................F.... ...%.d.Z...%.d.Z...%.d.Z................................P.O. .:i.....+00.../C:\...................V.1.....EW.5..Windows.@......OwH.X.y....3......................7..W.i.n.d.o.w.s.....f.2......X.y .etrnview.exe..J......X.y.X.y.............................e.t.r.n.v.i.e.w...e.x.e.......F...............-.......E..............d.....C:\Windows\etrnview.exe....R.e.a.l.L.e.g.a.l. .E.-.T.r.a.n.s.c.r.i.p.t. .V.i.e.w.e.r.......\.....\.....\.W.i.n.d.o.w.s.\.e.t.r.n.v.i.e.w...e.x.e...C.:.\.W.i.n.d.o.w.s.........$..................C..B..g..(.#....`.......X.......301389...........hT..CrF.f4... .y...Jc...-...-$..hT..CrF.f4... .y...Jc...-...-$.............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.9.3.4.0.5.1.1.7.-.2.4.7.6.7.5.6.6.3.4.-.1.0.0.3.........9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

C:\Windows\etrnview.exe

Download File

Process:	C:\Users\user\Desktop\signed.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	380928
Entropy (8bit):	6.1734613399593
Encrypted:	false
SSDEEP:	6144:AKHQypT6oiKpsoQEX6npbWdhlG8dj61M65PZDeC2TqI6/qygKjJVLesH7uCicrPW:PHQypT6oiKpsoQEX6npbWdhlG8dj6h56
MD5:	F70D964D36EA0D4BFE8F1106BCD6D9BE
SHA1:	6B98EF8904948AF07757688EEAE3036A10C03A98
SHA-256:	6953A607F4219659C440D016C4C4CD2AEF5A9945085A4ABF7537A868D1219C62
SHA-512:	EF8A2725D3113BA68774A026E65A49A21B1E2CAB3437ADF6B649B2B013C8DE578976BAE3C5982BA532ECBEA457631E1D57D6FAC7D9CFB0F8A6293732C6DE4CE1
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 62%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......O.....w...w...w.p.{...w.V.\|...w.V.}.s.w...y...w.T.}...w...\|...w.].d...w...w...w.i.d...w...v.H.w.T.\|.4.w...q...w.Rich..w.........................PE..L....v.=.................`...................p....@.........................................................................,...........(t...........................................................................p.. ...P...@....................text....T.......`.................. ..`.rdata..6H...p...P...p..............@..@.data...D...........................@....rsrc...(t...........P..............@..@................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.2783295761255555
TrID:	Win32 Executable (generic) a (10002005/4) 99.84% RealLegal E-Transcript (12004/3) 0.12% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	signed.exe
File size:	396'616 bytes
MD5:	adac67fa4e7fbd2c7de600768c40ad69
SHA1:	c79c40e5272ac11180cf90715156e0538336fdbf
SHA256:	3904b06e1150e4e9e167eb1b63a877ed00c08320c637396f12b98e9f14d71010
SHA512:	ea4cda9dc74b67e1a73915184be4e3161000b64de3d77af37735875b0764677a6e5938c1b8138a016c99cad582873380bc9ab05f4a2f4548db59c4b1cad19b33
SSDEEP:	12288:PHQypT6oiKpsoQEX6npbWdhlG8dj6h5PZDeCcq/qybjJVLesH7uCicrPYyr2ac85:PHQypT6oiKpsoQEX6npbWdhlG8dj6rci
TLSH:	A184AF127BE08823E4F386311E656B75FB79FA162E78C68B53C46A5EFC31542CE25305
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......O.....w...w...w.p.{...w.V.\|...w.V.}.s.w...y...w.T.}...w...\|...w.].d...w...w...w.i.d...w...v.H.w.T.\|.4.w...q...w.Rich..w........

File Icon


Icon Hash:	2d4e5e70faca82b8

Static PE Info

General

Entrypoint:	0x42a6bb
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x3DFB76EC [Sat Dec 14 18:22:36 2002 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	b6aeefc612e58a3beaa47c456a910042

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 00438238h
push 0042FF90h
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 58h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
call dword ptr [00437214h]
xor edx, edx
mov dl, ah
mov dword ptr [00446F00h], edx
mov ecx, eax
and ecx, 000000FFh
mov dword ptr [00446EFCh], ecx
shl ecx, 08h
add ecx, edx
mov dword ptr [00446EF8h], ecx
shr eax, 10h
mov dword ptr [00446EF4h], eax
xor esi, esi
push esi
call 00007F275081125Fh
pop ecx
test eax, eax
jne 00007F275080DD2Ah
push 0000001Ch
call 00007F275080DDD5h
pop ecx
mov dword ptr [ebp-04h], esi
call 00007F27508133D2h
call dword ptr [00437218h]
mov dword ptr [00448740h], eax
call 00007F2750813290h
mov dword ptr [00446EA4h], eax
call 00007F2750813039h
call 00007F2750812F7Bh
call 00007F2750810F4Eh
mov dword ptr [ebp-30h], esi
lea eax, dword ptr [ebp-5Ch]
push eax
call dword ptr [0043721Ch]
call 00007F2750812F0Ch
mov dword ptr [ebp-64h], eax
test byte ptr [ebp-30h], 00000001h
je 00007F275080DD28h
movzx eax, word ptr [ebp-2Ch]
jmp 00007F275080DD25h
push 0000000Ah
pop eax
push eax
push dword ptr [ebp-64h]
push esi
push esi
call dword ptr [00437220h]

Rich Headers

Programming Language:

[C++] VS98 (6.0) build 8168
[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x39d2c	0xf0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x49000	0x17428	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x37000	0x520	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x39b50	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x354f5	0x36000	6a5a5fae276ae0a2c23cd1235b3ec3fb	False	0.5645164207175926	data	6.5194046239212335	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x37000	0x4836	0x5000	38460c6c358985e4dd49abf01f00a90d	False	0.355126953125	data	5.086068831149444	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3c000	0xc744	0x9000	9ddf77fe13cf57aeb2ab4654f7f8670a	False	0.4037543402777778	data	4.893839902601005	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x49000	0x17428	0x18000	e3eae7483518ebcb4c553808f1b31ad4	False	0.43975830078125	data	5.123736066627297	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
BININC	0x49c70	0x9cf	ASCII text, with CRLF line terminators	English	United States	0.3819195539625647
BININC	0x4a640	0x9d71	MS Windows 3.1 help, Thu Dec 5 18:59:46 2002, 40305 bytes	English	United States	0.6649299094405161
RT_CURSOR	0x5ed88	0x134	data	English	United States	0.37337662337662336
RT_CURSOR	0x5eed8	0x134	data	English	United States	0.2922077922077922
RT_BITMAP	0x5b020	0x568	Device independent bitmap graphic, 160 x 16 x 4, image size 1280	English	United States	0.4147398843930636
RT_BITMAP	0x5ae90	0xc8	Device independent bitmap graphic, 12 x 12 x 4, image size 96	English	United States	0.495
RT_BITMAP	0x5af58	0xc8	Device independent bitmap graphic, 12 x 12 x 4, image size 96	English	United States	0.385
RT_BITMAP	0x5b7e0	0x288	Device independent bitmap graphic, 32 x 34 x 4, image size 544	English	United States	0.25462962962962965
RT_BITMAP	0x56580	0x4848	Device independent bitmap graphic, 400 x 299 x 8, 1 compression, image size 17440	English	United States	0.25810635538262
RT_BITMAP	0x5adc8	0xc8	Device independent bitmap graphic, 12 x 12 x 4, image size 96	English	United States	0.385
RT_BITMAP	0x564b8	0xc8	Device independent bitmap graphic, 12 x 12 x 4, image size 96	English	United States	0.45
RT_BITMAP	0x5b588	0xc8	Device independent bitmap graphic, 12 x 12 x 4, image size 96	English	United States	0.34
RT_BITMAP	0x5b650	0xc8	Device independent bitmap graphic, 12 x 12 x 4, image size 96	English	United States	0.415
RT_BITMAP	0x5b718	0xc8	Device independent bitmap graphic, 12 x 12 x 4, image size 96	English	United States	0.465
RT_BITMAP	0x5e9d8	0x3b0	Device independent bitmap graphic, 112 x 15 x 4, image size 840	English	United States	0.2521186440677966
RT_ICON	0x561b8	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	English	United States	0.21236559139784947
RT_MENU	0x543b8	0x5ec	data	English	United States	0.3449868073878628
RT_DIALOG	0x54a28	0xd6	data	English	United States	0.6728971962616822
RT_DIALOG	0x55a08	0x28a	data	English	United States	0.48307692307692307
RT_DIALOG	0x54b00	0x3f6	data	English	United States	0.4408284023668639
RT_DIALOG	0x55108	0x406	data	English	United States	0.4553398058252427
RT_DIALOG	0x54ef8	0x20a	data	English	United States	0.5440613026819924
RT_DIALOG	0x55548	0x4bc	data	English	United States	0.4249174917491749
RT_DIALOG	0x55510	0x36	data	English	United States	0.7962962962962963
RT_DIALOG	0x55c98	0x36c	data	English	United States	0.4554794520547945
RT_DIALOG	0x56008	0x1b0	data	English	United States	0.5879629629629629
RT_DIALOG	0x5bce0	0x1b6	data	English	United States	0.5662100456621004
RT_DIALOG	0x5e3f0	0x5e6	data	English	United States	0.4112582781456954
RT_DIALOG	0x5be98	0x538	data	English	United States	0.46107784431137727
RT_DIALOG	0x5e0b0	0x33e	data	English	United States	0.46265060240963857
RT_DIALOG	0x5c6b8	0x6e	data	English	United States	0.8
RT_DIALOG	0x5c3d0	0x2e2	data	English	United States	0.5094850948509485
RT_DIALOG	0x5d4a0	0xd6	data	English	United States	0.6822429906542056
RT_DIALOG	0x5d578	0x4fc	data	English	United States	0.45141065830721006
RT_DIALOG	0x5da78	0x2dc	data	English	United States	0.48633879781420764
RT_DIALOG	0x5ba68	0x272	data	English	United States	0.5223642172523961
RT_DIALOG	0x5c728	0x556	data	English	United States	0.44875549048316254
RT_DIALOG	0x5dd58	0x352	data	English	United States	0.4682352941176471
RT_DIALOG	0x5cc80	0x40a	data	English	United States	0.49806576402321084
RT_DIALOG	0x5d090	0x40a	data	English	United States	0.4874274661508704
RT_STRING	0x5fbf0	0x37a	data	English	United States	0.3382022471910112
RT_STRING	0x5ff70	0xa0	data	English	United States	0.64375
RT_STRING	0x5f878	0x1ee	Matlab v4 mat-file (little endian) h, numeric, rows 0, columns 0	English	United States	0.4493927125506073
RT_STRING	0x5f840	0x32	data	English	United States	0.56
RT_STRING	0x5f800	0x3c	data	English	United States	0.7
RT_STRING	0x5f3c8	0x436	Matlab v4 mat-file (little endian) F, numeric, rows 0, columns 0	English	United States	0.2884972170686456
RT_STRING	0x5f318	0xac	data	English	United States	0.5465116279069767
RT_STRING	0x5faa8	0xd2	data	English	United States	0.6142857142857143
RT_STRING	0x5fa68	0x3a	data	English	United States	0.6379310344827587
RT_STRING	0x5fb80	0x6c	data	English	United States	0.7037037037037037
RT_STRING	0x60010	0x48	data	English	United States	0.6944444444444444
RT_STRING	0x603b0	0x78	data	English	United States	0.6833333333333333
RT_STRING	0x60058	0xa6	data	English	United States	0.572289156626506
RT_STRING	0x60100	0xb6	data	English	United States	0.6538461538461539
RT_STRING	0x601b8	0x1f8	data	English	United States	0.4503968253968254
RT_ACCELERATOR	0x549a8	0x80	data	English	United States	0.7265625
RT_GROUP_CURSOR	0x5f010	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x5eec0	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.25
RT_GROUP_ICON	0x564a0	0x14	data	English	United States	1.2
RT_VERSION	0x5f028	0x2ec	data	English	United States	0.4679144385026738

Imports

DLL	Import
KERNEL32.dll	FreeLibrary, lstrlenA, GetTempPathA, GetTempFileNameA, lstrcpyA, GetPrivateProfileStringA, GetModuleFileNameA, LoadLibraryA, WaitForSingleObject, SetEvent, ResetEvent, CreateEventA, FormatMessageA, LocalFree, GetLastError, GetProfileStringA, GetVersionExA, lstrcpynA, GetTickCount, CopyFileA, GlobalReAlloc, WritePrivateProfileStringA, GetPrivateProfileIntA, CreateFileA, ReadFile, CloseHandle, _llseek, GlobalAlloc, GlobalLock, _hread, GlobalHandle, GlobalUnlock, GlobalFree, MultiByteToWideChar, FindResourceA, SizeofResource, LoadResource, LockResource, _hwrite, FreeResource, SystemTimeToFileTime, FileTimeToLocalFileTime, FileTimeToSystemTime, GetTimeZoneInformation, GetWindowsDirectoryA, _lopen, _lcreat, _lread, _lwrite, _lclose, lstrcatA, lstrcmpiA, GetEnvironmentStringsW, FreeEnvironmentStringsW, FreeEnvironmentStringsA, UnhandledExceptionFilter, LCMapStringW, LCMapStringA, IsBadWritePtr, VirtualAlloc, VirtualFree, HeapCreate, HeapDestroy, GetEnvironmentVariableA, HeapSize, GetCurrentProcess, TerminateProcess, WriteFile, GetLocalTime, GetSystemTime, HeapValidate, HeapReAlloc, ExitProcess, GetVersion, GetCommandLineA, GetStartupInfoA, GetModuleHandleA, CreateDirectoryA, RemoveDirectoryA, FindClose, FindFirstFileA, HeapAlloc, HeapFree, RtlUnwind, DeleteFileA, GetFileAttributesA, SetFileAttributesA, WideCharToMultiByte, RaiseException, InterlockedExchange, LocalAlloc, GetEnvironmentStrings, GetProcAddress, SetHandleCount, GetStdHandle, GetFileType, WinExec, CompareStringA, SetFilePointer, SetUnhandledExceptionFilter, SetStdHandle, FlushFileBuffers, IsBadReadPtr, IsBadCodePtr, GetCPInfo, SetEndOfFile, CompareStringW, GetACP, GetOEMCP, SetEnvironmentVariableA, GetStringTypeA, GetStringTypeW
USER32.dll	LoadAcceleratorsA, SetWindowsHookA, OffsetRect, GetSystemMetrics, GetMessageA, RegisterClassA, TranslateAcceleratorA, TranslateMessage, DispatchMessageA, UnhookWindowsHook, LoadStringA, ShowWindow, GetWindowRect, MoveWindow, SendDlgItemMessageA, SetWindowTextA, GetWindow, GetDlgItemTextA, CharLowerA, SetDlgItemTextA, GetDlgItemInt, PostQuitMessage, IsZoomed, GetWindowPlacement, PtInRect, CheckDlgButton, SetDlgItemInt, InvalidateRect, LoadIconA, GetDlgItem, EndDialog, CopyRect, SetWindowPos, CreateWindowExA, SetWindowLongA, GetParent, GetWindowLongA, SetRect, DrawTextA, BeginPaint, GetPropA, RemovePropA, SetPropA, GetClassNameA, GetKeyState, IsDialogMessageA, GetFocus, IsWindowEnabled, EmptyClipboard, SetClipboardData, EndPaint, GetMenu, GetSubMenu, EnableWindow, UpdateWindow, DialogBoxParamA, MessageBoxA, SendMessageA, SetRectEmpty, DefWindowProcA, IsIconic, IsDlgButtonChecked, CheckRadioButton, LoadBitmapA, CloseClipboard, SetTimer, KillTimer, GetScrollRange, CharUpperBuffA, GetScrollInfo, LoadCursorA, SetCursor, GetCapture, GetClientRect, IsWindowVisible, WinHelpA, InvertRect, EnableScrollBar, SetActiveWindow, ReleaseCapture, SetCapture, ClientToScreen, GetDesktopWindow, PeekMessageA, CreateDialogParamA, GetScrollPos, ScrollWindow, SetScrollPos, GetDC, ReleaseDC, InflateRect, DrawTextExA, GetCursor, DestroyWindow, IsRectEmpty, SetScrollRange, DestroyCursor, GetWindowTextA, IsCharAlphaA, CharUpperA, IsCharAlphaNumericA, IsCharLowerA, IsCharUpperA, CallWindowProcA, GetCursorPos, ScreenToClient, GetSysColor, GetWindowTextLengthA, FillRect, wsprintfA, GetActiveWindow, PostMessageA, CallNextHookEx, CheckMenuItem, GetMenuItemCount, GetMenuItemInfoA, EnableMenuItem, MessageBeep, SetFocus, IsWindow, OpenClipboard, DrawMenuBar, SetMenu, wsprintfW
GDI32.dll	SetBkMode, BitBlt, SelectObject, CreateCompatibleDC, GetStockObject, DeleteObject, GetObjectA, TextOutA, SetBkColor, SetTextColor, SetTextAlign, CreatePalette, CreateFontIndirectA, SetWindowOrgEx, CreateSolidBrush, SetRectRgn, ExtTextOutA, SelectClipRgn, CreateRectRgn, GetTextExtentPointA, GetTextMetricsA, PatBlt, CreatePatternBrush, CreateBitmap, SetViewportOrgEx, GetWindowOrgEx, LPtoDP, SetViewportExtEx, GetWindowExtEx, SetMapMode, GetDeviceCaps, EnumFontFamiliesA, CreatePen, RealizePalette, SelectPalette, LineTo, MoveToEx, CreateFontA, GetCharWidthA, CreateICA, EndPage, StartPage, StartDocA, EndDoc, AbortDoc, DeleteDC, CreateDCA, GetTextAlign
WINSPOOL.DRV	OpenPrinterA, DeviceCapabilitiesA, GetPrinterA, ClosePrinter, DocumentPropertiesA
comdlg32.dll	GetOpenFileNameA, GetSaveFileNameA, CommDlgExtendedError, PrintDlgA
ADVAPI32.dll	RegCloseKey, RegQueryValueExA, RegOpenKeyExA, RegQueryValueA, RegSetValueExA, RegCreateKeyExA, RegDeleteKeyA
SHELL32.dll	SHGetMalloc, SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHChangeNotify, ShellExecuteA
ole32.dll	CoCreateInstance, CoInitialize, OleSetMenuDescriptor, StgCreateDocfile, CoUninitialize
RPCRT4.dll	UuidToStringA, RpcStringFreeA
COMCTL32.dll	InitCommonControlsEx, CreateToolbarEx
VERSION.dll	VerQueryValueA, GetFileVersionInfoA, GetFileVersionInfoSizeA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 22, 2024 17:15:54.234720945 CEST	53	61696	162.159.36.2	192.168.2.6
May 22, 2024 17:15:54.782475948 CEST	58276	53	192.168.2.6	1.1.1.1
May 22, 2024 17:15:54.820730925 CEST	53	58276	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
May 22, 2024 17:15:54.782475948 CEST	192.168.2.6	1.1.1.1	0x7cfb	Standard query (0)	206.23.85.13.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
May 22, 2024 17:15:54.820730925 CEST	1.1.1.1	192.168.2.6	0x7cfb	Name error (3)	206.23.85.13.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false

Target ID:	0
Start time:	11:15:16
Start date:	22/05/2024
Path:	C:\Users\user\Desktop\signed.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\signed.exe"
Imagebase:	0x400000
File size:	396'616 bytes
MD5 hash:	ADAC67FA4E7FBD2C7DE600768C40AD69
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	10.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	6.8%
Total number of Nodes:	1497
Total number of Limit Nodes:	122

Executed Functions

Function 00405D5A Relevance: 44.0, APIs: 21, Strings: 4, Instructions: 226
stringcomwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitialize.OLE32(00000000), ref: 00405D78
SHGetMalloc.SHELL32(00000001), ref: 00405D8A
SHGetSpecialFolderLocation.SHELL32(00000000,00000017,00000000), ref: 00405DA5
SHGetSpecialFolderLocation.SHELL32(00000000,00000002,00000000), ref: 00405DB2
SHGetPathFromIDListA.SHELL32(00000000,?), ref: 00405DC4
SHGetSpecialFolderLocation.SHELL32(00000000,00000019,00000000), ref: 00405DD9
SHGetSpecialFolderLocation.SHELL32(00000000,00000010,00000000), ref: 00405DE6
SHGetPathFromIDListA.SHELL32(00000000,?), ref: 00405DF2
CoCreateInstance.OLE32(004381A0,00000000,00000001,004381B0,?), ref: 00405E1A
lstrlenA.KERNEL32(?), ref: 00405E48
lstrcatA.KERNEL32(?,0043C984), ref: 00405E6A
lstrcatA.KERNEL32(?,?), ref: 00405E76
SHChangeNotify.SHELL32(00001000,00000001,?,00000000), ref: 00405EA8
LoadStringA.USER32(00001000,00000001,?,00000000), ref: 00405EBF
LoadStringA.USER32(?,00000010,?,00000040), ref: 00405ED5
LoadStringA.USER32(?,00000011,?,00000040), ref: 00405EE5
lstrlenA.KERNEL32(?), ref: 00405EF4
lstrlenA.KERNEL32(?), ref: 00405F05
SHChangeNotify.SHELL32(00000002,00000001,?,00000000), ref: 00405F98
MessageBoxA.USER32(00000000,No main application icon (or file) was defined.,Setup,00000030), ref: 00405FCA
CoUninitialize.OLE32 ref: 00405FD0

Strings

Setup, xrefs: 00405FBF
RealLegal E-Transcript Viewer Install, xrefs: 00405D5A
The RealLegal E-Transcript Viewer was successfully installed., xrefs: 00405D64
No main application icon (or file) was defined., xrefs: 00405FC4

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: FolderLocationSpecial$LoadStringlstrlen$ChangeFromListNotifyPathlstrcat$CreateInitializeInstanceMallocMessageUninitialize
String ID: No main application icon (or file) was defined.$RealLegal E-Transcript Viewer Install$Setup$The RealLegal E-Transcript Viewer was successfully installed.
API String ID: 3836796150-3807052405
Opcode ID: 19bc78f4910e6d3d16f85c807fa2d8c77126bf2b70f5d72acaaabe778beb7bba
Instruction ID: 19968b255a16cf6a8ff6855e1ed1463cca4e2faa328a0df4e7b52c4ea43722da
Opcode Fuzzy Hash: 19bc78f4910e6d3d16f85c807fa2d8c77126bf2b70f5d72acaaabe778beb7bba
Instruction Fuzzy Hash: E681CAB190021EABDF11DF91CC85EEFB77DEB08704F1044A6BA05E6190DB789A859FA4

Function 00405155 Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 204
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IsWindowVisible.USER32(?), ref: 004051CB
WinHelpA.USER32(?,?,00000002,00000000), ref: 004051FF
GetWindowPlacement.USER32(?,?), ref: 00405216
CopyRect.USER32(?,?), ref: 00405227
IsZoomed.USER32(?), ref: 0040523C
GetClientRect.USER32(?,?), ref: 00405250
PostQuitMessage.USER32(00000000), ref: 00405277
IsWindowVisible.USER32(?), ref: 00405299
IsIconic.USER32(?), ref: 004052B8
GetClientRect.USER32(?,?), ref: 004052CD
DefWindowProcA.USER32(?,?,?,?), ref: 0040536D
SetWindowLongA.USER32(?,00000000), ref: 00405386

Strings

,, xrefs: 00405208

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Window$Rect$ClientVisible$CopyHelpIconicLongMessagePlacementPostProcQuitZoomed
String ID: ,
API String ID: 2686395615-3772416878
Opcode ID: f025bf0775d7a5bd94bd0aad572074f3dfc87b59ac4718fae0f309a79208f9e8
Instruction ID: 6bf64b7b95b5316567acb7e5c215c2bec90c90c8f69f41078e825b0e9e6328e0
Opcode Fuzzy Hash: f025bf0775d7a5bd94bd0aad572074f3dfc87b59ac4718fae0f309a79208f9e8
Instruction Fuzzy Hash: 59714C31600A059BDB249F75C849BAB7BA5FF08740F08453EED46E62E1D778A850DF58

Function 00430499 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 196timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNELBASE(00447080,?,0042A3A1,?,?,?,00430492,0042F47B,00000000,00000000,?,?,0042A45D,?,?,?), ref: 004304D1
WideCharToMultiByte.KERNEL32(00000220,Eastern Standard Time,?,0000003F,00000000,0042F47B,?,?,?,00430492,0042F47B,00000000,00000000,?,?,0042A45D), ref: 00430566
WideCharToMultiByte.KERNEL32(00000220,Eastern Summer Time,?,0000003F,00000000,0042F47B,?,?,?,00430492,0042F47B,00000000,00000000,?,?,0042A45D), ref: 004305A0

Strings

Eastern Summer Time, xrefs: 00430594
Eastern Standard Time, xrefs: 0043055A
LCD, xrefs: 00430572, 0043057D, 00430622

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: ByteCharMultiWide$InformationTimeZone
String ID: Eastern Standard Time$Eastern Summer Time$LCD
API String ID: 1904278450-1330890189
Opcode ID: 8598809a5e4cc310df250b891d10739c63dada0275e479ac6226318a1bc521d3
Instruction ID: c3f2083e397b4043048c74a044e82b18ac0b8e637bc12766523476965d4cbb8a
Opcode Fuzzy Hash: 8598809a5e4cc310df250b891d10739c63dada0275e479ac6226318a1bc521d3
Instruction Fuzzy Hash: 756125767042505BD7209F69FC62B563BA4E78BB44F54263FF880872A1C7788862CB5D

Function 00409099 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(?,?,BININC), ref: 004090AC
LoadResource.KERNEL32(?,00000000,?,00000000,00408FF8,?,?,?,00000000,769500C0,?,00404571,?,?,?,00000FAA), ref: 004090BB
LockResource.KERNEL32(00000000,?,00000000,00408FF8,?,?,?,00000000,769500C0,?,00404571,?,?,?,00000FAA,00000000), ref: 004090CC
FreeResource.KERNEL32(00000000,00000000,?,00000000,00408FF8,?,?,?,00000000,769500C0,?,00404571,?,?,?,00000FAA), ref: 004090DB

Strings

BININC, xrefs: 004090A0

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Resource$FindFreeLoadLock
String ID: BININC
API String ID: 1078018258-589224732
Opcode ID: 60e8a604e9bc041296d714d14623a2cb34d1aea6fcce6ff74d7e15d7b0b55e5b
Instruction ID: c4065e69d9dc2593a232fc237e1f855dbdb486a4f9bff0b5dff7dae611ea6463
Opcode Fuzzy Hash: 60e8a604e9bc041296d714d14623a2cb34d1aea6fcce6ff74d7e15d7b0b55e5b
Instruction Fuzzy Hash: 61E065B32092127BDB311B219C09E7F3A98AF85751B051436F981E1291CB38CC41D769

Function 0042A31A Relevance: 3.1, APIs: 2, Instructions: 62fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNELBASE(?,?), ref: 0042A32E
GetLastError.KERNEL32 ref: 0042A33B

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: ErrorFileFindFirstLast
String ID:
API String ID: 873889042-0
Opcode ID: 0cf9ad153b762093c5c83fcc5747b0b405db8a926fc29fe6ae9c541ce82133e6
Instruction ID: 8d12b03f4c7f16013eecf5d2e46e070b495039219a5f9b17fdede5a9170fbbba
Opcode Fuzzy Hash: 0cf9ad153b762093c5c83fcc5747b0b405db8a926fc29fe6ae9c541ce82133e6
Instruction Fuzzy Hash: D711E472A002288BCB20DF69EC44ACE77E8FB05314F5446ABED55C3251D778DA94CB5A

Function 00406252 Relevance: 66.7, APIs: 30, Strings: 8, Instructions: 223
registrystringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcpyA.KERNEL32(?,?,76934D90,The RealLegal E-Transcript Viewer was successfully installed.,76990660), ref: 00406275
lstrcatA.KERNEL32(?,\ContentType), ref: 00406283
RegDeleteKeyA.ADVAPI32(80000000,?), ref: 0040629C
RegDeleteKeyA.ADVAPI32(80000000,?), ref: 004062A2
lstrcpyA.KERNEL32(?,?), ref: 004062AE
lstrcatA.KERNEL32(?,\shell\open\command), ref: 004062BC
RegDeleteKeyA.ADVAPI32(80000000,?), ref: 004062CA
RegDeleteKeyA.ADVAPI32(80000000,?), ref: 004062E8
RegDeleteKeyA.ADVAPI32(80000000,?), ref: 00406304
RegDeleteKeyA.ADVAPI32(80000000,?), ref: 00406320
RegCreateKeyExA.KERNELBASE(80000000,?,00000000,00000000,00000000,00020006,00000000,?,00000000), ref: 0040633D
lstrlenA.KERNEL32(?), ref: 0040634A
RegSetValueExA.KERNELBASE(?,00000000,00000000,00000001,?,00000001), ref: 00406362
lstrlenA.KERNEL32(?), ref: 0040636B
RegSetValueExA.KERNELBASE(?,ContentType,00000000,00000001,?,00000001), ref: 00406381
RegCloseKey.KERNELBASE(?), ref: 0040639A
RegCreateKeyExA.KERNELBASE(80000000,?,00000000,00000000,00000000,00020006,00000000,?,00000000), ref: 004063B3
lstrlenA.KERNEL32(00000001), ref: 004063C0
RegSetValueExA.KERNELBASE(?,00000000,00000000,00000001,00000001,00000001), ref: 004063D2
RegCloseKey.ADVAPI32(?), ref: 004063E9
lstrcpyA.KERNEL32(?,?), ref: 004063F5
lstrcatA.KERNEL32(?,\shell\open\command), ref: 0040640D
RegCreateKeyExA.KERNELBASE(80000000,?,00000000,00000000,00000000,00020006,00000000,?,00000000), ref: 0040642A
lstrcpyA.KERNEL32(?,0043CB2C), ref: 00406447
lstrcatA.KERNEL32(?,004454E4), ref: 00406457
lstrcatA.KERNEL32(?," %1), ref: 00406465
lstrlenA.KERNEL32(?), ref: 00406472
RegSetValueExA.KERNELBASE(?,00000000,00000000,00000001,?,00000001), ref: 0040648A
RegCloseKey.ADVAPI32(?), ref: 0040649D
MessageBoxA.USER32(00000000,A file association could not be created. Contact your system administrator for assistance.,Setup,00000030), ref: 004064B5

Strings

\shell\open\command, xrefs: 004062B6, 00406407
Setup, xrefs: 004064AA
A file association could not be created. Contact your system administrator for assistance., xrefs: 004064AF
RealLegal E-Transcript Viewer Install, xrefs: 00406252
" %1, xrefs: 0040645F
The RealLegal E-Transcript Viewer was successfully installed., xrefs: 00406262
\ContentType, xrefs: 0040627D
ContentType, xrefs: 00406379

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Delete$lstrcat$Valuelstrcpylstrlen$CloseCreate$Message
String ID: " %1$A file association could not be created. Contact your system administrator for assistance.$ContentType$RealLegal E-Transcript Viewer Install$Setup$The RealLegal E-Transcript Viewer was successfully installed.$\ContentType$\shell\open\command
API String ID: 3247419236-4163030435
Opcode ID: f673c64fefed62b2609caf6e637651c02320746ac1c787cb49172d8e5ee5d4fc
Instruction ID: d19d96705eeb10c1627119a2be9fd073207e01e6ddea2a4a54b2a104d5f7aed4
Opcode Fuzzy Hash: f673c64fefed62b2609caf6e637651c02320746ac1c787cb49172d8e5ee5d4fc
Instruction Fuzzy Hash: 83711EB690021CBEDF219F90DC85EEF7B7CEB04344F0000A6FA55A2160D6749E95DF68

Function 004022EE Relevance: 65.0, APIs: 35, Strings: 2, Instructions: 265
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserCallbackDispatcher.NTDLL(?,?), ref: 00402323
LoadBitmapA.USER32(000000F6), ref: 00402339
GetObjectA.GDI32(00000000,00000018,?), ref: 00402348
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000012), ref: 00402380
DeleteObject.GDI32(00000000), ref: 00402387
CreateWindowExA.USER32(00000000,BUTTON,?,50010000,0000012A,00000065,0000004B,00000017,?,00000001,00000000), ref: 004023C8
GetStockObject.GDI32(0000000C), ref: 004023DF
SendMessageA.USER32(?,00000030,00000000), ref: 004023E7
CreateWindowExA.USER32(00000000,BUTTON,?,50010000,0000012A,00000080,0000004B,00000017,?,00000002,00000000), ref: 00402425
GetStockObject.GDI32(0000000C), ref: 00402435
SendMessageA.USER32(00000000,00000030,00000000), ref: 0040243B
SetWindowLongA.USER32(?,00000008,?), ref: 00402449
GetParent.USER32(?), ref: 00402452
LoadBitmapA.USER32(000000F6), ref: 00402473
GetWindowLongA.USER32(?,00000008), ref: 00402481
GetClientRect.USER32(?,?), ref: 00402491
CreateCompatibleDC.GDI32(?), ref: 0040249B
SelectObject.GDI32(00000000,?), ref: 004024AE
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 004024C8
BitBlt.GDI32(?,00000000,?,?,00000033,?,00000000,?,00CC0020), ref: 00402507
GetStockObject.GDI32(0000000C), ref: 0040250F
SelectObject.GDI32(?,00000000), ref: 00402517
SetRect.USER32(?,00000037,00000063,00000124,000000CC), ref: 0040252E
SetBkMode.GDI32(?,00000001), ref: 00402537
DrawTextA.USER32(?,By opening this document I consent to the use of the electronic signature(s) attached to it pursuant to applicable uniform acts and statutory provisions.,000000FF,?,00000C10), ref: 0040255A
DrawTextA.USER32(?,By opening this document I consent to the use of the electronic signature(s) attached to it pursuant to applicable uniform acts and statutory provisions.,000000FF,?,00000810), ref: 00402571
SetRect.USER32(?,00000037,0000004F,00000168,000000CA), ref: 0040259D
BeginPaint.USER32(?,?), ref: 004025EB
EndPaint.USER32(?,?), ref: 004025F8

Strings

BUTTON, xrefs: 004023C2, 0040241F
By opening this document I consent to the use of the electronic signature(s) attached to it pursuant to applicable uniform acts and statutory provisions., xrefs: 00402554, 0040256B

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Object$Window$CreateRectStock$BitmapDrawLoadLongMessagePaintSelectSendText$BeginCallbackClientCompatibleDeleteDispatcherModeParentUser
String ID: BUTTON$By opening this document I consent to the use of the electronic signature(s) attached to it pursuant to applicable uniform acts and statutory provisions.
API String ID: 3957135676-3782638498
Opcode ID: 682f53377e00b1476d638103522fbc37b61f4b67a8ecab7e08f8f9de9f8b152b
Instruction ID: 46a8299b59ca5f2d52fe9694b68183f30cf76ed508ae767f3d35ca551449e2dd
Opcode Fuzzy Hash: 682f53377e00b1476d638103522fbc37b61f4b67a8ecab7e08f8f9de9f8b152b
Instruction Fuzzy Hash: BC918B71544208FFEB219FA0ED49EEE3F78FB08750F105025FA45AA1E1CBB59950EB68

Function 004172E4 Relevance: 46.7, APIs: 31, Instructions: 249
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

BeginPaint.USER32(?,?), ref: 0041731A
EndPaint.USER32(?,?), ref: 00417327
SetWindowLongA.USER32(?,00000000,00000000), ref: 00417359
SetWindowLongA.USER32(?,00000000), ref: 00417372
GetClientRect.USER32(?,?), ref: 00417390
GetSysColor.USER32(00000010), ref: 0041739E
CreateSolidBrush.GDI32(00000000), ref: 004173A7
GetSysColor.USER32(0000000F), ref: 004173AE
CreateSolidBrush.GDI32(00000000), ref: 004173B1
GetSysColor.USER32(00000014), ref: 004173B8
CreateSolidBrush.GDI32(00000000), ref: 004173BB
GetSysColor.USER32(00000006), ref: 004173C2
CreateSolidBrush.GDI32(00000000), ref: 004173C5
FillRect.USER32(?,?,?), ref: 004173E9
FillRect.USER32(?,?,?), ref: 004173FE
FillRect.USER32(?,?,?), ref: 00417413
FillRect.USER32(?,?,?), ref: 00417428
FillRect.USER32(?,?,?), ref: 0041749E
DeleteObject.GDI32(?), ref: 004174A9
DeleteObject.GDI32(?), ref: 004174AE
DeleteObject.GDI32(00000007), ref: 004174B3
DeleteObject.GDI32(?), ref: 004174B8
ReleaseCapture.USER32 ref: 004174EB
DefWindowProcA.USER32(?,?,?,?), ref: 0041758B
LoadCursorA.USER32(00000000,00007F84), ref: 004175AA
SetCursor.USER32(00000000), ref: 004175B1

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Rect$Fill$BrushColorCreateDeleteObjectSolid$Window$CursorLongPaint$BeginCaptureClientLoadProcRelease
String ID:
API String ID: 883540964-0
Opcode ID: c79bfe37afebe15f637ce10081867b1b18701a15dcd387a7b52a74b6bfa383c3
Instruction ID: d20049629060191ea648a1a447417fe6170934e05eb3a2e7258110c2b6df4aad
Opcode Fuzzy Hash: c79bfe37afebe15f637ce10081867b1b18701a15dcd387a7b52a74b6bfa383c3
Instruction Fuzzy Hash: D691357180420DBFDF219FA1CC44AEF7FBAFB48340F10442AF855A6260D7759A91DBA5

Function 00404056 Relevance: 36.9, APIs: 17, Strings: 4, Instructions: 191
registrylibrarywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 0040405B
LoadIconA.USER32(00400000,00000070), ref: 00404088
LoadCursorA.USER32(00000000,00007F00), ref: 00404097
GetStockObject.GDI32(00000002), ref: 004040A2
RegisterClassA.USER32(?), ref: 004040BE
LoadAcceleratorsA.USER32(00000066), ref: 004040CC
SetWindowsHookA.USER32(000000FF,00405789), ref: 004040DF
LoadLibraryA.KERNELBASE(RICHED32.DLL,?,(uC), ref: 004040F0
InitCommonControlsEx.COMCTL32(?,?,(uC), ref: 0040410A
GetSystemMetrics.USER32(00000001), ref: 00404121
GetSystemMetrics.USER32(00000000), ref: 00404143
CreateWindowExA.USER32(00000000,MainWndClass,00000000,00CF0000,?,?,?,?,00000000,00000000), ref: 00404192
GetWindowRect.USER32(00000000,?), ref: 004041A3
GetSystemMetrics.USER32(00000001), ref: 004041AB
OffsetRect.USER32(?,00000000,000000D8), ref: 004041C2
OffsetRect.USER32(?,00000000,?), ref: 004041D4
ShowWindow.USER32(?,?,00000000,?,?,?,?,?,?,(uC), ref: 004042A3

Part of subcall function 0040459A: __EH_prolog.LIBCMT ref: 0040459F
Part of subcall function 0040459A: lstrlenA.KERNEL32(00000000,00000001,?,00000000,?,?,?,(uC), ref: 004045BE
Part of subcall function 0040459A: lstrlenA.KERNEL32(?,?,00000000,?,?,?,(uC), ref: 004045C7
Part of subcall function 0040459A: lstrcpyA.KERNEL32(00000000,?,?,00000000,?,?,?,(uC), ref: 004045DD
Part of subcall function 0040459A: lstrcatA.KERNEL32(?, - ,?,00000000,?,?,?,(uC), ref: 004045F1
Part of subcall function 0040459A: lstrcatA.KERNEL32(?,00000000,?,00000000,?,?,?,(uC), ref: 004045FC
Part of subcall function 0040459A: SetWindowTextA.USER32(?,?), ref: 00404607
Part of subcall function 0040459A: SetRectEmpty.USER32(?), ref: 0040466F
Part of subcall function 0040459A: GetWindowLongA.USER32(?,000000EC), ref: 004046AB
Part of subcall function 0040459A: SetWindowLongA.USER32(?,000000EC,00000000), ref: 004046C3

Strings

RICHED32.DLL, xrefs: 004040E5
(uC, xrefs: 00404069
e, xrefs: 004040B4
MainWndClass, xrefs: 004040AE, 0040418E

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Window$LoadRect$MetricsSystem$H_prologLongOffsetlstrcatlstrlen$AcceleratorsClassCommonControlsCreateCursorEmptyHookIconInitLibraryObjectRegisterShowStockTextWindowslstrcpy
String ID: (uC$MainWndClass$RICHED32.DLL$e
API String ID: 115372367-4190344493
Opcode ID: a61262daf2d872b9cc46e6bec7715bd6e3bf4ed6c98d121de5907a68f250aef2
Instruction ID: bf204241300b57b385898991d815b5d9074a285952339ff7a11d9fd72f2741ac
Opcode Fuzzy Hash: a61262daf2d872b9cc46e6bec7715bd6e3bf4ed6c98d121de5907a68f250aef2
Instruction Fuzzy Hash: F1713DB1A00609AFDB10DFB4DD85AEEBBF4EB48310F10452EF655E6290DB745940CF58

Function 004064C3 Relevance: 33.4, APIs: 11, Strings: 8, Instructions: 151
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(?,?,00000104,?,(uC), ref: 004064E0
GetWindowsDirectoryA.KERNEL32(?,00000104,?,(uC), ref: 00406508
lstrcatA.KERNEL32(?,\etrnview.exe,?,(uC), ref: 0040651B
LoadStringA.USER32(?,00000001,RealLegal E-Transcript Viewer Install,00000040), ref: 0040654E
LoadStringA.USER32(?,00000002,The RealLegal E-Transcript Viewer was successfully installed.,00000400), ref: 0040655E
MessageBoxA.USER32(00000000,The RealLegal E-Transcript Viewer was successfully installed.,RealLegal E-Transcript Viewer Install,00000043), ref: 0040656C

Part of subcall function 0040E06C: __EH_prolog.LIBCMT ref: 0040E071
Part of subcall function 0040E06C: _lopen.KERNEL32(?,00000020), ref: 0040E094
Part of subcall function 0040E06C: _llseek.KERNEL32(00000000,000000F4,00000002), ref: 0040E0B0
Part of subcall function 0040E06C: _hread.KERNEL32(00000000,?,00000004), ref: 0040E0BF
Part of subcall function 0040E06C: _lclose.KERNEL32(00000000), ref: 0040E0F0

Part of subcall function 00405FDE: RegOpenKeyExA.KERNELBASE(80000000,?,00000000,00020019,?,76934D90,The RealLegal E-Transcript Viewer was successfully installed.), ref: 00406001
Part of subcall function 00405FDE: lstrcpyA.KERNEL32(?,ptxfile\shell\open\command), ref: 00406020
Part of subcall function 00405FDE: RegQueryValueA.ADVAPI32(80000000,?,?,?), ref: 00406040
Part of subcall function 00405FDE: RegCloseKey.ADVAPI32(?), ref: 00406068

LoadStringA.USER32(?,00000010,?,000000FF), ref: 00406628
LoadStringA.USER32(?,00000013,The RealLegal E-Transcript Viewer was successfully installed.,00000400), ref: 00406668
MessageBoxA.USER32(00000000,The RealLegal E-Transcript Viewer was successfully installed.,RealLegal E-Transcript Viewer Install,00000010), ref: 00406670

Part of subcall function 00406252: lstrcpyA.KERNEL32(?,?,76934D90,The RealLegal E-Transcript Viewer was successfully installed.,76990660), ref: 00406275
Part of subcall function 00406252: lstrcatA.KERNEL32(?,\ContentType), ref: 00406283
Part of subcall function 00406252: RegDeleteKeyA.ADVAPI32(80000000,?), ref: 0040629C
Part of subcall function 00406252: RegDeleteKeyA.ADVAPI32(80000000,?), ref: 004062A2
Part of subcall function 00406252: lstrcpyA.KERNEL32(?,?), ref: 004062AE
Part of subcall function 00406252: lstrcatA.KERNEL32(?,\shell\open\command), ref: 004062BC
Part of subcall function 00406252: RegDeleteKeyA.ADVAPI32(80000000,?), ref: 004062CA
Part of subcall function 00406252: RegDeleteKeyA.ADVAPI32(80000000,?), ref: 004062E8
Part of subcall function 00406252: RegDeleteKeyA.ADVAPI32(80000000,?), ref: 00406304
Part of subcall function 00406252: RegDeleteKeyA.ADVAPI32(80000000,?), ref: 00406320
Part of subcall function 00406252: RegCreateKeyExA.KERNELBASE(80000000,?,00000000,00000000,00000000,00020006,00000000,?,00000000), ref: 0040633D
Part of subcall function 00406252: lstrlenA.KERNEL32(?), ref: 0040634A
Part of subcall function 00406252: RegSetValueExA.KERNELBASE(?,00000000,00000000,00000001,?,00000001), ref: 00406362

LoadStringA.USER32(?,00000003,The RealLegal E-Transcript Viewer was successfully installed.,00000400), ref: 00406688
MessageBoxA.USER32(00000000,The RealLegal E-Transcript Viewer was successfully installed.,RealLegal E-Transcript Viewer Install,00000040), ref: 00406690

Strings

E-Transcript File, xrefs: 004065BE
application/x-etranscript, xrefs: 004065B8
(uC, xrefs: 004064D6
.ptx, xrefs: 004065C8
RealLegal E-Transcript Viewer Install, xrefs: 00406543, 0040654A, 00406568, 0040666C, 0040668C
The RealLegal E-Transcript Viewer was successfully installed., xrefs: 00406550, 0040655A, 00406569, 004065E2, 0040665C, 0040666D, 0040668D
\etrnview.exe, xrefs: 00406515
ptxfile, xrefs: 004065C3

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Delete$LoadString$Messagelstrcatlstrcpy$Value$CloseCreateDirectoryFileH_prologModuleNameOpenQueryWindows_hread_lclose_llseek_lopenlstrlen
String ID: (uC$.ptx$E-Transcript File$RealLegal E-Transcript Viewer Install$The RealLegal E-Transcript Viewer was successfully installed.$\etrnview.exe$application/x-etranscript$ptxfile
API String ID: 2986426987-4010483303
Opcode ID: 8f2b9ae228a92477411b36f6f1161f09f44504757b52a5ada00e0ef66e776029
Instruction ID: ec2467e6fed3bc082d484739e17270f646fdb0c9dadba4c6736b0b0164260be2
Opcode Fuzzy Hash: 8f2b9ae228a92477411b36f6f1161f09f44504757b52a5ada00e0ef66e776029
Instruction Fuzzy Hash: CB41D4712443057BE630EB61DC86FDB7A9CEF85704F00083AF645E61D1DAB9E544CBA9

Function 0040E06C Relevance: 31.6, APIs: 16, Strings: 2, Instructions: 137
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 0040E071
_lopen.KERNEL32(?,00000020), ref: 0040E094
_llseek.KERNEL32(00000000,000000F4,00000002), ref: 0040E0B0
_hread.KERNEL32(00000000,?,00000004), ref: 0040E0BF
_lclose.KERNEL32(00000000), ref: 0040E0F0
_lclose.KERNEL32(00000000), ref: 0040E11C
_llseek.KERNEL32(00000000,000000FC,00000002), ref: 0040E12E
_hread.KERNEL32(00000000,?,00000004), ref: 0040E137
_llseek.KERNEL32(00000000,00000000,00000000), ref: 0040E143
GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 0040E151
lstrcatA.KERNEL32(?,\etrnview.exe), ref: 0040E163
_lcreat.KERNEL32(?,00000000), ref: 0040E171
_lclose.KERNEL32(00000000), ref: 0040E19B
_lclose.KERNEL32(?), ref: 0040E1A3
_lclose.KERNEL32(00000000), ref: 0040E1BE
_lclose.KERNEL32(00000000), ref: 0040E1C1

Part of subcall function 0040947B: __EH_prolog.LIBCMT ref: 00409480
Part of subcall function 0040947B: GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00409498
Part of subcall function 0040947B: lstrcatA.KERNEL32(?,\pnxetkey.dat), ref: 004094AA
Part of subcall function 0040947B: _lopen.KERNEL32(?,00000020), ref: 004094B9

Strings

The RealLegal E-Transcript Viewer was successfully installed., xrefs: 0040E080
\etrnview.exe, xrefs: 0040E15D

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: _lclose$_llseek$DirectoryH_prologWindows_hread_lopenlstrcat$_lcreat
String ID: The RealLegal E-Transcript Viewer was successfully installed.$\etrnview.exe
API String ID: 1059618082-2991720876
Opcode ID: 4c7ac7ec25cebd994ff741a60d78fa12d4221c47a7a7b2fc1f40c2a953a00aea
Instruction ID: c2eae2b909f08feef4a4fb04d1f61ae7f3e898ba86927335f0dbd577fefcc626
Opcode Fuzzy Hash: 4c7ac7ec25cebd994ff741a60d78fa12d4221c47a7a7b2fc1f40c2a953a00aea
Instruction Fuzzy Hash: D341E572900218ABDF109B65DC85DFF7B7CEF44724F10062AFA11A62D1DB385E51DB58

Function 00403447 Relevance: 28.2, APIs: 15, Strings: 1, Instructions: 158
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SendDlgItemMessageA.USER32(?,00000421,00000190,00000000,00000000), ref: 004034B0
SendMessageA.USER32(?,00000111,00000001,00000000), ref: 004034C2
SendDlgItemMessageA.USER32(?,00000421,00000190,00000000,00000000), ref: 004034E3
GetDlgItem.USER32(?,00000001), ref: 004034F2
EnableWindow.USER32(00000000), ref: 004034F9
SendDlgItemMessageA.USER32(?,00000421,0000018B,00000000,00000000), ref: 0040351E
SendDlgItemMessageA.USER32(?,00000421,00000187,00000000,00000000), ref: 00403536
SendDlgItemMessageA.USER32(?,00000421,00000199,00000000,00000000), ref: 00403548
KiUserCallbackDispatcher.NTDLL(?,00000001), ref: 00403567
GetParent.USER32(?), ref: 00403578
lstrlenA.KERNEL32(?), ref: 004035B8
SendDlgItemMessageA.USER32(?,00000421,00000180,00000000,?), ref: 004035D0
SendDlgItemMessageA.USER32(?,00000421,0000019A,00000000,?), ref: 004035E1
GetDlgItem.USER32(?,00000001), ref: 00403600
KiUserCallbackDispatcher.NTDLL(00000000), ref: 00403607

Strings

0, xrefs: 004035EE

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Item$MessageSend$CallbackDispatcherUser$EnableParentWindowlstrlen
String ID: 0
API String ID: 709524723-4108050209
Opcode ID: a33417acd069d6afb9f91f758300136241cd1b3d541addab7db64fa68345f898
Instruction ID: 084e3a3b4b1065fb99b7651f1b8691f2abf2612b421d36e11ce0787ed86c8ec5
Opcode Fuzzy Hash: a33417acd069d6afb9f91f758300136241cd1b3d541addab7db64fa68345f898
Instruction Fuzzy Hash: 3C41C071208206BFEB208F65DC45D6B7FACEB44785F00093AFA84A61F1C6768E01DB59

Function 00408027 Relevance: 26.6, APIs: 13, Strings: 2, Instructions: 301
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolbarEx.COMCTL32(?,40800900,00000001,0000000B,0000006D,?,00000012,00000010,00000010,00000010,00000010,00000014,00000001,?,00000000), ref: 00408381
SendMessageA.USER32(00000000,00000439,00000000,00000000), ref: 00408397
SendMessageA.USER32(?,00000438,00000000,00000000), ref: 004083A5
SendMessageA.USER32(?,00000442,00001BD3,?), ref: 004083E7
SendMessageA.USER32(?,00000442,00001BD2,00000020), ref: 00408405
SendMessageA.USER32(?,00000442,00001BD4,00000020), ref: 0040841A
SendMessageA.USER32(?,0000041D,00000007,?), ref: 0040842C

Part of subcall function 00416F2A: CreateWindowExA.USER32(00000000,00001BD3,?,?,?,?,?,?,00444FE8,?,00408461,?), ref: 00416F5E

GetStockObject.GDI32(0000000C), ref: 0040846A
SendMessageA.USER32(?,00000030,00000000), ref: 00408476

Part of subcall function 00408570: SendMessageA.USER32(?,0000014B,00000000,00000000), ref: 00408590
Part of subcall function 00408570: lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,00408481), ref: 004085D3
Part of subcall function 00408570: SendMessageA.USER32(?,00000143,00000000,00000025), ref: 004085F1
Part of subcall function 00408570: SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00408603

GetWindowLongA.USER32(?,000000FC), ref: 00408485
SetWindowLongA.USER32(?,000000EB,?), ref: 0040849B
SetWindowLongA.USER32(?,000000FC,004086D5), ref: 004084A6
ShowWindow.USER32(?,00000005), ref: 004084AC

Strings

, xrefs: 004083D0
COMBOBOX, xrefs: 00408457

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: MessageSend$Window$Long$Create$ObjectShowStockToolbarlstrlen
String ID: $COMBOBOX
API String ID: 2731565370-1431761349
Opcode ID: 3d3c08455f83a6a9f35ed959743dd9b1025f83cef7d52c02410d8808be8d7c6f
Instruction ID: 2ed4a14c6884161277c877569c65893aeabfd8037dbb8755a4da4773a56a0fe5
Opcode Fuzzy Hash: 3d3c08455f83a6a9f35ed959743dd9b1025f83cef7d52c02410d8808be8d7c6f
Instruction Fuzzy Hash: FFD13DB1949398EEEB21CB68CC44BCDFFB1AB25304F4444D9D688B7251D7B50A88CF66

Function 0040459A Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 237
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 0040459F
lstrlenA.KERNEL32(00000000,00000001,?,00000000,?,?,?,(uC), ref: 004045BE
lstrlenA.KERNEL32(?,?,00000000,?,?,?,(uC), ref: 004045C7
lstrcpyA.KERNEL32(00000000,?,?,00000000,?,?,?,(uC), ref: 004045DD
lstrcatA.KERNEL32(?, - ,?,00000000,?,?,?,(uC), ref: 004045F1
lstrcatA.KERNEL32(?,00000000,?,00000000,?,?,?,(uC), ref: 004045FC
SetWindowTextA.USER32(?,?), ref: 00404607
SetRectEmpty.USER32(?), ref: 0040466F
GetWindowLongA.USER32(?,000000EC), ref: 004046AB
SetWindowLongA.USER32(?,000000EC,00000000), ref: 004046C3
GetWindowLongA.USER32(?,000000EC), ref: 0040472F
SetWindowLongA.USER32(?,000000EC,00000000), ref: 00404743

Part of subcall function 0041704A: CreateWindowExA.USER32(00000000,PaneSplitter,00444FE8,40000000,00000000,00000000,0000000A,0000000A,?,00000000,00000000), ref: 0041709D

Part of subcall function 0040AFAF: lstrcpyA.KERNEL32 ref: 0040B043
Part of subcall function 0040AFAF: lstrcpyA.KERNEL32(0000016C,Times New Roman), ref: 0040B05D

Strings

- , xrefs: 004045E9
WISplit, xrefs: 004047DA

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Window$Long$lstrcpy$lstrcatlstrlen$CreateEmptyH_prologRectText
String ID: - $WISplit
API String ID: 1986124246-3494287041
Opcode ID: 0573ae1ae8bba00b71459d67ffe5f971d477a6e4b1d82c7eb99fd13b5e9554f9
Instruction ID: 1b8ef5a6a4d552c069e3143d7b4b420e03039cf1bc30cc464c583b85bd5af3ad
Opcode Fuzzy Hash: 0573ae1ae8bba00b71459d67ffe5f971d477a6e4b1d82c7eb99fd13b5e9554f9
Instruction Fuzzy Hash: 1691A171600704ABDB15ABB4CC45AEFB7E5FF48310F104A2EF16AA32E1DB786900DB18

Function 00405BDA Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 106
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcpyA.KERNEL32(?,?,76BD33A0,0040664E,00000000), ref: 00405BFD
lstrlenA.KERNEL32(?), ref: 00405C0C
lstrcatA.KERNEL32(?,0043C984), ref: 00405C2A
lstrcatA.KERNEL32(?,?), ref: 00405C36
lstrcpyA.KERNEL32(?,?), ref: 00405C82
lstrlenA.KERNEL32(?), ref: 00405C8B
lstrcatA.KERNEL32(?,0043C984), ref: 00405CA3
lstrcatA.KERNEL32(?,?), ref: 00405CAF
lstrcatA.KERNEL32(?,.lnk), ref: 00405CBD
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 00405CD8
SHChangeNotify.SHELL32(00000002,00000001,?,00000000), ref: 00405CFE

Strings

.lnk, xrefs: 00405CB7

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: lstrcat$lstrcpylstrlen$ByteChangeCharMultiNotifyWide
String ID: .lnk
API String ID: 336434414-24824748
Opcode ID: fa98a6fc926722ddb662e9b4d369429eb08c57859182e1180d3d43129ca1d0e1
Instruction ID: 34de60236627501390b1431574186aeeabc5537727148d75cdbee9748cad4786
Opcode Fuzzy Hash: fa98a6fc926722ddb662e9b4d369429eb08c57859182e1180d3d43129ca1d0e1
Instruction Fuzzy Hash: 964149B690421DABDF10DFA4CC88FDA7BBCEF18318F1044A6F584E7180DAB49A858F54

Function 00407B70 Relevance: 21.1, APIs: 14, Instructions: 82
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SendMessageA.USER32(?,00000404,00000003,?), ref: 00407B9F
GetStockObject.GDI32(0000000C), ref: 00407BA5
SendMessageA.USER32(?,00000030,00000000), ref: 00407BB1
LoadBitmapA.USER32(000000F7), ref: 00407BC4
LoadBitmapA.USER32(0000010E), ref: 00407BD8
LoadBitmapA.USER32(00000085), ref: 00407BEB
LoadBitmapA.USER32(0000010E), ref: 00407BFA
LoadBitmapA.USER32(0000007C), ref: 00407C0A
LoadBitmapA.USER32(0000010F), ref: 00407C1D
LoadBitmapA.USER32(000000F9), ref: 00407C30
LoadBitmapA.USER32(00000110), ref: 00407C43
SendMessageA.USER32(?,00000401,00001001), ref: 00407C61
SendMessageA.USER32(?,00000401,00001002), ref: 00407C6D
SendMessageA.USER32(?,00000401,00000000,00000000), ref: 00407C76

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: BitmapLoad$MessageSend$ObjectStock
String ID:
API String ID: 1752246037-0
Opcode ID: 1e996521f3300ccd2710ed96b73126bee02a32571e6ef873ee8a342eb2037846
Instruction ID: e98203713f164199a056f04980e6dbb322ccdfef782da7b6ceab7ab3d63a2609
Opcode Fuzzy Hash: 1e996521f3300ccd2710ed96b73126bee02a32571e6ef873ee8a342eb2037846
Instruction Fuzzy Hash: 182139B1140B48EFEB316F21DC46FA7BBE5EB86B00F004539F6894A1B0C6B26851DB18

Function 00432D3B Relevance: 19.5, APIs: 9, Strings: 2, Instructions: 221
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CompareStringW.KERNEL32(00000000,00000000,004384E4,00000001,004384E4,00000001,00000000,?,0000005C,0000005C,00000000,?,?,762283C0,00404932,TEMP), ref: 00432D79
CompareStringA.KERNEL32(00000000,00000000,004384E0,00000001,004384E0,00000001,?,?,762283C0,00404932,TEMP,?), ref: 00432D96
CompareStringA.KERNEL32(?,?,?,?,?,2I@,00000000,?,0000005C,0000005C,00000000,?,?,762283C0,00404932,TEMP), ref: 00432DF4
GetCPInfo.KERNEL32(762283C0,00000000,00000000,?,0000005C,0000005C,00000000,?,?,762283C0,00404932,TEMP,?), ref: 00432E45
MultiByteToWideChar.KERNEL32(762283C0,00000009,00000000,2I@,00000000,00000000,?,?,762283C0,00404932,TEMP,?), ref: 00432EC4
MultiByteToWideChar.KERNEL32(?,00000001,?,2I@,?,2I@,?,?,762283C0,00404932,TEMP,?), ref: 00432F25
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000,?,?,762283C0,00404932,TEMP,?), ref: 00432F38
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000,?,?,762283C0,00404932,TEMP,?), ref: 00432F84
CompareStringW.KERNEL32(?,?,?,?,?,00000000,?,00000000,?,?,762283C0,00404932,TEMP,?), ref: 00432F9C

Strings

2I@, xrefs: 00432F11
2I@, xrefs: 00432E21, 00432DE4, 00432DCA, 00432EBB, 00432F17

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: ByteCharCompareMultiStringWide$Info
String ID: 2I@$2I@
API String ID: 1651298574-2381108387
Opcode ID: b566e0df5a59d2c4e580c43b062ca2c40d6eb2565a7de76551b8d9e98eeb5dea
Instruction ID: 10c11a2cb1f1521fbab9ed2ff6cf20fbb0bc193c85100dfcf4886bf7556be001
Opcode Fuzzy Hash: b566e0df5a59d2c4e580c43b062ca2c40d6eb2565a7de76551b8d9e98eeb5dea
Instruction Fuzzy Hash: 2F71AE72904249AFCF219F54DE42AEF7BB6FF09314F14212BF951A2260C3B98C51DB99

Function 00403A45 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 207
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00403F44: __EH_prolog.LIBCMT ref: 00403F49
Part of subcall function 00403F44: GetModuleFileNameA.KERNEL32(?,00000104,?,?,(uC), ref: 00403F9A
Part of subcall function 00403F44: lstrlenA.KERNEL32(00000000,?,?,(uC), ref: 00403FC1
Part of subcall function 00403F44: lstrlenA.KERNEL32(00000000,?,?,(uC), ref: 00403FCB

KiUserCallbackDispatcher.NTDLL(00000000,00000000,00000000,00000000), ref: 00403AAC
TranslateAcceleratorA.USER32(?,?,00000000,?,00000000,?,00000000,00000000,0042A789,00000000), ref: 00403AF0
TranslateMessage.USER32(00000000), ref: 00403AFE
DispatchMessageA.USER32(00000000), ref: 00403B08
UnhookWindowsHook.USER32(000000FF,00405789), ref: 00403B46
lstrlenA.KERNEL32(?,?,00000000,?,00000000,00000000,0042A789,00000000), ref: 00403B7F
lstrcpyA.KERNEL32(?,.gid,?,00000000,?,00000000,00000000,0042A789,00000000), ref: 00403B9D
lstrcpyA.KERNEL32(?,?,?,00000000,?,00000000,00000000,0042A789,00000000), ref: 00403BBC
_lclose.KERNEL32(?), ref: 00403BF3

Part of subcall function 00404056: __EH_prolog.LIBCMT ref: 0040405B
Part of subcall function 00404056: LoadIconA.USER32(00400000,00000070), ref: 00404088
Part of subcall function 00404056: LoadCursorA.USER32(00000000,00007F00), ref: 00404097
Part of subcall function 00404056: GetStockObject.GDI32(00000002), ref: 004040A2
Part of subcall function 00404056: RegisterClassA.USER32(?), ref: 004040BE
Part of subcall function 00404056: LoadAcceleratorsA.USER32(00000066), ref: 004040CC
Part of subcall function 00404056: SetWindowsHookA.USER32(000000FF,00405789), ref: 004040DF
Part of subcall function 00404056: LoadLibraryA.KERNELBASE(RICHED32.DLL,?,(uC), ref: 004040F0
Part of subcall function 00404056: InitCommonControlsEx.COMCTL32(?,?,(uC), ref: 0040410A
Part of subcall function 00404056: GetSystemMetrics.USER32(00000001), ref: 00404121
Part of subcall function 00404056: GetSystemMetrics.USER32(00000000), ref: 00404143
Part of subcall function 00404056: CreateWindowExA.USER32(00000000,MainWndClass,00000000,00CF0000,?,?,?,?,00000000,00000000), ref: 00404192
Part of subcall function 00404056: GetWindowRect.USER32(00000000,?), ref: 004041A3
Part of subcall function 00404056: GetSystemMetrics.USER32(00000001), ref: 004041AB

FreeLibrary.KERNEL32(?,?,00000000,?,00000000,00000000,0042A789,00000000), ref: 00403C95

Part of subcall function 0041677F: LoadCursorA.USER32(00000000,00007F00), ref: 004167B1
Part of subcall function 0041677F: RegisterClassA.USER32(00000002), ref: 004167CB

Part of subcall function 004043E3: DialogBoxParamA.USER32(000000F8,?,004022EE,?), ref: 00404414

Part of subcall function 004064C3: GetModuleFileNameA.KERNEL32(?,?,00000104,?,(uC), ref: 004064E0
Part of subcall function 004064C3: GetWindowsDirectoryA.KERNEL32(?,00000104,?,(uC), ref: 00406508
Part of subcall function 004064C3: lstrcatA.KERNEL32(?,\etrnview.exe,?,(uC), ref: 0040651B
Part of subcall function 004064C3: LoadStringA.USER32(?,00000001,RealLegal E-Transcript Viewer Install,00000040), ref: 0040654E
Part of subcall function 004064C3: LoadStringA.USER32(?,00000002,The RealLegal E-Transcript Viewer was successfully installed.,00000400), ref: 0040655E
Part of subcall function 004064C3: MessageBoxA.USER32(00000000,The RealLegal E-Transcript Viewer was successfully installed.,RealLegal E-Transcript Viewer Install,00000043), ref: 0040656C
Part of subcall function 004064C3: LoadStringA.USER32(?,00000013,The RealLegal E-Transcript Viewer was successfully installed.,00000400), ref: 00406668
Part of subcall function 004064C3: MessageBoxA.USER32(00000000,The RealLegal E-Transcript Viewer was successfully installed.,RealLegal E-Transcript Viewer Install,00000010), ref: 00406670

Strings

.gid, xrefs: 00403B93

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Load$Message$MetricsStringSystemWindowslstrlen$ClassCursorFileH_prologHookLibraryModuleNameRegisterTranslateWindowlstrcpy$AcceleratorAcceleratorsCallbackCommonControlsCreateDialogDirectoryDispatchDispatcherFreeIconInitObjectParamRectStockUnhookUser_lcloselstrcat
String ID: .gid
API String ID: 2299049595-3536957211
Opcode ID: dd647b51120259aa538dcc84a98db34668c4e4c38780463c5392c6b6a52c4b1f
Instruction ID: 4879c7a06dcdb6b8a2154e505c8b452992afc31afa14b979292a5385b3814d02
Opcode Fuzzy Hash: dd647b51120259aa538dcc84a98db34668c4e4c38780463c5392c6b6a52c4b1f
Instruction Fuzzy Hash: C67192313046059FDB29AF75D885EAB7BBCAF45305F00446EF466E72A1CB38AD01DB18

Function 00403D7C Relevance: 19.4, APIs: 2, Strings: 9, Instructions: 143COMMON

Download Yara Rule

APIs

Part of subcall function 0040ABC4: lstrcpyA.KERNEL32(?,00000000,00423BAE,?,?,00423084,00000000,?,00000000,00414FF9,00000000,00000000,?,76937CE0,?,0040477E), ref: 0040ABCC

Part of subcall function 0040ABFB: GetPrivateProfileIntA.KERNEL32(00000000,?,00423084,00000000), ref: 0040AC0D

Part of subcall function 0040AC1C: GetPrivateProfileStringA.KERNEL32(00000000,?,?,?,00403E0F,DisplayLeft), ref: 0040AC4F

KiUserCallbackDispatcher.NTDLL(00000000), ref: 00403E62
GetSystemMetrics.USER32(00000001), ref: 00403E69

Strings

DisplayRight, xrefs: 00403E37
ShowWordIndex, xrefs: 00403DBA
DisplayValid, xrefs: 00403DD3
DisplayTop, xrefs: 00403E1E
DisplayLeft, xrefs: 00403E05
SaveToKeychain, xrefs: 00403DEC
FileOpenLocation, xrefs: 00403F2E
TempSaveLocation, xrefs: 00403F19
DisplayBottom, xrefs: 00403E50

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: PrivateProfile$CallbackDispatcherMetricsStringSystemUserlstrcpy
String ID: DisplayBottom$DisplayLeft$DisplayRight$DisplayTop$DisplayValid$FileOpenLocation$SaveToKeychain$ShowWordIndex$TempSaveLocation
API String ID: 1289276032-535980166
Opcode ID: 6f84648534c24bc131a8e5844af410069b58d54b9e8bd5b06bebbffe05749eef
Instruction ID: cd56a0561d9fea1cff796f42b8fa2852033300da32d32409b278d31d07ec47a5
Opcode Fuzzy Hash: 6f84648534c24bc131a8e5844af410069b58d54b9e8bd5b06bebbffe05749eef
Instruction Fuzzy Hash: 4551AC71200B09AFCB20DF79C881BABBBE9EF44359F10052AF559A7391D734AA41CF95

Function 0040E538 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 174stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?), ref: 0040E57B
_llseek.KERNEL32(?,000000F4,00000002), ref: 0040E5A0
_hread.KERNEL32(?,?,00000004), ref: 0040E5AE
lstrcmpiA.KERNEL32(?,.exe), ref: 0040E5F7
_llseek.KERNEL32(?,000000FC,00000002), ref: 0040E60B
_hread.KERNEL32(?,?,00000004), ref: 0040E61C
_llseek.KERNEL32(?,00000000,00000000), ref: 0040E63B
_lclose.KERNEL32(?), ref: 0040E72E

Strings

.exe, xrefs: 0040E5ED

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: _llseek$_hread$_lcloselstrcmpilstrlen
String ID: .exe
API String ID: 2741372863-4119554291
Opcode ID: c04ddb5b69b99185e2f446263c4618e52dcbbf07eb4a045f661936eb7bae2441
Instruction ID: 4e35055330286a5e269bdc807592a93e8fc894a0d84ba33c2de1c2cbcde85148
Opcode Fuzzy Hash: c04ddb5b69b99185e2f446263c4618e52dcbbf07eb4a045f661936eb7bae2441
Instruction Fuzzy Hash: 3C519E71600300AFDB25DF76CC85A9AB7E9EB04314F648D6EF11AE72D0DB34EA118B08

Function 0042286E Relevance: 15.1, APIs: 10, Instructions: 129COMMON

Download Yara Rule

APIs

SelectObject.GDI32(00000000,?), ref: 004228AC
GetTextMetricsA.GDI32(00000000,?), ref: 004228BA
SelectObject.GDI32(00000000,00000000), ref: 004229B8

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: ObjectSelect$MetricsText
String ID:
API String ID: 3697559710-0
Opcode ID: 3dc56056ade3532b2c7686109d15c217af6e6edfb4cb3710820858a812c289ff
Instruction ID: b01e8a755bf65807b3fcdfa86c729c1f9a2de025772d906cff938ad2f1c8ac2b
Opcode Fuzzy Hash: 3dc56056ade3532b2c7686109d15c217af6e6edfb4cb3710820858a812c289ff
Instruction Fuzzy Hash: 1C4168B5600208BFDB158F94DC84EBE7BB9EF48310F008069FA599A2A1C775EA41DF65

Function 00405FDE Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 76registrystringCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(80000000,?,00000000,00020019,?,76934D90,The RealLegal E-Transcript Viewer was successfully installed.), ref: 00406001
lstrcpyA.KERNEL32(?,ptxfile\shell\open\command), ref: 00406020
RegQueryValueA.ADVAPI32(80000000,?,?,?), ref: 00406040
RegCloseKey.ADVAPI32(?), ref: 00406068

Strings

ptxfile\shell\open\command, xrefs: 0040601A
RealLegal E-Transcript Viewer Install, xrefs: 00405FDE
pnxbndr.exe, xrefs: 00406083
The RealLegal E-Transcript Viewer was successfully installed., xrefs: 00405FE7

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: CloseOpenQueryValuelstrcpy
String ID: RealLegal E-Transcript Viewer Install$The RealLegal E-Transcript Viewer was successfully installed.$pnxbndr.exe$ptxfile\shell\open\command
API String ID: 534897748-1579285423
Opcode ID: 240fb1b81427238e12100aec325a614c9271439868a8927a6763b9ea8eba27be
Instruction ID: ba681b6ad867ce1f19bc7d91e4d736aacc32262078af9e648ea5c6875347564d
Opcode Fuzzy Hash: 240fb1b81427238e12100aec325a614c9271439868a8927a6763b9ea8eba27be
Instruction Fuzzy Hash: 6111A5B79442286ADB25D660EC49FDB77BCDB04729F1011B6FA81F70C0DA345E458B98

Function 00404E7C Relevance: 13.7, APIs: 9, Instructions: 219windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,004042B0), ref: 00404EBE
IsWindowVisible.USER32(?), ref: 00404F03
ShowWindow.USER32(?,00000000), ref: 00404F1C
ShowWindow.USER32(?,00000000), ref: 00404F46

Part of subcall function 004086AB: GetWindowRect.USER32(?,?), ref: 004086C0

Part of subcall function 00416DD6: GetParent.USER32(00000001), ref: 00416DE1
Part of subcall function 00416DD6: GetWindowRect.USER32(00000001,?), ref: 00416DF0
Part of subcall function 00416DD6: ScreenToClient.USER32(00000000,?), ref: 00416E01
Part of subcall function 00416DD6: ScreenToClient.USER32(00000000,00000001), ref: 00416E08
Part of subcall function 00416DD6: MoveWindow.USER32(00000001,00000000,?,?,?,?,00000000,00000001,?,004042B0,?,?,(uC), ref: 00416E41

ShowWindow.USER32(?,00000005,?,?,?,00000000,00000001,?,004042B0,?,?,(uC), ref: 00404F8C

Part of subcall function 00417754: IsWindow.USER32(?), ref: 00417760
Part of subcall function 00417754: GetWindowRect.USER32(?,?), ref: 00417771

ShowWindow.USER32(?,00000005,?,?,?,?,?,?,?,?,?,00000000,00000001,?,004042B0), ref: 00404FCD
ShowWindow.USER32(?,00000005,00000005), ref: 00405030
ShowWindow.USER32(?,00000000,00000000), ref: 0040511A
InvalidateRect.USER32(?,00000000,00000001), ref: 00405142

Part of subcall function 0041AFAA: IsWindowVisible.USER32(?), ref: 0041AFBA

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Window$Show$Rect$Client$ScreenVisible$InvalidateMoveParent
String ID:
API String ID: 1827169823-0
Opcode ID: 8dbc4e43ee33deb8703ec956f4bbd684fa720736d3b19e6e75986452ff1a1319
Instruction ID: 54133d3cf169c1b40941a69a410454258e75e41fc89676e1e5454e5ac3734fef
Opcode Fuzzy Hash: 8dbc4e43ee33deb8703ec956f4bbd684fa720736d3b19e6e75986452ff1a1319
Instruction Fuzzy Hash: 33918D71600604AFCB15EFA4CD85FEAB7F6FF48304F010469F29AAB2A1C675A950DF54

Function 0041B308 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 0041B3AF
BeginPaint.USER32(?,?), ref: 0041B3BA
EnableScrollBar.USER32(?,00000003,00000000), ref: 0041B3F1
EndPaint.USER32(?,?), ref: 0041B437
SetWindowLongA.USER32(?,00000000,00000000), ref: 0041B45B
SetWindowLongA.USER32(?,00000000), ref: 0041B477
SetScrollRange.USER32(?,00000001,00000000,?,00000001), ref: 0041B49A
DefWindowProcA.USER32(?,?,?,?,?,00000000,?,?,?), ref: 0041B54A

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Window$LongPaintScroll$BeginClientEnableProcRangeRect
String ID:
API String ID: 442844283-0
Opcode ID: 697040efc620e2dcd8296adde87b2f4248d3417e591baae1321e9c57940ff506
Instruction ID: 44a9bf6e730fdd6a0686a52d8e452182f1a763ede5e09e6cc0b541e5afdd195f
Opcode Fuzzy Hash: 697040efc620e2dcd8296adde87b2f4248d3417e591baae1321e9c57940ff506
Instruction Fuzzy Hash: 4F718EB0200619ABDB24CF28CD84EFF77B9FB48305F14441AF95696252D738ED91CBA9

Function 004060AE Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 110COMMON

Download Yara Rule

APIs

Part of subcall function 00429FC1: GetFileAttributesA.KERNELBASE(?,00404538,?,00000004,?,?,?,?,0040403F), ref: 00429FC5
Part of subcall function 00429FC1: GetLastError.KERNEL32(?,?,?,?,0040403F), ref: 00429FD0

GetFileVersionInfoSizeA.VERSION(?,?,?,00000104), ref: 004060D4
GetFileVersionInfoA.VERSION(?,?,00000000,00000000,?,?,?,00000104), ref: 004060EC
VerQueryValueA.VERSION(00000000,\VarFileInfo\Translation,?,?,?,?,00000000,00000000,?,?,?,00000104), ref: 004060FF
wsprintfA.USER32 ref: 0040611C
VerQueryValueA.VERSION(00000000,?,?,?), ref: 00406135

Strings

\StringFileInfo\%04x%04x\FileVersion, xrefs: 00406116
\VarFileInfo\Translation, xrefs: 004060F9

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: File$InfoQueryValueVersion$AttributesErrorLastSizewsprintf
String ID: \StringFileInfo\%04x%04x\FileVersion$\VarFileInfo\Translation
API String ID: 565145844-2452293203
Opcode ID: 1c72906ce5f70d1cdaac773cc935b5745ffe15ef496a4fe3887fc67f4ddc3cf5
Instruction ID: d87d2e4f855fa1b631cdff149ed34cf789144a51da829ee04967547f002b616e
Opcode Fuzzy Hash: 1c72906ce5f70d1cdaac773cc935b5745ffe15ef496a4fe3887fc67f4ddc3cf5
Instruction Fuzzy Hash: C73199726002157BEB15AB66FC46EFB376CDF45364F10406BFC05DA181DB389E5086A5

Function 00405B55 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 41stringCOMMON

Download Yara Rule

APIs

lstrcpyA.KERNEL32(?,00000000,0040664E), ref: 00405B69
lstrlenA.KERNEL32(?), ref: 00405B76
lstrcatA.KERNEL32(?,0043C984), ref: 00405B98
lstrcatA.KERNEL32(?,00000001), ref: 00405BA4
lstrcatA.KERNEL32(?,.lnk), ref: 00405BB2
SHChangeNotify.SHELL32(00000004,00000001,?,00000000), ref: 00405BCE

Strings

.lnk, xrefs: 00405BAC

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: lstrcat$ChangeNotifylstrcpylstrlen
String ID: .lnk
API String ID: 4094561717-24824748
Opcode ID: 02e5742214da59737a7f7e3541aff5ef7191977486fd5d22329adc4e81cdf6e9
Instruction ID: 63b3a713fabc1856149cf88b15b68c63adba66d56408c9ad7a6c66f2cf59cbc5
Opcode Fuzzy Hash: 02e5742214da59737a7f7e3541aff5ef7191977486fd5d22329adc4e81cdf6e9
Instruction Fuzzy Hash: 3801C7F790421DABDF209BA0DD89FDA7B7CDB14714F1004A2B745E7180D6B4A6C48F54

Function 0040E753 Relevance: 12.1, APIs: 8, Instructions: 128COMMON

Download Yara Rule

APIs

Part of subcall function 0040E4EF: _lopen.KERNEL32(?,00000020), ref: 0040E505

_llseek.KERNEL32(?,?,00000000), ref: 0040E797
_hread.KERNEL32(?,?,00000008), ref: 0040E7A1
_llseek.KERNEL32(?,?,00000000), ref: 0040E7FA
_hread.KERNEL32(?,?,00000000), ref: 0040E80B
_llseek.KERNEL32(?,?,00000000), ref: 0040E851
_hread.KERNEL32(?,?,00000008), ref: 0040E85B
_llseek.KERNEL32(?,?,00000000), ref: 0040E894
_hread.KERNEL32(?,?,?), ref: 0040E8AF

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: _hread_llseek$_lopen
String ID:
API String ID: 3438067751-0
Opcode ID: 24b8f67a362a5211d220f2c52b4f717716d945a9a4cb0782d3db7b7ea144ac8a
Instruction ID: 8c7f17635c438269cffa7f3692c0b865f63ec70450139364a9f6d707b60108c8
Opcode Fuzzy Hash: 24b8f67a362a5211d220f2c52b4f717716d945a9a4cb0782d3db7b7ea144ac8a
Instruction Fuzzy Hash: B8412272A00209EFDF11DFA9CD45ADEBBB9FF04314F108926F954A7260D735AA20DB94

Function 004142F5 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 113COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004142FA
IsRectEmpty.USER32(?), ref: 0041437D
GetClientRect.USER32(?,?), ref: 0041438B
CreateWindowExA.USER32(00000000,PNX_TranscriptWnd,00444FE8,?,?,000000FF,?,?,?,00000000), ref: 004143C4
SetScrollRange.USER32(?,00000001,00000000,?,00000001), ref: 004143FC

Strings

PNX_TranscriptWnd, xrefs: 004143BE

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Rect$ClientCreateEmptyH_prologRangeScrollWindow
String ID: PNX_TranscriptWnd
API String ID: 1809096462-3827740301
Opcode ID: de6fef5168b4be06d5031f48075a5cd7f7bd949f5f8ff3a8a8ccef95e545961c
Instruction ID: a66d93e97a7cf2d2ae6e935c8b7d314457c1743442ba4c2010f4119e52bdc619
Opcode Fuzzy Hash: de6fef5168b4be06d5031f48075a5cd7f7bd949f5f8ff3a8a8ccef95e545961c
Instruction Fuzzy Hash: B9414775300605EFC724DF69C884D6ABBF9FF88315B10852EB86697690CB38EC55CB64

Function 0041B6FC Relevance: 10.6, APIs: 7, Instructions: 80COMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 0041B70D
ScreenToClient.USER32(?,?), ref: 0041B71A
GetDC.USER32(?), ref: 0041B723
GetClientRect.USER32(?,?), ref: 0041B733
ReleaseDC.USER32(?,?), ref: 0041B7A2
LoadCursorA.USER32(00000000,00007F00), ref: 0041B7C2
SetCursor.USER32(00000000), ref: 0041B7C9

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Cursor$Client$LoadRectReleaseScreen
String ID:
API String ID: 1605034846-0
Opcode ID: ac1d8afaa0a9374c6351483f0a9659f8acd03095297734b3d24eb2c31d4a0610
Instruction ID: aacc33ff21c216cabc79b5876419e6b335a14b3da2e9cb55cbac20a3d3e8fb5d
Opcode Fuzzy Hash: ac1d8afaa0a9374c6351483f0a9659f8acd03095297734b3d24eb2c31d4a0610
Instruction Fuzzy Hash: 5E316F71A04109EFDF119FA0CC88EEEBBB9FF44311F10442AE956A6190C775A945DB98

Function 00408570 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 59windowstringCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000014B,00000000,00000000), ref: 00408590
lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,00408481), ref: 004085D3
SendMessageA.USER32(?,00000143,00000000,00000025), ref: 004085F1
SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00408603

Strings

%, xrefs: 004085D9
COMBOBOX, xrefs: 00408609

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: MessageSend$lstrlen
String ID: %$COMBOBOX
API String ID: 1172434978-3011459713
Opcode ID: 61f3743742f239b2060d7553fdffbc79df53ba5e35cbf7830979cb6b92648cde
Instruction ID: 2574df086ced9fcb7bdaa7721be193362f74b764a5da0e09c49c01ec765c725a
Opcode Fuzzy Hash: 61f3743742f239b2060d7553fdffbc79df53ba5e35cbf7830979cb6b92648cde
Instruction Fuzzy Hash: 4F1124B1900208FFDB10DB54DD85BEEBBB8EB14304F10807AEA44B61D0D7B49E84CB95

Function 004176A4 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 004176B5
CreateWindowExA.USER32(00000000,msctls_statusbar32,00000000,54000100,00000000,00000000,00000000,00000000,?,000001F5,00000000), ref: 004176DC
GetWindowLongA.USER32(?,000000FC), ref: 004176FC
SetWindowLongA.USER32(?,000000EB,00000000), ref: 00417711
SetWindowLongA.USER32(?,000000FC,00417785), ref: 0041771D

Strings

msctls_statusbar32, xrefs: 004176D6

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Window$Long$ClientCreateRect
String ID: msctls_statusbar32
API String ID: 1831954240-4095915827
Opcode ID: 31d9196a9476e0ed3aecbfcbe5b0ee3e5acf628eafe5a9fe42df231ab9a1fa1c
Instruction ID: 133f01e66d392785ce0270dbbeb7573eaf74c49f28aa8c4f6b2e78d5d219c5bb
Opcode Fuzzy Hash: 31d9196a9476e0ed3aecbfcbe5b0ee3e5acf628eafe5a9fe42df231ab9a1fa1c
Instruction Fuzzy Hash: 8601F131004204BBCB201F16DC49CABBFB9EFC6B20B204129F9B2921B0C730A480EA24

Function 00410E4D Relevance: 9.0, APIs: 6, Instructions: 33memoryCOMMON

Download Yara Rule

APIs

GlobalHandle.KERNEL32(?), ref: 00410E5F
GlobalUnlock.KERNEL32(00000000,?,?,0040907F,?,?,00404571,?,?,?,00000FAA,00000000,00000001), ref: 00410E62
GlobalHandle.KERNEL32(?), ref: 00410E6B
GlobalFree.KERNEL32(00000000), ref: 00410E6E
GlobalAlloc.KERNELBASE(00000042,?,?,0040907F,?,?,00404571,?,?,?,00000FAA,00000000,00000001), ref: 00410E82
GlobalLock.KERNEL32(00000000,?,00404571,?,?,?,00000FAA,00000000,00000001,?,?,?,?,0040403F), ref: 00410E89

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Global$Handle$AllocFreeLockUnlock
String ID:
API String ID: 1825700950-0
Opcode ID: 94fc04a8adbfeb9f0156175f711719a3c129d1b35bcfae1951cd842f4ff17436
Instruction ID: e65621c49f7ec37acc8d42cf6ee7aab23bc114c0964e244b8c33374ec4d32316
Opcode Fuzzy Hash: 94fc04a8adbfeb9f0156175f711719a3c129d1b35bcfae1951cd842f4ff17436
Instruction Fuzzy Hash: 00F0A9B2504704AFDB209FA5DC4DD57BBE8EF493117058829F596C2760C7B4E841CF64

Function 00403F44 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 89stringCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00403F49
GetModuleFileNameA.KERNEL32(?,00000104,?,?,(uC), ref: 00403F9A
lstrlenA.KERNEL32(00000000,?,?,(uC), ref: 00403FC1
lstrlenA.KERNEL32(00000000,?,?,(uC), ref: 00403FCB

Strings

(uC, xrefs: 00403F54

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: lstrlen$FileH_prologModuleName
String ID: (uC
API String ID: 3080448448-1954698195
Opcode ID: 2a6894e96b703455fba84965f5202a9066b9c4cea7ee5ab0439728f48cf279ff
Instruction ID: 3c03b709c43d1fe92fd87e6278d4adeb60bf3d5bbf290fc3ee41ae2b03071535
Opcode Fuzzy Hash: 2a6894e96b703455fba84965f5202a9066b9c4cea7ee5ab0439728f48cf279ff
Instruction Fuzzy Hash: 8331F4B1A047119FDB24EB71D806BBAB7E89F44319F14047FE246E32D2DB7C99408B29

Function 00422802 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

SelectObject.GDI32(?,?), ref: 0042281D
GetStockObject.GDI32(0000000C), ref: 00422836
SelectObject.GDI32(?,00000000), ref: 00422840
SelectObject.GDI32(?,?), ref: 00422863

Strings

%)B, xrefs: 00422822

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Object$Select$Stock
String ID: %)B
API String ID: 3337941649-492036686
Opcode ID: 1fe0efa1890147aab53662c54ec436134ee563e770b15ad44649372330bdd513
Instruction ID: 6c2500861503ddf15cac87258eda2838cd352eaffe210e3a15567ed5bbf7a8b2
Opcode Fuzzy Hash: 1fe0efa1890147aab53662c54ec436134ee563e770b15ad44649372330bdd513
Instruction Fuzzy Hash: C101C472A00209BFDF029FA5CC459AEBF76FF49354F004064FA05AA260D7729A61DBE4

Function 004229C8 Relevance: 7.6, APIs: 5, Instructions: 114stringCOMMON

Download Yara Rule

APIs

SelectObject.GDI32(?,?), ref: 00422A11
GetTextMetricsA.GDI32(?,?), ref: 00422A21
lstrlenA.KERNEL32(?,?), ref: 00422A62
GetTextExtentPointA.GDI32(?,?,00000000), ref: 00422A6D
SelectObject.GDI32(?,?), ref: 00422AFB

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: ObjectSelectText$ExtentMetricsPointlstrlen
String ID:
API String ID: 912969315-0
Opcode ID: 2df8dde9ec9cd3ef897e5176192f3daa0dd4c397abbdced6d8ba138da9cf6506
Instruction ID: b7549949c3b6b3c79e6b5a9cfa994c88eaa9e6ec38042759e775692101465ac1
Opcode Fuzzy Hash: 2df8dde9ec9cd3ef897e5176192f3daa0dd4c397abbdced6d8ba138da9cf6506
Instruction Fuzzy Hash: 6B41F7B5600219EFDB20CF64D984AAABBF9FF48340F40442AF90697250D7B4ED51CFA4

Function 004086D5 Relevance: 7.6, APIs: 5, Instructions: 77windowCOMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000EB), ref: 004086E2
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 0040872A
SendMessageA.USER32(?,00000148,00000000,00000111), ref: 0040873D
CallWindowProcA.USER32(?,00000111,?,?), ref: 0040877F
DefWindowProcA.USER32(?,00000111,?,?), ref: 00408793

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Window$MessageProcSend$CallLong
String ID:
API String ID: 1824273765-0
Opcode ID: eb1dbc8e2b99fe1fbfc1574d86cf169a670de4a8122aae0d4cdb016d4b67bf63
Instruction ID: aa3bf40774003cf60c1397c897ed6a5ac558c973aefac35051768658fea54dbf
Opcode Fuzzy Hash: eb1dbc8e2b99fe1fbfc1574d86cf169a670de4a8122aae0d4cdb016d4b67bf63
Instruction Fuzzy Hash: 3D21C272500209BBDF216F50EE05FAB3B65EB04700F60452AFE91A61E4DB749920DB59

Function 004044C4 Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004044C9

Part of subcall function 00404D6D: MessageBoxA.USER32(00000000,Could not find the transcript file.,00000000,00000000), ref: 00404D9D

LoadCursorA.USER32(00000000,00007F02), ref: 004044ED
SetCursor.USER32(00000000,?,?,?,0040403F), ref: 004044F0
LoadCursorA.USER32(00000000,00007F00), ref: 00404581
SetCursor.USER32(00000000,?,?,?,?,0040403F), ref: 00404584

Part of subcall function 00408F11: __EH_prolog.LIBCMT ref: 00408F16

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Cursor$H_prologLoad$Message
String ID:
API String ID: 2952540675-0
Opcode ID: 714ded94b08ce969e81e956868885d0acf085cd951f0081ba309c6fe598af14e
Instruction ID: 72563bcb97c58fe7d55b507de3bb900896c1f4e7f3dc346156463005fb6f21b0
Opcode Fuzzy Hash: 714ded94b08ce969e81e956868885d0acf085cd951f0081ba309c6fe598af14e
Instruction Fuzzy Hash: 7E11D671B08602BBEB155BB1ED06BEAB794EF84314F00017AFB14A72E1CB7C9C40D668

Function 0041B689 Relevance: 7.5, APIs: 5, Instructions: 42COMMON

Download Yara Rule

APIs

GetCapture.USER32(?), ref: 0041B69E
PtInRect.USER32(?,?,?), ref: 0041B6C5
GetDC.USER32(?), ref: 0041B6DE
InvertRect.USER32(00000000,?), ref: 0041B6E8
ReleaseDC.USER32(?,00000000), ref: 0041B6F0

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Rect$CaptureInvertRelease
String ID:
API String ID: 4065165932-0
Opcode ID: d5d4b3ba8b8c3ad663f66e3d036b2942416ad00448b2237414c651b434af793c
Instruction ID: 5c1d04f7933f34a263db4bc2d4c2d69b9469ace0df957da546946e3413d7d294
Opcode Fuzzy Hash: d5d4b3ba8b8c3ad663f66e3d036b2942416ad00448b2237414c651b434af793c
Instruction Fuzzy Hash: 3D014FB11042019FD7209F35DC88EEB7BACEB95352F00182DF586C3151D7746C85DBA9

Function 0041FC3F Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 260COMMON

Download Yara Rule

APIs

GetCharWidthA.GDI32(?,00000020,0000003A,?), ref: 0041FC79
GetTextExtentPointA.GDI32(?,0043C988,00000001,?), ref: 0041FC8D
GetTextMetricsA.GDI32(?,?), ref: 0041FCA3

Strings

:, xrefs: 0041FE5E

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Text$CharExtentMetricsPointWidth
String ID: :
API String ID: 3532046770-336475711
Opcode ID: dcc100d475c2a6795ce0eb472e99a4a223a2ddefd0824d41f38c5e259796557d
Instruction ID: 37b66b582fd913823aee7c5ab000b657429dafb5b5d202062ef3ce0c8fbe910c
Opcode Fuzzy Hash: dcc100d475c2a6795ce0eb472e99a4a223a2ddefd0824d41f38c5e259796557d
Instruction Fuzzy Hash: BEB10671A0020AEFCF15CFA8C844AEEBBB5FF48304F00416AF915A7261D7359A95DFA4

Function 00417785 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000EB), ref: 00417791
CallWindowProcA.USER32(?,?,00000005,?,?), ref: 0041780D
DefWindowProcA.USER32(?,?,?,?), ref: 0041781F

Strings

, xrefs: 004177A6

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Window$Proc$CallLong
String ID:
API String ID: 2055830364-3916222277
Opcode ID: 11a8489ee6bbac07b44f30430c3202c69938baeca75465e2318ddaa5fceb6066
Instruction ID: efe8d479153d74b1eb93242798843a3203c7acc84f3c989134863f18a22a9990
Opcode Fuzzy Hash: 11a8489ee6bbac07b44f30430c3202c69938baeca75465e2318ddaa5fceb6066
Instruction Fuzzy Hash: CE11A271208204FFDB288F19EC58DAB7BB9EB48321B10891EF95796291C739D850DB74

Function 0040C76C Relevance: 6.7, APIs: 1, Strings: 2, Instructions: 1480COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040C771

Part of subcall function 0040E4EF: _lopen.KERNEL32(?,00000020), ref: 0040E505

Part of subcall function 0040E753: _llseek.KERNEL32(?,?,00000000), ref: 0040E797
Part of subcall function 0040E753: _hread.KERNEL32(?,?,00000008), ref: 0040E7A1
Part of subcall function 0040E753: _llseek.KERNEL32(?,?,00000000), ref: 0040E7FA
Part of subcall function 0040E753: _hread.KERNEL32(?,?,00000000), ref: 0040E80B
Part of subcall function 0040E753: _llseek.KERNEL32(?,?,00000000), ref: 0040E851
Part of subcall function 0040E753: _hread.KERNEL32(?,?,00000008), ref: 0040E85B

Part of subcall function 0040E753: _llseek.KERNEL32(?,?,00000000), ref: 0040E894

Part of subcall function 0040A03B: __EH_prolog.LIBCMT ref: 0040A040

Part of subcall function 0040E753: _hread.KERNEL32(?,?,?), ref: 0040E8AF

Strings

, xrefs: 0040D581
, xrefs: 0040D591

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: _hread_llseek$H_prolog$_lopen
String ID: $
API String ID: 268418082-227171996
Opcode ID: e75626bdf0a74a079772c2a0c647ced207303e03ce3cb5cd6564eb7ebd888624
Instruction ID: 6c5bf20ad51c07ba8991f788f40827b4a4e8d76b34ce36524fe9d827596026f6
Opcode Fuzzy Hash: e75626bdf0a74a079772c2a0c647ced207303e03ce3cb5cd6564eb7ebd888624
Instruction Fuzzy Hash: 3FD249B1A00219ABCF10DF99C845BBEB7F9BF04348F00882EF959E7291D7B89954DB54

Function 004147A5 Relevance: 6.2, APIs: 4, Instructions: 193COMMON

Download Yara Rule

APIs

BeginPaint.USER32(?,?), ref: 00414849
EndPaint.USER32(?,?), ref: 00414856

Part of subcall function 00414610: GetClientRect.USER32(?,?), ref: 00414620

SetWindowLongA.USER32(?,00000000), ref: 004148DC
DefWindowProcA.USER32(?,00000204,?,?,?,?,?), ref: 0041498E

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: PaintWindow$BeginClientLongProcRect
String ID:
API String ID: 865218549-0
Opcode ID: 9fbf1f6014f0232a31bf79793e3d8100a579a9cfe78c8afc67bd677972b66934
Instruction ID: 4309b52966b526d5507a8302203597ad347ea2452557b074d461f058ff702d38
Opcode Fuzzy Hash: 9fbf1f6014f0232a31bf79793e3d8100a579a9cfe78c8afc67bd677972b66934
Instruction Fuzzy Hash: 9B6180B52102199FCB149F69C9449BF7BE9FF88700B40091EF986C76A0CB38DC91DB69

Function 0040EA3E Relevance: 6.0, APIs: 4, Instructions: 38COMMON

Download Yara Rule

APIs

_lopen.KERNEL32(?,00000020), ref: 0040EA47
_llseek.KERNEL32(00000000,000000F8,00000002), ref: 0040EA5E
_hread.KERNEL32(00000000,?,00000004), ref: 0040EA6D
_lclose.KERNEL32(00000000), ref: 0040EA8A

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: _hread_lclose_llseek_lopen
String ID:
API String ID: 2871481721-0
Opcode ID: 07509e6602f5172d4890714b736107504931cc63c6ee02dcc99abc7e9c0ffd5e
Instruction ID: 4097e9e951a3c37468946dc9094f05b8ea49518b7076fbf7f07266acb909ad2e
Opcode Fuzzy Hash: 07509e6602f5172d4890714b736107504931cc63c6ee02dcc99abc7e9c0ffd5e
Instruction Fuzzy Hash: 3EF0E9732042247BDB302735AC0DFDB3A58DF85771F104631FE15D52D0DA34891186AC

Function 0040EA96 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

_lopen.KERNEL32(?,00000020), ref: 0040EA9F
_llseek.KERNEL32(00000000,000000F4,00000002), ref: 0040EAB8
_hread.KERNEL32(00000000,?,00000004), ref: 0040EAC5
_lclose.KERNEL32(00000000), ref: 0040EAD8

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: _hread_lclose_llseek_lopen
String ID:
API String ID: 2871481721-0
Opcode ID: f90605a875fae5a12d4933e633e59a31af9a948f614269269f53a588c4952398
Instruction ID: 4be1b228064665f771d478218c218ad7b7dd45d57dd76f62795053804bef5480
Opcode Fuzzy Hash: f90605a875fae5a12d4933e633e59a31af9a948f614269269f53a588c4952398
Instruction Fuzzy Hash: A4F0A7763451147BDF301B2ADC4DF9B3B58EF85371F004631FB55A52D0C77448429AA8

Function 0041F961 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 95COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041F966

Part of subcall function 0041E653: __EH_prolog.LIBCMT ref: 0041E658

Part of subcall function 00409A82: __EH_prolog.LIBCMT ref: 00409A87

Part of subcall function 0040A12F: lstrcpyA.KERNEL32(?,?,?,?,00000001), ref: 0040A1D9
Part of subcall function 0040A12F: lstrcpyA.KERNEL32(?,?,?,00000001), ref: 0040A1E1
Part of subcall function 0040A12F: lstrcpyA.KERNEL32(?,?,?,00000001), ref: 0040A257

Part of subcall function 004096EC: lstrcpyA.KERNEL32(?,pN@,?,?,?,00000001,0040A1CD,?,?,00000001), ref: 00409715
Part of subcall function 004096EC: lstrcpyA.KERNEL32(?,?,?,00000001,0040A1CD,?,?,00000001), ref: 0040971C
Part of subcall function 004096EC: lstrcpyA.KERNEL32(?,?,?,00000001,0040A1CD,?,?,00000001), ref: 00409724

Strings

<~C, xrefs: 0041F9B7
OD, xrefs: 0041FA43

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: lstrcpy$H_prolog
String ID: <~C$OD
API String ID: 2362665282-1514879436
Opcode ID: 2302317cbfecaa1d4f7c9f9e88f7d3761da239f1167550235cbde3c01a9fb921
Instruction ID: 30a45ee1fe4e084395d3635c72acf3e9684d059a668f946fe5a159bb89bbb5d6
Opcode Fuzzy Hash: 2302317cbfecaa1d4f7c9f9e88f7d3761da239f1167550235cbde3c01a9fb921
Instruction Fuzzy Hash: 05412EB1600705DFCB14DFA5C880BDABBF5BF18318F00482EE55A97682D778AA54CBA5

Function 0040EB65 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

_llseek.KERNEL32(00000000,?,00000000), ref: 0040EB86
_hread.KERNEL32(00000000,?,bN@), ref: 0040EBB9

Strings

bN@, xrefs: 0040EB95, 0040EB9C, 0040EBB2, 0040EBC5

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: _hread_llseek
String ID: bN@
API String ID: 2197572648-2889147719
Opcode ID: 95365312d3ca06ca33f022f51094f3059b40b58a2dc0ce5da7a7abeabe544158
Instruction ID: ef1a61392e420452b3d19739a14879bd11bac54eb63a483c6cba528f42d7d4d4
Opcode Fuzzy Hash: 95365312d3ca06ca33f022f51094f3059b40b58a2dc0ce5da7a7abeabe544158
Instruction Fuzzy Hash: 0301AD32900219FBDF209F92DC4AECF7F79EF40368F10046AF405A2191D774AAA0DB98

Function 0040DEDE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

_hread.KERNEL32(00000000,?,00002000), ref: 0040DF02
_hwrite.KERNEL32(00000000,00000000,00000000), ref: 0040DF28

Strings

RealLegal E-Transcript Viewer Install, xrefs: 0040DEDE

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: _hread_hwrite
String ID: RealLegal E-Transcript Viewer Install
API String ID: 194656443-3710306150
Opcode ID: 81f3e4f6cdb809b66747332f0e4a63e80fc687fda4ce8723ef085f00a8e79811
Instruction ID: 8269314856bf3be40fe330200955806573622d5ce6a324e6792731fbe027a216
Opcode Fuzzy Hash: 81f3e4f6cdb809b66747332f0e4a63e80fc687fda4ce8723ef085f00a8e79811
Instruction Fuzzy Hash: 7E01D832E04229ABCB206ED9DC8499FBB64EB41360B114136FC15A2290C7354D149698

Function 0041AEC8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 40COMMON

Download Yara Rule

APIs

CreateWindowExA.USER32(00000000,WordIndexWndClass,00446E6C,40200000,?,?,?,?,?,00000000,00000000,!G@), ref: 0041AF25

Strings

!G@, xrefs: 0041AEE6
WordIndexWndClass, xrefs: 0041AF1E

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: CreateWindow
String ID: !G@$WordIndexWndClass
API String ID: 716092398-4205693341
Opcode ID: 8edfc44dda15191c573665cc21bb3cacd565817b40c62c73b2cbb14a0acc71f8
Instruction ID: ad2a11c1c474bbefdcc0e58c724daee6ebf47de5e192c417e9ad2bfe9d5f49f1
Opcode Fuzzy Hash: 8edfc44dda15191c573665cc21bb3cacd565817b40c62c73b2cbb14a0acc71f8
Instruction Fuzzy Hash: 6A016DB6204701AFD7008F68CC45F5ABBE9EF8D304F10846AF645DB162D775A810DF19

Function 0040176B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,?,(uC,?,?,00404435,?), ref: 0040178A
DialogBoxParamA.USER32(000000F9,?,00403447,00000000), ref: 004017BE

Strings

(uC, xrefs: 0040176D

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: DialogParamlstrlen
String ID: (uC
API String ID: 1571052787-1954698195
Opcode ID: 6dbd295494a7faea673cf2db529a920d0a1b1bfccf1c2402a3acfab037afa664
Instruction ID: 687dd06b1c96e774bec4d6b9d909f408b869314ef2045d4c42f027970047ffda
Opcode Fuzzy Hash: 6dbd295494a7faea673cf2db529a920d0a1b1bfccf1c2402a3acfab037afa664
Instruction Fuzzy Hash: 61F0E9762443056BD3300FA19C80B63B7A8E740B55F11443FFB91A61F0DBB55842D26C

Function 004175C1 Relevance: 4.5, APIs: 3, Instructions: 26COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,00000000), ref: 004175C9
KiUserCallbackDispatcher.NTDLL(?,00000001,?,?), ref: 004175EC
DefWindowProcA.USER32(?,00000001,?,?), ref: 004175FB

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Window$CallbackDispatcherLongProcUser
String ID:
API String ID: 797415794-0
Opcode ID: c8d70d0d43468735419ef05e54e672bfb9afd19233664a4c761a4f561bb1ee74
Instruction ID: f56cc0022f88a09734dc35a7786333bb78138a3f3b347c8af0f6610fcc095ef5
Opcode Fuzzy Hash: c8d70d0d43468735419ef05e54e672bfb9afd19233664a4c761a4f561bb1ee74
Instruction Fuzzy Hash: CDF09271104209FFDF1A9F50DC48AAA3B76FB44351F108069FD158A660D772EDA1EB58

Function 0041BB0A Relevance: 4.5, APIs: 3, Instructions: 26COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,00000000), ref: 0041BB12
KiUserCallbackDispatcher.NTDLL(?,00000001,?,?), ref: 0041BB35
DefWindowProcA.USER32(?,00000001,?,?), ref: 0041BB44

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Window$CallbackDispatcherLongProcUser
String ID:
API String ID: 797415794-0
Opcode ID: f3042c3cca19e3b2f464abfd0c78f9288d40e38440ebfc52de53269582223329
Instruction ID: b6a47510e421a6e1cf5dbd0fbbf1843a6417f8ee51c65cd6279e99ed2b6e6624
Opcode Fuzzy Hash: f3042c3cca19e3b2f464abfd0c78f9288d40e38440ebfc52de53269582223329
Instruction Fuzzy Hash: C4F0F230108209FFDF068F50DC48EAA3B26FB04311F108068FD164A660C772EDA1EB94

Function 00404D6D Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 86windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0042A31A: FindFirstFileA.KERNELBASE(?,?), ref: 0042A32E
Part of subcall function 0042A31A: GetLastError.KERNEL32 ref: 0042A33B

MessageBoxA.USER32(00000000,Could not find the transcript file.,00000000,00000000), ref: 00404D9D

Part of subcall function 0040A12F: lstrcpyA.KERNEL32(?,?,?,?,00000001), ref: 0040A1D9
Part of subcall function 0040A12F: lstrcpyA.KERNEL32(?,?,?,00000001), ref: 0040A1E1
Part of subcall function 0040A12F: lstrcpyA.KERNEL32(?,?,?,00000001), ref: 0040A257

Strings

Could not find the transcript file., xrefs: 00404D96

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: lstrcpy$ErrorFileFindFirstLastMessage
String ID: Could not find the transcript file.
API String ID: 972712470-2730970783
Opcode ID: f906ce63834cf53842c5016992f54ca838108cfe550a93c2a616c4fe05663032
Instruction ID: be8b35c85bd14a2021a7efc39d98dc4165e9b75d2b6cb32d52bbf258afbf4c6a
Opcode Fuzzy Hash: f906ce63834cf53842c5016992f54ca838108cfe550a93c2a616c4fe05663032
Instruction Fuzzy Hash: 6D3143B1200B019FD7259B35DC45BA7B7E9BF84309F10483EFA5AD72E1DA38A8118B55

Function 0041704A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

CreateWindowExA.USER32(00000000,PaneSplitter,00444FE8,40000000,00000000,00000000,0000000A,0000000A,?,00000000,00000000), ref: 0041709D

Strings

PaneSplitter, xrefs: 00417097

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: CreateWindow
String ID: PaneSplitter
API String ID: 716092398-3269436181
Opcode ID: 1a4e63c30599adcd5f812bf31eafc6b18b8497f23a7d5595e2f25d950b68d17b
Instruction ID: c3c03cca90ebc5c1d46dc3f58836131a9e1c01800cc1965434c8b6205ee7fc99
Opcode Fuzzy Hash: 1a4e63c30599adcd5f812bf31eafc6b18b8497f23a7d5595e2f25d950b68d17b
Instruction Fuzzy Hash: 9D012CB5600704AFDB109F699C41FE7BBE8FB58710F10442AB999D3240D774A8508BA8

Function 004043E3 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

DialogBoxParamA.USER32(000000F8,?,004022EE,?), ref: 00404414

Strings

(uC, xrefs: 004043E3

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: DialogParam
String ID: (uC
API String ID: 665744214-1954698195
Opcode ID: a919cd84638df5159dd8d02379736436ef95dbf36aeda7232c7b611555fe19f3
Instruction ID: 4e3397f2d70fd232ee8da22ae9736a3c919a495e40c64348713e6660186778e3
Opcode Fuzzy Hash: a919cd84638df5159dd8d02379736436ef95dbf36aeda7232c7b611555fe19f3
Instruction Fuzzy Hash: 47F02930000B2847CA7A1720AA087CA2BC2AB62701F0009AEFDA1602E08BB80881BA48

Function 0040ABFB Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 11COMMON

Download Yara Rule

APIs

GetPrivateProfileIntA.KERNEL32(00000000,?,00423084,00000000), ref: 0040AC0D

Strings

~G@, xrefs: 0040AC05

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: PrivateProfile
String ID: ~G@
API String ID: 1469295129-1758069786
Opcode ID: 8c9aaecc1a1871f9471b769789b773779c6c2bdf68af43e4f3a7a843698fc1d1
Instruction ID: 60f3ab326f9e9d45cc2ef7eb4a765bf708ae5e8376d68ef9226c0a8dcf74aab3
Opcode Fuzzy Hash: 8c9aaecc1a1871f9471b769789b773779c6c2bdf68af43e4f3a7a843698fc1d1
Instruction Fuzzy Hash: 22D09276004300EFC701CFA0C848C0ABBB9BF89315B24886CB199C6230C732D451DB11

Function 00410C0A Relevance: 3.0, APIs: 2, Instructions: 41COMMON

Download Yara Rule

APIs

CharUpperA.USER32(?,?,00000000,?,769500C0,00410BAA,00000000,00408F3F,?,?,?,00404510,?,?,?,0040403F), ref: 00410C1F
IsCharUpperA.USER32(?,?,00000000,?,769500C0,00410BAA,00000000,00408F3F,?,?,?,00404510,?,?,?,0040403F), ref: 00410C2D

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: CharUpper
String ID:
API String ID: 9403516-0
Opcode ID: 21f2db89e7cff287d7e86b0cb4164838744303e37b170a41f84cc5335c72bc03
Instruction ID: 25b49c83920bee2d409bbcb160b0cd97dfa0d82cf68c65d24e56e75f32e7e093
Opcode Fuzzy Hash: 21f2db89e7cff287d7e86b0cb4164838744303e37b170a41f84cc5335c72bc03
Instruction Fuzzy Hash: 1AF0F63215431A9BD3295F5598886F5B7ACFF12315B10022BD8D2C6150E76594C68BA8

Function 004146CC Relevance: 3.0, APIs: 2, Instructions: 34COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 004146DD
SetScrollRange.USER32(?,00000000,00000000,?,00000001), ref: 004146FE

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: ClientRangeRectScroll
String ID:
API String ID: 3038720056-0
Opcode ID: 0ac5641296253ddd73ab2ca188b6622546eb4e47a3772b3a225856b030744ab8
Instruction ID: 9d42f98e1c6debfbeb579549ab2ca386cb1926d11964cf21566695908306b3cb
Opcode Fuzzy Hash: 0ac5641296253ddd73ab2ca188b6622546eb4e47a3772b3a225856b030744ab8
Instruction Fuzzy Hash: DAF089326001056BD7209629DC45FAA7BF9EBC1754F100039F856D3591E7B4BD81C654

Function 0042DC54 Relevance: 3.0, APIs: 2, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,0042A71A,00000000), ref: 0042DC65

Part of subcall function 0042DB0C: GetVersionExA.KERNEL32 ref: 0042DB2B

HeapDestroy.KERNEL32 ref: 0042DCA4

Part of subcall function 0042DCB1: HeapAlloc.KERNEL32(00000000,00000140,0042DC8D,000003F8), ref: 0042DCBE

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Heap$AllocCreateDestroyVersion
String ID:
API String ID: 2507506473-0
Opcode ID: 5bccde47b6a80811c0778e14b265928de686f81d935374520ff0f5494c346cec
Instruction ID: fb73888decbd61c8c28ecc952754cf69c7bf3cca5934a0d68b529cc4474c8ed9
Opcode Fuzzy Hash: 5bccde47b6a80811c0778e14b265928de686f81d935374520ff0f5494c346cec
Instruction Fuzzy Hash: B1F06D71F583229ADF206F32BD0576A2A94DB44792FA0043BF801C82A4EFE88581E51D

Function 00414B66 Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,00000000), ref: 00414B6E
DefWindowProcA.USER32(?,00000001,?,?), ref: 00414BA0

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Window$LongProc
String ID:
API String ID: 2275667008-0
Opcode ID: 6ffbfbbf9215fae5bbc311e932aaa529867a4a807736b1810ea018d519e79186
Instruction ID: b2e9d4a4cc949bd3e5d4e4995dafcc8b75801e1b9f5f9f7bbddba06a75663a8a
Opcode Fuzzy Hash: 6ffbfbbf9215fae5bbc311e932aaa529867a4a807736b1810ea018d519e79186
Instruction Fuzzy Hash: 13F09271104209FFDF159F50DC49EAA3B66FB84351F108069FD194A2A0D772EDA1EB58

Function 00405AEC Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,00000000), ref: 00405AF4
DefWindowProcA.USER32(?,00000001,?,?), ref: 00405B1C

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Window$LongProc
String ID:
API String ID: 2275667008-0
Opcode ID: b52b44acfaf4f21e8866eb7ea3b19e8afec42441bdcec9cb1700d6922e875bcc
Instruction ID: 2fdc80527f9dc36831961c4a266e882665d52c5f78dd78b0ae35b060e403a6e6
Opcode Fuzzy Hash: b52b44acfaf4f21e8866eb7ea3b19e8afec42441bdcec9cb1700d6922e875bcc
Instruction Fuzzy Hash: FBE01A30200208EBDF11AF61DC45AAA3B76EB00310F008029FC159A2A0C736B820EF29

Function 00429FC1 Relevance: 3.0, APIs: 2, Instructions: 19COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(?,00404538,?,00000004,?,?,?,?,0040403F), ref: 00429FC5
GetLastError.KERNEL32(?,?,?,?,0040403F), ref: 00429FD0

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: AttributesErrorFileLast
String ID:
API String ID: 1799206407-0
Opcode ID: a37868556188085a1429a1d7ec4d7dd442e9543b7afd19f2da831cd039d79e48
Instruction ID: 8f7e3b2d29783edd4ffee9cbd32c55157d345e5fbbc69805c6ca78973d4d7330
Opcode Fuzzy Hash: a37868556188085a1429a1d7ec4d7dd442e9543b7afd19f2da831cd039d79e48
Instruction Fuzzy Hash: E8E08CB520821086DB519B31FD4D72B7A90AF4633DFA54A5AE5B1C02F0C7BD8C80DB1A

Function 0042A491 Relevance: 3.0, APIs: 2, Instructions: 17COMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNELBASE(00405E94,00000000,00405E94,?), ref: 0042A497
GetLastError.KERNEL32 ref: 0042A4A1

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 5dab0b315b93ced53bad613e2951897686ad1719da0e997485323b7a008e8818
Instruction ID: 0ae6552368d2725078b731d81be7d7cd8a3b7d533250617484903f895d653ed2
Opcode Fuzzy Hash: 5dab0b315b93ced53bad613e2951897686ad1719da0e997485323b7a008e8818
Instruction Fuzzy Hash: 66D0C970315A1297DB613B31BC1C71B36A86B40371FE45E76F955C01E1EBACC852E51A

Function 00429610 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNELBASE(?,00403B78,?,?,00000000,?,00000000,00000000,0042A789,00000000), ref: 00429614
GetLastError.KERNEL32(?,00000000,?,00000000,00000000,0042A789,00000000), ref: 0042961E

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: DeleteErrorFileLast
String ID:
API String ID: 2018770650-0
Opcode ID: 5c7f5a35e9dfd7cb4a33c0d9065ded68faccf4a2e57a0bc607a81a4ab2324032
Instruction ID: b4d14a654ed61d25caae9c5828fb1986df6fdc94a7973387793da2011ef9090a
Opcode Fuzzy Hash: 5c7f5a35e9dfd7cb4a33c0d9065ded68faccf4a2e57a0bc607a81a4ab2324032
Instruction Fuzzy Hash: 33D01270715521968F652B317C0812B76D86F40771FE45A76F491C01E0EF7CCC41E51D

Function 0041AFAA Relevance: 3.0, APIs: 2, Instructions: 16windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0041AFBA
ShowWindow.USER32(?,?,?,0040510C,00000000), ref: 0041AFD3

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Window$ShowVisible
String ID:
API String ID: 4185057100-0
Opcode ID: 6a7d95c4f6af5aa3ae6f0030c9bba397042efa6bfcbe1aeda28a93b4873b0dd8
Instruction ID: 4cb15370ff1c795c69b82dce76708b47fc792b7541c9c834c750a131ab696f41
Opcode Fuzzy Hash: 6a7d95c4f6af5aa3ae6f0030c9bba397042efa6bfcbe1aeda28a93b4873b0dd8
Instruction Fuzzy Hash: FAD05EB500D601EBCA220B10DD48AC7BBA5AB54316F01482AF586D5036D675A8E2EE9A

Function 0040679C Relevance: 1.6, APIs: 1, Instructions: 110COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004067A1

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 2a175606592bfddce753c927e1dc46651a864069ee682a6a0c02803d049c27f5
Instruction ID: d26dbaa2eaea290c5234648ca9e0c1d993cdd0ac5a13eb55e49ce92b2ce44e45
Opcode Fuzzy Hash: 2a175606592bfddce753c927e1dc46651a864069ee682a6a0c02803d049c27f5
Instruction Fuzzy Hash: F341B232A013019FD714EFB98485B6FB7E5AB84314F61853FA16AE72C2CB385C018B18

Function 0040C2C4 Relevance: 1.6, APIs: 1, Instructions: 79COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040C2C9

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 8695873d75d10c7fdc6422bd6650c0dce6971785f575d71bc5be1f44a78602ad
Instruction ID: 38eb0a89bc66ad18077ea20fd2e7e50b8ae894f7f0e93fc7e68d4a6000117d10
Opcode Fuzzy Hash: 8695873d75d10c7fdc6422bd6650c0dce6971785f575d71bc5be1f44a78602ad
Instruction Fuzzy Hash: 86215E32A0021ADFCB14DFA5C8809BEB7B9FB08314F10867EE916A7291DB389D45CB54

Function 0042A043 Relevance: 1.5, APIs: 1, Instructions: 46memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00000000,0042A027,000000E0,0042A014,?,0042FDED,00000100,?,00000000), ref: 0042A0AF

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: e2559b4b67ad8614711f96623b1c3d152e1585f8ba113e0d55f7cbda39b3536f
Instruction ID: 3a4d0f77509a1556849982ea1207527f438265e3c721326ddeb57b1b6d1f460b
Opcode Fuzzy Hash: e2559b4b67ad8614711f96623b1c3d152e1585f8ba113e0d55f7cbda39b3536f
Instruction Fuzzy Hash: 06F0D632B042319BEA30AF25BC40B9B73949B05760F960157FD40AB2E0D728EC6182CF

Function 00404442 Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00404447

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: cd91f8ea1b2572835c49def8369b513bbab53a743d5bf8fd447aa9b9410a398d
Instruction ID: 6e6b7a912517eaa88a846602e8807d90943062f5d3c67b7d121932b09db4b6b2
Opcode Fuzzy Hash: cd91f8ea1b2572835c49def8369b513bbab53a743d5bf8fd447aa9b9410a398d
Instruction Fuzzy Hash: BC01A770A45614DBDB58DBB8D4067EEB7F0AF44314F10466FA526E33C0DB784E408A1D

Function 00421FDA Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00421FDF

Part of subcall function 00421E0E: __EH_prolog.LIBCMT ref: 00421E13

Part of subcall function 0041F961: __EH_prolog.LIBCMT ref: 0041F966

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 67afcc3148bdc1968779cb25345c203602c0672ca23bff4ef6a460de1a726a30
Instruction ID: 3dcbd8e6ccfcdc8859afa58fcef45ce339e59e0d7d49e7b978fa22512d2ce857
Opcode Fuzzy Hash: 67afcc3148bdc1968779cb25345c203602c0672ca23bff4ef6a460de1a726a30
Instruction Fuzzy Hash: 710117B2610745EFCB218F41C804BCBBFB1FB48319F01841EF5992A250C7BA9568DF94

Function 00416F2A Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

CreateWindowExA.USER32(00000000,00001BD3,?,?,?,?,?,?,00444FE8,?,00408461,?), ref: 00416F5E

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 134dd62796002e5ac5eecb9f9c224b62899fa5e9ff08203941239c55897835b9
Instruction ID: 7cccc1f4fff1d57d560581a2fa812e4590f35e5f0a9d9046823eb9c8ac1e1a8a
Opcode Fuzzy Hash: 134dd62796002e5ac5eecb9f9c224b62899fa5e9ff08203941239c55897835b9
Instruction Fuzzy Hash: AFF0AE36100119AFDF018F98DC09DAA7FAAEB89360B058164FE0857221C672EC20EBA0

Function 0040C116 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

_lopen.KERNEL32(00000000,00000020), ref: 0040C12D

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: _lopen
String ID:
API String ID: 2515328373-0
Opcode ID: 875d917a98fb82b6327eee410863569cb98c1937698f1e7aabca0fa5cd70f8fe
Instruction ID: 7bd8b6fe991cf8b1ac1e11391fc93663aa35514ccc7d192c762940acc18f5224
Opcode Fuzzy Hash: 875d917a98fb82b6327eee410863569cb98c1937698f1e7aabca0fa5cd70f8fe
Instruction Fuzzy Hash: 06E08C710287108AEA30AB78B845792B3D9AB00720F004BAAF0A2991C2DB7499808B10

Function 0040E4EF Relevance: 1.5, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

_lopen.KERNEL32(?,00000020), ref: 0040E505

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: _lopen
String ID:
API String ID: 2515328373-0
Opcode ID: 401e21e218df1f18b43a4b0760b4a785a0d1df5ea7ac69831b7d43e41cdbf28a
Instruction ID: 201f5b03e974bde6cb47365d82c4e648cc976b82063b17eb90b9d2e1e0eb8ace
Opcode Fuzzy Hash: 401e21e218df1f18b43a4b0760b4a785a0d1df5ea7ac69831b7d43e41cdbf28a
Instruction Fuzzy Hash: FAD01271409B105BDA325B39BD446D6B6DAAF04334F144BEBF579D32D1CB70AD009744

Function 0040ABD8 Relevance: 1.5, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

GetPrivateProfileStringA.KERNEL32(00000000), ref: 0040ABF2

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: PrivateProfileString
String ID:
API String ID: 1096422788-0
Opcode ID: 6bd72ed59be75fa3143a0b6d4729ee0d4690fad286b1c16e44fc49ee7d0e4531
Instruction ID: 942b10e3fef31b2b5d26d24638871de5b830a519770576d55cbb21ebdaf08ff2
Opcode Fuzzy Hash: 6bd72ed59be75fa3143a0b6d4729ee0d4690fad286b1c16e44fc49ee7d0e4531
Instruction Fuzzy Hash: 9FD09272008201AFCB02CF90DA48C0ABBA9BF99301F044858B28586031C332C825EB22

Function 00414480 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,?), ref: 00414487

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 55f1cc977c1804cb32af06252afc665be73505a954de3a178f5a3f4893b49610
Instruction ID: 1063762d0947083ad72b53c2ab4eab20586950372e3cfcebfa4311967dfb8868
Opcode Fuzzy Hash: 55f1cc977c1804cb32af06252afc665be73505a954de3a178f5a3f4893b49610
Instruction Fuzzy Hash: 34A001B6508104ABCA129B51DE0880ABA62ABA5705B1594A9AA8E44036C7738962FB19

Function 0040AD6C Relevance: 1.3, APIs: 1, Instructions: 69stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00429FC1: GetFileAttributesA.KERNELBASE(?,00404538,?,00000004,?,?,?,?,0040403F), ref: 00429FC5
Part of subcall function 00429FC1: GetLastError.KERNEL32(?,?,?,?,0040403F), ref: 00429FD0

lstrcmpiA.KERNEL32(?,?), ref: 0040ADA3

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: AttributesErrorFileLastlstrcmpi
String ID:
API String ID: 1106042219-0
Opcode ID: 7e1bb381b1c078ef6440124218e7368bd0cad2b0bdc9fbc783219d4c65f1f542
Instruction ID: 65417771eef056f906e94e0cb2904578e7ab69722811862f914ecdfc3c9b565c
Opcode Fuzzy Hash: 7e1bb381b1c078ef6440124218e7368bd0cad2b0bdc9fbc783219d4c65f1f542
Instruction Fuzzy Hash: 18217CB1600716AFDB218F59C884AABBBE6FF04355F04457FE805A7780DB349D60DB92

Non-executed Functions

Function 004017EE Relevance: 79.1, APIs: 21, Strings: 24, Instructions: 372registrywindowstringCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004017F3
RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Internet Explorer,00000000,00000001,?), ref: 00401828
RegQueryValueExA.ADVAPI32(?,Version,00000000,00000000,00000000,?), ref: 0040184B
RegCloseKey.ADVAPI32(?), ref: 00401854
lstrlenA.KERNEL32(00000000), ref: 0040185E
MessageBoxA.USER32(?,Internet Explorer 4.0x or later must be installed for this operation to function correctly.,Newer Internet Explorer version required,00000040), ref: 0040187A
GetPrivateProfileStringA.KERNEL32(Defaults,SignServer,sign.reallegal.com,?,00000104,00000000), ref: 004018D8
GetPrivateProfileStringA.KERNEL32(Defaults,SignAppPath,/signatures/api/trancert.dll,?,00000104,00000000), ref: 004018FB
MessageBoxA.USER32(?,?,Internet Connection Failed,00000030), ref: 00401948

Strings

Defaults, xrefs: 004018D3, 004018F6
SignServer, xrefs: 004018CE
sign.reallegal.com, xrefs: 004018C9
uC, xrefs: 00401BE9
SignAppPath, xrefs: 004018F1
uC, xrefs: 00401C17
/signatures/api/trancert.dll, xrefs: 004018EC
Signature Successfully Verified, xrefs: 00401C93
Verify transcript signature..., xrefs: 00401ABA
rB, xrefs: 0040196B
uC, xrefs: 00401BBC
Version, xrefs: 0040183C
Verification Failed, xrefs: 00401BC3
(now , xrefs: 00401C2E
Software\Microsoft\Internet Explorer, xrefs: 0040181E
Verification successful: This transcript was signed by , xrefs: 00401BD3
Internet Explorer 4.0x or later must be installed for this operation to function correctly., xrefs: 0040186F
Newer Internet Explorer version required, xrefs: 0040186A
on , xrefs: 00401C63
Internet Connection Failed, xrefs: 0040193C
uC, xrefs: 00401C08
uC, xrefs: 00401935
uC, xrefs: 00401C40
uC, xrefs: 00401AFA

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: MessagePrivateProfileString$CloseH_prologOpenQueryValuelstrlen
String ID: (now $ on $ uC$ uC$ uC$ uC$ uC$ uC$ uC$/signatures/api/trancert.dll$Defaults$Internet Connection Failed$Internet Explorer 4.0x or later must be installed for this operation to function correctly.$Newer Internet Explorer version required$SignAppPath$SignServer$Signature Successfully Verified$Software\Microsoft\Internet Explorer$Verification Failed$Verification successful: This transcript was signed by $Verify transcript signature...$Version$rB$sign.reallegal.com
API String ID: 2286048586-3131112528
Opcode ID: d3f4ab8c882afc22c593aa11bd93015e9442679859b2e1e44c9ef8daf6ef04fb
Instruction ID: d780b94586076183d68e8054b5892907ab0e404010299b72a43029478c52ac70
Opcode Fuzzy Hash: d3f4ab8c882afc22c593aa11bd93015e9442679859b2e1e44c9ef8daf6ef04fb
Instruction Fuzzy Hash: 1AE18372900118ABDB249F61DC85FEE7778EF14304F1041BBF909B6191DB78AA44DF68

Function 0041DB44 Relevance: 46.0, APIs: 22, Strings: 4, Instructions: 512stringmemoryclipboardCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041DB49

Part of subcall function 00409A82: __EH_prolog.LIBCMT ref: 00409A87

GlobalAlloc.KERNEL32(00000042,00000400), ref: 0041DBD3
GlobalLock.KERNEL32(00000000), ref: 0041DBE0
lstrlenA.KERNEL32(00000000), ref: 0041DBFA
lstrlenA.KERNEL32(?), ref: 0041DC78
lstrlenA.KERNEL32(?), ref: 0041DCB2
lstrlenA.KERNEL32(?), ref: 0041DCFD
lstrlenA.KERNEL32(?), ref: 0041DD37
GlobalUnlock.KERNEL32(?), ref: 0041DD62
GlobalReAlloc.KERNEL32(?,?,00000000), ref: 0041DE9E
GlobalAlloc.KERNEL32(00000042,?), ref: 0041DEA9
GlobalLock.KERNEL32(?), ref: 0041DEB5
lstrlenA.KERNEL32(?), ref: 0041DF10
lstrlenA.KERNEL32(?), ref: 0041DF85
GlobalUnlock.KERNEL32(?), ref: 0041E048
GlobalLock.KERNEL32(?), ref: 0041E087
GlobalUnlock.KERNEL32(?), ref: 0041E093
GlobalReAlloc.KERNEL32(?,00000001,00000000), ref: 0041E09D
OpenClipboard.USER32(?), ref: 0041E0A8
EmptyClipboard.USER32 ref: 0041E0B2
SetClipboardData.USER32(00000001,00000000), ref: 0041E0BB
CloseClipboard.USER32 ref: 0041E0C1

Strings

, xrefs: 0041DFD0
, xrefs: 0041DF9E
, xrefs: 0041DF29
, xrefs: 0041E015

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Global$lstrlen$AllocClipboard$LockUnlock$H_prolog$CloseDataEmptyOpen
String ID: $ $ $
API String ID: 1835066233-2376886710
Opcode ID: 232d832d711d011b7f4f77c1e36939fc2345e4f3dd64ddfa6c60efd51b34d0dd
Instruction ID: 9c5d54bb23a88c19fae39e92cb4b060821be47d956a995abf7bada3b60bb4752
Opcode Fuzzy Hash: 232d832d711d011b7f4f77c1e36939fc2345e4f3dd64ddfa6c60efd51b34d0dd
Instruction Fuzzy Hash: 1512D175D0065ADFCB14CFA8C844BEEBBB1BF19304F14416AE882E7341D7799982CBA4

Function 00433975 Relevance: 26.7, Strings: 21, Instructions: 417COMMON

Download Yara Rule

Strings

1, xrefs: 00433BBA
0, xrefs: 00433BE3
9, xrefs: 00433C06
9, xrefs: 00433A8A
C, xrefs: 00433A56
0, xrefs: 00433C14
9, xrefs: 004339E4
0, xrefs: 00433A51
1, xrefs: 00433BED
0, xrefs: 00433B16
E, xrefs: 00433A5F
c, xrefs: 00433A64
-, xrefs: 00433B73
9, xrefs: 00433BC2
+, xrefs: 00433A47
0, xrefs: 00433A9F
+, xrefs: 00433B6A
9, xrefs: 00433BF6
e, xrefs: 00433A6D
-, xrefs: 00433A4C
9, xrefs: 00433A36

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID:
String ID: +$+$-$-$0$0$0$0$0$1$1$9$9$9$9$9$9$C$E$c$e
API String ID: 0-1157002505
Opcode ID: d0758f8472a48ed155376429091c4924b3e1f4c6e552f701cab51d0ea80a1612
Instruction ID: f0b2a16d38fa3b2b65a7a0edc1cd84576c94820ad742522e86fff75013237da0
Opcode Fuzzy Hash: d0758f8472a48ed155376429091c4924b3e1f4c6e552f701cab51d0ea80a1612
Instruction Fuzzy Hash: 12E1E271E44209DEEB258F54D8153FABBB1BB48307F28602BD441A6282C77D9B82CB5D

Function 00420400 Relevance: 21.6, APIs: 7, Strings: 5, Instructions: 562stringCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00420405
lstrlenA.KERNEL32(?,Pages %d to %d,?,?), ref: 00420628
wsprintfA.USER32 ref: 00420636
lstrlenA.KERNEL32(?,Page %d,?), ref: 00420650
wsprintfA.USER32 ref: 0042065E
lstrlenA.KERNEL32(?), ref: 00420673
InflateRect.USER32(?,00000000,00000000), ref: 004208E5

Strings

Page %d, xrefs: 0042064A
(, xrefs: 00420609
), xrefs: 00420679
Pages %d to %d, xrefs: 00420622
}C, xrefs: 00420424

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: lstrlen$wsprintf$H_prologInflateRect
String ID: }C$($)$Page %d$Pages %d to %d
API String ID: 3032067897-2537692890
Opcode ID: 4029a5e5bdd8b1796f08f0337ed68f94d2ba3b91b9c406e3b03bc4fa6d670910
Instruction ID: 150d9fe5cf0456880231a3234b20e0c1b9b99202e93c5178613dab9eb28655ba
Opcode Fuzzy Hash: 4029a5e5bdd8b1796f08f0337ed68f94d2ba3b91b9c406e3b03bc4fa6d670910
Instruction Fuzzy Hash: D3324471A00229DFCF18DF94D884AEEBBF5FF58300F5540AAE805AB262D7759990CF94

Function 00433794 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 50libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(user32.dll,?,00000000,?,004301C5,?,Microsoft Visual C++ Runtime Library,00012010,?,00438764,?,004387B4,?,?,?,Runtime Error!Program: ), ref: 004337A6
GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 004337BE
GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 004337CF
GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 004337DC

Strings

GetLastActivePopup, xrefs: 004337D1
MessageBoxA, xrefs: 004337B8
user32.dll, xrefs: 004337A1
GetActiveWindow, xrefs: 004337C9

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
API String ID: 2238633743-4044615076
Opcode ID: 64e646348fbe36ad6605484b99d6e611229bf3472f0f8026a0e3ae6980e8c4d5
Instruction ID: 122f229e88054660c53af26d7f5052591d0a647276e724a8007236748e2a9a5a
Opcode Fuzzy Hash: 64e646348fbe36ad6605484b99d6e611229bf3472f0f8026a0e3ae6980e8c4d5
Instruction Fuzzy Hash: 5D0184B5608311AF9710AFF59CC0A277EE8AA4D751B14203FF501C2361DB798D029B6D

Function 00423591 Relevance: 9.2, APIs: 2, Strings: 3, Instructions: 459windowCOMMON

Download Yara Rule

APIs

AbortDoc.GDI32(?), ref: 00423A84

Part of subcall function 0042355C: StartDocA.GDI32(?,?), ref: 00423566

MessageBoxA.USER32(?,Insufficient disk space or memory to complete the print job, or the printer is not available.,00000000,00000010), ref: 00423AD1

Part of subcall function 0042343E: StartPage.GDI32(?), ref: 00423448
Part of subcall function 0042343E: SetBkColor.GDI32(?,00FFFFFF), ref: 0042345F
Part of subcall function 0042343E: SetBkColor.GDI32(?,00000000), ref: 00423468
Part of subcall function 0042343E: MoveToEx.GDI32(?,00000200,00000200,00000000), ref: 00423479
Part of subcall function 0042343E: EndPage.GDI32(?), ref: 00423485

Strings

Insufficient disk space or memory to complete the print job, or the printer is not available., xrefs: 00423ACB
Printing Progress, xrefs: 00423632
IXA, xrefs: 004235A7, 004239DA, 0042362E, 004235E1, 004235E6, 00423631, 004239DF

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: ColorPageStart$AbortMessageMove
String ID: IXA$Insufficient disk space or memory to complete the print job, or the printer is not available.$Printing Progress
API String ID: 269022264-3254887256
Opcode ID: 52be44b295bc38b9768fd93eeb844fa071d4fcfff18f220b3e8b7be1b43e5d08
Instruction ID: ea3dd72d55957b563064cae2e364e0010e3a9c22850906b5deb7f6fc51011b57
Opcode Fuzzy Hash: 52be44b295bc38b9768fd93eeb844fa071d4fcfff18f220b3e8b7be1b43e5d08
Instruction Fuzzy Hash: 0C0289B0B0022A9FCF24CE25E8417EB77F5BB44746F90442FE85686240D7BC9B91CB99

Function 0042A6BB Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetVersion.KERNEL32 ref: 0042A6E1

Part of subcall function 0042DC54: HeapCreate.KERNELBASE(00000000,00001000,00000000,0042A71A,00000000), ref: 0042DC65
Part of subcall function 0042DC54: HeapDestroy.KERNEL32 ref: 0042DCA4

GetCommandLineA.KERNEL32 ref: 0042A72F
GetStartupInfoA.KERNEL32(?), ref: 0042A75A
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 0042A77D

Part of subcall function 0042A7D6: ExitProcess.KERNEL32 ref: 0042A7F3

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Heap$CommandCreateDestroyExitHandleInfoLineModuleProcessStartupVersion
String ID:
API String ID: 2057626494-0
Opcode ID: e13db3058914ef47dd28965904fa4bf95fbe4d8e42b712fd361810e52b4e8ce8
Instruction ID: 131b8be7f7895522cbf016825cfd1d68cef6411212f25d8c920cb024130d1c1a
Opcode Fuzzy Hash: e13db3058914ef47dd28965904fa4bf95fbe4d8e42b712fd361810e52b4e8ce8
Instruction Fuzzy Hash: A82191B5A40725AFD718AFA6EC45A6E7BB8EF45704F90013EF80196251DB384440CB5A

Function 0040EC34 Relevance: 5.3, Strings: 2, Instructions: 2798COMMON

Download Yara Rule

Strings

%A, xrefs: 0040FBC2, 0040FBCD, 0040FCA3, 0040FCAE, 0040FD88, 0040FDA1, 0040FE86, 0040FE9F, 0040FF84, 0040FF9D, 00410082, 00410098, 0041016D, 00410183, 00410256, 0041026E, 00410343, 00410359, 0041043E, 00410458, 0041053D, 00410557, 0041063C, 00410656, 00410718, 0041072A, 004107E0, 004107F2, 004108A8, 004108BA
%A, xrefs: 0040EC4F, 0040FB0E, 0040FB19, 0040FBEF, 0040FBFA, 0040FCD0, 0040FCDB, 0040FDBC, 0040FDD5, 0040FEBA, 0040FED8, 0040FFB6, 0040FFD1, 004100B1, 004100C7, 0041019C, 004101B2, 00410287, 0041029D, 00410372, 0041038C, 00410471, 0041048B, 00410570, 0041058A, 0041066F, 00410689, 00410740, 00410754, 00410808, 0041081C, 004108D0, 004108E4, 00410910, 0041096D

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID:
String ID: %A$%A
API String ID: 0-771997236
Opcode ID: 4d30150291c585049d34f858fdc1f55b082d48571674e25fa1048565be8b1a2a
Instruction ID: d9d46b8fe31024697e16007a11e18458155e38551520b9e79fe0b9069e3ceacb
Opcode Fuzzy Hash: 4d30150291c585049d34f858fdc1f55b082d48571674e25fa1048565be8b1a2a
Instruction Fuzzy Hash: C5231D37F0062A5BDB44CE9ECC8458DB7E3AEC825475F8265D958F7309DAB4A906CBC0

Function 0041C9DD Relevance: 4.6, APIs: 3, Instructions: 131COMMON

Download Yara Rule

APIs

SetRect.USER32(00000000,?,?,?,?), ref: 0041CB2B
OffsetRect.USER32(00000000,?,00000000), ref: 0041CB3D
InvertRect.USER32(?,00000000), ref: 0041CB4A

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Rect$InvertOffset
String ID:
API String ID: 2623992382-0
Opcode ID: 74887ee90fc1d80d049fdc3ff6929172383bbf849936580e142921a1e5960529
Instruction ID: db4033acade29116473c5c3521cacd81856ac0a9dfd74115f613a0f02b264598
Opcode Fuzzy Hash: 74887ee90fc1d80d049fdc3ff6929172383bbf849936580e142921a1e5960529
Instruction Fuzzy Hash: 604190326401198FCB00EF69DA918EE77B5FF45304B40816AF941AB291DB38EE42CBE4

Function 0042BB27 Relevance: 4.6, APIs: 3, Instructions: 75timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(00000000), ref: 0042BB34
GetSystemTime.KERNEL32(?), ref: 0042BB3E
GetTimeZoneInformation.KERNEL32(?), ref: 0042BB93

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Time$InformationLocalSystemZone
String ID:
API String ID: 2475273158-0
Opcode ID: 4ef28894d85a66bda80c8c806d90468cda7214237df601577fc9bc939ef3f68a
Instruction ID: 9e4567db341d279894edfb089a13d3346da8b67130aea19029d49a2569f6c860
Opcode Fuzzy Hash: 4ef28894d85a66bda80c8c806d90468cda7214237df601577fc9bc939ef3f68a
Instruction Fuzzy Hash: 2521836DA0002995CF21EB95E804AFF7BB9EB0A711FD00152FD5096694E3785D82C7BD

Function 004278A6 Relevance: 4.5, APIs: 3, Instructions: 45windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(7622B530,?,?,?,00426EC9,CPnxHttp::Register: ,Mozilla/4.0,00000001,?,00000000,?,00000000,?,?,00401927,?), ref: 004278AE
FormatMessageA.KERNEL32(00001300,00000000,00000000,00000400,?,00000000,00000000,?,00426EC9,CPnxHttp::Register: ,Mozilla/4.0,00000001,?,00000000,?,00000000), ref: 004278C8
LocalFree.KERNEL32(?,00000001,0000000A,?,00000000,?,00000000,?,00426EC9,CPnxHttp::Register: ,Mozilla/4.0,00000001,?,00000000,?,00000000), ref: 0042790B

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: ErrorFormatFreeLastLocalMessage
String ID:
API String ID: 1365068426-0
Opcode ID: 7620e9e43ada411c712d2bdb30aeea8c990387936da00f48b276cb13bc234963
Instruction ID: 20f77c273b67142822ff5a2df9a85729255ec7758e889dff177201e4741a158a
Opcode Fuzzy Hash: 7620e9e43ada411c712d2bdb30aeea8c990387936da00f48b276cb13bc234963
Instruction Fuzzy Hash: 1DF022B2300224BBEB246B56EC0AEAF7A7CDFC5B54F10001EFA0166190CAB56E40D66C

Function 00431CEA Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00031CA4), ref: 00431CEF

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 7a618fbbd621babe4e52636bd9b2981cd7550640ca02ba5a72cba714587a07d1
Instruction ID: a0055cf314bd699d22cb9754580d76a5e67e708bc1c17937d6ce8e54b1934621
Opcode Fuzzy Hash: 7a618fbbd621babe4e52636bd9b2981cd7550640ca02ba5a72cba714587a07d1
Instruction Fuzzy Hash: 19A022F888A200CF8B000F30AC080803AA0AA0C302B3030B3B800C0330CB3000808A0F

Function 00431CFC Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 00431D01

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 0c5aaebbdc85b76dbea66b17ceabaa393c5522c44036e98c775b97d5ea99131b
Instruction ID: 4bae409e9d055402e5a7eed040250b5add0c7384a1e94dc6e178a5d5eb562287
Opcode Fuzzy Hash: 0c5aaebbdc85b76dbea66b17ceabaa393c5522c44036e98c775b97d5ea99131b
Instruction Fuzzy Hash:

Function 0042E502 Relevance: .3, Instructions: 259COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc60ecf50bd115ca0c6ea2745a91e2bccda0b72c85d336beea95e2ba67d1c3a9
Instruction ID: 060a6a2fc18f42bce9a06cb540b4bc12b1296e78fd29bc8969e391bdccc8cdfa
Opcode Fuzzy Hash: fc60ecf50bd115ca0c6ea2745a91e2bccda0b72c85d336beea95e2ba67d1c3a9
Instruction Fuzzy Hash: 0FB19E35A0021ADFDB15CF05D5D0AA9BBA1FF98318F64C19ED80A4B382D735EE42CB94

Function 00402C8E Relevance: 172.0, APIs: 75, Strings: 23, Instructions: 471stringCOMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,00000008), ref: 00402C9F
EndDialog.USER32(?,00000002), ref: 00402CEF
GetParent.USER32(?), ref: 00402CF6
EndDialog.USER32(?,00000002), ref: 00402D0B
GetParent.USER32(?), ref: 00402D1C
SetWindowLongA.USER32(?,00000008,?), ref: 00402D36
lstrcpyA.KERNEL32(?,Properties of ), ref: 00402D49
lstrcatA.KERNEL32(?,?), ref: 00402D63
SetWindowTextA.USER32(?,?), ref: 00402D6E
SetDlgItemTextA.USER32(?,0000040E,Deposition), ref: 00402DA6
lstrcatA.KERNEL32(?,0043C494), ref: 00402DCE
lstrlenA.KERNEL32(?,0000000A), ref: 00402DDD
lstrcatA.KERNEL32(?,0043C494), ref: 00402E02
lstrlenA.KERNEL32(?,0000000A), ref: 00402E0B
lstrcatA.KERNEL32(00000000, at ), ref: 00402E44
lstrlenA.KERNEL32(00000000,0000000A), ref: 00402E70
lstrcatA.KERNEL32(?,0043C4A0), ref: 00402E8D
lstrcatA.KERNEL32(?,0043C4AC), ref: 00402EAD
lstrlenA.KERNEL32(?,0000000A), ref: 00402EB6
lstrcatA.KERNEL32(?, AM), ref: 00402EEB
SetDlgItemTextA.USER32(?,00000412,?), ref: 00402EF8
lstrlenA.KERNEL32(?), ref: 00402F04
GetDlgItem.USER32(?,0000040F), ref: 00402F20
GetWindow.USER32(00000000), ref: 00402F23
EnableWindow.USER32(00000000), ref: 00402F2A
SetDlgItemTextA.USER32(?,0000040F,?), ref: 00402F3A
lstrlenA.KERNEL32(?), ref: 00402F46
GetDlgItem.USER32(?,0000040B), ref: 00402F59
GetWindow.USER32(00000000), ref: 00402F5C
EnableWindow.USER32(00000000), ref: 00402F63
SetDlgItemTextA.USER32(?,0000040B,?), ref: 00402F73
lstrlenA.KERNEL32(?), ref: 00402F7F
GetDlgItem.USER32(?,00000411), ref: 00402F92
GetWindow.USER32(00000000), ref: 00402F95
EnableWindow.USER32(00000000), ref: 00402F9C
SetDlgItemTextA.USER32(?,00000411,?), ref: 00402FAC
lstrlenA.KERNEL32(?), ref: 00402FB8
GetDlgItem.USER32(?,0000040C), ref: 00402FCB
GetWindow.USER32(00000000), ref: 00402FCE
EnableWindow.USER32(00000000), ref: 00402FD5
SetDlgItemTextA.USER32(?,0000040C,?), ref: 00402FE5
lstrlenA.KERNEL32(?), ref: 00402FF1
GetDlgItem.USER32(?,00000410), ref: 00403004
GetWindow.USER32(00000000), ref: 00403007
EnableWindow.USER32(00000000), ref: 0040300E
SetDlgItemTextA.USER32(?,00000410,?), ref: 0040301E
lstrcpyA.KERNEL32(?,Final transcript), ref: 0040304A
lstrcatA.KERNEL32(?, (sealed)), ref: 00403063
SetDlgItemTextA.USER32(?,0000040D,?), ref: 00403074
GetDlgItem.USER32(?,0000041A), ref: 0040308B
EnableWindow.USER32(00000000), ref: 0040308E
UuidToStringA.RPCRT4(?,?), ref: 0040309C
SetDlgItemTextA.USER32(?,0000041E,?), ref: 004030AC
RpcStringFreeA.RPCRT4(?), ref: 004030B7
lstrcpyA.KERNEL32(?,Locked out: ), ref: 004030FF
lstrcatA.KERNEL32(?,printing), ref: 00403119
lstrcatA.KERNEL32(?,0043C56C), ref: 0040314A
lstrcatA.KERNEL32(?,copying), ref: 0040315A
lstrcatA.KERNEL32(?, and ), ref: 00403184
lstrcatA.KERNEL32(?,save as), ref: 00403194
SetDlgItemTextA.USER32(?,00000415,No features are locked out), ref: 004031AC
lstrcpyA.KERNEL32(?,Compressed only. No password needed.), ref: 004031C8
lstrcpyA.KERNEL32(?,Compressed and encrypted. ), ref: 004031DD
lstrcatA.KERNEL32(?,Password not saved.), ref: 00403200
SetDlgItemTextA.USER32(?,00000416,?), ref: 00403214
lstrlenA.KERNEL32(?), ref: 00403220
GetDlgItem.USER32(?,00000413), ref: 00403233
GetWindow.USER32(00000000), ref: 00403236
EnableWindow.USER32(00000000), ref: 0040323D
SetDlgItemTextA.USER32(?,00000413,?), ref: 0040324D
lstrlenA.KERNEL32(?), ref: 00403259
GetDlgItem.USER32(?,00000414), ref: 0040326C
GetWindow.USER32(00000000), ref: 0040326F
EnableWindow.USER32(00000000), ref: 00403276

Part of subcall function 00401ECD: DialogBoxParamA.USER32(00000074,,@,Function_000037AC,?,00402CEB), ref: 00401EE4

SetDlgItemTextA.USER32(?,00000414,?), ref: 00403286

Strings

(sealed), xrefs: 0040305D
No features are locked out, xrefs: 004031A1
AM, xrefs: 00402EE1
Other, xrefs: 00402D86
Expert witness, xrefs: 00402D8D
Final signed transcript, xrefs: 00403039
Final transcript, xrefs: 00403040
at , xrefs: 00402E3E
Deposition, xrefs: 00402D9B
PM, xrefs: 00402EDA
Password not saved., xrefs: 004031F3
Compressed only. No password needed., xrefs: 004031C2
Courtroom transcript, xrefs: 00402D94
(uC, xrefs: 00402CE1, 00402CFD
Draft copy only, xrefs: 0040302E
save as, xrefs: 0040318E
Locked out: , xrefs: 004030F9
printing, xrefs: 00403113
and , xrefs: 00403139, 0040317E
Password in local keychain., xrefs: 004031EC
Properties of , xrefs: 00402D43
Compressed and encrypted. , xrefs: 004031D7
copying, xrefs: 00403154

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Item$Window$Textlstrcat$lstrlen$Enable$lstrcpy$Dialog$LongParentString$FreeParamUuid
String ID: (sealed)$ AM$ PM$ and $ at $(uC$Compressed and encrypted. $Compressed only. No password needed.$Courtroom transcript$Deposition$Draft copy only$Expert witness$Final signed transcript$Final transcript$Locked out: $No features are locked out$Other$Password in local keychain.$Password not saved.$Properties of $copying$printing$save as
API String ID: 139631933-3304502761
Opcode ID: d70486849f59e5db39cd2bd40fb5981e7ec0217644d71e155969778cb29102cb
Instruction ID: 8b7e2c0f39d1b8b3a6bd6ef97a85192763a179fe3d10ad8957463b31546e1a82
Opcode Fuzzy Hash: d70486849f59e5db39cd2bd40fb5981e7ec0217644d71e155969778cb29102cb
Instruction Fuzzy Hash: F2F1B2B1148305BBDA219F70DC89FAB7BECAB48B41F00183AF685E10D1D7B8A645DB5D

Function 004136AC Relevance: 96.7, APIs: 49, Strings: 6, Instructions: 427windowstringCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 004136C6
GetWindowLongA.USER32(?,00000008), ref: 004136D5
IsDlgButtonChecked.USER32(?,00001ABA), ref: 00413741
GetDlgItem.USER32(?,00001AB5), ref: 0041374E
EnableWindow.USER32(00000000), ref: 00413755
GetDlgItem.USER32(00000000,00000470), ref: 0041377C
SendMessageA.USER32(00000000), ref: 00413783
IsDlgButtonChecked.USER32(?,00001A8C), ref: 004137B0
GetDlgItem.USER32(?,00001AB0), ref: 004137BF
EnableWindow.USER32(00000000), ref: 004137C2
IsDlgButtonChecked.USER32(?,00001A8C), ref: 004137CA
GetDlgItem.USER32(?,00001AB7), ref: 004137D3
SendDlgItemMessageA.USER32(?,00001AAA,00000143,00000000,0043E7FC), ref: 00413809
SendDlgItemMessageA.USER32(?,00001AAA,0000014E,00000000), ref: 00413835
SendDlgItemMessageA.USER32(?,00001AB5,00000143,00000000,On left), ref: 00413887
SendDlgItemMessageA.USER32(?,00001AB5,00000143,00000000,On right), ref: 00413896
SendDlgItemMessageA.USER32(?,00001AB7,00000143,00000000,?), ref: 004138C0
SendDlgItemMessageA.USER32(?,00001AB3,00000143,00000000,?), ref: 004138F1
SendDlgItemMessageA.USER32(?,00001AB6,00000143,00000000,?), ref: 00413926
GetDlgItem.USER32(00000000,00000470), ref: 00413972
SendMessageA.USER32(00000000), ref: 00413975
GetDlgItem.USER32(?,0000047C), ref: 00413988
IsWindowVisible.USER32(00000000), ref: 0041398B
GetDlgItemTextA.USER32(?,?,?,00000104), ref: 004139B2
lstrcpyA.KERNEL32(00000000,.xml), ref: 004139E7
SetDlgItemTextA.USER32(?,0000047C,?), ref: 004139FD
GetWindowTextA.USER32(?,?,000000FF), ref: 00413A11
GetDlgItem.USER32(?,00000470), ref: 00413A24
SendMessageA.USER32(00000000), ref: 00413A27
SetWindowTextA.USER32(?,?), ref: 00413A86
GetDlgItem.USER32(?,00001AAA), ref: 00413A9E
EnableWindow.USER32(00000000), ref: 00413AA7
GetDlgItem.USER32(?,00001AEC), ref: 00413AB0
EnableWindow.USER32(00000000), ref: 00413AB3
GetWindowRect.USER32(00000000,?), ref: 00413AC6
GetWindowRect.USER32(?,?), ref: 00413ACE
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000012), ref: 00413AEA
SendDlgItemMessageA.USER32(?,00001AAA,00000147,00000000,00000000), ref: 00413B0B
IsDlgButtonChecked.USER32(?,00001A8C), ref: 00413B18
SendDlgItemMessageA.USER32(?,00001AB7,00000147,00000000,00000000), ref: 00413B2C
SendDlgItemMessageA.USER32(?,00001A88,00000147,00000000,00000000), ref: 00413B3F
IsDlgButtonChecked.USER32(?,00001AB9), ref: 00413B4C
IsDlgButtonChecked.USER32(?,00001AAF), ref: 00413B5D
IsDlgButtonChecked.USER32(?,00001ABA), ref: 00413B6E
SendDlgItemMessageA.USER32(?,00001AB5,00000147,00000000,00000000), ref: 00413B82
SendDlgItemMessageA.USER32(?,00001AB3,00000147,00000000,00000000), ref: 00413B97
SendDlgItemMessageA.USER32(?,00001AB6,00000147,00000000,00000000), ref: 00413BA7
IsDlgButtonChecked.USER32(?,00001ACF), ref: 00413BBD
IsDlgButtonChecked.USER32(?,00001ACE), ref: 00413BCA

Strings

XML, xrefs: 00413A57, 00413A62
.xml, xrefs: 004139E1
On left, xrefs: 0041387A
.txt, xrefs: 004139D3
ASCII, xrefs: 00413A46, 00413A73
On right, xrefs: 00413889

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Item$MessageSend$Window$ButtonChecked$EnableText$Rect$LongParentVisiblelstrcpy
String ID: .txt$.xml$ASCII$On left$On right$XML
API String ID: 844279928-1151373293
Opcode ID: 2659b0a74333dc56bb6ffe02777bdaded2538b60f0fa90323d9be9ab5b631417
Instruction ID: 931925bea3ce4ad55ea7a9aa2122c0c1aa72fc46cdb7296278621326c2d49eec
Opcode Fuzzy Hash: 2659b0a74333dc56bb6ffe02777bdaded2538b60f0fa90323d9be9ab5b631417
Instruction Fuzzy Hash: 3FD1F7B1609308BFE610EF65DC49DAB7BECEF46749F00042AF980D21D1D7789A45CB6A

Function 00413BE0 Relevance: 87.7, APIs: 49, Strings: 1, Instructions: 230windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageA.USER32(?,00001AAA,00000147,00000000,00000000), ref: 00413BF7
CheckDlgButton.USER32(?,00001A8C,00446CE8), ref: 00413C3A
GetDlgItem.USER32(?,00001A8C), ref: 00413C49
EnableWindow.USER32(00000000), ref: 00413C52
IsDlgButtonChecked.USER32(?,00001A8C), ref: 00413C5A
GetDlgItem.USER32(?,00001AB0), ref: 00413C79
EnableWindow.USER32(00000000), ref: 00413C7C
IsDlgButtonChecked.USER32(?,00001A8C), ref: 00413C84
GetDlgItem.USER32(?,00001AB7), ref: 00413CA3
EnableWindow.USER32(00000000), ref: 00413CA6
GetDlgItem.USER32(?,00001AAE), ref: 00413CB2
EnableWindow.USER32(00000000), ref: 00413CB5
GetDlgItem.USER32(?,00001AED), ref: 00413CC1
EnableWindow.USER32(00000000), ref: 00413CC4
SendDlgItemMessageA.USER32(?,00001AB7,0000014E,?,00000000), ref: 00413CDA
SendDlgItemMessageA.USER32(?,00001A88,0000014E,?,00000000), ref: 00413CF0
GetDlgItem.USER32(?,00001A88), ref: 00413D00
EnableWindow.USER32(00000000), ref: 00413D03
CheckDlgButton.USER32(?,00001AB9,?), ref: 00413D0E
CheckDlgButton.USER32(?,00001AAF,?), ref: 00413D1D
CheckDlgButton.USER32(?,00001ABA,?), ref: 00413D2C
GetDlgItem.USER32(?,00001AB1), ref: 00413D3C
EnableWindow.USER32(00000000), ref: 00413D3F
GetDlgItem.USER32(?,00001AEE), ref: 00413D4B
EnableWindow.USER32(00000000), ref: 00413D4E
GetDlgItem.USER32(?,00001AEF), ref: 00413D5A
EnableWindow.USER32(00000000), ref: 00413D5D
GetDlgItem.USER32(?,00001ABA), ref: 00413D69
EnableWindow.USER32(00000000), ref: 00413D6C
GetDlgItem.USER32(?,00001AB9), ref: 00413D78
EnableWindow.USER32(00000000), ref: 00413D7B
GetDlgItem.USER32(?,00001AAF), ref: 00413D87
EnableWindow.USER32(00000000), ref: 00413D8A
IsDlgButtonChecked.USER32(?,00001ABA), ref: 00413D92
GetDlgItem.USER32(?,00001AB5), ref: 00413DB1
EnableWindow.USER32(00000000), ref: 00413DB4
SendDlgItemMessageA.USER32(?,00001AB5,0000014E,00000000,00000000), ref: 00413DCC
SendDlgItemMessageA.USER32(?,00001AB3,0000014E,?,00000000), ref: 00413DE2
SendDlgItemMessageA.USER32(?,00001AB6,0000014E,?,00000000), ref: 00413DFC
GetDlgItem.USER32(?,00001AB3), ref: 00413E0C
EnableWindow.USER32(00000000), ref: 00413E0F
GetDlgItem.USER32(?,00001AB6), ref: 00413E1B
EnableWindow.USER32(00000000), ref: 00413E1E
CheckDlgButton.USER32(?,00001ACF,?), ref: 00413E29
GetDlgItem.USER32(?,00001ACF), ref: 00413E39
EnableWindow.USER32(00000000), ref: 00413E3C
CheckDlgButton.USER32(?,00001ACE,?), ref: 00413E48
GetDlgItem.USER32(?,00001ACE), ref: 00413E54
EnableWindow.USER32(00000000), ref: 00413E57

Strings

lD, xrefs: 00413C1F

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Item$EnableWindow$Button$CheckMessageSend$Checked
String ID: lD
API String ID: 2518239980-1556624830
Opcode ID: 9d50df5108195a62a0a2077ea9272697aa7e6536d26ef07a3d46963df11b1e4f
Instruction ID: 5c5be1a0b0880e3ec663877240cfab64cb792540ed80ac42dad9f312dd60d2df
Opcode Fuzzy Hash: 9d50df5108195a62a0a2077ea9272697aa7e6536d26ef07a3d46963df11b1e4f
Instruction Fuzzy Hash: 2A5172B1745309BAEA20AFB19D4DE9F3E9DEF85B51F001C15BE46A60D1CA78C400DB76

Function 004191C5 Relevance: 84.2, APIs: 56, Instructions: 206windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageA.USER32(?,00001A4E,00000147,00000000,00000000), ref: 004191EE
CheckDlgButton.USER32(?,00001A5A,00000000), ref: 0041921E
GetDlgItem.USER32(?,00001A5A), ref: 0041922B
EnableWindow.USER32(00000000), ref: 0041922E
GetDlgItem.USER32(?,00001A82), ref: 00419242
EnableWindow.USER32(00000000), ref: 00419245
GetDlgItem.USER32(?,00001A85), ref: 0041924E
EnableWindow.USER32(00000000), ref: 00419251
GetDlgItem.USER32(?,00001A83), ref: 0041925A
EnableWindow.USER32(00000000), ref: 0041925D
GetDlgItem.USER32(?,00001A86), ref: 00419266
EnableWindow.USER32(00000000), ref: 00419269
GetDlgItem.USER32(?,00001A84), ref: 00419272
EnableWindow.USER32(00000000), ref: 00419275
IsDlgButtonChecked.USER32(?,00001AA0), ref: 0041927D
GetDlgItem.USER32(?,00001AA8), ref: 0041928C
EnableWindow.USER32(00000000), ref: 0041928F
GetDlgItem.USER32(?,00001AA9), ref: 00419298
EnableWindow.USER32(00000000), ref: 0041929B
GetDlgItem.USER32(?,00001A9D), ref: 004192A4
EnableWindow.USER32(00000000), ref: 004192A7
GetDlgItem.USER32(?,00001A5D), ref: 004192C4
EnableWindow.USER32(00000000), ref: 004192CD
GetDlgItem.USER32(?,00001A5A), ref: 004192D6
EnableWindow.USER32(00000000), ref: 004192D9
GetDlgItem.USER32(?,00001A82), ref: 004192E2
EnableWindow.USER32(00000000), ref: 004192E5
GetDlgItem.USER32(?,00001A85), ref: 004192EE
EnableWindow.USER32(00000000), ref: 004192F1
GetDlgItem.USER32(?,00001A83), ref: 004192FA
EnableWindow.USER32(00000000), ref: 004192FD
GetDlgItem.USER32(?,00001A86), ref: 00419306
EnableWindow.USER32(00000000), ref: 00419309
GetDlgItem.USER32(?,00001A84), ref: 00419312
EnableWindow.USER32(00000000), ref: 00419315
GetDlgItem.USER32(?,00001A9C), ref: 0041931E
EnableWindow.USER32(00000000), ref: 00419321
GetDlgItem.USER32(?,00001A9D), ref: 0041932A
EnableWindow.USER32(00000000), ref: 0041932D
GetDlgItem.USER32(?,00001A9E), ref: 00419336
EnableWindow.USER32(00000000), ref: 00419339
GetDlgItem.USER32(?,00001AA0), ref: 00419342
EnableWindow.USER32(00000000), ref: 00419345
GetDlgItem.USER32(?,00001A9F), ref: 0041934E
EnableWindow.USER32(00000000), ref: 00419351
GetDlgItem.USER32(?,00001AA8), ref: 0041935A
EnableWindow.USER32(00000000), ref: 0041935D
GetDlgItem.USER32(?,00001AA9), ref: 00419366
EnableWindow.USER32(00000000), ref: 00419369
IsDlgButtonChecked.USER32(?,00001AA2), ref: 00419371
GetDlgItem.USER32(?,00001A98), ref: 00419380
EnableWindow.USER32(00000000), ref: 00419383
GetDlgItem.USER32(?,00001A99), ref: 0041938C
EnableWindow.USER32(00000000), ref: 0041938F
GetDlgItem.USER32(?,00001A94), ref: 00419398
EnableWindow.USER32(00000000), ref: 0041939B

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Item$EnableWindow$Button$Checked$CheckMessageSend
String ID:
API String ID: 199739482-0
Opcode ID: 6a4071a59f59b0b12b4a2e91610088505c64ed9c6ad61da6ed027ecee70f8ced
Instruction ID: d161bd5de37eb5cd76efaa5d7cd849550d549306266b8dcc70f93eb32d4af069
Opcode Fuzzy Hash: 6a4071a59f59b0b12b4a2e91610088505c64ed9c6ad61da6ed027ecee70f8ced
Instruction Fuzzy Hash: FC419AF0F4535D7AE520B7B39C4DC9B3D5CDF86BA5B022912B60AA61C28D79E440C9B2

Function 00405493 Relevance: 78.3, APIs: 52, Instructions: 295windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 0040549F
GetSubMenu.USER32(00000000,00000000), ref: 004054B5

Part of subcall function 0040540C: GetMenuItemCount.USER32(?), ref: 00405424
Part of subcall function 0040540C: GetMenuItemInfoA.USER32(?,00000000,00000001,?), ref: 00405450
Part of subcall function 0040540C: EnableMenuItem.USER32(?,00000000,00000000), ref: 0040547E
Part of subcall function 0040540C: GetMenuItemCount.USER32(?), ref: 00405486

EnableMenuItem.USER32(00000000,00000FC9,00000000), ref: 004054D7
EnableMenuItem.USER32(00000000,00000FA3,00000000), ref: 004054E0
CheckMenuItem.USER32(00000000,00000FA7,00000000), ref: 004054F4
CheckMenuItem.USER32(00000000,00000FC0,00000000), ref: 004054FD
CheckMenuItem.USER32(00000000,00000FAD,00000000), ref: 00405506
EnableMenuItem.USER32(00000000,00000FBF,00000001), ref: 0040551F
CheckMenuItem.USER32(00000000,00000FA8,00000000), ref: 00405529
EnableMenuItem.USER32(00000000,00000FA5,00000001), ref: 0040554A
EnableMenuItem.USER32(00000000,00000FB1,00000001), ref: 0040556B
IsWindowVisible.USER32(?), ref: 0040558A
CheckMenuItem.USER32(00000000,00000FAD,00000008), ref: 004055B9
EnableMenuItem.USER32(00000000,00000FBB,00000000), ref: 004055C3
EnableMenuItem.USER32(00000000,00000FBA,00000001), ref: 004055CF
EnableMenuItem.USER32(00000000,00000FC3,00000001), ref: 004055D8
EnableMenuItem.USER32(00000000,00000FA7,00000001), ref: 004055E1
EnableMenuItem.USER32(00000000,00000FC0,00000001), ref: 004055EA
CheckMenuItem.USER32(00000000,00000FC0,00000008), ref: 0040560C
EnableMenuItem.USER32(00000000,00000FC3,00000000), ref: 00405616
EnableMenuItem.USER32(00000000,00000FBA,00000001), ref: 00405622
EnableMenuItem.USER32(00000000,00000FBB,00000001), ref: 0040562B
EnableMenuItem.USER32(00000000,00000FAD,00000001), ref: 00405634
CheckMenuItem.USER32(00000000,00000FA7,00000008), ref: 00405646
EnableMenuItem.USER32(00000000,00000FBA,00000000), ref: 00405650
EnableMenuItem.USER32(00000000,00000FC3,00000001), ref: 0040565C
EnableMenuItem.USER32(00000000,00000FBB,00000001), ref: 00405665
EnableMenuItem.USER32(00000000,00000FAD,00000001), ref: 0040566E
EnableMenuItem.USER32(00000000,00000FC2,00000001), ref: 00405677
EnableMenuItem.USER32(00000000,00000FAE,00000001), ref: 00405681
EnableMenuItem.USER32(00000000,00000FA8,00000001), ref: 0040568D
EnableMenuItem.USER32(00000000,00000FC6,00000001), ref: 00405696
EnableMenuItem.USER32(00000000,00000FB1,00000001), ref: 0040569F
EnableMenuItem.USER32(00000000,00000FA4,00000001), ref: 004056A8
EnableMenuItem.USER32(00000000,00000FA5,00000001), ref: 004056B1
EnableMenuItem.USER32(00000000,00000FAF,00000001), ref: 004056BA
EnableMenuItem.USER32(00000000,00000FB2,00000001), ref: 004056C3
CheckMenuItem.USER32(00000000,00000FA9,00000000), ref: 004056EA
EnableMenuItem.USER32(00000000,00000FBA,00000000), ref: 004056F5
EnableMenuItem.USER32(00000000,00000FC3,00000000), ref: 004056FE
EnableMenuItem.USER32(00000000,00000FBB,00000000), ref: 00405707
EnableMenuItem.USER32(00000000,00000FAD,00000000), ref: 00405710
EnableMenuItem.USER32(00000000,00000FA7,00000000), ref: 00405719
EnableMenuItem.USER32(00000000,00000FC0,00000000), ref: 00405722
EnableMenuItem.USER32(00000000,00000FC6,00000000), ref: 00405733
EnableMenuItem.USER32(00000000,00000FC6,00000001), ref: 00405740
EnableMenuItem.USER32(00000000,00000FD2,00000001), ref: 0040574A
EnableMenuItem.USER32(00000000,00000FA4,00000000), ref: 00405753
EnableMenuItem.USER32(00000000,00000FAF,00000000), ref: 0040575C
EnableMenuItem.USER32(00000000,00000FB2,00000000), ref: 00405765
EnableMenuItem.USER32(00000000,00000FAB,00000000), ref: 0040576E
EnableMenuItem.USER32(00000000,00000FB3,00000000), ref: 00405782

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Menu$Item$Enable$Check$Count$InfoVisibleWindow
String ID:
API String ID: 3442356617-0
Opcode ID: 70dd4b841acff169e03c04094d6e356d4e92d95cba25740eedd6ababfc7cef3d
Instruction ID: b0f3fd078a628ab9d7628502ee20a543090f25d858496b899951d15df7caa482
Opcode Fuzzy Hash: 70dd4b841acff169e03c04094d6e356d4e92d95cba25740eedd6ababfc7cef3d
Instruction Fuzzy Hash: 9B711E6078971E7AF53156228CCAF7F2D2CDB43F98F01003AB6496D5C18AE95842BDB6

Function 0041BD31 Relevance: 68.5, APIs: 38, Strings: 1, Instructions: 288windowstringCOMMON

Download Yara Rule

APIs

SendDlgItemMessageA.USER32(?,00001AC6,000000B0,00000000,00000000), ref: 0041BDB0
GetDlgItemTextA.USER32(?,00001AC6,?,00000020), ref: 0041BDBD
lstrlenA.KERNEL32(?), ref: 0041BDC7
CharUpperA.USER32(?), ref: 0041BDDA
SetDlgItemTextA.USER32(?,00001AC6,?), ref: 0041BDE6
SendDlgItemMessageA.USER32(?,00001AC9,000000B0,00000000,00000000), ref: 0041BE15
GetDlgItemTextA.USER32(?,00001AC9,?,00000020), ref: 0041BE22
lstrlenA.KERNEL32(?), ref: 0041BE2C
CharUpperA.USER32(?), ref: 0041BE3F
SetDlgItemTextA.USER32(?,00001AC9,?), ref: 0041BE4B
SendDlgItemMessageA.USER32(?,00001AC8,000000B0,00000000,00000000), ref: 0041BE7A
GetDlgItemTextA.USER32(?,00001AC8,?,00000020), ref: 0041BE87
lstrlenA.KERNEL32(?), ref: 0041BE91
CharUpperA.USER32(?), ref: 0041BEA0
SetDlgItemTextA.USER32(?,00001AC8,?), ref: 0041BEAC
SendDlgItemMessageA.USER32(?,00001AC9,000000B1,00000000,000000FF), ref: 0041BEC9
GetDlgItem.USER32(?,00001AC9), ref: 0041BECD
SetFocus.USER32(00000000), ref: 0041BED4
SendDlgItemMessageA.USER32(?,00001AC8,000000B1,00000003,00000003), ref: 0041BEE9
EndDialog.USER32(?,00000001), ref: 0041BF0D
GetDlgItemTextA.USER32(?,00001AC8,?,00000020), ref: 0041BF2C
lstrcatA.KERNEL32(?,0043F7DC), ref: 0041BF3D
lstrlenA.KERNEL32(?), ref: 0041BF49
lstrlenA.KERNEL32(?,00000020), ref: 0041BF55
GetDlgItemTextA.USER32(?,00001AC9,?), ref: 0041BF64
lstrcatA.KERNEL32(?,0043F7DC), ref: 0041BF6F
lstrlenA.KERNEL32(?), ref: 0041BF75
lstrlenA.KERNEL32(?,00000020), ref: 0041BF81
GetDlgItemTextA.USER32(?,00001ACA,?), ref: 0041BF91
GetWindowLongA.USER32(?,00000008), ref: 0041BF9A
MessageBoxA.USER32(?,This unlock code will not work with this transcript.,00000000,00000000), ref: 0041BFD6
SendDlgItemMessageA.USER32(?,00001AC8,000000C5,00000003,00000000), ref: 0041C011
SendDlgItemMessageA.USER32(?,00001AC9,000000C5,00000006,00000000), ref: 0041C020
SendDlgItemMessageA.USER32(?,00001ACA,000000C5,00000004,00000000), ref: 0041C030
SetDlgItemTextA.USER32(?,00001ACD,?), ref: 0041C03E
SetWindowLongA.USER32(?,00000008,?), ref: 0041C048
GetDlgItem.USER32(?,00001AC8), ref: 0041C050
SetFocus.USER32(00000000), ref: 0041C057

Strings

This unlock code will not work with this transcript., xrefs: 0041BFD0

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Item$Text$Message$Send$lstrlen$CharUpper$FocusLongWindowlstrcat$Dialog
String ID: This unlock code will not work with this transcript.
API String ID: 4244035017-3487098618
Opcode ID: c71c76a250e866b9f3f98c7cca8f7451ab87ccd154b56e7cc27cd3eaa6aeed6a
Instruction ID: 5c1f33ad567d80f93d87b2db7a0c59ba62d55a57a66f05e12a278adc547a1406
Opcode Fuzzy Hash: c71c76a250e866b9f3f98c7cca8f7451ab87ccd154b56e7cc27cd3eaa6aeed6a
Instruction Fuzzy Hash: 86915FB154421DBBDB20AFA0DC89FEF3BACFB04750F145426FA05E6191D7B89941CBA8

Function 00402686 Relevance: 66.8, APIs: 35, Strings: 3, Instructions: 332windowstringCOMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,00000008), ref: 00402698
GetDlgItemTextA.USER32(?,00000418,00000000,00000104), ref: 00402729
lstrcpyA.KERNEL32(00000000,c:\commwrds.txt), ref: 00402748
lstrcpyA.KERNEL32(00000000,00000000), ref: 00402750
GetOpenFileNameA.COMDLG32(?), ref: 004027B8
CharLowerA.USER32(00000000,?), ref: 004027C2
SetDlgItemTextA.USER32(?,00000418,00000000), ref: 004027D1
EndDialog.USER32(?,00000002), ref: 004027F5
GetDlgItemInt.USER32(?,000003FB,?,00000000), ref: 0040280D
IsDlgButtonChecked.USER32(?,000003F8), ref: 00402834
IsDlgButtonChecked.USER32(00000000,00000416), ref: 00402847
GetDlgItemTextA.USER32(00000000,00000418,?,00000104), ref: 0040285D
MessageBoxA.USER32(00000000,The common word file you have entered does not exist or cannot be accessed.,00000000,00000030), ref: 00402887
IsDlgButtonChecked.USER32(00000000,000003F7), ref: 004028AB
IsDlgButtonChecked.USER32(00000000,000003F8), ref: 004028BF
IsDlgButtonChecked.USER32(00000000,00000417), ref: 004028CF
GetDlgItemTextA.USER32(00000000,00000418,?,00000104), ref: 004028EE
LoadCursorA.USER32(00000000,00007F02), ref: 004028FB
SetCursor.USER32(00000000), ref: 00402902
LoadCursorA.USER32(00000000,00007F00), ref: 0040295D
SetCursor.USER32(00000000), ref: 00402964
IsDlgButtonChecked.USER32(00000000,000003EB), ref: 00402972
GetClientRect.USER32(?,?), ref: 0040298A
MessageBeep.USER32(00000000), ref: 004029CC
GetDlgItem.USER32(?,000003FB), ref: 004029D4
SetFocus.USER32(00000000), ref: 004029DB
GetParent.USER32(?), ref: 004029E7
SetWindowLongA.USER32(?,00000008,?), ref: 004029FD
CheckDlgButton.USER32(?,000003F7,00000000), ref: 00402A27
SetDlgItemInt.USER32(?,000003FB,00000064,00000000), ref: 00402A3E
CheckDlgButton.USER32(?,000003F8,?), ref: 00402A57
CheckDlgButton.USER32(?,00000416,00000001), ref: 00402A72
SetDlgItemTextA.USER32(?,00000418,00000000), ref: 00402A7D
CheckDlgButton.USER32(?,00000417,00000001), ref: 00402A8F

Part of subcall function 00429FC1: GetFileAttributesA.KERNELBASE(?,00404538,?,00000004,?,?,?,?,0040403F), ref: 00429FC5
Part of subcall function 00429FC1: GetLastError.KERNEL32(?,?,?,?,0040403F), ref: 00429FD0

CheckRadioButton.USER32(?,000003EB,000003EC,?), ref: 00402AB5

Strings

The common word file you have entered does not exist or cannot be accessed., xrefs: 0040287F
L, xrefs: 00402784
c:\commwrds.txt, xrefs: 00402742

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Button$Item$Checked$CheckText$Cursor$FileLoadLongMessageWindowlstrcpy$AttributesBeepCharClientDialogErrorFocusLastLowerNameOpenParentRadioRect
String ID: L$The common word file you have entered does not exist or cannot be accessed.$c:\commwrds.txt
API String ID: 415849218-450716407
Opcode ID: daea60ae2705087c673bff1a8d8ccf97dfe6a58bc209333f2d11efafd16767ea
Instruction ID: 6243c0221269db8f1f464d9dc555854f1d1665a8b01080a7124acd7f0003860a
Opcode Fuzzy Hash: daea60ae2705087c673bff1a8d8ccf97dfe6a58bc209333f2d11efafd16767ea
Instruction Fuzzy Hash: 69B1E771644209BBEB259F60DD89FEE7B68EF04705F10403AFA45A61D1CBB89D40DBAC

Function 0041A402 Relevance: 66.5, APIs: 44, Instructions: 454windowCOMMON

Download Yara Rule

APIs

GetDlgItemTextA.USER32(0043F624,00001A6F,?,00000021), ref: 0041A563
GetDlgItemInt.USER32(0043F624,00001A6E,0043F628,00000000), ref: 0041A575
IsDlgButtonChecked.USER32(0043F624,00001A70), ref: 0041A599
IsDlgButtonChecked.USER32(0043F624,00001ADF), ref: 0041A5AD
IsDlgButtonChecked.USER32(0043F624,00001AE0), ref: 0041A5C1
SendDlgItemMessageA.USER32(0043F624,00001A5C,00000147,00000000,00000000), ref: 0041A5DE
IsDlgButtonChecked.USER32(0043F624,00001A72), ref: 0041A5F7
IsDlgButtonChecked.USER32(0043F624,00001A94), ref: 0041A60B
IsDlgButtonChecked.USER32(0043F624,00001AD9), ref: 0041A61F
IsDlgButtonChecked.USER32(0043F624,00001AD4), ref: 0041A633

Part of subcall function 00418478: GetDlgItem.USER32(?,00000004), ref: 00425C25
Part of subcall function 00418478: EnableWindow.USER32(00000000), ref: 00425C2C

Part of subcall function 0041A35B: SendDlgItemMessageA.USER32(?,00001A4D,0000014E,00000000,00000000), ref: 0041A3EE

GetDlgItemInt.USER32(0043F624,00001A6E,0043F628,00000000), ref: 0041A656
LoadStringA.USER32(00001A74,?,00000100,000002A1), ref: 0041A68E
MessageBoxA.USER32(00003531,?,00000000,00000000), ref: 0041A6A8
GetDlgItem.USER32(0043F624,00001A6E), ref: 0041A6B2
SetFocus.USER32(00000000), ref: 0041A6B9
SetWindowLongA.USER32(0043F624,00000000,00000001), ref: 0041A6C5
IsDlgButtonChecked.USER32(0043F624,00001AD9), ref: 0041A77B
GetDlgItem.USER32(0043F624,00001AD4), ref: 0041A786
EnableWindow.USER32(00000000), ref: 0041A78D
IsDlgButtonChecked.USER32(0043F624,00001AD9), ref: 0041A797
GetDlgItem.USER32(0043F624,00001AD5), ref: 0041A7A2
EnableWindow.USER32(00000000), ref: 0041A7A9
SetWindowLongA.USER32(0043F624,00000008), ref: 0041A7C4
CheckDlgButton.USER32(0043F624,00001AD9,?), ref: 0041A83B
GetDlgItem.USER32(0043F624,00001AD9), ref: 0041A858
EnableWindow.USER32(00000000), ref: 0041A85F
SendMessageA.USER32(0043F624,00000111,00001AD9,00000000), ref: 0041A872
CheckRadioButton.USER32(0043F624,00001AD4,00001AD5,00000000), ref: 0041A898
CheckDlgButton.USER32(0043F624,00001A94,?), ref: 0041A8B0
CheckDlgButton.USER32(0043F624,00001A72,?), ref: 0041A8C8
SendMessageA.USER32(0043F624,00000111,00001AD4,00000000), ref: 0041A8DB
SendDlgItemMessageA.USER32(0043F624,00001A5C,0000014E,?,00000000), ref: 0041A8F8
SendDlgItemMessageA.USER32(0043F624,00001A2C,00000143,00000000,0043F624), ref: 0041A970
SetDlgItemInt.USER32(0043F624,00001A2C,?,00000001), ref: 0041A994
CheckDlgButton.USER32(0043F624,00001ADF,?), ref: 0041A9B2
CheckDlgButton.USER32(0043F624,00001AE0,?), ref: 0041A9C6
GetParent.USER32(0043F624), ref: 0041A9D2
GetDlgItem.USER32(0043F624,00001A6F), ref: 0041AA01
EnumFontFamiliesA.GDI32(00000004,00000000,0041AAD4,00000000), ref: 0041AA12
DeleteDC.GDI32(00000004), ref: 0041AA21
SetDlgItemTextA.USER32(0043F624,00001A6F,?), ref: 0041AA42
CheckDlgButton.USER32(0043F624,00001A70,?), ref: 0041AA5A

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Button$Item$Checked$CheckMessage$SendWindow$Enable$LongText$DeleteEnumFamiliesFocusFontLoadParentRadioString
String ID:
API String ID: 1080528936-0
Opcode ID: 9d1a83699b5303c37cd4f2e4d7fd4bc2ef95ed4a5167a562158c58f5c592edab
Instruction ID: 608f66b9288e58e5495c80fdfd4f670594e21ead6fdbe4b4d7b903d11b3a192a
Opcode Fuzzy Hash: 9d1a83699b5303c37cd4f2e4d7fd4bc2ef95ed4a5167a562158c58f5c592edab
Instruction Fuzzy Hash: 03F1B4B0305304BFEB209F61DD49FEB3BA9EF45700F04542AFA469A2D1C7789991CB5A

Function 004185BE Relevance: 65.1, APIs: 35, Strings: 2, Instructions: 337windowstringCOMMON

Download Yara Rule

APIs

SendDlgItemMessageA.USER32(?,00001A53,00000147,00000000,00000000), ref: 0041864E
GetDlgItemInt.USER32(?,00001AA7,?,00000000), ref: 00418673
GetDlgItemTextA.USER32(?,00001AA6,?,00000021), ref: 004186A0
IsDlgButtonChecked.USER32(?,00001AA4), ref: 004186AE
GetDlgItemInt.USER32(?,00001AA0,?,00000000), ref: 004186FE
GetDlgItemInt.USER32(?,00001AA7,?,00000000), ref: 0041871C
MessageBoxA.USER32(?,Please enter a valid starting page number for the word index.,00000000,00000000), ref: 0041874F
GetDlgItem.USER32(?,00001AA0), ref: 00418759
SetFocus.USER32(00000000), ref: 00418760
SetWindowLongA.USER32(?,00000000,00000001), ref: 0041876C
GetDlgItem.USER32(?,00001AA0), ref: 00418810
EnableWindow.USER32(00000000), ref: 00418817
SetWindowLongA.USER32(?,00000008), ref: 00418825
lstrlenA.KERNEL32(?,0000000A), ref: 00418849
lstrcatA.KERNEL32(?,0043F464), ref: 00418864
lstrlenA.KERNEL32(?), ref: 0041886E
LoadStringA.USER32(-00001A5F,?,00000020), ref: 00418890
SendDlgItemMessageA.USER32(?,00001A53,00000143,00000000,?), ref: 004188A8
SendDlgItemMessageA.USER32(?,00001A53,0000014E,?,00000000), ref: 004188D3
GetParent.USER32(?), ref: 004188E3
GetDC.USER32(?), ref: 00418905
GetDlgItem.USER32(?,00001AA6), ref: 00418917
EnumFontFamiliesA.GDI32(0000000C,00000000,0041AAD4,00000000), ref: 00418927
SetDlgItemTextA.USER32(?,00001AA6,?), ref: 0041893D
DeleteDC.GDI32(0000000C), ref: 0041894B
ReleaseDC.USER32(?,0000000C), ref: 00418956
SendDlgItemMessageA.USER32(?,00001AA7,00000143,00000000,0043F4DC), ref: 00418977
SetDlgItemInt.USER32(?,00001AA7,?,00000001), ref: 004189B7
CheckRadioButton.USER32(?,00001AA4,00001AA5,00001AA4), ref: 004189D7
SetDlgItemInt.USER32(?,00001AA0,00000001,00000000), ref: 004189E9
GetDlgItem.USER32(?,00001AA0), ref: 004189F4
EnableWindow.USER32(00000000), ref: 004189FB
CheckRadioButton.USER32(?,00001AA4,00001AA5,00001AA5), ref: 00418A12
SetDlgItemInt.USER32(?,00001AA0,000000FF,00000000), ref: 00418A2D

Strings

Please enter a valid font-size for the word index., xrefs: 00418744
Please enter a valid starting page number for the word index., xrefs: 0041878E

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Item$Message$SendWindow$Button$CheckEnableLongRadioTextlstrlen$CheckedDeleteEnumFamiliesFocusFontLoadParentReleaseStringlstrcat
String ID: Please enter a valid font-size for the word index.$Please enter a valid starting page number for the word index.
API String ID: 2491663591-761849350
Opcode ID: 4e22128d0bbde42c83c8d21dbccc64bb8bace4178c42d5121b2756857872819d
Instruction ID: 2b07d98027ca414efd2d6d22ac5640c4fd5ebf1faf39d4f87a198b5166c8f751
Opcode Fuzzy Hash: 4e22128d0bbde42c83c8d21dbccc64bb8bace4178c42d5121b2756857872819d
Instruction Fuzzy Hash: BBC1BFB1600209FFEB249F54DC48EEA3B69FF04394F14813AFD558A1A0CB798D91DB5A

Function 00411737 Relevance: 65.0, APIs: 33, Strings: 4, Instructions: 282stringCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 00411782
lstrlenA.KERNEL32(00000025), ref: 0041179B
lstrlenA.KERNEL32(0000002E,0043E368,?), ref: 004117AA
wsprintfA.USER32 ref: 004117B1
lstrcatA.KERNEL32(00000025,ld), ref: 004117C3
wsprintfA.USER32 ref: 004117F5
lstrlenA.KERNEL32(?), ref: 00411805
_hwrite.KERNEL32(?,?,00000000), ref: 00411812
_hwrite.KERNEL32(?,0043E364,00000002), ref: 00411824
_hwrite.KERNEL32(?,0043E364,00000002), ref: 00411830
_hwrite.KERNEL32(?,0043E364,00000002), ref: 0041183C
lstrlenA.KERNEL32(00000000), ref: 0041184B
lstrlenA.KERNEL32(00000000), ref: 00411871
lstrlenA.KERNEL32(00000000), ref: 0041188E
_hwrite.KERNEL32(?, ,00000020), ref: 004118A8
lstrlenA.KERNEL32(00000000), ref: 004118AD
_hwrite.KERNEL32(?,00000000,00000000), ref: 004118B6
_hwrite.KERNEL32(?,0043E364,00000002), ref: 004118C2
_hwrite.KERNEL32(?,0043E364,00000002), ref: 004118D4
lstrlenA.KERNEL32(?), ref: 00411923
_hwrite.KERNEL32(?,0043E364,00000002), ref: 0041193D
lstrlenA.KERNEL32(?), ref: 0041195B
lstrlenA.KERNEL32(?), ref: 00411978
_hwrite.KERNEL32(?, ,00000020), ref: 00411992
lstrlenA.KERNEL32(?), ref: 00411997
_hwrite.KERNEL32(?,?,00000000), ref: 004119A0
_hwrite.KERNEL32(?,0043E364,00000002), ref: 004119AC
_hwrite.KERNEL32(?,0043E364,00000002), ref: 004119BE
wsprintfA.USER32 ref: 004119E6
lstrlenA.KERNEL32(?), ref: 004119F6
_hwrite.KERNEL32(?,?,00000000), ref: 00411A03
_hwrite.KERNEL32(?,0043E364,00000002), ref: 00411A15
_hwrite.KERNEL32(?,0043E398,00000003), ref: 00411A27

Strings

, xrefs: 004118A0, 0041198A
hC, xrefs: 0041176C
., xrefs: 004117A0
ld, xrefs: 004117BD

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: _hwrite$lstrlen$wsprintf$lstrcat
String ID: $.$hC$ld
API String ID: 582996436-585884313
Opcode ID: 403eefb4ccd8de8a00557337420d3532a48febf51d8b325e07f35d9ed32249af
Instruction ID: d02100119290ebf565840d2e8c6751da56235e71669aa8a91989d4c1c86be7d4
Opcode Fuzzy Hash: 403eefb4ccd8de8a00557337420d3532a48febf51d8b325e07f35d9ed32249af
Instruction Fuzzy Hash: 16A15C71600209BBDF15DF64CD49FEE7BA9BF08344F044126FA08A61A0D779DE94CB99

Function 00417C56 Relevance: 63.4, APIs: 33, Strings: 3, Instructions: 421COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00417C5B
GetDeviceCaps.GDI32(?,00000058), ref: 00417DDA
GetDeviceCaps.GDI32(?,0000005A), ref: 00417DF0
GetDeviceCaps.GDI32(?,00000058), ref: 00417E0E
GetDeviceCaps.GDI32(?,00000058), ref: 00417E21
GetDeviceCaps.GDI32(?,0000005A), ref: 00417E34
GetDeviceCaps.GDI32(?,0000005A), ref: 00417E47
__ftol.LIBCMT ref: 00417E62
__ftol.LIBCMT ref: 00417E70
__ftol.LIBCMT ref: 00417E7D
__ftol.LIBCMT ref: 00417E8A
__ftol.LIBCMT ref: 00417EA2
__ftol.LIBCMT ref: 00417EB0
__ftol.LIBCMT ref: 00417EBD
__ftol.LIBCMT ref: 00417ECA
SetMapMode.GDI32(?,00000007), ref: 00417ED9

Strings

RTFPrint, xrefs: 00417FD7
RichEdit, xrefs: 00417FDC
}C, xrefs: 00417C7A

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: __ftol$CapsDevice$H_prologMode
String ID: }C$RTFPrint$RichEdit
API String ID: 163115433-967111206
Opcode ID: c7c3cb28dda2b06237653fb52b4f48e5e416df35bb0f0ceeefc343e54e9f8a29
Instruction ID: 71540f94fe857b33089e10f207fca19ad3528c6dcb7f1614c0685310fb4efcd3
Opcode Fuzzy Hash: c7c3cb28dda2b06237653fb52b4f48e5e416df35bb0f0ceeefc343e54e9f8a29
Instruction Fuzzy Hash: FFF1A770A04218EFDF159F61DC85AEE7FB5FF08300F2180AAF905AA256D7758994CF98

Function 0041C1C1 Relevance: 63.3, APIs: 29, Strings: 7, Instructions: 319stringCOMMON

Download Yara Rule

APIs

CreateFontA.GDI32(00000090,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000012,Times New Roman), ref: 0041C22D
SelectObject.GDI32(?,00000000), ref: 0041C240
GetTextMetricsA.GDI32(?,?), ref: 0041C24F
SelectObject.GDI32(?,?), ref: 0041C25B
SelectObject.GDI32(?,?), ref: 0041C26B
GetTextMetricsA.GDI32(?,?), ref: 0041C277
SelectObject.GDI32(?,?), ref: 0041C283
SetBkMode.GDI32(?,00000001), ref: 0041C28A
SelectObject.GDI32(?,?), ref: 0041C391
SetTextColor.GDI32(?,00C0C0C0), ref: 0041C39E
TextOutA.GDI32(?,?,?,Demo,00000004), ref: 0041C3BB
TextOutA.GDI32(?,?,?,Only,00000004), ref: 0041C3DD
SetTextColor.GDI32(?,00000000), ref: 0041C3EA
SelectObject.GDI32(?,?), ref: 0041C3F6
SelectObject.GDI32(?,?), ref: 0041C443
SetTextColor.GDI32(?,00CEF5B1), ref: 0041C450
lstrlenA.KERNEL32(This transcript has been,?,?), ref: 0041C461
TextOutA.GDI32(?,?,?,This transcript has been,00000000), ref: 0041C479
lstrlenA.KERNEL32(electronically signed using,?,?), ref: 0041C480

Part of subcall function 0041C583: GetStockObject.GDI32(00000007), ref: 0041C58E
Part of subcall function 0041C583: SelectObject.GDI32(?,00000000), ref: 0041C598
Part of subcall function 0041C583: MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 0041C5C0
Part of subcall function 0041C583: LineTo.GDI32(?,?,?), ref: 0041C5CA
Part of subcall function 0041C583: MoveToEx.GDI32(?,?,00000000,00000000), ref: 0041C5E1
Part of subcall function 0041C583: LineTo.GDI32(?,?,?), ref: 0041C5EB
Part of subcall function 0041C583: SelectObject.GDI32(?,?), ref: 0041C64A

TextOutA.GDI32(?,?,?,electronically signed using,00000000), ref: 0041C49E
lstrlenA.KERNEL32(RealLegal technology.,?,?), ref: 0041C4A5
TextOutA.GDI32(?,?,?,RealLegal technology.,00000000), ref: 0041C4C4
lstrlenA.KERNEL32(Click to display signature details.,?,?), ref: 0041C4CB
TextOutA.GDI32(?,?,?,Click to display signature details.,00000000), ref: 0041C4EA
SetTextColor.GDI32(?,00000000), ref: 0041C4F7
SelectObject.GDI32(?,?), ref: 0041C503
MoveToEx.GDI32(?,?,?,00000000), ref: 0041C51E

Part of subcall function 0041CC69: GetDC.USER32(?), ref: 0041CC77
Part of subcall function 0041CC69: SelectObject.GDI32(00000000,?), ref: 0041CC89
Part of subcall function 0041CC69: GetTextMetricsA.GDI32(00000000,?), ref: 0041CC93
Part of subcall function 0041CC69: SelectObject.GDI32(00000000,?), ref: 0041CC9D
Part of subcall function 0041CC69: ReleaseDC.USER32(?,00000000), ref: 0041CCA3

LineTo.GDI32(?,?,?), ref: 0041C544
DeleteObject.GDI32(?), ref: 0041C579

Strings

Only, xrefs: 0041C3D0
Demo, xrefs: 0041C3AC
electronically signed using, xrefs: 0041C47B, 0041C48D
This transcript has been, xrefs: 0041C459, 0041C468
RealLegal technology., xrefs: 0041C4A0, 0041C4B2
Times New Roman, xrefs: 0041C211
Click to display signature details., xrefs: 0041C4C6, 0041C4DB

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Object$Text$Select$Colorlstrlen$LineMetricsMove$CreateDeleteFontModeReleaseStock
String ID: Click to display signature details.$Demo$Only$RealLegal technology.$This transcript has been$Times New Roman$electronically signed using
API String ID: 1693882499-3944422226
Opcode ID: ac84feeefb11ee00bfe2cda9785f081f7e639cfd137de18021b1b8a62eec0760
Instruction ID: 72f174f23d25b4884f32a8bb1faa6668aad9517e4f4d2897bbdbb2a486bbebdb
Opcode Fuzzy Hash: ac84feeefb11ee00bfe2cda9785f081f7e639cfd137de18021b1b8a62eec0760
Instruction Fuzzy Hash: D2C10571A00209EFDF15DFA4CD85EAEBBB9FF08300F105069F906A6260DB75AA91DF54

Function 00420AD1 Relevance: 58.0, APIs: 28, Strings: 5, Instructions: 259stringCOMMON

Download Yara Rule

APIs

UuidToStringA.RPCRT4(?,?), ref: 00420B31
SelectObject.GDI32(?,?), ref: 00420B75
SelectObject.GDI32(?,?), ref: 00420B80
GetTextMetricsA.GDI32(?,?), ref: 00420B8C
SetTextAlign.GDI32(?,0000000A), ref: 00420B9A
GetDeviceCaps.GDI32(?,00000070), ref: 00420BBC
GetDeviceCaps.GDI32(?,00000071), ref: 00420BC6
lstrlenA.KERNEL32(?), ref: 00420BD0
TextOutA.GDI32(?,00000000), ref: 00420C17
RpcStringFreeA.RPCRT4(?), ref: 00420C21
SetTextAlign.GDI32(?,00000008), ref: 00420C48
lstrcatA.KERNEL32(?,Electronically signed by ,?,?,?,?,?,?,00000000,?,?,?,00000000), ref: 00420C9F
lstrcatA.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?,?,00000000), ref: 00420CAB
lstrcatA.KERNEL32(?,0043C680,?,?,?,?,?,?,00000000,?,?,?,00000000), ref: 00420CB9
lstrcatA.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?,?,00000000), ref: 00420CC5
lstrcatA.KERNEL32(?,0043C1A0,?,?,?,?,?,?,00000000,?,?,?,00000000), ref: 00420CD3
lstrlenA.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,?,00000000), ref: 00420CD8
lstrcatA.KERNEL32(?, for ,?,?,?,?,?,?,00000000,?,?,?,00000000), ref: 00420CEE
lstrcatA.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?,?,00000000), ref: 00420CFA
lstrlenA.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,?,00000000), ref: 00420D05
lstrlenA.KERNEL32(0000000A,?,?,?,?,?,?,00000000,?,?,?,00000000), ref: 00420D2B
lstrlenA.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,?,00000000), ref: 00420D3C
TextOutA.GDI32(?,00000000), ref: 00420D8C
SetTextAlign.GDI32(?,?), ref: 00420DC0
SelectObject.GDI32(?,?), ref: 00420DEE
SelectObject.GDI32(?,?), ref: 00420DF6
DeleteObject.GDI32(?), ref: 00420E01
DeleteObject.GDI32(?), ref: 00420E06

Strings

Electronically signed by , xrefs: 00420C99
0, xrefs: 00420D9E
for , xrefs: 00420CE8
0000000000000000, xrefs: 00420AE9
Arial, xrefs: 00420B42

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: lstrcat$ObjectText$lstrlen$Select$Align$CapsDeleteDeviceString$FreeMetricsUuid
String ID: for $0$0000000000000000$Arial$Electronically signed by
API String ID: 1162253022-2159187401
Opcode ID: 320e45d8491939b9f274710b93d4c97ef1ede94632edaa668320429dd8faad65
Instruction ID: cb46d312d46b917c22ea441eaa2e4fcb2f1d9d80f644cdf64fd90b732a686d22
Opcode Fuzzy Hash: 320e45d8491939b9f274710b93d4c97ef1ede94632edaa668320429dd8faad65
Instruction Fuzzy Hash: 16A16DB1900609EFCB209FA5DD84EAABBF9FF04304F40486AF685A2561D774F954CF58

Function 004048CF Relevance: 56.2, APIs: 25, Strings: 7, Instructions: 234stringwindowprocessCOMMON

Download Yara Rule

APIs

lstrcpyA.KERNEL32(?,?), ref: 004048FD
lstrcmpiA.KERNEL32(?,00000000), ref: 00404941
lstrcmpiA.KERNEL32(?,00000000), ref: 00404962
GetWindowsDirectoryA.KERNEL32(00000000,00000104), ref: 0040497D
lstrcmpiA.KERNEL32(?,?), ref: 0040498D
MessageBoxA.USER32(00000000,This E-Transcript file is in a temporary folder. Do you want to save it to a different folder?If you choose Yes, you will be prompted for a save location, and the transcript will be automatically re-launched from there.,00000000,00000024), ref: 004049C7
lstrcpyA.KERNEL32(?,00000001), ref: 004049EE
GetSaveFileNameA.COMDLG32(?), ref: 00404A59
_lopen.KERNEL32(?,00000020), ref: 00404A6A
MessageBoxA.USER32(00000000,Could not create the destination E-Transcript file for writing.,00000000,00000000), ref: 00404A87
_lcreat.KERNEL32(?,00000000), ref: 00404AA0
_lclose.KERNEL32(00000000), ref: 00404AB0
_lopen.KERNEL32(?,00000012), ref: 00404AB7
_hread.KERNEL32(00000000,?,00002000), ref: 00404AD9
_hwrite.KERNEL32(000000FF,?,00000000), ref: 00404AEA
_lclose.KERNEL32(00000000), ref: 00404AF5
_lclose.KERNEL32(000000FF), ref: 00404AFA
lstrcmpiA.KERNEL32(00000000,.ptx), ref: 00404B11
GetModuleFileNameA.KERNEL32(?,00000104), ref: 00404B2F
lstrcatA.KERNEL32(?,0043C988), ref: 00404B3D
lstrcatA.KERNEL32(?,?), ref: 00404B4D
lstrlenA.KERNEL32(?), ref: 00404B61
lstrcatA.KERNEL32(?,0043C984), ref: 00404B74
lstrcpyA.KERNEL32(?,?), ref: 00404B80
WinExec.KERNEL32(?,00000001), ref: 00404B98

Strings

Could not create the destination E-Transcript file for writing., xrefs: 00404ACB
TMP, xrefs: 0040494B
.ptx, xrefs: 00404AFC
Could not launch the new copy of the E-Transcript file, will run from the temporary folder instead., xrefs: 00404BAB
Could not open this E-Transcript file for reading., xrefs: 00404A80
TEMP, xrefs: 00404928
This E-Transcript file is in a temporary folder. Do you want to save it to a different folder?If you choose Yes, you will be prompted for a save location, and the transcript will be automatically re-launched from there., xrefs: 004049C0

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: lstrcmpi$_lcloselstrcatlstrcpy$FileMessageName_lopen$DirectoryExecModuleSaveWindows_hread_hwrite_lcreatlstrlen
String ID: .ptx$Could not create the destination E-Transcript file for writing.$Could not launch the new copy of the E-Transcript file, will run from the temporary folder instead.$Could not open this E-Transcript file for reading.$TEMP$TMP$This E-Transcript file is in a temporary folder. Do you want to save it to a different folder?If you choose Yes, you will be prompted for a save location, and the transcript will be automatically re-launched from there.
API String ID: 3857194745-1328242039
Opcode ID: e04b5b963f0610cd5d5123759aa1f9081de37f6501343eaa4406d45fd10ef82e
Instruction ID: 55973cf1991970337339a9de769cd823522cd193e05cba747d8d951cad8a8efc
Opcode Fuzzy Hash: e04b5b963f0610cd5d5123759aa1f9081de37f6501343eaa4406d45fd10ef82e
Instruction Fuzzy Hash: BD8150B1A44208AFEF21AFA1EC49F9E7BB9EF44315F10506AF601B51E1DB785D409F18

Function 00434D1B Relevance: 54.5, APIs: 7, Strings: 24, Instructions: 299stringCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00434D20

Part of subcall function 00409A82: __EH_prolog.LIBCMT ref: 00409A87

lstrlenA.KERNEL32(?), ref: 00434E8F
lstrlenA.KERNEL32(?), ref: 00434ECE
lstrlenA.KERNEL32(?), ref: 00434F0D
lstrlenA.KERNEL32(?), ref: 00434F4C
lstrlenA.KERNEL32(?), ref: 00434F8B
lstrlenA.KERNEL32(?), ref: 00434FCA

Strings

<JobNumber>, xrefs: 00434F22
</Witness>, xrefs: 00434F7C
<GUID>, xrefs: 00435024
</Examiner>, xrefs: 00434FBB
%d-%d-%d, xrefs: 00434DC4
<Date>, xrefs: 00434D9C
</GUID>, xrefs: 0043503C
<Reporter>, xrefs: 00434EA4
</DeposedBy>, xrefs: 00434FFA
<Title>, xrefs: 00434D6B
<Flags IsDraft=", xrefs: 00434E34
</Date>, xrefs: 00434E1D
"/>, xrefs: 00434E80
</Reporter>, xrefs: 00434EBF
<Witness>, xrefs: 00434F61
<Examiner>, xrefs: 00434FA0
<DeposedBy>, xrefs: 00434FDF
%d:%02d, xrefs: 00434E00
Yes, xrefs: 00434E48, 00434E6E
</JobNumber>, xrefs: 00434F3D
<Company>, xrefs: 00434EE3
" IsSealed=", xrefs: 00434E5A
</Title>, xrefs: 00434D86
</Company>, xrefs: 00434EFE

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: lstrlen$H_prolog
String ID: %d:%02d$" IsSealed="$"/>$%d-%d-%d$</Company>$</Date>$</DeposedBy>$</Examiner>$</GUID>$</JobNumber>$</Reporter>$</Title>$</Witness>$<Company>$<Date>$<DeposedBy>$<Examiner>$<Flags IsDraft="$<GUID>$<JobNumber>$<Reporter>$<Title>$<Witness>$Yes
API String ID: 3834905643-3426121586
Opcode ID: e949730e05c6bdc6c9331859356f62878caeaf6ce2d99b01e225a12e38bea80f
Instruction ID: 54079bf5cd07254208df97e6c5623e5c062ab4a72bfd0be04f1b5d100e9490fc
Opcode Fuzzy Hash: e949730e05c6bdc6c9331859356f62878caeaf6ce2d99b01e225a12e38bea80f
Instruction Fuzzy Hash: FEA15830704514AFDB29AF64C88AEED77B5EF89710B20018AF456972E0DF38AE41CF58

Function 0040B70B Relevance: 54.5, APIs: 2, Strings: 29, Instructions: 217stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040ABFB: GetPrivateProfileIntA.KERNEL32(00000000,?,00423084,00000000), ref: 0040AC0D

GetWindowsDirectoryA.KERNEL32(?,00000104,ExpandBy,?,?,CentreNotesColumn,?,?,NotesMode,?,?,EndFullSized,?,?,StartFullSized,?), ref: 0040B897
lstrcatA.KERNEL32(?,\tximpwiz.ini), ref: 0040B8A9

Strings

PrintUniqueID, xrefs: 0040B9E8
NotesMode, xrefs: 0040B84F
\tximpwiz.ini, xrefs: 0040B8A3
CondensedPageNum, xrefs: 0040B984
DoubleSpacing, xrefs: 0040B8D8
CondensedPageRange, xrefs: 0040B99D
PageLayoutOrder, xrefs: 0040B791
LineToTextSpaces, xrefs: 0040B93C
PrintSigDetails, xrefs: 0040BA01
ExpandBy, xrefs: 0040B881
TextBold, xrefs: 0040B9CF
CondensedFont, xrefs: 0040B969
PrintTimeStamps, xrefs: 0040B7AA
AppendWordIndex, xrefs: 0040B7F5
AnnotColorPrint, xrefs: 0040BA18
FullPageHeight, xrefs: 0040B8F1
CondensedPagePos, xrefs: 0040B9B6
StartFullSized, xrefs: 0040B81D
TranscriptColumns, xrefs: 0040B738
TimeStampMode, xrefs: 0040B7C3
FirstPageFullSize, xrefs: 0040B80E
NoHdrFirstPage, xrefs: 0040B90A
ActiveIssuesOnly, xrefs: 0040BA33
TranscriptRows, xrefs: 0040B76D
MarginTimeStamps, xrefs: 0040B7DC
CentreNotesColumn, xrefs: 0040B868
EndFullSized, xrefs: 0040B836
PrintPitch, xrefs: 0040B955
MarginLineNums, xrefs: 0040B923

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: DirectoryPrivateProfileWindowslstrcat
String ID: ActiveIssuesOnly$AnnotColorPrint$AppendWordIndex$CentreNotesColumn$CondensedFont$CondensedPageNum$CondensedPagePos$CondensedPageRange$DoubleSpacing$EndFullSized$ExpandBy$FirstPageFullSize$FullPageHeight$LineToTextSpaces$MarginLineNums$MarginTimeStamps$NoHdrFirstPage$NotesMode$PageLayoutOrder$PrintPitch$PrintSigDetails$PrintTimeStamps$PrintUniqueID$StartFullSized$TextBold$TimeStampMode$TranscriptColumns$TranscriptRows$\tximpwiz.ini
API String ID: 2855693836-404429783
Opcode ID: 4645d0017d9fad7f14806bfe5c57ea3c090f76b3d884e2570a7273e394aeadcb
Instruction ID: 7d62884cc5e7efbefc462f8ed5384ea69059e4bb2f2f78c09a81e5462072155d
Opcode Fuzzy Hash: 4645d0017d9fad7f14806bfe5c57ea3c090f76b3d884e2570a7273e394aeadcb
Instruction Fuzzy Hash: 5781C77024070BAFDE306A31DC99FE77BBAEB44718F10082FB59A621D0CA78B855D759

Function 0041588C Relevance: 52.8, APIs: 35, Instructions: 250COMMON

Download Yara Rule

APIs

OffsetRect.USER32(?,?,?), ref: 004158C7
GetStockObject.GDI32(00000000), ref: 004158D5
FillRect.USER32(?,?,00000000), ref: 004158E5
GetClientRect.USER32(?,?), ref: 004158F1
GetStockObject.GDI32(00000002), ref: 004158FF
FillRect.USER32(?,?,00000000), ref: 00415909
GetClientRect.USER32(?,?), ref: 00415915
GetStockObject.GDI32(00000002), ref: 00415923
FillRect.USER32(?,?,00000000), ref: 0041592D
GetClientRect.USER32(?,?), ref: 00415939
GetStockObject.GDI32(00000002), ref: 00415947
FillRect.USER32(?,?,00000000), ref: 00415951
GetClientRect.USER32(?,?), ref: 0041595D
GetStockObject.GDI32(00000002), ref: 0041596B
FillRect.USER32(?,?,00000000), ref: 00415975
CreateSolidBrush.GDI32(007F0000), ref: 0041597C
SelectObject.GDI32(?,00000000), ref: 00415989
SetRect.USER32(?,?,?,?,?), ref: 004159AC
FillRect.USER32(?,?,?), ref: 004159BC
SetRect.USER32(?,?,?,?,?), ref: 004159D8
FillRect.USER32(?,?,?), ref: 004159E8
SetRect.USER32(?,?,?,?,?), ref: 00415A04
FillRect.USER32(?,?,?), ref: 00415A14
SetRect.USER32(?,?,?,?,?), ref: 00415A30
FillRect.USER32(?,?,?), ref: 00415A40
SelectObject.GDI32(?,?), ref: 00415A48
DeleteObject.GDI32(?), ref: 00415A51
SetRect.USER32(?,?,?,?,?), ref: 00415A70
GetStockObject.GDI32(00000004), ref: 00415A78
FillRect.USER32(?,?,00000000), ref: 00415A82
SetRect.USER32(?,?,?,?,?), ref: 00415A9D
GetStockObject.GDI32(00000004), ref: 00415AA5
FillRect.USER32(?,?,00000000), ref: 00415AB0
SetWindowOrgEx.GDI32(?,?,?,?), ref: 00415AC9
SetWindowOrgEx.GDI32(?,?,?,00000000), ref: 00415B14

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Rect$Fill$Object$Stock$Client$SelectWindow$BrushCreateDeleteOffsetSolid
String ID:
API String ID: 4095045003-0
Opcode ID: 11759709e9ab6428dca135873744e62ec9845900b8eebb10513d5ea20cf31f2c
Instruction ID: b207d0c41b7c02ce6281d8eb41a69d9b78cd382846ec68e7022d47cb2798c47e
Opcode Fuzzy Hash: 11759709e9ab6428dca135873744e62ec9845900b8eebb10513d5ea20cf31f2c
Instruction Fuzzy Hash: 2E91B2B2904119BFDF019FA4DD85EEEBBBDFF48300F044126FA05E6261D635AA11DB64

Function 00424B07 Relevance: 51.1, APIs: 26, Strings: 3, Instructions: 325COMMON

Download Yara Rule

APIs

GetDeviceCaps.GDI32(?,0000005A), ref: 00424B48
CreateFontA.GDI32(?,?,?,0041E984,?,00000000,00000001,00000000,?,?,00000000,?,?,?), ref: 00424B58
GetDeviceCaps.GDI32(?,0000005A), ref: 00424B82
__ftol.LIBCMT ref: 00424B90
CreateFontA.GDI32(00000000,?,?,0041E984,?,00000000,00000001,00000000,?,?,00000000,?,?,?), ref: 00424B96
GetDeviceCaps.GDI32(?,0000005A), ref: 00424BBB
__ftol.LIBCMT ref: 00424BCC
CreateFontA.GDI32(00000000,?,?,0041E984,?,00000000,00000001,00000000,?,?,00000000,?,?,?), ref: 00424BD2

Part of subcall function 00425609: SelectObject.GDI32(?,?), ref: 0042564A
Part of subcall function 00425609: SelectObject.GDI32(?,?), ref: 00425653
Part of subcall function 00425609: GetTextMetricsA.GDI32(?,?), ref: 0042565D
Part of subcall function 00425609: SelectObject.GDI32(?,?), ref: 0042568D
Part of subcall function 00425609: SelectObject.GDI32(?,?), ref: 00425693
Part of subcall function 00425609: DeleteObject.GDI32(?), ref: 0042569E
Part of subcall function 00425609: DeleteObject.GDI32(0041E984), ref: 004256A3

SelectObject.GDI32(?,?), ref: 00424BE1
SetBkMode.GDI32(?,00000001), ref: 00424D43
SelectObject.GDI32(?,?), ref: 00424D52
SelectObject.GDI32(?,?), ref: 00424D5C
GetTextMetricsA.GDI32(?,?), ref: 00424D6C
SetTextColor.GDI32(?,00C0C0C0), ref: 00424D78
SetTextAlign.GDI32(?,0000000E), ref: 00424D81
TextOutA.GDI32(?,00000000), ref: 00424DCE
SetTextAlign.GDI32(?,00000006), ref: 00424DD7

Part of subcall function 004244D3: GetDeviceCaps.GDI32(?,0000005A), ref: 004244ED
Part of subcall function 004244D3: GetDeviceCaps.GDI32(?,0000005A), ref: 00424503
Part of subcall function 004244D3: __ftol.LIBCMT ref: 00424514

Part of subcall function 0042448A: GetDeviceCaps.GDI32(?,00000058), ref: 004244A4
Part of subcall function 0042448A: GetDeviceCaps.GDI32(?,00000058), ref: 004244BA
Part of subcall function 0042448A: __ftol.LIBCMT ref: 004244CB

TextOutA.GDI32(?,00000000), ref: 00424E24
SetTextAlign.GDI32(?,00000000), ref: 00424E2C
SetTextColor.GDI32(?,00000000), ref: 00424E34
SelectObject.GDI32(?,?), ref: 00424E3E
SetBkMode.GDI32(?,?), ref: 00424E48
SelectObject.GDI32(?,00000000), ref: 00424E54
DeleteObject.GDI32(?), ref: 00424E63
DeleteObject.GDI32(?), ref: 00424E6D
DeleteObject.GDI32(?), ref: 00424E72

Strings

Only, xrefs: 00424DE5
Demo, xrefs: 00424D8F
Times New Roman, xrefs: 00424B66, 00424B9C

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Object$SelectText$CapsDevice$Delete$__ftol$AlignCreateFont$ColorMetricsMode
String ID: Demo$Only$Times New Roman
API String ID: 3298159434-1972234888
Opcode ID: eee2e0f64833130068292bc7b8f3c5efe328d38b8b4884d20801310f16f9708a
Instruction ID: 879d4dc82af2a8654992256667a09c3d0f98d52e7a2edaf122d2d30b9ae388eb
Opcode Fuzzy Hash: eee2e0f64833130068292bc7b8f3c5efe328d38b8b4884d20801310f16f9708a
Instruction Fuzzy Hash: E2B157B2500209FFDF21AFA5DC85E9B3FB9EF48310F44856AFA4999161C3359920DF64

Function 004354BF Relevance: 51.0, APIs: 17, Strings: 12, Instructions: 229stringCOMMON

Download Yara Rule

APIs

lstrcatA.KERNEL32(?,<Line ID="), ref: 00435568
lstrcatA.KERNEL32(?,00000000), ref: 00435579
lstrcatA.KERNEL32(?,<Line ID="Line), ref: 0043558E
lstrlenA.KERNEL32(?,0043CE98,?), ref: 004355A2
lstrlenA.KERNEL32(?,%02d,?), ref: 004355C5
lstrcatA.KERNEL32(?," Number="), ref: 004355E9
lstrlenA.KERNEL32(?,0043CE98,?), ref: 004355FB
lstrcatA.KERNEL32(?,0043CB2C), ref: 00435619
lstrcatA.KERNEL32(?, Indent="), ref: 0043562D
lstrlenA.KERNEL32(?,0043CE98,00000000), ref: 0043563A
lstrcatA.KERNEL32(?,0043CB2C), ref: 00435658
lstrcatA.KERNEL32(?,>), ref: 00435666
lstrcatA.KERNEL32(?,<SpanRef IDREF="), ref: 004356C6
lstrcatA.KERNEL32(?,00000000), ref: 004356D8
lstrcatA.KERNEL32(?,<SpanRef IDREF="Span), ref: 004356ED
lstrlenA.KERNEL32(?,0043CE98,?), ref: 004356FC
lstrcatA.KERNEL32(?,"/>), ref: 0043571A

Strings

<SpanRef IDREF=", xrefs: 004356C0
"/>, xrefs: 00435714
%02d, xrefs: 004355BF
</Line>, xrefs: 00435745
<Line ID=", xrefs: 00435562
" Number=", xrefs: 004355E3
Line, xrefs: 0043557B
>, xrefs: 00435660
Span, xrefs: 004356DA
<Line ID="Line, xrefs: 00435582
<SpanRef IDREF="Span, xrefs: 004356E1
Indent=", xrefs: 00435627

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: lstrcat$lstrlen
String ID: Indent="$" Number="$"/>$%02d$</Line>$<Line ID="$<Line ID="Line$<SpanRef IDREF="$<SpanRef IDREF="Span$>$Line$Span
API String ID: 751011610-1510624088
Opcode ID: f9de3dc4ff7337d9a1349b4b99bce8ca460acf392e194106b8f7a47d9f13e2ff
Instruction ID: e603c647a8063dc4bc4fdc983b0959d14e7643cc67babce5ddc1eb732ce76daf
Opcode Fuzzy Hash: f9de3dc4ff7337d9a1349b4b99bce8ca460acf392e194106b8f7a47d9f13e2ff
Instruction Fuzzy Hash: B781FFB190021CAFDB10DFA4DC85FDE7BB8AF48304F1444AAE605E7151DB799A85CFA8

Function 00419DE4 Relevance: 49.8, APIs: 33, Instructions: 265windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageA.USER32(?,00001A59,00000147,00000000,00000000), ref: 00419E67
IsDlgButtonChecked.USER32(?,00001AD9), ref: 00419E7D
IsDlgButtonChecked.USER32(?,00001ADA), ref: 00419E89
IsDlgButtonChecked.USER32(?,00001ADB), ref: 00419E95
IsDlgButtonChecked.USER32(?,00001ADC), ref: 00419EA1
GetDlgItem.USER32(?,00001A57), ref: 00419EAB
EnableWindow.USER32(00000000), ref: 00419EB2
GetDlgItem.USER32(?,00001A57), ref: 00419EBD
EnableWindow.USER32(00000000), ref: 00419EC4
CheckDlgButton.USER32(?,00001A57,00000000), ref: 00419ECD
IsDlgButtonChecked.USER32(?,00001ADD), ref: 00419ED9
GetDlgItem.USER32(?,00001ADE), ref: 00419EE2
EnableWindow.USER32(00000000), ref: 00419EE9
SendDlgItemMessageA.USER32(?,00001A59,00000147,00000000,00000000), ref: 00419F0E
SendDlgItemMessageA.USER32(?,00001A54,00000147,00000000,00000000), ref: 00419F27
IsDlgButtonChecked.USER32(?,00001A57), ref: 00419F41
IsDlgButtonChecked.USER32(?,00001AD9), ref: 00419F55
IsDlgButtonChecked.USER32(?,00001ADA), ref: 00419F69
IsDlgButtonChecked.USER32(?,00001ADB), ref: 00419F7D
IsDlgButtonChecked.USER32(?,00001ADC), ref: 00419F91
IsDlgButtonChecked.USER32(?,00001ADD), ref: 00419FA6
IsDlgButtonChecked.USER32(?,00001ADD), ref: 00419FB6
IsDlgButtonChecked.USER32(?,00001ADE), ref: 00419FC2
SetWindowLongA.USER32(?,00000008,00000000), ref: 00419FE8
SendDlgItemMessageA.USER32(?,00001A59,0000014E,?,00000000), ref: 0041A041
SendDlgItemMessageA.USER32(?,0000195E,0000014E,?,00000000), ref: 0041A082
CheckDlgButton.USER32(?,00001A57,?), ref: 0041A09C
CheckDlgButton.USER32(?,00001AD9,?), ref: 0041A0B0
CheckDlgButton.USER32(?,00001ADA,?), ref: 0041A0C4
CheckDlgButton.USER32(?,00001ADB,?), ref: 0041A0D8
CheckDlgButton.USER32(?,00001ADC,?), ref: 0041A0EC
CheckDlgButton.USER32(?,00001ADD,?), ref: 0041A100
CheckDlgButton.USER32(?,00001ADE,00000000), ref: 0041A11A

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Button$Checked$CheckItem$MessageSend$Window$Enable$Long
String ID:
API String ID: 1585499299-0
Opcode ID: ff85b821639fa201847d1ece775bcd9c907d6c04c24db4e9d0bbffb4944e3307
Instruction ID: ddde208727fd3d138f35d8ebd16280d84c14fc3c2cefd1271f27270d9ab8ad2b
Opcode Fuzzy Hash: ff85b821639fa201847d1ece775bcd9c907d6c04c24db4e9d0bbffb4944e3307
Instruction Fuzzy Hash: 9C81E1713057047BE620AB66DC85FFB72EDEF4AB04F050429F7469B2D1CB689842962B

Function 0042610E Relevance: 49.7, APIs: 33, Instructions: 192stringCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000014), ref: 0042611F
CreateSolidBrush.GDI32(00000000), ref: 00426128
GetSysColor.USER32(0000000F), ref: 0042612F
CreateSolidBrush.GDI32(00000000), ref: 00426132
GetSysColor.USER32(00000010), ref: 00426139
CreateSolidBrush.GDI32(00000000), ref: 0042613C
GetSysColor.USER32(00000006), ref: 00426143
CreateSolidBrush.GDI32(00000000), ref: 00426146
SetBkMode.GDI32(?,00000001), ref: 00426151
GetStockObject.GDI32(0000000C), ref: 00426159
SelectObject.GDI32(?,00000000), ref: 00426161
GetTextMetricsA.GDI32(?,?), ref: 0042616F
SetRect.USER32(?,?,?,?,?), ref: 00426193
FillRect.USER32(?,?,?), ref: 004261A3
SetRect.USER32(?,00000000,?,00000001,?), ref: 004261B6
FillRect.USER32(?,?,?), ref: 004261C2
SetRect.USER32(?,00000001,?,00000002,?), ref: 004261D8
FillRect.USER32(?,?,?), ref: 004261E4
SetRect.USER32(?,?,?,?,?), ref: 004261FC
FillRect.USER32(?,?,?), ref: 00426208
SetRect.USER32(?,?,?,?,?), ref: 0042621D
FillRect.USER32(?,?,?), ref: 00426229
SetRect.USER32(?,?,?,?,?), ref: 00426242
FillRect.USER32(?,?,?), ref: 0042624E
lstrlenA.KERNEL32(?,?), ref: 0042625D
GetTextExtentPointA.GDI32(?,?,00000000), ref: 00426266
lstrlenA.KERNEL32(?), ref: 0042627E
TextOutA.GDI32(?,?,?,?,00000000), ref: 00426293
SelectObject.GDI32(?,?), ref: 0042629F
DeleteObject.GDI32(?), ref: 004262AE
DeleteObject.GDI32(?), ref: 004262B3
DeleteObject.GDI32(?), ref: 004262B8
DeleteObject.GDI32(?), ref: 004262BD

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Rect$Object$Fill$BrushColorCreateDeleteSolid$Text$Selectlstrlen$ExtentMetricsModePointStock
String ID:
API String ID: 4026687699-0
Opcode ID: 33c5a2ff70db28bebb1589a38cea260a43f57ce428e1b822b75dc70f15f3179b
Instruction ID: d1225fda91c24d7519caef32439965cfc1f691d64e781327742231fdab307d56
Opcode Fuzzy Hash: 33c5a2ff70db28bebb1589a38cea260a43f57ce428e1b822b75dc70f15f3179b
Instruction Fuzzy Hash: 815193B1900209BFDB159FA9CC88DAFBBBDEF48314B008529F559A3160DA31E915DF64

Function 00427058 Relevance: 47.7, APIs: 4, Strings: 23, Instructions: 430COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0042705D
wsprintfA.USER32 ref: 004270E2
wsprintfA.USER32 ref: 00427129
wsprintfA.USER32 ref: 0042733F

Strings

$uC, xrefs: 0042716F
uC, xrefs: 0042717F
uC, xrefs: 00427293
&Record=, xrefs: 004274D4, 004274D9, 004274E1
uC, xrefs: 004271DB
%lu, xrefs: 004270DC, 00427123, 00427339
&NDTCANum=, xrefs: 00427260, 0042726C
&Recipient=, xrefs: 004272BC, 004272C8
uC, xrefs: 004272EF
&AppID=, xrefs: 00427102, 0042710E
&Guid=, xrefs: 00427363, 0042736F
&Locality=, xrefs: 00427204, 00427210
@, xrefs: 0042706F
uC, xrefs: 004273DD
&Title=, xrefs: 004273AA, 004273B6
?ValidateHash, xrefs: 0042709E, 004270A3, 004270AB
&Signer=, xrefs: 00427149, 0042714E, 00427156
&TimeStamp=, xrefs: 00427406, 00427412
?VendorID=, xrefs: 004270B6, 004270BB, 004270C3
&Hash=, xrefs: 00427475, 0042747A, 00427482
&Pages=, xrefs: 00427318, 00427324
&FullName=, xrefs: 004271A8, 004271B4
uC, xrefs: 00427237

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: wsprintf$H_prolog
String ID: uC$ uC$ uC$ uC$ uC$ uC$$uC$%lu$&AppID=$&FullName=$&Guid=$&Hash=$&Locality=$&NDTCANum=$&Pages=$&Recipient=$&Record=$&Signer=$&TimeStamp=$&Title=$?ValidateHash$?VendorID=$@
API String ID: 3352209545-2383976072
Opcode ID: 3c9d0c42c43d0bcf5444b85aaf77e9e6ec3f9e0f7ae0b46fadcf635e09600e39
Instruction ID: f2247941286c01c99e5c1b056066fd9bc09b4ffb08d3c3de2fea96c35d16af16
Opcode Fuzzy Hash: 3c9d0c42c43d0bcf5444b85aaf77e9e6ec3f9e0f7ae0b46fadcf635e09600e39
Instruction Fuzzy Hash: EBE170B2B002246ADF14ABA6DC86EBF77ADAF08304F40505FF545A7181DB7CAD458B6C

Function 004247F8 Relevance: 47.5, APIs: 25, Strings: 2, Instructions: 266COMMON

Download Yara Rule

APIs

SetRect.USER32(?,?,?,?,?), ref: 00424848
GetStockObject.GDI32(00000001), ref: 0042485C

Part of subcall function 0042451C: FillRect.USER32(?,0041E984,?), ref: 00424532

SetRect.USER32(?,?,?,?,?), ref: 00424891
GetStockObject.GDI32(00000001), ref: 004248A5
GetDeviceCaps.GDI32(0041E984,0000005A), ref: 004249C6
__ftol.LIBCMT ref: 004249D4
CreateFontA.GDI32(00000000), ref: 004249DA
GetDeviceCaps.GDI32(?,0000005A), ref: 004249FF
__ftol.LIBCMT ref: 00424A10
CreateFontA.GDI32(00000000), ref: 00424A16
SelectObject.GDI32(0041E984,0041EDB8), ref: 00424A2B
SelectObject.GDI32(?,?), ref: 00424A36
SetBkMode.GDI32(?,00000001), ref: 00424A40
GetTextAlign.GDI32(?), ref: 00424A4C
SetTextAlign.GDI32(?,0000000E), ref: 00424A5A
SetTextColor.GDI32(?,00E0E0E0), ref: 00424A68
GetTextMetricsA.GDI32(0041E984,?), ref: 00424A75
TextOutA.GDI32(?,00000000), ref: 00424AC2
SetTextColor.GDI32(?,00000000), ref: 00424ACA
SetBkMode.GDI32(?,?), ref: 00424AD4
SetTextAlign.GDI32(?,?), ref: 00424ADE
SelectObject.GDI32(?,00000000), ref: 00424AE8
SelectObject.GDI32(0041E984,?), ref: 00424AF0
DeleteObject.GDI32(0041EDB8), ref: 00424AFB
DeleteObject.GDI32(?), ref: 00424B00

Strings

Times New Roman, xrefs: 004249A4, 004249E0
Draft Copy, xrefs: 00424A83

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Object$Text$Select$AlignRect$CapsColorCreateDeleteDeviceFontModeStock__ftol$FillMetrics
String ID: Draft Copy$Times New Roman
API String ID: 2482175906-1289951107
Opcode ID: 7df5f444f9c5d9bd80a5ea9f62c1877b29fbf069aeb30e9d83a157bba8d7775a
Instruction ID: 7afa8ace8cfd55d5bc44881c520b8bf11e76a53b64976226fb30a89123e17e80
Opcode Fuzzy Hash: 7df5f444f9c5d9bd80a5ea9f62c1877b29fbf069aeb30e9d83a157bba8d7775a
Instruction Fuzzy Hash: 0DA133B2900209EFCF119FA1DC45EEB7BB9FF48300F00852AFA599A161D7359960DFA4

Function 0041F111 Relevance: 46.9, APIs: 31, Instructions: 407COMMON

Download Yara Rule

APIs

SetBkMode.GDI32(?,00000001), ref: 0041F149
SelectObject.GDI32(?,?), ref: 0041F161
SelectObject.GDI32(?,?), ref: 0041F172
GetTextMetricsA.GDI32(?,?), ref: 0041F181
SetRect.USER32(?,00000000,00000000,?,00000000), ref: 0041F201
SelectObject.GDI32(?,?), ref: 0041F22B
SelectObject.GDI32(?,?), ref: 0041F239
__ftol.LIBCMT ref: 0041F2B8

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: ObjectSelect$MetricsModeRectText__ftol
String ID:
API String ID: 3342210841-0
Opcode ID: 68f6a0c2d7f310cb1c33bbc51772365a8c17c7013220bf7582e931136526d987
Instruction ID: 6a4abab4b5c29f4ab656ea7dc226153ce07f6539cda743fb427a293a42baf7e9
Opcode Fuzzy Hash: 68f6a0c2d7f310cb1c33bbc51772365a8c17c7013220bf7582e931136526d987
Instruction Fuzzy Hash: A3027EB1A00A05EFCB21CF65CC85BDABBF5FF44304F11482DE6AA92261D734A995CF58

Function 00414C2F Relevance: 44.0, APIs: 11, Strings: 14, Instructions: 225windowCOMMON

Download Yara Rule

APIs

CreateToolbarEx.COMCTL32(?,40802900,00000385,00000007,000002AE,?,0000000A,00000010,0000000F,00000010,0000000F,00000014,00000000,?,00000000), ref: 00414E25
SendMessageA.USER32(00000000,00000439,00000000,00000000), ref: 00414E3B
SendMessageA.USER32(00000000,00000438,00000000,00000000), ref: 00414E49
SendMessageA.USER32(00000000,00000442,0000003C,?), ref: 00414E81
SendMessageA.USER32(00000000,00000442,00000034,00000020), ref: 00414E9B
SendMessageA.USER32(00000000,00000442,0000003B,00000020), ref: 00414EB5
SendMessageA.USER32(00000000,00000442,0000003D,00000020), ref: 00414EC9
SendMessageA.USER32(00000000,0000041D,00000004,?), ref: 00414EDB

Part of subcall function 00416F2A: CreateWindowExA.USER32(00000000,00001BD3,?,?,?,?,?,?,00444FE8,?,00408461,?), ref: 00416F5E

GetStockObject.GDI32(0000000C), ref: 00414F16
SendMessageA.USER32(?,00000030,00000000), ref: 00414F22

Part of subcall function 0041669F: SendMessageA.USER32(?,0000014B,00000000,00000000), ref: 004166BF
Part of subcall function 0041669F: lstrlenA.KERNEL32(?), ref: 00416702
Part of subcall function 0041669F: SendMessageA.USER32(?,00000143,00000000,00000025), ref: 00416720
Part of subcall function 0041669F: SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00416732
Part of subcall function 0041669F: SetFocus.USER32(?), ref: 00416744

ShowWindow.USER32(00000000,00000005,00000064,?,?,?,?,?,?,00000000), ref: 00414F31

Strings

4, xrefs: 00414CC1
3, xrefs: 00414C8A
, xrefs: 00414E68
=, xrefs: 00414D59
5, xrefs: 00414D7C
7, xrefs: 00414DC0
`, xrefs: 00414E71
8, xrefs: 00414DE2
COMBOBOX, xrefs: 00414F03
;, xrefs: 00414CF4
(, xrefs: 00414E89
<, xrefs: 00414D28
2, xrefs: 00414C53
6, xrefs: 00414D99

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: MessageSend$CreateWindow$FocusObjectShowStockToolbarlstrlen
String ID: $($2$3$4$5$6$7$8$;$<$=$COMBOBOX$`
API String ID: 2642459248-3785508575
Opcode ID: 8d36ddb7ca6e0b4d38678c9fa93a6d5006abf8ef9db36969d0f2a1b35305589f
Instruction ID: 0c9d42c106007b87d28a1c790e24833c5a27b45b9b558b20a1a642b3297f2fef
Opcode Fuzzy Hash: 8d36ddb7ca6e0b4d38678c9fa93a6d5006abf8ef9db36969d0f2a1b35305589f
Instruction Fuzzy Hash: 3C9150B1945398EEFB218B64CC05BDEBFB4AB15304F4044DAE6887B291C7B51A48CF26

Function 004169F8 Relevance: 38.6, APIs: 21, Strings: 1, Instructions: 121stringCOMMON

Download Yara Rule

APIs

GetStockObject.GDI32(0000000C), ref: 00416A03
SelectObject.GDI32(00000000,00000000), ref: 00416A0E
GetClientRect.USER32(00000064,00000000), ref: 00416A1E
wsprintfA.USER32 ref: 00416A47
lstrlenA.KERNEL32(?,004168D1,?,?,?,?,?,?,?,?,?,?,004169DF,00000064,00000000,00000000), ref: 00416A5E
GetTextExtentPointA.GDI32(00000000,?,00000000), ref: 00416A66
SetTextColor.GDI32(00000000,00FFFFFF), ref: 00416A80
SetBkColor.GDI32(00000000,00808080), ref: 00416A8C
CreateRectRgn.GDI32(00000000,00000000,00000001,?), ref: 00416A9C
SelectClipRgn.GDI32(00000000,00000000), ref: 00416AAD
lstrlenA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,004169DF,00000064,00000000,00000000), ref: 00416AB5
ExtTextOutA.GDI32(00000000,00000064,00000001,00000002,00000000,?,00000000), ref: 00416AC8
SetTextColor.GDI32(00000000,00000000), ref: 00416AD1
SetBkColor.GDI32(00000000,00FFFFFF), ref: 00416ADD
SetRectRgn.GDI32(00000000,00000001,00000000,?,?), ref: 00416AF1
SelectClipRgn.GDI32(00000000,00000000), ref: 00416AFB
lstrlenA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,004169DF,00000064,00000000,00000000), ref: 00416B03
ExtTextOutA.GDI32(00000000,00000064,00000001,00000002,00000000,?,00000000), ref: 00416B16
SelectClipRgn.GDI32(00000000,00000000), ref: 00416B1F
DeleteObject.GDI32(00000000), ref: 00416B24
SelectObject.GDI32(00000000,00000064), ref: 00416B2E

Strings

%d%%, xrefs: 00416A41

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: SelectText$ColorObject$ClipRectlstrlen$ClientCreateDeleteExtentPointStockwsprintf
String ID: %d%%
API String ID: 2865496221-1518462796
Opcode ID: 3d968922300f418df847fed0c8980a71a3afe2a193457f1f9b9116db752874c5
Instruction ID: cff0e54426bbbf73b45997a5710a2c95f46dffb4b447c2c6cf1e8a5455d02124
Opcode Fuzzy Hash: 3d968922300f418df847fed0c8980a71a3afe2a193457f1f9b9116db752874c5
Instruction Fuzzy Hash: 4741F8B2944108FBDB12AFE0DD49EDF7BBCEF08301F105122FA41A21A0D775A6559BA8

Function 00425FD7 Relevance: 36.1, APIs: 24, Instructions: 143COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000014), ref: 00425FE8
CreateSolidBrush.GDI32(00000000), ref: 00425FF1
GetSysColor.USER32(0000000F), ref: 00425FF8
CreateSolidBrush.GDI32(00000000), ref: 00425FFB
GetSysColor.USER32(00000010), ref: 00426002
CreateSolidBrush.GDI32(00000000), ref: 00426005
GetSysColor.USER32(00000006), ref: 0042600C
CreateSolidBrush.GDI32(00000000), ref: 0042600F
SetRect.USER32(?,00000000,?,00000001,?), ref: 00426030
FillRect.USER32(?,?,?), ref: 00426042
SetRect.USER32(?,00000001,?,00000002,?), ref: 00426059
FillRect.USER32(?,?,?), ref: 00426065
SetRect.USER32(?,?,?,?,?), ref: 0042607F
FillRect.USER32(?,?,?), ref: 0042608B
SetRect.USER32(?,?,?,?,?), ref: 0042609C
FillRect.USER32(?,?,?), ref: 004260A8
SetRect.USER32(?,?,?,?,?), ref: 004260C1
FillRect.USER32(?,?,?), ref: 004260CD
SetRect.USER32(?,?,?,?,?), ref: 004260DF
FillRect.USER32(?,?,?), ref: 004260EB
DeleteObject.GDI32(?), ref: 004260F6
DeleteObject.GDI32(?), ref: 004260FB
DeleteObject.GDI32(?), ref: 00426100
DeleteObject.GDI32(?), ref: 00426105

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Rect$Fill$BrushColorCreateDeleteObjectSolid
String ID:
API String ID: 622882046-0
Opcode ID: d4275754b8307398141af0c0cd801566837b536f23d823f5fd03c9c4beb7d31c
Instruction ID: 5528af2a12715f4b21404a2deeb21a6d9c4b2cf2b2d91ea9e8b4ed57378980eb
Opcode Fuzzy Hash: d4275754b8307398141af0c0cd801566837b536f23d823f5fd03c9c4beb7d31c
Instruction Fuzzy Hash: 5C4192B290061DBFDF25ABA5CC88CAEBBBDFF48310B04451AF955A3160DA35E914DF60

Function 00404BBD Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 159stringtimeCOMMON

Download Yara Rule

APIs

SystemTimeToFileTime.KERNEL32(00000080,?,76936C10,?,?), ref: 00404C26
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00404C34
FileTimeToSystemTime.KERNEL32(?,00000080), ref: 00404C42
lstrcatA.KERNEL32(?,0043C9B8), ref: 00404C72
lstrlenA.KERNEL32(?,0000000A), ref: 00404C7D
lstrcatA.KERNEL32(?,0043C9B8), ref: 00404C95
lstrlenA.KERNEL32(?,0000000A), ref: 00404C9A
lstrcatA.KERNEL32(?, at ), ref: 00404CB2
lstrlenA.KERNEL32(?,0000000A), ref: 00404CD1
lstrcatA.KERNEL32(?,0043C9AC), ref: 00404CE7
lstrcatA.KERNEL32(?,0043C9A8), ref: 00404CF6
lstrlenA.KERNEL32(?,0000000A), ref: 00404CFB
lstrcatA.KERNEL32(?,AM ), ref: 00404D21
GetTimeZoneInformation.KERNEL32(?), ref: 00404D2A
lstrlenA.KERNEL32(?), ref: 00404D36
lstrlenA.KERNEL32(?), ref: 00404D49
lstrlenA.KERNEL32(?,?,00000080), ref: 00404D59

Strings

AM , xrefs: 00404D1B
at , xrefs: 00404CAC
PM , xrefs: 00404D14

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Timelstrlen$lstrcat$File$System$InformationLocalZone
String ID: at $AM $PM
API String ID: 2690676821-1610600608
Opcode ID: 2aa1b82b81b0096be6b4d80b57b48bf17cdfd07854c87379716d09f22f45368b
Instruction ID: 24c1420c19963992ba76b5113ba5a4835d19fa9558da8bb8dea9a1b088805d93
Opcode Fuzzy Hash: 2aa1b82b81b0096be6b4d80b57b48bf17cdfd07854c87379716d09f22f45368b
Instruction Fuzzy Hash: 1B5144B2D0021CBADF10ABB4CC86EEE777CAF18304F01142BF602B6181E678D544CBA9

Function 00415193 Relevance: 33.5, APIs: 15, Strings: 4, Instructions: 220windowCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00415198
CopyRect.USER32(?,?), ref: 004151CC
CreateWindowExA.USER32(00000000,PnxPreviewCtrWnd,00444FE8,50000000,?,?,?,?,?,00000000), ref: 00415217
ShowWindow.USER32(?,00000000), ref: 00415232
CreateWindowExA.USER32(00000000,PnxPreviewWnd,00444FE8,50300000,?,00000000,?,?,?,00000000,?,?), ref: 004152FF
GetWindowLongA.USER32(?,000000EC), ref: 0041530D
SetWindowLongA.USER32(?,000000EC,00000000), ref: 0041531F
MessageBoxA.USER32(?,Nothing to preview.,00000000,00000040), ref: 00415381

Part of subcall function 004154D2: ShowWindow.USER32(?,00000000,?,?,00000000,00415390,00000001), ref: 004154EA
Part of subcall function 004154D2: DestroyWindow.USER32(?,?,00000000,00415390,00000001), ref: 004154F2
Part of subcall function 004154D2: DeleteDC.GDI32(?), ref: 00415558

Part of subcall function 00415B1D: GetWindowRect.USER32(?,?), ref: 00415B3C
Part of subcall function 00415B1D: OffsetRect.USER32(?,?,?), ref: 00415B52
Part of subcall function 00415B1D: GetDC.USER32 ref: 00415B68
Part of subcall function 00415B1D: ReleaseDC.USER32(?,00000000), ref: 00415BEA

Part of subcall function 00415F64: InvalidateRect.USER32(?,00000000,00000001,?,00000000,?,?,004153AC,?,00000001,00000001), ref: 00415FA4
Part of subcall function 00415F64: SendMessageA.USER32(?,00000401,00000035,00000000), ref: 00415FC9
Part of subcall function 00415F64: SendMessageA.USER32(?,00000401,00000036,00000001), ref: 00415FF5
Part of subcall function 00415F64: SendMessageA.USER32(?,00000401,00000038,00000000), ref: 00416012
Part of subcall function 00415F64: SendMessageA.USER32(?,00000401,00000037,00000001), ref: 00416033

ShowWindow.USER32(?,00000005,?,00000001,00000001), ref: 004153D2
SetFocus.USER32(?,00000005,?,00000001,00000001), ref: 004153E7
GetWindowRect.USER32(?,?), ref: 004153F7
InflateRect.USER32(?,000000FB,000000FB), ref: 0041540B
SetWindowPos.USER32(?,00000000,?,?,?,?,00000014), ref: 00415430
InflateRect.USER32(?,00000005,00000005), ref: 0041543A
SetWindowPos.USER32(?,00000000,?,?,?,?,00000014), ref: 0041545A

Strings

Nothing to preview., xrefs: 00415376
DfA, xrefs: 0041540D, 0041543C
PnxPreviewCtrWnd, xrefs: 00415211
PnxPreviewWnd, xrefs: 004152F9

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Window$Rect$Message$Send$Show$CreateInflateLong$CopyDeleteDestroyFocusH_prologInvalidateOffsetRelease
String ID: DfA$Nothing to preview.$PnxPreviewCtrWnd$PnxPreviewWnd
API String ID: 3594346115-4265431829
Opcode ID: 39116ff1f062a7a87724aecae253c8d5d0f7610c3d10ce20d19b6fa839223191
Instruction ID: 1228dcd2d7c0d7446a12312ee2fc665df48d1f51d7e1e6b9ea5fd8dfc558da70
Opcode Fuzzy Hash: 39116ff1f062a7a87724aecae253c8d5d0f7610c3d10ce20d19b6fa839223191
Instruction Fuzzy Hash: 7E91BE71A00A09EFDB11DFA4CC85FEFBBB5FB48300F10452AF566962A0CB796880DB54

Function 0040DCE6 Relevance: 33.4, APIs: 18, Strings: 1, Instructions: 181stringCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040DCEB
_lopen.KERNEL32(?,00000020), ref: 0040DD10
_llseek.KERNEL32(00000000,000000F4,00000002), ref: 0040DD2C
_hread.KERNEL32(00000000,?,00000004), ref: 0040DD3B
_lclose.KERNEL32(00000000), ref: 0040DD6F
_llseek.KERNEL32(00000000,000000FC,00000002), ref: 0040DD9B
_hread.KERNEL32(00000000,?,00000004), ref: 0040DDA4
_llseek.KERNEL32(00000000,?,00000000), ref: 0040DDB5
_lcreat.KERNEL32(?,00000000), ref: 0040DDBC
lstrcpyA.KERNEL32(00000000,?), ref: 0040DDF0
_llseek.KERNEL32(00000000,000000F8,00000002), ref: 0040DE43
_llseek.KERNEL32(00000000,000000F8,00000002), ref: 0040DE59
_hwrite.KERNEL32(00000000,?,00000004), ref: 0040DE68
_hwrite.KERNEL32(00000000,?,00000004), ref: 0040DE71
_lclose.KERNEL32(00000000), ref: 0040DE7A
_lclose.KERNEL32(00000000), ref: 0040DE7D
_lclose.KERNEL32(00000000), ref: 0040DEC2
_lclose.KERNEL32(?), ref: 0040DECE

Part of subcall function 0040947B: __EH_prolog.LIBCMT ref: 00409480
Part of subcall function 0040947B: GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00409498
Part of subcall function 0040947B: lstrcatA.KERNEL32(?,\pnxetkey.dat), ref: 004094AA
Part of subcall function 0040947B: _lopen.KERNEL32(?,00000020), ref: 004094B9

Strings

.exe, xrefs: 0040DE2A

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: _lclose_llseek$H_prolog_hread_hwrite_lopen$DirectoryWindows_lcreatlstrcatlstrcpy
String ID: .exe
API String ID: 1991261225-4119554291
Opcode ID: 5b6aa85ead4fa1dfbb8d812f5e1fa48be58523a0ee55287d5684b9ac5f04f5e9
Instruction ID: 153fa918a569d8b250a03cc3f442de2539f8883686dceef6548ba4e3fe181119
Opcode Fuzzy Hash: 5b6aa85ead4fa1dfbb8d812f5e1fa48be58523a0ee55287d5684b9ac5f04f5e9
Instruction Fuzzy Hash: 5351C3B2900219BBDF219FA4DC41EBF7B78EF18324F10012AFA11B62D1D7389955DB98

Function 0041BB6F Relevance: 33.4, APIs: 18, Strings: 1, Instructions: 134stringwindowCOMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,00000008), ref: 0041BB9C
EndDialog.USER32(?,00000002), ref: 0041BBB5
GetDlgItemTextA.USER32(?,00001A2F,?,00000020), ref: 0041BBCD
lstrlenA.KERNEL32(?), ref: 0041BBD7
CharUpperBuffA.USER32(?,00000000), ref: 0041BBE2
EndDialog.USER32(?,00000001), ref: 0041BBFC
lstrcpyA.KERNEL32(00000000,?), ref: 0041BC08
IsDlgButtonChecked.USER32(?,00001ABB), ref: 0041BC1A
SetWindowLongA.USER32(?,00000008,?), ref: 0041BC6E
GetDlgItem.USER32(?,00001ABB), ref: 0041BC83
ShowWindow.USER32(00000000), ref: 0041BC8A
CheckDlgButton.USER32(?,00001ABB,00000000), ref: 0041BC9D
SendDlgItemMessageA.USER32(?,00001A2F,000000C5,00000010,00000000), ref: 0041BCC3

Strings

This password is incorrect., xrefs: 0041BC2F

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: ItemWindow$ButtonDialogLong$BuffCharCheckCheckedMessageSendShowTextUpperlstrcpylstrlen
String ID: This password is incorrect.
API String ID: 996582372-1489494177
Opcode ID: 1a112a29db745adec74337517ccf72a1212084756c20f3bf8cd91636ad677c8c
Instruction ID: 30cd563a730d07ae0787e74a56d03a0964538ec7b8ef3a8853bf8a6a341015f6
Opcode Fuzzy Hash: 1a112a29db745adec74337517ccf72a1212084756c20f3bf8cd91636ad677c8c
Instruction Fuzzy Hash: 094141B5248209BBDB205B60DC8DFDB7B6CFB08711F145425F952A62D1EB789840DBA8

Function 00419B28 Relevance: 33.2, APIs: 22, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetDlgItemInt.USER32(?,00001AD6,?,00000000), ref: 00419BCA
GetDlgItemInt.USER32(?,00001AD7,?,00000000), ref: 00419BEC
IsDlgButtonChecked.USER32(?,00001AD2), ref: 00419C15
IsDlgButtonChecked.USER32(?,00001AD5), ref: 00419C25
GetDlgItemInt.USER32(?,00001AD6,?,00000000), ref: 00419C41
GetDlgItemInt.USER32(?,00001AD7,?,00000000), ref: 00419C6D
LoadStringA.USER32(00001A77,?,0000007F,00000000), ref: 00419CA7
MessageBoxA.USER32(?,?,00000000,00000000), ref: 00419CBE
GetDlgItem.USER32(?,00001AD6), ref: 00419CCA
SetFocus.USER32(00000000), ref: 00419CD1
SetWindowLongA.USER32(?,00000000,00000001), ref: 00419CDB
LoadStringA.USER32(00001A75,?,0000007F,00000000), ref: 00419D0A
MessageBoxA.USER32(?,?,00000000,00000000), ref: 00419D21
SetWindowLongA.USER32(?,00000008), ref: 00419D32
SetDlgItemInt.USER32(?,00001AD6,?,00000001), ref: 00419D52
SetDlgItemInt.USER32(?,00001AD7,?,00000001), ref: 00419D68
CheckDlgButton.USER32(?,00001AD2,?), ref: 00419D82
CheckDlgButton.USER32(?,00001AD5,?), ref: 00419D96
GetDlgItem.USER32(?,00001ADC), ref: 00419DB5
ShowWindow.USER32(00000000), ref: 00419DB8
GetDlgItem.USER32(?,00001AD5), ref: 00419DC5
ShowWindow.USER32(00000000), ref: 00419DC8

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Item$ButtonWindow$CheckCheckedLoadLongMessageShowString$Focus
String ID:
API String ID: 3523526359-0
Opcode ID: 6df30e4fa625007df4867ec6d3b5c87256652b0a63125a793279ab8f0356808e
Instruction ID: 406f244cd65ebf10b605174561cc92ad8b6d0f49c6bf466f67d982f0a081030b
Opcode Fuzzy Hash: 6df30e4fa625007df4867ec6d3b5c87256652b0a63125a793279ab8f0356808e
Instruction Fuzzy Hash: 5F71A471204604AFEB20DFA5DCD9EFA37B8FB09704F04042EFA4686691D778AC40DB69

Function 004032B8 Relevance: 29.9, APIs: 12, Strings: 5, Instructions: 125stringwindowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageA.USER32(?,00000426,00000188,00000000,00000000), ref: 00403314
SendDlgItemMessageA.USER32(?,00000426,00000199,00000000,00000000), ref: 00403321

Part of subcall function 004017D0: DialogBoxParamA.USER32(0000006A,?,Function_00003628,?,00403331), ref: 004017E5

EndDialog.USER32(?,00000001), ref: 00403338
GetParent.USER32(?), ref: 00403348
lstrlenA.KERNEL32(?), ref: 00403392
lstrcpyA.KERNEL32(?,Signed for ), ref: 004033A8
lstrcatA.KERNEL32(?,?), ref: 004033B8
lstrcatA.KERNEL32(?, by ), ref: 004033CA
lstrcpyA.KERNEL32(?,Signed by ), ref: 004033DE
lstrcatA.KERNEL32(?,?), ref: 004033EE
SendDlgItemMessageA.USER32(?,00000426,00000180,00000000,?), ref: 00403406
SendDlgItemMessageA.USER32(?,00000426,0000019A,00000000,?), ref: 00403415

Strings

(uC, xrefs: 00403324
0, xrefs: 00403421
Signed by , xrefs: 004033D8
Signed for , xrefs: 004033A2
by , xrefs: 004033C4

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: ItemMessageSend$lstrcat$Dialoglstrcpy$ParamParentlstrlen
String ID: by $(uC$0$Signed by $Signed for
API String ID: 323108182-1896351627
Opcode ID: 1a8c814712f961737fa23e8d62605076036394fc947f9720ee532e43a0624a65
Instruction ID: a3d7154f3dad905bd73629a7a7ff75ca80e37c191bde18937e171c347050de86
Opcode Fuzzy Hash: 1a8c814712f961737fa23e8d62605076036394fc947f9720ee532e43a0624a65
Instruction Fuzzy Hash: F441CFB6504209BFDF209F65DC84EAA3F6CFB04345F404036FA04A61A0CB789A52DBAC

Function 004170DB Relevance: 28.6, APIs: 19, Instructions: 122windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 004170E9
GetClientRect.USER32(00000000,?), ref: 004170F9
ClientToScreen.USER32(00000000,?), ref: 0041710A
ClientToScreen.USER32(00000000,?), ref: 00417111
ScreenToClient.USER32(?,?), ref: 00417120
ScreenToClient.USER32(?,?), ref: 00417129
GetWindowRect.USER32(?,?), ref: 00417162
ScreenToClient.USER32(00000000,?), ref: 0041716D
ScreenToClient.USER32(00000000,?), ref: 00417174
OffsetRect.USER32(?,?,00000000), ref: 0041719B
CreateBitmap.GDI32(00000008,00000008,00000001,00000001,0043F354), ref: 004171AE
CreatePatternBrush.GDI32(00000000), ref: 004171B8
GetDC.USER32(00000000), ref: 004171C2
SelectObject.GDI32(00000000,?), ref: 004171D4
PatBlt.GDI32(00000000,?,?,?,?,005A0049), ref: 004171F3
SelectObject.GDI32(00000000,?), ref: 004171FD
ReleaseDC.USER32(?,00000000), ref: 00417203
DeleteObject.GDI32(?), ref: 00417212
DeleteObject.GDI32(?), ref: 00417217

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Client$Screen$Object$Rect$CreateDeleteSelect$BitmapBrushOffsetParentPatternReleaseWindow
String ID:
API String ID: 3741250897-0
Opcode ID: 2de595ec7c9e3290537cea3232778c3785c994b91922d9be0454a48ecbc1f078
Instruction ID: 3519ec13be64195fc3c5eb20ccfeb6de7fd462301c94ca64868b0c7f95a5900a
Opcode Fuzzy Hash: 2de595ec7c9e3290537cea3232778c3785c994b91922d9be0454a48ecbc1f078
Instruction Fuzzy Hash: E541E6B290410EBFDB149FA4DC849EEBBBCFB08350F009026BA15E6250D774AA45CFA4

Function 00435772 Relevance: 28.2, APIs: 10, Strings: 6, Instructions: 174stringCOMMON

Download Yara Rule

APIs

lstrcatA.KERNEL32(?,<Span ID="), ref: 0043583F
lstrcatA.KERNEL32(?,00000000), ref: 00435850
lstrcatA.KERNEL32(?,<Span ID="Span), ref: 00435865
lstrlenA.KERNEL32(?,0043CE98,?), ref: 00435878
lstrcatA.KERNEL32(?,0043CB2C), ref: 0043589A
lstrlenA.KERNEL32(00000000), ref: 004358AD
lstrcatA.KERNEL32(?, Begin="), ref: 004358BF
lstrcatA.KERNEL32(?,00000000), ref: 004358CE
lstrcatA.KERNEL32(?,0043CB2C), ref: 004358DC
lstrcatA.KERNEL32(?,>), ref: 004358EA

Strings

<Span ID=", xrefs: 00435839
<Span ID="Span, xrefs: 00435859
>, xrefs: 004358E4
Begin=", xrefs: 004358B9
Span, xrefs: 00435852
</Span>, xrefs: 0043593D

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: lstrcat$lstrlen
String ID: Begin="$</Span>$<Span ID="$<Span ID="Span$>$Span
API String ID: 751011610-611911509
Opcode ID: 02b12add5068419ddf1520399584627900d298e47e0c1db433cfcec06fea279f
Instruction ID: e0b0373ca92cdbe17ddfb4729c658e612dbdd5c874192605a9e865af488eb491
Opcode Fuzzy Hash: 02b12add5068419ddf1520399584627900d298e47e0c1db433cfcec06fea279f
Instruction Fuzzy Hash: 53614A71A0021CAFCF04DFA4C985BDEBBB8AF88310F1040A6F505A7251D778EA54CF69

Function 00403628 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 131stringCOMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,00000008), ref: 0040366D

Part of subcall function 004017EE: __EH_prolog.LIBCMT ref: 004017F3
Part of subcall function 004017EE: RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Internet Explorer,00000000,00000001,?), ref: 00401828
Part of subcall function 004017EE: RegQueryValueExA.ADVAPI32(?,Version,00000000,00000000,00000000,?), ref: 0040184B
Part of subcall function 004017EE: RegCloseKey.ADVAPI32(?), ref: 00401854
Part of subcall function 004017EE: lstrlenA.KERNEL32(00000000), ref: 0040185E
Part of subcall function 004017EE: MessageBoxA.USER32(?,Internet Explorer 4.0x or later must be installed for this operation to function correctly.,Newer Internet Explorer version required,00000040), ref: 0040187A

EndDialog.USER32(?,00000002), ref: 00403687
EndDialog.USER32(?,00000002), ref: 004036AA
GetParent.USER32(?), ref: 004036BE
SetWindowLongA.USER32(?,00000008,?), ref: 004036D4
lstrcpyA.KERNEL32(?,?), ref: 004036F0
lstrcatA.KERNEL32(?,0043C680), ref: 00403708
lstrcatA.KERNEL32(?,?), ref: 00403714
lstrcatA.KERNEL32(?,0043C1A0), ref: 00403722
SetDlgItemTextA.USER32(?,000004BA,?), ref: 00403737
UuidToStringA.RPCRT4(004453E0,?), ref: 00403742
SetDlgItemTextA.USER32(?,0000041E,?), ref: 00403751
RpcStringFreeA.RPCRT4(?), ref: 00403757
SetDlgItemTextA.USER32(?,0000041B,?), ref: 00403766
SetDlgItemTextA.USER32(?,000004BB,?), ref: 0040378C

Strings

(uC, xrefs: 00403674, 00403775

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: ItemText$lstrcat$DialogLongStringWindow$CloseFreeH_prologMessageOpenParentQueryUuidValuelstrcpylstrlen
String ID: (uC
API String ID: 3442865328-1954698195
Opcode ID: 88207d4260244c7a395d9a9e7c502c6eaebcd107da65464754800c3bca5b9f0d
Instruction ID: ab5a52c7e141ec66af67e48fa5a07a10a0f02d1afa51a8703077517d517da458
Opcode Fuzzy Hash: 88207d4260244c7a395d9a9e7c502c6eaebcd107da65464754800c3bca5b9f0d
Instruction Fuzzy Hash: 784192B6500209BBDB209F64DC89FEA3B6CEB48701F104476FA45E6190C779EA84DF68

Function 00413345 Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 198windowCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041334A
_lcreat.KERNEL32(00000000,00000000), ref: 00413446
LoadStringA.USER32(00001A4E,00000000,00000100), ref: 00413472
MessageBoxA.USER32(?,?,00000000,00000000), ref: 00413485
LoadCursorA.USER32(00000000,00007F02), ref: 004134A2
SetCursor.USER32(00000000), ref: 004134A9
_hwrite.KERNEL32(?,?,?), ref: 00413542
LoadCursorA.USER32(00000000,00007F00), ref: 00413561
SetCursor.USER32(00000000), ref: 00413568
_lclose.KERNEL32(?), ref: 0041359A

Strings

.xml, xrefs: 0041342F
$uC, xrefs: 0041350D
txt, xrefs: 004133F9
QAA, xrefs: 00413358
ASCII, xrefs: 004133DE

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Cursor$Load$H_prologMessageString_hwrite_lclose_lcreat
String ID: $uC$.xml$ASCII$QAA$txt
API String ID: 3339625415-1214683660
Opcode ID: c3a0fb705bc7c662d2417e517959ef31b83e1ba8a100156cf789d024aa48c10e
Instruction ID: daa04e774fec3ee4cf8ec01445659955fbee6087791f082c9a03d7f30201a3a6
Opcode Fuzzy Hash: c3a0fb705bc7c662d2417e517959ef31b83e1ba8a100156cf789d024aa48c10e
Instruction Fuzzy Hash: 1361A2B2904215BEDF16AFA5EC459EEBF75FF09314F10002EF500A21A1DB794A50DB6D

Function 004351E2 Relevance: 26.4, APIs: 8, Strings: 7, Instructions: 180stringCOMMON

Download Yara Rule

APIs

lstrcatA.KERNEL32(?,<Page ID="), ref: 0043523A
lstrcatA.KERNEL32(?,00000000), ref: 0043524B
lstrcatA.KERNEL32(?,<Page ID="Page), ref: 0043526D
lstrlenA.KERNEL32(?,0043CE98,?), ref: 00435283
lstrcatA.KERNEL32(?," Number="), ref: 004352A5
lstrlenA.KERNEL32(?,%ld,?), ref: 004352B6
lstrcatA.KERNEL32(?,">), ref: 004352D8
lstrcatA.KERNEL32(?,</Page>), ref: 004353D1

Strings

%ld, xrefs: 004352B0
Page, xrefs: 00435253
<Page ID=", xrefs: 00435234
<Page ID="Page, xrefs: 00435267
</Page>, xrefs: 004353CB
" Number=", xrefs: 0043529F
">, xrefs: 004352D2

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: lstrcat$lstrlen
String ID: " Number="$">$%ld$</Page>$<Page ID="$<Page ID="Page$Page
API String ID: 751011610-1038023677
Opcode ID: 7538abce6769529743090ccf1b676293e1bff2e955329daeec99ad1219b1f6bd
Instruction ID: efc91013a1c2cb6ffb2d753c3036ab306e4d61c960a4002010f73389565069d5
Opcode Fuzzy Hash: 7538abce6769529743090ccf1b676293e1bff2e955329daeec99ad1219b1f6bd
Instruction Fuzzy Hash: 896183B1A0020DABCF10DF64CD44BDE7BB8BF88314F1484AAE94597251D778DA45CF69

Function 00411CA5 Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 148stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,?,7626F720,76230440), ref: 00411CD6
_hwrite.KERNEL32(?,00000001,00000000), ref: 00411CDF
lstrlenA.KERNEL32(?,?,7626F720,76230440), ref: 00411CE4
wsprintfA.USER32 ref: 00411D0F
lstrcpyA.KERNEL32(?,0043E3A0,?,7626F720,76230440), ref: 00411D23
lstrlenA.KERNEL32(?,?,7626F720,76230440), ref: 00411D2D
_hwrite.KERNEL32(?,?,00000000), ref: 00411D37
_hwrite.KERNEL32(00000000,?,00000000), ref: 00411D79
lstrlenA.KERNEL32(?,?,7626F720,76230440), ref: 00411DB0
_hwrite.KERNEL32(00000000,00000001,00000000), ref: 00411DB9
_hwrite.KERNEL32(00000045,0043E39C,00000002), ref: 00411DD1
_hwrite.KERNEL32(00000045,0043E39C,00000002), ref: 00411E06
_hwrite.KERNEL32(00000045,0043E39C,00000002), ref: 00411E1A

Strings

%2d, xrefs: 00411D09
E, xrefs: 00411D4B

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: _hwrite$lstrlen$lstrcpywsprintf
String ID: %2d$E
API String ID: 4055534068-765546502
Opcode ID: 890aa773619f9c2e4001bb816b42cb70ef45db9bd100c044819f547f26e6f62d
Instruction ID: ab0618835452fe394f7a98805db70394503ed6dfaf02b9d545979d36c420cbb8
Opcode Fuzzy Hash: 890aa773619f9c2e4001bb816b42cb70ef45db9bd100c044819f547f26e6f62d
Instruction Fuzzy Hash: 95516A71904208AFDF249FA5DC44AEE7BB9EF48304F14802BFE0597261D739A991CF98

Function 00427D34 Relevance: 26.4, APIs: 6, Strings: 9, Instructions: 138synchronizationCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00427D39
WaitForSingleObject.KERNEL32(?,?,?), ref: 00427D6E
ResetEvent.KERNEL32(?,?,?), ref: 00427D84
GetLastError.KERNEL32 ref: 00427D9D
SetEvent.KERNEL32(?), ref: 00427DC9
SetEvent.KERNEL32(?), ref: 00427E95

Strings

(, xrefs: 00427E2A
@, xrefs: 00427DE9
Downloading data..., xrefs: 00427DAE
Read %lu bytes., xrefs: 00427E58
Read request timed out., xrefs: 00427EBD
$uC, xrefs: 00427D5E
Download complete., xrefs: 00427EC4
Download request timed out., xrefs: 00427E9B
Downloaded %lu bytes., xrefs: 00427DDA

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Event$ErrorH_prologLastObjectResetSingleWait
String ID: $uC$($@$Download complete.$Download request timed out.$Downloaded %lu bytes.$Downloading data...$Read %lu bytes.$Read request timed out.
API String ID: 2931931884-3240048064
Opcode ID: bf06ae5918019cd186faeabdcf95a3eca333ee51cfaa85c5fa6b7084e0cdc1b9
Instruction ID: a5cb610f12decfd1d7c19ca3b8eb8ae89cff26e48d34e1f68463e81f73022d68
Opcode Fuzzy Hash: bf06ae5918019cd186faeabdcf95a3eca333ee51cfaa85c5fa6b7084e0cdc1b9
Instruction Fuzzy Hash: B751CFB1E04228ABDB219F96EC459AFFBF9FF94700F60455FE011A2250C7794E01CBA9

Function 0041C69A Relevance: 25.8, APIs: 17, Instructions: 292stringCOMMON

Download Yara Rule

APIs

SelectObject.GDI32(?,?), ref: 0041C6E9
SetTextColor.GDI32(?,00000080), ref: 0041C6F3
lstrlenA.KERNEL32(?,?,751E5070,0041C161,?,?,00000000,?,?,?,?), ref: 0041C6FC
TextOutA.GDI32(?,?,?,?,00000000), ref: 0041C715
SetTextColor.GDI32(?,00000000), ref: 0041C726
MoveToEx.GDI32(?,00000000,?,00000000), ref: 0041C747
LineTo.GDI32(?,?,?), ref: 0041C75C
wsprintfA.USER32 ref: 0041C775
SelectObject.GDI32(?,?), ref: 0041C790
SetTextColor.GDI32(?,00808080), ref: 0041C7A0
TextOutA.GDI32(?,?,?,?,?), ref: 0041C7F6
SetTextColor.GDI32(?,00000000), ref: 0041C80D
SelectObject.GDI32(?,?), ref: 0041C835
SelectObject.GDI32(?,?), ref: 0041C866
SetTextColor.GDI32(?,00000000), ref: 0041C8B0
TextOutA.GDI32(?,00000000,?,?,?), ref: 0041C937
SetTextColor.GDI32(?,?), ref: 0041C95C

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Text$Color$ObjectSelect$LineMovelstrlenwsprintf
String ID:
API String ID: 2827444756-0
Opcode ID: c37553a410788ad529cce8f1ae87cb2851dd7232fcff5e18a76f528f0d667a3b
Instruction ID: ccf717027397931fe39301c1cfef318ffdf5eb5095be8366e25a64bd9951c44d
Opcode Fuzzy Hash: c37553a410788ad529cce8f1ae87cb2851dd7232fcff5e18a76f528f0d667a3b
Instruction Fuzzy Hash: C4C10171600109EFDF159FA4CD88DAEBBB6FF08344B144069F98596260C736EDA1DFA4

Function 00425293 Relevance: 25.7, APIs: 17, Instructions: 186stringCOMMON

Download Yara Rule

APIs

SelectObject.GDI32(?,00000000), ref: 00425315
SelectObject.GDI32(?,?), ref: 00425320
GetTextMetricsA.GDI32(?,?), ref: 0042532C
lstrlenA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00000000,?,00000000), ref: 00425355
TextOutA.GDI32(?,00000000), ref: 0042538D
SetTextAlign.GDI32(?,00000006), ref: 004253A8
lstrlenA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00000000,?,00000000), ref: 004253AD
TextOutA.GDI32(?,00000000), ref: 004253EE
SetTextAlign.GDI32(?,00000000), ref: 004253F7
SetTextAlign.GDI32(?,00000002), ref: 00425408
lstrlenA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00000000,?,00000000), ref: 0042540D
TextOutA.GDI32(?,00000000), ref: 00425446
SetTextAlign.GDI32(?,00000000), ref: 0042544F
SelectObject.GDI32(00000000,00000000), ref: 0042546E
SelectObject.GDI32(?,?), ref: 00425474
DeleteObject.GDI32(00000000), ref: 0042547F
DeleteObject.GDI32(00000000), ref: 00425484

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Text$Object$AlignSelect$lstrlen$Delete$Metrics
String ID:
API String ID: 3220575052-0
Opcode ID: 026936b2c214f907f64c630d94bc111119127e4da2fd46c056303ad521412fad
Instruction ID: 040977616e85c5dc81fcf48d798b33672e0b02798d3005b60c5682c405e9d253
Opcode Fuzzy Hash: 026936b2c214f907f64c630d94bc111119127e4da2fd46c056303ad521412fad
Instruction Fuzzy Hash: 9C6156B1900219FFDF11AFA4DC44AAEBF79FF08314F00945AF955A6161C3399960DFA4

Function 0041312F Relevance: 24.6, APIs: 10, Strings: 4, Instructions: 141windowCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00413134

Part of subcall function 00412D66: __EH_prolog.LIBCMT ref: 00412D6B

_lcreat.KERNEL32(00000000,00000000), ref: 004131DC
LoadStringA.USER32(00001A4E,00000000,00000100), ref: 0041320C
MessageBoxA.USER32(?,?,00000000,00000000), ref: 0041321F
LoadCursorA.USER32(00000000,00007F02), ref: 00413239
SetCursor.USER32(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00413240
_hwrite.KERNEL32(00437AD8,?,?), ref: 00413284
LoadCursorA.USER32(00000000,?), ref: 004132A5
SetCursor.USER32(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004132AC
_lclose.KERNEL32(00437AD8), ref: 004132DE

Strings

XML, xrefs: 004131AE
$uC, xrefs: 0041326A, 00413275
xml, xrefs: 004131B5
QAA, xrefs: 00413142

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Cursor$Load$H_prolog$MessageString_hwrite_lclose_lcreat
String ID: $uC$QAA$XML$xml
API String ID: 2483342114-55689072
Opcode ID: c36d8f33dc90289c73cd4a63ca794faa3e9a8c9bdf027c31a09bf46383bfa1b7
Instruction ID: 5db12b73e01885e2e35476b4ab30db883e22f0c8aa02d947a8bdf4df18fb3de9
Opcode Fuzzy Hash: c36d8f33dc90289c73cd4a63ca794faa3e9a8c9bdf027c31a09bf46383bfa1b7
Instruction Fuzzy Hash: FE516FB1904219AEDB12AFA5EC469EEBB74FF08308F10416EF54472191CB790A50DB69

Function 00428105 Relevance: 24.6, APIs: 3, Strings: 11, Instructions: 90COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?), ref: 0042818C
ResetEvent.KERNEL32(?), ref: 0042819C

Part of subcall function 00427F30: SetEvent.KERNEL32(?), ref: 00427F42

Strings

Sending request..., xrefs: 0042816E
Connecting to server: %s, xrefs: 00428145
Resolving name: %s, xrefs: 00428159
Connection closed, xrefs: 0042820D
Receiving response..., xrefs: 004281A2
Response received, xrefs: 00428192
Request sent, xrefs: 004281A9
Connected to server: %s, xrefs: 0042813B
Redirected: %s, xrefs: 004281D8
Name resolved: %s, xrefs: 0042814F
Closing connection..., xrefs: 004281B0

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Event$Reset
String ID: Closing connection...$Connected to server: %s$Connecting to server: %s$Connection closed$Name resolved: %s$Receiving response...$Redirected: %s$Request sent$Resolving name: %s$Response received$Sending request...
API String ID: 926831536-1001971985
Opcode ID: 0e71bb2c99253dc93235dddde105b4b4895623fbd705bd72109f34d4453b29eb
Instruction ID: 9da0cb78b6b988e8dca5bcba4910bf5fbd83613957a2a1234452315cacaad0f5
Opcode Fuzzy Hash: 0e71bb2c99253dc93235dddde105b4b4895623fbd705bd72109f34d4453b29eb
Instruction Fuzzy Hash: 8A21E632386A34E6DA310EA8BA0DA3E3650F701700FF4464FF501556D6CDBD9933AA6E

Function 004057D7 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 70stringCOMMON

Download Yara Rule

APIs

GetTempPathA.KERNEL32(00000104,?), ref: 004057FF
GetTempFileNameA.KERNEL32(?,~eh,00000000,00000000), ref: 00405824

Part of subcall function 00429610: DeleteFileA.KERNELBASE(?,00403B78,?,?,00000000,?,00000000,00000000,0042A789,00000000), ref: 00429614
Part of subcall function 00429610: GetLastError.KERNEL32(?,00000000,?,00000000,00000000,0042A789,00000000), ref: 0042961E

lstrcatA.KERNEL32(?,\viewhelp.hlp), ref: 00405852
FindResourceA.KERNEL32(00000FB7,BININC), ref: 00405868
SizeofResource.KERNEL32(00000000), ref: 00405877
LoadResource.KERNEL32(00000000), ref: 00405887
LockResource.KERNEL32(00000000), ref: 00405891
_lcreat.KERNEL32(?,00000000), ref: 004058A4
_hwrite.KERNEL32(00000000,00000000,?), ref: 004058B1
_lclose.KERNEL32(00000000), ref: 004058B8
FreeResource.KERNEL32(?), ref: 004058C1

Strings

\viewhelp.hlp, xrefs: 00405847
BININC, xrefs: 00405858
~eh, xrefs: 0040581E

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Resource$FileTemp$DeleteErrorFindFreeLastLoadLockNamePathSizeof_hwrite_lclose_lcreatlstrcat
String ID: BININC$\viewhelp.hlp$~eh
API String ID: 3757150938-2111237349
Opcode ID: d387f53957bc613beb618b68f1b97a07e346e02b4aa38e34aa4e4e1957720b53
Instruction ID: 8061c85e01139017e390883415c01a312aaf2cc0ccd9768a4c7d4a3c751c8ee5
Opcode Fuzzy Hash: d387f53957bc613beb618b68f1b97a07e346e02b4aa38e34aa4e4e1957720b53
Instruction Fuzzy Hash: 48215BB2504208FFDB216FB4EC4AE9B7BBDFB49301F00547AF592A2261DBB51950DB18

Function 00415BFE Relevance: 24.2, APIs: 16, Instructions: 152COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00415C26
OffsetRect.USER32(?,?,?), ref: 00415C3C
GetDC.USER32(?), ref: 00415C48

Part of subcall function 004251B1: GetDeviceCaps.GDI32(?,00000070), ref: 004251C6
Part of subcall function 004251B1: GetDeviceCaps.GDI32(?,00000071), ref: 004251CE
Part of subcall function 004251B1: GetDeviceCaps.GDI32(?,00000058), ref: 004251D8
Part of subcall function 004251B1: GetDeviceCaps.GDI32(?,00000008), ref: 004251DF
Part of subcall function 004251B1: GetDeviceCaps.GDI32(?,00000058), ref: 004251E7
Part of subcall function 004251B1: GetDeviceCaps.GDI32(?,0000005A), ref: 004251F8
Part of subcall function 004251B1: GetDeviceCaps.GDI32(?,0000000A), ref: 004251FF
Part of subcall function 004251B1: GetDeviceCaps.GDI32(?,0000005A), ref: 00425207
Part of subcall function 004251B1: GetDeviceCaps.GDI32(?,00000058), ref: 00425218
Part of subcall function 004251B1: GetDeviceCaps.GDI32(?,00000058), ref: 00425223
Part of subcall function 004251B1: GetDeviceCaps.GDI32(?,0000005A), ref: 00425233
Part of subcall function 004251B1: GetDeviceCaps.GDI32(?,0000005A), ref: 00425241
Part of subcall function 004251B1: __ftol.LIBCMT ref: 00425260
Part of subcall function 004251B1: __ftol.LIBCMT ref: 0042527B
Part of subcall function 004251B1: SetRect.USER32(00000000,00000000,00000000,00000000,00000000), ref: 00425288

GetSystemMetrics.USER32(00000003), ref: 00415C7B
GetSystemMetrics.USER32(00000003), ref: 00415C97
SetScrollRange.USER32(00000000,00000001,00000000,?,00000001), ref: 00415CC3
SetScrollPos.USER32(?,00000001,00000000,00000001), ref: 00415CD1
GetSystemMetrics.USER32(00000002), ref: 00415CE0
GetSystemMetrics.USER32(00000002), ref: 00415CFE
SetScrollRange.USER32(?,00000000,00000000,?,00000001), ref: 00415D23
SetScrollPos.USER32(?,00000000,00000000,00000001), ref: 00415D2F
OffsetRect.USER32(?,?,?), ref: 00415D8F
__ftol.LIBCMT ref: 00415DA1
ReleaseDC.USER32(?,?), ref: 00415DBB
GetClientRect.USER32(?,?), ref: 00415DCD
InvalidateRect.USER32(?,?,00000001), ref: 00415DDB

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: CapsDevice$Rect$MetricsScrollSystem$__ftol$OffsetRange$ClientInvalidateReleaseWindow
String ID:
API String ID: 2336511427-0
Opcode ID: 0c4ffa5e758ee966805b9285d8fcaa85fd0184d84fb296698e8c2918906d2328
Instruction ID: a5b95174432240b8b3e253331b135cc095a1aa5e7ce80584f7e368a7bc8fd308
Opcode Fuzzy Hash: 0c4ffa5e758ee966805b9285d8fcaa85fd0184d84fb296698e8c2918906d2328
Instruction Fuzzy Hash: 2351487160060AEFEB20DFB8CD89FEBBBB9EF44300F01055DE59AA6090DB71A951CB54

Function 00407D7D Relevance: 24.1, APIs: 16, Instructions: 133windowstringCOMMON

Download Yara Rule

APIs

CreateCompatibleDC.GDI32(?), ref: 00407E1B
CreateCompatibleDC.GDI32(?), ref: 00407E22
SetTextAlign.GDI32(?,00000000), ref: 00407E2B
SetTextColor.GDI32(?,00000000), ref: 00407E36
GetSysColor.USER32(0000000F), ref: 00407E3E
SetBkColor.GDI32(?,00000000), ref: 00407E48
SelectObject.GDI32(00000000,?), ref: 00407E56
BitBlt.GDI32(?,?,?,0000000C,0000000C,00000000,00000000,00000000,008800C6), ref: 00407E79
SelectObject.GDI32(00000000,?), ref: 00407E84
BitBlt.GDI32(?,?,?,0000000C,0000000C,00000000,00000000,00000000,00660046), ref: 00407EA7
lstrlenA.KERNEL32(?), ref: 00407EB1
TextOutA.GDI32(?,?,?,?,00000000), ref: 00407ECC
SelectObject.GDI32(00000000,?), ref: 00407ED7
SelectObject.GDI32(00000000,0043CBB0), ref: 00407EDE
DeleteDC.GDI32(00000000), ref: 00407EE7
DeleteDC.GDI32(00000000), ref: 00407EEA

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: ObjectSelect$ColorText$CompatibleCreateDelete$Alignlstrlen
String ID:
API String ID: 1840064652-0
Opcode ID: 743870f9f7ffb7350370d919c4362007d7c22cdf2152485cf9f4788e75e2ed31
Instruction ID: 12e35cb120f04205a42c445f84f6ac682e9fc988de9aa44ae05a1a5f146908ce
Opcode Fuzzy Hash: 743870f9f7ffb7350370d919c4362007d7c22cdf2152485cf9f4788e75e2ed31
Instruction Fuzzy Hash: 4D415E71508300AFE7209F14DC44F67BBB9FF48744F244969F586AB2A2C736AC068BA5

Function 00402AD3 Relevance: 24.1, APIs: 16, Instructions: 130COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,00000008), ref: 00402ADF
IsDlgButtonChecked.USER32(?,00000409), ref: 00402B26
IsDlgButtonChecked.USER32(?,00000408), ref: 00402B3A
IsDlgButtonChecked.USER32(?,000003F4), ref: 00402B4E
IsDlgButtonChecked.USER32(?,0000042E), ref: 00402BAF
IsDlgButtonChecked.USER32(?,0000042F), ref: 00402BC3
EndDialog.USER32(?,00000001), ref: 00402BD4
GetParent.USER32(?), ref: 00402BE2
SetWindowLongA.USER32(?,00000008,?), ref: 00402BF8
CheckDlgButton.USER32(?,00000409,?), ref: 00402C16
CheckDlgButton.USER32(?,00000408,?), ref: 00402C2A
CheckRadioButton.USER32(?,000003F4,000003F7,?), ref: 00402C47
CheckDlgButton.USER32(?,0000042E,?), ref: 00402C5F
CheckDlgButton.USER32(?,0000042F,?), ref: 00402C73

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Button$CheckChecked$LongWindow$DialogParentRadio
String ID:
API String ID: 1571229196-0
Opcode ID: e826e94c418414652f907fb115532933dcbd00bd55324dea295e742eb101d5da
Instruction ID: 62329dda35ad1ec153886648e45f8e56960f1ada57f075b1b3a8c6356c467a2f
Opcode Fuzzy Hash: e826e94c418414652f907fb115532933dcbd00bd55324dea295e742eb101d5da
Instruction Fuzzy Hash: 004177B1644309BFE7149F34CD49FE677ACFB08700F044476BB49AB2D1DAB8A8419BA4

Function 00423F04 Relevance: 22.7, APIs: 15, Instructions: 191memorystringCOMMON

Download Yara Rule

APIs

lstrcpyA.KERNEL32(?,?,00000000,?,00000008,?,?,?,?,00000000,?,?,?,?,?,004157C5), ref: 00423F29
GetPrinterA.WINSPOOL.DRV(00000000,00000002,00000000,00000000,?,?,?,?,?,?,004157C5,?,?,00000000), ref: 00423F3A
GetPrinterA.WINSPOOL.DRV(00000000,00000002,00000000,00000000,00000000,00000000,00000002,00000000,00000000,?,?,?,?,?,?,004157C5), ref: 00423F57
GetLastError.KERNEL32 ref: 00423F6A
GlobalUnlock.KERNEL32(00000000), ref: 00423F85
GlobalFree.KERNEL32(00000002), ref: 00423F92
DeviceCapabilitiesA.WINSPOOL.DRV(00000000,?,0000000B,00000000,00000000,00000000,00000002,00000000,00000000,00000000,00000000,00000002,00000000,00000000,?), ref: 00423FBF
DeviceCapabilitiesA.WINSPOOL.DRV(00000001,?,00000001,00000000,00000000,?,?,?,?,?,004157C5,?,?,00000000), ref: 00423FCB
DeviceCapabilitiesA.WINSPOOL.DRV(00000007,?,00000007,00000000,00000000,?,?,?,?,?,004157C5,?,?,00000000), ref: 00423FE6
DeviceCapabilitiesA.WINSPOOL.DRV(00000012,?,00000012,00000000,00000000,?,?,?,?,?,004157C5,?,?,00000000), ref: 00424011
DeviceCapabilitiesA.WINSPOOL.DRV(00000016,?,00000016,00000000,00000000,?,?,?,?,?,004157C5,?,?,00000000), ref: 0042403D
DocumentPropertiesA.WINSPOOL.DRV(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,004157C5,?,?,00000000), ref: 00424060
GlobalAlloc.KERNEL32(00000042,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,004157C5,?,?), ref: 0042406C
GlobalLock.KERNEL32(00000000,?,?,?,?,?,004157C5,?,?,00000000), ref: 00424075
DocumentPropertiesA.WINSPOOL.DRV(00000000,00000000,00000000,00000000,00000000,00000002,?,?,?,?,?,004157C5,?,?,00000000), ref: 0042409C

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: CapabilitiesDevice$Global$DocumentPrinterProperties$AllocErrorFreeLastLockUnlocklstrcpy
String ID:
API String ID: 564296290-0
Opcode ID: ec6995a2a3b92ace4afa875e852458d0071410c0afedda6bf9cec7282132193b
Instruction ID: 0b3d78b63394f3326d9f17508e8b1788662855d8580b5a0b6ec0937a34edafa1
Opcode Fuzzy Hash: ec6995a2a3b92ace4afa875e852458d0071410c0afedda6bf9cec7282132193b
Instruction Fuzzy Hash: 8161AE71A00219EFCF228F51EC45EAB7BB5FF88700F50806AFA049B260C7799991DF64

Function 0042548B Relevance: 22.6, APIs: 15, Instructions: 150stringCOMMON

Download Yara Rule

APIs

GetDeviceCaps.GDI32(00000000,0000005A), ref: 004254E5
CreateFontA.GDI32(?,?,?,?,?,?,?,?,?,?,?,00424C59,?,?), ref: 004254F2
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00425510
__ftol.LIBCMT ref: 00425524
CreateFontA.GDI32(00000000,?,?,?,?,?,?,?,?,?,?,00424C59,?,?), ref: 0042552A
SelectObject.GDI32(?,?), ref: 00425539
lstrlenA.KERNEL32(?,?), ref: 0042554E
GetTextExtentPointA.GDI32(?,?,00000000), ref: 0042555B
lstrlenA.KERNEL32(?,?), ref: 0042556D
GetTextExtentPointA.GDI32(?,?,00000000), ref: 0042557A
lstrlenA.KERNEL32(?,?), ref: 0042558C
GetTextExtentPointA.GDI32(?,?,00000000), ref: 00425599
SelectObject.GDI32(?,?), ref: 004255A5
DeleteObject.GDI32(?), ref: 004255E5
DeleteObject.GDI32(?), ref: 004255F0

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Object$ExtentPointTextlstrlen$CapsCreateDeleteDeviceFontSelect$__ftol
String ID:
API String ID: 2432609737-0
Opcode ID: 092537acc6b95a41e6f62ff6ff07cf5cab0fd3c62867a36c3ab7bdeffce1519a
Instruction ID: ba7b4a8b3251d1563631fb66c3886072b01a3a7a90e8f038e2f22817f73fc5b5
Opcode Fuzzy Hash: 092537acc6b95a41e6f62ff6ff07cf5cab0fd3c62867a36c3ab7bdeffce1519a
Instruction Fuzzy Hash: 71512571A01129EFCF159FA9DC498EE7FB9FF08310F508166FA09A6260C7309950DF94

Function 004251B1 Relevance: 22.6, APIs: 15, Instructions: 99COMMON

Download Yara Rule

APIs

GetDeviceCaps.GDI32(?,00000070), ref: 004251C6
GetDeviceCaps.GDI32(?,00000071), ref: 004251CE
GetDeviceCaps.GDI32(?,00000058), ref: 004251D8
GetDeviceCaps.GDI32(?,00000008), ref: 004251DF
GetDeviceCaps.GDI32(?,00000058), ref: 004251E7
GetDeviceCaps.GDI32(?,0000005A), ref: 004251F8
GetDeviceCaps.GDI32(?,0000000A), ref: 004251FF
GetDeviceCaps.GDI32(?,0000005A), ref: 00425207
GetDeviceCaps.GDI32(?,00000058), ref: 00425218
GetDeviceCaps.GDI32(?,00000058), ref: 00425223
GetDeviceCaps.GDI32(?,0000005A), ref: 00425233
GetDeviceCaps.GDI32(?,0000005A), ref: 00425241
__ftol.LIBCMT ref: 00425260
__ftol.LIBCMT ref: 0042527B
SetRect.USER32(00000000,00000000,00000000,00000000,00000000), ref: 00425288

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: CapsDevice$__ftol$Rect
String ID:
API String ID: 1629992435-0
Opcode ID: d300e145ff3e847a4a56723d3578cee4c6f066ebe1dbf33598ba7999064cc0f7
Instruction ID: 0b257455a3ffcf16e9d6c16a8bcac9f05029ff1ba85f9534597f075744d7ba5a
Opcode Fuzzy Hash: d300e145ff3e847a4a56723d3578cee4c6f066ebe1dbf33598ba7999064cc0f7
Instruction Fuzzy Hash: 32314670B003187BDB149F79CC45B6E7FF9EF45701F105026BA05E61E1DAB499548F80

Function 00412F5B Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 159filewindowCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00412F60
LoadCursorA.USER32(00000000,00007F02), ref: 0041305B
SetCursor.USER32(00000000), ref: 00413062
CopyFileA.KERNEL32(?,00000000,00000000), ref: 004130BB
MessageBoxA.USER32(?,00000000,00000000), ref: 004130D0
LoadCursorA.USER32(00000000,00007F00), ref: 004130DC
SetCursor.USER32(00000000), ref: 004130E3

Strings

.exe, xrefs: 00413040
.ptx, xrefs: 00413080
ptx, xrefs: 00412FFD
E-Transcript, xrefs: 00412FF2
QAA, xrefs: 00412F6E

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Cursor$Load$CopyFileH_prologMessage
String ID: .exe$.ptx$E-Transcript$QAA$ptx
API String ID: 289754539-245839904
Opcode ID: 00fe2a13d27fcdcb5a82e2e7a2e4a34c805cad06f15a701202ed7a1410b938eb
Instruction ID: f5477b3f0f7b9b5ba19a5e115c8a98553a1d80041f2c7e1200364890c5f9b007
Opcode Fuzzy Hash: 00fe2a13d27fcdcb5a82e2e7a2e4a34c805cad06f15a701202ed7a1410b938eb
Instruction Fuzzy Hash: E941F772A05215BEDB15AFB1AC46DEF7BA8EF09744F10406FF400A21C1DA794E94CBAD

Function 004135CD Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 68windowstringCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 004135E1
GetWindowLongA.USER32(?,00000008), ref: 004135EE
GetDlgItem.USER32(00000000,00000470), ref: 00413624
SendMessageA.USER32(00000000), ref: 00413627
GetDlgItem.USER32(00000000,0000047C), ref: 00413636
IsWindowVisible.USER32(00000000), ref: 00413639
GetDlgItemTextA.USER32(00000000,0000047C,?,00000104), ref: 0041365B
lstrcpyA.KERNEL32(00000000,.exe), ref: 0041368E
SetDlgItemTextA.USER32(00000000,0000047C,?), ref: 0041369F

Strings

.exe, xrefs: 00413688
.ptx, xrefs: 0041367B
N, xrefs: 004135F4

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Item$TextWindow$LongMessageParentSendVisiblelstrcpy
String ID: .exe$.ptx$N
API String ID: 1615166204-2053508879
Opcode ID: 0f6509b9d2162ae89601cf4a7000b984d5b6f18018abb6a717c70218fe7c5602
Instruction ID: ae8ddf97aff42a4b5ec22b0f42b8bdad17ad67bf4480ef262c1f420b3647cadb
Opcode Fuzzy Hash: 0f6509b9d2162ae89601cf4a7000b984d5b6f18018abb6a717c70218fe7c5602
Instruction Fuzzy Hash: 7E2199B1544308FBEF309F60DC49BDA3BACEB14715F109055FA85A6190C7788A80DF58

Function 00424346 Relevance: 19.6, APIs: 13, Instructions: 124COMMON

Download Yara Rule

APIs

GetDeviceCaps.GDI32(?,0000005A), ref: 0042437A
__ftol.LIBCMT ref: 0042438D
CreateFontA.GDI32(00000000), ref: 00424393
SelectObject.GDI32(?,00000000), ref: 004243A5
GetTextMetricsA.GDI32(?,?), ref: 004243B1
SelectObject.GDI32(?,?), ref: 004243BD
DeleteObject.GDI32(?), ref: 0042440C
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0042442B
__ftol.LIBCMT ref: 0042443F
CreateFontA.GDI32(00000000), ref: 00424445
SelectObject.GDI32(?,00000000), ref: 0042445A
GetTextMetricsA.GDI32(00000000,00001FFF), ref: 00424466
SelectObject.GDI32(00000000,?), ref: 00424472

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Object$Select$CapsCreateDeviceFontMetricsText__ftol$Delete
String ID:
API String ID: 414540973-0
Opcode ID: 11e630ff0be1bf7c8dac9a0cb3ec7d327cfe411d7be4efbb06315e3f2c253e4d
Instruction ID: 5ab5940efb1c77819722d37c0d245fca02efa066f53940e958e84d62726a1437
Opcode Fuzzy Hash: 11e630ff0be1bf7c8dac9a0cb3ec7d327cfe411d7be4efbb06315e3f2c253e4d
Instruction Fuzzy Hash: 5D414471200219EFDF21AF61EC099DE7FB9FF48364F424229F948A6260C7319861CFA4

Function 0041C0BC Relevance: 19.6, APIs: 13, Instructions: 102windowCOMMON

Download Yara Rule

APIs

SelectPalette.GDI32(?,00000000), ref: 0041C0D3
RealizePalette.GDI32(?), ref: 0041C0DD
CreatePen.GDI32(00000000,00000001,00000000), ref: 0041C0F4
SelectObject.GDI32(?,00000000), ref: 0041C105
SelectObject.GDI32(?,?), ref: 0041C10E
GetTextMetricsA.GDI32(?,?), ref: 0041C118
GetClientRect.USER32(?,?), ref: 0041C125
GetStockObject.GDI32(00000000), ref: 0041C12D
FillRect.USER32(?,?,00000000), ref: 0041C139

Part of subcall function 0041C1C1: CreateFontA.GDI32(00000090,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000012,Times New Roman), ref: 0041C22D
Part of subcall function 0041C1C1: SelectObject.GDI32(?,00000000), ref: 0041C240
Part of subcall function 0041C1C1: GetTextMetricsA.GDI32(?,?), ref: 0041C24F
Part of subcall function 0041C1C1: SelectObject.GDI32(?,?), ref: 0041C25B
Part of subcall function 0041C1C1: SelectObject.GDI32(?,?), ref: 0041C26B
Part of subcall function 0041C1C1: GetTextMetricsA.GDI32(?,?), ref: 0041C277
Part of subcall function 0041C1C1: SelectObject.GDI32(?,?), ref: 0041C283
Part of subcall function 0041C1C1: SetBkMode.GDI32(?,00000001), ref: 0041C28A

SelectPalette.GDI32(?,00000000,00000001), ref: 0041C19F
SelectObject.GDI32(?,?), ref: 0041C1A9
SelectObject.GDI32(?,?), ref: 0041C1AF
DeleteObject.GDI32(?), ref: 0041C1B4

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: ObjectSelect$MetricsPaletteText$CreateRect$ClientDeleteFillFontModeRealizeStock
String ID:
API String ID: 1328710672-0
Opcode ID: 0edcf21d4a33b2af0069cebb717d7df16684823be1a18f773de713fe441d1c2b
Instruction ID: 341e597bceb0c826d6bfd4c072fd7dd45564d6cbba575cc4f18e11a816148989
Opcode Fuzzy Hash: 0edcf21d4a33b2af0069cebb717d7df16684823be1a18f773de713fe441d1c2b
Instruction Fuzzy Hash: 34310BB1940208FFDB249FA5CC88EAEBBBDFF48301F10546AF54696261D735AA40CF64

Function 00423C60 Relevance: 19.6, APIs: 13, Instructions: 96COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,00000008), ref: 00423C93
IsDlgButtonChecked.USER32(?,00001A75), ref: 00423CB4
IsDlgButtonChecked.USER32(?,00001A80), ref: 00423CC4
IsDlgButtonChecked.USER32(?,00000411), ref: 00423CD4
GetDlgItemInt.USER32(?,00000482,00000000,00000000), ref: 00423CE6
SetWindowLongA.USER32(?,00000008,?), ref: 00423D03
CheckDlgButton.USER32(?,00001A75,?), ref: 00423D27
CheckDlgButton.USER32(?,00001A80,?), ref: 00423D37
GetDlgItem.USER32(?,0000043E), ref: 00423D41
GetClientRect.USER32(00000000,?), ref: 00423D4E
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000088,00000030,00000006), ref: 00423D61

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Button$CheckedWindow$CheckItemLong$ClientRect
String ID:
API String ID: 1193344014-0
Opcode ID: 15bcf9d2e7a9e07156967ebd8b91076a136c79b5158892fafb142bd5f4be1f85
Instruction ID: e3df07052ca5829c0ffd7f260aa397de357a9076b5737e6fd197f82f7a261cb7
Opcode Fuzzy Hash: 15bcf9d2e7a9e07156967ebd8b91076a136c79b5158892fafb142bd5f4be1f85
Instruction Fuzzy Hash: 2E3193B1244718BFEB216F60DC49DEA3FB9FB04791F404025FE855A1A0CB749E51EB98

Function 004167D4 Relevance: 19.6, APIs: 13, Instructions: 90COMMON

Download Yara Rule

APIs

CreateDialogParamA.USER32(000002A4,?,00416C18,00000000,00000001), ref: 004167F2
SetWindowTextA.USER32(00000000,?), ref: 004167FE

Part of subcall function 00416C80: CreateWindowExA.USER32(00000000,ProgressBar,00444FE8,40800000,00000000,00000000,00000064,0000000A,00000000,00000000,00000000,0041680A), ref: 00416CA4

SetWindowLongA.USER32(00000000,00000008,00000000), ref: 00416821
GetClientRect.USER32(00000000,?), ref: 0041682C

Part of subcall function 00416CAB: GetDC.USER32(00000001), ref: 00416CB7
Part of subcall function 00416CAB: GetStockObject.GDI32(0000000C), ref: 00416CC1
Part of subcall function 00416CAB: SelectObject.GDI32(00000000,00000000), ref: 00416CCF
Part of subcall function 00416CAB: GetTextMetricsA.GDI32(00000000,?), ref: 00416CD8
Part of subcall function 00416CAB: SelectObject.GDI32(00000000,00000000), ref: 00416CE0
Part of subcall function 00416CAB: ReleaseDC.USER32(00000001,00000000), ref: 00416CE6

MoveWindow.USER32(00000000,0000000D,0000000D,?,00000000,00000001), ref: 00416848
GetWindowRect.USER32(00000000,?), ref: 00416857
ScreenToClient.USER32(00000000,?), ref: 00416868
ScreenToClient.USER32(00000000,?), ref: 0041686F
GetDlgItem.USER32(00000000,00000002), ref: 00416877
ShowWindow.USER32(00000000), ref: 0041687E
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000006), ref: 00416894
ShowWindow.USER32(00000000,00000005), ref: 0041689D
EnableWindow.USER32(?,00000000), ref: 004168A8

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Window$ClientObject$CreateRectScreenSelectShowText$DialogEnableItemLongMetricsMoveParamReleaseStock
String ID:
API String ID: 2661066160-0
Opcode ID: bb838de29b57716b4f365bb420b6d019c17c893efce7c3751de21d1ea97a4988
Instruction ID: bad35cc999d98f5015c273db8bf913a3cf941fd92d73c7ddfbc3c4fdbf35ac52
Opcode Fuzzy Hash: bb838de29b57716b4f365bb420b6d019c17c893efce7c3751de21d1ea97a4988
Instruction Fuzzy Hash: B521B2B2204208BFE7216FA0DC8AFEF3BACEF05715F000025FE4196191D7749901DB68

Function 004256AA Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 128stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00425686,?,751E6BA0,?,&MB,00425686,?,?), ref: 004256C2
wsprintfA.USER32 ref: 004256FA
lstrcatA.KERNEL32(00000000,00425686,?,751E6BA0,?,&MB,00425686), ref: 00425709
__ftol.LIBCMT ref: 00425718
GetTextAlign.GDI32(?), ref: 0042573D
SetTextAlign.GDI32(?,00000008), ref: 0042579B
lstrlenA.KERNEL32(?), ref: 004257A0
TextOutA.GDI32(?,00000000), ref: 004257D8
SetTextAlign.GDI32(?,?), ref: 004257E2

Strings

&MB, xrefs: 004256AA
Page %d, xrefs: 004256ED

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Text$Align$lstrlen$__ftollstrcatwsprintf
String ID: &MB$Page %d
API String ID: 3812932771-3192165671
Opcode ID: 0c7e8d1d21fc2f61d08a37514f71001cb0c667218290739cd32bf55dde9566cb
Instruction ID: 6f200f62604ca965986fa25c5e90bfecd7df350c7f9a23ac0d89f4c41ab57567
Opcode Fuzzy Hash: 0c7e8d1d21fc2f61d08a37514f71001cb0c667218290739cd32bf55dde9566cb
Instruction Fuzzy Hash: 93412672204615EFCB204F24EC49AAF3BB8FF88324F55411AFD5952250D7789C11DF99

Function 004037AC Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 87COMMON

Download Yara Rule

APIs

EndDialog.USER32(?,00000001), ref: 004037DF
GetParent.USER32(?), ref: 004037EE
SetDlgItemTextA.USER32(?,00000406,Version 5.0 (Build 5.0.0.241)), ref: 0040380E
GetDlgItem.USER32(?,0000041F), ref: 00403824
ShowWindow.USER32(00000000), ref: 0040382B
SetDlgItemTextA.USER32(?,0000040C,?), ref: 00403838

Strings

Version 5.0 (Build 5.0.0.241), xrefs: 00403803

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Item$Text$DialogParentShowWindow
String ID: Version 5.0 (Build 5.0.0.241)
API String ID: 4122412837-1328025431
Opcode ID: 81df99500b43e2bd1d03d8d61752c38d07b79a942647ea9fad55a8acf3a6d9ad
Instruction ID: 51c09e2c9ec49d48eee0688086f2fb9f45cecc320d641cc3e5ec1135a186865c
Opcode Fuzzy Hash: 81df99500b43e2bd1d03d8d61752c38d07b79a942647ea9fad55a8acf3a6d9ad
Instruction Fuzzy Hash: 22216DB2504109BBEB11AFA49C89EBF3BBCEB05701F00406AFE41F6191D778D901EB69

Function 00428F60 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000000,0000043C,00000000,00447224), ref: 00428F85
MessageBoxA.USER32(00000000,No OLE interface!,00000000,00000000), ref: 00428F93
DestroyWindow.USER32(?,?,?,?), ref: 00428FA2
MessageBoxA.USER32(00000000,No Storage!,00000000,00000000), ref: 00428FE0
DestroyWindow.USER32(00000000,?,?,?), ref: 00428FEF

Strings

No OLE interface!, xrefs: 00428F8D
No Storage!, xrefs: 00428FD9
No callback object!, xrefs: 00429026

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Message$DestroyWindow$Send
String ID: No OLE interface!$No Storage!$No callback object!
API String ID: 2941936996-2742020762
Opcode ID: b3e9351e4a16e4b710579b0b209128ecb8de58b26d5eaa7adc9232f9adc55ede
Instruction ID: a100ff8c7f993d5c3f6a56220065350773848748251f5e44a0638a5726fa5dcb
Opcode Fuzzy Hash: b3e9351e4a16e4b710579b0b209128ecb8de58b26d5eaa7adc9232f9adc55ede
Instruction Fuzzy Hash: A2310AB8784200AFE710DF78ED85F9677E9AB4D704F10486AF804DB3A0CB74A841DB58

Function 00426B88 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 69windowCOMMON

Download Yara Rule

APIs

GetPropA.USER32(?,DlgKeyProc), ref: 00426B97
GetWindowLongA.USER32(?,000000F4), ref: 00426BAE
SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00426BC5
GetParent.USER32(?), ref: 00426BD0
SendDlgItemMessageA.USER32(00000000), ref: 00426BD7
GetWindowLongA.USER32(?,000000F4), ref: 00426BE2
GetParent.USER32(?), ref: 00426BFA
SendDlgItemMessageA.USER32(00000000), ref: 00426C01
SendMessageA.USER32(?,000000F4,00000001,00000001), ref: 00426C0B
CallWindowProcA.USER32(?,?,?,?,?), ref: 00426C1E

Strings

DlgKeyProc, xrefs: 00426B91

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: MessageSend$Window$ItemLongParent$CallProcProp
String ID: DlgKeyProc
API String ID: 3584994089-1425268092
Opcode ID: e0b08de99952cfbe3bef5a3f16ddad881fcbb36e8da00c533f09e0a8984efea6
Instruction ID: a49f2fbb3a9f93b409aed4cda880b13b12c46731a0167dc3f22d7a3c783d3f02
Opcode Fuzzy Hash: e0b08de99952cfbe3bef5a3f16ddad881fcbb36e8da00c533f09e0a8984efea6
Instruction Fuzzy Hash: DE1173B2204254BBD7301B66ECCCE9B3F2CFB85B61F141535FE65951A1CA398440EB78

Function 0040939C Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 67stringCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004093A1
GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 004093B9
lstrcatA.KERNEL32(?,\pnxetkey.dat), ref: 004093CB
_lopen.KERNEL32(?,00000011), ref: 004093DA
_lcreat.KERNEL32(?,00000000), ref: 004093F0
_llseek.KERNEL32(00000000,00000000,00000002), ref: 00409402
lstrcpyA.KERNEL32(?,?), ref: 0040940F
_hwrite.KERNEL32(00000000,?,00000010), ref: 00409455
_lclose.KERNEL32(00000000), ref: 0040945C

Strings

\pnxetkey.dat, xrefs: 004093C5
Invalid password., xrefs: 00409421

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: DirectoryH_prologWindows_hwrite_lclose_lcreat_llseek_lopenlstrcatlstrcpy
String ID: Invalid password.$\pnxetkey.dat
API String ID: 629292376-808593213
Opcode ID: 32223d4f8b2c6bb80f580ec1b655d209bef510204d0cb2b50b656b0524fa1261
Instruction ID: 02644b2fc5b040a5a2cf4de716e8784822419a78c4745abf4ad1778e079812bb
Opcode Fuzzy Hash: 32223d4f8b2c6bb80f580ec1b655d209bef510204d0cb2b50b656b0524fa1261
Instruction Fuzzy Hash: F9212C7280461DABCF20EBA0DC49FEDB77CBB08314F104666E655B31D1D7785A45CB68

Function 00424207 Relevance: 19.3, APIs: 4, Strings: 7, Instructions: 54stringCOMMON

Download Yara Rule

APIs

lstrcatA.KERNEL32(?,0043CB2C,?,00000000,?,00424306,00000000,00000000,?,00423395,?,?,?,00000008,?,?), ref: 0042424D
lstrcpyA.KERNEL32(?,Printer cannot fulfill request for duplexing. Check printer settings through Control Panel: ",00000000,?,00424306,00000000,00000000,?,00423395,?,?,?,00000008,?,?,?), ref: 00424233

Part of subcall function 004242A6: lstrcatA.KERNEL32(?,?,?,?,00000008,0042427D,?,00000001,?,00424306,00000000,00000000,?,00423395,?,?), ref: 004242BC
Part of subcall function 004242A6: lstrcatA.KERNEL32(?,Windows error code: ,?,00424306,00000000,00000000,?,00423395,?,?,?,00000008,?), ref: 004242CB
Part of subcall function 004242A6: lstrlenA.KERNEL32(?,0000000A,?,00424306,00000000,00000000,?,00423395,?,?,?,00000008,?), ref: 004242D0

lstrcpyA.KERNEL32(?,Could not access the selected printer: ,00000000,?,00424306,00000000,00000000,?,00423395,?,?,?,00000008,?,?,?), ref: 0042426B
lstrcpyA.KERNEL32(?,An unknown problem was encountered while printing.Please check your printer configuration before trying again.,00000000,?,00424306,00000000,00000000,?,00423395,?,?,?,00000008,?,?,?), ref: 00424295

Strings

Could not get information for the selected printer: , xrefs: 00424263
Could not access the selected printer: , xrefs: 0042427F
An unknown problem was encountered while printing.Please check your printer configuration before trying again., xrefs: 0042428D
Could not create device context for the selected printer: , xrefs: 00424255
Printer cannot fulfill request for duplexing. Check printer settings through Control Panel: ", xrefs: 0042422B
Could not retrieve properties for the selected printer: , xrefs: 0042425C
There is no default printer.Please select a default printer before trying again., xrefs: 00424286

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: lstrcatlstrcpy$lstrlen
String ID: An unknown problem was encountered while printing.Please check your printer configuration before trying again.$Could not access the selected printer: $Could not create device context for the selected printer: $Could not get information for the selected printer: $Could not retrieve properties for the selected printer: $Printer cannot fulfill request for duplexing. Check printer settings through Control Panel: "$There is no default printer.Please select a default printer before trying again.
API String ID: 3791037945-3258598027
Opcode ID: b97472a1f79bd5ab3bc709651b2f32049b35809a58455a907c0549d1a902c4f9
Instruction ID: 03f82ad25f52303a30a52891a8092300a0dfb001286ead4ff868159ffd9eb721
Opcode Fuzzy Hash: b97472a1f79bd5ab3bc709651b2f32049b35809a58455a907c0549d1a902c4f9
Instruction Fuzzy Hash: 1F018431354238E6CF116B56FC15F6A3E11FB987C0FA450A7F409942A0C6A99841D6BD

Function 004077EA Relevance: 18.1, APIs: 12, Instructions: 109windowCOMMON

Download Yara Rule

APIs

EndDialog.USER32(?,00000002), ref: 00407827
GetDlgItemTextA.USER32(?,000003E8,?,000000FF), ref: 00407841
GetWindowLongA.USER32(?,00000008), ref: 0040784A
EndDialog.USER32(?,00000001), ref: 0040789F
GetDlgItem.USER32(?,000003E8), ref: 004078B2
GetWindowTextLengthA.USER32(00000000), ref: 004078B5
GetDlgItem.USER32(?,00000001), ref: 004078C5
EnableWindow.USER32(00000000), ref: 004078C8
GetParent.USER32(?), ref: 004078D5
SetWindowLongA.USER32(?,00000008,?), ref: 004078F1
GetDlgItem.USER32(?,000003E8), ref: 004078FD
SetFocus.USER32(00000000), ref: 00407904

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: ItemWindow$DialogLongText$EnableFocusLengthParent
String ID:
API String ID: 4141629138-0
Opcode ID: e5740bfe2a3d29cfa1c9aa2b6ba6342c0dc42924713fd53624468ee8ac3d6a85
Instruction ID: fea88311845ed8c3331738205e9d0832e5b1a74791e961f4ff371a91dbda9cb5
Opcode Fuzzy Hash: e5740bfe2a3d29cfa1c9aa2b6ba6342c0dc42924713fd53624468ee8ac3d6a85
Instruction Fuzzy Hash: 0731B8B1A48205BBEB216B74DC49FAB375CFF04701F044425FA46E61D1DA78E901D769

Function 00428926 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 187librarymemoryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?), ref: 004289CC
GetLastError.KERNEL32 ref: 004289D8
RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 00428A0B
InterlockedExchange.KERNEL32(?,00000000), ref: 00428A1D
LocalAlloc.KERNEL32(00000040,00000008), ref: 00428A31
FreeLibrary.KERNEL32(00000000), ref: 00428A4E
GetProcAddress.KERNEL32(?,?), ref: 00428AAF
GetLastError.KERNEL32 ref: 00428ABB
RaiseException.KERNEL32(C06D007F,00000000,00000001,?), ref: 00428AED

Strings

$, xrefs: 00428942

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: ErrorExceptionLastLibraryRaise$AddressAllocExchangeFreeInterlockedLoadLocalProc
String ID: $
API String ID: 991255547-3993045852
Opcode ID: 41eecfc474d57d30347f4751eadd9466f905363e9c37dd936cc3951ed87e3f19
Instruction ID: 4e8fcd1747a392daeef56547cb26cbff807dc2390ac49720ebf4b1f81848843b
Opcode Fuzzy Hash: 41eecfc474d57d30347f4751eadd9466f905363e9c37dd936cc3951ed87e3f19
Instruction Fuzzy Hash: B06159B5B012159FDB24CF98E880AAEB7F5AB58300B50802EE909E7350DFB4ED45CB59

Function 0042F5A4 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 177COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,00000100,004384E4,00000001,00000000,00000000,00000103,00000001,00000000,?,00432C63,00200020,00000000,?,00000000,00000000), ref: 0042F5E6
LCMapStringA.KERNEL32(00000000,00000100,004384E0,00000001,00000000,00000000,?,00432C63,00200020,00000000,?,00000000,00000000,00000001), ref: 0042F602
LCMapStringA.KERNEL32(?,?,?,?,c,C ,?,00000103,00000001,00000000,?,00432C63,00200020,00000000,?,00000000,00000000), ref: 0042F64B
MultiByteToWideChar.KERNEL32(00000000,00000002,00000000,00200020,00000000,00000000,00000103,00000001,00000000,?,00432C63,00200020,00000000,?,00000000,00000000), ref: 0042F683
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00200020,?,00000000,?,00432C63,00200020,00000000,?,00000000), ref: 0042F6DB
LCMapStringW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,?,00432C63,00200020,00000000,?,00000000), ref: 0042F6F1
LCMapStringW.KERNEL32(?,?,?,00000000,c,C ,?,?,00432C63,00200020,00000000,?,00000000), ref: 0042F724
LCMapStringW.KERNEL32(00000000,?,?,?,?,00000000,?,00432C63,00200020,00000000,?,00000000), ref: 0042F78C

Strings

c,C , xrefs: 0042F7A4, 0042F717, 0042F63C

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: String$ByteCharMultiWide
String ID: c,C
API String ID: 352835431-3652846715
Opcode ID: 72f36d60a6d2c84034f3f1747701f024d88e4efed3a95f5e4d112b0e98198997
Instruction ID: e32dc69c9671cbcdbcb10640ec50af657ca95fc296c381d37e97438666379813
Opcode Fuzzy Hash: 72f36d60a6d2c84034f3f1747701f024d88e4efed3a95f5e4d112b0e98198997
Instruction Fuzzy Hash: 82519C72600259BFCF218F54ED45AAFBBB5FB89740FA0413AF850A1260C3398C16DB69

Function 0040947B Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 93stringCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00409480
GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00409498
lstrcatA.KERNEL32(?,\pnxetkey.dat), ref: 004094AA
_lopen.KERNEL32(?,00000020), ref: 004094B9
_hread.KERNEL32(00000000,?,00000010), ref: 004094E7
_lclose.KERNEL32(00000000), ref: 0040954F
lstrcpyA.KERNEL32(00000000,?), ref: 00409562

Strings

\pnxetkey.dat, xrefs: 004094A4
Invalid password., xrefs: 004094EE

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: DirectoryH_prologWindows_hread_lclose_lopenlstrcatlstrcpy
String ID: Invalid password.$\pnxetkey.dat
API String ID: 2903039819-808593213
Opcode ID: 11cab952260e8ff0a96d4bf48d71f9f84189edd3b1406db242c1afbed9f0f71b
Instruction ID: 08a6bbcb9f20983b4f3ca6d4aac48a7c911f5427e6f5084c53ff7d228f7938e0
Opcode Fuzzy Hash: 11cab952260e8ff0a96d4bf48d71f9f84189edd3b1406db242c1afbed9f0f71b
Instruction Fuzzy Hash: 6E318C7290421DABDF11DBA1DC85EEEB37CBB08314F10452AF616B21D1D7789A46CB68

Function 00414A1C Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 93stringCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(?), ref: 00414A37
DeleteObject.GDI32(000000FF), ref: 00414A44
DeleteObject.GDI32(?), ref: 00414A51
CreateFontIndirectA.GDI32(?), ref: 00414AB4
CreateFontIndirectA.GDI32(?), ref: 00414AC4
lstrcpyA.KERNEL32(?,Arial,?,00000000,?,?,?,0040465D), ref: 00414AD2
CreateFontIndirectA.GDI32(?), ref: 00414B01

Strings

Courier New, xrefs: 00414A83
", xrefs: 00414AEB
Arial, xrefs: 00414ACC

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: CreateDeleteFontIndirectObject$lstrcpy
String ID: "$Arial$Courier New
API String ID: 3480263671-80687389
Opcode ID: ac3c6643e187f9982b36884cb111c3b3f35abd0f6d372a1ed13923ea5194315d
Instruction ID: ba082012dc07d1887c9b3f65399759ecdb24a0dacc16255ce6940463a892acba
Opcode Fuzzy Hash: ac3c6643e187f9982b36884cb111c3b3f35abd0f6d372a1ed13923ea5194315d
Instruction Fuzzy Hash: 493129B2D043589ADB05DFE9D885ACEBBF9AF58300F14445BE800F7292D7B898048F68

Function 0041D21F Relevance: 16.7, APIs: 11, Instructions: 186COMMON

Download Yara Rule

APIs

Part of subcall function 0041CC69: GetDC.USER32(?), ref: 0041CC77
Part of subcall function 0041CC69: SelectObject.GDI32(00000000,?), ref: 0041CC89
Part of subcall function 0041CC69: GetTextMetricsA.GDI32(00000000,?), ref: 0041CC93
Part of subcall function 0041CC69: SelectObject.GDI32(00000000,?), ref: 0041CC9D
Part of subcall function 0041CC69: ReleaseDC.USER32(?,00000000), ref: 0041CCA3

ScrollWindow.USER32(?,00000000,?,00000000,00000000), ref: 0041D324
ScrollWindow.USER32(?,00000000,?,00000000,00000000), ref: 0041D35C
GetDC.USER32(?), ref: 0041D365
GetClientRect.USER32(?,?), ref: 0041D374
GetStockObject.GDI32(00000006), ref: 0041D37C
SelectObject.GDI32(00000000,00000000), ref: 0041D384
MoveToEx.GDI32(00000000,00000000,-00000001,00000000), ref: 0041D398
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0041D3AE
LineTo.GDI32(00000000,0041D89C,?), ref: 0041D3C0
SelectObject.GDI32(00000000,00000001), ref: 0041D3CA
ReleaseDC.USER32(?,00000000), ref: 0041D3D0

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Object$Select$MoveReleaseScrollWindow$ClientLineMetricsRectStockText
String ID:
API String ID: 2824592151-0
Opcode ID: 4b9d958f099fa5ff065021d68f029a852c315e61ac82fcc09a496e68de46ee08
Instruction ID: ef6513da22c04e324ec97ae149ba5bdf5b7b82c1bdd6099cfd5bba4f647d1530
Opcode Fuzzy Hash: 4b9d958f099fa5ff065021d68f029a852c315e61ac82fcc09a496e68de46ee08
Instruction Fuzzy Hash: FA515DB1A00609AFDB149F65CC889AFBBF9FF48310710956EF85AC7660DB34E981CB54

Function 0042451C Relevance: 16.6, APIs: 11, Instructions: 95COMMON

Download Yara Rule

APIs

FillRect.USER32(?,0041E984,?), ref: 00424532
GetDeviceCaps.GDI32(?,00000058), ref: 00424547
GetDeviceCaps.GDI32(?,00000058), ref: 00424551
GetDeviceCaps.GDI32(?,0000005A), ref: 00424559
GetDeviceCaps.GDI32(?,0000005A), ref: 00424563
__ftol.LIBCMT ref: 00424589
__ftol.LIBCMT ref: 0042459B
__ftol.LIBCMT ref: 004245AD
__ftol.LIBCMT ref: 004245BE
SetRect.USER32(?,00000000,00000000,00000000,00000000), ref: 004245D2
FillRect.USER32(?,?,?), ref: 00424605

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: CapsDevice__ftol$Rect$Fill
String ID:
API String ID: 2525312796-0
Opcode ID: 8ebe54039b715d0932cf9d79e48d64c482fff485075102fd628c3f80e954a39c
Instruction ID: 671caa5031e7ad66a59f9b656ff71211a0358be7238f5132d4e408ea14dfb869
Opcode Fuzzy Hash: 8ebe54039b715d0932cf9d79e48d64c482fff485075102fd628c3f80e954a39c
Instruction Fuzzy Hash: F331C4B1E04109BFCB02AF51E8458EE7FF9FF00391B618845FA56A2161E73099A4DFD4

Function 004090E9 Relevance: 16.6, APIs: 11, Instructions: 61memoryCOMMON

Download Yara Rule

APIs

_lopen.KERNEL32(?,00000020), ref: 004090FF
_llseek.KERNEL32(00000000,00000000,00000002), ref: 0040911E
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00409125
GlobalLock.KERNEL32(00000000), ref: 0040912C
_llseek.KERNEL32(00000000,00000000,00000000), ref: 00409139
_hread.KERNEL32(00000000,00000000,00000000), ref: 0040913E
_lclose.KERNEL32(00000000), ref: 00409145
GlobalHandle.KERNEL32(00000000), ref: 0040915C
GlobalUnlock.KERNEL32(00000000), ref: 0040915F
GlobalHandle.KERNEL32(00000000), ref: 00409166
GlobalFree.KERNEL32(00000000), ref: 00409169

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Global$Handle_llseek$AllocFreeLockUnlock_hread_lclose_lopen
String ID:
API String ID: 1832429640-0
Opcode ID: 0a66339510434a3036e7f3f7b552dafaf9ef7b28daef536b6bb8735fc6c250a0
Instruction ID: 9d54758384bff08165c24f7a86e83a77af390a586e7a09bcf592ffb991273a1a
Opcode Fuzzy Hash: 0a66339510434a3036e7f3f7b552dafaf9ef7b28daef536b6bb8735fc6c250a0
Instruction Fuzzy Hash: FF01A1B32042057BE62067B49C4DF6B7BACDF8A761F000425F641963D1CB785C01962D

Function 0041E0E8 Relevance: 16.2, APIs: 7, Strings: 2, Instructions: 447stringwindowCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041E0ED
lstrlenA.KERNEL32(?), ref: 0041E12F

Part of subcall function 0041AC92: LoadCursorA.USER32(00000000,00007F02), ref: 0041ACA2
Part of subcall function 0041AC92: SetCursor.USER32(00000000,?,004184F0), ref: 0041ACA9

lstrcpyA.KERNEL32(?,?), ref: 0041E215
lstrlenA.KERNEL32(?), ref: 0041E302
GetParent.USER32(?), ref: 0041E597
MessageBoxA.USER32(00000000), ref: 0041E59E
SetCursor.USER32(?), ref: 0041E5C9

Strings

4}C, xrefs: 0041E5BF
No more matches in this transcript., xrefs: 0041E58F

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Cursor$lstrlen$H_prologLoadMessageParentlstrcpy
String ID: 4}C$No more matches in this transcript.
API String ID: 2158622280-337844737
Opcode ID: e3933e0a9353b2019b75a5b7be2fc02e4f0224afdd83e382504b8e725e2d8efc
Instruction ID: 3515a9fd9b02753e221e3b902a804fb154ee1bc86befeb27103fd8d700130452
Opcode Fuzzy Hash: e3933e0a9353b2019b75a5b7be2fc02e4f0224afdd83e382504b8e725e2d8efc
Instruction Fuzzy Hash: 7502AD75900219EFCF04DFA5D890AEEBBB5BF08304F14406EF845A7291DB389E45CBA8

Function 004222E8 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 243windowCOMMON

Download Yara Rule

APIs

GetDeviceCaps.GDI32(?,00000070), ref: 00422300
GetDeviceCaps.GDI32(?,00000071), ref: 00422307
GetDeviceCaps.GDI32(?,0000000A), ref: 0042230F
GetDeviceCaps.GDI32(?,00000008), ref: 00422315
SetRect.USER32(?,00000000,00000000,00000000), ref: 00422320
GetDeviceCaps.GDI32(?,00000058), ref: 00422329
GetDeviceCaps.GDI32(?,0000005A), ref: 00422331
MessageBoxA.USER32(00000000,The margins need to be adjusted for this document to print properlyWould you like them to be automatically adjusted?,00000000,00000004), ref: 004223C6

Strings

The margins need to be adjusted for this document to print properlyWould you like them to be automatically adjusted?, xrefs: 004223BB

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: CapsDevice$MessageRect
String ID: The margins need to be adjusted for this document to print properlyWould you like them to be automatically adjusted?
API String ID: 1536503368-1457703030
Opcode ID: 6805e2b4bb12f2735742023f628e817b627b9aad4684505a1ede3177f319d4d0
Instruction ID: c411e7e3ad33479ed00f6f9dbc5a01308d21ce15c864674253cdd3a233393345
Opcode Fuzzy Hash: 6805e2b4bb12f2735742023f628e817b627b9aad4684505a1ede3177f319d4d0
Instruction Fuzzy Hash: 40A10570E0161AEFCB14CFA9DA84AEEB7F5BF48318F50402EE805E7250D778AA41CB54

Function 00423D97 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 110stringCOMMON

Download Yara Rule

APIs

lstrcpyA.KERNEL32(?,00000008,00000000,?,00000008,?,?,?,00423379,?,00000008,00000000), ref: 00423DC2
OpenPrinterA.WINSPOOL.DRV(00000008,00000000,00000000,?,?,?,00423379,?,00000008,00000000,?,?,?,?,?,004157C5), ref: 00423DD0
GetLastError.KERNEL32(00000000,00000008,?,?,?,?,00000008,00000000,00000000,?,?,?,00423379,?,00000008,00000000), ref: 00423EE1
ClosePrinter.WINSPOOL.DRV(00000000,00423379,?,00000008,00000000,?,?,?,?,?,004157C5,?), ref: 00423EF8

Strings

y3B, xrefs: 00423E81
winspool, xrefs: 00423EBB

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: CloseErrorLastOpenPrinterPrinter.lstrcpy
String ID: winspool$y3B
API String ID: 1746316384-1788438815
Opcode ID: 4c3f8d61a42dc8fe718ce8d908495f15ddfc1f78b9f82f9f831358cce63458b4
Instruction ID: 0831c5d1214fde62080665f9605ba784b323e0bdaab6601efab447c50c044bfd
Opcode Fuzzy Hash: 4c3f8d61a42dc8fe718ce8d908495f15ddfc1f78b9f82f9f831358cce63458b4
Instruction Fuzzy Hash: 67413671A00618EBCF22CFA1D8459EFBBB5FF48311F50842BEA5A92220D7395A45DF94

Function 00409890 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 105stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,?,?,00000000,?,00000000,?), ref: 004098C5
lstrlenA.KERNEL32(00000000,?,?,?,?,?,00000000,?), ref: 00409942
lstrlenA.KERNEL32(00000000,?,?,?,?,?,00000000,?), ref: 0040994A
lstrcatA.KERNEL32(00000000,?,?,?,?,?,?,00000000,?), ref: 0040995D
lstrcatA.KERNEL32(00000000,?,?,?,?,?,?,00000000,?), ref: 0040997B
lstrlenA.KERNEL32(00000000,?,?,00000000,?,00000000,?), ref: 00409984
lstrlenA.KERNEL32(00000000,?,?,00000000,?,00000000,?), ref: 0040998C

Strings

PAGEFTR, xrefs: 00409900
PAGEHDR, xrefs: 004098DB

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: lstrlen$lstrcat
String ID: PAGEFTR$PAGEHDR
API String ID: 493641738-2355702794
Opcode ID: 2180068e0beb9791e2ac4a443f00bf21af2cf07f73fdfdfb628ca65703aff3bb
Instruction ID: 1ebf632b8b531be8fbda1eae75bb3d7936d346521cc399574c1b6aa7ad1feaf8
Opcode Fuzzy Hash: 2180068e0beb9791e2ac4a443f00bf21af2cf07f73fdfdfb628ca65703aff3bb
Instruction Fuzzy Hash: 0531E2B1A08249ABDF109F64DC81BAE7FA8EF05354F24802FF84566383D7789E50CB94

Function 00416E49 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 93stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?), ref: 00416E5D
GetTextExtentPointA.GDI32(?,?,?,?), ref: 00416E77
GetTextExtentPointA.GDI32(?,...,00000003,?), ref: 00416E91
GetTextExtentPointA.GDI32(?,?,?,?), ref: 00416EAF
TextOutA.GDI32(?,?,?,?,?), ref: 00416ECA
GetTextExtentPointA.GDI32(?,...,00000002,?), ref: 00416EF7
TextOutA.GDI32(?,?,?,...,00000003), ref: 00416F10
TextOutA.GDI32(?,?,?,?,?), ref: 00416F1F

Strings

..., xrefs: 00416E8B, 00416EEF, 00416F02

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Text$ExtentPoint$lstrlen
String ID: ...
API String ID: 245376094-440645147
Opcode ID: cc7fde59bf66b94163dc9af0493985185caea5a7276833f4454ddbb1953985a9
Instruction ID: 875607988f7ea5593c2337b50de0164662598d0d4ce7b88e6c28b8beb2e5dbaf
Opcode Fuzzy Hash: cc7fde59bf66b94163dc9af0493985185caea5a7276833f4454ddbb1953985a9
Instruction Fuzzy Hash: 6231E27660020EAFDF019F98DC81DEE7BB9EB08350F104126F914A2160D775EDA59FA5

Function 004230D8 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 88stringCOMMON

Download Yara Rule

APIs

GetProfileStringA.KERNEL32(windows,device,,,,,?,00000100), ref: 004230FF
lstrcpyA.KERNEL32(?,00000000), ref: 0042312E
lstrcpyA.KERNEL32(?,00000000), ref: 0042314B
lstrcpyA.KERNEL32(00423283,00000000), ref: 0042317B
lstrcpyA.KERNEL32(?,?), ref: 00423198
CreateICA.GDI32(?,?,00000000,00000000), ref: 004231A3

Strings

,,,, xrefs: 004230F0
windows, xrefs: 004230FA
device, xrefs: 004230F5

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: lstrcpy$CreateProfileString
String ID: ,,,$device$windows
API String ID: 3493348800-1718292371
Opcode ID: 12f82045bebbcebffd2088a2130ff7171cb1c0b0b236a6ac190206007245042e
Instruction ID: 4d1fb9ec66fb6529cefa9a71c0b8f950bad8fb6eef94b3fc7384b6973bb5ead9
Opcode Fuzzy Hash: 12f82045bebbcebffd2088a2130ff7171cb1c0b0b236a6ac190206007245042e
Instruction Fuzzy Hash: B921C772700229BFDF214F61AC80BBB7779FB04755F54443BF91885250C77C9A658B58

Function 0041EBAF Relevance: 15.2, APIs: 10, Instructions: 192COMMON

Download Yara Rule

APIs

Part of subcall function 0041EE34: DeleteObject.GDI32(?), ref: 0041EE4D
Part of subcall function 0041EE34: DeleteObject.GDI32(?), ref: 0041EE5A
Part of subcall function 0041EE34: DeleteObject.GDI32(?), ref: 0041EE67
Part of subcall function 0041EE34: DeleteObject.GDI32(?), ref: 0041EE7A

GetDeviceCaps.GDI32(?,00000058), ref: 0041EBDD
GetDeviceCaps.GDI32(?,00000058), ref: 0041EBED
GetDeviceCaps.GDI32(?,0000005A), ref: 0041EBF8
GetDeviceCaps.GDI32(?,0000005A), ref: 0041EC08

Part of subcall function 00424346: GetDeviceCaps.GDI32(?,0000005A), ref: 0042437A
Part of subcall function 00424346: __ftol.LIBCMT ref: 0042438D
Part of subcall function 00424346: CreateFontA.GDI32(00000000), ref: 00424393
Part of subcall function 00424346: SelectObject.GDI32(?,00000000), ref: 004243A5
Part of subcall function 00424346: GetTextMetricsA.GDI32(?,?), ref: 004243B1
Part of subcall function 00424346: SelectObject.GDI32(?,?), ref: 004243BD
Part of subcall function 00424346: DeleteObject.GDI32(?), ref: 0042440C
Part of subcall function 00424346: GetDeviceCaps.GDI32(00000000,0000005A), ref: 0042442B
Part of subcall function 00424346: __ftol.LIBCMT ref: 0042443F
Part of subcall function 00424346: CreateFontA.GDI32(00000000), ref: 00424445

Part of subcall function 00424346: SelectObject.GDI32(?,00000000), ref: 0042445A
Part of subcall function 00424346: GetTextMetricsA.GDI32(00000000,00001FFF), ref: 00424466
Part of subcall function 00424346: SelectObject.GDI32(00000000,?), ref: 00424472

SelectObject.GDI32(?,?), ref: 0041ECA2
GetTextMetricsA.GDI32(?,?), ref: 0041ECB7
SelectObject.GDI32(?,?), ref: 0041ECC5
GetTextMetricsA.GDI32(?,?), ref: 0041ECD4
SelectObject.GDI32(?,?), ref: 0041ECDF

Part of subcall function 004222E8: GetDeviceCaps.GDI32(?,00000070), ref: 00422300
Part of subcall function 004222E8: GetDeviceCaps.GDI32(?,00000071), ref: 00422307
Part of subcall function 004222E8: GetDeviceCaps.GDI32(?,0000000A), ref: 0042230F
Part of subcall function 004222E8: GetDeviceCaps.GDI32(?,00000008), ref: 00422315
Part of subcall function 004222E8: SetRect.USER32(?,00000000,00000000,00000000), ref: 00422320
Part of subcall function 004222E8: GetDeviceCaps.GDI32(?,00000058), ref: 00422329
Part of subcall function 004222E8: GetDeviceCaps.GDI32(?,0000005A), ref: 00422331
Part of subcall function 004222E8: MessageBoxA.USER32(00000000,The margins need to be adjusted for this document to print properlyWould you like them to be automatically adjusted?,00000000,00000004), ref: 004223C6

Part of subcall function 00424B07: GetDeviceCaps.GDI32(?,0000005A), ref: 00424B48
Part of subcall function 00424B07: CreateFontA.GDI32(?,?,?,0041E984,?,00000000,00000001,00000000,?,?,00000000,?,?,?), ref: 00424B58
Part of subcall function 00424B07: GetDeviceCaps.GDI32(?,0000005A), ref: 00424B82
Part of subcall function 00424B07: __ftol.LIBCMT ref: 00424B90
Part of subcall function 00424B07: CreateFontA.GDI32(00000000,?,?,0041E984,?,00000000,00000001,00000000,?,?,00000000,?,?,?), ref: 00424B96
Part of subcall function 00424B07: GetDeviceCaps.GDI32(?,0000005A), ref: 00424BBB
Part of subcall function 00424B07: __ftol.LIBCMT ref: 00424BCC
Part of subcall function 00424B07: CreateFontA.GDI32(00000000,?,?,0041E984,?,00000000,00000001,00000000,?,?,00000000,?,?,?), ref: 00424BD2
Part of subcall function 00424B07: SelectObject.GDI32(?,?), ref: 00424BE1

GetDeviceCaps.GDI32(?,00000058), ref: 0041ED5F

Part of subcall function 004247F8: SetRect.USER32(?,?,?,?,?), ref: 00424848
Part of subcall function 004247F8: GetStockObject.GDI32(00000001), ref: 0042485C
Part of subcall function 004247F8: SetRect.USER32(?,?,?,?,?), ref: 00424891
Part of subcall function 004247F8: GetStockObject.GDI32(00000001), ref: 004248A5

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: CapsDevice$Object$Select$CreateDeleteFont$MetricsText__ftol$Rect$Stock$Message
String ID:
API String ID: 916549427-0
Opcode ID: 594a183f743e857ec615f93076ebb4fac22f1077c7575e6da97de7be37c00a9a
Instruction ID: d571530a2defc87fde04ba22b2593bc46b0e6baef042487ac714b4abcef0bf35
Opcode Fuzzy Hash: 594a183f743e857ec615f93076ebb4fac22f1077c7575e6da97de7be37c00a9a
Instruction Fuzzy Hash: 5F7126B2601104AFCB44DF55CC84FEA7BA9EF49310F0840BABE4C9F15AD7716814CB69

Function 00423221 Relevance: 15.2, APIs: 10, Instructions: 163COMMON

Download Yara Rule

APIs

DeleteDC.GDI32(00000000), ref: 0042328F
OpenPrinterA.WINSPOOL.DRV(?,?,00000000,?,?,?,?,?,004157C5,?,?,00000000), ref: 0042329D
DeleteDC.GDI32(?), ref: 004233DC
GlobalFree.KERNEL32(?), ref: 004233EA
ClosePrinter.WINSPOOL.DRV(00000000,?,?,00000000,?,?,?,?,?,004157C5,?,?), ref: 004233F9

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Delete$CloseFreeGlobalOpenPrinterPrinter.
String ID:
API String ID: 3978192-0
Opcode ID: 72a0de2412829a8b20a445a3e398767db6a07593bd71bced010400514bfd3ce9
Instruction ID: 99c49e006c1686d729b5217b208a564c3e609b0f4bd6589bb662c3bd3a09d943
Opcode Fuzzy Hash: 72a0de2412829a8b20a445a3e398767db6a07593bd71bced010400514bfd3ce9
Instruction Fuzzy Hash: 00518070B00225ABDF11DFA5D885BAEBBB9FF44305F80406EF80592251DB7C9B51CB99

Function 00422D2E Relevance: 15.1, APIs: 10, Instructions: 101windowstringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,?,?,00000001,?), ref: 00422D3C
GetFocus.USER32 ref: 00422D66
IsWindowEnabled.USER32(?), ref: 00422D7A
EnableWindow.USER32(?,00000000), ref: 00422D8F
GetOpenFileNameA.COMDLG32(?), ref: 00422DF1
GetSaveFileNameA.COMDLG32(?), ref: 00422DF8
CommDlgExtendedError.COMDLG32(?), ref: 00422E04
EnableWindow.USER32(?,00000001), ref: 00422E2C
IsWindow.USER32(?), ref: 00422E35
SetFocus.USER32(?), ref: 00422E45

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Window$EnableFileFocusName$CommEnabledErrorExtendedOpenSavelstrlen
String ID:
API String ID: 3637205778-0
Opcode ID: c73776788646221eebc8e70ae43ac326f259ed3c43ebb15588acd5f10faa40cb
Instruction ID: 6007d7533e797549320ca866547d720159e316dda3e66b7ad0bed19dd889a73b
Opcode Fuzzy Hash: c73776788646221eebc8e70ae43ac326f259ed3c43ebb15588acd5f10faa40cb
Instruction Fuzzy Hash: E53167B0600714AFDB309F66ED85B5BBBF8EF04704F40842EF98692651DBB8A940DF19

Function 00424703 Relevance: 15.1, APIs: 10, Instructions: 93COMMON

Download Yara Rule

APIs

GetDeviceCaps.GDI32(?,00000058), ref: 0042472C
GetDeviceCaps.GDI32(?,00000058), ref: 00424736
GetDeviceCaps.GDI32(?,0000005A), ref: 0042473E
GetDeviceCaps.GDI32(?,0000005A), ref: 00424748
__ftol.LIBCMT ref: 00424775
__ftol.LIBCMT ref: 0042478A
__ftol.LIBCMT ref: 004247AA
__ftol.LIBCMT ref: 004247BE
SetRect.USER32(00000000,00000000,?,751E5E50,00000000), ref: 004247DF
FillRect.USER32(?,?,?), ref: 004247ED

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: CapsDevice__ftol$Rect$Fill
String ID:
API String ID: 2525312796-0
Opcode ID: c02e70ab824a8ce39b4823e0dd0d2a8536047c7cfaffea09e126c36d4215a6c7
Instruction ID: ad0c057a0d649c8e3a54c6f5167b674d09d5a6ba51180a702f96ae595f9a8cbf
Opcode Fuzzy Hash: c02e70ab824a8ce39b4823e0dd0d2a8536047c7cfaffea09e126c36d4215a6c7
Instruction Fuzzy Hash: A4315CB2A0421AAFCF11AF22E9454DE7FB8EF44390F628515F92566261E7308A608FD4

Function 0042460F Relevance: 15.1, APIs: 10, Instructions: 92COMMON

Download Yara Rule

APIs

GetDeviceCaps.GDI32(?,00000058), ref: 00424638
GetDeviceCaps.GDI32(?,00000058), ref: 00424642
GetDeviceCaps.GDI32(?,0000005A), ref: 0042464A
GetDeviceCaps.GDI32(?,0000005A), ref: 00424654
__ftol.LIBCMT ref: 00424679
__ftol.LIBCMT ref: 0042468F
__ftol.LIBCMT ref: 004246B1
__ftol.LIBCMT ref: 004246C4
SetRect.USER32(00000000,00000000,00000000,?,?), ref: 004246EA
FillRect.USER32(?,?,?), ref: 004246F8

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: CapsDevice__ftol$Rect$Fill
String ID:
API String ID: 2525312796-0
Opcode ID: a494ef988297137668e6d27a539e1aa040e49343e968926d9bb9a42914baf6b3
Instruction ID: bb302e4c109a6a06e445c18b595e0cf4a3707985abc3fc4812c39ac0202716ae
Opcode Fuzzy Hash: a494ef988297137668e6d27a539e1aa040e49343e968926d9bb9a42914baf6b3
Instruction Fuzzy Hash: 813169B2A0021ABFCF019F22E8494DE7BB8FF04350F628555F915A6261EB34DA648FD0

Function 00402608 Relevance: 15.1, APIs: 10, Instructions: 51COMMON

Download Yara Rule

APIs

IsDlgButtonChecked.USER32(?,000003F8), ref: 0040261C
IsDlgButtonChecked.USER32(?,00000416), ref: 0040262A
GetDlgItem.USER32(?,00000417), ref: 0040264C
EnableWindow.USER32(00000000), ref: 00402655
GetDlgItem.USER32(?,00000416), ref: 0040265E
EnableWindow.USER32(00000000), ref: 00402661
GetDlgItem.USER32(?,00000418), ref: 0040266D
EnableWindow.USER32(00000000), ref: 00402670
GetDlgItem.USER32(?,00000419), ref: 0040267C
EnableWindow.USER32(00000000), ref: 0040267F

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: EnableItemWindow$ButtonChecked
String ID:
API String ID: 3954683629-0
Opcode ID: 9d5f5ffa5ca4c6b4c3ad5eb2c9e76fa1412e347f109f37f6799fafc1ab145c10
Instruction ID: 739fdbe556b6e8ab5cdea735b5e5acf9f2e5f976447424d18cbcc18a727432b1
Opcode Fuzzy Hash: 9d5f5ffa5ca4c6b4c3ad5eb2c9e76fa1412e347f109f37f6799fafc1ab145c10
Instruction Fuzzy Hash: 59F0A4F294431D77D5206BF29C48E4B3E9CDB84751F015826B740A70C1C9B9D8019BB5

Function 004300A1 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 100fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000), ref: 0043010E
GetStdHandle.KERNEL32(000000F4,00438764,00000000,?,00000000,00000000), ref: 004301E4
WriteFile.KERNEL32(00000000), ref: 004301EB

Strings

Microsoft Visual C++ Runtime Library, xrefs: 004301BA
<program name unknown>, xrefs: 0043011E
@CD, xrefs: 004300BC
..., xrefs: 00430160
Runtime Error!Program: , xrefs: 00430174

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: File$HandleModuleNameWrite
String ID: ...$<program name unknown>$@CD$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
API String ID: 3784150691-2176660801
Opcode ID: 1bcdaebf59f84367be6de6d35beb18c97fc9ea4bde34cb40d6d79ff1e4bead78
Instruction ID: a9aa04fbbaf0d01640efa1aeaf180f73b793c624644bf311a12322081829590d
Opcode Fuzzy Hash: 1bcdaebf59f84367be6de6d35beb18c97fc9ea4bde34cb40d6d79ff1e4bead78
Instruction Fuzzy Hash: 5D31C672B40228AFDF25DB61DC86F9A73ADEF89304F60116BF544D6140E6B8DA80CA5D

Function 00425609 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00424346: GetDeviceCaps.GDI32(?,0000005A), ref: 0042437A
Part of subcall function 00424346: __ftol.LIBCMT ref: 0042438D
Part of subcall function 00424346: CreateFontA.GDI32(00000000), ref: 00424393
Part of subcall function 00424346: SelectObject.GDI32(?,00000000), ref: 004243A5
Part of subcall function 00424346: GetTextMetricsA.GDI32(?,?), ref: 004243B1
Part of subcall function 00424346: SelectObject.GDI32(?,?), ref: 004243BD
Part of subcall function 00424346: DeleteObject.GDI32(?), ref: 0042440C
Part of subcall function 00424346: GetDeviceCaps.GDI32(00000000,0000005A), ref: 0042442B
Part of subcall function 00424346: __ftol.LIBCMT ref: 0042443F
Part of subcall function 00424346: CreateFontA.GDI32(00000000), ref: 00424445

SelectObject.GDI32(?,?), ref: 0042564A
SelectObject.GDI32(?,?), ref: 00425653
GetTextMetricsA.GDI32(?,?), ref: 0042565D

Part of subcall function 004256AA: lstrlenA.KERNEL32(00425686,?,751E6BA0,?,&MB,00425686,?,?), ref: 004256C2
Part of subcall function 004256AA: wsprintfA.USER32 ref: 004256FA
Part of subcall function 004256AA: lstrcatA.KERNEL32(00000000,00425686,?,751E6BA0,?,&MB,00425686), ref: 00425709
Part of subcall function 004256AA: __ftol.LIBCMT ref: 00425718
Part of subcall function 004256AA: GetTextAlign.GDI32(?), ref: 0042573D
Part of subcall function 004256AA: SetTextAlign.GDI32(?,00000008), ref: 0042579B
Part of subcall function 004256AA: lstrlenA.KERNEL32(?), ref: 004257A0
Part of subcall function 004256AA: TextOutA.GDI32(?,00000000), ref: 004257D8

SelectObject.GDI32(?,?), ref: 0042568D
SelectObject.GDI32(?,?), ref: 00425693
DeleteObject.GDI32(?), ref: 0042569E
DeleteObject.GDI32(0041E984), ref: 004256A3

Strings

&MB, xrefs: 00425663

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Object$Select$Text$Delete__ftol$AlignCapsCreateDeviceFontMetricslstrlen$lstrcatwsprintf
String ID: &MB
API String ID: 1195503182-512029364
Opcode ID: ac8c39113270ada40330ce255f9a61d4c6801bde46b40726d15c07a460e0325b
Instruction ID: 17cab159f1a8c6e134c4d18b0320ab5e180165e088e46693c72468efc571ff6b
Opcode Fuzzy Hash: ac8c39113270ada40330ce255f9a61d4c6801bde46b40726d15c07a460e0325b
Instruction Fuzzy Hash: 8111907250015CBBCF12AFA1DC84CEE3FB9EB4C254F06555AFA4962120D63AD860EFA5

Function 00421A0F Relevance: 13.8, APIs: 9, Instructions: 329COMMON

Download Yara Rule

APIs

SetRect.USER32(?,00000000,?,00000000,?), ref: 00421BD6
GetStockObject.GDI32(00000004), ref: 00421BE4
SetRect.USER32(?,?,?,?,?), ref: 00421C37
GetStockObject.GDI32(00000004), ref: 00421C45
SetRect.USER32(?,?,?,00000000,00000000), ref: 00421CA6
GetStockObject.GDI32(00000004), ref: 00421CB4
SetRect.USER32(?,?,?,00000000,?), ref: 00421D18
GetStockObject.GDI32(00000004), ref: 00421D26
InflateRect.USER32(?,00000000,00000000), ref: 00421D59

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Rect$ObjectStock$Inflate
String ID:
API String ID: 2526234015-0
Opcode ID: 33b227b7a03702bdaa137684d78ae70c091bf8d0b673154ef2e337bdfadfabbb
Instruction ID: ef156a17290e8674bbc6f8942ea16ae88faa7c5b64370e6de0524274d9028a04
Opcode Fuzzy Hash: 33b227b7a03702bdaa137684d78ae70c091bf8d0b673154ef2e337bdfadfabbb
Instruction Fuzzy Hash: 38C18972A00119EFCF00CF98D985A9A7BB5FF58304F6540AAF808AB261D735EE51CF94

Function 00407407 Relevance: 13.8, APIs: 9, Instructions: 270windowCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040740C

Part of subcall function 0040E26F: IsCharAlphaNumericA.USER32(?,00000000,?,?,?,?,00409327,?,?,?,00000000,00000000,00000000,?,?), ref: 0040E28C

MessageBoxA.USER32(?,00000000,00000002,00000000), ref: 0040757E
MessageBoxA.USER32(?,00000000,00000002,00000000), ref: 004075C4
MessageBoxA.USER32(?,00000000,00000002,00000000), ref: 00407606
MessageBoxA.USER32(?,00000000,00000002,00000000), ref: 0040764C
wsprintfA.USER32 ref: 004076E0
wsprintfA.USER32 ref: 00407719

Part of subcall function 004038B4: LoadStringA.USER32(00407701,00000000,00000200,00000000), ref: 004038DD

MessageBoxA.USER32(?,00000000,00000000,00000000), ref: 00407736

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Message$wsprintf$AlphaCharH_prologLoadNumericString
String ID:
API String ID: 2055882333-0
Opcode ID: abfc3aafcb0e5276000c5bfbbb17331fc34b5d54aca13bb8cc946a39967670e8
Instruction ID: b60b7355a9b7871d9f037f6ac890e3e77b5a04b1b6dd452a735a5404c680b650
Opcode Fuzzy Hash: abfc3aafcb0e5276000c5bfbbb17331fc34b5d54aca13bb8cc946a39967670e8
Instruction Fuzzy Hash: 7791BF71A04109ABDF10AF91DC06BDE3B79EF04304F1440B6FA05BB1D2D739AA14DB6A

Function 0042189F Relevance: 13.6, APIs: 9, Instructions: 145COMMON

Download Yara Rule

APIs

CreateFontA.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000002,?,?), ref: 004218DD
CreateFontA.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000002,?,?), ref: 00421907
SelectObject.GDI32(?,?), ref: 00421918
GetTextMetricsA.GDI32(?,?), ref: 00421923
GetCharWidthA.GDI32(?,00000000,000000FF,0000003C), ref: 00421935
SelectObject.GDI32(?,?), ref: 0042197F
SelectObject.GDI32(?,?), ref: 004219F3
DeleteObject.GDI32(?), ref: 004219FE
DeleteObject.GDI32(?), ref: 00421A03

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Object$Select$CreateDeleteFont$CharMetricsTextWidth
String ID:
API String ID: 2467450592-0
Opcode ID: d4ff7e78498e7c87d9d9aba877603b88378dc3d918b341d16abc8c1733714d10
Instruction ID: d0e8f86dcb5f4fab6d1018306c97d5015a415d340f1c179e51821d2631f840dc
Opcode Fuzzy Hash: d4ff7e78498e7c87d9d9aba877603b88378dc3d918b341d16abc8c1733714d10
Instruction Fuzzy Hash: 495143B1601229AFCF25CF05DC98DEF3F6AEF59364F60815AF8055A260C235DDA1CBA4

Function 00414000 Relevance: 13.6, APIs: 9, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetDlgItemInt.USER32(?,00001A8E,?,00000000), ref: 00414047
EndDialog.USER32(?,00000001), ref: 0041408D
MessageBeep.USER32(00000000), ref: 004140B6
GetParent.USER32(?), ref: 004140C5
SetDlgItemTextA.USER32(?,00001A8E,?), ref: 004140F7
GetDlgItem.USER32(?,00001A8E), ref: 0041410E
SendMessageA.USER32(00000000), ref: 00414111
GetDlgItem.USER32(?,00001A8E), ref: 00414119
SetFocus.USER32(00000000), ref: 0041411C

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Item$Message$BeepDialogFocusParentSendText
String ID:
API String ID: 3410869093-0
Opcode ID: 06a01f961192865feace7ae765d6857ac101aa30a9a0acd6df9780c88eaedd4b
Instruction ID: ff12eeef55ec85fff4b6ba6dc2d621c65ddabb3d7a9b19d41f49c35e92c7f4d1
Opcode Fuzzy Hash: 06a01f961192865feace7ae765d6857ac101aa30a9a0acd6df9780c88eaedd4b
Instruction Fuzzy Hash: 1831C475504205ABCB10AF75DC49DAB7FA9FB89320B10462AF915C61E1D7788881CBAD

Function 00425CC9 Relevance: 13.6, APIs: 9, Instructions: 92windowkeyboardCOMMON

Download Yara Rule

APIs

IsDialogMessageA.USER32(?,?,?,?,?,?,00420176,?), ref: 00425D9B

Part of subcall function 00425DB3: GetParent.USER32(?), ref: 00425DC1
Part of subcall function 00425DB3: GetWindowLongA.USER32(?,000000F0), ref: 00425DCC

PostMessageA.USER32(00000000,00000111,00000002,00000000), ref: 00425D17
GetDlgItem.USER32(00000000,00000004), ref: 00425D32
GetWindowLongA.USER32(00000000), ref: 00425D3B
GetDlgItem.USER32(00000000,00000002), ref: 00425D4B
GetWindowLongA.USER32(00000000), ref: 00425D4E
GetFocus.USER32 ref: 00425D5E
GetKeyState.USER32(00000010), ref: 00425D78
SetFocus.USER32(00000000,?,?,?,?,00420176,?), ref: 00425D8F

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: LongWindow$FocusItemMessage$DialogParentPostState
String ID:
API String ID: 1773305422-0
Opcode ID: 1ebb01ee611d4028fd4b16693ec4cefe584df0861a35489039b8b5e899cfd8c5
Instruction ID: 95877db6b4158007b1e67bf11e40f84382fe3d97911a428788155fe9f0149ccc
Opcode Fuzzy Hash: 1ebb01ee611d4028fd4b16693ec4cefe584df0861a35489039b8b5e899cfd8c5
Instruction Fuzzy Hash: A7214270328A28B7DA3026A5BC8CF6B3A5DEB92350F908413F640E6290CA789C01952D

Function 0041C583 Relevance: 13.6, APIs: 9, Instructions: 81COMMON

Download Yara Rule

APIs

GetStockObject.GDI32(00000007), ref: 0041C58E
SelectObject.GDI32(?,00000000), ref: 0041C598
MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 0041C5C0
LineTo.GDI32(?,?,?), ref: 0041C5CA
MoveToEx.GDI32(?,?,00000000,00000000), ref: 0041C5E1
LineTo.GDI32(?,?,?), ref: 0041C5EB
MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 0041C631
LineTo.GDI32(?,?,?), ref: 0041C63B
SelectObject.GDI32(?,?), ref: 0041C64A

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: LineMoveObject$Select$Stock
String ID:
API String ID: 1481511353-0
Opcode ID: 949efa462af52156028e5b650fc389073a17fc5365be12959b388a5b76631432
Instruction ID: 248c154eee89aa0c74b3e4143629953eca43aa3124f5c643bc721ec8f5dfdb2c
Opcode Fuzzy Hash: 949efa462af52156028e5b650fc389073a17fc5365be12959b388a5b76631432
Instruction Fuzzy Hash: 5A3104B5200208EFDB219F54DC85EAABBB6FF08350F108055F9858A2A0C771ADA1DFA4

Function 004084F1 Relevance: 13.6, APIs: 9, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,00000401,00000FD3,?), ref: 00408510
SendMessageA.USER32(?,00000401,00000FB1,?), ref: 0040851B
SendMessageA.USER32(?,00000401,00000FA7,?), ref: 00408526
SendMessageA.USER32(?,00000401,00000FC1,?), ref: 00408531
SendMessageA.USER32(?,00000401,00000FA4,?), ref: 0040853C
SendMessageA.USER32(?,00000401,00000FA6,?), ref: 00408547
SendMessageA.USER32(?,00000401,00000FA5,?), ref: 00408552
SendMessageA.USER32(?,00000401,00000FA8,?), ref: 0040855D
EnableWindow.USER32(?,?), ref: 00408563

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: MessageSend$EnableWindow
String ID:
API String ID: 1554173715-0
Opcode ID: 79ac5b0106efcc32768ab9ff4fb8030141635a3cf7eb24a22b5c96e4b5982c43
Instruction ID: e849c737a530f37984822f58e3ba88e864b4ad5e3efc1b1c2414276c901ab2d0
Opcode Fuzzy Hash: 79ac5b0106efcc32768ab9ff4fb8030141635a3cf7eb24a22b5c96e4b5982c43
Instruction Fuzzy Hash: 9C01BBB524424DBFF6312B12DC49D27BE9DDFC27D9B124435F6C4154A48AA32C20EA35

Function 00424E79 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 179COMMON

Download Yara Rule

APIs

GetTextExtentPointA.GDI32(?,...,00000003,00000000), ref: 00424ECD
GetDeviceCaps.GDI32(?,00000058), ref: 00424EFE
__ftol.LIBCMT ref: 00424F13
ExtTextOutA.GDI32(00000001,00000000,?,?,?,00000000,?,?), ref: 00424FAD
ExtTextOutA.GDI32(00000001,00000000,?,?,?,00000000,00000000,...), ref: 00424FF8
ExtTextOutA.GDI32(00000001,00000000,?,?,?,00000000,00000000,?), ref: 00425037

Strings

..., xrefs: 00424EC7, 00424FC0

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Text$CapsDeviceExtentPoint__ftol
String ID: ...
API String ID: 2574158308-440645147
Opcode ID: 3f546ea0640dddd2614b9e7f7eeef0fd3adfb1e52661245687f4d8e497d51ce2
Instruction ID: 3eb12728856b874d3b579ff7eec7eac513c5a283012a69722a0932c2ae4208a3
Opcode Fuzzy Hash: 3f546ea0640dddd2614b9e7f7eeef0fd3adfb1e52661245687f4d8e497d51ce2
Instruction Fuzzy Hash: 665166B1A00119EFDF11AF95DC449EE7BB8FF48348F42815AFC58A2150C3399A61DFA8

Function 0042A13D Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 153COMMON

Download Yara Rule

Strings

cM@, xrefs: 0042A2B0, 0042A1F4, 0042A247, 0042A1B8, 0042A1BB, 0042A1FD, 0042A24A, 0042A2B3
cM@, xrefs: 0042A145, 0042A282, 0042A1BE, 0042A200

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID:
String ID: cM@$cM@
API String ID: 0-2597188917
Opcode ID: c55bb7b5f45767b37ce55672006cbb5b6df7fa2e36a9bf73a047a8e860e46f08
Instruction ID: 6c0e8ae59b2c8617950338ab192a9e9e9c4fe04410a4eda50d48c8a708108cc8
Opcode Fuzzy Hash: c55bb7b5f45767b37ce55672006cbb5b6df7fa2e36a9bf73a047a8e860e46f08
Instruction Fuzzy Hash: 4651C47160412AFFDF219F40BC808BE3765EB02314BA085BBFD5192391D6369DA5DB2E

Function 004014A9 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 151processwindowCOMMON

Download Yara Rule

APIs

GetTempPathA.KERNEL32(00000104,?,?), ref: 00401570
GetTempFileNameA.KERNEL32(?,~es,00000000,?), ref: 00401585
WinExec.KERNEL32(?,00000001), ref: 0040160E
MessageBoxA.USER32(00000000,00000000,00000000), ref: 0040162C

Part of subcall function 00429610: DeleteFileA.KERNELBASE(?,00403B78,?,?,00000000,?,00000000,00000000,0042A789,00000000), ref: 00429614
Part of subcall function 00429610: GetLastError.KERNEL32(?,00000000,?,00000000,00000000,0042A789,00000000), ref: 0042961E

Strings

.rtf, xrefs: 00401599
~es, xrefs: 0040157F
write.exe , xrefs: 00401557

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: FileTemp$DeleteErrorExecLastMessageNamePath
String ID: .rtf$write.exe $~es
API String ID: 1272379566-1990357642
Opcode ID: 20bde1e0d29d4a2a2daa1d98bde50545b36f832021ad86216e0223bc718d43c0
Instruction ID: 0e5168aed16c78cb3ecbc5e303b4e02c7600c868f5b4dc9feaab0f2a951fcea4
Opcode Fuzzy Hash: 20bde1e0d29d4a2a2daa1d98bde50545b36f832021ad86216e0223bc718d43c0
Instruction Fuzzy Hash: F44150726092906FE712A770AC96FE67FB4DF0A324F1C00DFF481AA093DA7C49858755

Function 00433609 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 117COMMONLIBRARYCODE

Download Yara Rule

APIs

GetStringTypeW.KERNEL32(00000001,004384E4,00000001,00000000,00000103,00000001,00000000,00432C63,00200020,00000000,?,00000000,00000000,00000001), ref: 00433648
GetStringTypeA.KERNEL32(00000000,00000001,004384E0,00000001,?,?,00000000,00000000,00000001), ref: 00433662
GetStringTypeA.KERNEL32(00000000,00000000,?,00000000,00200020,00000103,00000001,00000000,00432C63,00200020,00000000,?,00000000,00000000,00000001), ref: 00433696
MultiByteToWideChar.KERNEL32(c,C ,00000002,?,00000000,00000000,00000000,00000103,00000001,00000000,00432C63,00200020,00000000,?,00000000,00000000,00000001), ref: 004336CE
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000001), ref: 00433724
GetStringTypeW.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000001), ref: 00433736

Strings

c,C , xrefs: 004336CB

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: StringType$ByteCharMultiWide
String ID: c,C
API String ID: 3852931651-3652846715
Opcode ID: 01873c333122844c1c9623a54caa0a109afb65acc8b0e82712b0bb36b8482594
Instruction ID: 56f2bc46d07a090098222533fac3a7c04484f36e681cad45039ecff5e90e18e6
Opcode Fuzzy Hash: 01873c333122844c1c9623a54caa0a109afb65acc8b0e82712b0bb36b8482594
Instruction Fuzzy Hash: 1D419FB2600219BFCF218F95DC86EAF7F79FB09725F10552AF911D2260C3399A50DB98

Function 00401528 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 96processwindowCOMMON

Download Yara Rule

APIs

GetTempPathA.KERNEL32(00000104,?,?), ref: 00401570
GetTempFileNameA.KERNEL32(?,~es,00000000,?), ref: 00401585
WinExec.KERNEL32(?,00000001), ref: 0040160E
MessageBoxA.USER32(00000000,00000000,00000000), ref: 0040162C

Part of subcall function 00429610: DeleteFileA.KERNELBASE(?,00403B78,?,?,00000000,?,00000000,00000000,0042A789,00000000), ref: 00429614
Part of subcall function 00429610: GetLastError.KERNEL32(?,00000000,?,00000000,00000000,0042A789,00000000), ref: 0042961E

Strings

.rtf, xrefs: 00401599
~es, xrefs: 0040157F
write.exe , xrefs: 00401557

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: FileTemp$DeleteErrorExecLastMessageNamePath
String ID: .rtf$write.exe $~es
API String ID: 1272379566-1990357642
Opcode ID: 7f640dc2ee8656bccc0ea9f5ae422c780feec7d3facbb68349470f10e415a245
Instruction ID: 89bb8e5d18483cf0ad5e32162d70871aa6a4d41981e303e79834bb1060342ad6
Opcode Fuzzy Hash: 7f640dc2ee8656bccc0ea9f5ae422c780feec7d3facbb68349470f10e415a245
Instruction Fuzzy Hash: 15210772B002147AEB21B761AC86FEB33ACDB48714F50006FF541F60C2EAB85D848B6C

Function 0041669F Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 61windowstringCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000014B,00000000,00000000), ref: 004166BF
lstrlenA.KERNEL32(?), ref: 00416702
SendMessageA.USER32(?,00000143,00000000,00000025), ref: 00416720
SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00416732
SetFocus.USER32(?), ref: 00416744

Strings

%, xrefs: 00416708
Page %d of %d, xrefs: 00416738

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: MessageSend$Focuslstrlen
String ID: Page %d of %d$%
API String ID: 2565912116-1893957304
Opcode ID: 8974fca64ede159e9ee7721eeb9e7aabbacf9bc444e83687fba543ee410ccd8a
Instruction ID: ca278bff00f2b2b1b663b81af0082864a3f1f400b062a2674e89f7e03e558202
Opcode Fuzzy Hash: 8974fca64ede159e9ee7721eeb9e7aabbacf9bc444e83687fba543ee410ccd8a
Instruction Fuzzy Hash: 3A1124B1900208FFDB10DF94DD85BEEBFB8EB14305F104076E905A6190D7B49E95DB95

Function 00414F45 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

GetStockObject.GDI32(0000000C), ref: 00414F7E
SelectObject.GDI32(00000385,00000000), ref: 00414F8E
SetBkMode.GDI32(00000385,00000001), ref: 00414F97
SetTextColor.GDI32(00000385,00000000), ref: 00414FA2
DrawTextExA.USER32(00000385,&Close,00000006,?,00000001,00000000), ref: 00414FBE
SelectObject.GDI32(00000385,00000000), ref: 00414FC8

Strings

&Close, xrefs: 00414FB6

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Object$SelectText$ColorDrawModeStock
String ID: &Close
API String ID: 2841674865-1960123989
Opcode ID: 0260ac72d5c9dfdd76815dc53d0bb2b0eebab436897c2a045f91f2102fb86215
Instruction ID: f1fe4e8140b0158f4c4efc02e008f2098ea084485be8a7f418e3145803faec5b
Opcode Fuzzy Hash: 0260ac72d5c9dfdd76815dc53d0bb2b0eebab436897c2a045f91f2102fb86215
Instruction Fuzzy Hash: D611A031208700AFE7345F24DC09FA777B4FB88750F10093AF282856E0C6B5AC96DB29

Function 0042FCAA Relevance: 12.1, APIs: 8, Instructions: 132COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,0042A73F), ref: 0042FCC5
GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,0042A73F), ref: 0042FCD9
GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,0042A73F), ref: 0042FD05
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,0042A73F), ref: 0042FD3D
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,0042A73F), ref: 0042FD5F
FreeEnvironmentStringsW.KERNEL32(00000000,?,00000000,?,?,?,?,0042A73F), ref: 0042FD78
GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,0042A73F), ref: 0042FD8B
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 0042FDC9

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: EnvironmentStrings$ByteCharFreeMultiWide
String ID:
API String ID: 1823725401-0
Opcode ID: b6fc58de17fe3cce5aea74dd43253c492548af9d8d7631a3f3ede5445292ae59
Instruction ID: 30c928e22e57fe89dd39ea785f6119240fdda97fc49dfef4933bea914b54fd48
Opcode Fuzzy Hash: b6fc58de17fe3cce5aea74dd43253c492548af9d8d7631a3f3ede5445292ae59
Instruction Fuzzy Hash: FD31D4B37182396F97202FB57C8483BBABCEA453587D5043BF583C3301E6295C4986AD

Function 00434AF0 Relevance: 12.1, APIs: 1, Strings: 7, Instructions: 97stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?), ref: 00434B02

Strings

&#x%2.2X;, xrefs: 00434B90
 , xrefs: 00434B79
&, xrefs: 00434B62
', xrefs: 00434B59
", xrefs: 00434B6B
<, xrefs: 00434B50
>, xrefs: 00434B47

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: lstrlen
String ID: &#x%2.2X;$&$'$>$<$ $"
API String ID: 1659193697-2875783524
Opcode ID: 0788ff829e3c5a41d336be006852dd68b3de3753396b669678eb789436281c62
Instruction ID: f48624fb74ec0349d219cd0ef29b45ab6f78a5c58dd65b2d168ab5e264da2f92
Opcode Fuzzy Hash: 0788ff829e3c5a41d336be006852dd68b3de3753396b669678eb789436281c62
Instruction Fuzzy Hash: E1218D212045199BEB349E58C8C9BF6F7A4EFC8301F64254BE581C72A5D65CFC818A5E

Function 00425F1E Relevance: 12.1, APIs: 8, Instructions: 62stringCOMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00425F2C
GetStockObject.GDI32(0000000C), ref: 00425F37
SelectObject.GDI32(?,00000000), ref: 00425F41
GetTextMetricsA.GDI32(?,?), ref: 00425F51
lstrlenA.KERNEL32(?,?), ref: 00425F78
GetTextExtentPointA.GDI32(?,?,00000000), ref: 00425F89
SelectObject.GDI32(?,?), ref: 00425FBE
ReleaseDC.USER32(?,?), ref: 00425FCA

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Object$SelectText$ExtentMetricsPointReleaseStocklstrlen
String ID:
API String ID: 2128506940-0
Opcode ID: 2e01e1100cfdbaff37b6518e83b5abc97a2743edecaf31b76ef52c78f0a22f21
Instruction ID: cbd107bdaa16140d7727be117c50493f5690b156e25805ba2791cbcc93628729
Opcode Fuzzy Hash: 2e01e1100cfdbaff37b6518e83b5abc97a2743edecaf31b76ef52c78f0a22f21
Instruction Fuzzy Hash: 9E2177B1900605EFCB21DF98DD89C9EBBF4FF08304B008469F68A93620C730AA50DF94

Function 004262C6 Relevance: 12.0, APIs: 8, Instructions: 44COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000014), ref: 004262D7
CreateSolidBrush.GDI32(00000000), ref: 004262E0
GetSysColor.USER32(00000010), ref: 004262E6
CreateSolidBrush.GDI32(00000000), ref: 004262E9
SetRect.USER32(?,?,?,?,?), ref: 00426301
FillRect.USER32(?,?,00000000), ref: 0042630F
DeleteObject.GDI32(00000000), ref: 0042631C
DeleteObject.GDI32(00000000), ref: 0042631F

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: BrushColorCreateDeleteObjectRectSolid$Fill
String ID:
API String ID: 3072689239-0
Opcode ID: 1d4366469e48f6ea5d14516b072ac24cf878326ee6ff1d058b48c5a8fb8379be
Instruction ID: 310a8944cad25787f3cf70a30e52ee2f2541f8dfdc6d3694031826c785698fe8
Opcode Fuzzy Hash: 1d4366469e48f6ea5d14516b072ac24cf878326ee6ff1d058b48c5a8fb8379be
Instruction Fuzzy Hash: F0F04FB290421E7FDF10ABA4DC88DAF7BACEB88354B040426FA45D3251DA75AC01DBB4

Function 00407C7F Relevance: 12.0, APIs: 8, Instructions: 26COMMONLIBRARYCODE

Download Yara Rule

APIs

DeleteObject.GDI32(?), ref: 00407C95
DeleteObject.GDI32(?), ref: 00407C9D
DeleteObject.GDI32(?), ref: 00407CA5
DeleteObject.GDI32(?), ref: 00407CAD
DeleteObject.GDI32(?), ref: 00407CB5
DeleteObject.GDI32(?), ref: 00407CBD
DeleteObject.GDI32(?), ref: 00407CC5
DeleteObject.GDI32(?), ref: 00407CCD

Part of subcall function 00417744: DestroyWindow.USER32(?,00407CD6,?,?,00407B5C), ref: 0041774D

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: DeleteObject$DestroyWindow
String ID:
API String ID: 409195656-0
Opcode ID: 9f2fb235cc912e1f8a2d11801da08a3c9604fc29b34a4ac1d48ebfd100617dcb
Instruction ID: cca48cdd7ecf649fc893a852a754ed195b5b3104443d766d383f853376f26377
Opcode Fuzzy Hash: 9f2fb235cc912e1f8a2d11801da08a3c9604fc29b34a4ac1d48ebfd100617dcb
Instruction Fuzzy Hash: 7CE07D31105A58ABCB763B36DC09ECFBFA6FFC5310F16586DE0AA511308A752851EE54

Function 00432110 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 230fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000001,80000000,?,0000000C,00000001,00000080,00000000,?,00000000,00000000), ref: 004322BC
GetFileType.KERNEL32(00000000), ref: 004322C9
CloseHandle.KERNEL32(00000000), ref: 004322D4
GetLastError.KERNEL32 ref: 004322DA

Strings

@, xrefs: 004322F3
H, xrefs: 00432329

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: File$CloseCreateErrorHandleLastType
String ID: @$H
API String ID: 1809617866-104103126
Opcode ID: 6e331775426153c9deff17774ffe4d19269ef410aadfa8cebad1db2a694c2385
Instruction ID: 8460b7c5a24d20f1e3a3b0a76cae69dc2bcd326aad5ccde95073623bade7673a
Opcode Fuzzy Hash: 6e331775426153c9deff17774ffe4d19269ef410aadfa8cebad1db2a694c2385
Instruction Fuzzy Hash: B0812B7190820557EF208F68CF847AF7B60AB0A324F24625BEE51663D1C3FC8945DB5E

Function 004162C9 Relevance: 10.7, APIs: 7, Instructions: 175windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00416343
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00416399
SendMessageA.USER32(?,00000148,00000000,?), ref: 004163B7
__ftol.LIBCMT ref: 004163D1
GetParent.USER32(?), ref: 004164B4
SetWindowLongA.USER32(?,00000000), ref: 004164E4
DefWindowProcA.USER32(?,?,?,?), ref: 004164F4

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: MessageParentSendWindow$LongProc__ftol
String ID:
API String ID: 15107494-0
Opcode ID: acd5bf23037317a709aced391d83ae9e94d0c1328b026325243307a12e43e015
Instruction ID: a9c46a17e9371baf6d6d911bbb9b7c31d75b9327cc1b4ae2ae2e75e01433c5e8
Opcode Fuzzy Hash: acd5bf23037317a709aced391d83ae9e94d0c1328b026325243307a12e43e015
Instruction Fuzzy Hash: FD51B071604605EBCB21DF69DC44AEB7BB4FF88314F11442EF95A87290CB38D981DB59

Function 0041B7D9 Relevance: 10.6, APIs: 7, Instructions: 89COMMON

Download Yara Rule

APIs

GetClientRect.USER32(000000FF,?), ref: 0041B7EE
GetDC.USER32(000000FF), ref: 0041B806
GetStockObject.GDI32(0000000C), ref: 0041B811
SelectObject.GDI32(?,00000000), ref: 0041B81B
GetTextMetricsA.GDI32(?,?), ref: 0041B82B
SelectObject.GDI32(?,?), ref: 0041B8AC
ReleaseDC.USER32(000000FF,?), ref: 0041B8B8

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Object$Select$ClientMetricsRectReleaseStockText
String ID:
API String ID: 706300301-0
Opcode ID: d6e33794777ba345fd1ad6e05c1daa43772e7954820377a3e40a992f0afe70ec
Instruction ID: 0569c2cfd69772c965fb7d890686f781837987bea099bfcb7fc1540d2c61c6c6
Opcode Fuzzy Hash: d6e33794777ba345fd1ad6e05c1daa43772e7954820377a3e40a992f0afe70ec
Instruction Fuzzy Hash: C331D675900209EFDF15DFA8D888EDEBBB8FF08310F10816AF915AB260D734AA44DB54

Function 00415F64 Relevance: 10.6, APIs: 7, Instructions: 84windowCOMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000000,?,?,004153AC,?,00000001,00000001), ref: 00415FA4
SendMessageA.USER32(?,00000401,00000035,00000000), ref: 00415FC9
SendMessageA.USER32(?,00000401,00000035,00000001), ref: 00415FE6
SendMessageA.USER32(?,00000401,00000036,00000001), ref: 00415FF5
SendMessageA.USER32(?,00000401,00000038,00000000), ref: 00416012
SendMessageA.USER32(?,00000401,00000038,00000001), ref: 00416024
SendMessageA.USER32(?,00000401,00000037,00000001), ref: 00416033

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: MessageSend$InvalidateRect
String ID:
API String ID: 2778011698-0
Opcode ID: 54e288feebe3c5e9f92f7bd3396928d28a1cbe5f23bb86f537fdde348f858e18
Instruction ID: 631a0fd93663b0705f56bb5366e976c3a96a86e74947a2826b69b9343d830a03
Opcode Fuzzy Hash: 54e288feebe3c5e9f92f7bd3396928d28a1cbe5f23bb86f537fdde348f858e18
Instruction Fuzzy Hash: 8F217C71248B08AFD6319A20CC84FE7B7E9EB98744F01082DF65A9B1A0CB72BC45DB14

Function 00425E5A Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 77stringCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00425E6F
GetParent.USER32(?), ref: 00425E7C
GetClassNameA.USER32(00000000), ref: 00425E7F
lstrcmpiA.KERNEL32(?,combobox), ref: 00425E8E
GetParent.USER32(?), ref: 00425E99

Part of subcall function 00425DE6: GetClassNameA.USER32(?,?,00000040), ref: 00425E09
Part of subcall function 00425DE6: lstrcmpiA.KERNEL32(?,combobox), ref: 00425E18
Part of subcall function 00425DE6: GetWindow.USER32(?,00000005), ref: 00425E2D

Strings

combobox, xrefs: 00425E88

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Parent$ClassNamelstrcmpi$Window
String ID: combobox
API String ID: 178677527-2240613097
Opcode ID: ea4036fd5ae7d6f0f5769ff36ddb2c7a2d85dd31077794934471c72e60dac867
Instruction ID: 059ebc30956034494f68d514db3f62cbbe3d1778279c4ac6d8ffa5ae89bf58f1
Opcode Fuzzy Hash: ea4036fd5ae7d6f0f5769ff36ddb2c7a2d85dd31077794934471c72e60dac867
Instruction Fuzzy Hash: D2215071B00628BB8B10AFA6ED85D9FBBADEB44740B918027F805E3241D778DE01CB58

Function 004184D7 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 76COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004184DC

Part of subcall function 0041AC92: LoadCursorA.USER32(00000000,00007F02), ref: 0041ACA2
Part of subcall function 0041AC92: SetCursor.USER32(00000000,?,004184F0), ref: 0041ACA9

SetActiveWindow.USER32(?), ref: 004184FF
ShowWindow.USER32(?,00000005), ref: 00418593
SetCursor.USER32 ref: 004185A6

Strings

Page Setup, xrefs: 00418549
4}C, xrefs: 0041859F

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Cursor$Window$ActiveH_prologLoadShow
String ID: 4}C$Page Setup
API String ID: 330486087-996107671
Opcode ID: c044b952e357edcb600b8e785996c61028e5a572559f6a996658c80f1565d911
Instruction ID: 9462e64c956223d759c1d1a6a7e20c83cb72b2f8fb6c2671323e5be1824a0aed
Opcode Fuzzy Hash: c044b952e357edcb600b8e785996c61028e5a572559f6a996658c80f1565d911
Instruction Fuzzy Hash: 7C219F71600605EFCB259F65D885AAEBBE1EF08304F10886FF556972A1DB789D40CB49

Function 004038F2 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 70stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00409A82: __EH_prolog.LIBCMT ref: 00409A87

lstrcpyA.KERNEL32(?,pnxtrvu.ini), ref: 004039CF
SetRect.USER32(?,00000014,00000014,000002A8,00000230), ref: 004039E6
lstrcpyA.KERNEL32(?,c:\), ref: 00403A25

Strings

(uC, xrefs: 004038F2
c:\, xrefs: 00403A0D
pnxtrvu.ini, xrefs: 0040395D

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: lstrcpy$H_prologRect
String ID: (uC$c:\$pnxtrvu.ini
API String ID: 803513713-3135303394
Opcode ID: f8d2f1af00016c7ee3cf5159b72ddca493d38c7a6f1ae303e572e522fc400986
Instruction ID: 8c9a99b68a2ff0b48c35676d132d424013bfd4e2934dc67910cef919350e0e15
Opcode Fuzzy Hash: f8d2f1af00016c7ee3cf5159b72ddca493d38c7a6f1ae303e572e522fc400986
Instruction Fuzzy Hash: B931F1B1901B00AFD3248F6A88817D3FBE8FB49312F90592ED2EE92290D7743200CF54

Function 00432EF6 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000001,?,2I@,?,2I@,?,?,762283C0,00404932,TEMP,?), ref: 00432F25
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000,?,?,762283C0,00404932,TEMP,?), ref: 00432F38
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000,?,?,762283C0,00404932,TEMP,?), ref: 00432F84
CompareStringW.KERNEL32(?,?,?,?,?,00000000,?,00000000,?,?,762283C0,00404932,TEMP,?), ref: 00432F9C

Strings

2I@, xrefs: 00432F11
2I@, xrefs: 00432F17

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: ByteCharMultiWide$CompareString
String ID: 2I@$2I@
API String ID: 376665442-2381108387
Opcode ID: 82a3a9a73cc9a7a3da8ed9652f34ac39311b7852f960ad7dd02b139364fe7aac
Instruction ID: b1f2d485d2a4e32e7d271f44cd4ef87812363634610574d76781a31cd7d910bb
Opcode Fuzzy Hash: 82a3a9a73cc9a7a3da8ed9652f34ac39311b7852f960ad7dd02b139364fe7aac
Instruction Fuzzy Hash: CB211572900259EFCF218F94CD419DEBFB5FF48364F14426AFA1062260C3769962EFA4

Function 00423497 Relevance: 10.6, APIs: 7, Instructions: 66COMMON

Download Yara Rule

APIs

StartPage.GDI32(?), ref: 004234A3
SetBkMode.GDI32(?,00000001), ref: 004234B1
SetTextColor.GDI32(?,00FFFFFF), ref: 004234E6
MoveToEx.GDI32(?,00000200,00000200,00000000), ref: 004234F9
LineTo.GDI32(?,00000201,00000201), ref: 0042350C
SetTextColor.GDI32(?,00000000), ref: 00423519

Part of subcall function 00416935: GetTickCount.KERNEL32 ref: 00416943
Part of subcall function 00416935: GetTickCount.KERNEL32 ref: 00416952
Part of subcall function 00416935: PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 0041696A
Part of subcall function 00416935: TranslateMessage.USER32(?), ref: 00416974
Part of subcall function 00416935: DispatchMessageA.USER32(?), ref: 0041697E

EndPage.GDI32(?), ref: 00423526

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Message$ColorCountPageTextTick$DispatchLineModeMovePeekStartTranslate
String ID:
API String ID: 3563606782-0
Opcode ID: 9130891bf321b2f6d68826f019438c830dbf39de67e2ef88db08618055b3ab32
Instruction ID: a0fa751b28921e40663687ac8e6466d5e69a5af2f35a17b41ed743fb20c3fbd8
Opcode Fuzzy Hash: 9130891bf321b2f6d68826f019438c830dbf39de67e2ef88db08618055b3ab32
Instruction Fuzzy Hash: A8118E71204604BFDB215F64EC48FEBBBB9EF18310F000429F9DA92270CBB5AC919B64

Function 0041AD0D Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 61registryCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041AD12
GetStockObject.GDI32(00000000), ref: 0041AD83
RegisterClassA.USER32(00000002), ref: 0041AD9A
LoadCursorA.USER32(000002A7), ref: 0041ADAB

Strings

WordIndexWndClass, xrefs: 0041AD93
8}C, xrefs: 0041AD52

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: ClassCursorH_prologLoadObjectRegisterStock
String ID: 8}C$WordIndexWndClass
API String ID: 1816707620-85494816
Opcode ID: a989f0260ded16845653d9a8d50730a0a0e117fd57fe0fd30b3228d5cf04906d
Instruction ID: 30045d4f7855c4e443dff4b4acfbd4e33d460d0f1e317b5c45f94d962b703601
Opcode Fuzzy Hash: a989f0260ded16845653d9a8d50730a0a0e117fd57fe0fd30b3228d5cf04906d
Instruction Fuzzy Hash: 092104F19007049FC720DFAAD98569EFBF8EF99304F00842FE699A6211D7B81504CF69

Function 0040EAE4 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 52stringCOMMON

Download Yara Rule

APIs

_lopen.KERNEL32(?,00000020), ref: 0040EAF0
_llseek.KERNEL32(00000000,000000E4,00000002), ref: 0040EB10
_hread.KERNEL32(00000000,?,00000010), ref: 0040EB1D
lstrcmpiA.KERNEL32(?,?), ref: 0040EB4B
_lclose.KERNEL32(00000000), ref: 0040EB59

Strings

p"v, xrefs: 0040EB02

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: _hread_lclose_llseek_lopenlstrcmpi
String ID: p"v
API String ID: 2166762341-2250726858
Opcode ID: 292c57e4bbb89982ccf9aae78dd83483d0dc7ca8d46a05ac606b4e005b4a332b
Instruction ID: 51761b51d829a774e3632983badfc7ff792bfde4628411bdf2fbcd0a1cc891b5
Opcode Fuzzy Hash: 292c57e4bbb89982ccf9aae78dd83483d0dc7ca8d46a05ac606b4e005b4a332b
Instruction Fuzzy Hash: 4801F57380411CBBDF10EBA4DC0DEEE77BCDB05324F004226FA12E21A1D7349A009768

Function 0041652D Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 51registryCOMMON

Download Yara Rule

APIs

LoadCursorA.USER32(00000000,00007F00), ref: 00416566
RegisterClassA.USER32(?), ref: 0041657C
LoadCursorA.USER32(00000000,00007F00), ref: 004165A7
RegisterClassA.USER32(?), ref: 004165BD

Strings

PnxPreviewCtrWnd, xrefs: 004165B6
PnxPreviewWnd, xrefs: 00416575

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: ClassCursorLoadRegister
String ID: PnxPreviewCtrWnd$PnxPreviewWnd
API String ID: 1693014935-539333512
Opcode ID: e94e8c8f186db150047ebe0808545dbcb41bad766446233f727865f120973706
Instruction ID: 265b8aa65efa0d16e62fd0588d125000d89b880cb039d572952bac5b1397038d
Opcode Fuzzy Hash: e94e8c8f186db150047ebe0808545dbcb41bad766446233f727865f120973706
Instruction Fuzzy Hash: 0C119CB1D11228ABCB10CFDAE885ACEBBF8FB49710F10512BE604A6250D7B455458FA8

Function 00416080 Relevance: 9.2, APIs: 6, Instructions: 172windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0041614F
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00416198
SendMessageA.USER32(?,00000148,00000000,?), ref: 004161B6
__ftol.LIBCMT ref: 004161D0
SetWindowLongA.USER32(?,00000000), ref: 00416281
DefWindowProcA.USER32(?,?,?,?), ref: 00416291

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: MessageSendWindow$LongParentProc__ftol
String ID:
API String ID: 3478141048-0
Opcode ID: b03fd6988ae861b6986e0d2ceda455f4d52d9cc88354b442719dd0420bc3a400
Instruction ID: 8ccba7718bdc44415d320d32a75501a2a096f5b78ad4a7539c39ab1feec2f2a1
Opcode Fuzzy Hash: b03fd6988ae861b6986e0d2ceda455f4d52d9cc88354b442719dd0420bc3a400
Instruction Fuzzy Hash: B951A072204615EFDB21DF64DC44EFB77A8FB48304F05091AF95AC6291CB38E891DB59

Function 0041DA04 Relevance: 9.1, APIs: 6, Instructions: 115COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 0041DA2A
GetDC.USER32(?), ref: 0041DA33
SelectObject.GDI32(00000000,?), ref: 0041DA40
GetTextMetricsA.GDI32(?,?), ref: 0041DA50
SelectObject.GDI32(?,?), ref: 0041DB2B
ReleaseDC.USER32(?,?), ref: 0041DB37

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: ObjectSelect$ClientMetricsRectReleaseText
String ID:
API String ID: 3867337699-0
Opcode ID: 32a30d3cff92dd6975636e27bfcf35d0179d615ddfa8e0b2cf30ecae60008dc2
Instruction ID: daca1f2b99feeac109d88a535b67dff082b9a8570e26b87c365701f483ecbcfd
Opcode Fuzzy Hash: 32a30d3cff92dd6975636e27bfcf35d0179d615ddfa8e0b2cf30ecae60008dc2
Instruction Fuzzy Hash: 3E4149B1D04209EFCF11DFA4C8449FEBBB9FF48344F10846AE556A7260D735AA45CBA4

Function 00416D18 Relevance: 9.1, APIs: 6, Instructions: 84COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000000), ref: 00416D29
GetSystemMetrics.USER32(00000001), ref: 00416D30
GetDesktopWindow.USER32 ref: 00416D3B
GetWindowRect.USER32(?,?), ref: 00416D51
GetWindowRect.USER32(00000000,?), ref: 00416D66
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00416DCB

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Window$MetricsRectSystem$DesktopMove
String ID:
API String ID: 1445645410-0
Opcode ID: 7541982c7b9581dd7087a64f86910e52b7f4c9e2cf818646124077db85a8bb75
Instruction ID: 6e6b27899317e0736f14ab92190a4db21f219cf176277ebf8c48fd9c9733da6a
Opcode Fuzzy Hash: 7541982c7b9581dd7087a64f86910e52b7f4c9e2cf818646124077db85a8bb75
Instruction Fuzzy Hash: C2214C75B0020AAFCF04CEB9DD84AEE7BB5EB88315F158039E909E7244DA74E9818B54

Function 0041BA52 Relevance: 9.1, APIs: 6, Instructions: 75COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 0041BA64
InvalidateRect.USER32(?,00000000,00000001), ref: 0041BAA2
SetScrollPos.USER32(?,00000001,00000000,00000001), ref: 0041BAAF
SetScrollPos.USER32(?,00000001,?,00000001), ref: 0041BACD
InvalidateRect.USER32(?,00000000,00000001), ref: 0041BADF
UpdateWindow.USER32(?), ref: 0041BAFB

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Rect$InvalidateScroll$ClientUpdateWindow
String ID:
API String ID: 2610322746-0
Opcode ID: 5e976f881fbfd72b37f8274cadf0f16dd3249562eae8fd7308e452870158ea3f
Instruction ID: 4dcbc449fa691a7750499e2077c2e711c9dd26452e32f1dbea7e52cb17fcd9d2
Opcode Fuzzy Hash: 5e976f881fbfd72b37f8274cadf0f16dd3249562eae8fd7308e452870158ea3f
Instruction Fuzzy Hash: 8921B4B0294705AFEB209B64CC89FFB76ACFF00791F540416B656D51D1C7F8A880D6AD

Function 0042698F Relevance: 9.1, APIs: 6, Instructions: 63windowCOMMON

Download Yara Rule

APIs

CreateDialogParamA.USER32(?,?,?,?,00000000), ref: 004269BF
GetClientRect.USER32(?,?), ref: 004269D5
MoveWindow.USER32(00000000,00000011,?,?,?,00000001), ref: 004269F7
ShowWindow.USER32(00000000,00000005,00000000,?,00000000,000002A5), ref: 00426A0C
ShowWindow.USER32(?,00000000), ref: 00426A18
SetFocus.USER32(00000000), ref: 00426A1E

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Window$Show$ClientCreateDialogFocusMoveParamRect
String ID:
API String ID: 711945400-0
Opcode ID: 58aad92e4b91ab8750a4a1b11ffe64da12abdcfa380bc2ef3f1c645f1495a0ff
Instruction ID: 0268c966e1009368f878f118b1a4abb31f96858f235ec859a5005231e1c68273
Opcode Fuzzy Hash: 58aad92e4b91ab8750a4a1b11ffe64da12abdcfa380bc2ef3f1c645f1495a0ff
Instruction Fuzzy Hash: EF11C4B2200304AFD7209F69DC85E6BBBEDEF58710B05052AFA47D3262D670EC00CB28

Function 00410EA8 Relevance: 9.1, APIs: 6, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

GlobalHandle.KERNEL32(?), ref: 00410EC5
GlobalUnlock.KERNEL32(00000000,?,?,00410F52,?), ref: 00410EC8
GlobalHandle.KERNEL32(?), ref: 00410EDA
GlobalReAlloc.KERNEL32(00000000), ref: 00410EDD
GlobalLock.KERNEL32(00000000,?,?,00410F52,?), ref: 00410EE4
CharUpperA.USER32(?,?,?,00410F52,?), ref: 00410EFC

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Global$Handle$AllocCharLockUnlockUpper
String ID:
API String ID: 4211404105-0
Opcode ID: cb886916f7c55d1133f19df2847b9bf95eaa6f10f5d22f08c19a85a9ec6ae0a0
Instruction ID: cf67e8a809c4ace78b47eea1217399f5bf0e94b19664466342913ab8ef342d57
Opcode Fuzzy Hash: cb886916f7c55d1133f19df2847b9bf95eaa6f10f5d22f08c19a85a9ec6ae0a0
Instruction Fuzzy Hash: EB1114B15007029FD7308F2AD884A53BBF5EB44315B10896EE49A87B61C7B8E886CF94

Function 00418381 Relevance: 9.1, APIs: 3, Strings: 3, Instructions: 54stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004182F4: LoadStringA.USER32(00001A64,?,00000020), ref: 0041832C
Part of subcall function 004182F4: LoadStringA.USER32(00001A66,?,00000020), ref: 0041833F

lstrcpyA.KERNEL32(?,Layout,?), ref: 004183A9
lstrcpyA.KERNEL32(?,Text), ref: 004183B4
lstrcpyA.KERNEL32(?,Advanced), ref: 004183C5

Strings

Text, xrefs: 004183AE
Layout, xrefs: 004183A3
Advanced, xrefs: 004183BC

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: lstrcpy$LoadString
String ID: Advanced$Layout$Text
API String ID: 2270206385-1855523771
Opcode ID: b9a18a27a3aa8b406a097278ab7523e9960c51094846cd18b8f6274b83933ffe
Instruction ID: e505fab056386b24d75c996278c193c7f718295b096bc15464968ed3b490a53b
Opcode Fuzzy Hash: b9a18a27a3aa8b406a097278ab7523e9960c51094846cd18b8f6274b83933ffe
Instruction Fuzzy Hash: 5511E4B1A01B05AFC711DF6AC9C8986FBE8BF58308710882FD14A8B611D7B5F459CB94

Function 0041426E Relevance: 9.0, APIs: 6, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00414273
DeleteObject.GDI32(?), ref: 004142AC
DeleteObject.GDI32(?), ref: 004142B1
DeleteObject.GDI32(?), ref: 004142B6
DeleteObject.GDI32(?), ref: 004142BB
DestroyCursor.USER32(?), ref: 004142C0

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: DeleteObject$CursorDestroyH_prolog
String ID:
API String ID: 434556251-0
Opcode ID: cacf921051ad3a6b1d7240a0e6d9e5033b88e6646d266a44c0c9e3a6157d7f54
Instruction ID: 0e7361507eb8628596049cf1a290dba374992760773ff85ae41c74426b0d83b7
Opcode Fuzzy Hash: cacf921051ad3a6b1d7240a0e6d9e5033b88e6646d266a44c0c9e3a6157d7f54
Instruction Fuzzy Hash: AF01A130610754DFCB25AF66C809A9FBBB5EFC4314F10496EE092976A0CBB8AC41CF54

Function 00407A8D Relevance: 9.0, APIs: 6, Instructions: 41stringCOMMON

Download Yara Rule

APIs

lstrcpyA.KERNEL32(?,?), ref: 00407AA4
lstrlenA.KERNEL32(?), ref: 00407AB7
lstrlenA.KERNEL32(?), ref: 00407AC4
lstrlenA.KERNEL32(?), ref: 00407AD7
lstrlenA.KERNEL32(?), ref: 00407AEA
SetWindowTextA.USER32(?,?), ref: 00407B0A

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: lstrlen$TextWindowlstrcpy
String ID:
API String ID: 3464547807-0
Opcode ID: c96d02368233a5eee18a3ad5d71173254907aaefab841d4ec7b1fb2a3e36b98a
Instruction ID: d32f8d357c40824f46a0e9f09ee775353c0a8c075854890c43b68d75eba4cf46
Opcode Fuzzy Hash: c96d02368233a5eee18a3ad5d71173254907aaefab841d4ec7b1fb2a3e36b98a
Instruction Fuzzy Hash: 95012575D0821D6ADF61E7A4DC08BEE7BECBB44310F1484B69584D2140DA74AA4DCFE5

Function 00428B50 Relevance: 9.0, APIs: 6, Instructions: 36memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000042,00000010,76933EB0,0042900B,00447200,00000000,00000010,?,?,?), ref: 00428B55
GlobalLock.KERNEL32(00000000,?,?,?), ref: 00428B5C

Part of subcall function 00428DB0: GlobalAlloc.KERNEL32(00000042,00000010,00428B82,?,?,?,?), ref: 00428DB4
Part of subcall function 00428DB0: GlobalLock.KERNEL32(00000000,?,?,?), ref: 00428DBB

GlobalHandle.KERNEL32(00000000), ref: 00428B94
GlobalUnlock.KERNEL32(00000000,?,?,?,?), ref: 00428B97
GlobalHandle.KERNEL32(00000000), ref: 00428B9E
GlobalFree.KERNEL32(00000000), ref: 00428BA1

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Global$AllocHandleLock$FreeUnlock
String ID:
API String ID: 2354309331-0
Opcode ID: b4a9161a6d891504c437656afe67022b6c244ba79bf2ae6472b2a11918f1b97c
Instruction ID: 51703ef101f8e7dbffef4280d6a027348968e82bd0fb4a51e81ceb0c886a8664
Opcode Fuzzy Hash: b4a9161a6d891504c437656afe67022b6c244ba79bf2ae6472b2a11918f1b97c
Instruction Fuzzy Hash: 9BF030F26057215BDB206F75BC08E8B7BE8AF85710B414429F985D3710DB78E8418B98

Function 00416CAB Relevance: 9.0, APIs: 6, Instructions: 33COMMON

Download Yara Rule

APIs

GetDC.USER32(00000001), ref: 00416CB7
GetStockObject.GDI32(0000000C), ref: 00416CC1
SelectObject.GDI32(00000000,00000000), ref: 00416CCF
GetTextMetricsA.GDI32(00000000,?), ref: 00416CD8
SelectObject.GDI32(00000000,00000000), ref: 00416CE0
ReleaseDC.USER32(00000001,00000000), ref: 00416CE6

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Object$Select$MetricsReleaseStockText
String ID:
API String ID: 3540026775-0
Opcode ID: 3eca307554a3baf37b02b4af9c8ae3b05bc119b5559154845373cec3ac2ac9f0
Instruction ID: fe478a015b96522aa787beb6b6f7e2ad1797449e0ab88d9fbd4bc7e97a0070b6
Opcode Fuzzy Hash: 3eca307554a3baf37b02b4af9c8ae3b05bc119b5559154845373cec3ac2ac9f0
Instruction Fuzzy Hash: 49F03072504008BBE7116BA5EC88CAF7FBCDB89695B004022FA45D6160D7309841DBF4

Function 00412D66 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 151stringCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00412D6B
lstrcpyA.KERNEL32(00000000,?), ref: 00412E03
lstrcatA.KERNEL32(00000000,?), ref: 00412E1F

Strings

Save As , xrefs: 00412E5D
QAA, xrefs: 00412D7E

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: H_prologlstrcatlstrcpy
String ID: QAA$Save As
API String ID: 1260663600-4051652275
Opcode ID: ebf7f0f8d2666cadae7e531aee0aa205736cedbf6149e82fc4e22f71b5526468
Instruction ID: 8a9c1b373d580684919e6718cdd791cba652367444346c0b4dc55a28f1fbf685
Opcode Fuzzy Hash: ebf7f0f8d2666cadae7e531aee0aa205736cedbf6149e82fc4e22f71b5526468
Instruction Fuzzy Hash: 2A517E71B042299EDB15EF65DC41BEEBBB4AF09308F50419EF409E2181DB785E84CF5A

Function 0042C853 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 139fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,00000000,00000000,00000001,00000000,?), ref: 0042C92B

Strings

$uC, xrefs: 0042C8DA, 0042C93F, 0042C8E5

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: FileWrite
String ID: $uC
API String ID: 3934441357-2107157175
Opcode ID: e19963a3b30c727fddbfef5babaa5653edbedc006450c84b9cf5d31ab01dc5ba
Instruction ID: d1ae1cdd3427ea045db711e12ad2f8c32e0632df0437e59432ff7e5423969eb1
Opcode Fuzzy Hash: e19963a3b30c727fddbfef5babaa5653edbedc006450c84b9cf5d31ab01dc5ba
Instruction Fuzzy Hash: 5451D2B1A00218EFCB11CF68D8C4AAE7BB4FF46344FA0816BE555DB250D774D980CB59

Function 0042DB0C Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32 ref: 0042DB2B
GetEnvironmentVariableA.KERNEL32(__MSVCRT_HEAP_SELECT,?,00001090), ref: 0042DB60
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0042DBC0

Strings

__GLOBAL_HEAP_SELECTED, xrefs: 0042DB9A
__MSVCRT_HEAP_SELECT, xrefs: 0042DB5B

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: EnvironmentFileModuleNameVariableVersion
String ID: __GLOBAL_HEAP_SELECTED$__MSVCRT_HEAP_SELECT
API String ID: 1385375860-4131005785
Opcode ID: 490722ed36e1c82266166a1aa3f974a438b1e89a0d15280e167a8f78fce80c40
Instruction ID: 7b132bf464c1331de4ef7604e96d30102af62b83167fbe6d503d11ac05d98937
Opcode Fuzzy Hash: 490722ed36e1c82266166a1aa3f974a438b1e89a0d15280e167a8f78fce80c40
Instruction Fuzzy Hash: 00316A71F052B82DEB3196717C65BDA7B688B06304FA400DBD185D7242E67CEEC9CB19

Function 0041B0BA Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86windowCOMMON

Download Yara Rule

APIs

SetScrollPos.USER32(?,00000001,00000000,00000001), ref: 0041B147
InvalidateRect.USER32(?,00000000,00000001), ref: 0041B156
GetParent.USER32(?), ref: 0041B182
MessageBoxA.USER32(00000000), ref: 0041B189

Strings

This search word has been removed from the word index as it occurs too often. To change the maximum number of times a word may occur before being excluded, please change the Word Index Options from the Tools menu.Do you want to continue to display this mes, xrefs: 0041B177

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: InvalidateMessageParentRectScroll
String ID: This search word has been removed from the word index as it occurs too often. To change the maximum number of times a word may occur before being excluded, please change the Word Index Options from the Tools menu.Do you want to continue to display this mes
API String ID: 3753924916-6526060
Opcode ID: c5b533e08a99a8cdd13883f0ce2a30f2788cd0b11ed5f8d671d2a9c4ef37cc41
Instruction ID: 871e9e4237386e8684cf0c94619ba6d1c10a883b8185f15b3f5a638a4b736e62
Opcode Fuzzy Hash: c5b533e08a99a8cdd13883f0ce2a30f2788cd0b11ed5f8d671d2a9c4ef37cc41
Instruction Fuzzy Hash: 5F317EB1600B00AFD320DF69C995F97B7E9FF44344F10452EE65A8B252D775A881CF88

Function 00427F30 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 81COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?), ref: 00427F42
SetEvent.KERNEL32(?), ref: 00427F6A

Strings

Request complete, xrefs: 00427FF8, 00428001
Request error: %s, xrefs: 00427F7B, 00427F99

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Event
String ID: Request complete$Request error: %s
API String ID: 4201588131-138420935
Opcode ID: 6234f74e7a363fa1cce58f99c2c9f6955d76ffd992466065d3820db1c7bf4d96
Instruction ID: 6ffde28c8c95679ae0cac37d4c26fe16d675e27133ad217d308aed98d7097676
Opcode Fuzzy Hash: 6234f74e7a363fa1cce58f99c2c9f6955d76ffd992466065d3820db1c7bf4d96
Instruction Fuzzy Hash: 8121F472708321AFE7309F21ED41E2B77A9AB04704B41492FF64652601CB7DA919DBAD

Function 0040540C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 54windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(?), ref: 00405424
GetMenuItemInfoA.USER32(?,00000000,00000001,?), ref: 00405450
EnableMenuItem.USER32(?,00000000,00000000), ref: 0040547E
GetMenuItemCount.USER32(?), ref: 00405486

Strings

,, xrefs: 0040543D

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: ItemMenu$Count$EnableInfo
String ID: ,
API String ID: 4244199141-3772416878
Opcode ID: 5c2e6f996d36970e8ec0fa684d22adf4c0b72cffd54d56d261c74f601cb5ca54
Instruction ID: 58227d91f0725cda91b52bfa700d2be79e54fae318f84239a891035f91dc5beb
Opcode Fuzzy Hash: 5c2e6f996d36970e8ec0fa684d22adf4c0b72cffd54d56d261c74f601cb5ca54
Instruction Fuzzy Hash: C60156B1900218BAEB219BA5EC89FEFBB7DEB44315F00802AF941B61D1D7785945CF64

Function 00407CD9 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 53windowCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 00407D21
wsprintfA.USER32 ref: 00407D55
SendMessageA.USER32(?,00000401,00000000,?), ref: 00407D71

Part of subcall function 004038B4: LoadStringA.USER32(00407701,00000000,00000200,00000000), ref: 004038DD

Strings

%s %ld, xrefs: 00407D4F
%s %ld - %ld, xrefs: 00407D1B

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: wsprintf$LoadMessageSendString
String ID: %s %ld$%s %ld - %ld
API String ID: 313507221-4166707028
Opcode ID: 9ce26406aae3cb595b5e3fe27fe3713587030f59c8b9c208471260d48e0a05e3
Instruction ID: 4aa1de3b7c5e720e7c12917349fcd90aac329d66436535f4a4243da9e26a3aac
Opcode Fuzzy Hash: 9ce26406aae3cb595b5e3fe27fe3713587030f59c8b9c208471260d48e0a05e3
Instruction Fuzzy Hash: A211C272500204FBCB216F64EC46ED6BFE9EF48700F00846EF64AAA191D776B614DB58

Function 00428C70 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 42windowCOMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 00428C9C
MessageBoxA.USER32(00000000,Ole Error,Insufficient memory; please close some applications and try again.,00000000), ref: 00428CCF

Strings

Insufficient memory; please close some applications and try again., xrefs: 00428CC4
Ole Error, xrefs: 00428CC9
REOBJ%ld, xrefs: 00428C96

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Messagewsprintf
String ID: Insufficient memory; please close some applications and try again.$Ole Error$REOBJ%ld
API String ID: 300413163-3865698872
Opcode ID: 109a2f416d4cf34c41e0fbcf82035f3027729712c8d1d3bdca34c5ea01317dfe
Instruction ID: 0527986464426b545bcdab799aab75fb6e49748148f0b47826f90c9917b5e92f
Opcode Fuzzy Hash: 109a2f416d4cf34c41e0fbcf82035f3027729712c8d1d3bdca34c5ea01317dfe
Instruction Fuzzy Hash: 90018F75240300ABE320DB1AEC88EA7B7F8FBD8314F40445EE999C3261D774A854CB64

Function 00426AE6 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 32registryCOMMON

Download Yara Rule

APIs

LoadCursorA.USER32(00000000,00007F00), ref: 00426B14
GetSysColor.USER32(0000000F), ref: 00426B1F
CreateSolidBrush.GDI32(00000000), ref: 00426B26
RegisterClassA.USER32(?), ref: 00426B3D

Strings

TabbedDlgClass, xrefs: 00426B36

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: BrushClassColorCreateCursorLoadRegisterSolid
String ID: TabbedDlgClass
API String ID: 3559002682-3631343754
Opcode ID: 8ffa231feac20c56e14c6b5f9e1afc5eb121e4e48365991c3b9d6a267cca2877
Instruction ID: 65fd5bbe19038e99ccdd581eb2635e865a5c8bf64ba3aa3307c647255ba1ad43
Opcode Fuzzy Hash: 8ffa231feac20c56e14c6b5f9e1afc5eb121e4e48365991c3b9d6a267cca2877
Instruction Fuzzy Hash: 93F0CFB1C15329ABDB10DFE8A8496DEBFF8FB09704F10506AE641E6250D7B85640CBE8

Function 0042E7F8 Relevance: 7.8, APIs: 3, Strings: 2, Instructions: 251COMMON

Download Yara Rule

APIs

IsBadWritePtr.KERNEL32(?,?,000000FE,00000000), ref: 0042E816
IsBadWritePtr.KERNEL32(?,000041C4,?,000000FE,00000000), ref: 0042E84F
IsBadWritePtr.KERNEL32(00008000,00008000,?,000000FE,00000000), ref: 0042E8AF

Strings

, xrefs: 0042EAAF
@, xrefs: 0042EA6F

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Write
String ID: $@
API String ID: 3165279579-1077428164
Opcode ID: 1da079d3a1439e717fdd2323ae867b5f0dea250080b5103358dd48ec0298fb12
Instruction ID: dc29893b2a40b23f46556d86006aa0a2fb94c1e98d2e2b03048c3a86d90de781
Opcode Fuzzy Hash: 1da079d3a1439e717fdd2323ae867b5f0dea250080b5103358dd48ec0298fb12
Instruction Fuzzy Hash: 4FA18E30A00135DBCF24CF5AE880AAEB7B0FF45324FB4426BD422A76D1D778A941DB59

Function 0041EEA5 Relevance: 7.7, APIs: 5, Instructions: 184COMMON

Download Yara Rule

APIs

SelectObject.GDI32(?,?), ref: 0041EEF7
GetTextMetricsA.GDI32(?,?), ref: 0041EF0A
SetRect.USER32(?,00000000,00000000,?,00000000), ref: 0041EFFB
SelectObject.GDI32(?,?), ref: 0041F00D

Part of subcall function 00416935: GetTickCount.KERNEL32 ref: 00416943
Part of subcall function 00416935: GetTickCount.KERNEL32 ref: 00416952
Part of subcall function 00416935: PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 0041696A
Part of subcall function 00416935: TranslateMessage.USER32(?), ref: 00416974
Part of subcall function 00416935: DispatchMessageA.USER32(?), ref: 0041697E

Part of subcall function 004168F2: GetWindowLongA.USER32(000005DC,00000008), ref: 004168FB
Part of subcall function 004168F2: IsWindowVisible.USER32(000005DC), ref: 00416904
Part of subcall function 004168F2: ShowWindow.USER32(000005DC,00000005), ref: 00416911
Part of subcall function 004168F2: UpdateWindow.USER32(000005DC), ref: 00416918

SelectObject.GDI32(?,?), ref: 0041F0FB

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Window$MessageObjectSelect$CountTick$DispatchLongMetricsPeekRectShowTextTranslateUpdateVisible
String ID:
API String ID: 2014783612-0
Opcode ID: 36d150f792549bae6722f0334d22410c953fbbcce7c589b41c3896a34bb21e54
Instruction ID: 3005a5977370229453aaaa79a391a5f354bea0a2158c22c0906aa3fc51d4c6d4
Opcode Fuzzy Hash: 36d150f792549bae6722f0334d22410c953fbbcce7c589b41c3896a34bb21e54
Instruction Fuzzy Hash: A3714AB5A01704DFCB24DFA5C880AEAB7F5FF48309F10442EE66A97252D735AD46CB08

Function 0042FDDC Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetStartupInfoA.KERNEL32(?), ref: 0042FE35
GetFileType.KERNEL32(00000800), ref: 0042FEDB
GetStdHandle.KERNEL32(-000000F6), ref: 0042FF34
GetFileType.KERNEL32(00000000), ref: 0042FF42
SetHandleCount.KERNEL32 ref: 0042FF79

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: FileHandleType$CountInfoStartup
String ID:
API String ID: 1710529072-0
Opcode ID: 5da3ccb0497b1f05a5e7f24cd6d758ae18ebea4f3d17a78032750b47108dc95b
Instruction ID: 703c2a037f5767a463947d6c42d64da21c76c0a220f8f181bdcb0c6cde41eb3b
Opcode Fuzzy Hash: 5da3ccb0497b1f05a5e7f24cd6d758ae18ebea4f3d17a78032750b47108dc95b
Instruction Fuzzy Hash: A85106717082214BD7219B28ED4475A37B0EB13328FD6467FE9A6C73E1DB289849C70D

Function 0041CDB1 Relevance: 7.6, APIs: 5, Instructions: 137COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 0041CDCC
SelectObject.GDI32(00000000,?), ref: 0041CDD9
GetTextMetricsA.GDI32(?,?), ref: 0041CDE9
SelectObject.GDI32(?,?), ref: 0041CF15
ReleaseDC.USER32(?,?), ref: 0041CF21

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: ObjectSelect$MetricsReleaseText
String ID:
API String ID: 594571999-0
Opcode ID: 5519dc83b351f8fa950d3875bd6b5c6162ce3224d617b618a2e2a396c763dee6
Instruction ID: 975f6d8a183f669b4aa259a088fa31accd30836f8230add46a915a1b0cbd0a26
Opcode Fuzzy Hash: 5519dc83b351f8fa950d3875bd6b5c6162ce3224d617b618a2e2a396c763dee6
Instruction Fuzzy Hash: CD516A75900209EFCB14CFA4CC849FEBBB9FF08305B14846AE552A7210D738E985DB64

Function 0041B1C3 Relevance: 7.6, APIs: 5, Instructions: 91COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 0041B1CC
CharUpperA.USER32(?), ref: 0041B201
SetScrollPos.USER32(?,00000001,?,00000001), ref: 0041B2E3
InvalidateRect.USER32(?,00000000,00000001), ref: 0041B2EF
GetTickCount.KERNEL32 ref: 0041B2F5

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: CountTick$CharInvalidateRectScrollUpper
String ID:
API String ID: 3182909612-0
Opcode ID: 67e334d520b1fd968d903632f619050dc62da8891c6bd9572266bc0bc0cc8779
Instruction ID: 9fc53ec2ec032cd1f8e2e68bb83236cde7ea095514facf1045369165a5fd5760
Opcode Fuzzy Hash: 67e334d520b1fd968d903632f619050dc62da8891c6bd9572266bc0bc0cc8779
Instruction Fuzzy Hash: 9241F3B11047009FD724DF64C8D5BEABBE4EF05304F14889DE69A4B292C7B5B889CB9D

Function 00415DEC Relevance: 7.6, APIs: 5, Instructions: 72COMMON

Download Yara Rule

APIs

GetScrollPos.USER32(?,00000001), ref: 00415DFC
GetClientRect.USER32(?,?), ref: 00415E0D

Part of subcall function 00414C05: GetWindowRect.USER32(?,?), ref: 00414C1A

ScrollWindow.USER32(?,00000000,00000000,00000000,00000000), ref: 00415E75
SetScrollPos.USER32(?,00000001,-00000010,00000001), ref: 00415E83
UpdateWindow.USER32(?), ref: 00415E8F

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: ScrollWindow$Rect$ClientUpdate
String ID:
API String ID: 1812947832-0
Opcode ID: 93d1a5eacccbe883448f3555586056b0889ffd681a98ea1aadfcb5608ff3670a
Instruction ID: 669c8a6444262e66e85e6436e6c486005bf9b38a7aec43b6698f8fc0cb666f0d
Opcode Fuzzy Hash: 93d1a5eacccbe883448f3555586056b0889ffd681a98ea1aadfcb5608ff3670a
Instruction Fuzzy Hash: 3D218075910704DFCB349F15DC88AEB77B6EBC1700B15092AE442D7260C774AE85DB08

Function 00415E9C Relevance: 7.6, APIs: 5, Instructions: 72COMMON

Download Yara Rule

APIs

GetScrollPos.USER32(?,00000000), ref: 00415EAF
GetClientRect.USER32(?,?), ref: 00415EC3

Part of subcall function 00414C05: GetWindowRect.USER32(?,?), ref: 00414C1A

ScrollWindow.USER32(?,00000000,00000000,00000000,00000000), ref: 00415F34
SetScrollPos.USER32(?,00000000,-00000020,00000001), ref: 00415F45
UpdateWindow.USER32(?), ref: 00415F57

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: ScrollWindow$Rect$ClientUpdate
String ID:
API String ID: 1812947832-0
Opcode ID: 8e2fbcee164c5a476c0bc200fcaf5d4a199e4a8f161430c41062834c50266952
Instruction ID: 0c8b2e79401afe263e314f66fdf62d1e49b129eea78a95152b57f3c0b34a1276
Opcode Fuzzy Hash: 8e2fbcee164c5a476c0bc200fcaf5d4a199e4a8f161430c41062834c50266952
Instruction Fuzzy Hash: 29216271510504EBCB34AB65CC88AEBBBA6EBC4300F55052AF55697260CB75BC83DB58

Function 0041B557 Relevance: 7.6, APIs: 5, Instructions: 70COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 0041B565
GetClientRect.USER32(?,?), ref: 0041B575
InvertRect.USER32(?,?), ref: 0041B5E8
SetCapture.USER32(?,?,?,?,?,0041B540,?,00000000), ref: 0041B5FD
ReleaseDC.USER32(?,?), ref: 0041B609

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Rect$CaptureClientInvertRelease
String ID:
API String ID: 2533136114-0
Opcode ID: 67839a25e47fd6e1a2cc5c7060136e4e52d91bf9b0bbaa399472bf125653e250
Instruction ID: dc6698103d554749a98bd19b981c89d0ac71983240f7df524aa4c069c22cf8d2
Opcode Fuzzy Hash: 67839a25e47fd6e1a2cc5c7060136e4e52d91bf9b0bbaa399472bf125653e250
Instruction Fuzzy Hash: FF215E71A00108EFCF11CF95CD85AEEBFB9FF58301F10442AE546A3250C735AA91DB95

Function 004240F9 Relevance: 7.6, APIs: 5, Instructions: 61stringCOMMON

Download Yara Rule

APIs

GlobalLock.KERNEL32(?,00000000,?,00000008,?,?,004232FE,?,?,00000008,00000000,00000001,00000001,?,?,00000008), ref: 0042410A
lstrcpyA.KERNEL32(?,?,?,004232FE,?,?,00000008,00000000,00000001,00000001,?,?,00000008,?,?,?), ref: 0042412C
DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,0000000A,?,004232FE,?,?,00000008,00000000,00000001,00000001,?,?), ref: 0042417F
GetLastError.KERNEL32 ref: 00424192
GlobalUnlock.KERNEL32(?,00000000,?,?,00000000,00000000,0000000A,?,004232FE,?,?,00000008,00000000,00000001,00000001,?), ref: 004241A1

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Global$DocumentErrorLastLockPropertiesUnlocklstrcpy
String ID:
API String ID: 482598960-0
Opcode ID: 22ea0df652300f1482029cfa82083d5aa34b9fa3d4d63a70f8e3cef7bd4d11b9
Instruction ID: c4aab669fe007fa971c5d80287ce1056da7e323ea3f9f315bd49283787479663
Opcode Fuzzy Hash: 22ea0df652300f1482029cfa82083d5aa34b9fa3d4d63a70f8e3cef7bd4d11b9
Instruction Fuzzy Hash: 4821D530604715EFDB209F21EC885EBBBF4FF19354F40052EE85A86320D375A9A0DB59

Function 0041B9B3 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 0041B9C5
GetScrollInfo.USER32(?,00000001,?), ref: 0041BA01
SetScrollPos.USER32(?,00000001,?,00000001), ref: 0041BA13
InvalidateRect.USER32(?,00000000,00000001), ref: 0041BA1E
UpdateWindow.USER32(?), ref: 0041BA46

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: RectScroll$ClientInfoInvalidateUpdateWindow
String ID:
API String ID: 751044016-0
Opcode ID: 091c0de188a980d88e5e1c1ffd4bc34089ebe343b4681242d05f925591a9791d
Instruction ID: 10c97e6ca61d69f651588b254712ce8641425e1120294250f611c643c60af9d7
Opcode Fuzzy Hash: 091c0de188a980d88e5e1c1ffd4bc34089ebe343b4681242d05f925591a9791d
Instruction Fuzzy Hash: 98119471504208ABDB209B95CC89FFEB7BCEF45740F14041BF942E21A0C3B49885D6A9

Function 0041A2BD Relevance: 7.6, APIs: 5, Instructions: 54windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageA.USER32(?,00001A4D,00000147,00000000,00000000), ref: 0041A2D4

Part of subcall function 0041A1BD: wsprintfA.USER32 ref: 0041A1CF
Part of subcall function 0041A1BD: lstrlenA.KERNEL32(00446E60,0043F624,0041A94A,0043F624), ref: 0041A1D9

SetDlgItemTextA.USER32(?,00001A49,00000000), ref: 0041A30A
SetDlgItemTextA.USER32(?,00001A4B,00000000), ref: 0041A320
SetDlgItemTextA.USER32(?,00001A4A,00000000), ref: 0041A336
SetDlgItemTextA.USER32(?,00001A4C,00000000), ref: 0041A34C

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Item$Text$MessageSendlstrlenwsprintf
String ID:
API String ID: 3689792990-0
Opcode ID: 887371cced08f62526b3303bd6f9a88a7368fdc3e44bc397fdfb2f509badb58d
Instruction ID: 21b6e28aebfca2034b593c26436563f5902b3cd71a46aa76b11147f2cb778093
Opcode Fuzzy Hash: 887371cced08f62526b3303bd6f9a88a7368fdc3e44bc397fdfb2f509badb58d
Instruction Fuzzy Hash: 2D01DF353022087FE6102B619C01FEB766DDBE5755F04183EFE1B95193CAA4A828962E

Function 00416DD6 Relevance: 7.5, APIs: 5, Instructions: 46COMMON

Download Yara Rule

APIs

GetParent.USER32(00000001), ref: 00416DE1
GetWindowRect.USER32(00000001,?), ref: 00416DF0
ScreenToClient.USER32(00000000,?), ref: 00416E01
ScreenToClient.USER32(00000000,00000001), ref: 00416E08
MoveWindow.USER32(00000001,00000000,?,?,?,?,00000000,00000001,?,004042B0,?,?,(uC), ref: 00416E41

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: ClientScreenWindow$MoveParentRect
String ID:
API String ID: 3734752182-0
Opcode ID: f0f4062d4230a2ad4bf4f58996ad8f74054dabfa2d44ce57514d8cfb116f761a
Instruction ID: 0571ce558f13d2804022fa109ee18c25e1cb910e4fa7e689fe10381004552c47
Opcode Fuzzy Hash: f0f4062d4230a2ad4bf4f58996ad8f74054dabfa2d44ce57514d8cfb116f761a
Instruction Fuzzy Hash: CC01C576900119AFCF12DFA4DD84CFE7B79EB44350B008169FD55A2210DB30EA91DB94

Function 00416935 Relevance: 7.5, APIs: 5, Instructions: 41windowCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00416943
GetTickCount.KERNEL32 ref: 00416952
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 0041696A
TranslateMessage.USER32(?), ref: 00416974
DispatchMessageA.USER32(?), ref: 0041697E

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Message$CountTick$DispatchPeekTranslate
String ID:
API String ID: 3906477200-0
Opcode ID: 715725a5e2a00f58d11943aa8f9feded5b2da4945ff0e1835035d53a1e1b1479
Instruction ID: 8fbe111464f2179caf08aab183c9ce3f86923adbe6342992b87378ed7f00ea1c
Opcode Fuzzy Hash: 715725a5e2a00f58d11943aa8f9feded5b2da4945ff0e1835035d53a1e1b1479
Instruction Fuzzy Hash: 64F068B6D0014967CB20ABA9DC44DEB7BBCDBCAB44B010076F501D3140D6649441CB75

Function 00416993 Relevance: 7.5, APIs: 5, Instructions: 40COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(00000064,00000000), ref: 0041699F
GetTickCount.KERNEL32 ref: 004169B8
GetDC.USER32(00000064), ref: 004169CE
ReleaseDC.USER32(00000064,00000064), ref: 004169E6
GetTickCount.KERNEL32 ref: 004169EC

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: CountTick$LongReleaseWindow
String ID:
API String ID: 2380013091-0
Opcode ID: 41814ebd65ae273d5d1d7698818d16784145e0062ec50c3e8b35a219e9755fbe
Instruction ID: c8d24ebaa5c68e1728fc9d6194d1fabac0d679b87cffd82d71835c58b3b724a2
Opcode Fuzzy Hash: 41814ebd65ae273d5d1d7698818d16784145e0062ec50c3e8b35a219e9755fbe
Instruction Fuzzy Hash: A9F031F5500304ABDB20AF6AEC84A8ABFECEF45750F11443AF94983211D674D450CBA5

Function 00407F2B Relevance: 7.5, APIs: 5, Instructions: 38COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00407F3B
GetCursorPos.USER32(?), ref: 00407F45
ScreenToClient.USER32(?,?), ref: 00407F52
LoadCursorA.USER32(000002A7), ref: 00407F7C
SetCursor.USER32(00000000), ref: 00407F83

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Cursor$Client$LoadRectScreen
String ID:
API String ID: 1568396109-0
Opcode ID: db1611ba18ab63012f3ec215fd2fe3b404e89440ce6b0e64597a1769308252d6
Instruction ID: 620268515b04a240cb50067140649e6ed8c76cd0a5a8b2a486db92f5125087b8
Opcode Fuzzy Hash: db1611ba18ab63012f3ec215fd2fe3b404e89440ce6b0e64597a1769308252d6
Instruction Fuzzy Hash: D9F0A47190820AAFDF209FA4DC49DAE7FB8EB04340F00043AFD82D21A0D774B985DB59

Function 0041B61D Relevance: 7.5, APIs: 5, Instructions: 35COMMON

Download Yara Rule

APIs

GetCapture.USER32 ref: 0041B624
ReleaseCapture.USER32 ref: 0041B63E
GetDC.USER32(?), ref: 0041B653
InvertRect.USER32(00000000,?), ref: 0041B663
ReleaseDC.USER32(?,00000000), ref: 0041B66D

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: CaptureRelease$InvertRect
String ID:
API String ID: 713726679-0
Opcode ID: 81158b9b33d3bebefcdec4bcd6f70b9ca3b4e8bb6960d1d575bae356dd96afa8
Instruction ID: af55e6c05506e798bdf119320d1e2210c298f9ea1317a9c23646b005ba3bfedf
Opcode Fuzzy Hash: 81158b9b33d3bebefcdec4bcd6f70b9ca3b4e8bb6960d1d575bae356dd96afa8
Instruction Fuzzy Hash: A4013C72100204EFDB216F64DC48BDB7FB9FF94352F014436FA9A86160C775A8A1DBA9

Function 0041CC69 Relevance: 7.5, APIs: 5, Instructions: 31COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 0041CC77
SelectObject.GDI32(00000000,?), ref: 0041CC89
GetTextMetricsA.GDI32(00000000,?), ref: 0041CC93
SelectObject.GDI32(00000000,?), ref: 0041CC9D
ReleaseDC.USER32(?,00000000), ref: 0041CCA3

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: ObjectSelect$MetricsReleaseText
String ID:
API String ID: 594571999-0
Opcode ID: 37dc436d79dacc18c0030932d9c8fe4ab35892c8534859dbf33054b510f93ff8
Instruction ID: 4d7b4660606bd293678217ccec182035eafa26ab82b0441788c31994fb15f271
Opcode Fuzzy Hash: 37dc436d79dacc18c0030932d9c8fe4ab35892c8534859dbf33054b510f93ff8
Instruction Fuzzy Hash: E0F030B6500208FFD7217BA5EC48C9FBBBCEB482107005426F94292131DA71AC109BA0

Function 0041CC21 Relevance: 7.5, APIs: 5, Instructions: 31COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 0041CC2F
SelectObject.GDI32(00000000,?), ref: 0041CC41
GetTextMetricsA.GDI32(00000000,?), ref: 0041CC4B
SelectObject.GDI32(00000000,?), ref: 0041CC55
ReleaseDC.USER32(?,00000000), ref: 0041CC5B

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: ObjectSelect$MetricsReleaseText
String ID:
API String ID: 594571999-0
Opcode ID: 0e5632f3cd1e1461ad46a7d6d8fb9c982390fa2edb5f0bccee32ea8e0360df99
Instruction ID: f51f71b1a1878cae766f95fd9a5462c2137bf5133350017aa29d18d3136a6b13
Opcode Fuzzy Hash: 0e5632f3cd1e1461ad46a7d6d8fb9c982390fa2edb5f0bccee32ea8e0360df99
Instruction Fuzzy Hash: 2BF030B6500208FFD7216BA5EC48C9FBFBCEB482117005426F94292131D671AC109BA0

Function 0042343E Relevance: 7.5, APIs: 5, Instructions: 27COMMON

Download Yara Rule

APIs

StartPage.GDI32(?), ref: 00423448
SetBkColor.GDI32(?,00FFFFFF), ref: 0042345F
SetBkColor.GDI32(?,00000000), ref: 00423468
MoveToEx.GDI32(?,00000200,00000200,00000000), ref: 00423479
EndPage.GDI32(?), ref: 00423485

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: ColorPage$MoveStart
String ID:
API String ID: 2096235825-0
Opcode ID: 20b5033b6b8da68d898e2be0f1e098173c0918df9eadbd8cdde2866633792f6c
Instruction ID: 76de670a0012077283748a0d59a49e52cb7bcdf21a08323467bfcede0826ed24
Opcode Fuzzy Hash: 20b5033b6b8da68d898e2be0f1e098173c0918df9eadbd8cdde2866633792f6c
Instruction Fuzzy Hash: 4DE0C97210C600AFE6651B24EC09FA77AA9EF54710F111539B4D6911B0CBA16C929A24

Function 00422C94 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,00000008), ref: 00422CA1
SetWindowLongA.USER32(?,00000008,?), ref: 00422CC6
GetParent.USER32(?), ref: 00422CD9

Strings

N, xrefs: 00422CAB

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: LongWindow$Parent
String ID: N
API String ID: 2125864951-1130791706
Opcode ID: 9b7151e988b64b4339b61311ef701fa407057bf56029a1c6396ad462aefc058f
Instruction ID: 2ffb463d1776111d9875e0240fd9c377ca74bbdb7284981a00feef463ca4c86f
Opcode Fuzzy Hash: 9b7151e988b64b4339b61311ef701fa407057bf56029a1c6396ad462aefc058f
Instruction Fuzzy Hash: 69117C71600628BBDB318F15E988B9B7BA8FB04751F44841AFD4A9B251C7B8ED40DB94

Function 0042F6B8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00200020,?,00000000,?,00432C63,00200020,00000000,?,00000000), ref: 0042F6DB
LCMapStringW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,?,00432C63,00200020,00000000,?,00000000), ref: 0042F6F1
LCMapStringW.KERNEL32(?,?,?,00000000,c,C ,?,?,00432C63,00200020,00000000,?,00000000), ref: 0042F724
LCMapStringW.KERNEL32(00000000,?,?,?,?,00000000,?,00432C63,00200020,00000000,?,00000000), ref: 0042F78C
WideCharToMultiByte.KERNEL32(?,00000220,?,00000000,c,C ,?,00000000,00000000,?,00000000,?,00432C63,00200020,00000000,?,00000000), ref: 0042F7B1

Strings

c,C , xrefs: 0042F717

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: String$ByteCharMultiWide
String ID: c,C
API String ID: 352835431-3652846715
Opcode ID: e61f7b5103acbecda6d6254afaeb23f390ee5ee54899d3d0372ccbe242b624dd
Instruction ID: c5b2a1f46514825fb93fdc45a3643c8560d263da5f745636826c2dd06ddc9c3d
Opcode Fuzzy Hash: e61f7b5103acbecda6d6254afaeb23f390ee5ee54899d3d0372ccbe242b624dd
Instruction Fuzzy Hash: 92113A72A00259AFDF228F94DC40ADEBBB5FF98750F908176F91062260D3368D61DB54

Function 00425DE6 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 51stringCOMMON

Download Yara Rule

APIs

GetClassNameA.USER32(?,?,00000040), ref: 00425E09
lstrcmpiA.KERNEL32(?,combobox), ref: 00425E18
GetWindow.USER32(?,00000005), ref: 00425E2D

Strings

combobox, xrefs: 00425E12

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: ClassNameWindowlstrcmpi
String ID: combobox
API String ID: 2460297613-2240613097
Opcode ID: 5482d824fc8d329272cef8a06ee342c7f9f28c9ee11aa213b624d2364718d67b
Instruction ID: 621db261f690b15350a4632fdf9547774396562b3ad4afc61c4f8a5eec44cbf7
Opcode Fuzzy Hash: 5482d824fc8d329272cef8a06ee342c7f9f28c9ee11aa213b624d2364718d67b
Instruction Fuzzy Hash: 2501F272300619BBDF111FA1EC05FAF3B69EB04B90F50403AFA04E61A0EB74DD129768

Function 00425BB0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000014), ref: 00425BD0
CreateSolidBrush.GDI32(00000000), ref: 00425BD7
CreateWindowExA.USER32(00000001,TabbedDlgClass,?,80C00000,80000000,80000000,?,?,?,00000000), ref: 00425C08

Strings

TabbedDlgClass, xrefs: 00425C01

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Create$BrushColorSolidWindow
String ID: TabbedDlgClass
API String ID: 2570879405-3631343754
Opcode ID: 16926ab2eb5ec05fd82db0727e527f6d13e9d74526d0833369748d92895b5b6d
Instruction ID: 0bb6b69ba55f25be0fcc03d38b2d76a2f61fdeae5b13e472af7fbd9b2abd131a
Opcode Fuzzy Hash: 16926ab2eb5ec05fd82db0727e527f6d13e9d74526d0833369748d92895b5b6d
Instruction Fuzzy Hash: 2301C971554319AFDB20CFA8DC05FA67BE8EB08710F10452AFE49D3260D275E820DF94

Function 00414B0D Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 28registryCOMMON

Download Yara Rule

APIs

LoadCursorA.USER32(00000000,00007F00), ref: 00414B3B
RegisterClassA.USER32(qz@fKA), ref: 00414B55

Strings

PNX_TranscriptWnd, xrefs: 00414B4E
qz@fKA, xrefs: 00414B44, 00414B47

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: ClassCursorLoadRegister
String ID: PNX_TranscriptWnd$qz@fKA
API String ID: 1693014935-3453033467
Opcode ID: b8f4038930ebc05fe2965593c682fadc1711561bbd26b710e65931dc8c4fda5c
Instruction ID: de990219f99df7f7ece95121f8cbac417a8621d6143be8d071ebc6989b62e700
Opcode Fuzzy Hash: b8f4038930ebc05fe2965593c682fadc1711561bbd26b710e65931dc8c4fda5c
Instruction Fuzzy Hash: FCF0AFB5C15229DBCB10DFA8D9456CEBFF8EB09B04F10516BE504F6240D7B456848BE9

Function 004242A6 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 26stringCOMMON

Download Yara Rule

APIs

lstrcatA.KERNEL32(?,?,?,?,00000008,0042427D,?,00000001,?,00424306,00000000,00000000,?,00423395,?,?), ref: 004242BC
lstrcatA.KERNEL32(?,Windows error code: ,?,00424306,00000000,00000000,?,00423395,?,?,?,00000008,?), ref: 004242CB
lstrlenA.KERNEL32(?,0000000A,?,00424306,00000000,00000000,?,00423395,?,?,?,00000008,?), ref: 004242D0

Strings

Windows error code: , xrefs: 004242C5

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: lstrcat$lstrlen
String ID: Windows error code:
API String ID: 751011610-3697394911
Opcode ID: 0a9e0f501f048f06eb65386b53278d52b59c51f7e23a3189e32ddf4f83c46d45
Instruction ID: c7bb4688f96a5061ae0addde15ffe38261bff1b6fe1b60a75a99faa0b234e3eb
Opcode Fuzzy Hash: 0a9e0f501f048f06eb65386b53278d52b59c51f7e23a3189e32ddf4f83c46d45
Instruction Fuzzy Hash: 0AE0DFB3700211BBC2046B25EC85F9BFBACFB88311F042037B64892121C6B49C69CBB4

Function 0041677F Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 25registryCOMMON

Download Yara Rule

APIs

LoadCursorA.USER32(00000000,00007F00), ref: 004167B1
RegisterClassA.USER32(00000002), ref: 004167CB

Strings

ProgressBar, xrefs: 004167C4
(uC, xrefs: 0041678A

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: ClassCursorLoadRegister
String ID: (uC$ProgressBar
API String ID: 1693014935-1662027708
Opcode ID: 8141c612ce0d5c60d43fe1cc2fe69b423793b1d40a26dfb3986882cf415d8018
Instruction ID: 034a3afac2126aa664130e73771cd3289d2264896ee1eb1ef7417487947ffc31
Opcode Fuzzy Hash: 8141c612ce0d5c60d43fe1cc2fe69b423793b1d40a26dfb3986882cf415d8018
Instruction Fuzzy Hash: 49F0BCB1C05229EBCB00DF98D8496CEBFF8FB08744F10506AE900B2240D7B856448BE8

Function 00401E94 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,?,00401457), ref: 00401E9D
ShellExecuteA.SHELL32(00000000,open,http://www.deposchedule.com/,00000000,0043C374,00000001), ref: 00401EC5

Strings

http://www.deposchedule.com/, xrefs: 00401EAB, 00401EB9
open, xrefs: 00401EBA

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: ExecuteShelllstrlen
String ID: http://www.deposchedule.com/$open
API String ID: 1628651668-799183738
Opcode ID: b3b47b697cd3a05b2383ca654c480d40e71ce4d46212b2e366fc1ea5cbd19d53
Instruction ID: d259d123ed050f84532244bbb6f58b2b21fefd5cd4dd938fef8223467b9b1d26
Opcode Fuzzy Hash: b3b47b697cd3a05b2383ca654c480d40e71ce4d46212b2e366fc1ea5cbd19d53
Instruction Fuzzy Hash: 80D0C272684210E6CB301B20AC89F873A38EB04700F289076BE857B0E0C77928028BDC

Function 00426355 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 17COMMON

Download Yara Rule

APIs

GetPropA.USER32(?,DlgKeyProc), ref: 00426362
SetWindowLongA.USER32(?,000000FC,00000000), ref: 0042636C
RemovePropA.USER32(?,DlgKeyProc), ref: 00426374

Strings

DlgKeyProc, xrefs: 0042635B, 00426360, 00426372

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Prop$LongRemoveWindow
String ID: DlgKeyProc
API String ID: 885655055-1425268092
Opcode ID: 05ee0ce747bcb84407b96ed04081cb7dd1474aa77133f292282785ff6c54bc2e
Instruction ID: 51c32840301955affd671738950f6c21bc78bade3d07fe3e5ef599b4a2a05286
Opcode Fuzzy Hash: 05ee0ce747bcb84407b96ed04081cb7dd1474aa77133f292282785ff6c54bc2e
Instruction Fuzzy Hash: F6D09E724090207B522127156C4CCFBBE6CEBDA671715513AFD659216147340402E6B5

Function 00426328 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000FC), ref: 00426330
SetPropA.USER32(?,DlgKeyProc,00000000), ref: 0042633D
SetWindowLongA.USER32(?,000000FC,00426B88), ref: 0042634B

Strings

DlgKeyProc, xrefs: 00426337

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: LongWindow$Prop
String ID: DlgKeyProc
API String ID: 3887896539-1425268092
Opcode ID: 22809898a74e0fe9383831316b87c98de6398bec4427845230b2e1b3694a522f
Instruction ID: 04972f3a64738cd9a171c6ba687a3189d121bcf821375486c80e7262d4d132a0
Opcode Fuzzy Hash: 22809898a74e0fe9383831316b87c98de6398bec4427845230b2e1b3694a522f
Instruction Fuzzy Hash: DED0A9B200D230BB8B012708BC49CCB3E18BF1A3313301322FD70E20E18B280601D7AD

Function 0042D518 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 13libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KERNEL32,00429CE3), ref: 0042D51D
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 0042D52D

Strings

IsProcessorFeaturePresent, xrefs: 0042D527
KERNEL32, xrefs: 0042D518

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: 058eadd32f4a7db39e70fcbc685d299ebdacbc8ed1a10c18168a73f972ab75c0
Instruction ID: 97c2c2343ede4369e55c278104297889b575af7b7d6de1f489e9307a0882a427
Opcode Fuzzy Hash: 058eadd32f4a7db39e70fcbc685d299ebdacbc8ed1a10c18168a73f972ab75c0
Instruction Fuzzy Hash: 1BC0806074C31571D97037703C09F2754041B24B05F9454D7F141D11C1DFECC140D42D

Function 0042A880 Relevance: 6.5, APIs: 5, Instructions: 246COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9191e8095f8831d3192f83fa9bdb35ab9725863355b3a4c4ebdc7c5819361fff
Instruction ID: c95a3c44c532febd16219e603f0e4d654eeb3d3d0d4ceed3168a2bac8a069224
Opcode Fuzzy Hash: 9191e8095f8831d3192f83fa9bdb35ab9725863355b3a4c4ebdc7c5819361fff
Instruction Fuzzy Hash: 1E7139727001306BDF226B16BC44BAF3A25DF417A0F920527FD14962A1DB38DDA1D29E

Function 0042EB27 Relevance: 6.4, APIs: 5, Instructions: 102memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(00000000,00002020,?,00000000,?,?,0042DC9A), ref: 0042EB48
VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004,?,00000000,?,?,0042DC9A), ref: 0042EB6C
VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,?,00000000,?,?,0042DC9A), ref: 0042EB86
VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000,?,?,0042DC9A), ref: 0042EC47
HeapFree.KERNEL32(00000000,00000000,?,00000000,?,?,0042DC9A), ref: 0042EC5E

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: AllocVirtual$FreeHeap
String ID:
API String ID: 714016831-0
Opcode ID: b848a6c77285f5c6017ec850d881bf955fa94859d176076bc5b7d67688ae9323
Instruction ID: 4e08a13471882751b05b7563ecaad4ad76ce1778a2e1229ecdadb8ccaad2fcfc
Opcode Fuzzy Hash: b848a6c77285f5c6017ec850d881bf955fa94859d176076bc5b7d67688ae9323
Instruction Fuzzy Hash: 6B3102B56407119FD330DF27EC84B22BBA0EB45754F50863AE1569B3E0E778A885CB4C

Function 004301F4 Relevance: 6.2, APIs: 4, Instructions: 174fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000100,00000000), ref: 00430278
GetLastError.KERNEL32 ref: 00430282
ReadFile.KERNEL32(?,?,00000001,00000000,00000000), ref: 00430349
GetLastError.KERNEL32 ref: 00430353

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: ErrorFileLastRead
String ID:
API String ID: 1948546556-0
Opcode ID: 006669eeaf75c50b19faa1485a4d86a0f53f7bf73c88224692be698c6d0c02b6
Instruction ID: 4c9ce5c587be144a59c9d8b7ca449599c948ef8846e96ee40e1e0626ba4ce3e7
Opcode Fuzzy Hash: 006669eeaf75c50b19faa1485a4d86a0f53f7bf73c88224692be698c6d0c02b6
Instruction Fuzzy Hash: 8361F531604385DFDF21CF58C8A47AE7BB4AF0A314F24629BE89197351D778D946CB0A

Function 00401000 Relevance: 6.1, APIs: 4, Instructions: 136windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,00000010,00000000,00000000), ref: 00401045
GetClientRect.USER32(?,?), ref: 004011FD
GetClientRect.USER32(?,?), ref: 00401287
IsWindowVisible.USER32(?), ref: 004013AB

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: ClientRect$MessageSendVisibleWindow
String ID:
API String ID: 3528201328-0
Opcode ID: 83b80ba348b00430c23148385cc4e5e52a9813e2dd1e56a89df8f346e98f0b70
Instruction ID: 85a8ecc3eb2f6b465dbaba8823b934b483dc43d96b9d3474dd87edbb7a990713
Opcode Fuzzy Hash: 83b80ba348b00430c23148385cc4e5e52a9813e2dd1e56a89df8f346e98f0b70
Instruction Fuzzy Hash: 5F519271204604DBD714AB30D851FEA77E6AF45704F10453AF69BAB2F1CB38A846DF8A

Function 0041F7EC Relevance: 6.1, APIs: 4, Instructions: 112stringCOMMON

Download Yara Rule

APIs

__ftol.LIBCMT ref: 0041F8FD
__ftol.LIBCMT ref: 0041F938
lstrlenA.KERNEL32(?), ref: 0041F942
TextOutA.GDI32(?,00000000,00000000,?,00000000), ref: 0041F954

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: __ftol$Textlstrlen
String ID:
API String ID: 1499030138-0
Opcode ID: 9195b4cb23bbcea9cf6befa518348e7b99a9ac0e40a60708bae89517d051c6fa
Instruction ID: 00a82c068d46f2b05bfebc6dfafc3ef39639c18f423a2babf9a02b0cd413f3cf
Opcode Fuzzy Hash: 9195b4cb23bbcea9cf6befa518348e7b99a9ac0e40a60708bae89517d051c6fa
Instruction Fuzzy Hash: E7414BB1100606DFCB24DF25C985AEBBBF5FF54318F01483EE65E96261C734A895CB58

Function 0042505C Relevance: 6.1, APIs: 4, Instructions: 91COMMON

Download Yara Rule

APIs

GetStockObject.GDI32(00000004), ref: 00425080

Part of subcall function 0042460F: GetDeviceCaps.GDI32(?,00000058), ref: 00424638
Part of subcall function 0042460F: GetDeviceCaps.GDI32(?,00000058), ref: 00424642
Part of subcall function 0042460F: GetDeviceCaps.GDI32(?,0000005A), ref: 0042464A
Part of subcall function 0042460F: GetDeviceCaps.GDI32(?,0000005A), ref: 00424654
Part of subcall function 0042460F: __ftol.LIBCMT ref: 00424679
Part of subcall function 0042460F: __ftol.LIBCMT ref: 0042468F
Part of subcall function 0042460F: __ftol.LIBCMT ref: 004246B1
Part of subcall function 0042460F: __ftol.LIBCMT ref: 004246C4
Part of subcall function 0042460F: SetRect.USER32(00000000,00000000,00000000,?,?), ref: 004246EA
Part of subcall function 0042460F: FillRect.USER32(?,?,?), ref: 004246F8

GetStockObject.GDI32(00000004), ref: 004250BA
GetStockObject.GDI32(00000004), ref: 004250F1
GetStockObject.GDI32(00000004), ref: 00425125

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: CapsDeviceObjectStock__ftol$Rect$Fill
String ID:
API String ID: 3813481265-0
Opcode ID: e7d169f1c80cb0f13b4ebfed9c9b72b1601d0b365eccf8a885d87c51fe82d19c
Instruction ID: ae8cb1bd05b296629d22826c9fdfd79376130cdf092c18749430832239a3ba21
Opcode Fuzzy Hash: e7d169f1c80cb0f13b4ebfed9c9b72b1601d0b365eccf8a885d87c51fe82d19c
Instruction Fuzzy Hash: 31314AB2500619FFDF225F91DC48FAB7BA5FF48304F05881AFAA945160C37A98A0DF59

Function 00406B58 Relevance: 6.1, APIs: 4, Instructions: 90stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0041C65C: MoveToEx.GDI32(?,00000000,?,00000000), ref: 0041C67C
Part of subcall function 0041C65C: LineTo.GDI32(?,?,?), ref: 0041C68F

Part of subcall function 0040E26F: IsCharAlphaNumericA.USER32(?,00000000,?,?,?,?,00409327,?,?,?,00000000,00000000,00000000,?,?), ref: 0040E28C

lstrcmpiA.KERNEL32(?,?), ref: 00406BF7
lstrlenA.KERNEL32(?), ref: 00406C1D
GetStockObject.GDI32(00000001), ref: 00406C37
FillRect.USER32(?,?,00000000), ref: 00406C45

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: AlphaCharFillLineMoveNumericObjectRectStocklstrcmpilstrlen
String ID:
API String ID: 764755550-0
Opcode ID: bbd03d6205d5f0dcb034e268988c34efab0d296a523c23c2a592c50b42b4d4f2
Instruction ID: 4dcac53c2ac09a5d0407cc41c90143fdc76530a8d7ea7f0a37f9bfe784135bcf
Opcode Fuzzy Hash: bbd03d6205d5f0dcb034e268988c34efab0d296a523c23c2a592c50b42b4d4f2
Instruction Fuzzy Hash: 9331E372A00209AFDF11DFA8CC85EDA7BB8FF08344F05416AF955E6250E734E9A0CB64

Function 00415B1D Relevance: 6.1, APIs: 4, Instructions: 68COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00415B3C
OffsetRect.USER32(?,?,?), ref: 00415B52
GetDC.USER32 ref: 00415B68

Part of subcall function 004251B1: GetDeviceCaps.GDI32(?,00000070), ref: 004251C6
Part of subcall function 004251B1: GetDeviceCaps.GDI32(?,00000071), ref: 004251CE
Part of subcall function 004251B1: GetDeviceCaps.GDI32(?,00000058), ref: 004251D8
Part of subcall function 004251B1: GetDeviceCaps.GDI32(?,00000008), ref: 004251DF
Part of subcall function 004251B1: GetDeviceCaps.GDI32(?,00000058), ref: 004251E7
Part of subcall function 004251B1: GetDeviceCaps.GDI32(?,0000005A), ref: 004251F8
Part of subcall function 004251B1: GetDeviceCaps.GDI32(?,0000000A), ref: 004251FF
Part of subcall function 004251B1: GetDeviceCaps.GDI32(?,0000005A), ref: 00425207
Part of subcall function 004251B1: GetDeviceCaps.GDI32(?,00000058), ref: 00425218
Part of subcall function 004251B1: GetDeviceCaps.GDI32(?,00000058), ref: 00425223
Part of subcall function 004251B1: GetDeviceCaps.GDI32(?,0000005A), ref: 00425233
Part of subcall function 004251B1: GetDeviceCaps.GDI32(?,0000005A), ref: 00425241
Part of subcall function 004251B1: __ftol.LIBCMT ref: 00425260
Part of subcall function 004251B1: __ftol.LIBCMT ref: 0042527B
Part of subcall function 004251B1: SetRect.USER32(00000000,00000000,00000000,00000000,00000000), ref: 00425288

ReleaseDC.USER32(?,00000000), ref: 00415BEA

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: CapsDevice$Rect$__ftol$OffsetReleaseWindow
String ID:
API String ID: 3885856596-0
Opcode ID: 6c6acebd3e964c749fceadd32a23695e6797b99432d14c600981f44a41e335a1
Instruction ID: 8e1c03ac377ebd74ee05f8abae549e1d3a38c62231e12d56dc76d9fff01f2e63
Opcode Fuzzy Hash: 6c6acebd3e964c749fceadd32a23695e6797b99432d14c600981f44a41e335a1
Instruction Fuzzy Hash: D62193B1504A05EFDB319B78CC49EEBBBB8FF85304F44491AF5AA92251C7346960CB68

Function 0041F757 Relevance: 6.1, APIs: 4, Instructions: 56stringCOMMON

Download Yara Rule

APIs

SelectObject.GDI32(?,?), ref: 0041F77F
lstrlenA.KERNEL32(?,?), ref: 0041F78F
GetTextExtentPointA.GDI32(?,?,00000000), ref: 0041F79A
SelectObject.GDI32(?,00000000), ref: 0041F7BD

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: ObjectSelect$ExtentPointTextlstrlen
String ID:
API String ID: 2577617693-0
Opcode ID: 41e853cb84978dffff0b26dabde2369ace2f6d9197fbb989eccd12b9a3cec006
Instruction ID: c28bd1c11aae9777dba584721573594df3cee8b449f06292e916b7babe304ef9
Opcode Fuzzy Hash: 41e853cb84978dffff0b26dabde2369ace2f6d9197fbb989eccd12b9a3cec006
Instruction Fuzzy Hash: F3114FB6500308AFDB149F65DC85BDA7BF9FB48318F00442AFA5987290D775A885CF68

Function 0040AFAF Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 55stringCOMMON

Download Yara Rule

APIs

lstrcpyA.KERNEL32 ref: 0040B043
lstrcpyA.KERNEL32(0000016C,Times New Roman), ref: 0040B05D

Strings

Courier New, xrefs: 0040AFF7
Times New Roman, xrefs: 0040B04B

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: lstrcpy
String ID: Courier New$Times New Roman
API String ID: 3722407311-1080295943
Opcode ID: c5aa0337d7b7d01737311442548fcef374f1e5074299c593226aec093e422188
Instruction ID: 65eacf5a5c97e52d297aa037852d498f6f2aa3d848346a63ecd6050fbe24d61d
Opcode Fuzzy Hash: c5aa0337d7b7d01737311442548fcef374f1e5074299c593226aec093e422188
Instruction Fuzzy Hash: 5B2149B1905B049FD3618F6A88817D3FBE8BFA9310F10492FD2EE82261D7B56544CF54

Function 00414719 Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 0041472B
ScreenToClient.USER32(?,?), ref: 00414738
GetCursor.USER32(?,?,?,?,00414823,?,?,?), ref: 00414749
SetCursor.USER32(?,?,?,00000001,?,?,?,?,00414823,?,?,?), ref: 00414754

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Cursor$ClientScreen
String ID:
API String ID: 2747520593-0
Opcode ID: 4e8d07cf88078f797e4f5a470466d467fe1251e5c5d3420570589d05382a6e0c
Instruction ID: e3b8728083697be1d951bac2cd3a84f6bf7edbfcd0b89f7673c4bc6962337e68
Opcode Fuzzy Hash: 4e8d07cf88078f797e4f5a470466d467fe1251e5c5d3420570589d05382a6e0c
Instruction Fuzzy Hash: 24118270100504EFCB24DFA0C844EEE7BB8FF41310F50886AF8A69B2A0D734AE85DB58

Function 00416BA1 Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,00000000), ref: 00416BB9

Part of subcall function 004169F8: GetStockObject.GDI32(0000000C), ref: 00416A03
Part of subcall function 004169F8: SelectObject.GDI32(00000000,00000000), ref: 00416A0E
Part of subcall function 004169F8: GetClientRect.USER32(00000064,00000000), ref: 00416A1E
Part of subcall function 004169F8: wsprintfA.USER32 ref: 00416A47
Part of subcall function 004169F8: lstrlenA.KERNEL32(?,004168D1,?,?,?,?,?,?,?,?,?,?,004169DF,00000064,00000000,00000000), ref: 00416A5E
Part of subcall function 004169F8: GetTextExtentPointA.GDI32(00000000,?,00000000), ref: 00416A66
Part of subcall function 004169F8: SetTextColor.GDI32(00000000,00FFFFFF), ref: 00416A80
Part of subcall function 004169F8: SetBkColor.GDI32(00000000,00808080), ref: 00416A8C
Part of subcall function 004169F8: CreateRectRgn.GDI32(00000000,00000000,00000001,?), ref: 00416A9C
Part of subcall function 004169F8: SelectClipRgn.GDI32(00000000,00000000), ref: 00416AAD
Part of subcall function 004169F8: lstrlenA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,004169DF,00000064,00000000,00000000), ref: 00416AB5
Part of subcall function 004169F8: ExtTextOutA.GDI32(00000000,00000064,00000001,00000002,00000000,?,00000000), ref: 00416AC8
Part of subcall function 004169F8: SetTextColor.GDI32(00000000,00000000), ref: 00416AD1
Part of subcall function 004169F8: SetBkColor.GDI32(00000000,00FFFFFF), ref: 00416ADD
Part of subcall function 004169F8: SetRectRgn.GDI32(00000000,00000001,00000000,?,?), ref: 00416AF1
Part of subcall function 004169F8: SelectClipRgn.GDI32(00000000,00000000), ref: 00416AFB
Part of subcall function 004169F8: lstrlenA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,004169DF,00000064,00000000,00000000), ref: 00416B03

GetWindowLongA.USER32(?,00000000), ref: 00416BD1
SetWindowLongA.USER32(?,00000000,00000000), ref: 00416BFD
DefWindowProcA.USER32(?,?,?,?), ref: 00416C0D

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: ColorTextWindow$LongRectSelectlstrlen$ClipObject$ClientCreateExtentPointProcStockwsprintf
String ID:
API String ID: 2692704880-0
Opcode ID: 801b778443ca79812ac801b41ef797a8d297772496d4902b1be289ed80d02187
Instruction ID: 4002382d3691bf50c0da5f4ea83e77ec99feb43d7b78290a6fee2be0328431b2
Opcode Fuzzy Hash: 801b778443ca79812ac801b41ef797a8d297772496d4902b1be289ed80d02187
Instruction Fuzzy Hash: C001A272108225BBEB116BA4AC05FFB3B18EF04701F11402AFE51C5190CA78EA51E76E

Function 0041AAD4 Relevance: 6.0, APIs: 4, Instructions: 46windowstringCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,00000146,00000000,00000000), ref: 0041AAEF
SendMessageA.USER32(?,00000148,00000000,?), ref: 0041AB08
lstrcmpiA.KERNEL32(?,?), ref: 0041AB12
SendMessageA.USER32(?,00000143,00000000,?), ref: 0041AB30

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: MessageSend$lstrcmpi
String ID:
API String ID: 2977491028-0
Opcode ID: 9e51e3043565c6d79829706d10b1598cdcc1b5f7f414c03dddb1e5eb36df96a3
Instruction ID: 4860565841aa30aaacf25475880251e18b2cfcb50964f7861122e3cc9d8e7b94
Opcode Fuzzy Hash: 9e51e3043565c6d79829706d10b1598cdcc1b5f7f414c03dddb1e5eb36df96a3
Instruction Fuzzy Hash: 4BF081726001087ADB20DF56DD85ECF7BBDEB84740F100027F601E61A0D6B0EE50CA71

Function 0041A22E Relevance: 6.0, APIs: 4, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 0041A1BD: wsprintfA.USER32 ref: 0041A1CF
Part of subcall function 0041A1BD: lstrlenA.KERNEL32(00446E60,0043F624,0041A94A,0043F624), ref: 0041A1D9

SetDlgItemTextA.USER32(?,00001A49,00000000), ref: 0041A25B
SetDlgItemTextA.USER32(?,00001A4B,00000000), ref: 0041A277
SetDlgItemTextA.USER32(?,00001A4A,00000000), ref: 0041A293
SetDlgItemTextA.USER32(?,00001A4C,00000000), ref: 0041A2AF

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: ItemText$lstrlenwsprintf
String ID:
API String ID: 340967515-0
Opcode ID: 39c466f1041de693663dedbd6ad556ff0d8a7ee820e2241e035139c3f1f23f22
Instruction ID: a5c29fc3bc6ec3a3f12dd04243cea698e92949807765a722ec752f0bdd449964
Opcode Fuzzy Hash: 39c466f1041de693663dedbd6ad556ff0d8a7ee820e2241e035139c3f1f23f22
Instruction Fuzzy Hash: 260181753013107FD210A765CC45EEBBBFEEF89750F05046AFA0697262C7B06C14CA66

Function 0041727C Relevance: 6.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0041728A
GetWindowRect.USER32(?,?), ref: 00417299
ScreenToClient.USER32(00000000,?), ref: 004172AA
ScreenToClient.USER32(00000000,?), ref: 004172B1

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: ClientScreen$ParentRectWindow
String ID:
API String ID: 2099118873-0
Opcode ID: bdfa5b1935c30d5a76a16ae17017626da96650c51a3683a4fab1e3183546132b
Instruction ID: 1429cfff0f0daa995fee4a21b37ff72a819f78afcf7a049e6eb221dbfcc63696
Opcode Fuzzy Hash: bdfa5b1935c30d5a76a16ae17017626da96650c51a3683a4fab1e3183546132b
Instruction Fuzzy Hash: CFF06272104208AFDB15AB78DC45CFFBFFDEF48314B00042AF95792111DA706D11CA98

Function 0041457B Relevance: 6.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

DeleteObject.GDI32(?), ref: 00414588
DeleteObject.GDI32(?), ref: 0041458D
DeleteObject.GDI32(?), ref: 00414592

Part of subcall function 0041CC21: GetDC.USER32(?), ref: 0041CC2F
Part of subcall function 0041CC21: SelectObject.GDI32(00000000,?), ref: 0041CC41
Part of subcall function 0041CC21: GetTextMetricsA.GDI32(00000000,?), ref: 0041CC4B
Part of subcall function 0041CC21: SelectObject.GDI32(00000000,?), ref: 0041CC55
Part of subcall function 0041CC21: ReleaseDC.USER32(?,00000000), ref: 0041CC5B

InvalidateRect.USER32(?,00000000,00000001), ref: 004145CF

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Object$Delete$Select$InvalidateMetricsRectReleaseText
String ID:
API String ID: 337145824-0
Opcode ID: ec599e45dbbc0533f34d6e8e66557d2a589c9fd108a805b7b9da9d763b9e3847
Instruction ID: 7cf0e020886c2691bf313ec6dd29dd6ddd6128db708d30dfd1bab0a14cd5457c
Opcode Fuzzy Hash: ec599e45dbbc0533f34d6e8e66557d2a589c9fd108a805b7b9da9d763b9e3847
Instruction Fuzzy Hash: 09014B71200A009FCB29AF6ACC4896EFBE6FFC8700711582EE48787660CB75A841DF44

Function 0041EE34 Relevance: 6.0, APIs: 4, Instructions: 39COMMONLIBRARYCODE

Download Yara Rule

APIs

DeleteObject.GDI32(?), ref: 0041EE4D
DeleteObject.GDI32(?), ref: 0041EE5A
DeleteObject.GDI32(?), ref: 0041EE67
DeleteObject.GDI32(?), ref: 0041EE7A

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: DeleteObject
String ID:
API String ID: 1531683806-0
Opcode ID: 8a0a32eb8496cfa162164572ea78a8bbbee17bfb5215598df37681f2dc181ba5
Instruction ID: 21ed8d581efab9dd5e8bb9c1c8db0bf7cc7fced952778997608c29bb017bd092
Opcode Fuzzy Hash: 8a0a32eb8496cfa162164572ea78a8bbbee17bfb5215598df37681f2dc181ba5
Instruction Fuzzy Hash: 15F09CF5600B489BC6209FBADC84A97F7E9AB45705F94081EE259D3201CB75B8848A5C

Function 0041A1BD Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 38stringCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 0041A1CF
lstrlenA.KERNEL32(00446E60,0043F624,0041A94A,0043F624), ref: 0041A1D9

Strings

%.4d, xrefs: 0041A1C9
`nD, xrefs: 0041A1C0

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: lstrlenwsprintf
String ID: %.4d$`nD
API String ID: 357247895-1428641093
Opcode ID: 6c7090547d6166b40f94b1b1bd3d1bb4e39e7b445312abb63056df0327059cf7
Instruction ID: 2dc82ccb41e0cd90834c51a18f31d6ac09ec2c7adacdadfc196aa2b452089a5d
Opcode Fuzzy Hash: 6c7090547d6166b40f94b1b1bd3d1bb4e39e7b445312abb63056df0327059cf7
Instruction Fuzzy Hash: FDF0F4B95047C06BE7214AA4DC08B43BFC89F12309F2508AFE58582262D3F85478C71F

Function 00428C20 Relevance: 6.0, APIs: 4, Instructions: 34COMMON

Download Yara Rule

APIs

GlobalHandle.KERNEL32(76933EB0), ref: 00428C48
GlobalUnlock.KERNEL32(00000000,?,00000000,00000000,0042909B,00000000,76933EB0,004180B3,?,?,?), ref: 00428C4B
GlobalHandle.KERNEL32(76933EB0), ref: 00428C52
GlobalFree.KERNEL32(00000000), ref: 00428C55

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Global$Handle$FreeUnlock
String ID:
API String ID: 3923883194-0
Opcode ID: 430f4d629fa07c9e218f0f5955111b0e8b365529b425afe6d908853115c815b2
Instruction ID: 0d5a95c7fa71e75f6ed2db18b74ee28129b46a1460ea77b72dbe0affabc89fd3
Opcode Fuzzy Hash: 430f4d629fa07c9e218f0f5955111b0e8b365529b425afe6d908853115c815b2
Instruction Fuzzy Hash: 06F012B77096109B9A149B69EC8485BB3A9EFD9321304443EF649C3310CA34DC41C778

Function 0041D695 Relevance: 6.0, APIs: 4, Instructions: 31timeCOMMON

Download Yara Rule

APIs

GetCapture.USER32 ref: 0041D6A1
GetCursorPos.USER32(?), ref: 0041D6AF
ScreenToClient.USER32(?,?), ref: 0041D6BC

Part of subcall function 0041D83C: GetClientRect.USER32(?,00414982), ref: 0041D868
Part of subcall function 0041D83C: GetCapture.USER32 ref: 0041D86E
Part of subcall function 0041D83C: UpdateWindow.USER32(?), ref: 0041D8BA

KillTimer.USER32(?,00000001,?,?,?,?,?,004148EE), ref: 0041D6D6

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: CaptureClient$CursorKillRectScreenTimerUpdateWindow
String ID:
API String ID: 244392045-0
Opcode ID: abbeac6826ece96dbc20f7ba6fa814a95eecdcbee568ba5709959f2b749f1716
Instruction ID: 36724bb49aa81530321205f225ff3fe4eb6d51740eea4a3409cef2c9a9b1d3ac
Opcode Fuzzy Hash: abbeac6826ece96dbc20f7ba6fa814a95eecdcbee568ba5709959f2b749f1716
Instruction Fuzzy Hash: C2F030B2504508BFDB216B91DC49DEF7FBDEB44750F100066F59692060D7B1AD81EB64

Function 004096EC Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 30stringCOMMON

Download Yara Rule

APIs

lstrcpyA.KERNEL32(?,pN@,?,?,?,00000001,0040A1CD,?,?,00000001), ref: 00409715
lstrcpyA.KERNEL32(?,?,?,00000001,0040A1CD,?,?,00000001), ref: 0040971C
lstrcpyA.KERNEL32(?,?,?,00000001,0040A1CD,?,?,00000001), ref: 00409724

Strings

pN@, xrefs: 004096F7, 00409710

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: lstrcpy
String ID: pN@
API String ID: 3722407311-3012989529
Opcode ID: 10bd9f8b63304a5794f624c349a802c25d7e6e138fa6e22da1e6ba00c2a9c4f8
Instruction ID: 416c139b394ffa15249e14e76b520ef9bbabebf7ee2321b3f94a59bf6e8af193
Opcode Fuzzy Hash: 10bd9f8b63304a5794f624c349a802c25d7e6e138fa6e22da1e6ba00c2a9c4f8
Instruction Fuzzy Hash: 38F03076200319EBDB216F65DC8085AFBA5FF94364B01083AFA8453261D737EC25DB69

Function 00428E60 Relevance: 6.0, APIs: 4, Instructions: 28COMMON

Download Yara Rule

APIs

GlobalHandle.KERNEL32(?), ref: 00428E7B
GlobalUnlock.KERNEL32(00000000), ref: 00428E7E
GlobalHandle.KERNEL32(?), ref: 00428E85
GlobalFree.KERNEL32(00000000), ref: 00428E88

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Global$Handle$FreeUnlock
String ID:
API String ID: 3923883194-0
Opcode ID: 174d01f1562d7f996a9466266a2026756ac69808c35f16766fae5f33b4b8f733
Instruction ID: aae178821d0d545ea25cb94757093d90cee243c0ab3d582444422bc411301d21
Opcode Fuzzy Hash: 174d01f1562d7f996a9466266a2026756ac69808c35f16766fae5f33b4b8f733
Instruction Fuzzy Hash: 66E01ABB7096109B9A109B59BC8488BB3A9EBD9261301443BF649C3310CA74DC02867C

Function 004226CF Relevance: 6.0, APIs: 4, Instructions: 27COMMON

Download Yara Rule

APIs

GetStockObject.GDI32(0000000C), ref: 004226E1
GetObjectA.GDI32(00000000), ref: 004226E8
CreateFontIndirectA.GDI32(?), ref: 004226F8
CreateFontIndirectA.GDI32(?), ref: 0042270B

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: CreateFontIndirectObject$Stock
String ID:
API String ID: 959261365-0
Opcode ID: 51aaa2634ae1313e4b52250e781784cd348515330763b03315fc8ae6458ecea2
Instruction ID: 1ef793c5c0e768ef1923c1730f914fe8c8b6501dff5ec13c1f59675172f118c4
Opcode Fuzzy Hash: 51aaa2634ae1313e4b52250e781784cd348515330763b03315fc8ae6458ecea2
Instruction Fuzzy Hash: 21E0C0B2D04219ABDB04ABA5EC09DCA7BFCEB48214F004126F611E3151DB7065058FA4

Function 00410E0A Relevance: 6.0, APIs: 4, Instructions: 27COMMONLIBRARYCODE

Download Yara Rule

APIs

GlobalHandle.KERNEL32(?), ref: 00410E35
GlobalUnlock.KERNEL32(00000000,?,?,00408F7A), ref: 00410E38
GlobalHandle.KERNEL32(?), ref: 00410E41
GlobalFree.KERNEL32(00000000), ref: 00410E44

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Global$Handle$FreeUnlock
String ID:
API String ID: 3923883194-0
Opcode ID: 257abe2aa0a5fac63aeea8dce974402201d8401642c48d1f6789300945e5c867
Instruction ID: 25fb7273c8d7eb8f9a35d90141a21b23ce3803a40ffff1c5ae7f27276f7c9c30
Opcode Fuzzy Hash: 257abe2aa0a5fac63aeea8dce974402201d8401642c48d1f6789300945e5c867
Instruction Fuzzy Hash: 67E030712007009FDB305F76EC08A4777A8AF88711B01986DE082C7310C7B5E880CB54

Function 004168F2 Relevance: 6.0, APIs: 4, Instructions: 25windowCOMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(000005DC,00000008), ref: 004168FB
IsWindowVisible.USER32(000005DC), ref: 00416904
ShowWindow.USER32(000005DC,00000005), ref: 00416911
UpdateWindow.USER32(000005DC), ref: 00416918

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Window$LongShowUpdateVisible
String ID:
API String ID: 1590855407-0
Opcode ID: 3afab8b94b84f585b294ac7d986c02bc1cb51aeab27ae707830a7a31259481f4
Instruction ID: 5540f24a6f1ceacbc1d034b0b5094bd3c59a93d1b75f15345252de08002d5856
Opcode Fuzzy Hash: 3afab8b94b84f585b294ac7d986c02bc1cb51aeab27ae707830a7a31259481f4
Instruction Fuzzy Hash: 29E0D872108210B7D7211F50AC0CFCF3F68FF99701F011025FA4092071D7349552DB99

Function 004145E1 Relevance: 6.0, APIs: 4, Instructions: 21COMMON

Download Yara Rule

APIs

LoadCursorA.USER32(00000000,00007F01), ref: 004145F2
GetCursor.USER32 ref: 004145F6
LoadCursorA.USER32(00000000,00007F01), ref: 00414603
SetCursor.USER32(00000000), ref: 00414606

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Cursor$Load
String ID:
API String ID: 1675784387-0
Opcode ID: 22a1afddeaea843c5051f82ea0f9d6a300af30297ce91d47d4d40a363277f44a
Instruction ID: 770233942ba92f6f2dc88b076f39b9d6bbcb903feb9e7a46888b2317112e4639
Opcode Fuzzy Hash: 22a1afddeaea843c5051f82ea0f9d6a300af30297ce91d47d4d40a363277f44a
Instruction Fuzzy Hash: 08D0A7A2F0C25567DA202BE96C8CF9B2F6CDBC5762F14103BF604D3150C6A85C00D6B8

Function 00433222 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 124COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,00000000), ref: 00433236

Strings

, xrefs: 0043327F
, xrefs: 0043325B

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Info
String ID: $
API String ID: 1807457897-3032137957
Opcode ID: 26dbcb0c5ee339fdffb02fa0dd7fc1947ac89f5a6c60bbbdd49ff746c844122e
Instruction ID: 369ae92cf9d1cc9b228ec435d596aa747a3d34b8dc5de4ac54472bc1ce0b9891
Opcode Fuzzy Hash: 26dbcb0c5ee339fdffb02fa0dd7fc1947ac89f5a6c60bbbdd49ff746c844122e
Instruction Fuzzy Hash: 4A41A0310082986EEB118F54DC49BFB3F98EB0A705F1410E6ED49CB152C7394B45DBAA

Function 0041E809 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 87COMMON

Download Yara Rule

APIs

EnableWindow.USER32(?,00000001), ref: 0041E8F9

Part of subcall function 0041E911: IsWindowVisible.USER32(?), ref: 0041E91B

EnableWindow.USER32(?,00000000), ref: 0041E838

Strings

Preparing word index page layout..., xrefs: 0041E85D

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Window$Enable$Visible
String ID: Preparing word index page layout...
API String ID: 3300910207-563682661
Opcode ID: c8bdc6085a187515c5fd0ef0d950bd48402a395aadc89927ee1882c7d7cd3bf4
Instruction ID: 4dd29c00adb5f17a6a51e4be0c5613bd3d5f5658537ca69c06024d824bd46d64
Opcode Fuzzy Hash: c8bdc6085a187515c5fd0ef0d950bd48402a395aadc89927ee1882c7d7cd3bf4
Instruction Fuzzy Hash: 6D314CB56047019FC724AF66D881A9BBBE5EF44314F14883FFA5A87251CB34E884CB1D

Function 00427BDA Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 65COMMON

Download Yara Rule

APIs

ResetEvent.KERNEL32(?,?,?,00437520,00426F43,?,?,?,?,POST,00000000,00000001,00000000,?,00401AEC,00002AF9), ref: 00427C6C

Strings

Content-Type: application/x-www-form-urlencoded, xrefs: 00427C47, 00427C51, 00427C59
Accept: */*, xrefs: 00427C25, 00427C2F, 00427C37

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: EventReset
String ID: Accept: */*$Content-Type: application/x-www-form-urlencoded
API String ID: 2632953641-2016586534
Opcode ID: ec624ce48285cf512cd0a8feeb6be52c6f2d9679c2569a41c94e705bfe86ac08
Instruction ID: a9220b79ff25a0d1f3af19e5a6c45f84d8719eb2a72b7065fe8fdc8262927700
Opcode Fuzzy Hash: ec624ce48285cf512cd0a8feeb6be52c6f2d9679c2569a41c94e705bfe86ac08
Instruction Fuzzy Hash: FD11C2B27046216EE7316F33BCC5E3B76ADEBC1354F50452FF54192251DA389C429A6C

Function 00413ED6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 48COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00413EDB

Part of subcall function 00422B2F: lstrcpynA.KERNEL32(?,00000104,00000104,?), ref: 00422BB9

Part of subcall function 00422D2E: lstrlenA.KERNEL32(?,?,?,00000001,?), ref: 00422D3C
Part of subcall function 00422D2E: GetFocus.USER32 ref: 00422D66
Part of subcall function 00422D2E: IsWindowEnabled.USER32(?), ref: 00422D7A
Part of subcall function 00422D2E: EnableWindow.USER32(?,00000000), ref: 00422D8F
Part of subcall function 00422D2E: GetOpenFileNameA.COMDLG32(?), ref: 00422DF1
Part of subcall function 00422D2E: CommDlgExtendedError.COMDLG32(?), ref: 00422E04
Part of subcall function 00422D2E: EnableWindow.USER32(?,00000001), ref: 00422E2C
Part of subcall function 00422D2E: IsWindow.USER32(?), ref: 00422E35
Part of subcall function 00422D2E: SetFocus.USER32(?), ref: 00422E45

Strings

ptx, xrefs: 00413EFF
{C, xrefs: 00413F1E

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Window$EnableFocus$CommEnabledErrorExtendedFileH_prologNameOpenlstrcpynlstrlen
String ID: {C$ptx
API String ID: 2416099814-1112222908
Opcode ID: 4c3856fd61622f53617dcc62beb80ff2414efe2a6a3e8770cbc29cd35cdf47ee
Instruction ID: be26cd729379ab54639d1c06042b98ff7255f656198c5d6057d9e092b3118f26
Opcode Fuzzy Hash: 4c3856fd61622f53617dcc62beb80ff2414efe2a6a3e8770cbc29cd35cdf47ee
Instruction Fuzzy Hash: 1C11E132A01228BADF11AF20ED02BED7B70AF08318F50409AF515260A3CB785F88DF58

Function 0041AE28 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041AE2D
DestroyWindow.USER32(?,?,?,?,?,0040721A), ref: 0041AE6F

Strings

<}C, xrefs: 0041AE47

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: DestroyH_prologWindow
String ID: <}C
API String ID: 4080165092-2809451127
Opcode ID: 1188902576434a20a13323f9db5c7a78860901755e6f57d926edb03eb0b44373
Instruction ID: 46757f3152b56f61e8c97fb631e3815d36e9e061cf9f7a877ad0522480e73995
Opcode Fuzzy Hash: 1188902576434a20a13323f9db5c7a78860901755e6f57d926edb03eb0b44373
Instruction Fuzzy Hash: AE1100B27407119FDB289F24D8047AFB7F8EF84309F10492EE05A9B281C7BC29048B9D

Function 00413E5E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00422F40: IsWindow.USER32(?), ref: 00422F4D
Part of subcall function 00422F40: SendMessageA.USER32(?,00000464,00000104,?), ref: 00422F6B

MessageBoxA.USER32(?,?,00000000,00000000), ref: 00413EB7
SetWindowLongA.USER32(?,00000000,00000001), ref: 00413EC4

Strings

The file %s is not a valid E-Transcript file., xrefs: 00413E94

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: MessageWindow$LongSend
String ID: The file %s is not a valid E-Transcript file.
API String ID: 24234429-2495432812
Opcode ID: f1d357cdd5ce7b572c1594626587b8669a7f890f3107e37ee1df4e4bc5edfb94
Instruction ID: 1165a8b675c51ef84117341fcb59e3ef04cea6d92e80c5cb17b79115311058d0
Opcode Fuzzy Hash: f1d357cdd5ce7b572c1594626587b8669a7f890f3107e37ee1df4e4bc5edfb94
Instruction Fuzzy Hash: E4F0C8723043147BE720B7659C86FAB776DAB44705F10047BFA06E2192DAA8A8445BA8

Function 004257F3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004257F8

Strings

OD, xrefs: 0042580B
string too long, xrefs: 00425800

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: H_prolog
String ID: string too long$OD
API String ID: 3519838083-2212743506
Opcode ID: fa34c3587b33fc9bc9914c179e7fc41bb5f1f7c8c9f815f4b859f3d0baa0147a
Instruction ID: d0b00db9b4c59796ff664d5183c8af0715fd4a98257dea1dc30a58c34bb459e3
Opcode Fuzzy Hash: fa34c3587b33fc9bc9914c179e7fc41bb5f1f7c8c9f815f4b859f3d0baa0147a
Instruction Fuzzy Hash: 69F062B6700255AED7009F89D841BAEF7B9EF85305F10445FF111A7281CBB85904CBA4

Function 00417605 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28registryCOMMON

Download Yara Rule

APIs

LoadCursorA.USER32(00000000,00007F84), ref: 00417633
RegisterClassA.USER32(?), ref: 0041764D

Strings

PaneSplitter, xrefs: 00417646

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: ClassCursorLoadRegister
String ID: PaneSplitter
API String ID: 1693014935-3269436181
Opcode ID: 088a1c23ca29f835b02ef299e4a07f0bfc3b4b1020145b8b3d116213a3f2f89a
Instruction ID: eef74f5a629b0f50c86d4fda26a2cda6542f9f96ff491d052117ec774d4eaa02
Opcode Fuzzy Hash: 088a1c23ca29f835b02ef299e4a07f0bfc3b4b1020145b8b3d116213a3f2f89a
Instruction Fuzzy Hash: ADF0AFB1C15229EBCB00DFD8D8456DEBFF8AB09B04F10516BE500F6240D7B856848BE9

Function 0040ACC0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 0040ACD5
WritePrivateProfileStringA.KERNEL32(00000000), ref: 0040ACF1

Strings

%ld, xrefs: 0040ACCF

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: PrivateProfileStringWritewsprintf
String ID: %ld
API String ID: 1995626314-1112595699
Opcode ID: d08ceaf40cfa068617b7dbaff6fb7f6c713322ae3829dd28cde02d080c42aad9
Instruction ID: 1f37a3ca2d96f206ce7b44966381dccd165d6201256e815a2e350ebbfa75593c
Opcode Fuzzy Hash: d08ceaf40cfa068617b7dbaff6fb7f6c713322ae3829dd28cde02d080c42aad9
Instruction Fuzzy Hash: F3E012B2500118ABCF10AF94DC49CDE7BFCEF0C2007044026FC46E3150D674E914CBA4

Function 00414BCB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21windowCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 00414BE3
SendMessageA.USER32(?,00000401,00000000,?), ref: 00414BFA

Strings

Page %d of %d, xrefs: 00414BDD

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: MessageSendwsprintf
String ID: Page %d of %d
API String ID: 3751067900-1023386322
Opcode ID: 5fe3d38543bcab92406f2d081f68beba836f1ec86ce7d841f1117cdfe421cc8a
Instruction ID: 793128ed15cff08623b650deb28ed0fc1b045058eaa01eeff52ff67a2dcbaaff
Opcode Fuzzy Hash: 5fe3d38543bcab92406f2d081f68beba836f1ec86ce7d841f1117cdfe421cc8a
Instruction Fuzzy Hash: 90E086B2400218FBDB106B54DC06EDE7BACEB04700F008025FE51A2191D2B1A914C798

Function 00423AEE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 10windowCOMMON

Download Yara Rule

APIs

MessageBoxA.USER32(?,Please remove all the printed pages from the printer's output tray, and return them to the top of the paper tray.,Manual Duplex Printing,00000001), ref: 00423AFE

Strings

Manual Duplex Printing, xrefs: 00423AF0
Please remove all the printed pages from the printer's output tray, and return them to the top of the paper tray., xrefs: 00423AF5

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: Message
String ID: Manual Duplex Printing$Please remove all the printed pages from the printer's output tray, and return them to the top of the paper tray.
API String ID: 2030045667-1276341297
Opcode ID: ebf65a862c2419a30bdb2b68a5d6a07b44e333f430e7e36b44b17938d61d8823
Instruction ID: 969aa8a8fc2b0d768360c9159159d11f135ae32e210714a463a0dc4225332f0e
Opcode Fuzzy Hash: ebf65a862c2419a30bdb2b68a5d6a07b44e333f430e7e36b44b17938d61d8823
Instruction Fuzzy Hash: ACC09BB67E830567D71447109C4BF4E6551E75CF01F20643ABD43D40E0C7D588A4F55D

Function 00401E74 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 9COMMON

Download Yara Rule

APIs

ShellExecuteA.SHELL32(00000000,open,http://www.reallegal.com/binderpull.asp,00000000,0043C374,00000001), ref: 00401E8D

Strings

open, xrefs: 00401E82
http://www.reallegal.com/binderpull.asp, xrefs: 00401E7D

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: ExecuteShell
String ID: http://www.reallegal.com/binderpull.asp$open
API String ID: 587946157-3567267458
Opcode ID: 8ba22e745709d161bd0e47b3dbd756d333b31aca214199c3750a7509f2c81e8e
Instruction ID: d2fde552fb2afa08fd1e6524f0a9b2018354cdcb131a5091967ce4b1ec8ff010
Opcode Fuzzy Hash: 8ba22e745709d161bd0e47b3dbd756d333b31aca214199c3750a7509f2c81e8e
Instruction Fuzzy Hash: 11B092607D030075DD2063A46CCBF0628145748F05F30E56339407A0D184EC10004A2C

Function 0042E356 Relevance: 5.1, APIs: 4, Instructions: 53memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapReAlloc.KERNEL32(00000000,?,?,00000000,0042E11E,?,?,?,00000100,?,00000000), ref: 0042E37E
HeapAlloc.KERNEL32(00000008,000041C4,?,00000000,0042E11E,?,?,?,00000100,?,00000000), ref: 0042E3B2
VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004,?,00000000,0042E11E,?,?,?,00000100,?,00000000), ref: 0042E3CC
HeapFree.KERNEL32(00000000,?,?,00000000,0042E11E,?,?,?,00000100,?,00000000), ref: 0042E3E3

Memory Dump Source

Source File: 00000000.00000002.3284228189.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3284211810.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284267076.0000000000437000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284282183.000000000043C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284303051.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284320324.0000000000447000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3284356673.0000000000449000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_signed.jbxd

Similarity

API ID: AllocHeap$FreeVirtual
String ID:
API String ID: 3499195154-0
Opcode ID: 8cb648292bd96f43a038297cb447a57f836384cb969eb0bc9cfd4f46ece1fb72
Instruction ID: 46b850fea1f7caa01f5c75c44a76ac0506f6b3ac42b377159240b627cf3c5f3b
Opcode Fuzzy Hash: 8cb648292bd96f43a038297cb447a57f836384cb969eb0bc9cfd4f46ece1fb72
Instruction Fuzzy Hash: 80118CB42002009FD731CF19EC9492A7BF2FB863127604A3DF691C76B0CB709842CB68

Source: signed.exe, etrnview.exe.0.dr	String found in binary or memory: http://www.deposchedule.com/
Source: signed.exe	String found in binary or memory: http://www.reallegal.com
Source: signed.exe, etrnview.exe.0.dr	String found in binary or memory: http://www.reallegal.com/
Source: signed.exe, etrnview.exe.0.dr	String found in binary or memory: http://www.reallegal.com/binderpull.asp
Source: signed.exe, etrnview.exe.0.dr	String found in binary or memory: http://www.reallegal.com/binderpull.asp.http://www.deposchedule.com/By

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report signed.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RealLegal E-Transcript Viewer\RealLegal E-Transcript Viewer.lnk

C:\Users\Public\Desktop\RealLegal E-Transcript Viewer.lnk

C:\Windows\etrnview.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

UDP Packets

DNS Queries

DNS Answers

Statistics

CPU Usage

Memory Usage

Windows Analysis Report
signed.exe

Function 00405D5A Relevance: 44.0, APIs: 21, Strings: 4, Instructions: 226
stringcomwindowCOMMON

Function 00405155 Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 204
windowCOMMON

Function 00406252 Relevance: 66.7, APIs: 30, Strings: 8, Instructions: 223
registrystringwindowCOMMON

Function 004022EE Relevance: 65.0, APIs: 35, Strings: 2, Instructions: 265
windowCOMMON

Function 004172E4 Relevance: 46.7, APIs: 31, Instructions: 249
COMMON

Function 00404056 Relevance: 36.9, APIs: 17, Strings: 4, Instructions: 191
registrylibrarywindowCOMMON

Function 004064C3 Relevance: 33.4, APIs: 11, Strings: 8, Instructions: 151
windowstringCOMMON

Function 0040E06C Relevance: 31.6, APIs: 16, Strings: 2, Instructions: 137
stringCOMMON

Function 00403447 Relevance: 28.2, APIs: 15, Strings: 1, Instructions: 158
windowstringCOMMON

Function 00408027 Relevance: 26.6, APIs: 13, Strings: 2, Instructions: 301
windowCOMMON

Function 0040459A Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 237
stringCOMMON

Function 00405BDA Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 106
stringCOMMON

Function 00407B70 Relevance: 21.1, APIs: 14, Instructions: 82
windowCOMMON

Function 00432D3B Relevance: 19.5, APIs: 9, Strings: 2, Instructions: 221
COMMONLIBRARYCODE

Function 00403A45 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 207
stringwindowCOMMON