Edit tour

Windows Analysis Report
ZX7MDKtbfn.exe

Overview

General Information

Sample name:	ZX7MDKtbfn.exe renamed because original name is a hash value
Original sample name:	1aeb3a19d439d8a4a00313d12f463827.exe
Analysis ID:	1464724
MD5:	1aeb3a19d439d8a4a00313d12f463827
SHA1:	beedd7366e1ef168595d800ebe013067c78775de
SHA256:	b0e5fddc8448dc854ab400c9b0ac82c43a2f44fa6970cd2975e7d28116a7740d
Tags:	exeStealc
Infos:

Detection

Mars Stealer, Stealc, Vidar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected Mars stealer

Yara detected Stealc

Yara detected Vidar stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Deletes itself after installation

Found direct / indirect Syscall (likely to bypass EDR)

Found hidden mapped module (file has been removed from disk)

Injects code into the Windows Explorer (explorer.exe)

Maps a DLL or memory area into another process

PE file has a writeable .text section

Sample uses string decryption to hide its real strings

Switches to a custom stack to bypass stack traces

Writes to foreign memory regions

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the clipboard data

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Extensive use of GetProcAddress (often used to hide API calls)

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

PE / OLE file has an invalid certificate

PE file contains sections with non-standard names

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

ZX7MDKtbfn.exe (PID: 6208 cmdline: "C:\Users\user\Desktop\ZX7MDKtbfn.exe" MD5: 1AEB3A19D439D8A4A00313D12F463827)

cmd.exe (PID: 6184 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2004 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

explorer.exe (PID: 332 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Stealc	Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-2/ https://cocomelonc.github.io/book/2023/12/13/malwild-book.html https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-stealc-cbe5c94b84af	https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Malware Configuration

Threatname: Vidar

{"C2 url": "http://188.130.207.35/0b92e7ab19e861f9.php"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\tkqesalfwllvk	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
C:\Users\user\AppData\Local\Temp\tkqesalfwllvk	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000001.00000002.1904758194.0000000005910000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000001.00000002.1904758194.0000000005910000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
00000003.00000002.1903471784.00000000008C1000.00000080.00000001.01000000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000003.00000002.1903471784.00000000008C1000.00000080.00000001.01000000.00000000.sdmp	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
decrypted.memstr	JoeSecurity_Stealc	Yara detected Stealc	Joe Security

Unpacked PEs

Source	Rule	Description	Author
1.2.cmd.exe.59100c8.7.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
1.2.cmd.exe.59100c8.7.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
1.2.cmd.exe.59100c8.7.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
1.2.cmd.exe.59100c8.7.raw.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security

Sigma Signatures

System Summary

Sigma detected: Proxy Execution Via Explorer.exe

Source: Process started

Author: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative: Data: Command: C:\Windows\SysWOW64\explorer.exe, CommandLine: C:\Windows\SysWOW64\explorer.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\explorer.exe, NewProcessName: C:\Windows\SysWOW64\explorer.exe, OriginalFileName: C:\Windows\SysWOW64\explorer.exe, ParentCommandLine: C:\Windows\SysWOW64\cmd.exe, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6184, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Windows\SysWOW64\explorer.exe, ProcessId: 332, ProcessName: explorer.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://188.130.207.35/0b92e7ab19e861f9.php

Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\tkqesalfwllvk

Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen

Found malware configuration

Source: 1.2.cmd.exe.59100c8.7.raw.unpack

Malware Configuration Extractor: Vidar {"C2 url": "http://188.130.207.35/0b92e7ab19e861f9.php"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\tkqesalfwllvk	ReversingLabs: Detection: 62%
Source: C:\Users\user\AppData\Local\Temp\tkqesalfwllvk	Virustotal: Detection: 59%			Perma Link

Multi AV Scanner detection for submitted file

Source: ZX7MDKtbfn.exe	Virustotal: Detection: 39%			Perma Link
Source: ZX7MDKtbfn.exe	ReversingLabs: Detection: 54%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Sample uses string decryption to hide its real strings

Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: INSERT_KEY_HERE
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: GetProcAddress
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: LoadLibraryA
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: lstrcatA
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: OpenEventA
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: CreateEventA
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: CloseHandle
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: Sleep
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: GetUserDefaultLangID
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: VirtualAllocExNuma
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: VirtualFree
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: GetSystemInfo
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: VirtualAlloc
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: HeapAlloc
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: GetComputerNameA
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: lstrcpyA
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: GetProcessHeap
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: GetCurrentProcess
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: lstrlenA
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: ExitProcess
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: GlobalMemoryStatusEx
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: GetSystemTime
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: SystemTimeToFileTime
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: advapi32.dll
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: gdi32.dll
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: user32.dll
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: crypt32.dll
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: ntdll.dll
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: GetUserNameA
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: CreateDCA
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: GetDeviceCaps
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: ReleaseDC
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: CryptStringToBinaryA
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: sscanf
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: VMwareVMware
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: HAL9TH
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: JohnDoe
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: DISPLAY
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: %hu/%hu/%hu
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: http://188.130.207.35
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: /0b92e7ab19e861f9.php
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: /c4633c2e8e686369/
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: night26
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: GetEnvironmentVariableA
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: GetFileAttributesA
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: GlobalLock
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: HeapFree
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: GetFileSize
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: GlobalSize
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: CreateToolhelp32Snapshot
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: IsWow64Process
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: Process32Next
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: GetLocalTime
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: FreeLibrary
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: GetTimeZoneInformation
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: GetSystemPowerStatus
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: GetVolumeInformationA
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: GetWindowsDirectoryA
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: Process32First
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: GetLocaleInfoA
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: GetUserDefaultLocaleName
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: GetModuleFileNameA
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: DeleteFileA
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: FindNextFileA
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: LocalFree
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: FindClose
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: SetEnvironmentVariableA
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: LocalAlloc
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: GetFileSizeEx
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: ReadFile
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: SetFilePointer
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: WriteFile
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: CreateFileA
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: FindFirstFileA
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: CopyFileA
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: VirtualProtect
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: GetLogicalProcessorInformationEx
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: GetLastError
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: lstrcpynA
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: MultiByteToWideChar
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: GlobalFree
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: WideCharToMultiByte
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: GlobalAlloc
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: OpenProcess
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: TerminateProcess
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: GetCurrentProcessId
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: gdiplus.dll
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: ole32.dll
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: bcrypt.dll
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: wininet.dll
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: shlwapi.dll
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: shell32.dll
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: psapi.dll
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: rstrtmgr.dll
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: CreateCompatibleBitmap
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: SelectObject
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: BitBlt
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: DeleteObject
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: CreateCompatibleDC
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: GdipGetImageEncodersSize
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: GdipGetImageEncoders
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: GdipCreateBitmapFromHBITMAP
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: GdiplusStartup
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: GdiplusShutdown
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: GdipSaveImageToStream
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: GdipDisposeImage
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: GdipFree
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: GetHGlobalFromStream
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: CreateStreamOnHGlobal
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: CoUninitialize
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: CoInitialize
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: CoCreateInstance
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: BCryptGenerateSymmetricKey
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: BCryptCloseAlgorithmProvider
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: BCryptDecrypt
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: BCryptSetProperty
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: BCryptDestroyKey
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: BCryptOpenAlgorithmProvider
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: GetWindowRect
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: GetDesktopWindow
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: GetDC
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: CloseWindow
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: wsprintfA
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: EnumDisplayDevicesA
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: GetKeyboardLayoutList
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: CharToOemW
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: wsprintfW
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: RegQueryValueExA
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: RegEnumKeyExA
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: RegOpenKeyExA
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: RegCloseKey
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: RegEnumValueA
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: CryptBinaryToStringA
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: CryptUnprotectData
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: SHGetFolderPathA
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: ShellExecuteExA
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: InternetOpenUrlA
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: InternetConnectA
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: InternetCloseHandle
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: InternetOpenA
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: HttpSendRequestA
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: HttpOpenRequestA
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: InternetReadFile
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: InternetCrackUrlA
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: StrCmpCA
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: StrStrA
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: StrCmpCW
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: PathMatchSpecA
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: GetModuleFileNameExA
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: RmStartSession
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: RmRegisterResources
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: RmGetList
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: RmEndSession
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: sqlite3_open
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: sqlite3_prepare_v2
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: sqlite3_step
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: sqlite3_column_text
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: sqlite3_finalize
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: sqlite3_close
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: sqlite3_column_bytes
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: sqlite3_column_blob
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: encrypted_key
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: PATH
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: C:\ProgramData\nss3.dll
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: NSS_Init
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: NSS_Shutdown
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: PK11_GetInternalKeySlot
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: PK11_FreeSlot
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: PK11_Authenticate
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: PK11SDR_Decrypt
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: C:\ProgramData\
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: SELECT origin_url, username_value, password_value FROM logins
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: browser:
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: profile:
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: url:
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: login:
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: password:
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: Opera
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: OperaGX
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: Network
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: cookies
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: .txt
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: TRUE
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: FALSE
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: autofill
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: SELECT name, value FROM autofill
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: history
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: SELECT url FROM urls LIMIT 1000
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: name:
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: month:
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: year:
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: card:
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: Cookies
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: Login Data
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: Web Data
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: History
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: logins.json
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: formSubmitURL
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: usernameField
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: encryptedUsername
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: encryptedPassword
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: guid
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: SELECT fieldname, value FROM moz_formhistory
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: SELECT url FROM moz_places LIMIT 1000
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: cookies.sqlite
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: formhistory.sqlite
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: places.sqlite
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: plugins
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: Local Extension Settings
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: Sync Extension Settings
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: IndexedDB
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: Opera Stable
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: Opera GX Stable
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: CURRENT
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: chrome-extension_
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: _0.indexeddb.leveldb
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: Local State
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: profiles.ini
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: chrome
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: opera
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: firefox
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: wallets
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: %08lX%04lX%lu
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: ProductName
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: %d/%d/%d %d:%d:%d
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: ProcessorNameString
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: DisplayName
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: DisplayVersion
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: Network Info:
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: - IP: IP?
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: - Country: ISO?
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: System Summary:
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: - HWID:
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: - OS:
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: - Architecture:
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: - UserName:
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: - Computer Name:
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: - Local Time:
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: - UTC:
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: - Language:
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: - Keyboards:
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: - Laptop:
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: - Running Path:
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: - CPU:
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: - Threads:
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: - Cores:
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: - RAM:
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: - Display Resolution:
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: - GPU:
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: User Agents:
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: Installed Apps:
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: All Users:
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: Current User:
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: Process List:
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: system_info.txt
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: freebl3.dll
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: mozglue.dll
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: msvcp140.dll
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: nss3.dll
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: softokn3.dll
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: vcruntime140.dll
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: \Temp\
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: .exe
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: runas
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: open
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: /c start
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: %DESKTOP%
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: %APPDATA%
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: %LOCALAPPDATA%
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: %USERPROFILE%
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: %DOCUMENTS%
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: %PROGRAMFILES%
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: %PROGRAMFILES_86%
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: %RECENT%
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: *.lnk
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: files
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: \discord\
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: \Local Storage\leveldb\CURRENT
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: \Local Storage\leveldb
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: \Telegram Desktop\
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: key_datas
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: D877F783D5D3EF8C*
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: map*
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: A7FDF864FBC10B77*
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: A92DAA6EA6F891F2*
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: F8806DD0C461824F*
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: Telegram
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: *.tox
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: *.ini
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: Password
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: oftware\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: 00000001
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: 00000002
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: 00000003
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: 00000004
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: \Outlook\accounts.txt
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: Pidgin
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: \.purple\
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: accounts.xml
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: dQw4w9WgXcQ
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: token:
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: Software\Valve\Steam
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: SteamPath
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: \config\
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: ssfn*
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: config.vdf
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: DialogConfig.vdf
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: DialogConfigOverlay*.vdf
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: libraryfolders.vdf
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: loginusers.vdf
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: \Steam\
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: sqlite3.dll
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: browsers
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: done
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: soft
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: \Discord\tokens.txt
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: /c timeout /t 5 & del /f /q "
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: " & del "C:\ProgramData\*.dll"" & exit
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: C:\Windows\system32\cmd.exe
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: https
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: POST
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: HTTP/1.1
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: Content-Disposition: form-data; name="
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: hwid
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: build
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: token
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: file_name
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: file
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: message
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
Source: 1.2.cmd.exe.59100c8.7.raw.unpack	String decryptor: screenshot.jpg

Source:	Binary string: ntdll.pdb source: ZX7MDKtbfn.exe, 00000000.00000002.1710561334.0000000002832000.00000004.00000020.00020000.00000000.sdmp, ZX7MDKtbfn.exe, 00000000.00000002.1710875109.0000000002E33000.00000004.00000001.00020000.00000000.sdmp, ZX7MDKtbfn.exe, 00000000.00000002.1710711662.0000000002C30000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: cmd.exe, 00000001.00000002.1903882571.0000000005420000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1903632081.0000000004FD4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1904161815.00000000050E0000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1903820933.0000000004CAD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdbUGP source: ZX7MDKtbfn.exe, 00000000.00000002.1710561334.0000000002832000.00000004.00000020.00020000.00000000.sdmp, ZX7MDKtbfn.exe, 00000000.00000002.1710875109.0000000002E33000.00000004.00000001.00020000.00000000.sdmp, ZX7MDKtbfn.exe, 00000000.00000002.1710711662.0000000002C30000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: cmd.exe, 00000001.00000002.1903882571.0000000005420000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1903632081.0000000004FD4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1904161815.00000000050E0000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1903820933.0000000004CAD000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe

Code function: 0_2_000000014000352C _invalid_parameter_noinfo,_invalid_parameter_noinfo,lstrlenW,FindFirstFileW,lstrlenW,FindClose,

0_2_000000014000352C

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: http://188.130.207.35/0b92e7ab19e861f9.php

Source: ZX7MDKtbfn.exe, 00000000.00000002.1710437061.0000000002630000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://c0rl.m%L
Source: ZX7MDKtbfn.exe, 00000000.00000002.1710437061.000000000271D000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1903800390.000000000537F000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1904039629.0000000005048000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: ZX7MDKtbfn.exe, 00000000.00000002.1710437061.000000000271D000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1903800390.000000000537F000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1904039629.0000000005048000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: ZX7MDKtbfn.exe, 00000000.00000002.1710437061.000000000271D000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1903800390.000000000537F000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1904039629.0000000005048000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: ZX7MDKtbfn.exe, 00000000.00000002.1710437061.000000000271D000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1903800390.000000000537F000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1904039629.0000000005048000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: ZX7MDKtbfn.exe	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: ZX7MDKtbfn.exe	String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: ZX7MDKtbfn.exe	String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
Source: ZX7MDKtbfn.exe	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: ZX7MDKtbfn.exe, 00000000.00000002.1710437061.0000000002630000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.
Source: ZX7MDKtbfn.exe, 00000000.00000002.1710437061.000000000271D000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1903800390.000000000537F000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1904039629.0000000005048000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: ZX7MDKtbfn.exe, 00000000.00000002.1710437061.000000000271D000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1903800390.000000000537F000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1904039629.0000000005048000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: ZX7MDKtbfn.exe, 00000000.00000002.1710437061.000000000271D000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1903800390.000000000537F000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1904039629.0000000005048000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: ZX7MDKtbfn.exe, 00000000.00000002.1710437061.000000000271D000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1903800390.000000000537F000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1904039629.0000000005048000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: ZX7MDKtbfn.exe, 00000000.00000002.1710437061.000000000271D000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1903800390.000000000537F000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1904039629.0000000005048000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: ZX7MDKtbfn.exe, 00000000.00000002.1710437061.000000000271D000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1903800390.000000000537F000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1904039629.0000000005048000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: ZX7MDKtbfn.exe, 00000000.00000002.1710437061.000000000271D000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1903800390.000000000537F000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1904039629.0000000005048000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: ZX7MDKtbfn.exe, 00000000.00000002.1710437061.000000000271D000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1903800390.000000000537F000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1904039629.0000000005048000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: ZX7MDKtbfn.exe, 00000000.00000002.1710437061.000000000271D000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1903800390.000000000537F000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1904039629.0000000005048000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: ZX7MDKtbfn.exe, 00000000.00000002.1710437061.000000000271D000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1903800390.000000000537F000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1904039629.0000000005048000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: ZX7MDKtbfn.exe, 00000000.00000002.1710437061.000000000271D000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1903800390.000000000537F000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1904039629.0000000005048000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: ZX7MDKtbfn.exe, 00000000.00000002.1710437061.000000000271D000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1903800390.000000000537F000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1904039629.0000000005048000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: ZX7MDKtbfn.exe, 00000000.00000002.1710437061.000000000271D000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1903800390.000000000537F000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1904039629.0000000005048000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0L
Source: ZX7MDKtbfn.exe, 00000000.00000002.1710437061.000000000271D000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1903800390.000000000537F000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1904039629.0000000005048000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: ZX7MDKtbfn.exe	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: ZX7MDKtbfn.exe	String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: ZX7MDKtbfn.exe	String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: ZX7MDKtbfn.exe	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: ZX7MDKtbfn.exe, 00000000.00000002.1710437061.000000000271D000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1903800390.000000000537F000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1904039629.0000000005048000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: ZX7MDKtbfn.exe, 00000000.00000002.1710437061.000000000271D000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1903800390.000000000537F000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1904039629.0000000005048000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://s2.symcb.com0
Source: ZX7MDKtbfn.exe	String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: ZX7MDKtbfn.exe	String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: ZX7MDKtbfn.exe	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: ZX7MDKtbfn.exe, 00000000.00000002.1710437061.000000000271D000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1903800390.000000000537F000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1904039629.0000000005048000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: ZX7MDKtbfn.exe, 00000000.00000002.1710437061.000000000271D000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1903800390.000000000537F000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1904039629.0000000005048000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: ZX7MDKtbfn.exe, 00000000.00000002.1710437061.000000000271D000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1903800390.000000000537F000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1904039629.0000000005048000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcd.com0&
Source: ZX7MDKtbfn.exe, 00000000.00000002.1710437061.000000000271D000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1903800390.000000000537F000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1904039629.0000000005048000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: ZX7MDKtbfn.exe, 00000000.00000002.1710437061.0000000002630000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1903800390.0000000005337000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1904039629.0000000005000000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.info-zip.org/
Source: ZX7MDKtbfn.exe	String found in binary or memory: http://www.softwareok.com
Source: ZX7MDKtbfn.exe	String found in binary or memory: http://www.softwareok.comhttp://www.softwareok.deProgram
Source: ZX7MDKtbfn.exe	String found in binary or memory: http://www.softwareok.de
Source: ZX7MDKtbfn.exe, 00000000.00000002.1710437061.000000000271D000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1903800390.000000000537F000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1904039629.0000000005048000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.symauth.com/cps0(
Source: ZX7MDKtbfn.exe, 00000000.00000002.1710437061.000000000271D000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1903800390.000000000537F000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1904039629.0000000005048000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.symauth.com/rpa00
Source: ZX7MDKtbfn.exe, 00000000.00000002.1710437061.000000000271D000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1903800390.000000000537F000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1904039629.0000000005048000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.vmware.com/0
Source: ZX7MDKtbfn.exe, 00000000.00000002.1710437061.000000000271D000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1903800390.000000000537F000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1904039629.0000000005048000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.vmware.com/0/
Source: ZX7MDKtbfn.exe, 00000000.00000002.1710437061.000000000271D000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1903800390.000000000537F000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1904039629.0000000005048000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/cps0%
Source: ZX7MDKtbfn.exe, 00000000.00000002.1710437061.000000000271D000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1903800390.000000000537F000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1904039629.0000000005048000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0
Source: ZX7MDKtbfn.exe, 00000000.00000002.1710437061.000000000271D000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1903800390.000000000537F000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1904039629.0000000005048000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: ZX7MDKtbfn.exe	String found in binary or memory: https://www.globalsign.com/repository/0

Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe

Code function: 0_2_000000014000117C lstrlenW,OpenClipboard,EmptyClipboard,lstrlenW,GlobalAlloc,GlobalLock,lstrcpyW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_000000014000117C

Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe

Code function: 0_2_000000014000117C lstrlenW,OpenClipboard,EmptyClipboard,lstrlenW,GlobalAlloc,GlobalLock,lstrcpyW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_000000014000117C

Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe

Code function: 0_2_000000014000235C OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

0_2_000000014000235C

System Summary

PE file has a writeable .text section

Source: tkqesalfwllvk.1.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe	Code function: 0_2_00000001400175F1 NtQuerySystemInformation,		0_2_00000001400175F1
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe	Code function: 0_2_00000001400175F1 NtQuerySystemInformation,		0_2_00000001400175F1

Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe	Code function: 0_2_00000001400077F4	0_2_00000001400077F4
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe	Code function: 0_2_000000014001B884	0_2_000000014001B884
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe	Code function: 0_2_0000000140004098	0_2_0000000140004098
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe	Code function: 0_2_000000014001E114	0_2_000000014001E114
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe	Code function: 0_2_0000000140029144	0_2_0000000140029144
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe	Code function: 0_2_000000014000A158	0_2_000000014000A158
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe	Code function: 0_2_000000014002F1A8	0_2_000000014002F1A8
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe	Code function: 0_2_000000014002F9A8	0_2_000000014002F9A8
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe	Code function: 0_2_000000014002C1C4	0_2_000000014002C1C4
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe	Code function: 0_2_0000000140027244	0_2_0000000140027244
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe	Code function: 0_2_000000014000D250	0_2_000000014000D250
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe	Code function: 0_2_000000014002D264	0_2_000000014002D264
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe	Code function: 0_2_000000014002BAE8	0_2_000000014002BAE8
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe	Code function: 0_2_000000014001B334	0_2_000000014001B334
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe	Code function: 0_2_0000000140024B40	0_2_0000000140024B40
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe	Code function: 0_2_000000014001E358	0_2_000000014001E358
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe	Code function: 0_2_000000014000F398	0_2_000000014000F398
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe	Code function: 0_2_000000014001AC0C	0_2_000000014001AC0C
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe	Code function: 0_2_00000001400294A8	0_2_00000001400294A8
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe	Code function: 0_2_000000014000ECDC	0_2_000000014000ECDC
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe	Code function: 0_2_0000000140009CFC	0_2_0000000140009CFC
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe	Code function: 0_2_000000014002FD18	0_2_000000014002FD18
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe	Code function: 0_2_000000014001FD20	0_2_000000014001FD20
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe	Code function: 0_2_0000000140022DB4	0_2_0000000140022DB4
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe	Code function: 0_2_000000014002BDB4	0_2_000000014002BDB4
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe	Code function: 0_2_0000000140029DB8	0_2_0000000140029DB8
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe	Code function: 0_2_00000001400315E8	0_2_00000001400315E8
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe	Code function: 0_2_000000014001CDFC	0_2_000000014001CDFC
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe	Code function: 0_2_000000014002B60C	0_2_000000014002B60C
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe	Code function: 0_2_0000000140032E34	0_2_0000000140032E34
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe	Code function: 0_2_000000014002C664	0_2_000000014002C664
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe	Code function: 0_2_000000014001A6A9	0_2_000000014001A6A9
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe	Code function: 0_2_000000014001E6F0	0_2_000000014001E6F0
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe	Code function: 0_2_0000000140033730	0_2_0000000140033730
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe	Code function: 0_2_0000000140011F3C	0_2_0000000140011F3C
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe	Code function: 0_2_0000000140034758	0_2_0000000140034758
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe	Code function: 0_2_000000014000F770	0_2_000000014000F770
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe	Code function: 0_2_0000000140021F7C	0_2_0000000140021F7C
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe	Code function: 0_2_000000014002379C	0_2_000000014002379C
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe	Code function: 0_2_0000000140004FDC	0_2_0000000140004FDC

Source: ZX7MDKtbfn.exe

Static PE information: invalid certificate

Source: ZX7MDKtbfn.exe, 00000000.00000002.1710561334.00000000029AA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs ZX7MDKtbfn.exe
Source: ZX7MDKtbfn.exe, 00000000.00000002.1710142038.0000000002621000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNewFileTime.exe vs ZX7MDKtbfn.exe
Source: ZX7MDKtbfn.exe, 00000000.00000002.1710711662.0000000002DB6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs ZX7MDKtbfn.exe
Source: ZX7MDKtbfn.exe, 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameNewFileTime.exe vs ZX7MDKtbfn.exe
Source: ZX7MDKtbfn.exe, 00000000.00000002.1710437061.000000000271D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamezip.exe( vs ZX7MDKtbfn.exe
Source: ZX7MDKtbfn.exe	Binary or memory string: OriginalFilenameNewFileTime.exe vs ZX7MDKtbfn.exe

Source: classification engine

Classification label: mal100.troj.evad.winEXE@6/3@0/0

Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe

Code function: 0_2_0000000140008924 CoCreateInstance,

0_2_0000000140008924

Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe

Code function: 0_2_000000014000B4AC LoadLibraryExW,FindResourceW,LoadResource,SizeofResource,MultiByteToWideChar,FreeLibrary,

0_2_000000014000B4AC

Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe

File created: C:\Users\user\AppData\Roaming\NewFileTime

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2004:120:WilError_03

Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe

File created: C:\Users\user\AppData\Local\Temp\e41a1be0

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe			Jump to behavior

Source: ZX7MDKtbfn.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe

File read: C:\Users\user\AppData\Roaming\NewFileTime\NewFileTime.ini

Jump to behavior

Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: ZX7MDKtbfn.exe	Virustotal: Detection: 39%
Source: ZX7MDKtbfn.exe	ReversingLabs: Detection: 54%

Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe

File read: C:\Users\user\Desktop\ZX7MDKtbfn.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\ZX7MDKtbfn.exe "C:\Users\user\Desktop\ZX7MDKtbfn.exe"
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe	Jump to behavior

Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe	Section loaded: pla.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: aepic.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: shdocvw.dll	Jump to behavior

Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe

File written: C:\Users\user\AppData\Roaming\NewFileTime\NewFileTime.ini

Jump to behavior

Source: ZX7MDKtbfn.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source:	Binary string: ntdll.pdb source: ZX7MDKtbfn.exe, 00000000.00000002.1710561334.0000000002832000.00000004.00000020.00020000.00000000.sdmp, ZX7MDKtbfn.exe, 00000000.00000002.1710875109.0000000002E33000.00000004.00000001.00020000.00000000.sdmp, ZX7MDKtbfn.exe, 00000000.00000002.1710711662.0000000002C30000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: cmd.exe, 00000001.00000002.1903882571.0000000005420000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1903632081.0000000004FD4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1904161815.00000000050E0000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1903820933.0000000004CAD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdbUGP source: ZX7MDKtbfn.exe, 00000000.00000002.1710561334.0000000002832000.00000004.00000020.00020000.00000000.sdmp, ZX7MDKtbfn.exe, 00000000.00000002.1710875109.0000000002E33000.00000004.00000001.00020000.00000000.sdmp, ZX7MDKtbfn.exe, 00000000.00000002.1710711662.0000000002C30000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: cmd.exe, 00000001.00000002.1903882571.0000000005420000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1903632081.0000000004FD4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1904161815.00000000050E0000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1903820933.0000000004CAD000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe

Code function: 0_2_0000000140004C0C GetModuleHandleW,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetModuleHandleW,GetProcAddress,

0_2_0000000140004C0C

Source: tkqesalfwllvk.1.dr

Static PE information: section name: nrb

Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe	Code function: 0_2_000000014001A1C7 push FFFFFFF8h; retf		0_2_000000014001A1D1
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe	Code function: 0_2_000000014001A5EF push rdx; retf		0_2_000000014001A5FD

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Local\Temp\tkqesalfwllvk

Jump to dropped file

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Local\Temp\tkqesalfwllvk

Jump to dropped file

Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe

Code function: 0_2_000000014000814C GetPrivateProfileStringW,

0_2_000000014000814C

Hooking and other Techniques for Hiding and Protection

Deletes itself after installation

Source: C:\Windows\SysWOW64\cmd.exe

File deleted: c:\users\user\desktop\zx7mdktbfn.exe

Jump to behavior

Found hidden mapped module (file has been removed from disk)

Source: C:\Windows\SysWOW64\cmd.exe

Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\TKQESALFWLLVK

Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe

0_2_0000000140004C0C

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Windows\SysWOW64\cmd.exe	API/Special instruction interceptor: Address: 6CC43B97
Source: C:\Windows\SysWOW64\explorer.exe	API/Special instruction interceptor: Address: EDA317

Source: C:\Windows\SysWOW64\cmd.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\tkqesalfwllvk

Jump to dropped file

Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe

API coverage: 6.4 %

Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe

Code function: 0_2_000000014000352C _invalid_parameter_noinfo,_invalid_parameter_noinfo,lstrlenW,FindFirstFileW,lstrlenW,FindClose,

0_2_000000014000352C

Source: ZX7MDKtbfn.exe, 00000000.00000002.1710437061.0000000002630000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware
Source: explorer.exe, 00000003.00000002.1904039629.0000000005048000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: noreply@vmware.com0
Source: explorer.exe, 00000003.00000002.1904039629.0000000005048000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: http://www.vmware.com/0
Source: explorer.exe, 00000003.00000002.1904039629.0000000005048000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.1!0
Source: explorer.exe, 00000003.00000002.1904039629.0000000005048000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: http://www.vmware.com/0/
Source: explorer.exe, 00000003.00000002.1904039629.0000000005048000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.1
Source: explorer.exe, 00000003.00000002.1904039629.0000000005048000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.0

Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe	API call chain: ExitProcess graph end node			graph_0-18785
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe	API call chain: ExitProcess graph end node			graph_0-20537

Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe

Code function: 0_2_0000000140020980 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_0000000140020980

Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe

0_2_0000000140004C0C

Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe

Code function: 0_2_0000000140032648 GetProcessHeap,HeapAlloc,_errno,_errno,__doserrno,_errno,GetProcessHeap,HeapFree,SetEndOfFile,_errno,__doserrno,GetLastError,

0_2_0000000140032648

Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe	Code function: 0_2_0000000140020980 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0000000140020980
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe	Code function: 0_2_000000014002E33C RtlCaptureContext,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_000000014002E33C
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe	Code function: 0_2_000000014002DDC0 SetUnhandledExceptionFilter,	0_2_000000014002DDC0
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe	Code function: 0_2_0000000140020EEC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0000000140020EEC

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe	NtCreateFile: Direct from: 0x7FFDFF1978EC	Jump to behavior
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe	NtQuerySystemInformation: Direct from: 0x14E968	Jump to behavior
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe	NtAllocateVirtualMemory: Direct from: 0xA0A76ACB	Jump to behavior
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe	NtClose: Direct from: 0x14ECC8
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe	NtAllocateVirtualMemory: Direct from: 0x110	Jump to behavior
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe	NtProtectVirtualMemory: Direct from: 0x254	Jump to behavior
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe	NtAllocateVirtualMemory: Direct from: 0x7FFDFF1A8054	Jump to behavior
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe	NtAllocateVirtualMemory: Direct from: 0x6DFA7E	Jump to behavior
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe	NtProtectVirtualMemory: Direct from: 0x3	Jump to behavior
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe	NtProtectVirtualMemory: Direct from: 0x27AFA50	Jump to behavior
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe	NtCreateFile: Direct from: 0x80	Jump to behavior
Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe	NtWriteFile: Direct from: 0x2ACDA30	Jump to behavior

Injects code into the Windows Explorer (explorer.exe)

Source: C:\Windows\SysWOW64\cmd.exe	Memory written: PID: 332 base: 8B0000 value: 00	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: PID: 332 base: 7EF2D8 value: 00	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: PID: 332 base: 7F01E8 value: 00	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: PID: 332 base: ED79C0 value: 55	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: PID: 332 base: 8C0000 value: 00	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe

Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: ED79C0			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 8C0000			Jump to behavior

Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe

Code function: 0_2_0000000140011A04 GetModuleFileNameW,ShellExecuteExW,PostQuitMessage,

0_2_0000000140011A04

Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe			Jump to behavior

Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe

Code function: GetLocaleInfoA,

0_2_00000001400328F0

Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe

Code function: 0_2_00000001400375E0 GetLocalTime,GetUserDefaultLCID,GetUserDefaultLangID,EnumDateFormatsW,EnumTimeFormatsW,EnumTimeFormatsW,

0_2_00000001400375E0

Source: C:\Users\user\Desktop\ZX7MDKtbfn.exe

Code function: 0_2_000000014002C1C4 ___lc_codepage_func,free,free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_000000014002C1C4

Stealing of Sensitive Information

Yara detected Mars stealer

Source: Yara match	File source: 1.2.cmd.exe.59100c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.cmd.exe.59100c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1904758194.0000000005910000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1903471784.00000000008C1000.00000080.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\tkqesalfwllvk, type: DROPPED

Yara detected Stealc

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Yara detected Vidar stealer

Source: Yara match	File source: 1.2.cmd.exe.59100c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.cmd.exe.59100c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1904758194.0000000005910000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1903471784.00000000008C1000.00000080.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\tkqesalfwllvk, type: DROPPED

Remote Access Functionality

Yara detected Mars stealer

Source: Yara match	File source: 1.2.cmd.exe.59100c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.cmd.exe.59100c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1904758194.0000000005910000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1903471784.00000000008C1000.00000080.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\tkqesalfwllvk, type: DROPPED

Yara detected Stealc

Source: Yara match

File source: decrypted.memstr, type: MEMORYSTR

Yara detected Vidar stealer

Source: Yara match	File source: 1.2.cmd.exe.59100c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.cmd.exe.59100c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1904758194.0000000005910000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1903471784.00000000008C1000.00000080.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\tkqesalfwllvk, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	11 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Masquerading	OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	311 Process Injection	311 Process Injection	LSASS Memory	221 Security Software Discovery	Remote Desktop Protocol	3 Clipboard Data	1 Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Abuse Elevation Control Mechanism	1 Abuse Elevation Control Mechanism	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	11 DLL Side-Loading	1 Obfuscated Files or Information	NTDS	3 File and Directory Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 DLL Side-Loading	LSA Secrets	112 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 File Deletion	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
ZX7MDKtbfn.exe	40%	Virustotal		Browse
ZX7MDKtbfn.exe	54%	ReversingLabs	Win64.Spyware.Vidar

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\tkqesalfwllvk	100%	Avira	TR/Crypt.ZPACK.Gen
C:\Users\user\AppData\Local\Temp\tkqesalfwllvk	62%	ReversingLabs	Win32.Trojan.Stealerc
C:\Users\user\AppData\Local\Temp\tkqesalfwllvk	59%	Virustotal		Browse

Source	Detection	Scanner	Label	Link
http://www.symauth.com/cps0(	0%	URL Reputation	safe
http://www.symauth.com/rpa00	0%	URL Reputation	safe
http://www.vmware.com/0	0%	Virustotal		Browse
http://www.softwareok.comhttp://www.softwareok.deProgram	0%	Avira URL Cloud	safe
http://c0rl.m%L	0%	Avira URL Cloud	safe
http://www.vmware.com/0/	0%	Avira URL Cloud	safe
http://188.130.207.35/0b92e7ab19e861f9.php	100%	Avira URL Cloud	malware
http://www.vmware.com/0	0%	Avira URL Cloud	safe
http://www.vmware.com/0/	0%	Virustotal		Browse
http://crl3.digicert.	0%	Avira URL Cloud	safe
http://www.softwareok.com	0%	Avira URL Cloud	safe
http://www.softwareok.de	0%	Avira URL Cloud	safe
http://188.130.207.35/0b92e7ab19e861f9.php	1%	Virustotal		Browse
http://www.info-zip.org/	0%	Avira URL Cloud	safe
http://www.info-zip.org/	0%	Virustotal		Browse
http://www.softwareok.com	0%	Virustotal		Browse
http://www.softwareok.de	0%	Virustotal		Browse

Name	Malicious	Antivirus Detection	Reputation
http://188.130.207.35/0b92e7ab19e861f9.php	true	1%, Virustotal, Browse Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.vmware.com/0/	ZX7MDKtbfn.exe, 00000000.00000002.1710437061.000000000271D000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1903800390.000000000537F000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1904039629.0000000005048000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.softwareok.comhttp://www.softwareok.deProgram	ZX7MDKtbfn.exe	false	Avira URL Cloud: safe	unknown
http://www.vmware.com/0	ZX7MDKtbfn.exe, 00000000.00000002.1710437061.000000000271D000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1903800390.000000000537F000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1904039629.0000000005048000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://c0rl.m%L	ZX7MDKtbfn.exe, 00000000.00000002.1710437061.0000000002630000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.symauth.com/cps0(	ZX7MDKtbfn.exe, 00000000.00000002.1710437061.000000000271D000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1903800390.000000000537F000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1904039629.0000000005048000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.symauth.com/rpa00	ZX7MDKtbfn.exe, 00000000.00000002.1710437061.000000000271D000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1903800390.000000000537F000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1904039629.0000000005048000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl3.digicert.	ZX7MDKtbfn.exe, 00000000.00000002.1710437061.0000000002630000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.softwareok.de	ZX7MDKtbfn.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.softwareok.com	ZX7MDKtbfn.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.info-zip.org/	ZX7MDKtbfn.exe, 00000000.00000002.1710437061.0000000002630000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1903800390.0000000005337000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1904039629.0000000005000000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1464724
Start date and time:	2024-06-30 00:36:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 22s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	ZX7MDKtbfn.exe renamed because original name is a hash value
Original Sample Name:	1aeb3a19d439d8a4a00313d12f463827.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@6/3@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 97% Number of executed functions: 22 Number of non-executed functions: 173
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

Time	Type	Description
18:37:10	API Interceptor	2x Sleep call for process: cmd.exe modified

Process:	C:\Users\user\Desktop\ZX7MDKtbfn.exe
File Type:	data
Category:	dropped
Size (bytes):	890886
Entropy (8bit):	7.39779396364767
Encrypted:	false
SSDEEP:	24576:zVa4irxGcm9y+960XVbUnj+v2VATl7I0RRdDrl3+3bExbb:zVlxcm9JBXVbUnj+v2V0l7NHN3+Axv
MD5:	B0066B189A17AFEF5257648047F807EC
SHA1:	24DF5DFD667F0EF02FE2FB047CD5B850F4E47880
SHA-256:	47442BA18D5BED7CA98FBB1A946211FE9D87E7F0A7C2C9E6CC83CFD0490D962D
SHA-512:	71FF8941DBB2E15CC3A3CC0D4CBACB1E60217B349AB3506EF4D1700BF05E18F902FF155E2AB67CF26C17146A8B30A80C2F0E02B22621CDA3D5B019E2411A7DB4
Malicious:	false
Reputation:	low
Preview:	..>...>...>...>...>..>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...?..n...j..s...Q...J...P...M..._...s...b...Y...M..._...N...>...>...>...>...>...>...>...>...>...>...>.w...W...D...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>.}...J...M...]...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>..w...l..W...M.......b...S...L...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>...>..........>...>...>...>...>...>...>...>...>...>...>.

C:\Users\user\AppData\Local\Temp\tkqesalfwllvk

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	165888
Entropy (8bit):	6.1721486095568405
Encrypted:	false
SSDEEP:	3072:mi5iO+xGNftsLz4oPoKxQgC6OEFdV9ugE5RaopCi:mI+xGNVwgE7OEHRKRaK
MD5:	845BA054AA9855750386EE17D1AA7C23
SHA1:	05F9D90F1BEB711F51AC07CF756610A80ED0DFB3
SHA-256:	0D571A55B28970E2BE17C0FB7B319CD6C0AB85D253BE69B627B388C18EAABE03
SHA-512:	5D6C21CDE2E7563021A747252487ADD4BAC1CCA93354A29B9FFC513F1ED9D66CB783F79E8F97865E1F9F9B498F572B3538DE35D55056BD1923FE4D9B0FEAE31C
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: C:\Users\user\AppData\Local\Temp\tkqesalfwllvk, Author: Joe Security Rule: JoeSecurity_MarsStealer, Description: Yara detected Mars stealer, Source: C:\Users\user\AppData\Local\Temp\tkqesalfwllvk, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 62% Antivirus: Virustotal, Detection: 59%, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......J.dZ............a.......a.......a...5...............................Z...a.......a.......Rich............................PE..L....^.S......................!..... I............@...........................#...........@..................................4..<............................p#.."...................................................................................text...:........................... ....rdata..Ny.......z..................@..@.data...,+!..@.......*..............@....reloc...A...p#..B...6..............@..Bnrb...........#......x..............@...................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\NewFileTime\NewFileTime.ini

Download File

Process:	C:\Users\user\Desktop\ZX7MDKtbfn.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	3.939470570797251
Encrypted:	false
SSDEEP:	3:LCXn078:Y
MD5:	71BFA4B1B2A2049BEFA50A86463A014F
SHA1:	8CA6218C1F92B40DA01501E18786CC2724E4C769
SHA-256:	A4683279940CA2EA6C25B63F07F41D7E2EAB4AC3246FF57C8C771E7C923ABD29
SHA-512:	574CCBC6A9387EED4E74AF3E06A5023DB1F74E24A8A9F3E9A96BEE77483C3E5DA257DF4FF7976F7E389F51EC9CA89C56B103186FE499F5F3839738CAFE657735
Malicious:	false
Reputation:	low
Preview:	[Program]..TestIni=eeee..

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.640685904827284
TrID:	Win64 Executable GUI (202006/5) 77.37% InstallShield setup (43055/19) 16.49% Win64 Executable (generic) (12005/4) 4.60% Generic Win/DOS Executable (2004/3) 0.77% DOS Executable Generic (2002/1) 0.77%
File name:	ZX7MDKtbfn.exe
File size:	1'013'072 bytes
MD5:	1aeb3a19d439d8a4a00313d12f463827
SHA1:	beedd7366e1ef168595d800ebe013067c78775de
SHA256:	b0e5fddc8448dc854ab400c9b0ac82c43a2f44fa6970cd2975e7d28116a7740d
SHA512:	074c2316d385feb4c78e6068a8fbf37d570bb9ee87a69b76bc3878a1b18eb9f97ca6511709008dcc60158d0dc81395adaed5e309d0266ed7713e7e5e4e442422
SSDEEP:	24576:liG03BDYmHDQKcdE2v4jtaUN4cDHZgboRxRprGE:oJYuHTI4jJJObkf
TLSH:	A7250256E7E808F5E817C47AC843E617E271BC454374DB8B12A5FA463F33790EA26326
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........"..BC..BC..BC..\....C..\...NC..e...EC..e...CC..e...QC..BC...B..\....C..\...CC..\...CC..RichBC..................PE..d....Uif...

File Icon


Icon Hash:	9bec6c1c4c488399

Static PE Info

General

Entrypoint:	0x140024104
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x6669550E [Wed Jun 12 07:58:06 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	2
File Version Major:	5
File Version Minor:	2
Subsystem Version Major:	5
Subsystem Version Minor:	2
Import Hash:	e3e62d98ab20000990c4a887192c5b6f

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=GlobalSign GCC R45 EV CodeSigning CA 2020, O=GlobalSign nv-sa, C=BE
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	27/07/2023 10:33:53 27/07/2024 10:33:53
Subject Chain	E=support@softwareok.com, CN=Nenad Hrg, O=Nenad Hrg, STREET=Edelweissstrasse 104, L=Taufkirchen, S=Bayern, C=DE, OID.1.3.6.1.4.1.311.60.2.1.1=Taufkirchen, OID.1.3.6.1.4.1.311.60.2.1.2=Bayern, OID.1.3.6.1.4.1.311.60.2.1.3=DE, SERIALNUMBER=15.06.2017, OID.2.5.4.15=Private Organization
Version:	3
Thumbprint MD5:	130FD907520A9599B863C019A3AE8DEE
Thumbprint SHA-1:	14B9806AC6B4F2C74D64200D7589578B737238E5
Thumbprint SHA-256:	0985E74FBB0CC64E2C7552F9F2ADF08F9025C0736A1BB5332B670406E634CCD9
Serial:	0728CF127EB4526B3FC8DF87

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007FA545308650h
dec eax
add esp, 28h
jmp 00007FA5452FE2EBh
int3
int3
inc eax
push ebx
dec eax
sub esp, 30h
dec eax
mov ebx, ecx
mov ecx, 0000000Eh
call 00007FA5453045DEh
nop
dec eax
mov eax, dword ptr [ebx+08h]
dec eax
test eax, eax
je 00007FA5452FE516h
dec eax
mov ecx, dword ptr [000466E4h]
dec eax
mov dword ptr [esp+20h], ecx
dec eax
lea edx, dword ptr [000466D0h]
dec eax
test ecx, ecx
je 00007FA5452FE4F0h
dec eax
cmp dword ptr [ecx], eax
jne 00007FA5452FE4E1h
dec eax
mov eax, dword ptr [ecx+08h]
dec eax
mov dword ptr [edx+08h], eax
call 00007FA5452FD756h
jmp 00007FA5452FE4DCh
dec eax
mov edx, ecx
dec eax
mov dword ptr [esp+20h], ecx
jmp 00007FA5452FE4AFh
dec eax
mov ecx, dword ptr [ebx+08h]
call 00007FA5452FD741h
dec eax
and dword ptr [ebx+08h], 00000000h
mov ecx, 0000000Eh
call 00007FA545304486h
dec eax
add esp, 30h
pop ebx
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
nop word ptr [eax+eax+00000000h]
dec eax
sub edx, ecx
dec esp
mov ecx, edx
test cl, 00000007h
je 00007FA5452FE4EDh
mov al, byte ptr [ecx]
inc edx
mov dl, byte ptr [ecx+ecx]
cmp al, dl
jne 00007FA5452FE528h
dec eax
inc ecx
test al, al
je 00007FA5452FE529h
dec eax
test ecx, 00000007h
jne 00007FA5452FE4B8h
nop
dec ecx
mov ebx, 01010100h

Rich Headers

Programming Language:

[ C ] VS2008 build 21022
[ASM] VS2008 build 21022
[ C ] VS2005 build 50727
[IMP] VS2005 build 50727
[C++] VS2008 build 21022
[RES] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x41e90	0xc8	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x70000	0xa1fb6	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x6d000	0x2b80	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0xf4c00	0x2950	.rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x38000	0x880	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x36a5e	0x36c00	fdea1d40009312686498eb54b28bf7ae	False	0.5340815853310502	data	6.411064485753337	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x38000	0xba16	0xbc00	038a62424ff1b4607657d835432e5b16	False	0.43623254654255317	data	6.001746209943679	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x44000	0x289b8	0xd400	92e61a4d8282765a6e36874723e99e37	False	0.8889114091981132	data	7.604764885622444	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x6d000	0x2b80	0x2c00	4c6fea894ae0e416ec864839334ca72c	False	0.46484375	data	5.464105663255213	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x70000	0xa1fb6	0xa2000	3423a5e0c7695ea513ccc5f8517978ec	False	0.9205623673804012	data	7.780618586111253	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
FPE	0x70618	0x9c12d	PNG image data, 483 x 348, 8-bit/color RGB, non-interlaced	German	Germany	0.9488343863458251
RT_BITMAP	0x10c748	0x770	Device independent bitmap graphic, 80 x 45 x 4, image size 1800	German	Germany	0.14233193277310924
RT_BITMAP	0x10ceb8	0x1580	Device independent bitmap graphic, 144 x 75 x 4, image size 5400	German	Germany	0.03343023255813953
RT_BITMAP	0x10e438	0x4e8	Device independent bitmap graphic, 48 x 48 x 4, image size 1152	German	Germany	0.04856687898089172
RT_BITMAP	0x10e920	0x4e8	Device independent bitmap graphic, 48 x 48 x 4, image size 1152	German	Germany	0.04856687898089172
RT_BITMAP	0x10ee08	0xa68	Device independent bitmap graphic, 80 x 64 x 4, image size 2560	German	Germany	0.0259009009009009
RT_ICON	0x10f870	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	German	Germany	0.27956989247311825
RT_ICON	0x10fb58	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	German	Germany	0.10618279569892473
RT_ICON	0x10fe40	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	German	Germany	0.11290322580645161
RT_ICON	0x110128	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	German	Germany	0.1814516129032258
RT_MENU	0x110410	0x9e	data	German	Germany	0.569620253164557
RT_MENU	0x1104b0	0xc2	data	German	Germany	0.5567010309278351
RT_MENU	0x110574	0x90	data	German	Germany	0.5902777777777778
RT_DIALOG	0x110604	0x3c	Applesoft BASIC program data, first line number 200	German	Germany	0.8833333333333333
RT_DIALOG	0x110640	0x1f4	data	German	Germany	0.548
RT_DIALOG	0x110834	0x9a0	data	German	Germany	0.31087662337662336
RT_DIALOG	0x1111d4	0x178	data	German	Germany	0.6196808510638298
RT_DIALOG	0x11134c	0x33e	data	German	Germany	0.45903614457831327
RT_DIALOG	0x11168c	0x8a	Applesoft BASIC program data, first line number 200	German	Germany	0.7463768115942029
RT_STRING	0x111718	0x52	data	German	Germany	0.4878048780487805
RT_ACCELERATOR	0x11176c	0x20	data	German	Germany	1.09375
RT_GROUP_ICON	0x11178c	0x14	data	German	Germany	1.2
RT_GROUP_ICON	0x1117a0	0x14	data	German	Germany	1.25
RT_GROUP_ICON	0x1117b4	0x14	data	German	Germany	1.25
RT_GROUP_ICON	0x1117c8	0x14	data	German	Germany	1.2
RT_VERSION	0x1117dc	0x470	data	German	Germany	0.426056338028169
RT_MANIFEST	0x111c4c	0x36a	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.4679633867276888

Imports

DLL	Import
KERNEL32.dll	TzSpecificLocalTimeToSystemTime, SystemTimeToTzSpecificLocalTime, FileTimeToSystemTime, FileTimeToLocalFileTime, GetFileTime, GetSystemTimeAsFileTime, GetDateFormatW, GetTimeFormatW, EnumTimeFormatsW, EnumDateFormatsW, GetUserDefaultLCID, FindNextFileW, CreateThread, GetTempFileNameW, GetCurrentProcessId, ReadFile, GetTimeZoneInformation, CompareStringW, CompareStringA, GetProcessHeap, SetEndOfFile, CreateFileA, GetLocaleInfoA, GetStringTypeW, GetStringTypeA, LCMapStringA, WriteConsoleW, GetConsoleOutputCP, WriteConsoleA, FlushFileBuffers, SetStdHandle, GetTickCount, QueryPerformanceCounter, GetCommandLineW, GetEnvironmentStringsW, LCMapStringW, HeapSize, HeapReAlloc, HeapCreate, HeapSetInformation, SetFilePointer, GetStartupInfoA, GetFileType, SetHandleCount, InitializeCriticalSectionAndSpinCount, LoadLibraryA, GetModuleFileNameA, GetStdHandle, IsValidCodePage, GetOEMCP, GetACP, GetCPInfo, GetConsoleMode, GetConsoleCP, FlsAlloc, SetLastError, FlsFree, FlsSetValue, FlsGetValue, DecodePointer, EncodePointer, GetStartupInfoW, HeapFree, HeapAlloc, ExitProcess, Sleep, RtlUnwindEx, RtlPcToFileHeader, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, GetFullPathNameW, GetUserDefaultLangID, DeleteFileW, GetTempPathW, CreateDirectoryW, LoadLibraryExW, FindResourceW, LoadResource, SizeofResource, FreeLibrary, lstrcmpiW, LeaveCriticalSection, EnterCriticalSection, WideCharToMultiByte, WriteFile, GetLastError, DeleteCriticalSection, InitializeCriticalSection, SetEnvironmentVariableA, RaiseException, GetModuleFileNameW, GetPrivateProfileStringW, WritePrivateProfileStringW, GetLocalTime, GetCurrentThreadId, OutputDebugStringW, DebugBreak, GetModuleHandleW, GetProcAddress, LoadLibraryW, lstrcatW, FindFirstFileW, FindClose, lstrcpynW, lstrlenA, GetFileAttributesW, SetFileAttributesW, CreateFileW, SystemTimeToFileTime, LocalFileTimeToFileTime, SetFileTime, CloseHandle, MultiByteToWideChar, lstrlenW, GlobalAlloc, GlobalLock, lstrcpyW, FreeEnvironmentStringsW, GlobalUnlock
USER32.dll	RedrawWindow, CheckMenuItem, DestroyMenu, GetCursorPos, GetKeyState, SetRect, GetWindowPlacement, SetParent, GetFocus, InsertMenuW, KillTimer, GetDlgItem, EndDialog, SetWindowTextW, DialogBoxParamW, CopyRect, GetClientRect, GetMessagePos, GetMenuItemCount, UnhookWindowsHookEx, TrackPopupMenuEx, GetSubMenu, GetActiveWindow, IsWindowVisible, GetSysColorBrush, SetMenuItemInfoW, TrackPopupMenu, SendDlgItemMessageW, ClientToScreen, MoveWindow, GetSysColor, LoadAcceleratorsW, TranslateAcceleratorW, TranslateMessage, DispatchMessageW, GetMessageW, EnableWindow, wsprintfW, ScreenToClient, LoadIconW, LoadCursorW, RegisterClassExW, DestroyWindow, PostQuitMessage, BeginPaint, EndPaint, InvalidateRect, GetDlgCtrlID, CreateWindowExW, ShowWindow, SetWindowsHookExW, CallNextHookEx, GetDC, GetWindowTextW, GetParent, GetClassNameW, CharNextW, CharLowerW, DefWindowProcW, GetMenuItemInfoW, DrawTextW, wvsprintfW, PostMessageW, GetWindowLongPtrW, SetWindowLongPtrW, CallWindowProcW, GetWindowLongW, SetWindowLongW, SetWindowPos, MapWindowPoints, GetWindowRect, OffsetRect, ReleaseDC, SetPropW, SystemParametersInfoW, GetSystemMetrics, LoadImageW, SetTimer, LoadMenuW, SetMenu, CreateMenu, CreatePopupMenu, AppendMenuW, MessageBoxW, GetClipboardData, LoadStringW, OpenClipboard, EmptyClipboard, SetClipboardData, CloseClipboard, SendMessageW
GDI32.dll	GetCurrentObject, SetPixel, GetStockObject, GetObjectW, CreateFontIndirectW, SetTextColor, ExtTextOutW, SetBkColor, SetBkMode, CreateSolidBrush, GetClipBox, OffsetWindowOrgEx, SelectObject, GetTextExtentPoint32W, GetDeviceCaps, DeleteObject
COMDLG32.dll	GetOpenFileNameW
ADVAPI32.dll	RegDeleteValueW, RegCloseKey, RegCreateKeyExW, RegOpenKeyExW, RegSetValueExW, RegQueryInfoKeyW, RegDeleteKeyW, RegEnumKeyExW
SHELL32.dll	DragQueryFileW, DragFinish, ShellExecuteExW, SHGetSpecialFolderPathW, SHGetMalloc, SHBrowseForFolderW, SHGetPathFromIDListW, ShellExecuteW
ole32.dll	CoTaskMemFree, CoTaskMemRealloc, CoTaskMemAlloc, CoCreateInstance, OleInitialize
OLEAUT32.dll	VarDateFromStr, VarUI4FromStr, SysAllocStringLen
COMCTL32.dll	InitCommonControlsEx, ImageList_ReplaceIcon, ImageList_Create, ImageList_DrawEx, ImageList_Draw

Possible Origin

Language of compilation system	Country where language is spoken	Map
German	Germany
English	United States

Target ID:	0
Start time:	18:36:56
Start date:	29/06/2024
Path:	C:\Users\user\Desktop\ZX7MDKtbfn.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\ZX7MDKtbfn.exe"
Imagebase:	0x140000000
File size:	1'013'072 bytes
MD5 hash:	1AEB3A19D439D8A4A00313D12F463827
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	18:36:57
Start date:	29/06/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\cmd.exe
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000001.00000002.1904758194.0000000005910000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MarsStealer, Description: Yara detected Mars stealer, Source: 00000001.00000002.1904758194.0000000005910000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	18:36:57
Start date:	29/06/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	18:37:12
Start date:	29/06/2024
Path:	C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\explorer.exe
Imagebase:	0xdf0000
File size:	4'514'184 bytes
MD5 hash:	DD6597597673F72E10C9DE7901FBA0A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000003.00000002.1903471784.00000000008C1000.00000080.00000001.01000000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MarsStealer, Description: Yara detected Mars stealer, Source: 00000003.00000002.1903471784.00000000008C1000.00000080.00000001.01000000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	5.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	26.6%
Total number of Nodes:	1701
Total number of Limit Nodes:	19

Executed Functions

Function 0000000140004C0C Relevance: 35.1, APIs: 14, Strings: 6, Instructions: 98
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32 ref: 0000000140004C19
GetProcAddress.KERNEL32 ref: 0000000140004C29
LoadLibraryW.KERNEL32 ref: 0000000140004C67
GetProcAddress.KERNEL32 ref: 0000000140004C83
GetProcAddress.KERNEL32 ref: 0000000140004CA3
GetProcAddress.KERNEL32 ref: 0000000140004CB8
GetProcAddress.KERNEL32 ref: 0000000140004CCD
GetProcAddress.KERNEL32 ref: 0000000140004CE2
GetProcAddress.KERNEL32 ref: 0000000140004CF7
GetProcAddress.KERNEL32 ref: 0000000140004D18
GetProcAddress.KERNEL32 ref: 0000000140004D27
GetProcAddress.KERNEL32 ref: 0000000140004D3C
GetModuleHandleW.KERNEL32 ref: 0000000140004D50
GetProcAddress.KERNEL32 ref: 0000000140004D60

Strings

ntdll.dll, xrefs: 0000000140004C12
UxTheme.dll, xrefs: 0000000140004C60
DrawThemeTextEx, xrefs: 0000000140004C79
RtlGetNtVersionNumbers, xrefs: 0000000140004C1F
SetWindowCompositionAttribute, xrefs: 0000000140004D56
user32.dll, xrefs: 0000000140004D42

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: AddressProc$HandleModule$LibraryLoad
String ID: DrawThemeTextEx$RtlGetNtVersionNumbers$SetWindowCompositionAttribute$UxTheme.dll$ntdll.dll$user32.dll
API String ID: 551388010-3518025130
Opcode ID: 482856162065091f885c937aeb4121b92e2c1f38fde39c510a0b181295fd8c07
Instruction ID: 2a2989e24c78233461c63ed4672a7e9909380dc3ee54ffd61e38e74c4469ebed
Opcode Fuzzy Hash: 482856162065091f885c937aeb4121b92e2c1f38fde39c510a0b181295fd8c07
Instruction Fuzzy Hash: 185136B4100B4296FB17EB53F8583DA23A1A78D7C9F440169FB4A47AB1DF3E8499C314

Function 00000001400375E0 Relevance: 4.5, APIs: 3, Instructions: 17
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLocalTime.KERNEL32 ref: 00000001400375EB
GetUserDefaultLCID.KERNEL32 ref: 00000001400375F1
EnumDateFormatsW.KERNEL32 ref: 000000014003760C

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: DateDefaultEnumFormatsLocalTimeUser
String ID:
API String ID: 2965704199-0
Opcode ID: bba93817254c45bba4cfd27ed92c085bf92a9cfc1b204d9e3048a8a5ef15f651
Instruction ID: 7b0e9376260185fc80ebbbda697e7394f82ea9eeab13ca7abf84db8350a87c61
Opcode Fuzzy Hash: bba93817254c45bba4cfd27ed92c085bf92a9cfc1b204d9e3048a8a5ef15f651
Instruction Fuzzy Hash: 45F03934A1065186E7138F23EC453D23765F78D784F600421EE1D477B0EB7D966ACB40

Function 000000014000814C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 12
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetPrivateProfileStringW.KERNEL32 ref: 0000000140008176

Strings

C:\Users\user\AppData\Roaming\NewFileTime\NewFileTime.ini, xrefs: 0000000140008155

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: PrivateProfileString
String ID: C:\Users\user\AppData\Roaming\NewFileTime\NewFileTime.ini
API String ID: 1096422788-3799827989
Opcode ID: c5735b3782fe7e2ed24149136fab4e3f63cee7f4502a6b4433267697e68085b4
Instruction ID: 8380b5ca3b776c55a1bf3377c456cc8bf44ced7b083b6df96fe1c3d8883e5db7
Opcode Fuzzy Hash: c5735b3782fe7e2ed24149136fab4e3f63cee7f4502a6b4433267697e68085b4
Instruction Fuzzy Hash: D6D0C7B1604B89C2D6219B46A8447897BA0F7597C9F900115EF4C13735CB3CC226CB48

Function 00000001400175F1 Relevance: 1.6, APIs: 1, Instructions: 104nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140017551: GlobalAlloc.KERNELBASE ref: 000000014001759A

NtQuerySystemInformation.NTDLL ref: 0000000140017675

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: AllocGlobalInformationQuerySystem
String ID:
API String ID: 3737350999-0
Opcode ID: 32be8fa3b71e1cbd380bd190b05309b577a131ec799a5c772b6de765baed6ab9
Instruction ID: 615d784bc4df09136c8c0e84204ef8de0ebc4a4130a70348a130dbf59748bc48
Opcode Fuzzy Hash: 32be8fa3b71e1cbd380bd190b05309b577a131ec799a5c772b6de765baed6ab9
Instruction Fuzzy Hash: 08517776618A8486D761DB1AE484B9EB7B0F3C8B84F104515FB8E87BA9DB79C9408F00

Function 000000014000BEE8 Relevance: 30.3, APIs: 13, Strings: 4, Instructions: 513
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32 ref: 000000014000BF46
GetTempPathW.KERNEL32 ref: 000000014000BF85
CharLowerW.USER32 ref: 000000014000C082
CharLowerW.USER32 ref: 000000014000C097
lstrcpyW.KERNEL32 ref: 000000014000C202
lstrlenW.KERNEL32 ref: 000000014000C257
lstrlenW.KERNEL32 ref: 000000014000C2ED
SHGetSpecialFolderPathW.SHELL32 ref: 000000014000C38D
lstrlenW.KERNEL32 ref: 000000014000C3A5
CreateDirectoryW.KERNEL32 ref: 000000014000C459
lstrcpyW.KERNEL32 ref: 000000014000C5AB
lstrlenW.KERNEL32 ref: 000000014000C61F

Strings

TestIni, xrefs: 000000014000C2A0, 000000014000C2CF, 000000014000C5D2, 000000014000C601
eeee, xrefs: 000000014000C27F, 000000014000C2FD, 000000014000C5B1
C:\Users\user\AppData\Roaming\NewFileTime\NewFileTime.ini, xrefs: 000000014000C1FB, 000000014000C5A4
.ini, xrefs: 000000014000C09D, 000000014000C45F

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: lstrlen$CharLowerPathlstrcpy$CreateDirectoryFolderSpecialTemp
String ID: .ini$C:\Users\user\AppData\Roaming\NewFileTime\NewFileTime.ini$TestIni$eeee
API String ID: 1004854021-3373269793
Opcode ID: 374631e09a907260bf80d3c782fcb77576be921c6bff0f232b9e73cc475dd484
Instruction ID: bcd9e3bd838057f94441950f627922d61a879500a582d0e0f26c5fc85a3f1aa0
Opcode Fuzzy Hash: 374631e09a907260bf80d3c782fcb77576be921c6bff0f232b9e73cc475dd484
Instruction Fuzzy Hash: 7C328172301A4192EA62DF26E8513DA7360F7897F4F544322B76E836F6DE38C945CB40

Function 000000014000D650 Relevance: 26.5, APIs: 11, Strings: 4, Instructions: 287
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32 ref: 000000014000D677
LoadStringW.USER32 ref: 000000014000D6A4
LoadStringW.USER32 ref: 000000014000D6BA
InitCommonControlsEx.COMCTL32 ref: 000000014000D6DE
GetUserDefaultLangID.KERNEL32 ref: 000000014000D7A7
GetUserDefaultLangID.KERNEL32 ref: 000000014000D7B6
LoadAcceleratorsW.USER32 ref: 000000014000DA1C
TranslateAcceleratorW.USER32 ref: 000000014000DA34
TranslateMessage.USER32 ref: 000000014000DA43
DispatchMessageW.USER32 ref: 000000014000DA4E
GetMessageW.USER32 ref: 000000014000DA61

Strings

disable_dark_theme, xrefs: 000000014000D74E
lng, xrefs: 000000014000D9E7
soft_paint, xrefs: 000000014000D760
Lisens, xrefs: 000000014000D73C

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: LoadMessage$DefaultLangStringTranslateUser$AcceleratorAcceleratorsCommonControlsDispatchInitlstrlen
String ID: Lisens$disable_dark_theme$lng$soft_paint
API String ID: 249006279-461540367
Opcode ID: 3d99a117655a148bedba31ba30f4b0a81ba9e65de3613fdb3391f07775da7f83
Instruction ID: ce77c421a507276892d05941270336c25402ca27bf5d596d9753e4cc185d14ae
Opcode Fuzzy Hash: 3d99a117655a148bedba31ba30f4b0a81ba9e65de3613fdb3391f07775da7f83
Instruction Fuzzy Hash: 77C17DB160870186FB73DB17B4853EE33A2A39C7C8F608523FB0A476B5DB3989458721

Function 000000014001ED8C Relevance: 13.6, APIs: 9, Instructions: 71
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStockObject.GDI32 ref: 000000014001EDB7
GetObjectW.GDI32 ref: 000000014001EDC9
SystemParametersInfoW.USER32 ref: 000000014001EDFF
CreateFontIndirectW.GDI32 ref: 000000014001EE39
CreateFontIndirectW.GDI32 ref: 000000014001EE5A
GetSystemMetrics.USER32 ref: 000000014001EE6C
GetSystemMetrics.USER32 ref: 000000014001EE82
GetSystemMetrics.USER32 ref: 000000014001EE93
GetSystemMetrics.USER32 ref: 000000014001EEA2

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: System$Metrics$CreateFontIndirectObject$InfoParametersStock
String ID:
API String ID: 4204584070-0
Opcode ID: 8ca030c2bb6dd16c0e87f29d34277584b531a975379582408b48c99ec792e43b
Instruction ID: 510aa3edb2fbd26033c38d0003b77237aa57e7fdc392dedf776d810b4b1f59ec
Opcode Fuzzy Hash: 8ca030c2bb6dd16c0e87f29d34277584b531a975379582408b48c99ec792e43b
Instruction Fuzzy Hash: 9A317E72204B8597E76ACF21E5443DEB3A1F388789F404129DB5947695DF3CD06CCB00

Function 0000000140008818 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 28
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadIconW.USER32 ref: 000000014000884C
LoadCursorW.USER32 ref: 000000014000885E
LoadIconW.USER32 ref: 0000000140008891
RegisterClassExW.USER32 ref: 00000001400088A7

Strings

m, xrefs: 0000000140008888
P, xrefs: 0000000140008837

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: Load$Icon$ClassCursorRegister
String ID: P$m
API String ID: 4202395251-1360399329
Opcode ID: ebf67bd7337fe250ead9c0d10d10c72322d928add0c117cb9c8cf18698d8c7fb
Instruction ID: d0f5ea02c2cc54904d841f528e7bbb943d8527f317d938af2402d9a125222a74
Opcode Fuzzy Hash: ebf67bd7337fe250ead9c0d10d10c72322d928add0c117cb9c8cf18698d8c7fb
Instruction Fuzzy Hash: 2F01C472519F8086E7628B01F88934BB7A5F388799F601119F7CA83B68DF7DC168CB40

Function 0000000140023F2C Relevance: 7.6, APIs: 5, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStartupInfoW.KERNEL32 ref: 0000000140023F43
_FF_MSGBANNER.LIBCMT ref: 0000000140023FE2
_FF_MSGBANNER.LIBCMT ref: 000000014002400C
GetCommandLineW.KERNEL32 ref: 000000014002403E
_cinit.LIBCMT ref: 000000014002407E

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: CommandInfoLineStartup_cinit
String ID:
API String ID: 1675588807-0
Opcode ID: a6dbe5fe1d592d9ddc0af471f6049a28d7886296bb7f79d5ccd79a7ededf20c9
Instruction ID: 06e94b4c2e6005e7d51b799ac4514ab7821629891da3816f025ddbeffb1b155c
Opcode Fuzzy Hash: a6dbe5fe1d592d9ddc0af471f6049a28d7886296bb7f79d5ccd79a7ededf20c9
Instruction Fuzzy Hash: 2A41733160474186FBA3ABA3A5913EE62A1AB8C3C4F50483DBB49436F3DF38CD419752

Function 0000000140030B7B Relevance: 4.6, APIs: 3, Instructions: 146
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32 ref: 0000000140030C56
GlobalAlloc.KERNEL32 ref: 0000000140030CA9

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: AllocExitGlobalProcess
String ID:
API String ID: 3642446439-0
Opcode ID: a03eb0701cc6eb8cac6b514f02259921640b861e40fed228d7cee931863291a7
Instruction ID: 4258da7f274c6e04c4d2c9205f12d60dc6553c03449d6cd58c9155ee8d89b4bb
Opcode Fuzzy Hash: a03eb0701cc6eb8cac6b514f02259921640b861e40fed228d7cee931863291a7
Instruction Fuzzy Hash: 5251927271155486EB67CF17D4A0BEA77A1F78CBC4F1A9211EF4A037A4CB38A852D704

Function 0000000140030C24 Relevance: 4.6, APIs: 3, Instructions: 94
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32 ref: 0000000140030C56
GlobalAlloc.KERNEL32 ref: 0000000140030CA9
VirtualProtect.KERNELBASE ref: 0000000140030D92

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: AllocExitGlobalProcessProtectVirtual
String ID:
API String ID: 2838013928-0
Opcode ID: 245144daa2ee5a0f49845f5475b9c7ce6e71f9f1eecfc88eb72b09183cf58fc2
Instruction ID: 0175d510a5b46dda359d3d002f5d042de8b99942e260f713ee2fb820361081a2
Opcode Fuzzy Hash: 245144daa2ee5a0f49845f5475b9c7ce6e71f9f1eecfc88eb72b09183cf58fc2
Instruction Fuzzy Hash: C941737261124046E767DB23D4A0BFA37E1E78DBC5F1A9220EF49437A4C638A846D704

Function 000000014000872C Relevance: 4.6, APIs: 3, Instructions: 71
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesW.KERNEL32 ref: 0000000140008738
GetLastError.KERNEL32 ref: 0000000140008743
GetLastError.KERNEL32 ref: 000000014000874E

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: ErrorLast$AttributesFile
String ID:
API String ID: 2642427456-0
Opcode ID: 725e2751a1ffd1fb0f3150e52045197fd8501a6cc0d3d144a5d773b7a3689b8d
Instruction ID: 6a4d95fc124e6ee73c71290dfd54d9a7322ce3b577b57af1ee738ba9bf4a8a30
Opcode Fuzzy Hash: 725e2751a1ffd1fb0f3150e52045197fd8501a6cc0d3d144a5d773b7a3689b8d
Instruction Fuzzy Hash: 16212C72600E0182EB63CB7EE8593A82350FB487B5F644712BB7A871F5CF74C8418752

Function 0000000140016C01 Relevance: 4.6, APIs: 3, Instructions: 62
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE ref: 0000000140016C4A

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: baec721d2821db414ceeaa2bf37cb35bd8282c49a277c6bfc66e36b8aabf3e15
Instruction ID: c383dbae1a27b48bfd87c08c3d6e76de05f21ef001a7d44355dd4547820677a8
Opcode Fuzzy Hash: baec721d2821db414ceeaa2bf37cb35bd8282c49a277c6bfc66e36b8aabf3e15
Instruction Fuzzy Hash: 07317636608B4482EB508F25E45435ABBB1F7C9B94F604126EBDD47B68DF7AC4458F40

Function 0000000140018570 Relevance: 3.4, APIs: 2, Instructions: 447
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 0000000140018E8B
VirtualProtect.KERNELBASE ref: 0000000140018ED1

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 3bcc0f36319ccde6b0273f2ece0aa3c91961a8b7fe7356c883ced505f8de2c86
Instruction ID: b2ef9e500f22efa3545b67e830b686edb40faaece803310e0e257195c7d1d4c9
Opcode Fuzzy Hash: 3bcc0f36319ccde6b0273f2ece0aa3c91961a8b7fe7356c883ced505f8de2c86
Instruction Fuzzy Hash: BD427D76209BC48ADA71CB1AE4907DAB7A0F7C9B84F104126EBCD87B69DF39C545CB40

Function 0000000140030D94 Relevance: 3.1, APIs: 2, Instructions: 78
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 0000000140030DF1
ExitProcess.KERNEL32 ref: 0000000140030E0F

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: ExitProcessProtectVirtual
String ID:
API String ID: 1518624053-0
Opcode ID: bf20b7adf3a027542fbd5b989bb94608d8b78b000e21a446af202c3d490a2184
Instruction ID: 529a24e6c1fbcf9daf5303dd55a33dea3b869f99b1bcb5240b2e3c513a03f08d
Opcode Fuzzy Hash: bf20b7adf3a027542fbd5b989bb94608d8b78b000e21a446af202c3d490a2184
Instruction Fuzzy Hash: 4431C3713052808BFB63CB6AE4947AA7791E78D7D0F158625EB9943BF4CA38D4818B05

Function 0000000140018DE8 Relevance: 3.1, APIs: 2, Instructions: 55
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00000001400166E1: LoadLibraryW.KERNELBASE(?,?,?,?,?,?,00000001400179B3), ref: 0000000140016719

Part of subcall function 0000000140017551: GlobalAlloc.KERNELBASE ref: 000000014001759A

VirtualProtect.KERNELBASE ref: 0000000140018E8B
VirtualProtect.KERNELBASE ref: 0000000140018ED1

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: ProtectVirtual$AllocGlobalLibraryLoad
String ID:
API String ID: 2510009449-0
Opcode ID: 7b1006b3ec3228eb6862de1997fbc5aee531c0bdf4a370ba8d4f5df8926497da
Instruction ID: a03202ba3fa2d8d69e3adc8e62869fc2542a0dcec0745587a99ba35fd2d9eb5f
Opcode Fuzzy Hash: 7b1006b3ec3228eb6862de1997fbc5aee531c0bdf4a370ba8d4f5df8926497da
Instruction Fuzzy Hash: B2311A7A209BC48AD671DB26E4917DEB7A0F7C9B84F404026EB8D87B19DF39D9518F00

Function 0000000140030DBC Relevance: 3.0, APIs: 2, Instructions: 47memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 0000000140030DF1
ExitProcess.KERNEL32 ref: 0000000140030E0F

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: ExitProcessProtectVirtual
String ID:
API String ID: 1518624053-0
Opcode ID: 2541951058f0a72a2a7fb6d683975d4a959834241996bc355c4f166674dbd8b7
Instruction ID: e89298bce2d6fa47c62722c5c2ed998eb87923f9b1e0d3de82e99985844e2ffa
Opcode Fuzzy Hash: 2541951058f0a72a2a7fb6d683975d4a959834241996bc355c4f166674dbd8b7
Instruction Fuzzy Hash: 681198713052408BFB26DB26E4507AE73A1E78C7D0F518525E74A87B75CA3CE455CB05

Function 000000014002B780 Relevance: 3.0, APIs: 2, Instructions: 18memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNEL32 ref: 000000014002B792
HeapSetInformation.KERNEL32 ref: 000000014002B7BC

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: Heap$CreateInformation
String ID:
API String ID: 1774340351-0
Opcode ID: f2fad7ed84ad52d1957250b01254dd880c27fca0936b88acd442e123904c65a4
Instruction ID: 6c6a130fadb90d8e88219f4ab4d06951c54a7333c63850b2e15b6151c6cd386f
Opcode Fuzzy Hash: f2fad7ed84ad52d1957250b01254dd880c27fca0936b88acd442e123904c65a4
Instruction Fuzzy Hash: 4FE04FB5721B9082E79A9B23A84579A6690EB8C780F90542DBE49037A4EE3CC1858B00

Function 00000001400166E1 Relevance: 1.5, APIs: 1, Instructions: 17libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140017551: GlobalAlloc.KERNELBASE ref: 000000014001759A

LoadLibraryW.KERNELBASE(?,?,?,?,?,?,00000001400179B3), ref: 0000000140016719

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: AllocGlobalLibraryLoad
String ID:
API String ID: 3361179946-0
Opcode ID: 9a8ff4eada6292a57e958cd5b1d6b39b402b5e85bec2340caf22a4aefd90f417
Instruction ID: a98747b4552046b1fb5e9ad4d3e68afe25e80eae21c0e9ad3937b6e2198f553b
Opcode Fuzzy Hash: 9a8ff4eada6292a57e958cd5b1d6b39b402b5e85bec2340caf22a4aefd90f417
Instruction Fuzzy Hash: 7EE04E36618E8482CA20EB16E88124AB7B5F7C9B98F504125FBCD47B39DF39C6518A00

Function 000000014000DA84 Relevance: 1.5, APIs: 1, Instructions: 11comCOMMONLIBRARYCODE

Download Yara Rule

APIs

OleInitialize.OLE32 ref: 000000014000DA99

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 8efbdf770bd8140a0d47d454bf1ca47bbf849dc5c78b0822263cfbe2e4650dfd
Instruction ID: ea3d2dbb976040860e980c21925cf9bf278fd39b7b00eac8f6c3221d4b6756bf
Opcode Fuzzy Hash: 8efbdf770bd8140a0d47d454bf1ca47bbf849dc5c78b0822263cfbe2e4650dfd
Instruction Fuzzy Hash: CCC08C36721B08C2EF2B1BB3A8413A92368A30CB80F980030EE4D43320DE3CC0A6C710

Function 00000001400373C0 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

CreateSolidBrush.GDI32 ref: 00000001400373C9

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: BrushCreateSolid
String ID:
API String ID: 4168422804-0
Opcode ID: 3a06ae4a05feed5ade123007ea37f63aa0b6ec04c6fe1c2d2b20515e39371d65
Instruction ID: be339ba2660259c56d30cb9dfccae10c1d14e88300c0401283b281c4230168bf
Opcode Fuzzy Hash: 3a06ae4a05feed5ade123007ea37f63aa0b6ec04c6fe1c2d2b20515e39371d65
Instruction Fuzzy Hash: 66B09234A42B0192EB0A678268A138922A4B38D759F9008A8960912330CA3802EE8700

Function 0000000140017551 Relevance: 1.3, APIs: 1, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNELBASE ref: 000000014001759A

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: ba1b9466268fe03848d5d9d10af9dd6cf040b6a4df980d2f73a2bd1ec1c171d8
Instruction ID: 67b3fb2ff2c5d53ccb30895aa0ab94e8bcaffe8ee28364a13de3d94a864ec4e8
Opcode Fuzzy Hash: ba1b9466268fe03848d5d9d10af9dd6cf040b6a4df980d2f73a2bd1ec1c171d8
Instruction Fuzzy Hash: 1BF07436609684CBC750DF19E08461ABBB0F3C9B54F604125EB8D83B28DB39C945CF00

Non-executed Functions

Function 000000014001B884 Relevance: 174.3, APIs: 53, Strings: 46, Instructions: 1077threadwindowCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32 ref: 000000014001B9D5
GetDlgItem.USER32 ref: 000000014001BA33
GetWindowTextW.USER32 ref: 000000014001BA4A
GetDlgItem.USER32 ref: 000000014001BB39
SetWindowTextW.USER32 ref: 000000014001BB4A
GetModuleFileNameW.KERNEL32 ref: 000000014001CADE
ShellExecuteW.SHELL32 ref: 000000014001CB28
PostQuitMessage.USER32 ref: 000000014001CB33

Part of subcall function 000000014000ECDC: CreatePopupMenu.USER32 ref: 000000014000ED0E
Part of subcall function 000000014000ECDC: SendMessageW.USER32 ref: 000000014000ED29
Part of subcall function 000000014000ECDC: lstrcpyW.KERNEL32 ref: 000000014000ED5B
Part of subcall function 000000014000ECDC: lstrcatW.KERNEL32 ref: 000000014000ED6D
Part of subcall function 000000014000ECDC: AppendMenuW.USER32 ref: 000000014000ED8F
Part of subcall function 000000014000ECDC: lstrcpyW.KERNEL32 ref: 000000014000EDA7
Part of subcall function 000000014000ECDC: lstrcatW.KERNEL32 ref: 000000014000EDB9
Part of subcall function 000000014000ECDC: AppendMenuW.USER32 ref: 000000014000EDD2
Part of subcall function 000000014000ECDC: ClientToScreen.USER32 ref: 000000014000EE19
Part of subcall function 000000014000ECDC: SendMessageW.USER32 ref: 000000014000EE31
Part of subcall function 000000014000ECDC: TrackPopupMenu.USER32 ref: 000000014000EE60
Part of subcall function 000000014000ECDC: SendMessageW.USER32 ref: 000000014000EE78
Part of subcall function 000000014000ECDC: SendMessageW.USER32 ref: 000000014000EE90

Strings

?seite=Microsoft/, xrefs: 000000014001C265, 000000014001C272
Load from File (Unicode), xrefs: 000000014001C938
t, xrefs: 000000014001BE46
M, xrefs: 000000014001BCDC
f, xrefs: 000000014001BD21
%s / %d %%, xrefs: 000000014001C82C
N, xrefs: 000000014001BD39
h, xrefs: 000000014001BDA5
r, xrefs: 000000014001BCF9
by_top, xrefs: 000000014001CDAD
%i.) %s / %d %%, xrefs: 000000014001C84B
/, xrefs: 000000014001BD31
?, xrefs: 000000014001BDFA
c, xrefs: 000000014001BE12
m, xrefs: 000000014001BE9C
Translate, xrefs: 000000014001C91D
?faq-NewFileTime&faq=14, xrefs: 000000014001C08F, 000000014001C09C
NewFileTime, xrefs: 000000014001CD9F
explorer.exe, xrefs: 000000014001CB13
?, xrefs: 000000014001BCD4
m, xrefs: 000000014001BD86
open, xrefs: 000000014001BF45, 000000014001C0C7, 000000014001C2B5, 000000014001C37E, 000000014001C74D, 000000014001CB1A, 000000014001CBB9, 000000014001CCEB
n, xrefs: 000000014001BDB9
l, xrefs: 000000014001BE7D
/, xrefs: 000000014001BD95
error, xrefs: 000000014001BB6A
M, xrefs: 000000014001BE02
/, xrefs: 000000014001BEAB
t, xrefs: 000000014001BD29
lng, xrefs: 000000014001CA19
N, xrefs: 000000014001BE56
F, xrefs: 000000014001BD53
c, xrefs: 000000014001BCF1
k, xrefs: 000000014001BECD
w, xrefs: 000000014001BD4B
D, xrefs: 000000014001BEB3
AtlMiscX.cpp, xrefs: 000000014001C775
k, xrefs: 000000014001BDC1
disable_dark_theme, xrefs: 000000014001CC97
?faq-NewFileTime&faq=0, xrefs: 000000014001C340, 000000014001C34D
F, xrefs: 000000014001BE6D
r, xrefs: 000000014001BE1A
/, xrefs: 000000014001BE4E
w, xrefs: 000000014001BE65
l, xrefs: 000000014001BD63
soft_paint, xrefs: 000000014001CC16

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: Message$MenuSend$AppendCreateItemPopupTextWindowlstrcatlstrcpy$ClientExecuteFileModuleNamePostQuitScreenShellThreadTrack
String ID: %i.) %s / %d %%$%s / %d %%$/$/$/$/$?$?$?faq-NewFileTime&faq=0$?faq-NewFileTime&faq=14$?seite=Microsoft/$AtlMiscX.cpp$D$F$F$Load from File (Unicode)$M$M$N$N$NewFileTime$Translate$by_top$c$c$disable_dark_theme$error$explorer.exe$f$h$k$k$l$l$lng$m$m$n$open$r$r$soft_paint$t$t$w$w
API String ID: 620179758-3706992354
Opcode ID: 01820f876c10ae008cecaf408018e442dbefdd257c97783c1ffb0f00efad932d
Instruction ID: 2c2e88b87c4c81e695c9e86dea2ddb183d70350cb4fb51ba56288c34bd2ebf3a
Opcode Fuzzy Hash: 01820f876c10ae008cecaf408018e442dbefdd257c97783c1ffb0f00efad932d
Instruction Fuzzy Hash: F7C2AC32218AC086E733DB26E8447DEB760FB887C4F444126EB8947AB9DF79C549CB45

Function 000000014000F770 Relevance: 96.8, APIs: 54, Strings: 1, Instructions: 513windowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32 ref: 000000014000F7B3
GetClientRect.USER32 ref: 000000014000F7E2
GetDlgItem.USER32 ref: 000000014000F88A
GetWindowRect.USER32 ref: 000000014000F89B
GetDlgItem.USER32 ref: 000000014000F8AF
GetWindowRect.USER32 ref: 000000014000F8BD
GetDlgItem.USER32 ref: 000000014000F8CF
GetWindowRect.USER32 ref: 000000014000F8E0
GetDlgItem.USER32 ref: 000000014000F8F0
GetWindowRect.USER32 ref: 000000014000F901
ScreenToClient.USER32 ref: 000000014000F912
ScreenToClient.USER32 ref: 000000014000F927
GetWindowRect.USER32 ref: 000000014000F93C
SetWindowPos.USER32 ref: 000000014000F9BB
ShowWindow.USER32 ref: 000000014000F9C7
GetDlgItem.USER32 ref: 000000014000F9F2
ShowWindow.USER32 ref: 000000014000FA00

Part of subcall function 000000014000E41C: SetWindowPos.USER32 ref: 000000014000E446

RedrawWindow.USER32 ref: 000000014000FA28
GetDlgItem.USER32 ref: 000000014000FA3A
GetDlgItem.USER32 ref: 000000014000FAAD
GetDlgItem.USER32 ref: 000000014000FAFA
ShowWindow.USER32 ref: 000000014000FB08
GetDlgItem.USER32 ref: 000000014000FB29
ShowWindow.USER32 ref: 000000014000FB77
GetDlgItem.USER32 ref: 000000014000FB98
GetSystemMetrics.USER32 ref: 000000014000FBFE
GetSystemMetrics.USER32 ref: 000000014000FC2D
GetSystemMetrics.USER32 ref: 000000014000FC54
GetDlgItem.USER32 ref: 000000014000FC9F
GetDlgItem.USER32 ref: 000000014000FD03
GetDlgItem.USER32 ref: 000000014000FD3C
GetDlgItem.USER32 ref: 000000014000FD83
GetClientRect.USER32 ref: 000000014000FDB9
GetSystemMetrics.USER32 ref: 000000014000FDCA
SetWindowPos.USER32 ref: 000000014000FE0C
SetWindowPos.USER32 ref: 000000014000FE2F
SetWindowPos.USER32 ref: 000000014000FE52
SendMessageW.USER32 ref: 000000014000FE69
InvalidateRect.USER32 ref: 000000014000FE86
GetDlgItem.USER32 ref: 000000014000FEAB
GetWindowRect.USER32 ref: 000000014000FEBC
ScreenToClient.USER32 ref: 000000014000FED1
ScreenToClient.USER32 ref: 000000014000FEE6
SetWindowPos.USER32 ref: 000000014000FF1C
SendMessageW.USER32 ref: 000000014000FF39
SetWindowPos.USER32 ref: 000000014000FF75
SendMessageW.USER32 ref: 000000014000FF99
SendMessageW.USER32 ref: 000000014000FFB1
SendMessageW.USER32 ref: 000000014000FFCB
SetWindowPos.USER32 ref: 000000014000FFFD
SendMessageW.USER32 ref: 0000000140010027
SendMessageW.USER32 ref: 000000014001003C
SetWindowPos.USER32 ref: 000000014001007B
SetWindowPos.USER32 ref: 00000001400100B3

Strings

@, xrefs: 0000000140010063

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: Window$Item$Rect$MessageSend$Client$MetricsScreenShowSystem$InvalidateRedraw
String ID: @
API String ID: 2446400382-2766056989
Opcode ID: 106088971997ccaaf9f159ef4d2182e3f8a42df8fd0f80f3183598f329176db2
Instruction ID: b99fa26f9a26dbc569857090a15c5db61be10b6a8b49227ef21e9957d73836a1
Opcode Fuzzy Hash: 106088971997ccaaf9f159ef4d2182e3f8a42df8fd0f80f3183598f329176db2
Instruction Fuzzy Hash: F8424D72618B858AD762CF26E454B9BB7B5FBC9794F108216EB8953B28DF38C445CF00

Function 000000014001A6A9 Relevance: 66.8, APIs: 35, Strings: 3, Instructions: 302windowstringCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014000AF94: lstrlenW.KERNEL32 ref: 000000014000AFE2
Part of subcall function 000000014000AF94: lstrlenW.KERNEL32 ref: 000000014000B004

Part of subcall function 000000014001D7D8: SendMessageW.USER32 ref: 000000014001D870
Part of subcall function 000000014001D7D8: SendMessageW.USER32 ref: 000000014001D88F
Part of subcall function 000000014001D7D8: SendMessageW.USER32 ref: 000000014001D8A6

SendMessageW.USER32 ref: 000000014001A7B4
SendMessageW.USER32 ref: 000000014001A7CE
GetSystemMetrics.USER32 ref: 000000014001A7D7
SendMessageW.USER32 ref: 000000014001A7F2
SendMessageW.USER32 ref: 000000014001A807
SendMessageW.USER32 ref: 000000014001A81C
SendMessageW.USER32 ref: 000000014001A846
SendMessageW.USER32 ref: 000000014001A85B
SendMessageW.USER32 ref: 000000014001A870
SendMessageW.USER32 ref: 000000014001A885
GetDlgItem.USER32 ref: 000000014001A89B
SendMessageW.USER32 ref: 000000014001A8B5
GetDlgItem.USER32 ref: 000000014001A8C9
SendMessageW.USER32 ref: 000000014001A8DA
GetDlgItem.USER32 ref: 000000014001A8EE
SendMessageW.USER32 ref: 000000014001A900
SendMessageW.USER32 ref: 000000014001A91A
SendMessageW.USER32 ref: 000000014001A92F
GetDlgItem.USER32 ref: 000000014001A93F
SetWindowTextW.USER32 ref: 000000014001A952
GetDlgItem.USER32 ref: 000000014001A962
SetWindowTextW.USER32 ref: 000000014001A96E
GetDlgItem.USER32 ref: 000000014001A97E
SetWindowTextW.USER32 ref: 000000014001A98A
GetDlgItem.USER32 ref: 000000014001A99E
ShowWindow.USER32 ref: 000000014001A9C2
ShowWindow.USER32 ref: 000000014001A9D1
GetWindowRect.USER32 ref: 000000014001A9DF
ScreenToClient.USER32 ref: 000000014001A9F1
ScreenToClient.USER32 ref: 000000014001AA03
lstrcatW.KERNEL32 ref: 000000014001AA56
lstrcatW.KERNEL32 ref: 000000014001AA71
SendMessageW.USER32 ref: 000000014001AB21
SetWindowPos.USER32 ref: 000000014001AB50
ShowWindow.USER32 ref: 000000014001AB60

Part of subcall function 000000014000F398: GetDlgItem.USER32 ref: 000000014000F567
Part of subcall function 000000014000F398: ShowWindow.USER32 ref: 000000014000F572
Part of subcall function 000000014000F398: GetDlgItem.USER32 ref: 000000014000F5A9
Part of subcall function 000000014000F398: ShowWindow.USER32 ref: 000000014000F5B4

Part of subcall function 000000014000F770: GetWindowRect.USER32 ref: 000000014000F7B3
Part of subcall function 000000014000F770: GetClientRect.USER32 ref: 000000014000F7E2
Part of subcall function 000000014000F770: GetDlgItem.USER32 ref: 000000014000F88A
Part of subcall function 000000014000F770: GetWindowRect.USER32 ref: 000000014000F89B
Part of subcall function 000000014000F770: GetDlgItem.USER32 ref: 000000014000F8AF
Part of subcall function 000000014000F770: GetWindowRect.USER32 ref: 000000014000F8BD
Part of subcall function 000000014000F770: GetDlgItem.USER32 ref: 000000014000F8CF
Part of subcall function 000000014000F770: GetWindowRect.USER32 ref: 000000014000F8E0
Part of subcall function 000000014000F770: GetDlgItem.USER32 ref: 000000014000F8F0
Part of subcall function 000000014000F770: GetWindowRect.USER32 ref: 000000014000F901
Part of subcall function 000000014000F770: ScreenToClient.USER32 ref: 000000014000F912
Part of subcall function 000000014000F770: ScreenToClient.USER32 ref: 000000014000F927
Part of subcall function 000000014000F770: GetWindowRect.USER32 ref: 000000014000F93C

Part of subcall function 000000014000E3E0: GetWindowLongPtrW.USER32 ref: 000000014000E3F2
Part of subcall function 000000014000E3E0: SetWindowLongPtrW.USER32 ref: 000000014000E40E

Strings

0, xrefs: 000000014001A783
# FAQ, xrefs: 000000014001AADF
=>txt<=, xrefs: 000000014001A73A

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: MessageSendWindow$Item$Rect$ClientShow$Screen$Text$Longlstrcatlstrlen$MetricsSystem
String ID: # FAQ$0$=>txt<=
API String ID: 2841652420-3025407568
Opcode ID: 1102e0693119983d0228aba76e2a68adea951f5099abb5976361dd6c146c032b
Instruction ID: 623eda39665a89a6187279503a2c40471ac2bc2897676b376b0c80c412d297f2
Opcode Fuzzy Hash: 1102e0693119983d0228aba76e2a68adea951f5099abb5976361dd6c146c032b
Instruction Fuzzy Hash: 52D14A36314A8187E766EB27E851BDBB3A2F7C9BC4F404125AF9A47A65CF3CD5058B00

Function 000000014000A158 Relevance: 60.1, APIs: 30, Strings: 4, Instructions: 623stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140008DCC: CharNextW.USER32 ref: 0000000140008E04
Part of subcall function 0000000140008DCC: CharNextW.USER32 ref: 0000000140008E2E
Part of subcall function 0000000140008DCC: CharNextW.USER32 ref: 0000000140008E46
Part of subcall function 0000000140008DCC: CharNextW.USER32 ref: 0000000140008E5B
Part of subcall function 0000000140008DCC: CharNextW.USER32 ref: 0000000140008E6A
Part of subcall function 0000000140008DCC: CharNextW.USER32 ref: 0000000140008EBE

lstrcmpiW.KERNEL32 ref: 000000014000A1F1
lstrcmpiW.KERNEL32 ref: 000000014000A20B
CharNextW.USER32 ref: 000000014000A260
lstrcmpiW.KERNEL32 ref: 000000014000A28B
lstrlenW.KERNEL32 ref: 000000014000A946

Strings

NoRemove, xrefs: 000000014000A32F
Val, xrefs: 000000014000A36E
ForceRemove, xrefs: 000000014000A201
Delete, xrefs: 000000014000A1E7

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: CharNext$lstrcmpi$lstrlen
String ID: Delete$ForceRemove$NoRemove$Val
API String ID: 421489534-1781481701
Opcode ID: 10aba86e1589bc4cfa1ea29e7434c4f3cb27b6fc231b9d0215996dc8296f36f6
Instruction ID: 8d20fe5447a4eb766d9ded4572a7cf9aedc921bf957330696d968bef3086c7fb
Opcode Fuzzy Hash: 10aba86e1589bc4cfa1ea29e7434c4f3cb27b6fc231b9d0215996dc8296f36f6
Instruction Fuzzy Hash: BE4223B170478186EB76DB66B9403EA62D2F78E7C0F548126FB8987AB5EF3CC4458701

Function 000000014001CDFC Relevance: 52.9, APIs: 27, Strings: 3, Instructions: 427timeCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32 ref: 000000014001CEDB

Part of subcall function 000000014001B334: CreatePopupMenu.USER32 ref: 000000014001B388

KillTimer.USER32 ref: 000000014001D21A
SetTimer.USER32 ref: 000000014001D233

Strings

WinRC, xrefs: 000000014001CFCF, 000000014001D165
m_auto_history, xrefs: 000000014001D4AA
ID_ALLE_MARKIEREN, xrefs: 000000014001D3B3

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: Timer$CreateKillLongMenuPopupWindow
String ID: ID_ALLE_MARKIEREN$WinRC$m_auto_history
API String ID: 333754552-4151237627
Opcode ID: 381e906cb99168f6f66f00d819b695aa2eea8b9d2ede069658f98d9784ee0639
Instruction ID: c90ac497b1e608b2657f2066c44eac41c88d02ccdc936d3683b3d71f7d987d8c
Opcode Fuzzy Hash: 381e906cb99168f6f66f00d819b695aa2eea8b9d2ede069658f98d9784ee0639
Instruction Fuzzy Hash: E5128232214B4092EB669B27E8447EA73A1F78D7D4F540226FB5A4BAF5CF3AC546C700

Function 0000000140004098 Relevance: 51.1, APIs: 27, Strings: 2, Instructions: 374stringwindowCOMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 0000000140004131
_invalid_parameter_noinfo.LIBCMT ref: 0000000140004149
MessageBoxW.USER32 ref: 00000001400041BF
lstrcatW.KERNEL32 ref: 00000001400042B3
lstrcatW.KERNEL32 ref: 00000001400042CE
lstrcatW.KERNEL32 ref: 00000001400042E6
lstrcatW.KERNEL32 ref: 0000000140004301
lstrcatW.KERNEL32 ref: 0000000140004312
lstrcatW.KERNEL32 ref: 000000014000432D
lstrcatW.KERNEL32 ref: 000000014000433E
lstrcatW.KERNEL32 ref: 0000000140004359
lstrcatW.KERNEL32 ref: 000000014000436A
lstrcatW.KERNEL32 ref: 0000000140004385
lstrcatW.KERNEL32 ref: 0000000140004396
lstrcatW.KERNEL32 ref: 00000001400043AB
lstrlenW.KERNEL32 ref: 00000001400043B9
_invalid_parameter_noinfo.LIBCMT ref: 00000001400044A9
_invalid_parameter_noinfo.LIBCMT ref: 00000001400044C1
lstrcatW.KERNEL32 ref: 00000001400044F1
lstrcatW.KERNEL32 ref: 0000000140004502
lstrcatW.KERNEL32 ref: 0000000140004518
lstrcatW.KERNEL32 ref: 0000000140004529
lstrlenW.KERNEL32 ref: 0000000140004537
lstrcatW.KERNEL32 ref: 0000000140004593
lstrlenW.KERNEL32 ref: 00000001400045A1
lstrlenW.KERNEL32 ref: 0000000140004623

Strings

.txt, xrefs: 00000001400043D3
open, xrefs: 0000000140004696

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: lstrcat$_invalid_parameter_noinfolstrlen$Message
String ID: .txt$open
API String ID: 3548936114-2053232146
Opcode ID: 967637adb3680d2227f19d735fdd0d0a3dad75f88921fbb915ea8cf618ef1f4e
Instruction ID: 1c268ee56c1031dfd144c0d0561f7edf9a2acb048a92cafc79fd89b8ab0e2cbf
Opcode Fuzzy Hash: 967637adb3680d2227f19d735fdd0d0a3dad75f88921fbb915ea8cf618ef1f4e
Instruction Fuzzy Hash: A00260B2204A8185EB22DB26E8503DE7361F7997E4F444221FB5E47AF6DF78C589C700

Function 0000000140011F3C Relevance: 49.2, APIs: 27, Strings: 1, Instructions: 198windowstringCOMMON

Download Yara Rule

APIs

CreatePopupMenu.USER32 ref: 0000000140011F61
CreatePopupMenu.USER32 ref: 0000000140011F6A
ShowWindow.USER32 ref: 0000000140011F79
CreatePopupMenu.USER32 ref: 0000000140011F7F
AppendMenuW.USER32 ref: 0000000140011F9A

Part of subcall function 000000014000AF94: lstrlenW.KERNEL32 ref: 000000014000AFE2
Part of subcall function 000000014000AF94: lstrlenW.KERNEL32 ref: 000000014000B004

AppendMenuW.USER32 ref: 0000000140011FBF
AppendMenuW.USER32 ref: 0000000140011FDE
AppendMenuW.USER32 ref: 0000000140011FFD
AppendMenuW.USER32 ref: 0000000140012015
AppendMenuW.USER32 ref: 000000014001202E
lstrlenW.KERNEL32 ref: 000000014001205C
lstrlenW.KERNEL32 ref: 0000000140012079
lstrlenW.KERNEL32 ref: 00000001400120A7
AppendMenuW.USER32 ref: 00000001400120D5
AppendMenuW.USER32 ref: 00000001400120EF
AppendMenuW.USER32 ref: 0000000140012103
AppendMenuW.USER32 ref: 0000000140012122
AppendMenuW.USER32 ref: 000000014001214A
AppendMenuW.USER32 ref: 0000000140012169
AppendMenuW.USER32 ref: 000000014001217D
AppendMenuW.USER32 ref: 000000014001219C
AppendMenuW.USER32 ref: 00000001400121B0
AppendMenuW.USER32 ref: 00000001400121CF
SetParent.USER32 ref: 00000001400121F2
ShowWindow.USER32 ref: 0000000140012201
ShowWindow.USER32 ref: 0000000140012213
ShowWindow.USER32 ref: 0000000140012222

Strings

FAQ, xrefs: 000000014001201B

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: Menu$Append$lstrlen$ShowWindow$CreatePopup$Parent
String ID: FAQ
API String ID: 3931491449-2119710534
Opcode ID: 4b6adb6bb58feda4153e4d1fd0c26128ec8c6e9e807665b1fa842ff3937db57a
Instruction ID: 9eb0fb22f179a463a66af860a0259b4170a8fd7da793c3e12424e217b101b872
Opcode Fuzzy Hash: 4b6adb6bb58feda4153e4d1fd0c26128ec8c6e9e807665b1fa842ff3937db57a
Instruction Fuzzy Hash: B5816B71200A4086E757EB63E9587EB63A2FB8DBD4F448121AF4A47BB5DE3CC54AC700

Function 000000014000D250 Relevance: 47.4, APIs: 23, Strings: 4, Instructions: 197windowstringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 000000014000D2C4
SendMessageW.USER32 ref: 000000014000D2D8

Part of subcall function 000000014000CA34: GetDlgItem.USER32 ref: 000000014000CA5D
Part of subcall function 000000014000CA34: SetWindowTextW.USER32 ref: 000000014000CA69
Part of subcall function 000000014000CA34: GetDlgItem.USER32 ref: 000000014000CA84
Part of subcall function 000000014000CA34: SetWindowTextW.USER32 ref: 000000014000CA90
Part of subcall function 000000014000CA34: SetWindowTextW.USER32 ref: 000000014000CB40
Part of subcall function 000000014000CA34: lstrlenW.KERNEL32 ref: 000000014000CB5B
Part of subcall function 000000014000CA34: GetDlgItem.USER32 ref: 000000014000CB78
Part of subcall function 000000014000CA34: SetWindowTextW.USER32 ref: 000000014000CB86
Part of subcall function 000000014000CA34: GetDlgItem.USER32 ref: 000000014000CB9D
Part of subcall function 000000014000CA34: SetWindowTextW.USER32 ref: 000000014000CBAD

GetDlgItem.USER32 ref: 000000014000D317
EnableWindow.USER32 ref: 000000014000D322
GetDlgItem.USER32 ref: 000000014000D334
SendMessageW.USER32 ref: 000000014000D348
GetDlgItem.USER32 ref: 000000014000D358
EnableWindow.USER32 ref: 000000014000D363
EndDialog.USER32 ref: 000000014000D392
PostQuitMessage.USER32 ref: 000000014000D3AC
GetDlgItem.USER32 ref: 000000014000D3E0
EnableWindow.USER32 ref: 000000014000D3EB
LoadIconW.USER32 ref: 000000014000D3FB
lstrlenW.KERNEL32 ref: 000000014000D431
_cwprintf_s_l.LIBCMT ref: 000000014000D45F
GetDlgItem.USER32 ref: 000000014000D494
SendMessageW.USER32 ref: 000000014000D4A8
GetDlgItem.USER32 ref: 000000014000D4FD
SendMessageW.USER32 ref: 000000014000D511
SendMessageW.USER32 ref: 000000014000D527
SendMessageW.USER32 ref: 000000014000D538
GetDlgItem.USER32 ref: 000000014000D546
SendMessageW.USER32 ref: 000000014000D558

Strings

%s / %d %%, xrefs: 000000014000D453
<===> , xrefs: 000000014000D464
lng, xrefs: 000000014000D2E6
Lisens, xrefs: 000000014000D379

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: Item$MessageWindow$Send$Text$Enable$lstrlen$DialogIconLoadPostQuit_cwprintf_s_l
String ID: <===> $%s / %d %%$Lisens$lng
API String ID: 1576141169-2546170310
Opcode ID: ce4a12bb5159f58344a376fc0d91c0a031609c44fc0960d3a4dfe3dcc0bc13b0
Instruction ID: 06ece2c57b3cbcd01cfba8bced4e9ab41e5ebcbd6216f5e59882027bb9d0696d
Opcode Fuzzy Hash: ce4a12bb5159f58344a376fc0d91c0a031609c44fc0960d3a4dfe3dcc0bc13b0
Instruction Fuzzy Hash: D9814A75600B4186FB63DB23A8147EA3362B78CBE5F544222FF0A437B4DE38C9468701

Function 000000014001B334 Relevance: 40.6, APIs: 14, Strings: 9, Instructions: 304windowstringthreadCOMMON

Download Yara Rule

APIs

CreatePopupMenu.USER32 ref: 000000014001B388

Part of subcall function 000000014000AF94: lstrlenW.KERNEL32 ref: 000000014000AFE2
Part of subcall function 000000014000AF94: lstrlenW.KERNEL32 ref: 000000014000B004

AppendMenuW.USER32 ref: 000000014001B59F
AppendMenuW.USER32 ref: 000000014001B5C0
AppendMenuW.USER32 ref: 000000014001B5D5
AppendMenuW.USER32 ref: 000000014001B602
AppendMenuW.USER32 ref: 000000014001B62B
AppendMenuW.USER32 ref: 000000014001B658
AppendMenuW.USER32 ref: 000000014001B68A
SendMessageW.USER32 ref: 000000014001B6E3
ClientToScreen.USER32 ref: 000000014001B6F1
TrackPopupMenu.USER32 ref: 000000014001B72A
SendMessageW.USER32 ref: 000000014001B741
lstrcpyW.KERNEL32 ref: 000000014001B7BC
CreateThread.KERNEL32 ref: 000000014001B7E4

Strings

drop_import_subdirs, xrefs: 000000014001B4A8
includ_root_name, xrefs: 000000014001B489
import_files, xrefs: 000000014001B46B
NewFileTime, xrefs: 000000014001B50D, 000000014001B80A
drop_includ_root_name, xrefs: 000000014001B4D5
import_folders, xrefs: 000000014001B47A
drop_import_folders, xrefs: 000000014001B4C6
import_subdirs, xrefs: 000000014001B45C
drop_import_files, xrefs: 000000014001B4B7

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: Menu$Append$CreateMessagePopupSendlstrlen$ClientScreenThreadTracklstrcpy
String ID: NewFileTime$drop_import_files$drop_import_folders$drop_import_subdirs$drop_includ_root_name$import_files$import_folders$import_subdirs$includ_root_name
API String ID: 209204759-1048854340
Opcode ID: 2c9350a22f673949e992f7fa1641cd839ba3905a32ed8b1e1a6fc62147e054b2
Instruction ID: ef1e9546a9801e9a7eef9088f887cbec8a1532c87f6557e0281b487de6455240
Opcode Fuzzy Hash: 2c9350a22f673949e992f7fa1641cd839ba3905a32ed8b1e1a6fc62147e054b2
Instruction Fuzzy Hash: 9AD17D72204B8086E766CB26E8507DA73E5F789BD4F448226EB9E07BA4DF3DC545CB40

Function 0000000140027244 Relevance: 39.0, APIs: 21, Strings: 1, Instructions: 468COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 0000000140027295
_errno.LIBCMT ref: 000000014002729C

Strings

U, xrefs: 0000000140027853

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: __doserrno_errno
String ID: U
API String ID: 921712934-4171548499
Opcode ID: c2f5a4a32a1fd7faf28d9790efe799f6934c332bd00df124116e318faf283119
Instruction ID: fda7a5f18ed4e22b4c34da33cd395cb654f11cca3f3662e91c1788bf9aaa24c7
Opcode Fuzzy Hash: c2f5a4a32a1fd7faf28d9790efe799f6934c332bd00df124116e318faf283119
Instruction Fuzzy Hash: 4912E332214A4586EB228F2AD484BEAA7A1F38CBC4F54411AFF4D43BB5DB7DC945CB10

Function 000000014002F1A8 Relevance: 36.5, APIs: 24, Instructions: 546fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 000000014002F25F
_errno.LIBCMT ref: 000000014002F269
__doserrno.LIBCMT ref: 000000014002F3CA
_errno.LIBCMT ref: 000000014002F3D4
_errno.LIBCMT ref: 000000014002F3DF
CreateFileW.KERNEL32 ref: 000000014002F41C
CreateFileW.KERNEL32 ref: 000000014002F471
GetLastError.KERNEL32 ref: 000000014002F4A4
_errno.LIBCMT ref: 000000014002F4B1
GetFileType.KERNEL32 ref: 000000014002F4C0
GetLastError.KERNEL32 ref: 000000014002F4EC
CloseHandle.KERNEL32 ref: 000000014002F500
_errno.LIBCMT ref: 000000014002F50A
_lseek_nolock.LIBCMT ref: 000000014002F5A1
__doserrno.LIBCMT ref: 000000014002F5AF
_close_nolock.LIBCMT ref: 000000014002F5BE
_lseek_nolock.LIBCMT ref: 000000014002F603
_close_nolock.LIBCMT ref: 000000014002F78F

Part of subcall function 0000000140026C18: CloseHandle.KERNEL32 ref: 0000000140026C77
Part of subcall function 0000000140026C18: GetLastError.KERNEL32 ref: 0000000140026C81

_errno.LIBCMT ref: 000000014002F794
_lseek_nolock.LIBCMT ref: 000000014002F7B6
CloseHandle.KERNEL32 ref: 000000014002F8F9
CreateFileW.KERNEL32 ref: 000000014002F92E
GetLastError.KERNEL32 ref: 000000014002F93A

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: _errno$ErrorFileLast$CloseCreateHandle__doserrno_lseek_nolock$_close_nolock$Type
String ID:
API String ID: 3224512341-0
Opcode ID: 9c13d51a2ea11e643f08cc32fba56636b8f68d672ed118be39630bc64abd32e1
Instruction ID: e7694955031988417830c5a025100e7ce7cc31b55d5a804d86771d18ac0e51fc
Opcode Fuzzy Hash: 9c13d51a2ea11e643f08cc32fba56636b8f68d672ed118be39630bc64abd32e1
Instruction Fuzzy Hash: 8A32F232604A4486FB769B2AD4943FD76A0E7897E4F24422DFB5A877F5CA3CCC449B01

Function 000000014001AC0C Relevance: 33.6, APIs: 17, Strings: 2, Instructions: 356timewindowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014000E454: SendDlgItemMessageW.USER32 ref: 000000014000E4AA
Part of subcall function 000000014000E454: SendDlgItemMessageW.USER32 ref: 000000014000E4CC

Part of subcall function 000000014000E5FC: GetDlgItem.USER32 ref: 000000014000E682
Part of subcall function 000000014000E5FC: GetWindowTextW.USER32 ref: 000000014000E699
Part of subcall function 000000014000E5FC: GetDlgItem.USER32 ref: 000000014000E6AB
Part of subcall function 000000014000E5FC: GetWindowTextW.USER32 ref: 000000014000E6BF
Part of subcall function 000000014000E5FC: GetDlgItem.USER32 ref: 000000014000E6D1
Part of subcall function 000000014000E5FC: GetWindowTextW.USER32 ref: 000000014000E6E5
Part of subcall function 000000014000E5FC: lstrlenW.KERNEL32 ref: 000000014000E71E
Part of subcall function 000000014000E5FC: lstrlenW.KERNEL32 ref: 000000014000E730
Part of subcall function 000000014000E5FC: lstrlenW.KERNEL32 ref: 000000014000E745

SendMessageW.USER32 ref: 000000014001AD87
SendMessageW.USER32 ref: 000000014001ADE4
SendMessageW.USER32 ref: 000000014001AE31
lstrlenW.KERNEL32 ref: 000000014001AE3F
GetFileAttributesW.KERNEL32 ref: 000000014001AE55
CreateFileW.KERNEL32 ref: 000000014001AE8F
SetFileAttributesW.KERNEL32 ref: 000000014001AEA7
CreateFileW.KERNEL32 ref: 000000014001AED6
GetFileTime.KERNEL32 ref: 000000014001AFA5
FileTimeToLocalFileTime.KERNEL32 ref: 000000014001AFBB
FileTimeToSystemTime.KERNEL32 ref: 000000014001AFD1
lstrlenW.KERNEL32 ref: 000000014001B00C
GetDlgItem.USER32 ref: 000000014001B0B9
GetFileTime.KERNEL32 ref: 000000014001B1F8
SetFileTime.KERNEL32 ref: 000000014001B2A7
CloseHandle.KERNEL32 ref: 000000014001B2C2
SetFileAttributesW.KERNEL32 ref: 000000014001B2DA

Strings

H, xrefs: 000000014001AD9E
---55-----------------------------, xrefs: 000000014001B076

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: File$Time$Item$MessageSendlstrlen$AttributesTextWindow$Create$CloseHandleLocalSystem
String ID: ---55-----------------------------$H
API String ID: 3218686481-4244547292
Opcode ID: a9205fa3dd04b7910306f939ecf08a270ec5b4fec89e9bf2086f401c2fd5192d
Instruction ID: ef5a25932a81372504512f287373f018585440c0cf7755c3e310de7ae6e4f01f
Opcode Fuzzy Hash: a9205fa3dd04b7910306f939ecf08a270ec5b4fec89e9bf2086f401c2fd5192d
Instruction Fuzzy Hash: 0E027B72208AC596E772DF22E8403DFB360F789794F844212EB9D47AA9DF79C549CB40

Function 000000014000F398 Relevance: 33.5, APIs: 17, Strings: 2, Instructions: 201COMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 000000014000F567
ShowWindow.USER32 ref: 000000014000F572
GetDlgItem.USER32 ref: 000000014000F5A9
ShowWindow.USER32 ref: 000000014000F5B4
GetDlgItem.USER32 ref: 000000014000F5EC
ShowWindow.USER32 ref: 000000014000F5F7
GetDlgItem.USER32 ref: 000000014000F61E
ShowWindow.USER32 ref: 000000014000F629
GetDlgItem.USER32 ref: 000000014000F64E
ShowWindow.USER32 ref: 000000014000F659
GetDlgItem.USER32 ref: 000000014000F67E
ShowWindow.USER32 ref: 000000014000F68C
GetDlgItem.USER32 ref: 000000014000F6B3
ShowWindow.USER32 ref: 000000014000F6C1
GetDlgItem.USER32 ref: 000000014000F6E6
ShowWindow.USER32 ref: 000000014000F6F1
ShowWindow.USER32 ref: 000000014000F711

Strings

NewFileTime, xrefs: 000000014000F717
TimeMode, xrefs: 000000014000F725

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: ShowWindow$Item
String ID: NewFileTime$TimeMode
API String ID: 4083201348-2088062544
Opcode ID: e8f9ff07f1da249a81f6edc4780fe698cb116c3ef55f6eaf78f8f76cd3b15b12
Instruction ID: 1ed9a7febdc01096e347714ec3149e03759c5a2fe25de2a8054f92303789c220
Opcode Fuzzy Hash: e8f9ff07f1da249a81f6edc4780fe698cb116c3ef55f6eaf78f8f76cd3b15b12
Instruction Fuzzy Hash: A5A1717260578587E772CF26F4487EA73A1F7C8788F148024EB894BA69DF79C449AF00

Function 00000001400077F4 Relevance: 30.0, APIs: 16, Strings: 1, Instructions: 281windowstringCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 0000000140007836
SendMessageW.USER32 ref: 0000000140007856
CopyRect.USER32 ref: 000000014000787D
GetDeviceCaps.GDI32 ref: 00000001400078E7
SetBkColor.GDI32 ref: 00000001400079D8
ExtTextOutW.GDI32 ref: 0000000140007A12
SetBkColor.GDI32 ref: 0000000140007A22
SetBkColor.GDI32 ref: 0000000140007A67
ExtTextOutW.GDI32 ref: 0000000140007A9B
SetBkColor.GDI32 ref: 0000000140007AA6
SetBkMode.GDI32 ref: 0000000140007ACE
SendMessageW.USER32 ref: 0000000140007B30
lstrlenW.KERNEL32 ref: 0000000140007B4E
ImageList_DrawEx.COMCTL32 ref: 0000000140007BB1
SetTextColor.GDI32 ref: 0000000140007BFF
DrawTextW.USER32 ref: 0000000140007C26

Strings

c, xrefs: 0000000140007B08

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: Color$Text$MessageSend$Draw$CapsCopyDeviceImageList_ModeRectlstrlen
String ID: c
API String ID: 1005190377-112844655
Opcode ID: 4d15fd36e634596ebeefb694dd69e8207f7d6d9b90b0c7ea4d777ee87978400b
Instruction ID: 7ff77dbdbc2da10bfb6413160ceb208b11c18b0968c1d49333167eed299bce3e
Opcode Fuzzy Hash: 4d15fd36e634596ebeefb694dd69e8207f7d6d9b90b0c7ea4d777ee87978400b
Instruction Fuzzy Hash: EFC182B261869087E365CF26F48479EB7A1F38C794F504615EB8A43BA9DB7CC849CF00

Function 000000014002FD18 Relevance: 28.9, APIs: 19, Instructions: 377COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringW.KERNEL32 ref: 000000014002FD8A
GetLastError.KERNEL32 ref: 000000014002FDA0
MultiByteToWideChar.KERNEL32 ref: 000000014002FE4A
malloc.LIBCMT ref: 000000014002FEBB
MultiByteToWideChar.KERNEL32 ref: 000000014002FEF2
LCMapStringW.KERNEL32 ref: 000000014002FF17
LCMapStringW.KERNEL32 ref: 000000014002FF67
malloc.LIBCMT ref: 000000014002FFBA
LCMapStringW.KERNEL32 ref: 000000014002FFF4
WideCharToMultiByte.KERNEL32 ref: 0000000140030037
free.LIBCMT ref: 0000000140030048
free.LIBCMT ref: 0000000140030056
LCMapStringA.KERNEL32 ref: 00000001400300E5
malloc.LIBCMT ref: 0000000140030153
LCMapStringA.KERNEL32 ref: 000000014003019C
free.LIBCMT ref: 00000001400301E4
LCMapStringA.KERNEL32 ref: 0000000140030204
free.LIBCMT ref: 0000000140030216
free.LIBCMT ref: 0000000140030228

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: String$free$ByteCharMultiWidemalloc$ErrorLast
String ID:
API String ID: 1837315383-0
Opcode ID: 5288a767974a648bf6f3ab9ce33a5a1cd71155a7f302ac1d4dce2434d597c56c
Instruction ID: cb86dcc390884d4e72f8ff9097684286cb5cae2b47f7b59dd0c10be49c47c077
Opcode Fuzzy Hash: 5288a767974a648bf6f3ab9ce33a5a1cd71155a7f302ac1d4dce2434d597c56c
Instruction Fuzzy Hash: A5F1B0322016808AE7679F26E4507EE77A1F74CBD8F544629FB5A57BF4DB38CA418700

Function 000000014001E114 Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 123windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32 ref: 000000014001E18A
GetStockObject.GDI32 ref: 000000014001E1A7
GetObjectW.GDI32 ref: 000000014001E1CD
SystemParametersInfoW.USER32 ref: 000000014001E203
CreateFontIndirectW.GDI32 ref: 000000014001E22A
SendMessageW.USER32 ref: 000000014001E245
SendMessageW.USER32 ref: 000000014001E25B
SendMessageW.USER32 ref: 000000014001E273
GetClientRect.USER32 ref: 000000014001E295
SetWindowPos.USER32 ref: 000000014001E2D5
GetWindowLongPtrW.USER32 ref: 000000014001E2EC
SetWindowLongPtrW.USER32 ref: 000000014001E305
GetWindowLongPtrW.USER32 ref: 000000014001E311
SetWindowLongPtrW.USER32 ref: 000000014001E32B

Strings

@, xrefs: 000000014001E2B4
ToolbarWindow32, xrefs: 000000014001E178

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: Window$Long$MessageSend$CreateObject$ClientFontIndirectInfoParametersRectStockSystem
String ID: @$ToolbarWindow32
API String ID: 2936060913-1960738117
Opcode ID: 6afc1b42cda1044846e29d0a495e6e7e7d73e4fc0e76106fc63753939c5fc012
Instruction ID: b06a62640cc2af199d0f663bdfc94c27f1c92ed1e600176451e82f3c16d555fe
Opcode Fuzzy Hash: 6afc1b42cda1044846e29d0a495e6e7e7d73e4fc0e76106fc63753939c5fc012
Instruction Fuzzy Hash: 89514836624B8087E762DF22E89479A77A1F78CB84F505126EB4D43B68DF3CD419CB00

Function 0000000140004FDC Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 127windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 0000000140005006
PostMessageW.USER32 ref: 000000014000501D
PostMessageW.USER32 ref: 0000000140005031
PostMessageW.USER32 ref: 0000000140005048
SendMessageW.USER32 ref: 000000014000505F

Part of subcall function 000000014000E248: LoadLibraryW.KERNEL32 ref: 000000014000E273
Part of subcall function 000000014000E248: GetProcAddress.KERNEL32 ref: 000000014000E28F

Part of subcall function 0000000140004DF8: LoadLibraryW.KERNEL32 ref: 0000000140004E22
Part of subcall function 0000000140004DF8: GetProcAddress.KERNEL32 ref: 0000000140004E3E

SendMessageW.USER32 ref: 0000000140005129
SendMessageW.USER32 ref: 0000000140005160
SendMessageW.USER32 ref: 0000000140005176
SendMessageW.USER32 ref: 0000000140005195
PostMessageW.USER32 ref: 00000001400051AD
GetWindowLongPtrW.USER32 ref: 00000001400051BD
SetWindowLongPtrW.USER32 ref: 00000001400051D6

Part of subcall function 0000000140004EC8: LoadLibraryW.KERNEL32 ref: 0000000140004EFA
Part of subcall function 0000000140004EC8: GetProcAddress.KERNEL32 ref: 0000000140004F16

Part of subcall function 0000000140004E68: LoadLibraryW.KERNEL32 ref: 0000000140004E8A
Part of subcall function 0000000140004E68: GetProcAddress.KERNEL32 ref: 0000000140004EA6

Strings

ItemsView, xrefs: 000000014000506F, 00000001400050DD
Header, xrefs: 000000014000509D
Explorer, xrefs: 000000014000508B

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: Message$Send$AddressLibraryLoadPostProc$LongWindow
String ID: Explorer$Header$ItemsView
API String ID: 2695819665-1669636973
Opcode ID: 37850f150042f173669735cbec38ca756c63925510a49cfdc7e6420e6918b4a7
Instruction ID: 5d94e87a7bb4ea0ade996356f8f2d901556d8bcb3b9a8093ff4b392fae26cb00
Opcode Fuzzy Hash: 37850f150042f173669735cbec38ca756c63925510a49cfdc7e6420e6918b4a7
Instruction Fuzzy Hash: 39517B7531069142FB62EB27B915BDA2351EB8EBC4F942120FE4617FB5DE39C1468B04

Function 000000014000ECDC Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 106windowstringCOMMON

Download Yara Rule

APIs

CreatePopupMenu.USER32 ref: 000000014000ED0E
SendMessageW.USER32 ref: 000000014000ED29

Part of subcall function 000000014000AF94: lstrlenW.KERNEL32 ref: 000000014000AFE2
Part of subcall function 000000014000AF94: lstrlenW.KERNEL32 ref: 000000014000B004

lstrcpyW.KERNEL32 ref: 000000014000ED5B
lstrcatW.KERNEL32 ref: 000000014000ED6D
AppendMenuW.USER32 ref: 000000014000ED8F
lstrcpyW.KERNEL32 ref: 000000014000EDA7
lstrcatW.KERNEL32 ref: 000000014000EDB9
AppendMenuW.USER32 ref: 000000014000EDD2

Part of subcall function 000000014001D6F8: SendMessageW.USER32 ref: 000000014001D716
Part of subcall function 000000014001D6F8: SendMessageW.USER32 ref: 000000014001D72A

ClientToScreen.USER32 ref: 000000014000EE19
SendMessageW.USER32 ref: 000000014000EE31
TrackPopupMenu.USER32 ref: 000000014000EE60
SendMessageW.USER32 ref: 000000014000EE78
SendMessageW.USER32 ref: 000000014000EE90

Strings

<==*.txt, xrefs: 000000014000EDAD
==>*.txt, xrefs: 000000014000ED61

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: MessageSend$Menu$AppendPopuplstrcatlstrcpylstrlen$ClientCreateScreenTrack
String ID: <==*.txt$ ==>*.txt
API String ID: 560381921-3135909850
Opcode ID: 92947c3f0478832a78d692db01b094bff251e6deea0552e7e51e11bb66ff6492
Instruction ID: a7bf07e0626f9e0d9ce282f455679efa27ea28db89fe2a65fb371f1390eced39
Opcode Fuzzy Hash: 92947c3f0478832a78d692db01b094bff251e6deea0552e7e51e11bb66ff6492
Instruction Fuzzy Hash: A7510772704B8686EB22DB26E4547DAB3A1F789BC4F404125EF8907B69DF3DD649CB00

Function 0000000140009CFC Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 282stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140008DCC: CharNextW.USER32 ref: 0000000140008E04
Part of subcall function 0000000140008DCC: CharNextW.USER32 ref: 0000000140008E2E
Part of subcall function 0000000140008DCC: CharNextW.USER32 ref: 0000000140008E46
Part of subcall function 0000000140008DCC: CharNextW.USER32 ref: 0000000140008E5B
Part of subcall function 0000000140008DCC: CharNextW.USER32 ref: 0000000140008E6A
Part of subcall function 0000000140008DCC: CharNextW.USER32 ref: 0000000140008EBE

Part of subcall function 0000000140008C74: lstrcmpiW.KERNEL32 ref: 0000000140008D20

CharNextW.USER32 ref: 0000000140009DA4
lstrlenW.KERNEL32 ref: 0000000140009DFB
CharNextW.USER32 ref: 0000000140009E8A
CharNextW.USER32 ref: 0000000140009EA9

Strings

0, xrefs: 000000014000A02C
0, xrefs: 0000000140009E81

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: CharNext$lstrcmpilstrlen
String ID: 0$0
API String ID: 1051761657-203156872
Opcode ID: 2bce30ddc8d71025c1e9df989e191b55b2049c42fbacc02c91e690613a3b72e0
Instruction ID: 241d1ac211b25a5624ec3dc1d6e8b931e1259d2cc414bd636608316604ca07fc
Opcode Fuzzy Hash: 2bce30ddc8d71025c1e9df989e191b55b2049c42fbacc02c91e690613a3b72e0
Instruction Fuzzy Hash: 02B160B261468482EA72DB26F4543EE63A1F78D7D0F504522FB9A87AF5DB3CC9458B00

Function 0000000140032648 Relevance: 18.1, APIs: 12, Instructions: 115memoryfileCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000000014002E3E0: _errno.LIBCMT ref: 000000014002E402

_errno.LIBCMT ref: 00000001400326D0

Part of subcall function 000000014002E3E0: SetFilePointer.KERNEL32 ref: 000000014002E422
Part of subcall function 000000014002E3E0: GetLastError.KERNEL32 ref: 000000014002E431

GetProcessHeap.KERNEL32 ref: 00000001400326A2
HeapAlloc.KERNEL32 ref: 00000001400326B7
_errno.LIBCMT ref: 00000001400326C5
__doserrno.LIBCMT ref: 000000014003272A
_errno.LIBCMT ref: 0000000140032734
GetProcessHeap.KERNEL32 ref: 000000014003274D
HeapFree.KERNEL32 ref: 000000014003275B
SetEndOfFile.KERNEL32 ref: 0000000140032786
_errno.LIBCMT ref: 000000014003279D
__doserrno.LIBCMT ref: 00000001400327A8
GetLastError.KERNEL32 ref: 00000001400327B0

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: _errno$Heap$ErrorFileLastProcess__doserrno$AllocFreePointer
String ID:
API String ID: 3112900366-0
Opcode ID: c2a6dd15c24d5f0b268b56a6af76d3d3135095af367dd045aa05bf15e4de59b5
Instruction ID: b341377dd8606bbc372ab098be70a3da96ec5ad492d5c8d0a4c98b4d0813330e
Opcode Fuzzy Hash: c2a6dd15c24d5f0b268b56a6af76d3d3135095af367dd045aa05bf15e4de59b5
Instruction Fuzzy Hash: E9415A31304A5086EA27AB7799053DA6391AB8CFF0F084719FF39077F2DA78C9468751

Function 000000014001E358 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 87windowCOMMON

Download Yara Rule

APIs

DestroyMenu.USER32 ref: 000000014001E394
SendMessageW.USER32 ref: 000000014001E3AC
SendMessageW.USER32 ref: 000000014001E3C1
SendMessageW.USER32 ref: 000000014001E3DC
GetMenuItemCount.USER32 ref: 000000014001E40F
GetMenuItemInfoW.USER32 ref: 000000014001E469
SendMessageW.USER32 ref: 000000014001E4AA

Strings

0, xrefs: 000000014001E454
d, xrefs: 000000014001E461
P, xrefs: 000000014001E44C

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: MessageSend$Menu$Item$CountDestroyInfo
String ID: 0$P$d
API String ID: 4101362009-2681740709
Opcode ID: 7ccf97e8cdc334c15c0fd18c79d172b159b99b236b701a5b8b4d98b1bdfffd42
Instruction ID: f78b8c662d12b52a0b987608025b7e4cb2ab4a0335eed816eeb0fe8e580ab72c
Opcode Fuzzy Hash: 7ccf97e8cdc334c15c0fd18c79d172b159b99b236b701a5b8b4d98b1bdfffd42
Instruction Fuzzy Hash: 5E414D3332468187EBA2DF26E4547DE73A1F7C8B88F405125EB4A47A69DF39C545CB40

Function 000000014001E6F0 Relevance: 16.7, APIs: 11, Instructions: 153windowCOMMON

Download Yara Rule

APIs

ScreenToClient.USER32 ref: 000000014001E741
PostMessageW.USER32 ref: 000000014001E77B
ScreenToClient.USER32 ref: 000000014001E7A2

Part of subcall function 000000014001E054: GetMessagePos.USER32 ref: 000000014001E05D

SendMessageW.USER32 ref: 000000014001E833
PostMessageW.USER32 ref: 000000014001E87C
PostMessageW.USER32 ref: 000000014001E891

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: Message$Post$ClientScreen$Send
String ID:
API String ID: 1673922604-0
Opcode ID: eff630000e75b6635fd7ce34bc8a1178aba287e4ee3d992507275cc7034dc3c4
Instruction ID: 33a6f2a5eda9d745e43fd60cfac609350fbf9d2ab21fb76245bda778ffa167bb
Opcode Fuzzy Hash: eff630000e75b6635fd7ce34bc8a1178aba287e4ee3d992507275cc7034dc3c4
Instruction Fuzzy Hash: EE615E7261469187F7A68F26D490B9E3370F78CBD8F615111FB0A5BAA8DF76C881CB40

Function 0000000140024B40 Relevance: 15.7, APIs: 10, Instructions: 726COMMON

Download Yara Rule

APIs

Part of subcall function 00000001400220C4: _getptd.LIBCMT ref: 00000001400220DA

_errno.LIBCMT ref: 0000000140024BAB

Part of subcall function 0000000140021014: DecodePointer.KERNEL32 ref: 000000014002103B

DecodePointer.KERNEL32 ref: 000000014002519A
DecodePointer.KERNEL32 ref: 00000001400251DE
DecodePointer.KERNEL32 ref: 0000000140025205
write_multi_char.LIBCMT ref: 000000014002529B
write_multi_char.LIBCMT ref: 00000001400252D5
write_char.LIBCMT ref: 0000000140025326
write_multi_char.LIBCMT ref: 0000000140025380
free.LIBCMT ref: 00000001400253AB

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: DecodePointer$write_multi_char$_errno_getptdfreewrite_char
String ID:
API String ID: 2334620807-0
Opcode ID: 2a338c2d6e833b6ae6643e0c2e5d2d9a5699f611b987bbd0a0a1c8ef03c71091
Instruction ID: 4b9d7e0f6971e7051e8d2a1561cc8c53d52080545a6630c954abc71b42e9b8c6
Opcode Fuzzy Hash: 2a338c2d6e833b6ae6643e0c2e5d2d9a5699f611b987bbd0a0a1c8ef03c71091
Instruction Fuzzy Hash: B452D132608A9086FB72AB1694543FEAAA1F38D7C5F24401EFB4647AF4DB79CD50CB44

Function 000000014002B60C Relevance: 15.1, APIs: 10, Instructions: 106COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 000000014002B635
_errno.LIBCMT ref: 000000014002B63E
__doserrno.LIBCMT ref: 000000014002B68F
_errno.LIBCMT ref: 000000014002B696

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: 3f8c234d526b853f1d0a13f1c59d438bc8bcce9948453cc016890d01476ff734
Instruction ID: 77fa4cc82883ef6bec80cb48eb704d233a8196d33deb303c1f818e6df00008d3
Opcode Fuzzy Hash: 3f8c234d526b853f1d0a13f1c59d438bc8bcce9948453cc016890d01476ff734
Instruction Fuzzy Hash: D041D33261465086E3236FB7A9817DE7691A7C87A4F55461DBB250BBF3CB7CCC428B04

Function 000000014000117C Relevance: 15.0, APIs: 10, Instructions: 39clipboardstringmemoryCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32 ref: 0000000140001192
OpenClipboard.USER32 ref: 000000014000119E
EmptyClipboard.USER32 ref: 00000001400011A8
lstrlenW.KERNEL32 ref: 00000001400011B1
GlobalAlloc.KERNEL32 ref: 00000001400011C5
GlobalLock.KERNEL32 ref: 00000001400011D6
lstrcpyW.KERNEL32 ref: 00000001400011E2
GlobalUnlock.KERNEL32 ref: 00000001400011EB
SetClipboardData.USER32 ref: 00000001400011F9
CloseClipboard.USER32 ref: 00000001400011FF

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: Clipboard$Global$lstrlen$AllocCloseDataEmptyLockOpenUnlocklstrcpy
String ID:
API String ID: 3195042410-0
Opcode ID: 75e0d5cf2db84dc7fda820f8a848ac0d9242c06a47a0c6aa24a750ea17c90458
Instruction ID: 85a44d5501ab7578c0f238b17d38850853a42dde67f19c09d3a47778c34e0e44
Opcode Fuzzy Hash: 75e0d5cf2db84dc7fda820f8a848ac0d9242c06a47a0c6aa24a750ea17c90458
Instruction Fuzzy Hash: BC01E87530170282EE2BAB63B9583AA53A2BB4DFD2F444468AF16477B5DE3CC4588310

Function 000000014001FD20 Relevance: 13.8, APIs: 9, Instructions: 311windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014001F0F8: GetSysColor.USER32 ref: 000000014001F10B

CopyRect.USER32 ref: 000000014001FEA5
OffsetRect.USER32 ref: 000000014001FF41
ImageList_Draw.COMCTL32 ref: 000000014001FFB9
GetSysColorBrush.USER32 ref: 000000014001FFE1
GetMenuItemInfoW.USER32 ref: 0000000140020017
GetSystemMetrics.USER32 ref: 0000000140020030
GetSystemMetrics.USER32 ref: 000000014002003C
GetSystemMetrics.USER32 ref: 0000000140020048
SetBkMode.GDI32 ref: 00000001400200DD

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: MetricsSystem$ColorRect$BrushCopyDrawImageInfoItemList_MenuModeOffset
String ID:
API String ID: 397519409-0
Opcode ID: 8f9933e1d5d7a2f41f259a712545474b3aade06e28bf8e921787f3afa80b5938
Instruction ID: 94c3833fc9394bd3d134917a4699a55aa5f582c67a9c2af36899c981b9b3996c
Opcode Fuzzy Hash: 8f9933e1d5d7a2f41f259a712545474b3aade06e28bf8e921787f3afa80b5938
Instruction Fuzzy Hash: E4D19F726187808BD72ACF26E4407EEB7A1F789BC4F104219FB8557BA9DB39D845CB40

Function 0000000140029DB8 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 137fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32 ref: 0000000140029E7B
GetStdHandle.KERNEL32 ref: 0000000140029F87
WriteFile.KERNEL32 ref: 0000000140029FC1

Strings

Microsoft Visual C++ Runtime Library, xrefs: 0000000140029F6B
Runtime Error!Program: , xrefs: 0000000140029E3A
<program name unknown>, xrefs: 0000000140029E85
..., xrefs: 0000000140029EDE

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: File$HandleModuleNameWrite
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
API String ID: 3784150691-4022980321
Opcode ID: ef5d1f5f4c9133ff764559fb9911655840c363ca54683d4bd821b87feff13a4e
Instruction ID: cea4439f1d943ea7d018dacc00063387fbe6a7cd4c5ee0da0804236d002d3b59
Opcode Fuzzy Hash: ef5d1f5f4c9133ff764559fb9911655840c363ca54683d4bd821b87feff13a4e
Instruction Fuzzy Hash: 7951AA3130074141FBA7DB23BA657EA2356A78D7D8F90462ABF4987AF6CF3CC9058600

Function 0000000140020980 Relevance: 12.1, APIs: 8, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 0000000140024263
RtlLookupFunctionEntry.KERNEL32 ref: 0000000140024282
RtlVirtualUnwind.KERNEL32 ref: 00000001400242CE
IsDebuggerPresent.KERNEL32 ref: 0000000140024340
SetUnhandledExceptionFilter.KERNEL32 ref: 0000000140024358
UnhandledExceptionFilter.KERNEL32 ref: 0000000140024365
GetCurrentProcess.KERNEL32 ref: 000000014002437E
TerminateProcess.KERNEL32 ref: 000000014002438C

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerEntryFunctionLookupPresentTerminateUnwindVirtual
String ID:
API String ID: 3778485334-0
Opcode ID: a1d6ea9f31f7e586580eddbd16d237b3e1a2931ccaaa10f0ee09e0705401479e
Instruction ID: c789a2875958f30da99454a7855f3f5d5e74b33ed7efb307c3c197e7f1116c15
Opcode Fuzzy Hash: a1d6ea9f31f7e586580eddbd16d237b3e1a2931ccaaa10f0ee09e0705401479e
Instruction Fuzzy Hash: 4331E235105B8489EB52AB56F8403DA73A1F789794FA0041AFB8E437B5DF7CC499CB00

Function 0000000140020EEC Relevance: 12.1, APIs: 8, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 0000000140020F2B
RtlLookupFunctionEntry.KERNEL32 ref: 0000000140020F44
RtlVirtualUnwind.KERNEL32 ref: 0000000140020F82
IsDebuggerPresent.KERNEL32 ref: 0000000140020FC9
SetUnhandledExceptionFilter.KERNEL32 ref: 0000000140020FD3
UnhandledExceptionFilter.KERNEL32 ref: 0000000140020FDE
GetCurrentProcess.KERNEL32 ref: 0000000140020FF4
TerminateProcess.KERNEL32 ref: 0000000140021002

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerEntryFunctionLookupPresentTerminateUnwindVirtual
String ID:
API String ID: 3778485334-0
Opcode ID: 47002528f4cc524ad57f570c11931872c4db0255eb23ad5f9b3c731d41850263
Instruction ID: baa7dedf4cda339c85fe5ff51b142c4e251141e41940e2fe26a3b2cbf3d820cc
Opcode Fuzzy Hash: 47002528f4cc524ad57f570c11931872c4db0255eb23ad5f9b3c731d41850263
Instruction Fuzzy Hash: 86312D32208B8586EB669B56F4543DBB3A0F789795F500129EB8D43B69EF78C649CB00

Function 0000000140029144 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 171COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00000001400220C4: _getptd.LIBCMT ref: 00000001400220DA

_errno.LIBCMT ref: 0000000140029186

Part of subcall function 0000000140021014: DecodePointer.KERNEL32 ref: 000000014002103B

_errno.LIBCMT ref: 00000001400291C4
_errno.LIBCMT ref: 000000014002920C

Strings

e+000, xrefs: 000000014002929E
gfff, xrefs: 000000014002932B
-, xrefs: 0000000140029300

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: _errno$DecodePointer_getptd
String ID: -$e+000$gfff
API String ID: 2834218312-2620144452
Opcode ID: 9acf91ce678945ae429ac90e9590d5ad4a2bcf4e4ce1364059b5bae6fe850ad4
Instruction ID: 507b3c53bca52cdaac35193fe881df14eeb4631689afd028e9018d8888d1629d
Opcode Fuzzy Hash: 9acf91ce678945ae429ac90e9590d5ad4a2bcf4e4ce1364059b5bae6fe850ad4
Instruction Fuzzy Hash: 906149736047C096E726CB26A8813CE7B95F389BD8F588219FB5847BE6CB39C955C700

Function 00000001400315E8 Relevance: 10.6, APIs: 7, Instructions: 138COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 000000014003162E
_errno.LIBCMT ref: 000000014003169C
_errno.LIBCMT ref: 00000001400316A7
_errno.LIBCMT ref: 00000001400316DB
WideCharToMultiByte.KERNEL32 ref: 0000000140031776
GetLastError.KERNEL32 ref: 0000000140031796
_errno.LIBCMT ref: 00000001400317BC

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: _errno$ByteCharErrorLastMultiWide
String ID:
API String ID: 3895584640-0
Opcode ID: d1825ca0622f490be2a350b2715472adedd0baf391691fb023f8b8e99816b0be
Instruction ID: eb44eba026cf0ea227dc4931d4ea18a03b73082ed8c6cec3f4a485c9138ad7ae
Opcode Fuzzy Hash: d1825ca0622f490be2a350b2715472adedd0baf391691fb023f8b8e99816b0be
Instruction Fuzzy Hash: FD5183326086C08AE7739FA6E4513EFB790E3CD7D4F188129B79947AE5CE78C8418B15

Function 000000014002C1C4 Relevance: 9.3, APIs: 6, Instructions: 301COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000000014002C164: _errno.LIBCMT ref: 000000014002C16D

free.LIBCMT ref: 000000014002C2E6

Part of subcall function 00000001400233E0: HeapFree.KERNEL32 ref: 00000001400233F6
Part of subcall function 00000001400233E0: _errno.LIBCMT ref: 0000000140023400
Part of subcall function 00000001400233E0: GetLastError.KERNEL32 ref: 0000000140023408

Part of subcall function 0000000140024400: _errno.LIBCMT ref: 0000000140024418

___lc_codepage_func.LIBCMT ref: 000000014002C26F

Part of subcall function 0000000140020EEC: RtlCaptureContext.KERNEL32 ref: 0000000140020F2B
Part of subcall function 0000000140020EEC: RtlLookupFunctionEntry.KERNEL32 ref: 0000000140020F44
Part of subcall function 0000000140020EEC: RtlVirtualUnwind.KERNEL32 ref: 0000000140020F82
Part of subcall function 0000000140020EEC: IsDebuggerPresent.KERNEL32 ref: 0000000140020FC9
Part of subcall function 0000000140020EEC: SetUnhandledExceptionFilter.KERNEL32 ref: 0000000140020FD3
Part of subcall function 0000000140020EEC: UnhandledExceptionFilter.KERNEL32 ref: 0000000140020FDE
Part of subcall function 0000000140020EEC: GetCurrentProcess.KERNEL32 ref: 0000000140020FF4
Part of subcall function 0000000140020EEC: TerminateProcess.KERNEL32 ref: 0000000140021002

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: _errno$ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerEntryErrorFreeFunctionHeapLastLookupPresentTerminateUnwindVirtual___lc_codepage_funcfree
String ID:
API String ID: 1196105306-0
Opcode ID: 3932f37897961f7b70b5f62861b84904f2bc9eace79fd09d3a313583a432d24b
Instruction ID: 541f5b29676171b8f14d92ba491df789aba901029401b110fb960b3222a8f73b
Opcode Fuzzy Hash: 3932f37897961f7b70b5f62861b84904f2bc9eace79fd09d3a313583a432d24b
Instruction Fuzzy Hash: DFD1807622468085E736DF27E891BEA7796B38D7C0F544519BB8A537B6CB38CC91CB00

Function 000000014000352C Relevance: 9.2, APIs: 6, Instructions: 156stringfileCOMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00000001400035A5
_invalid_parameter_noinfo.LIBCMT ref: 00000001400035BD
lstrlenW.KERNEL32 ref: 00000001400035F0
FindFirstFileW.KERNEL32 ref: 0000000140003616
lstrlenW.KERNEL32 ref: 00000001400036BF
FindClose.KERNEL32 ref: 000000014000377C

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: Find_invalid_parameter_noinfolstrlen$CloseFileFirst
String ID:
API String ID: 3380813453-0
Opcode ID: ac996e620fb865ffe4305768c57e704f7dcad4ed10f29c8230e9e4e8e43649d1
Instruction ID: d71b91f46b01f1beaa89098f3e8f7983c18c27de211f2aecca55ffb5dd4a8ee0
Opcode Fuzzy Hash: ac996e620fb865ffe4305768c57e704f7dcad4ed10f29c8230e9e4e8e43649d1
Instruction Fuzzy Hash: 8A714C72218B8086EB62DB26E4443DAB364F7887E5F445211FBAE476EADF78C444CB40

Function 000000014000B4AC Relevance: 9.1, APIs: 6, Instructions: 128libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32 ref: 000000014000B501
FindResourceW.KERNEL32 ref: 000000014000B529
FreeLibrary.KERNEL32 ref: 000000014000B65A

Part of subcall function 00000001400088D0: GetLastError.KERNEL32 ref: 00000001400088D4

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: Library$ErrorFindFreeLastLoadResource
String ID:
API String ID: 3418355812-0
Opcode ID: f8a7afd736b60cf97253cd329281692ca9e144958beda2c4d90f0060fde7fe35
Instruction ID: 38c978011b2bd899206312611df8c2dd3227b3caf0cb91059037025d07f87c12
Opcode Fuzzy Hash: f8a7afd736b60cf97253cd329281692ca9e144958beda2c4d90f0060fde7fe35
Instruction Fuzzy Hash: E55160B1604B8086EA22DB27B44439A63E1F78DBD4F544625FB9E43BB5DF3CC4418B04

Function 00000001400294A8 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 298COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00000001400220C4: _getptd.LIBCMT ref: 00000001400220DA

_errno.LIBCMT ref: 00000001400294FD

Part of subcall function 0000000140021014: DecodePointer.KERNEL32 ref: 000000014002103B

_errno.LIBCMT ref: 000000014002953C
_errno.LIBCMT ref: 000000014002957F

Strings

gfffffff, xrefs: 0000000140029869
0, xrefs: 00000001400294E3

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: _errno$DecodePointer_getptd
String ID: 0$gfffffff
API String ID: 2834218312-1804767287
Opcode ID: 3b1e3a7a69c499aa407524f3f5858aabada78ddbd5e88c6318303ee1723d9822
Instruction ID: 44e79a8c90f9becbce38d99e63e1e20309a0d0db36a6b60bb658f59e7a448b8f
Opcode Fuzzy Hash: 3b1e3a7a69c499aa407524f3f5858aabada78ddbd5e88c6318303ee1723d9822
Instruction Fuzzy Hash: 33B134727187C846EB228B2AE1453EE7BA5F75A7D0F14821AEB59077E6DA39C851C300

Function 0000000140011A04 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 56windowCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32 ref: 0000000140011A3F
ShellExecuteExW.SHELL32 ref: 0000000140011AB3
PostQuitMessage.USER32 ref: 0000000140011AC2

Strings

runas, xrefs: 0000000140011A9A
p, xrefs: 0000000140011A55

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: ExecuteFileMessageModuleNamePostQuitShell
String ID: p$runas
API String ID: 336066014-3312006974
Opcode ID: 9564bdc89f7b0902a8eda47ab24fa3d56a4b843f059df2dce31138d0e04cbfa7
Instruction ID: c1424f956143a5a1578768159312e5afcc8add31ac4baff4747b376e2a10b5a6
Opcode Fuzzy Hash: 9564bdc89f7b0902a8eda47ab24fa3d56a4b843f059df2dce31138d0e04cbfa7
Instruction Fuzzy Hash: FC213D32225A4082E762DB26E8953DA73A0F7C97A4F541315B7AA476F6DF3CC444CB40

Function 000000014002BDB4 Relevance: 7.7, APIs: 5, Instructions: 233COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 000000014002BDD7

Part of subcall function 0000000140021014: DecodePointer.KERNEL32 ref: 000000014002103B

_errno.LIBCMT ref: 000000014002BE1A
__tzset.LIBCMT ref: 000000014002BE37
_isindst.LIBCMT ref: 000000014002BEE0

Part of subcall function 000000014002BAE8: _errno.LIBCMT ref: 000000014002BB0A

_isindst.LIBCMT ref: 000000014002BF34

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: _errno$_isindst$DecodePointer__tzset
String ID:
API String ID: 1966732829-0
Opcode ID: 58374c1b2a2f98f4847a6bc07e68b6fd87aa77f6339a3e590ec2414bcab38c0a
Instruction ID: cc784e64a2b287267bbb50f2fa7d905aac11e1f5bf70add13bdc742dcb0b26f9
Opcode Fuzzy Hash: 58374c1b2a2f98f4847a6bc07e68b6fd87aa77f6339a3e590ec2414bcab38c0a
Instruction Fuzzy Hash: 2E91D4B271074587EB699F2AD9517E97791E7987C4F04C03DFB098BBA6EB38D9018B00

Function 0000000140021F7C Relevance: 7.6, APIs: 5, Instructions: 92COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000000140021FAE

Part of subcall function 0000000140021014: DecodePointer.KERNEL32 ref: 000000014002103B

_errno.LIBCMT ref: 0000000140021FE2

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: _errno$DecodePointer
String ID:
API String ID: 2310398763-0
Opcode ID: 4eb49a82fd37e2eec9ed965f68739e53691a6e0333091df4ca9a68fcaca3d5fb
Instruction ID: c21c6326dda0c781092b440910cde773b26aa409ace8e3d10dc354a4d884e3e4
Opcode Fuzzy Hash: 4eb49a82fd37e2eec9ed965f68739e53691a6e0333091df4ca9a68fcaca3d5fb
Instruction Fuzzy Hash: B831D63571424056F722ABB3A942BDF7191B79C7C8F50482CBB4A87BA6DB7DCD518B00

Function 000000014000235C Relevance: 7.5, APIs: 5, Instructions: 32clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0000000140002372
GetClipboardData.USER32 ref: 000000014000237F
GlobalLock.KERNEL32 ref: 0000000140002390

Part of subcall function 0000000140002048: lstrlenA.KERNEL32 ref: 000000014000206C
Part of subcall function 0000000140002048: MultiByteToWideChar.KERNEL32 ref: 00000001400020EA
Part of subcall function 0000000140002048: lstrlenW.KERNEL32 ref: 0000000140002106

GlobalUnlock.KERNEL32 ref: 00000001400023A9
CloseClipboard.USER32 ref: 00000001400023B4

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: Clipboard$Globallstrlen$ByteCharCloseDataLockMultiOpenUnlockWide
String ID:
API String ID: 1403404304-0
Opcode ID: a7b6c9a52cc8f421cca6d1a929aa9a08007fea4829d6aa6b41a34c4b6bb3f73e
Instruction ID: c37f6d32d26034defeedc8312d50fc132ccb4fc55c1db35c2e6f7c069010cb4d
Opcode Fuzzy Hash: a7b6c9a52cc8f421cca6d1a929aa9a08007fea4829d6aa6b41a34c4b6bb3f73e
Instruction Fuzzy Hash: 04F0EC7220578143EA569F53B8543AA63A1A74CBC0F488874BF1A47765CF7C89858704

Function 000000014002379C Relevance: 4.7, APIs: 3, Instructions: 188COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 00000001400237B8

Part of subcall function 0000000140021014: DecodePointer.KERNEL32 ref: 000000014002103B

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: DecodePointer_errno
String ID:
API String ID: 3485708101-0
Opcode ID: 3e459024ea0e7e06ff0298b100436c5b676e8d99ce8dacbc8232de5f55b9a46a
Instruction ID: c81967f0ea978885d90790be491030c42e636d1140ac246318cf2aafead7618e
Opcode Fuzzy Hash: 3e459024ea0e7e06ff0298b100436c5b676e8d99ce8dacbc8232de5f55b9a46a
Instruction Fuzzy Hash: D27108B3B1074582EF69CB26D4527E9A391E798784F41812AFB4D8B7E6EF3CC9058701

Function 000000014002F9A8 Relevance: 4.6, APIs: 3, Instructions: 90COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 000000014002F9D1

Part of subcall function 0000000140021014: DecodePointer.KERNEL32 ref: 000000014002103B

_errno.LIBCMT ref: 000000014002FA08

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: _errno$DecodePointer
String ID:
API String ID: 2310398763-0
Opcode ID: 040e57844b95b1aac0f5d3d908b9dd3dc0278b2e859fb3a9c4398a2b5762fcfb
Instruction ID: 8e884d629428016955043b00ce2b1038ff1335f38ad460863ea57737f821ece9
Opcode Fuzzy Hash: 040e57844b95b1aac0f5d3d908b9dd3dc0278b2e859fb3a9c4398a2b5762fcfb
Instruction Fuzzy Hash: C331C53271468183F7669F66A4427EE7691E7C87D4F14822DBB898BAE5CF3DCC019B00

Function 000000014002E33C Relevance: 4.5, APIs: 3, Instructions: 35COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 000000014002E37B
SetUnhandledExceptionFilter.KERNEL32 ref: 000000014002E3C1
UnhandledExceptionFilter.KERNEL32 ref: 000000014002E3CC

Part of subcall function 0000000140029DB8: GetModuleFileNameA.KERNEL32 ref: 0000000140029E7B

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextFileModuleName
String ID:
API String ID: 2731829486-0
Opcode ID: 8fe18963ab3640381c1b7b539030e41c9e85d820ed06073e74d6d3147bdfe559
Instruction ID: 75e9627e1f95d8188a63dc29fe44c50bd00d95cafe5b697357f290464913ad4c
Opcode Fuzzy Hash: 8fe18963ab3640381c1b7b539030e41c9e85d820ed06073e74d6d3147bdfe559
Instruction Fuzzy Hash: F7014031214B8442EA779B62E4553DB63A0FB8D785F040129BB8E07BB6DF3CC9048B11

Function 000000014002D264 Relevance: 3.2, APIs: 2, Instructions: 228COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 000000014002D4DB
RaiseException.KERNEL32 ref: 000000014002D4EC

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: ExceptionRaise_clrfp
String ID:
API String ID: 15204871-0
Opcode ID: b7cbde301a3a9ff193e40c0b0aea68397e57a048c5837e5ab6fd878f6a4a7d33
Instruction ID: 9427c14b2d3d450674ee58f4cbbfd9749e1946679eaf59cd43d2996d14561614
Opcode Fuzzy Hash: b7cbde301a3a9ff193e40c0b0aea68397e57a048c5837e5ab6fd878f6a4a7d33
Instruction Fuzzy Hash: 96B13A37625B8887EB56CF1AD04575DBBA0F388B84F15911AEB9A837B4CB79CC41CB00

Function 000000014002BAE8 Relevance: 3.2, APIs: 2, Instructions: 208COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 000000014002BB0A

Part of subcall function 0000000140021014: DecodePointer.KERNEL32 ref: 000000014002103B

_errno.LIBCMT ref: 000000014002BB52

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: _errno$DecodePointer
String ID:
API String ID: 2310398763-0
Opcode ID: 62b50e914ff5b5f096aab9f4c7bd816813a68ef589ae6c6adac63eedef23e6db
Instruction ID: 9f6dca5cf2168be29d42bde10df588497ab621f9784375a9351e711b5768f408
Opcode Fuzzy Hash: 62b50e914ff5b5f096aab9f4c7bd816813a68ef589ae6c6adac63eedef23e6db
Instruction Fuzzy Hash: E7610DB2B1164947DB1DCB19D8517A89257E3DC784F58C53AFB098FBE9EA3CD9014700

Function 0000000140022DB4 Relevance: 3.2, APIs: 2, Instructions: 177COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000000140022DF8
_errno.LIBCMT ref: 0000000140022FD9

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: _errno
String ID:
API String ID: 2918714741-0
Opcode ID: 008ddf8118d2a675a53ca7f040f092817eadcabe9b24cfaf17f3a9c542cbd953
Instruction ID: 6a58b7e3cf08394905035cbfad16f77bb43de518597e504e9fe72aa480055201
Opcode Fuzzy Hash: 008ddf8118d2a675a53ca7f040f092817eadcabe9b24cfaf17f3a9c542cbd953
Instruction Fuzzy Hash: 4051F83130529052FA669BA796007E96690B78CBE4F148B39BF7957FF5CB38CC525700

Function 0000000140032E34 Relevance: 2.1, APIs: 1, Instructions: 633COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000000140032E9F

Part of subcall function 0000000140021014: DecodePointer.KERNEL32 ref: 000000014002103B

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: DecodePointer_errno
String ID:
API String ID: 3485708101-0
Opcode ID: dfac3def6e4679d2c42f2156e86edb6683207ff314f40f1f9f01a8c8e6f99243
Instruction ID: 34243789452c12b1186d30612953d42e5bc0a683d6c6e04561ab5f5cf05f726c
Opcode Fuzzy Hash: dfac3def6e4679d2c42f2156e86edb6683207ff314f40f1f9f01a8c8e6f99243
Instruction Fuzzy Hash: D732CF766182848AF7678E5BD0D17EFA7A2F3587C4F904026FB8643BE5D639C985CB00

Function 0000000140008924 Relevance: 1.5, APIs: 1, Instructions: 33comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32 ref: 0000000140008966

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: e19f7bf19f57a8d65e39874363c9333e2753856c09bbc3d03c87624729b817b1
Instruction ID: f5659001896022c0f7836767a070d56e8f9610552ef70e7070a010b649cd089f
Opcode Fuzzy Hash: e19f7bf19f57a8d65e39874363c9333e2753856c09bbc3d03c87624729b817b1
Instruction Fuzzy Hash: DE01FB76604A4692EB22CF16F4503AAB3A1F798BD8F588421EF9947638DF39C456C701

Function 00000001400328F0 Relevance: 1.5, APIs: 1, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32 ref: 0000000140032918

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 466d1670c5bce286a0daef306080a13856fabe08137c35c4eb8beab9799a7278
Instruction ID: 1f3cb64077bd9531e28c12e72072f9be53a2f9401bfe88423e5feaea1d5e02d7
Opcode Fuzzy Hash: 466d1670c5bce286a0daef306080a13856fabe08137c35c4eb8beab9799a7278
Instruction Fuzzy Hash: F5E0ED75618A8081FB339722E8513DB67A0E79D7D8F900316FB9D576B6DA3CC2468B00

Function 000000014002DDC0 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 000000014002DDCB

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: d937f9d3e8b2bd48224f9ec4fd393822044444bc02b974ed7697fbe7a9c2030c
Instruction ID: bf3788297e14b85cdde9da6e369f98fe0d49daf15a2899e470153e95660d48bb
Opcode Fuzzy Hash: d937f9d3e8b2bd48224f9ec4fd393822044444bc02b974ed7697fbe7a9c2030c
Instruction Fuzzy Hash: 88B01270B11D40C1F706AB33EC813D223B0A75CB50FD00C93D20982270DA3C8ADB8700

Function 0000000140033730 Relevance: .8, Instructions: 795COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8a818c2d1b71a107525404a977239508cccf6b5f4e993f1b846d85c679fbc0e
Instruction ID: 0bcbfae16171d9c580330ad88bc086f923da016e4890cddef9f8e1bfce5cd00e
Opcode Fuzzy Hash: a8a818c2d1b71a107525404a977239508cccf6b5f4e993f1b846d85c679fbc0e
Instruction Fuzzy Hash: 2462F2736186908BE7278F2AE040B9FBBE1F398784FA49115F78547AA5D739D941CF00

Function 000000014002C664 Relevance: .2, Instructions: 202COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68742e373aa55f01ecae086dc066fe510b444c2a4ac05c5f5a437dbcd332a052
Instruction ID: ab8a1e59ac98f0a2fc87a494b9400f92d420d009f8a740be5d856526f550a658
Opcode Fuzzy Hash: 68742e373aa55f01ecae086dc066fe510b444c2a4ac05c5f5a437dbcd332a052
Instruction Fuzzy Hash: 1C71C776B142454BD35DCB29D941B9C7696E3EC384F589129FB06CBFA4EA35DD008B00

Function 0000000140034758 Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14248f0eb354f1b2a825556ee673fe211df960756756c125f80a840440616ad8
Instruction ID: 7260b25eb20c8cf91aaf9ca1364f7693766f1e711fb5deeb9d1712f7c22decc9
Opcode Fuzzy Hash: 14248f0eb354f1b2a825556ee673fe211df960756756c125f80a840440616ad8
Instruction Fuzzy Hash: 0561B2776106918BE75ACF2AD050B5EB7E1F388B8CF54D029EB058B798DB38E845CB40

Function 00000001400305E8 Relevance: 53.8, APIs: 43, Instructions: 94COMMONLIBRARYCODE

Download Yara Rule

APIs

free.LIBCMT ref: 00000001400305FD

Part of subcall function 00000001400233E0: HeapFree.KERNEL32 ref: 00000001400233F6
Part of subcall function 00000001400233E0: _errno.LIBCMT ref: 0000000140023400
Part of subcall function 00000001400233E0: GetLastError.KERNEL32 ref: 0000000140023408

free.LIBCMT ref: 0000000140030606
free.LIBCMT ref: 000000014003060F
free.LIBCMT ref: 0000000140030618
free.LIBCMT ref: 0000000140030621
free.LIBCMT ref: 000000014003062A
free.LIBCMT ref: 0000000140030632
free.LIBCMT ref: 000000014003063B
free.LIBCMT ref: 0000000140030644
free.LIBCMT ref: 000000014003064D
free.LIBCMT ref: 0000000140030656
free.LIBCMT ref: 000000014003065F
free.LIBCMT ref: 0000000140030668
free.LIBCMT ref: 0000000140030671
free.LIBCMT ref: 000000014003067A
free.LIBCMT ref: 0000000140030683
free.LIBCMT ref: 000000014003068F
free.LIBCMT ref: 000000014003069B
free.LIBCMT ref: 00000001400306A7
free.LIBCMT ref: 00000001400306B3
free.LIBCMT ref: 00000001400306BF
free.LIBCMT ref: 00000001400306CB
free.LIBCMT ref: 00000001400306D7
free.LIBCMT ref: 00000001400306E3
free.LIBCMT ref: 00000001400306EF
free.LIBCMT ref: 00000001400306FB
free.LIBCMT ref: 0000000140030707
free.LIBCMT ref: 0000000140030713
free.LIBCMT ref: 000000014003071F
free.LIBCMT ref: 000000014003072B
free.LIBCMT ref: 0000000140030737
free.LIBCMT ref: 0000000140030743
free.LIBCMT ref: 000000014003074F
free.LIBCMT ref: 000000014003075B
free.LIBCMT ref: 0000000140030767
free.LIBCMT ref: 0000000140030773
free.LIBCMT ref: 000000014003077F
free.LIBCMT ref: 000000014003078B
free.LIBCMT ref: 0000000140030797
free.LIBCMT ref: 00000001400307A3
free.LIBCMT ref: 00000001400307AF
free.LIBCMT ref: 00000001400307BB
free.LIBCMT ref: 00000001400307C7

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: free$ErrorFreeHeapLast_errno
String ID:
API String ID: 1012874770-0
Opcode ID: 2b9ca906a177cd4df12e7967b6808e0be8713f438521b22a9fb15ca3d5003208
Instruction ID: 5318e1f4523c63a4f36c711186424246fdae5e5122f40aa2221e255e4ea43636
Opcode Fuzzy Hash: 2b9ca906a177cd4df12e7967b6808e0be8713f438521b22a9fb15ca3d5003208
Instruction Fuzzy Hash: B041623261154481EA56EB77C8A23ED1321AF88BC4F044136BF4E9B6B7CE32CE55C392

Function 000000014000CE04 Relevance: 49.3, APIs: 22, Strings: 6, Instructions: 253stringfilememoryCOMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32 ref: 000000014000CE53

Part of subcall function 0000000140001F00: lstrlenA.KERNEL32 ref: 0000000140001F2E
Part of subcall function 0000000140001F00: MultiByteToWideChar.KERNEL32 ref: 0000000140001F73
Part of subcall function 0000000140001F00: lstrlenW.KERNEL32 ref: 0000000140001F8F

Part of subcall function 000000014000AAE0: lstrlenW.KERNEL32 ref: 000000014000AB10
Part of subcall function 000000014000AAE0: lstrlenW.KERNEL32 ref: 000000014000AB8C

DeleteFileW.KERNEL32 ref: 000000014000CF3B
lstrlenW.KERNEL32 ref: 000000014000CF54
lstrlenW.KERNEL32 ref: 000000014000CF7F
lstrlenW.KERNEL32 ref: 000000014000CF9B
lstrlenW.KERNEL32 ref: 000000014000CFBE
lstrlenW.KERNEL32 ref: 000000014000CFD6
lstrlenW.KERNEL32 ref: 000000014000D000
lstrlenW.KERNEL32 ref: 000000014000D018
lstrlenW.KERNEL32 ref: 000000014000D030
lstrlenW.KERNEL32 ref: 000000014000D04C
lstrlenW.KERNEL32 ref: 000000014000D078
lstrlenW.KERNEL32 ref: 000000014000D090
lstrlenW.KERNEL32 ref: 000000014000D0A8
lstrlenW.KERNEL32 ref: 000000014000D0D8
lstrlenW.KERNEL32 ref: 000000014000D0F0
CreateFileW.KERNEL32 ref: 000000014000D12C
WriteFile.KERNEL32 ref: 000000014000D168
SysAllocStringLen.OLEAUT32 ref: 000000014000D174
WriteFile.KERNEL32 ref: 000000014000D19F
CloseHandle.KERNEL32 ref: 000000014000D1A8
ShellExecuteW.SHELL32 ref: 000000014000D1CD

Strings

.txt, xrefs: 000000014000CF25
##=, xrefs: 000000014000D045, 000000014000D052
and Language Name : German / Deutsch , xrefs: 000000014000CF94, 000000014000CFA1
Please don't forget! Write in e-mail subject: Strings for: , xrefs: 000000014000CF4D, 000000014000CF5A
translate_, xrefs: 000000014000CF05
open, xrefs: 000000014000D1C4

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: lstrlen$File$Write$AllocByteCharCloseCreateDeleteExecuteHandleMultiPathShellStringTempWide
String ID: Please don't forget! Write in e-mail subject: Strings for: $ and Language Name : German / Deutsch $##=$.txt$open$translate_
API String ID: 2433048188-2236905139
Opcode ID: c8396e524c21905edb1ef91da888cd6253bbd485d97350fdfc870cb24f61a7b7
Instruction ID: 6e609fe32b2c22c87a4bcb0ab6e4968d2e24e97c084290480a6d0db3cac2a30f
Opcode Fuzzy Hash: c8396e524c21905edb1ef91da888cd6253bbd485d97350fdfc870cb24f61a7b7
Instruction Fuzzy Hash: 93C12D72214A4192EB13DB26E8543EB6361F7C97E5F544222FB6A43AF6DF38C909C740

Function 0000000140005ECC Relevance: 47.7, APIs: 9, Strings: 18, Instructions: 468windowstringCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32 ref: 0000000140005F43
lstrlenW.KERNEL32 ref: 0000000140005F61
CharLowerW.USER32 ref: 0000000140005F8A

Part of subcall function 0000000140001F00: lstrlenA.KERNEL32 ref: 0000000140001F2E
Part of subcall function 0000000140001F00: MultiByteToWideChar.KERNEL32 ref: 0000000140001F73
Part of subcall function 0000000140001F00: lstrlenW.KERNEL32 ref: 0000000140001F8F

GetWindowLongPtrW.USER32 ref: 0000000140006033
SetWindowLongPtrW.USER32 ref: 000000014000604C
GetWindowLongW.USER32 ref: 000000014000610B
SendMessageW.USER32 ref: 00000001400064D4
SendMessageW.USER32 ref: 00000001400064EC

Part of subcall function 000000014000E248: LoadLibraryW.KERNEL32 ref: 000000014000E273
Part of subcall function 000000014000E248: GetProcAddress.KERNEL32 ref: 000000014000E28F

CallNextHookEx.USER32 ref: 0000000140006633

Strings

sysheader32, xrefs: 00000001400061CD
, xrefs: 00000001400064C2
combobox, xrefs: 00000001400062C1
systreeview32, xrefs: 0000000140006457
#32768, xrefs: 0000000140005F90
sysdatetimepick32, xrefs: 00000001400063FA
rebarwindow32, xrefs: 0000000140006539
syslistview32, xrefs: 000000014000622E
edit, xrefs: 00000001400062F1
comboboxex32, xrefs: 0000000140006289
msctls_statusbar32, xrefs: 0000000140006594
Groupbox, xrefs: 0000000140006119
button, xrefs: 0000000140006099
Explorer, xrefs: 00000001400060ED
systabcontrol32, xrefs: 0000000140006172
#32770, xrefs: 0000000140005FD6
static, xrefs: 0000000140006052
toolbarwindow32, xrefs: 00000001400064F2

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: LongWindowlstrlen$CharMessageSend$AddressByteCallClassHookLibraryLoadLowerMultiNameNextProcWide
String ID: $#32768$#32770$Explorer$Groupbox$button$combobox$comboboxex32$edit$msctls_statusbar32$rebarwindow32$static$sysdatetimepick32$sysheader32$syslistview32$systabcontrol32$systreeview32$toolbarwindow32
API String ID: 3800115462-3950342425
Opcode ID: 93fa2cd6f119f3e49d941c07ff4c980bb940f16bc4bb7a1760a131b72911d191
Instruction ID: c519bd17110ed3c7fd0d1e0eebe891a36b1000b06720ac5d25bb1e912f6e9245
Opcode Fuzzy Hash: 93fa2cd6f119f3e49d941c07ff4c980bb940f16bc4bb7a1760a131b72911d191
Instruction Fuzzy Hash: B12290B2200A8192EA63DF27E8913EE6361F78C7D4F484111FB1993AB6DF7DC9468741

Function 0000000140005BD0 Relevance: 42.1, APIs: 22, Strings: 2, Instructions: 148windowstringCOMMON

Download Yara Rule

APIs

CallWindowProcW.USER32 ref: 0000000140005C18
GetDC.USER32 ref: 0000000140005C21
GetClientRect.USER32 ref: 0000000140005C49

Part of subcall function 0000000140001F00: lstrlenA.KERNEL32 ref: 0000000140001F2E
Part of subcall function 0000000140001F00: MultiByteToWideChar.KERNEL32 ref: 0000000140001F73
Part of subcall function 0000000140001F00: lstrlenW.KERNEL32 ref: 0000000140001F8F

GetWindowTextW.USER32 ref: 0000000140005C7C
lstrlenW.KERNEL32 ref: 0000000140005C94
SendMessageW.USER32 ref: 0000000140005CB3
SelectObject.GDI32 ref: 0000000140005CBF
SetBkMode.GDI32 ref: 0000000140005CD0
SetTextColor.GDI32 ref: 0000000140005CE0
SetBkColor.GDI32 ref: 0000000140005CEF
GetSystemMetrics.USER32 ref: 0000000140005CFA
DrawTextW.USER32 ref: 0000000140005D1D
SetBkMode.GDI32 ref: 0000000140005D28
SelectObject.GDI32 ref: 0000000140005D34
ReleaseDC.USER32 ref: 0000000140005D3F
GetParent.USER32 ref: 0000000140005D7E
GetParent.USER32 ref: 0000000140005D87
MapWindowPoints.USER32 ref: 0000000140005DB7
OffsetWindowOrgEx.GDI32 ref: 0000000140005DCE
SendMessageW.USER32 ref: 0000000140005DE2
OffsetWindowOrgEx.GDI32 ref: 0000000140005E01
CallWindowProcW.USER32 ref: 0000000140005E21

Strings

, xrefs: 0000000140005CE6
-------------, xrefs: 0000000140005C4F

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: Window$Textlstrlen$CallColorMessageModeObjectOffsetParentProcSelectSend$ByteCharClientDrawMetricsMultiPointsRectReleaseSystemWide
String ID: $-------------
API String ID: 2844040763-333830642
Opcode ID: ff7de811299c57b8170fea9cf05f8785fe589cb8a552c0c9f363798b5abb4639
Instruction ID: 2d393f61da206b7981ea66a2af02f260ba6d198776ffaa33381884ffbe57976f
Opcode Fuzzy Hash: ff7de811299c57b8170fea9cf05f8785fe589cb8a552c0c9f363798b5abb4639
Instruction Fuzzy Hash: 46610972204B8086EB66DF12E85879AB3A5F78DBD1F145265EF5A03B78DF38C549CB00

Function 00000001400094C4 Relevance: 38.8, APIs: 19, Strings: 3, Instructions: 287stringmemoryCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32 ref: 0000000140009520
CoTaskMemAlloc.OLE32 ref: 0000000140009551
CoTaskMemFree.OLE32 ref: 000000014000956B
CharNextW.USER32 ref: 00000001400095D1
CharNextW.USER32 ref: 00000001400095DE
CharNextW.USER32 ref: 00000001400095EB
CharNextW.USER32 ref: 00000001400095F8
lstrlenW.KERNEL32 ref: 000000014000960E
CharNextW.USER32 ref: 000000014000964A
CharNextW.USER32 ref: 000000014000965E
lstrlenW.KERNEL32 ref: 00000001400096B3
CharNextW.USER32 ref: 00000001400096EA
CharNextW.USER32 ref: 000000014000973B
EnterCriticalSection.KERNEL32 ref: 00000001400097C2
LeaveCriticalSection.KERNEL32 ref: 00000001400097DC
lstrlenW.KERNEL32 ref: 00000001400097F3
CharNextW.USER32 ref: 000000014000981C

Part of subcall function 0000000140008B5C: CoTaskMemRealloc.OLE32 ref: 0000000140008BC8

CharNextW.USER32 ref: 0000000140009855
CoTaskMemFree.OLE32 ref: 00000001400098E6

Strings

HKCR, xrefs: 00000001400095B2
}}, xrefs: 00000001400096AC, 00000001400096BC
HKCU{Software{Classes, xrefs: 0000000140009607, 0000000140009617

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: CharNext$Tasklstrlen$CriticalFreeSection$AllocEnterLeaveRealloc
String ID: }}$HKCR$HKCU{Software{Classes
API String ID: 612149696-1142484189
Opcode ID: 3fd01e7b1163ed06309d74709cdd4697ded98e8e42741ed17219a4fc33e35ddf
Instruction ID: 05c030b2901b8f26215cd0b29ce18dcad0245e4277a1b43c9d8bce5a2ec7569c
Opcode Fuzzy Hash: 3fd01e7b1163ed06309d74709cdd4697ded98e8e42741ed17219a4fc33e35ddf
Instruction Fuzzy Hash: BCC16AB2615A4086EB63DB12F8503ED63A0F38DBD4F548116FB4A4BBB5DF79C9858340

Function 0000000140004728 Relevance: 34.7, APIs: 23, Instructions: 184windowtimeCOMMON

Download Yara Rule

APIs

EndDialog.USER32 ref: 00000001400047BE
GetSystemMetrics.USER32 ref: 00000001400047CE
GetSystemMetrics.USER32 ref: 00000001400047DB
LoadImageW.USER32 ref: 0000000140004803
GetSystemMetrics.USER32 ref: 000000014000480F
GetSystemMetrics.USER32 ref: 000000014000481A
LoadImageW.USER32 ref: 0000000140004839
SendMessageW.USER32 ref: 000000014000484D
SendMessageW.USER32 ref: 000000014000485E
SetTimer.USER32 ref: 0000000140004882
SetWindowTextW.USER32 ref: 0000000140004899
LoadMenuW.USER32 ref: 00000001400048B2
SetMenu.USER32 ref: 00000001400048BF
CreateMenu.USER32 ref: 00000001400048C5
CreatePopupMenu.USER32 ref: 00000001400048CE
CreatePopupMenu.USER32 ref: 00000001400048D7
AppendMenuW.USER32 ref: 00000001400048FC
AppendMenuW.USER32 ref: 0000000140004920
AppendMenuW.USER32 ref: 000000014000493F
AppendMenuW.USER32 ref: 000000014000495B
AppendMenuW.USER32 ref: 000000014000497A
AppendMenuW.USER32 ref: 0000000140004999
SetMenu.USER32 ref: 00000001400049A6

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: Menu$Append$MetricsSystem$CreateLoad$ImageMessagePopupSend$DialogTextTimerWindow
String ID:
API String ID: 3533344478-0
Opcode ID: b97a6207998817724dbcef747c92f77b8d263b3011a9af9bc5e071333983fcba
Instruction ID: 6c51b1b7e23fb72ab67962e62b05478897af4d89763ad049133d25a7f5348037
Opcode Fuzzy Hash: b97a6207998817724dbcef747c92f77b8d263b3011a9af9bc5e071333983fcba
Instruction Fuzzy Hash: 0D719CB561865086E722EB23F848BEA63A1F78DBC5F504125BF0A07BB9DF3CC5498700

Function 000000014002AE8C Relevance: 30.5, APIs: 20, Instructions: 485COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 000000014002AEBF
_errno.LIBCMT ref: 000000014002AEC8
__doserrno.LIBCMT ref: 000000014002AF22
_errno.LIBCMT ref: 000000014002AF29

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: 0329c8a0359cb3f0a7e8e5aa197fc3859766d75684d7961f707a99775b7d8901
Instruction ID: 68c4b659af6f3ade7700144e37872b548d3a54c17c1577b02749d4f322554173
Opcode Fuzzy Hash: 0329c8a0359cb3f0a7e8e5aa197fc3859766d75684d7961f707a99775b7d8901
Instruction Fuzzy Hash: 5322C372208B9482E7639B56A4843ED7B91F789BD4F588109FB5A077F6DB38CD85C301

Function 0000000140005558 Relevance: 30.0, APIs: 16, Strings: 1, Instructions: 293stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

CharNextW.USER32 ref: 00000001400055B1
CharNextW.USER32 ref: 0000000140005608
CharNextW.USER32 ref: 000000014000563C
CharNextW.USER32 ref: 0000000140005657
CharNextW.USER32 ref: 0000000140005670
CharNextW.USER32 ref: 00000001400056BB
CharNextW.USER32 ref: 00000001400056FA
OutputDebugStringW.KERNEL32 ref: 0000000140005791
DebugBreak.KERNEL32 ref: 0000000140005797
lstrlenW.KERNEL32 ref: 00000001400057B8
lstrlenA.KERNEL32 ref: 00000001400057D8
CharNextW.USER32 ref: 00000001400058B5
CharNextW.USER32 ref: 00000001400058C7
wvsprintfW.USER32 ref: 000000014000590C
lstrlenW.KERNEL32 ref: 000000014000591D

Strings

Floating point (%%e, %%f, %%g, and %%G) is not supported by the WTL::CString class., xrefs: 000000014000578A

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: CharNext$lstrlen$Debug$BreakOutputStringwvsprintf
String ID: Floating point (%%e, %%f, %%g, and %%G) is not supported by the WTL::CString class.
API String ID: 437668353-233888011
Opcode ID: 47731f3bae297d16c4b27dc1d2ee2b8e062dba05732c235a0b2093117568696e
Instruction ID: 66e62ce65dd890726ba853ae6152a817950b16c58c767dc0e303e8d0c4688ee3
Opcode Fuzzy Hash: 47731f3bae297d16c4b27dc1d2ee2b8e062dba05732c235a0b2093117568696e
Instruction Fuzzy Hash: 8AB1B5B660464181FA7AFB17B5583FF2291B74EBC2F948025EF0B536F4DA79C8809352

Function 0000000140026470 Relevance: 26.6, APIs: 11, Strings: 4, Instructions: 337COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0000000140021540: RtlLookupFunctionEntry.KERNEL32 ref: 00000001400215B4

__GetUnwindTryBlock.LIBCMT ref: 00000001400264E1
__SetUnwindTryBlock.LIBCMT ref: 0000000140026509

Part of subcall function 0000000140021158: RaiseException.KERNEL32 ref: 00000001400211D8

__GetUnwindTryBlock.LIBCMT ref: 0000000140026513
_getptd.LIBCMT ref: 0000000140026568
_getptd.LIBCMT ref: 000000014002657A
_getptd.LIBCMT ref: 0000000140026586
_SetThrowImageBase.LIBCMT ref: 00000001400265A3
_getptd.LIBCMT ref: 00000001400265F3
_getptd.LIBCMT ref: 0000000140026605
_getptd.LIBCMT ref: 0000000140026611
_getptd.LIBCMT ref: 0000000140026952

Strings

csm, xrefs: 00000001400266EF
csm, xrefs: 0000000140026529
csm, xrefs: 00000001400265BF
bad exception, xrefs: 000000014002669F

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: _getptd$BlockUnwind$BaseEntryExceptionFunctionImageLookupRaiseThrow
String ID: bad exception$csm$csm$csm
API String ID: 2351602029-820278400
Opcode ID: 54840be7fd3c2570377b6a702331bff503cccb6a55b6321fc7b1604d2f18a14f
Instruction ID: 285e6f54085172a451a86f7f0575a97a25d6d2b8a27b6ed2990c6c9758564d97
Opcode Fuzzy Hash: 54840be7fd3c2570377b6a702331bff503cccb6a55b6321fc7b1604d2f18a14f
Instruction Fuzzy Hash: 85E1817220468086EA72AB77A4443ED77A4F7997C4F44452DFF8907BAACF38D991CB01

Function 000000014000CA34 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 185stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 000000014000CA5D
SetWindowTextW.USER32 ref: 000000014000CA69
GetDlgItem.USER32 ref: 000000014000CA84
SetWindowTextW.USER32 ref: 000000014000CA90

Part of subcall function 0000000140001F00: lstrlenA.KERNEL32 ref: 0000000140001F2E
Part of subcall function 0000000140001F00: MultiByteToWideChar.KERNEL32 ref: 0000000140001F73
Part of subcall function 0000000140001F00: lstrlenW.KERNEL32 ref: 0000000140001F8F

Part of subcall function 000000014000BCB0: lstrlenW.KERNEL32 ref: 000000014000BCF8

Part of subcall function 000000014000BC34: lstrlenW.KERNEL32 ref: 000000014000BC7B

SetWindowTextW.USER32 ref: 000000014000CB40
lstrlenW.KERNEL32 ref: 000000014000CB5B
GetDlgItem.USER32 ref: 000000014000CB78
SetWindowTextW.USER32 ref: 000000014000CB86
GetDlgItem.USER32 ref: 000000014000CB9D
SetWindowTextW.USER32 ref: 000000014000CBAD
GetDlgItem.USER32 ref: 000000014000CBBD
SetWindowTextW.USER32 ref: 000000014000CBCD
GetDlgItem.USER32 ref: 000000014000CC95
SetWindowTextW.USER32 ref: 000000014000CCA6

Strings

- , xrefs: 000000014000CA96

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: TextWindow$Item$lstrlen$ByteCharMultiWide
String ID: -
API String ID: 360983386-3695764949
Opcode ID: 0489edcda1481621dc3291c15f0c88b45b370b1c246d2ed9adb942b8e108f2a7
Instruction ID: 3f5a51692fff7400307770bd2e5ffa7c0c33d87cdac88fabcaeddeb41a18a210
Opcode Fuzzy Hash: 0489edcda1481621dc3291c15f0c88b45b370b1c246d2ed9adb942b8e108f2a7
Instruction Fuzzy Hash: 45812C72341A0182EA52DB27E8517EA6361EB89BF4F544325BB3E877F6DE3CC8458701

Function 0000000140034978 Relevance: 24.3, APIs: 16, Instructions: 348COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32 ref: 00000001400349E5
GetLastError.KERNEL32 ref: 00000001400349F9
GetCPInfo.KERNEL32 ref: 0000000140034AFC

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: CompareErrorInfoLastString
String ID:
API String ID: 3723911898-0
Opcode ID: 18af59161a79b0eb4d7aaaacb2757f401f279c5247c557f43973b386fee0985c
Instruction ID: fdc4a155da6a1d1a409bf3efb905b59fa623469911c2cf4e6f30e77b8732378c
Opcode Fuzzy Hash: 18af59161a79b0eb4d7aaaacb2757f401f279c5247c557f43973b386fee0985c
Instruction Fuzzy Hash: 68E19D322056808AEB739F9394543EA7B92F34C7D4F544625FB5A0BBE8DB38E945C701

Function 0000000140007C60 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 120windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 0000000140007CA4
SelectObject.GDI32 ref: 0000000140007CB0
GetDlgCtrlID.USER32 ref: 0000000140007CC2
GetClientRect.USER32 ref: 0000000140007CFB
CopyRect.USER32 ref: 0000000140007D0B
SendMessageW.USER32 ref: 0000000140007D22

Part of subcall function 00000001400076B0: CopyRect.USER32 ref: 00000001400076CE

SendMessageW.USER32 ref: 0000000140007D52
SendMessageW.USER32 ref: 0000000140007D6A
SendMessageW.USER32 ref: 0000000140007D9F
_cwprintf_s_l.LIBCMT ref: 0000000140007DCD

Part of subcall function 00000001400077F4: SendMessageW.USER32 ref: 0000000140007836
Part of subcall function 00000001400077F4: SendMessageW.USER32 ref: 0000000140007856
Part of subcall function 00000001400077F4: CopyRect.USER32 ref: 000000014000787D
Part of subcall function 00000001400077F4: GetDeviceCaps.GDI32 ref: 00000001400078E7

Part of subcall function 0000000140007478: SendMessageW.USER32 ref: 00000001400074AA
Part of subcall function 0000000140007478: CopyRect.USER32 ref: 00000001400074CC
Part of subcall function 0000000140007478: SetBkColor.GDI32 ref: 0000000140007536
Part of subcall function 0000000140007478: ExtTextOutW.GDI32 ref: 000000014000761A
Part of subcall function 0000000140007478: SetBkColor.GDI32 ref: 0000000140007625
Part of subcall function 0000000140007478: SetBkColor.GDI32 ref: 0000000140007650
Part of subcall function 0000000140007478: ExtTextOutW.GDI32 ref: 0000000140007680
Part of subcall function 0000000140007478: SetBkColor.GDI32 ref: 000000014000768B

SendMessageW.USER32 ref: 0000000140007E3E

Strings

%d %d , xrefs: 0000000140007DBE
e, xrefs: 0000000140007CB6

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: MessageSend$Rect$ColorCopy$Text$CapsClientCtrlDeviceObjectSelect_cwprintf_s_l
String ID: %d %d $e
API String ID: 304713326-3858312234
Opcode ID: 5743438c54ebef0fc57862db801e6e143aca407b12d083be401e386b72b6b0c8
Instruction ID: 03c1db68694c137dbd6b4e4d74f1f4b05bfafbbb18c348af287fd7696b4aa910
Opcode Fuzzy Hash: 5743438c54ebef0fc57862db801e6e143aca407b12d083be401e386b72b6b0c8
Instruction Fuzzy Hash: CB517A73204B8186E722DF26F45479A77A0F7C8BE5F504211EB9943AA9CF3CC946CB40

Function 0000000140031244 Relevance: 22.6, APIs: 15, Instructions: 130libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 0000000140031281
GetProcAddress.KERNEL32 ref: 000000014003129D
GetProcAddress.KERNEL32 ref: 00000001400312C5
EncodePointer.KERNEL32(?,?,?,?,?,000000FC,00000000,0000000140029F80,?,?,?,?,?,000000014002A014), ref: 00000001400312CE
GetProcAddress.KERNEL32 ref: 00000001400312E4
EncodePointer.KERNEL32(?,?,?,?,?,000000FC,00000000,0000000140029F80,?,?,?,?,?,000000014002A014), ref: 00000001400312ED
GetProcAddress.KERNEL32 ref: 0000000140031303
EncodePointer.KERNEL32(?,?,?,?,?,000000FC,00000000,0000000140029F80,?,?,?,?,?,000000014002A014), ref: 000000014003130C
GetProcAddress.KERNEL32 ref: 000000014003132A
EncodePointer.KERNEL32(?,?,?,?,?,000000FC,00000000,0000000140029F80,?,?,?,?,?,000000014002A014), ref: 0000000140031333
DecodePointer.KERNEL32(?,?,?,?,?,000000FC,00000000,0000000140029F80,?,?,?,?,?,000000014002A014), ref: 0000000140031365
DecodePointer.KERNEL32(?,?,?,?,?,000000FC,00000000,0000000140029F80,?,?,?,?,?,000000014002A014), ref: 0000000140031374
DecodePointer.KERNEL32(?,?,?,?,?,000000FC,00000000,0000000140029F80,?,?,?,?,?,000000014002A014), ref: 00000001400313CC
DecodePointer.KERNEL32(?,?,?,?,?,000000FC,00000000,0000000140029F80,?,?,?,?,?,000000014002A014), ref: 00000001400313EC
DecodePointer.KERNEL32(?,?,?,?,?,000000FC,00000000,0000000140029F80,?,?,?,?,?,000000014002A014), ref: 0000000140031405

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: Pointer$AddressDecodeProc$Encode$LibraryLoad
String ID:
API String ID: 3085332118-0
Opcode ID: 7ace09c67c20a76bf4d67dcd146ac2da4ac6b44b4523eebc8a03b40b00f8c093
Instruction ID: ff738b489165baf402e4f76d1a77cc2ce5a29216287c6ae3caa731f1841cd97e
Opcode Fuzzy Hash: 7ace09c67c20a76bf4d67dcd146ac2da4ac6b44b4523eebc8a03b40b00f8c093
Instruction Fuzzy Hash: B5513E31206B5581FE57EB57B8503EA23D1AB8DBD0F580429BF5E47BB2EE38C6958310

Function 000000014000C70C Relevance: 21.2, APIs: 6, Strings: 6, Instructions: 195stringwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140008334: lstrlenW.KERNEL32 ref: 0000000140008371

Part of subcall function 0000000140001F00: lstrlenA.KERNEL32 ref: 0000000140001F2E
Part of subcall function 0000000140001F00: MultiByteToWideChar.KERNEL32 ref: 0000000140001F73
Part of subcall function 0000000140001F00: lstrlenW.KERNEL32 ref: 0000000140001F8F

lstrlenW.KERNEL32 ref: 000000014000C7A5
lstrlenW.KERNEL32 ref: 000000014000C7C1
_cwprintf_s_l.LIBCMT ref: 000000014000C850
_cwprintf_s_l.LIBCMT ref: 000000014000C93C
MessageBoxW.USER32 ref: 000000014000C983

Strings

%d,, xrefs: 000000014000C89F
Translate, xrefs: 000000014000C963
..and.., xrefs: 000000014000C7DA
miss:, xrefs: 000000014000C777
%d %%, xrefs: 000000014000C92D
%d=%s, xrefs: 000000014000C844

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: lstrlen$_cwprintf_s_l$ByteCharMessageMultiWide
String ID: miss:$%d %%$%d,$%d=%s$..and..$Translate
API String ID: 748578601-3786228004
Opcode ID: 9c12ecbcda9fa4f56c9f2fa4632f78e5846b32c399f2c58f804135ab7d105881
Instruction ID: f6b88ee2deacc65aac84b9bed579b5fd60ce164f98064f71de05433bad061922
Opcode Fuzzy Hash: 9c12ecbcda9fa4f56c9f2fa4632f78e5846b32c399f2c58f804135ab7d105881
Instruction Fuzzy Hash: 45919D72311A4595EB63DB26F8417EA6360F78D7E4F444211BB5D936B6EF38C84AC700

Function 00000001400101B4 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 129windowkeyboardCOMMON

Download Yara Rule

APIs

CreatePopupMenu.USER32 ref: 00000001400101E5
AppendMenuW.USER32 ref: 0000000140010200
wsprintfW.USER32 ref: 0000000140010230
AppendMenuW.USER32 ref: 000000014001024A
AppendMenuW.USER32 ref: 0000000140010271
GetDlgItem.USER32 ref: 000000014001029C
GetWindowRect.USER32 ref: 00000001400102AA
SendDlgItemMessageW.USER32 ref: 0000000140010370
GetKeyState.USER32 ref: 000000014001037B
SendDlgItemMessageW.USER32 ref: 00000001400103AD

Strings

%02d:%02d, xrefs: 0000000140010216

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: Menu$AppendItem$MessageSend$CreatePopupRectStateWindowwsprintf
String ID: %02d:%02d
API String ID: 3909457406-4169306755
Opcode ID: 9929a8201e915cfdc8fedc09dc0f021a2dfda7079aed067d47bab4ffd2a6c7c2
Instruction ID: 7521ba4cd33d13d258e59183989c0ad3ed8976fbc6f37c202930898a900a0eae
Opcode Fuzzy Hash: 9929a8201e915cfdc8fedc09dc0f021a2dfda7079aed067d47bab4ffd2a6c7c2
Instruction Fuzzy Hash: F751257221878086E762DB22F484B9FB7A5F78D788F501015FB8A47B69DB7DC549CB00

Function 0000000140025C50 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 0000000140025C7F
_getptd.LIBCMT ref: 0000000140025C93
_getptd.LIBCMT ref: 0000000140025CD2
_getptd.LIBCMT ref: 0000000140025CDE
_getptd.LIBCMT ref: 0000000140025CEA
_CreateFrameInfo.LIBCMT ref: 0000000140025CFF

Part of subcall function 00000001400219E8: _getptd.LIBCMT ref: 00000001400219F4
Part of subcall function 00000001400219E8: _getptd.LIBCMT ref: 0000000140021A02
Part of subcall function 00000001400219E8: _getptd.LIBCMT ref: 0000000140021A16

_getptd.LIBCMT ref: 0000000140025D1D
_getptd.LIBCMT ref: 0000000140025D2E
_getptd.LIBCMT ref: 0000000140025E45
_getptd.LIBCMT ref: 0000000140025E59

Strings

csm, xrefs: 0000000140025DF8

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: _getptd$CreateFrameInfo
String ID: csm
API String ID: 4181383844-1018135373
Opcode ID: dcb4dcbe70b25820c092e3de3e443819420dfc7c02c34d08497b78647f6d6d68
Instruction ID: 8f46683c2ca5d0869daaf1b249c067e1d6dd2541e65167c15a714d9cfe751e4a
Opcode Fuzzy Hash: dcb4dcbe70b25820c092e3de3e443819420dfc7c02c34d08497b78647f6d6d68
Instruction Fuzzy Hash: DD412F32200B8181DA61AF52E4487EE77A4F389BD1F45462AEF9D07BA5DF34C891CB01

Function 0000000140007478 Relevance: 18.2, APIs: 12, Instructions: 156windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 00000001400074AA
CopyRect.USER32 ref: 00000001400074CC
SetBkColor.GDI32 ref: 0000000140007536
SetBkColor.GDI32 ref: 000000014000757C
ExtTextOutW.GDI32 ref: 00000001400075B4
SetBkColor.GDI32 ref: 00000001400075BF
SetBkColor.GDI32 ref: 00000001400075EA
ExtTextOutW.GDI32 ref: 000000014000761A
SetBkColor.GDI32 ref: 0000000140007625
SetBkColor.GDI32 ref: 0000000140007650
ExtTextOutW.GDI32 ref: 0000000140007680
SetBkColor.GDI32 ref: 000000014000768B

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: Color$Text$CopyMessageRectSend
String ID:
API String ID: 4233274074-0
Opcode ID: 820b42d3ce84ea2715eaa9a4f351abf001f02c176079197391ddaf8a3f415dff
Instruction ID: bbeb2f62b00d92ff76c688356ffcfcec2b806822792e02760fd7e7e0ba0cd1b3
Opcode Fuzzy Hash: 820b42d3ce84ea2715eaa9a4f351abf001f02c176079197391ddaf8a3f415dff
Instruction Fuzzy Hash: 71611B76604B808BD755CF6AE88075AB7B1F38CB90F144225EF8A93B68DB7CD8458F00

Function 000000014000F118 Relevance: 18.1, APIs: 12, Instructions: 109COMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 000000014000F19E
GetWindowTextW.USER32 ref: 000000014000F1B2
GetDlgItem.USER32 ref: 000000014000F1E6
GetWindowTextW.USER32 ref: 000000014000F1FA
GetDlgItem.USER32 ref: 000000014000F22E
GetWindowTextW.USER32 ref: 000000014000F242
GetDlgItem.USER32 ref: 000000014000F2B9
SetWindowTextW.USER32 ref: 000000014000F2C7
GetDlgItem.USER32 ref: 000000014000F2D9
SetWindowTextW.USER32 ref: 000000014000F2E7
GetDlgItem.USER32 ref: 000000014000F2F9
SetWindowTextW.USER32 ref: 000000014000F307

Part of subcall function 000000014000E454: SendDlgItemMessageW.USER32 ref: 000000014000E4AA
Part of subcall function 000000014000E454: SendDlgItemMessageW.USER32 ref: 000000014000E4CC

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: Item$TextWindow$MessageSend
String ID:
API String ID: 1177832550-0
Opcode ID: a363b9cd74bc2e4dd1b4ccf27cdc277ba63d93fce69b664481f1d1dc597ae9fc
Instruction ID: feeaf258969b712e0437733aa35a93b4080ad5b5dd35af999fc3a0f8535680f6
Opcode Fuzzy Hash: a363b9cd74bc2e4dd1b4ccf27cdc277ba63d93fce69b664481f1d1dc597ae9fc
Instruction Fuzzy Hash: 34511776714B8582EB62DB62E4447DB7361F78CB88F405121EF8947B69CF3CC6898B50

Function 0000000140028810 Relevance: 18.1, APIs: 11, Strings: 1, Instructions: 90COMMONLIBRARYCODE

Download Yara Rule

APIs

free.LIBCMT ref: 000000014002885C

Part of subcall function 00000001400233E0: HeapFree.KERNEL32 ref: 00000001400233F6
Part of subcall function 00000001400233E0: _errno.LIBCMT ref: 0000000140023400
Part of subcall function 00000001400233E0: GetLastError.KERNEL32 ref: 0000000140023408

Part of subcall function 000000014003081C: free.LIBCMT ref: 000000014003083A
Part of subcall function 000000014003081C: free.LIBCMT ref: 000000014003084C
Part of subcall function 000000014003081C: free.LIBCMT ref: 000000014003085E
Part of subcall function 000000014003081C: free.LIBCMT ref: 0000000140030870
Part of subcall function 000000014003081C: free.LIBCMT ref: 0000000140030882
Part of subcall function 000000014003081C: free.LIBCMT ref: 0000000140030894
Part of subcall function 000000014003081C: free.LIBCMT ref: 00000001400308A6

free.LIBCMT ref: 000000014002887E
free.LIBCMT ref: 0000000140028896
free.LIBCMT ref: 00000001400288A2
free.LIBCMT ref: 00000001400288C6
free.LIBCMT ref: 00000001400288DA
free.LIBCMT ref: 00000001400288E9
free.LIBCMT ref: 00000001400288F5
free.LIBCMT ref: 0000000140028922
free.LIBCMT ref: 000000014002894A
free.LIBCMT ref: 0000000140028964

Strings

%s %d, xrefs: 000000014002881A

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: free$ErrorFreeHeapLast_errno
String ID: %s %d
API String ID: 1012874770-753429341
Opcode ID: 4a562cbc5e5cdbc03e6503f3844dc50fcfc7ebf498fca32075d04b6ea072a536
Instruction ID: 82cacfc702e54f4f8b1b985fa928eae132eee949d8bd04800168f155a2a732a4
Opcode Fuzzy Hash: 4a562cbc5e5cdbc03e6503f3844dc50fcfc7ebf498fca32075d04b6ea072a536
Instruction Fuzzy Hash: C041DA3660268484EE66DF67C4913ED23A0AB8CBD4F484439BF4A4B6A5DF35CD91C352

Function 0000000140001414 Relevance: 18.1, APIs: 12, Instructions: 77timefileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32 ref: 0000000140001442
SetFileAttributesW.KERNEL32 ref: 0000000140001474
CreateFileW.KERNEL32 ref: 000000014000149C
SystemTimeToFileTime.KERNEL32 ref: 00000001400014BA
LocalFileTimeToFileTime.KERNEL32 ref: 00000001400014CD
SystemTimeToFileTime.KERNEL32 ref: 00000001400014DF
LocalFileTimeToFileTime.KERNEL32 ref: 00000001400014F2
SystemTimeToFileTime.KERNEL32 ref: 0000000140001504
LocalFileTimeToFileTime.KERNEL32 ref: 000000014000151A
SetFileTime.KERNEL32 ref: 0000000140001535
CloseHandle.KERNEL32 ref: 000000014000153E
SetFileAttributesW.KERNEL32 ref: 000000014000154E

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: File$Time$AttributesLocalSystem$CloseCreateHandle
String ID:
API String ID: 3993054239-0
Opcode ID: a6b9cc98d673ec6d763a98b109de7921fa88bcb6b367d7ac6f5350da46a3025e
Instruction ID: 574870e3f1f7daa1c91575efc89833146e98ea8f6bc65486a1dbd3a5376e35a6
Opcode Fuzzy Hash: a6b9cc98d673ec6d763a98b109de7921fa88bcb6b367d7ac6f5350da46a3025e
Instruction Fuzzy Hash: CA313A72204A46D6EB728F25E8547EA6361F788B99F504111EF4A4BAB8DF3CC58EC740

Function 000000014001F72C Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 87stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32 ref: 000000014001F75E
lstrlenW.KERNEL32 ref: 000000014001F77A
SetTextColor.GDI32 ref: 000000014001F790
OutputDebugStringW.KERNEL32 ref: 000000014001F7A5
GetCurrentObject.GDI32 ref: 000000014001F7B3
GetObjectW.GDI32 ref: 000000014001F7CB
CreateFontIndirectW.GDI32 ref: 000000014001F7D6
DrawTextW.USER32 ref: 000000014001F809
DrawTextW.USER32 ref: 000000014001F846

Strings

NULL, xrefs: 000000014001F79E

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: Text$DrawObjectlstrlen$ColorCreateCurrentDebugFontIndirectOutputString
String ID: NULL
API String ID: 2332924160-413889302
Opcode ID: 99a343f62a19cc4b63382606dd7244755f715a88833b5ace7206bf6f7cffc46c
Instruction ID: ec3a89b7c6eb906c8ccea528d9a45604d6be0145017eba85e01630213e7b7634
Opcode Fuzzy Hash: 99a343f62a19cc4b63382606dd7244755f715a88833b5ace7206bf6f7cffc46c
Instruction Fuzzy Hash: 49318C36604B4186E76A9B17E858BAB77A4F789FD8F044225EF5A477B0CF38C449C704

Function 000000014000EEC0 Relevance: 16.6, APIs: 11, Instructions: 83windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32 ref: 000000014000EED1
ScreenToClient.USER32 ref: 000000014000EEFE
SendMessageW.USER32 ref: 000000014000EF3D
SendMessageW.USER32 ref: 000000014000EF55
ScreenToClient.USER32 ref: 000000014000EF69
SendMessageW.USER32 ref: 000000014000EF8C
CreatePopupMenu.USER32 ref: 000000014000EFA6
SendMessageW.USER32 ref: 000000014000EFC1

Part of subcall function 000000014000AF94: lstrlenW.KERNEL32 ref: 000000014000AFE2
Part of subcall function 000000014000AF94: lstrlenW.KERNEL32 ref: 000000014000B004

AppendMenuW.USER32 ref: 000000014000EFE2
AppendMenuW.USER32 ref: 000000014000F003
TrackPopupMenu.USER32 ref: 000000014000F030

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: MenuMessageSend$AppendClientPopupScreenlstrlen$CreateCursorTrack
String ID:
API String ID: 4055743554-0
Opcode ID: d05fd3a24742e53cae79399e30fd41d37b1ab7ad8a5021a39c2726fa77414c51
Instruction ID: 1d4d2cb1830fe848b365ebb1412a7e1a1146829800aa3a230ce1ddb2ed9d3740
Opcode Fuzzy Hash: d05fd3a24742e53cae79399e30fd41d37b1ab7ad8a5021a39c2726fa77414c51
Instruction Fuzzy Hash: 38315C72304A8182E762DB62E8447DBB3A1F789BD5F408121EF9A07BA5DF7DC549CB00

Function 000000014001F86C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 121windowstringCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32 ref: 000000014001F8E2
GetMenuItemInfoW.USER32 ref: 000000014001F937
lstrlenW.KERNEL32 ref: 000000014001F9D8
lstrcpyW.KERNEL32 ref: 000000014001FA08
SetMenuItemInfoW.USER32 ref: 000000014001FA23
GetMenuItemCount.USER32 ref: 000000014001FA2E

Strings

P, xrefs: 000000014001F91F
d, xrefs: 000000014001F927
1, xrefs: 000000014001F94E

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: ItemMenu$CountInfo$lstrcpylstrlen
String ID: 1$P$d
API String ID: 1621444650-2729980949
Opcode ID: f879b82b5203b1a495ee4d4d651e841cfd687a141cbda9023dc9268c2b1cb274
Instruction ID: 92b2ca05c473842eeef5f76707ba2f2ccca9571c08c428dd256a5c6d0f9f384b
Opcode Fuzzy Hash: f879b82b5203b1a495ee4d4d651e841cfd687a141cbda9023dc9268c2b1cb274
Instruction Fuzzy Hash: 88517D32204B8086E762DF16E4443EAB7A5F38CBD8F544115FB8A4B7A9CB3DC556DB40

Function 000000014000DF4C Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 93windowstringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32 ref: 000000014000DF73
SendMessageW.USER32 ref: 000000014000DFC1
SendMessageW.USER32 ref: 000000014000DFE0
SendMessageW.USER32 ref: 000000014000E01E
GetWindowRect.USER32 ref: 000000014000E02D
SendMessageW.USER32 ref: 000000014000E072
SetWindowPos.USER32 ref: 000000014000E098
SendMessageW.USER32 ref: 000000014000E0CD

Strings

H, xrefs: 000000014000E0C1

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: MessageSend$Window$Rectlstrlen
String ID: H
API String ID: 3779541553-2852464175
Opcode ID: 45219e080afd435258b80a4200127f3ea9e91af25264a22e61c64da464090010
Instruction ID: 0907280f12c77494ec979a95511f6ca8c01249dc477fc0f7b769772100e135ca
Opcode Fuzzy Hash: 45219e080afd435258b80a4200127f3ea9e91af25264a22e61c64da464090010
Instruction Fuzzy Hash: AA412BB3214B84C6E7619F56E44479EB7A0F388B94F54812AEF9947B68DFBCC854CB00

Function 0000000140008540 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 79windowCOMMON

Download Yara Rule

APIs

DefWindowProcW.USER32 ref: 0000000140008570
MessageBoxW.USER32 ref: 00000001400085A8
GetClientRect.USER32 ref: 00000001400085FF
SetWindowPos.USER32 ref: 000000014000862F
SetWindowPos.USER32 ref: 0000000140008660
PostQuitMessage.USER32 ref: 000000014000866A
PostMessageW.USER32 ref: 0000000140008680

Strings

ID_ALLE_MARKIEREN 55, xrefs: 0000000140008599

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: MessageWindow$Post$ClientProcQuitRect
String ID: ID_ALLE_MARKIEREN 55
API String ID: 2307391448-762229833
Opcode ID: 342e8400889548e116219bca690e8227ab82d17065cf1329574d00490e77c41d
Instruction ID: a0748b7812055ba003620c2703d8f677a86cbde5394a0cc6288f87a0055d71ff
Opcode Fuzzy Hash: 342e8400889548e116219bca690e8227ab82d17065cf1329574d00490e77c41d
Instruction Fuzzy Hash: 97313AB1214A4086F7778F26B8587AA37A1B74D7C5F664225FF8A479B4CF3EC5448B00

Function 000000014000B02C Relevance: 15.3, APIs: 7, Strings: 3, Instructions: 275stringCOMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 000000014000B0A8

Part of subcall function 0000000140023328: _FF_MSGBANNER.LIBCMT ref: 0000000140023358
Part of subcall function 0000000140023328: HeapAlloc.KERNEL32 ref: 000000014002337D
Part of subcall function 0000000140023328: _errno.LIBCMT ref: 00000001400233A1
Part of subcall function 0000000140023328: _errno.LIBCMT ref: 00000001400233AC

lstrlenW.KERNEL32 ref: 000000014000B120
lstrlenW.KERNEL32 ref: 000000014000B233
lstrlenW.KERNEL32 ref: 000000014000B2B0
lstrlenW.KERNEL32 ref: 000000014000B2C6
lstrlenW.KERNEL32 ref: 000000014000B333
lstrlenW.KERNEL32 ref: 000000014000B3CA

Strings

=, xrefs: 000000014000B1A6
#, xrefs: 000000014000B13C
#, xrefs: 000000014000B147

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: lstrlen$_errno$AllocHeapmalloc
String ID: #$#$=
API String ID: 3459853442-4237873070
Opcode ID: 30f082a26efafddb3f55e5a201d22c85c1928f0da59724078842b4a6141e7042
Instruction ID: 59401c71c0cc532df3ef23edca405d50558effb3f9fc568eb295317674ded75b
Opcode Fuzzy Hash: 30f082a26efafddb3f55e5a201d22c85c1928f0da59724078842b4a6141e7042
Instruction Fuzzy Hash: 8AC1AFB1610A5095EB22DF12F8513EE63A1F79CBC4F854621EB4A577B6EB38C982C340

Function 0000000140032944 Relevance: 15.2, APIs: 10, Instructions: 177COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCPInfo.KERNEL32 ref: 000000014003299A
GetCPInfo.KERNEL32 ref: 00000001400329B9
MultiByteToWideChar.KERNEL32 ref: 0000000140032A5E
malloc.LIBCMT ref: 0000000140032A75
MultiByteToWideChar.KERNEL32 ref: 0000000140032ABD
WideCharToMultiByte.KERNEL32 ref: 0000000140032AF8
WideCharToMultiByte.KERNEL32 ref: 0000000140032B34
WideCharToMultiByte.KERNEL32 ref: 0000000140032B74
free.LIBCMT ref: 0000000140032B82
free.LIBCMT ref: 0000000140032BA4

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: ByteCharMultiWide$Infofree$malloc
String ID:
API String ID: 1309074677-0
Opcode ID: b3e417af6bfcb691171f5f62a21cdd0e1351153b6b0bf190db596ba82e5b48e1
Instruction ID: 7d30ea9d1b6328f3f5d0a2d796eaa2ae03f0dd52cd7759159f514d55d152be6c
Opcode Fuzzy Hash: b3e417af6bfcb691171f5f62a21cdd0e1351153b6b0bf190db596ba82e5b48e1
Instruction Fuzzy Hash: 10617F72200B8086E7279F27A8403DAB7D5F788BE4F584625FB5A47BF4DB78C9818301

Function 00000001400103EC Relevance: 15.1, APIs: 10, Instructions: 126COMMON

Download Yara Rule

APIs

GetWindowPlacement.USER32 ref: 0000000140010412
GetSystemMetrics.USER32 ref: 0000000140010460
GetSystemMetrics.USER32 ref: 000000014001046F
GetSystemMetrics.USER32 ref: 000000014001047A
GetSystemMetrics.USER32 ref: 0000000140010485
GetSystemMetrics.USER32 ref: 000000014001048F
GetSystemMetrics.USER32 ref: 000000014001049C
SetRect.USER32 ref: 00000001400104B3
GetWindowRect.USER32 ref: 00000001400104D7
MoveWindow.USER32 ref: 00000001400105A1

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: MetricsSystem$Window$Rect$MovePlacement
String ID:
API String ID: 3067230557-0
Opcode ID: f3cb280ced51fa99c12758cb33349750688eb506dea49fafc1c2bea987a9b32d
Instruction ID: 11cd3a549efd2002a41d6ad52ca17ceb0c2a1e6f3e3ed0b40073de20402f855b
Opcode Fuzzy Hash: f3cb280ced51fa99c12758cb33349750688eb506dea49fafc1c2bea987a9b32d
Instruction Fuzzy Hash: A55143726297408BD7568F26E444B5BB7B1F788794F105229FF4687B28EB39C845CF40

Function 0000000140003CAC Relevance: 15.1, APIs: 10, Instructions: 112windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 0000000140003CC7

Part of subcall function 000000014000AF94: lstrlenW.KERNEL32 ref: 000000014000AFE2
Part of subcall function 000000014000AF94: lstrlenW.KERNEL32 ref: 000000014000B004

SendMessageW.USER32 ref: 0000000140003D03
SendMessageW.USER32 ref: 0000000140003D32
SendMessageW.USER32 ref: 0000000140003D5A
SendMessageW.USER32 ref: 0000000140003D82
SendMessageW.USER32 ref: 0000000140003DAA
SendMessageW.USER32 ref: 0000000140003DBE
GetDlgItem.USER32 ref: 0000000140003DDA
SetWindowTextW.USER32 ref: 0000000140003DE6

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: MessageSend$Itemlstrlen$TextWindow
String ID:
API String ID: 2284117219-0
Opcode ID: d8ba48bb359f1a44f553ce23a7516e24e4e14629b8accebf21c7dd3065ac619b
Instruction ID: ad57713d16d7b96dca78d0f5386864289386c990d012a58d91b6946783248a86
Opcode Fuzzy Hash: d8ba48bb359f1a44f553ce23a7516e24e4e14629b8accebf21c7dd3065ac619b
Instruction Fuzzy Hash: 59513572714B4687EB26DF22E48479E73A1F78CB88F404225EB8947B69DF38C516CB40

Function 000000014001EAB0 Relevance: 15.1, APIs: 10, Instructions: 93windowthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014001E078: GetSysColor.USER32 ref: 000000014001E099
Part of subcall function 000000014001E078: CreateSolidBrush.GDI32 ref: 000000014001E0A3

IsWindowVisible.USER32 ref: 000000014001EACA
GetActiveWindow.USER32 ref: 000000014001EAD8
GetSubMenu.USER32 ref: 000000014001EAEF
MapWindowPoints.USER32 ref: 000000014001EB60
MapWindowPoints.USER32 ref: 000000014001EB77
GetCurrentThreadId.KERNEL32 ref: 000000014001EBA8
SetWindowsHookExW.USER32 ref: 000000014001EBBE
TrackPopupMenuEx.USER32 ref: 000000014001EBF6
SendMessageW.USER32 ref: 000000014001EC12
UnhookWindowsHookEx.USER32 ref: 000000014001EC31

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: Window$HookMenuPointsWindows$ActiveBrushColorCreateCurrentMessagePopupSendSolidThreadTrackUnhookVisible
String ID:
API String ID: 2131219004-0
Opcode ID: 7f3304377c9fe74e69068b9b5e29bc0f860d558ba991592e3f79c450349debd2
Instruction ID: b2256a8a562964273970209cf20299167bceb42ef5727cca84e7a9c1b4210cb7
Opcode Fuzzy Hash: 7f3304377c9fe74e69068b9b5e29bc0f860d558ba991592e3f79c450349debd2
Instruction Fuzzy Hash: C7415832215B4087E762DF22E84479A73A0F78CB99F145214FB4A076B9CF3DC885CB80

Function 0000000140034FF8 Relevance: 13.8, APIs: 9, Instructions: 256COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000000140035020

Part of subcall function 0000000140021014: DecodePointer.KERNEL32 ref: 000000014002103B

__wtomb_environ.LIBCMT ref: 0000000140035119
_errno.LIBCMT ref: 0000000140035123
free.LIBCMT ref: 0000000140035215
SetEnvironmentVariableA.KERNEL32 ref: 0000000140035360
_errno.LIBCMT ref: 000000014003536E
free.LIBCMT ref: 000000014003537C
free.LIBCMT ref: 0000000140035389
free.LIBCMT ref: 000000014003539B

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: free$_errno$DecodeEnvironmentPointerVariable__wtomb_environ
String ID:
API String ID: 3451773520-0
Opcode ID: 2fb84f8d87491c8ec97805cb3dd6a07c1fb1541a13330d7f0f46802c8e08aca8
Instruction ID: eaa8afa5f5afc84e9ff4e7cc9f8d6f0937495319643be68c41824f3c58cae049
Opcode Fuzzy Hash: 2fb84f8d87491c8ec97805cb3dd6a07c1fb1541a13330d7f0f46802c8e08aca8
Instruction Fuzzy Hash: A0A1F07670164045FA63BB23AD103EB6396F78D7D9F248A19FB5A477F5CA38C8958300

Function 00000001400302F0 Relevance: 13.7, APIs: 9, Instructions: 173COMMONLIBRARYCODE

Download Yara Rule

APIs

GetStringTypeW.KERNEL32 ref: 0000000140030350
GetLastError.KERNEL32 ref: 0000000140030362
MultiByteToWideChar.KERNEL32 ref: 00000001400303C2
malloc.LIBCMT ref: 000000014003042E
MultiByteToWideChar.KERNEL32 ref: 0000000140030478
GetStringTypeW.KERNEL32 ref: 000000014003048F
free.LIBCMT ref: 00000001400304A0
GetStringTypeA.KERNEL32 ref: 000000014003051D
free.LIBCMT ref: 000000014003052D

Part of subcall function 0000000140032944: GetCPInfo.KERNEL32 ref: 000000014003299A
Part of subcall function 0000000140032944: GetCPInfo.KERNEL32 ref: 00000001400329B9
Part of subcall function 0000000140032944: MultiByteToWideChar.KERNEL32 ref: 0000000140032ABD
Part of subcall function 0000000140032944: WideCharToMultiByte.KERNEL32 ref: 0000000140032AF8

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: ByteCharMultiWide$StringType$Infofree$ErrorLastmalloc
String ID:
API String ID: 3804003340-0
Opcode ID: bda7a183201838b1d0828cb897197d4929ab937c6d879225f2a9ce0b785eed37
Instruction ID: 894f98c7ad49a25eed2e76b70853e6e0b5abf37ffe7b96512bc8f988df3864f8
Opcode Fuzzy Hash: bda7a183201838b1d0828cb897197d4929ab937c6d879225f2a9ce0b785eed37
Instruction Fuzzy Hash: A8619D72302B848AEB229F27A4507DA67A5F74CBE8F144625FF1953BE5CB34C9418740

Function 000000014001EF2C Relevance: 13.6, APIs: 9, Instructions: 99COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 000000014001EF70
GetDC.USER32 ref: 000000014001EF89
CreateFontIndirectW.GDI32 ref: 000000014001EFBA
SelectObject.GDI32 ref: 000000014001EFD2
DrawTextW.USER32 ref: 000000014001F007
SelectObject.GDI32 ref: 000000014001F01B
DeleteObject.GDI32 ref: 000000014001F029
GetSystemMetrics.USER32 ref: 000000014001F073
ReleaseDC.USER32 ref: 000000014001F085

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: Object$MetricsSelectSystem$CreateDeleteDrawFontIndirectReleaseText
String ID:
API String ID: 2845678740-0
Opcode ID: 0b715da06a633a7be759c258f91d3406d6387774add8d639ffa1ee0778085062
Instruction ID: d412ebdc6ac23cbf0038242c10feb182b63b6444e61b84f4ff5dd93e8eca052c
Opcode Fuzzy Hash: 0b715da06a633a7be759c258f91d3406d6387774add8d639ffa1ee0778085062
Instruction Fuzzy Hash: 80417F722147858BE7668F22E84479A7361F78CBDAF004125FF5A476A9DB3CC449CB00

Function 000000014002AD58 Relevance: 13.6, APIs: 9, Instructions: 89COMMON

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 000000014002AD81
_errno.LIBCMT ref: 000000014002AD8A
__doserrno.LIBCMT ref: 000000014002ADD9
_errno.LIBCMT ref: 000000014002ADE0

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: c4052a7b1b221fb836adf21bd4ee7861a80ae7ce8361a03a7014eab329009e6f
Instruction ID: 91dc65ab31b48ea86d65e2bf425f4f3a7c114418195127770f6a1359f774f928
Opcode Fuzzy Hash: c4052a7b1b221fb836adf21bd4ee7861a80ae7ce8361a03a7014eab329009e6f
Instruction Fuzzy Hash: 67319E3261068086E713AF67A8817EE7651B7897E4F66461DBB690B7F3CB7CC8428704

Function 000000014000E5FC Relevance: 13.6, APIs: 9, Instructions: 86stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 000000014000E682
GetWindowTextW.USER32 ref: 000000014000E699
GetDlgItem.USER32 ref: 000000014000E6AB
GetWindowTextW.USER32 ref: 000000014000E6BF
GetDlgItem.USER32 ref: 000000014000E6D1
GetWindowTextW.USER32 ref: 000000014000E6E5
lstrlenW.KERNEL32 ref: 000000014000E71E
lstrlenW.KERNEL32 ref: 000000014000E730
lstrlenW.KERNEL32 ref: 000000014000E745

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: ItemTextWindowlstrlen
String ID:
API String ID: 1325350155-0
Opcode ID: a2f7c14f3afc2b4570be6bf858c9e8284bd980d4da30a0745145f0b6ba446433
Instruction ID: d01c3097062cc532514542e770649159f5686710fa100535acf24f684403b413
Opcode Fuzzy Hash: a2f7c14f3afc2b4570be6bf858c9e8284bd980d4da30a0745145f0b6ba446433
Instruction Fuzzy Hash: 0C414AB2614B8196F722DF62E8547DA73A1F78CBD9F404025AF49436AAEF7CC548CB40

Function 00000001400246E4 Relevance: 12.6, APIs: 10, Instructions: 82COMMON

Download Yara Rule

APIs

free.LIBCMT ref: 0000000140024703

Part of subcall function 00000001400233E0: HeapFree.KERNEL32 ref: 00000001400233F6
Part of subcall function 00000001400233E0: _errno.LIBCMT ref: 0000000140023400
Part of subcall function 00000001400233E0: GetLastError.KERNEL32 ref: 0000000140023408

free.LIBCMT ref: 0000000140024711
free.LIBCMT ref: 000000014002471F
free.LIBCMT ref: 000000014002472D
free.LIBCMT ref: 000000014002473B
free.LIBCMT ref: 0000000140024749
free.LIBCMT ref: 000000014002475A
free.LIBCMT ref: 0000000140024772
free.LIBCMT ref: 00000001400247AA
free.LIBCMT ref: 0000000140024809

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: free$ErrorFreeHeapLast_errno
String ID:
API String ID: 1012874770-0
Opcode ID: 597783b4217e9e999585c72ff7e10460f04a4f91c762634a398a5ff366d9076a
Instruction ID: 99bd03217147f15ae0894c99ba903d0829a65ec0d21145ba12c413c87a284bb3
Opcode Fuzzy Hash: 597783b4217e9e999585c72ff7e10460f04a4f91c762634a398a5ff366d9076a
Instruction Fuzzy Hash: 1531053120664085FF5BEBA790A17F91291AF8ABC4F081529BB1A076E6CF398D408352

Function 0000000140027AD8 Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 215COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000000140027B3E
_wsopen_s.LIBCMT ref: 0000000140027D84

Part of subcall function 000000014002FC40: _errno.LIBCMT ref: 000000014002FC61

Strings

UTF-8, xrefs: 0000000140027CEA
UNICODE, xrefs: 0000000140027D32
UTF-16LE, xrefs: 0000000140027D0E
=, xrefs: 0000000140027CD6
ccs, xrefs: 0000000140027CA8

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: _errno$_wsopen_s
String ID: =$UNICODE$UTF-16LE$UTF-8$ccs
API String ID: 586276568-31882262
Opcode ID: 571354c4be807f6cf4724e6eeb6a877927578d1b2654a503da0cc6e0ed5381d8
Instruction ID: 86dd04ba3034f0d75e798a63b1b59ea4b0985549a843248414bb8ee4db6c73c6
Opcode Fuzzy Hash: 571354c4be807f6cf4724e6eeb6a877927578d1b2654a503da0cc6e0ed5381d8
Instruction Fuzzy Hash: FB71BD76A0021082FB7B5F27A844FFA6295A75DBD0F75411EFB4E13AF4C639CD815602

Function 000000014000B6A0 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 153stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00000001400084B4: InitializeCriticalSection.KERNEL32 ref: 00000001400084B8

GetModuleFileNameW.KERNEL32 ref: 000000014000B76F
GetModuleHandleW.KERNEL32 ref: 000000014000B7ED
lstrlenW.KERNEL32 ref: 000000014000B817
lstrlenW.KERNEL32 ref: 000000014000B856

Strings

Module, xrefs: 000000014000B878
REGISTRY, xrefs: 000000014000B8CA
Module_Raw, xrefs: 000000014000B896

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: Modulelstrlen$CriticalFileHandleInitializeNameSection
String ID: Module$Module_Raw$REGISTRY
API String ID: 3852420207-549000027
Opcode ID: b278e3b9391431edd1f474d3c85d583de7e0008674a8f6f560e27dbde200d3b6
Instruction ID: ba9462bc970822d1beaaa5755169598f6b6781d45fe6c128d0830f68b1bfeb82
Opcode Fuzzy Hash: b278e3b9391431edd1f474d3c85d583de7e0008674a8f6f560e27dbde200d3b6
Instruction Fuzzy Hash: 6D517FB221878191FA72DB12F4847DA6365FB887C4F904116FB8E87AB9DB3CC549CB41

Function 000000014000B91C Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 147stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00000001400084B4: InitializeCriticalSection.KERNEL32 ref: 00000001400084B8

GetModuleFileNameW.KERNEL32 ref: 000000014000B9EA
GetModuleHandleW.KERNEL32 ref: 000000014000BA68
lstrlenW.KERNEL32 ref: 000000014000BA92
lstrlenW.KERNEL32 ref: 000000014000BAD1

Strings

Module, xrefs: 000000014000BAF3
REGISTRY, xrefs: 000000014000BB2B
Module_Raw, xrefs: 000000014000BB11

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: Modulelstrlen$CriticalFileHandleInitializeNameSection
String ID: Module$Module_Raw$REGISTRY
API String ID: 3852420207-549000027
Opcode ID: 43e2db0d49436a38b8b126c1ff4b80b3a04e5e253a41970f842c10e25da26b79
Instruction ID: ef6551ca5c69081ae40ec7680f044ae938afcecdb88c7ef2f103f42920e75773
Opcode Fuzzy Hash: 43e2db0d49436a38b8b126c1ff4b80b3a04e5e253a41970f842c10e25da26b79
Instruction Fuzzy Hash: 395192B2218B8192EB32DB52F4847EA7361F788784F901116FB8E87AB9DB7CC545C741

Function 00000001400224CC Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 99COMMON

Download Yara Rule

APIs

DecodePointer.KERNEL32 ref: 0000000140022528
DecodePointer.KERNEL32 ref: 0000000140022545
DecodePointer.KERNEL32 ref: 0000000140022584
DecodePointer.KERNEL32 ref: 000000014002259D
DecodePointer.KERNEL32 ref: 00000001400225AC
ExitProcess.KERNEL32 ref: 0000000140022637

Strings

rotect, xrefs: 00000001400225E4

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: DecodePointer$ExitProcess
String ID: rotect
API String ID: 1284615037-1605590708
Opcode ID: 51a6834b59eba75131cd978c961325821067cd87898811e565d3ff65d43bb1d9
Instruction ID: d3ee3df186d67f7fe7db0f1b4b0fce109a8667d4dbdf13d6b7a7be4c70ed9e3b
Opcode Fuzzy Hash: 51a6834b59eba75131cd978c961325821067cd87898811e565d3ff65d43bb1d9
Instruction Fuzzy Hash: CE418C31216A5091EB52EB43EC543E962A5F78D7C4F54482DBB8E47BB6EF3CC8618700

Function 000000014001226C Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 77COMMON

Download Yara Rule

APIs

GetWindowRect.USER32 ref: 00000001400122A8
GetWindowPlacement.USER32 ref: 00000001400122E5
CopyRect.USER32 ref: 00000001400122FC
GetWindowRect.USER32 ref: 000000014001232B
_cwprintf_s_l.LIBCMT ref: 0000000140012376

Strings

,, xrefs: 00000001400122CD
%d;%d;%d;%d;%d;x,y,w,h,SW, xrefs: 0000000140012367

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: RectWindow$CopyPlacement_cwprintf_s_l
String ID: %d;%d;%d;%d;%d;x,y,w,h,SW$,
API String ID: 3201689876-1288783108
Opcode ID: 1b676ddfa276d302064f48a2bb525ef4eca56e6bb2c7f79876d1ce3e61ed8f86
Instruction ID: c17a60aac2f298e690757afcf336e6d0ed455cecff1d96641ea01c252cce2da4
Opcode Fuzzy Hash: 1b676ddfa276d302064f48a2bb525ef4eca56e6bb2c7f79876d1ce3e61ed8f86
Instruction Fuzzy Hash: D9412C72614B8087E711CF1AE44439EB3A0F789BB5F504215EBA943AA9CF7CC545CF40

Function 000000014000E0EC Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 71windowCOMMON

Download Yara Rule

APIs

InitCommonControlsEx.COMCTL32 ref: 000000014000E121
CreateWindowExW.USER32 ref: 000000014000E17E
SendMessageW.USER32 ref: 000000014000E206
SendMessageW.USER32 ref: 000000014000E228

Strings

tooltips_class32, xrefs: 000000014000E166
No Text associated, xrefs: 000000014000E1C9
H, xrefs: 000000014000E184

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: MessageSend$CommonControlsCreateInitWindow
String ID: H$No Text associated$tooltips_class32
API String ID: 3342334947-2882939136
Opcode ID: a07237cb0f0c2608778430ffe3190fb1b3362ad626f68706e6138aadacd60009
Instruction ID: bcb7a20e779659e90bf72ca1d2af38a17a0bb97f28f875f836532f9c4a2ffaa0
Opcode Fuzzy Hash: a07237cb0f0c2608778430ffe3190fb1b3362ad626f68706e6138aadacd60009
Instruction Fuzzy Hash: 6D313072214B808AE761CF15F44478EB7A4F388BE4F544219EB9847BA9CF78C449CB40

Function 000000014001D5B8 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 67windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32 ref: 000000014001D613
SendMessageW.USER32 ref: 000000014001D646
CreateWindowExW.USER32 ref: 000000014001D691
SendMessageW.USER32 ref: 000000014001D6DA

Strings

g+, xrefs: 000000014001D5DF
ReBarWindow32, xrefs: 000000014001D5F9
ToolbarWindow32, xrefs: 000000014001D67A

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: CreateMessageSendWindow
String ID: ReBarWindow32$ToolbarWindow32$g+
API String ID: 304178485-667860993
Opcode ID: 708da49c48fa1391d0cf99ffe26453205b1b1b1cea1c7a84782522edceb0759f
Instruction ID: 796acd7b7c1217826ab6c4563d3f39c19edbf644788da0db1e8a0ede26bdcb58
Opcode Fuzzy Hash: 708da49c48fa1391d0cf99ffe26453205b1b1b1cea1c7a84782522edceb0759f
Instruction Fuzzy Hash: 8A31DA72618B8086D761CF5AF44478ABBE5F788794F50522AFB9983B68CB7CC445CF40

Function 000000014000F040 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

CreatePopupMenu.USER32 ref: 000000014000F04D
AppendMenuW.USER32 ref: 000000014000F06F

Part of subcall function 000000014001D6F8: SendMessageW.USER32 ref: 000000014001D716
Part of subcall function 000000014001D6F8: SendMessageW.USER32 ref: 000000014001D72A

ClientToScreen.USER32 ref: 000000014000F0AF
SendMessageW.USER32 ref: 000000014000F0C9
SendMessageW.USER32 ref: 000000014000F0E0
SendMessageW.USER32 ref: 000000014000F0FA

Strings

Add to Shell Send-To Menu, xrefs: 000000014000F05A

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: MessageSend$Menu$AppendClientCreatePopupScreen
String ID: Add to Shell Send-To Menu
API String ID: 1661845258-3913549151
Opcode ID: bca6f972f7c390880098818a57ec50335b75254f5dacec2faa81c0f5fc501244
Instruction ID: 003312ff7a3d2d219a127bfd5e1bcea2a5dfe1b1da2d704bb9ff34a9acbc5861
Opcode Fuzzy Hash: bca6f972f7c390880098818a57ec50335b75254f5dacec2faa81c0f5fc501244
Instruction Fuzzy Hash: 98113A72714B4582EB259B12F8047DB67A0F78DBC8F500121EF9907B68CF3DC2458B40

Function 0000000140010A9C Relevance: 12.2, APIs: 8, Instructions: 175stringCOMMON

Download Yara Rule

APIs

_fread_nolock.LIBCMT ref: 0000000140010B63
malloc.LIBCMT ref: 0000000140010B92
_fread_nolock.LIBCMT ref: 0000000140010BAC
lstrlenW.KERNEL32 ref: 0000000140010BD3
lstrlenA.KERNEL32 ref: 0000000140010BF4
MultiByteToWideChar.KERNEL32 ref: 0000000140010C5A
lstrlenW.KERNEL32 ref: 0000000140010C80
_fread_nolock.LIBCMT ref: 0000000140010CAB

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: _fread_nolocklstrlen$ByteCharMultiWidemalloc
String ID:
API String ID: 2371134797-0
Opcode ID: 205620a3fdea7baab2e1b38ae69dd215bddbc44f08318e0fa8b95ac29cdbefe9
Instruction ID: 5ead02336626b1d205d46c96fafd50e50f974c47f02f6034348b8dc8db9fecf9
Opcode Fuzzy Hash: 205620a3fdea7baab2e1b38ae69dd215bddbc44f08318e0fa8b95ac29cdbefe9
Instruction Fuzzy Hash: 1161B032300A8085EA22DF77A8507E92790F78DBE8F548725BF6A5B7F2DE79C4448340

Function 000000014001E4D8 Relevance: 12.1, APIs: 8, Instructions: 122windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 000000014001E53B
GetClientRect.USER32 ref: 000000014001E56C
PostMessageW.USER32 ref: 000000014001E5DB
PostMessageW.USER32 ref: 000000014001E5F3
SendMessageW.USER32 ref: 000000014001E627
GetClientRect.USER32 ref: 000000014001E658
SendMessageW.USER32 ref: 000000014001E684
SendMessageW.USER32 ref: 000000014001E6B2

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: Message$Send$ClientPostRect
String ID:
API String ID: 2296908145-0
Opcode ID: 2c77ea7a578a4bde213b40e6100d9ef29e2defe4b6d4c9c2601038ae37d6a9a6
Instruction ID: 0000cdb11765bc328924b70f611cee767de0f4cad92cd081dbda985ce4d49e0f
Opcode Fuzzy Hash: 2c77ea7a578a4bde213b40e6100d9ef29e2defe4b6d4c9c2601038ae37d6a9a6
Instruction Fuzzy Hash: CA5127726147408AEBA1CF26E44439A77A0F38CB95F505126FB8A87B68DF3DC545CF40

Function 00000001400279A4 Relevance: 12.1, APIs: 8, Instructions: 89COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 00000001400279CD
_errno.LIBCMT ref: 00000001400279D6
__doserrno.LIBCMT ref: 0000000140027A25
_errno.LIBCMT ref: 0000000140027A2C

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: 8d2797eb5a6f6227af35280fece64eb3ae8d0df317bbba9e73275f85b3812edc
Instruction ID: d6dead47aa9d49af118804f2b9b5f02e9263ca85af6c82d5d1cd878ed998663c
Opcode Fuzzy Hash: 8d2797eb5a6f6227af35280fece64eb3ae8d0df317bbba9e73275f85b3812edc
Instruction Fuzzy Hash: 6F31D132A1069086E313AFA7A881BDE7651B7C87E4F55461DBB290B7F3CB38C9428715

Function 000000014002E478 Relevance: 12.1, APIs: 8, Instructions: 89COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 000000014002E4A1
_errno.LIBCMT ref: 000000014002E4AA
__doserrno.LIBCMT ref: 000000014002E4FA
_errno.LIBCMT ref: 000000014002E501

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: 39f156948a35b6bcd0f4cc8c6a57c5ea70c98b77d57cfe8fde7cdbc599926948
Instruction ID: 834d0eeafcb1727c66ce041a00b0fd0be26fe7525889a5cf24bc4a0534955989
Opcode Fuzzy Hash: 39f156948a35b6bcd0f4cc8c6a57c5ea70c98b77d57cfe8fde7cdbc599926948
Instruction Fuzzy Hash: 9C31AF32610A9085E713AF67A9817DD7A51A7887F8F55471DBF390BBF3DA38C8428704

Function 0000000140026CD4 Relevance: 12.1, APIs: 8, Instructions: 79COMMON

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 0000000140026CF3
_errno.LIBCMT ref: 0000000140026CFC
__doserrno.LIBCMT ref: 0000000140026D4C
_errno.LIBCMT ref: 0000000140026D53

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: 745d1f90cbd04c1f6692ab99217ca2988eeb1361b01008a08a585ea8c806e58f
Instruction ID: 9531e3917bea35870b830c80b6f796ba5e4d1992aa9550f1a0e5848f29d46b15
Opcode Fuzzy Hash: 745d1f90cbd04c1f6692ab99217ca2988eeb1361b01008a08a585ea8c806e58f
Instruction Fuzzy Hash: 5F319132A0469886F3136FB7A9817ED7651A7C8794F65461DFB25077F3CA38CC428704

Function 0000000140008DCC Relevance: 10.6, APIs: 7, Instructions: 116COMMON

Download Yara Rule

APIs

CharNextW.USER32 ref: 0000000140008E04
CharNextW.USER32 ref: 0000000140008E2E
CharNextW.USER32 ref: 0000000140008E46
CharNextW.USER32 ref: 0000000140008E5B
CharNextW.USER32 ref: 0000000140008E6A
CharNextW.USER32 ref: 0000000140008EBE
CharNextW.USER32 ref: 0000000140008EE6

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: CharNext
String ID:
API String ID: 3213498283-0
Opcode ID: 2cd2b2985da726bb594837950bff3eaa349c6ccbb9983bba573205b7588601a5
Instruction ID: 65b4db2a574e379bc451b6abf69f46b760f6bd468da9ff3f6b99f8fadb82b638
Opcode Fuzzy Hash: 2cd2b2985da726bb594837950bff3eaa349c6ccbb9983bba573205b7588601a5
Instruction Fuzzy Hash: A7412D76610A51C1EB72DF26F5543AD33A1F358FC8F649412EF89872A4EB78C952C302

Function 000000014002EED0 Relevance: 10.6, APIs: 7, Instructions: 79COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 000000014002EEE9
_errno.LIBCMT ref: 000000014002EF36

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: _errno
String ID:
API String ID: 2918714741-0
Opcode ID: 02c27170618a036ecb493836d80251c9effd0aacbbd2e9e4f5a56257d2afbea2
Instruction ID: 00dc0484bce81ba81570dd1e687eb433040ceee0b9cc8fadcad1ff25e9609a58
Opcode Fuzzy Hash: 02c27170618a036ecb493836d80251c9effd0aacbbd2e9e4f5a56257d2afbea2
Instruction Fuzzy Hash: 7B31E432A1068085F7636FB79A957EE3751A7887E4F15422CBB25076F2CF7CCC418204

Function 0000000140025D62 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 0000000140025D6A
RaiseException.KERNEL32 ref: 0000000140025DA6
RaiseException.KERNEL32 ref: 0000000140025DC9
_getptd.LIBCMT ref: 0000000140025E45
_getptd.LIBCMT ref: 0000000140025E59

Strings

csm, xrefs: 0000000140025DF8

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: _getptd$ExceptionRaise
String ID: csm
API String ID: 2255768072-1018135373
Opcode ID: 7fc2362f8dbab87f33d010c3d0fb9b378f7627bc6043941f79a5f35d8454174c
Instruction ID: 79a59cc144ed7d0bf83947a7f03cc7318b9195ae386405ad5954418485fc41b5
Opcode Fuzzy Hash: 7fc2362f8dbab87f33d010c3d0fb9b378f7627bc6043941f79a5f35d8454174c
Instruction Fuzzy Hash: DE315E3620064182DA76EF12E04CBDE7365F3987E2F02422AEF99077A5CB35CD85CB04

Function 000000014000DE68 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46stringCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32 ref: 000000014000DEB9
SHGetSpecialFolderPathW.SHELL32 ref: 000000014000DEE4
lstrcatW.KERNEL32 ref: 000000014000DEF6
lstrcatW.KERNEL32 ref: 000000014000DF04
lstrcatW.KERNEL32 ref: 000000014000DF16

Part of subcall function 000000014000DCC8: GetFullPathNameW.KERNEL32 ref: 000000014000DD09

Strings

.lnk, xrefs: 000000014000DF0A

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: lstrcat$NamePath$FileFolderFullModuleSpecial
String ID: .lnk
API String ID: 3275041929-24824748
Opcode ID: a06a325e7e32df813ea757db018431707d5550562118fe0fc3e70ad6e049c26b
Instruction ID: 04afe0e45acc7f58f2dfefc3f1efc53d181581211c6a1566498dd249aa810b72
Opcode Fuzzy Hash: a06a325e7e32df813ea757db018431707d5550562118fe0fc3e70ad6e049c26b
Instruction Fuzzy Hash: C4114272314A8682EB32DB22E4557DA73A0F78D7C9F805015E68D47979DF3CC249CB50

Function 000000014000DB38 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 41stringCOMMON

Download Yara Rule

APIs

SHGetSpecialFolderPathW.SHELL32 ref: 000000014000DB7B
lstrcatW.KERNEL32 ref: 000000014000DB8D
lstrcatW.KERNEL32 ref: 000000014000DB9B
lstrcatW.KERNEL32 ref: 000000014000DBAD
GetFileAttributesW.KERNEL32 ref: 000000014000DBB8

Strings

.lnk, xrefs: 000000014000DBA1

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: lstrcat$AttributesFileFolderPathSpecial
String ID: .lnk
API String ID: 4281909832-24824748
Opcode ID: 013c0af145ad89499ff850cef9f070864e72159f9424d4119372de7531777bbb
Instruction ID: a433376e6b53be3742247dc48e2d1a2df8e13914ce52744ca49dca0788df4c2a
Opcode Fuzzy Hash: 013c0af145ad89499ff850cef9f070864e72159f9424d4119372de7531777bbb
Instruction Fuzzy Hash: 09116572214A4692EB339B22F4553DA73A0F79D789F805111E78E479B5EF3CC249CB00

Function 000000014001DB14 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 35windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 000000014001DB36
GetSystemMetrics.USER32 ref: 000000014001DB51
GetSystemMetrics.USER32 ref: 000000014001DB5E
LoadImageW.USER32 ref: 000000014001DB80
LoadIconW.USER32 ref: 000000014001DB8E

Strings

shell32, xrefs: 000000014001DB2F

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: LoadMetricsSystem$HandleIconImageModule
String ID: shell32
API String ID: 746619649-4179111565
Opcode ID: 7e36e0e1673bdf692532e9431dc1f7c344c2b3bcb30634e596084fcc3363e06d
Instruction ID: 70e1068e7f156a340762e0867f3a5bf1e32cac208f4588cd48e87ecacdec427e
Opcode Fuzzy Hash: 7e36e0e1673bdf692532e9431dc1f7c344c2b3bcb30634e596084fcc3363e06d
Instruction Fuzzy Hash: D901FB75208B5082FB678B12F8943AA73A5AB9CBC5F551926EF4A077B5DF3DC8448700

Function 000000014000DBEC Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 33stringfileCOMMON

Download Yara Rule

APIs

SHGetSpecialFolderPathW.SHELL32 ref: 000000014000DC2F
lstrcatW.KERNEL32 ref: 000000014000DC41
lstrcatW.KERNEL32 ref: 000000014000DC4F
lstrcatW.KERNEL32 ref: 000000014000DC61
DeleteFileW.KERNEL32 ref: 000000014000DC6C

Strings

.lnk, xrefs: 000000014000DC55

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: lstrcat$DeleteFileFolderPathSpecial
String ID: .lnk
API String ID: 3806928880-24824748
Opcode ID: cabba6a2a5e1bdee8f48826d517b59b701a4278b2c7ae5d72632c92eee333526
Instruction ID: 1b6049455d8045c94f39243e486084faadb2c8e5d335f4299f6257e8b51bd787
Opcode Fuzzy Hash: cabba6a2a5e1bdee8f48826d517b59b701a4278b2c7ae5d72632c92eee333526
Instruction Fuzzy Hash: 14011272214A4692EF329B22F4557DA73A0F79D789F405111AA8E47975EF3CC249CB40

Function 0000000140005254 Relevance: 9.1, APIs: 6, Instructions: 138COMMON

Download Yara Rule

APIs

GetClipBox.GDI32 ref: 00000001400052A0
GetClientRect.USER32 ref: 00000001400052BE

Part of subcall function 00000001400051EC: SetBkColor.GDI32 ref: 0000000140005204
Part of subcall function 00000001400051EC: ExtTextOutW.GDI32 ref: 0000000140005232
Part of subcall function 00000001400051EC: SetBkColor.GDI32 ref: 000000014000523D

GetClipBox.GDI32 ref: 00000001400053D8
SetBkColor.GDI32 ref: 00000001400053E3
ExtTextOutW.GDI32 ref: 0000000140005411
SetBkColor.GDI32 ref: 000000014000541C

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: Color$ClipText$ClientRect
String ID:
API String ID: 2840198628-0
Opcode ID: 657c819af42ebf7f26d011cfceea618806519fe36feb86fd66a1878117d1a741
Instruction ID: f1ffc3c875c73937ea1f088a15420b84735c1c2cc46fd56a80c2127b953eda32
Opcode Fuzzy Hash: 657c819af42ebf7f26d011cfceea618806519fe36feb86fd66a1878117d1a741
Instruction Fuzzy Hash: 955157766187508BD315CF1AB84079AFBA5F3D9B85F60411AFB8643B28DB79D84ACF00

Function 000000014001176C Relevance: 9.1, APIs: 6, Instructions: 74stringtimeCOMMON

Download Yara Rule

APIs

GetDateFormatW.KERNEL32 ref: 00000001400117DA
lstrcatW.KERNEL32 ref: 00000001400117E8
GetTimeFormatW.KERNEL32 ref: 0000000140011817
lstrcatW.KERNEL32 ref: 0000000140011827
lstrcatW.KERNEL32 ref: 0000000140011835
lstrlenW.KERNEL32 ref: 0000000140011872

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: lstrcat$Format$DateTimelstrlen
String ID:
API String ID: 365480835-0
Opcode ID: e3fdd2dcdad3fa91fce4bd44158a1b7b209f9732fa67263d12582367aa8b3393
Instruction ID: 0a58d182bebf9254c63b6763dbd7e1ec27a578a05b8b341b74520de5c815abaf
Opcode Fuzzy Hash: e3fdd2dcdad3fa91fce4bd44158a1b7b209f9732fa67263d12582367aa8b3393
Instruction Fuzzy Hash: CD31F136608B4586EA228F57E85439AB366FB8EBC4F548025EB8D07B75DF3CC585CB04

Function 00000001400091BC Relevance: 9.1, APIs: 6, Instructions: 71COMMONLIBRARYCODE

Download Yara Rule

APIs

free.LIBCMT ref: 0000000140009212
free.LIBCMT ref: 0000000140009224
RaiseException.KERNEL32 ref: 0000000140009253
RaiseException.KERNEL32 ref: 0000000140009269
EnterCriticalSection.KERNEL32 ref: 0000000140009284
LeaveCriticalSection.KERNEL32 ref: 0000000140009298

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: CriticalExceptionRaiseSectionfree$EnterLeave
String ID:
API String ID: 3551343617-0
Opcode ID: ed73c1b417f373f761823b30662a7f29bec581e64a104c18e638798ae2733e48
Instruction ID: 0d82f685da8bbb6fee8261519a0c582728b1d618d49a14be06bb573459986ed8
Opcode Fuzzy Hash: ed73c1b417f373f761823b30662a7f29bec581e64a104c18e638798ae2733e48
Instruction Fuzzy Hash: 67217A32700A40C2EB16DF66E4A17AD7360FB8CFC8F448525EF5907A6ACF78C8968741

Function 000000014002A14C Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

_FF_MSGBANNER.LIBCMT ref: 000000014002A173

Part of subcall function 0000000140029DB8: GetModuleFileNameA.KERNEL32 ref: 0000000140029E7B

Part of subcall function 000000014002B8E8: malloc.LIBCMT ref: 000000014002B907
Part of subcall function 000000014002B8E8: Sleep.KERNEL32 ref: 000000014002B91E

_errno.LIBCMT ref: 000000014002A1B5
free.LIBCMT ref: 000000014002A1EB
_errno.LIBCMT ref: 000000014002A1F0
LeaveCriticalSection.KERNEL32 ref: 000000014002A216

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: _errno$CriticalFileLeaveModuleNameSectionSleepfreemalloc
String ID:
API String ID: 3068740851-0
Opcode ID: 19dbd74d1b4f557b1a711452783cc03b0086d904643248965124c86aff9e1190
Instruction ID: f9186f3a19b96dd40c5c61f10c19ddfc48715476fd44869e62dee15b1a1e589b
Opcode Fuzzy Hash: 19dbd74d1b4f557b1a711452783cc03b0086d904643248965124c86aff9e1190
Instruction Fuzzy Hash: 4021893165564083F662BB57E8443EE6295EB8EBD4F08402DBB4A477E6CF7CCD848700

Function 000000014002F094 Relevance: 9.1, APIs: 6, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

__initconout.LIBCMT ref: 000000014002F0C2

Part of subcall function 00000001400325D0: CreateFileA.KERNEL32 ref: 00000001400325F9

WriteConsoleW.KERNEL32 ref: 000000014002F0EE
GetLastError.KERNEL32 ref: 000000014002F109
GetConsoleOutputCP.KERNEL32 ref: 000000014002F11B
WideCharToMultiByte.KERNEL32 ref: 000000014002F14E
WriteConsoleA.KERNEL32 ref: 000000014002F174

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: Console$Write$ByteCharCreateErrorFileLastMultiOutputWide__initconout
String ID:
API String ID: 2210154019-0
Opcode ID: aadd5e9152424483ef952dc0a785e3261826ec2c6e0f4f8975eb622e326b4f1e
Instruction ID: 51f0a1c2ff3e0e44df9b98ca73789e0e93e947209e979ae097d4cc05b012cb5e
Opcode Fuzzy Hash: aadd5e9152424483ef952dc0a785e3261826ec2c6e0f4f8975eb622e326b4f1e
Instruction Fuzzy Hash: 0D312C31204A4082FB62DB52E8543EA63A0F7897F5F900319FBA907AF4DBBDC955DB40

Function 000000014000EB54 Relevance: 9.0, APIs: 6, Instructions: 49timeCOMMON

Download Yara Rule

APIs

FileTimeToLocalFileTime.KERNEL32 ref: 000000014000EB87
FileTimeToLocalFileTime.KERNEL32 ref: 000000014000EB96
FileTimeToLocalFileTime.KERNEL32 ref: 000000014000EBA5
FileTimeToSystemTime.KERNEL32 ref: 000000014000EBB3
FileTimeToSystemTime.KERNEL32 ref: 000000014000EBC1
FileTimeToSystemTime.KERNEL32 ref: 000000014000EBCF

Part of subcall function 000000014000E30C: TzSpecificLocalTimeToSystemTime.KERNEL32 ref: 000000014000E324

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: Time$File$LocalSystem$Specific
String ID:
API String ID: 2459877898-0
Opcode ID: 6769b9f2814837ccc9b627fe99d552f52f82e558d6a6c9ffa4545fef51b6b731
Instruction ID: 7161712a92c21ead8637d389983684c7ee3d15a288acc2d8301887f5d9c90525
Opcode Fuzzy Hash: 6769b9f2814837ccc9b627fe99d552f52f82e558d6a6c9ffa4545fef51b6b731
Instruction Fuzzy Hash: 0C118F7220498585EE62DB22F5593EAA360EB8CBC9F404121FF4E07669DF3CC54BC700

Function 000000014000738C Relevance: 9.0, APIs: 6, Instructions: 48windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00000001400073B3
SendMessageW.USER32 ref: 00000001400073C6
GetClientRect.USER32 ref: 00000001400073EC
SetBkColor.GDI32 ref: 00000001400073F8
ExtTextOutW.GDI32 ref: 000000014000742E
SetBkColor.GDI32 ref: 0000000140007439

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: Color$ClientMessageParentRectSendText
String ID:
API String ID: 4160086982-0
Opcode ID: 279577d0e16ffe6735817a75d4cf5399436863870df4752a9fbbea469a46e138
Instruction ID: 442311bd51b9d23ec9e18a4bbe39e9f66f677482eceedcda1bf3c411abd1cbde
Opcode Fuzzy Hash: 279577d0e16ffe6735817a75d4cf5399436863870df4752a9fbbea469a46e138
Instruction Fuzzy Hash: DE111732614B8086E761CB16F58876AB7B1F799BE6F604214EF4947BA8CF7CC449CB00

Function 000000014002463C Relevance: 9.0, APIs: 6, Instructions: 37threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 0000000140024646
FlsGetValue.KERNEL32 ref: 0000000140024654
SetLastError.KERNEL32 ref: 00000001400246AC

Part of subcall function 000000014002B954: Sleep.KERNEL32 ref: 000000014002B999

FlsSetValue.KERNEL32 ref: 0000000140024680
GetCurrentThreadId.KERNEL32 ref: 0000000140024694
free.LIBCMT ref: 00000001400246A3

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: ErrorLastValue$CurrentSleepThreadfree
String ID:
API String ID: 4106700288-0
Opcode ID: 201acfdd03fcfe121df5318accc0df6f6f64808154f4bf93b9b87cd795f80b64
Instruction ID: 4179d68eafd8547126f1751adf2716c5d5675962773ab70a5d57703ebee865e5
Opcode Fuzzy Hash: 201acfdd03fcfe121df5318accc0df6f6f64808154f4bf93b9b87cd795f80b64
Instruction Fuzzy Hash: 47014F35201B4182FB579F67A4583AA6291BB8DBE0F588228FF25033F5EE3CD8458715

Function 0000000140005B0C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

SetTextColor.GDI32 ref: 0000000140005B60
SetBkColor.GDI32 ref: 0000000140005B6B
CreateSolidBrush.GDI32 ref: 0000000140005B7F
CallWindowProcW.USER32 ref: 0000000140005BB5

Strings

, xrefs: 0000000140005B57

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: Color$BrushCallCreateProcSolidTextWindow
String ID:
API String ID: 3981015970-1776720792
Opcode ID: 2f3ff881e417d866401c7b4e21ae1d59eaae8a00ce67342fcb8389bb0c39493f
Instruction ID: a4766c602fb169631144e02dac8d122acc668da0a7f7351d038aa0fcec19f809
Opcode Fuzzy Hash: 2f3ff881e417d866401c7b4e21ae1d59eaae8a00ce67342fcb8389bb0c39493f
Instruction Fuzzy Hash: 83114370205B4082FB66EB13B4803AAB3A1A78EBD1F540465FF4903BB5CF78D5868704

Function 0000000140008408 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SHGetMalloc.SHELL32 ref: 0000000140008429
SHBrowseForFolderW.SHELL32 ref: 000000014000845F
SHGetPathFromIDListW.SHELL32 ref: 0000000140008470
MessageBoxW.USER32 ref: 000000014000848F

Strings

Failed to get directory, xrefs: 0000000140008483

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: BrowseFolderFromListMallocMessagePath
String ID: Failed to get directory
API String ID: 624402985-3482270500
Opcode ID: 59e1d6a9d2d761bbed68d6ee15483d37dd9643cec58ff0896e4a2800afa24dc7
Instruction ID: 3d0984d498c2ab468f1c5affe37be72698df49d0432b9d0ab9f1dcf90f0c751d
Opcode Fuzzy Hash: 59e1d6a9d2d761bbed68d6ee15483d37dd9643cec58ff0896e4a2800afa24dc7
Instruction Fuzzy Hash: 7C114272614B8486D722CF16F84478E73A4F388BD0FA94465EB8A47B24CF38D895C740

Function 0000000140001568 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 000000014000159B
SendMessageW.USER32 ref: 00000001400015B5

Part of subcall function 000000014000AF94: lstrlenW.KERNEL32 ref: 000000014000AFE2
Part of subcall function 000000014000AF94: lstrlenW.KERNEL32 ref: 000000014000B004

Part of subcall function 0000000140020E20: _errno.LIBCMT ref: 0000000140020E39

GetDlgItem.USER32 ref: 00000001400015FD
SetWindowTextW.USER32 ref: 000000014000160B

Strings

%s: (%d), xrefs: 00000001400015E0

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: MessageSendlstrlen$ItemTextWindow_errno
String ID: %s: (%d)
API String ID: 4252194696-1966556983
Opcode ID: 95c64502a51654df99c750c72dc9adcdfc2dba3022fa361b73cbc99ab9e95c0b
Instruction ID: d350e42107ca1e0cbec71812192b2dac559a8bb88033cf7263b2be23be0aeb2f
Opcode Fuzzy Hash: 95c64502a51654df99c750c72dc9adcdfc2dba3022fa361b73cbc99ab9e95c0b
Instruction Fuzzy Hash: 13114C72710B8582EB72EB62E4557DA23A1F78CBC9F405121EF8D47B6ADE3CC5858B00

Function 000000014003081C Relevance: 8.8, APIs: 7, Instructions: 36COMMONLIBRARYCODE

Download Yara Rule

APIs

free.LIBCMT ref: 000000014003083A

Part of subcall function 00000001400233E0: HeapFree.KERNEL32 ref: 00000001400233F6
Part of subcall function 00000001400233E0: _errno.LIBCMT ref: 0000000140023400
Part of subcall function 00000001400233E0: GetLastError.KERNEL32 ref: 0000000140023408

free.LIBCMT ref: 000000014003084C
free.LIBCMT ref: 000000014003085E
free.LIBCMT ref: 0000000140030870
free.LIBCMT ref: 0000000140030882
free.LIBCMT ref: 0000000140030894
free.LIBCMT ref: 00000001400308A6

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: free$ErrorFreeHeapLast_errno
String ID:
API String ID: 1012874770-0
Opcode ID: 05969b0a63e5ef97327066bffbc3ebde3a39da6d1ec3dbb39778d697a93ae3e3
Instruction ID: 81f40cfa74acf8b3da505754697cd5e5d9416ad43b98f18e50fbfca890a913ee
Opcode Fuzzy Hash: 05969b0a63e5ef97327066bffbc3ebde3a39da6d1ec3dbb39778d697a93ae3e3
Instruction Fuzzy Hash: 4601277621140091EAA7EB63D4A23EE1361AB8CBD4F540016BB4E879B6CE76D981C391

Function 000000014000899C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 33registrylibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00000001400089BC
GetProcAddress.KERNEL32 ref: 00000001400089D1
RegDeleteKeyW.ADVAPI32 ref: 0000000140008A0D

Strings

Advapi32.dll, xrefs: 00000001400089B5
RegDeleteKeyExW, xrefs: 00000001400089C7

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: AddressDeleteHandleModuleProc
String ID: Advapi32.dll$RegDeleteKeyExW
API String ID: 588496660-2191092095
Opcode ID: b492a6868c76d8596b1642ed53a4bb29bf956baf675d2b632650e1f8e85a2ab5
Instruction ID: aca99bae81c2001e47b863c34a77a564a8f0a9d403ef9922e6393678b56945da
Opcode Fuzzy Hash: b492a6868c76d8596b1642ed53a4bb29bf956baf675d2b632650e1f8e85a2ab5
Instruction Fuzzy Hash: 570174B0202A85A0FF63CB53F9547E923A5B74DBC4F184921AF8E07B70DA38C088C311

Function 0000000140025934 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 18COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 000000014002594B

Part of subcall function 000000014002439C: _getptd.LIBCMT ref: 00000001400243A0

_getptd.LIBCMT ref: 000000014002595D
_getptd.LIBCMT ref: 000000014002596B

Strings

csm, xrefs: 0000000140025943
MOC, xrefs: 000000014002593B

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: _getptd
String ID: MOC$csm
API String ID: 3186804695-1389381023
Opcode ID: 102a9b634d79f4332f45fe088737f1319e88c40b2a227994754c7ec1b1e5185a
Instruction ID: 8976728e49f7bdb9388b030d51783cddd04b4602f69130769ce4e86eefc2a19d
Opcode Fuzzy Hash: 102a9b634d79f4332f45fe088737f1319e88c40b2a227994754c7ec1b1e5185a
Instruction Fuzzy Hash: 35E01A36610100C6E7177BA6D0493EC35A0E75DBA6F86C5AAA384433B3C7BC8DC08A12

Function 000000014002A874 Relevance: 7.7, APIs: 5, Instructions: 199COMMON

Download Yara Rule

APIs

GetStartupInfoA.KERNEL32 ref: 000000014002A899

Part of subcall function 000000014002B954: Sleep.KERNEL32 ref: 000000014002B999

GetFileType.KERNEL32 ref: 000000014002AA16

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: FileInfoSleepStartupType
String ID:
API String ID: 1527402494-0
Opcode ID: bb5c867c1d99e60cf75de4b23b8eb59053141b58cd73c1813e2cab70e4c5971b
Instruction ID: f931d877bb07b17a36fffa76bb0385c9009bc6eecd3fe91272fb392ace2bcd1e
Opcode Fuzzy Hash: bb5c867c1d99e60cf75de4b23b8eb59053141b58cd73c1813e2cab70e4c5971b
Instruction Fuzzy Hash: F8916F7220468486EB228B26D84879927A5F74A7F4F654719EB79473F1DF3CCC86C702

Function 000000014002D5C8 Relevance: 7.7, APIs: 5, Instructions: 161COMMON

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 000000014002D602
_set_statfp.LIBCMT ref: 000000014002D620
_set_statfp.LIBCMT ref: 000000014002D649
_set_statfp.LIBCMT ref: 000000014002D813

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 538368d97fb95966269389a4d75f1f3889576bef91e7ebca293239c9f0aa55f7
Instruction ID: 46829c8c7ca1e6f1109bd8b5248dfc70eecbace757dad75fae2e7767d48bf803
Opcode Fuzzy Hash: 538368d97fb95966269389a4d75f1f3889576bef91e7ebca293239c9f0aa55f7
Instruction Fuzzy Hash: 45619436514D4885F6679F36A4543EAB360BB597D0F10860BBB9A675F4EF388C86CA00

Function 00000001400285F0 Relevance: 7.6, APIs: 5, Instructions: 122COMMONLIBRARYCODE

Download Yara Rule

APIs

_getptd.LIBCMT ref: 000000014002860F

Part of subcall function 000000014002822C: _getptd.LIBCMT ref: 0000000140028236

Part of subcall function 00000001400282E8: GetOEMCP.KERNEL32 ref: 0000000140028312

Part of subcall function 000000014002B8E8: malloc.LIBCMT ref: 000000014002B907
Part of subcall function 000000014002B8E8: Sleep.KERNEL32 ref: 000000014002B91E

free.LIBCMT ref: 000000014002869B

Part of subcall function 00000001400233E0: HeapFree.KERNEL32 ref: 00000001400233F6
Part of subcall function 00000001400233E0: _errno.LIBCMT ref: 0000000140023400
Part of subcall function 00000001400233E0: GetLastError.KERNEL32 ref: 0000000140023408

free.LIBCMT ref: 0000000140028783
free.LIBCMT ref: 00000001400287B3
_errno.LIBCMT ref: 00000001400287B8

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: free$_errno_getptd$ErrorFreeHeapLastSleepmalloc
String ID:
API String ID: 1803835655-0
Opcode ID: e52dc13354a6d2d63758cef695f0df984d9a43070c9da0b8ef6f5563e672d7ed
Instruction ID: 67fc43d42368c29778d5f6303e962a8f7fb9bd6a80975c2cc915b4430b8991d1
Opcode Fuzzy Hash: e52dc13354a6d2d63758cef695f0df984d9a43070c9da0b8ef6f5563e672d7ed
Instruction Fuzzy Hash: EC519C3A20564086E766DF27E8403EDB6A5F789BD4F24421AFF9A473B5CB38C842C700

Function 000000014000907C Relevance: 7.6, APIs: 5, Instructions: 82registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 00000001400090CF
RegCloseKey.ADVAPI32 ref: 00000001400090E9
RegEnumKeyExW.ADVAPI32 ref: 0000000140009152
RegCloseKey.ADVAPI32 ref: 0000000140009166
RegCloseKey.ADVAPI32 ref: 0000000140009190

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: Close$EnumOpen
String ID:
API String ID: 138425441-0
Opcode ID: 1193fdcbd1d9a5aa403b48b930ffa08f71031b6f56217856e5e3945cdc72648a
Instruction ID: 6cecd80d60d350dfb10401f3ec94ec3c35dc388fbbdaf79d70c29bc06a3a4aaa
Opcode Fuzzy Hash: 1193fdcbd1d9a5aa403b48b930ffa08f71031b6f56217856e5e3945cdc72648a
Instruction Fuzzy Hash: 7631ED76209B4186E762CB56F8943AAB7A4F7CC7D0F540125FB8D83B69DF79C4858B00

Function 000000014000125C Relevance: 7.6, APIs: 6, Instructions: 77COMMON

Download Yara Rule

APIs

rand.LIBCMT ref: 000000014000129E
rand.LIBCMT ref: 00000001400012B4
rand.LIBCMT ref: 00000001400012CC
rand.LIBCMT ref: 00000001400012E4
rand.LIBCMT ref: 00000001400012FC
rand.LIBCMT ref: 0000000140001316

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: rand
String ID:
API String ID: 415692148-0
Opcode ID: 59dcf43f60280dc758562654a5c57087e8c2ea166ee7f9ccf4d7375d91ac2a6a
Instruction ID: 634ef7d60cf11f9f40ad2295604fa5063a29d62b97fb22bbccf23448785e3aeb
Opcode Fuzzy Hash: 59dcf43f60280dc758562654a5c57087e8c2ea166ee7f9ccf4d7375d91ac2a6a
Instruction Fuzzy Hash: 47210573521A1442E7099E7EDC063D92187D3E9381F2CC229F2818BAA7C93CE5456254

Function 00000001400235EC Relevance: 7.6, APIs: 5, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,00000001400236FD,?,?,?,?,000000014000AFD0), ref: 0000000140023615
DecodePointer.KERNEL32(?,?,?,00000001400236FD,?,?,?,?,000000014000AFD0), ref: 0000000140023624

Part of subcall function 000000014002B8A0: _errno.LIBCMT ref: 000000014002B8A9

EncodePointer.KERNEL32(?,?,?,00000001400236FD,?,?,?,?,000000014000AFD0), ref: 00000001400236A1

Part of subcall function 000000014002B9D8: realloc.LIBCMT ref: 000000014002BA03
Part of subcall function 000000014002B9D8: Sleep.KERNEL32 ref: 000000014002BA1F

EncodePointer.KERNEL32(?,?,?,00000001400236FD,?,?,?,?,000000014000AFD0), ref: 00000001400236B0
EncodePointer.KERNEL32(?,?,?,00000001400236FD,?,?,?,?,000000014000AFD0), ref: 00000001400236BC

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: Pointer$Encode$Decode$Sleep_errnorealloc
String ID:
API String ID: 1310268301-0
Opcode ID: ea76b814063291d8411bb4e9c76abd750005dd812113eac47c963c6a5b98230c
Instruction ID: d52509031a2a65f19880dcd2979f8082bf3554f7947dcdca139e2c84a90965c9
Opcode Fuzzy Hash: ea76b814063291d8411bb4e9c76abd750005dd812113eac47c963c6a5b98230c
Instruction Fuzzy Hash: D221713131269451EB02EB53E94D3D9A255B34DBC0F949C2EFB8D0B776DA78C880C305

Function 000000014001D8D0 Relevance: 7.5, APIs: 5, Instructions: 47windowCOMMON

Download Yara Rule

APIs

MapWindowPoints.USER32 ref: 000000014001D906
OffsetWindowOrgEx.GDI32 ref: 000000014001D920
SendMessageW.USER32 ref: 000000014001D933
OffsetWindowOrgEx.GDI32 ref: 000000014001D952
CallWindowProcW.USER32 ref: 000000014001D972

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: Window$Offset$CallMessagePointsProcSend
String ID:
API String ID: 2294167712-0
Opcode ID: 73959b250ca702b0d1639cfd3c92fda08340a667c3619c9b0616eb7da8210f50
Instruction ID: 9ce2473cdb658e290da9a4340f0c091c8792b6ea2e6b5be4f335029d717e9c0b
Opcode Fuzzy Hash: 73959b250ca702b0d1639cfd3c92fda08340a667c3619c9b0616eb7da8210f50
Instruction Fuzzy Hash: 8D113D76725B4486E751CB13F548BAE73A1E789FD6F505511EF4A07B24CB38C548CB40

Function 000000014002E288 Relevance: 7.5, APIs: 5, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 000000014002E2BF
GetCurrentProcessId.KERNEL32 ref: 000000014002E2CA
GetCurrentThreadId.KERNEL32 ref: 000000014002E2D6
GetTickCount.KERNEL32 ref: 000000014002E2E2
QueryPerformanceCounter.KERNEL32 ref: 000000014002E2F3

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: 5209f588cc2fa609681d6e1dcbc770fa02fed9718b0bdb0cac7482956c3fbddf
Instruction ID: 6bddc6cb4385633a7a56087d2fe727c6de6f38ea41639c96d71a48019dcc14d8
Opcode Fuzzy Hash: 5209f588cc2fa609681d6e1dcbc770fa02fed9718b0bdb0cac7482956c3fbddf
Instruction Fuzzy Hash: AE016931269B4082EB928F23E8443966364F74DBD0F552621FF5A477B4DB3CC9958300

Function 0000000140009400 Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 000000014000941B

Part of subcall function 00000001400091BC: free.LIBCMT ref: 0000000140009212
Part of subcall function 00000001400091BC: free.LIBCMT ref: 0000000140009224

LeaveCriticalSection.KERNEL32 ref: 000000014000942E
DeleteCriticalSection.KERNEL32 ref: 0000000140009442
free.LIBCMT ref: 000000014000945A
free.LIBCMT ref: 000000014000946D

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: free$CriticalSection$DeleteEnterLeave
String ID:
API String ID: 3880800478-0
Opcode ID: ef4fe7bb0bd9fde0c2e74318e35e95a2e6f898e4222a9677e76b035138b548e7
Instruction ID: 3abafb19e856ceb92d784894e806af6a573dbd44d83d50d386ffe0c0706fc5c2
Opcode Fuzzy Hash: ef4fe7bb0bd9fde0c2e74318e35e95a2e6f898e4222a9677e76b035138b548e7
Instruction Fuzzy Hash: 6A018F72600B4186EF1ADF72E4A43ED2360EB5CF88F544414EB4A072B6CF38CA89C390

Function 000000014002622C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 143COMMONLIBRARYCODE

Download Yara Rule

APIs

_getptd.LIBCMT ref: 000000014002625D
_getptd.LIBCMT ref: 000000014002627C
_CallSETranslator.LIBCMT ref: 00000001400262BD

Part of subcall function 000000014002186C: _getptd.LIBCMT ref: 0000000140021893

Strings

MOC, xrefs: 0000000140026292

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: _getptd$CallTranslator
String ID: MOC
API String ID: 3569367362-624257665
Opcode ID: 6335d35dea8cc251e99d838233b3b38bf4b47131f68ff503f540dd34b9688aea
Instruction ID: 1f7a762585c6ee52e35eb0b646a22eee5757ca2703cb31e07a479bd70b6aa6ba
Opcode Fuzzy Hash: 6335d35dea8cc251e99d838233b3b38bf4b47131f68ff503f540dd34b9688aea
Instruction Fuzzy Hash: 1A61A372604BC4D6DB21DB66E4843EDB3A1F788BC8F04451AEB8E47AA5DF78C955C700

Function 0000000140003E68 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 126stringCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014000AF94: lstrlenW.KERNEL32 ref: 000000014000AFE2
Part of subcall function 000000014000AF94: lstrlenW.KERNEL32 ref: 000000014000B004

GetOpenFileNameW.COMDLG32 ref: 0000000140003FA1
lstrlenW.KERNEL32 ref: 0000000140003FB4
lstrlenW.KERNEL32 ref: 0000000140003FF9

Strings

(*.txt), xrefs: 0000000140003F49

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: lstrlen$FileNameOpen
String ID: (*.txt)
API String ID: 2045520122-245773581
Opcode ID: 5f225a8f711fdea94c8f4f23b8fe78dc2b421c444eab590216c524ed82063591
Instruction ID: 49d6e0f9d1ea1d7ed09f542c2050d084741786c08fffcc93ae19efadcecd5051
Opcode Fuzzy Hash: 5f225a8f711fdea94c8f4f23b8fe78dc2b421c444eab590216c524ed82063591
Instruction Fuzzy Hash: B9511C72204B8186E762DB12E8443DE73A5F7C87E4F544225FB9E436AADF38C955CB40

Function 0000000140010D14 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 107windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 0000000140010DC8
GetWindowRect.USER32 ref: 0000000140010DEA
SendMessageW.USER32 ref: 0000000140010E05

Part of subcall function 000000014000AF94: lstrlenW.KERNEL32 ref: 000000014000AFE2
Part of subcall function 000000014000AF94: lstrlenW.KERNEL32 ref: 000000014000B004

Part of subcall function 000000014000E0EC: InitCommonControlsEx.COMCTL32 ref: 000000014000E121
Part of subcall function 000000014000E0EC: CreateWindowExW.USER32 ref: 000000014000E17E
Part of subcall function 000000014000E0EC: SendMessageW.USER32 ref: 000000014000E206
Part of subcall function 000000014000E0EC: SendMessageW.USER32 ref: 000000014000E228

Strings

H, xrefs: 0000000140010D98

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: MessageSend$Windowlstrlen$CommonControlsCreateInitRect
String ID: H
API String ID: 1372791256-2852464175
Opcode ID: 50b1fe00eeb27e1acbfef57b8fab6ad99f2f5054a2e963192ff346d98eb9d003
Instruction ID: a3e4548a82bb412857e3852e90ef64b7f01243e854d6380213d8322776bf8cf7
Opcode Fuzzy Hash: 50b1fe00eeb27e1acbfef57b8fab6ad99f2f5054a2e963192ff346d98eb9d003
Instruction Fuzzy Hash: 40417972310A8086EB52CB17E8507EA73A1F789BE4F144625BBAD47BE5CB78C5458700

Function 000000014002059C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 66COMMON

Download Yara Rule

APIs

Part of subcall function 0000000140021158: RaiseException.KERNEL32 ref: 00000001400211D8

DeleteCriticalSection.KERNEL32 ref: 000000014002069D
free.LIBCMT ref: 00000001400206AC

Part of subcall function 00000001400233E0: HeapFree.KERNEL32 ref: 00000001400233F6
Part of subcall function 00000001400233E0: _errno.LIBCMT ref: 0000000140023400
Part of subcall function 00000001400233E0: GetLastError.KERNEL32 ref: 0000000140023408

Strings

string too long, xrefs: 00000001400205AC
invalid string position, xrefs: 0000000140020628, 0000000140020637

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: CriticalDeleteErrorExceptionFreeHeapLastRaiseSection_errnofree
String ID: invalid string position$string too long
API String ID: 547437092-4289949731
Opcode ID: 35f3f04cad14892041986ba513368dba0a64224294ebc354842753fda4ce4678
Instruction ID: 203c419a48c638351f67f03f43efd1dd6b3773767cdf3a334ac412b95512d966
Opcode Fuzzy Hash: 35f3f04cad14892041986ba513368dba0a64224294ebc354842753fda4ce4678
Instruction Fuzzy Hash: B5313E72205B4492EB22DB52E4503DA7360FBD93B4F800215B7AC47AF6EF78C649C740

Function 000000014001D7D8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 000000014001D870
SendMessageW.USER32 ref: 000000014001D88F
SendMessageW.USER32 ref: 000000014001D8A6

Strings

0, xrefs: 000000014001D85B

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: MessageSend
String ID: 0
API String ID: 3850602802-4108050209
Opcode ID: 93dad9285767f3d4440683608dd4babf6ef21b431dc14772969b4446d2586301
Instruction ID: c2d0fa74d301afe80e333ab08432797edbcaf1f182be5db997229c506366fc89
Opcode Fuzzy Hash: 93dad9285767f3d4440683608dd4babf6ef21b431dc14772969b4446d2586301
Instruction Fuzzy Hash: 96214F722097D48AF7629B12E45079BB7A1F7D8B84F444225AF890BB59CF7CC549CB40

Function 000000014001D9BC Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 43stringCOMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32 ref: 000000014001DA16
GetTempFileNameW.KERNEL32 ref: 000000014001DA4A
lstrcatW.KERNEL32 ref: 000000014001DA58

Strings

NewFileTime, xrefs: 000000014001DA38

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: Temp$FileNamePathlstrcat
String ID: NewFileTime
API String ID: 3812338829-2104491786
Opcode ID: 5a1a0d975d98f0c99ab9175760d88b47d3243777165d4e149d69e8d4a824f8f7
Instruction ID: c96bba4ab549cf5ab1acc087190ca6b82ff2930029193e7636dcf21d10d1c241
Opcode Fuzzy Hash: 5a1a0d975d98f0c99ab9175760d88b47d3243777165d4e149d69e8d4a824f8f7
Instruction Fuzzy Hash: 76113072224A8582EA22DB16F5917DAA361F7C8BC5F845015FB8A07A6EDF7CC245CB40

Function 0000000140004EC8 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 0000000140004EFA
GetProcAddress.KERNEL32 ref: 0000000140004F16

Strings

GetThemeColor, xrefs: 0000000140004F0C
UxTheme.dll, xrefs: 0000000140004EF3

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetThemeColor$UxTheme.dll
API String ID: 2574300362-1403370624
Opcode ID: f2b40e43dee3695a01d3c1b6fc70e1c68474e74a5aed59a950d44f8c79eba9be
Instruction ID: 3a1bf0a2fed9506417a1ba60ec02f12143f3cc9f7321dfa03a3b7432066aa429
Opcode Fuzzy Hash: f2b40e43dee3695a01d3c1b6fc70e1c68474e74a5aed59a950d44f8c79eba9be
Instruction Fuzzy Hash: 0C010871616B8196EB12CF07B4503AAA3A0BB8CBD4F484525FF8D43B65DF38D5018744

Function 000000014001D740 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 36windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 000000014001D768
SendMessageW.USER32 ref: 000000014001D7A6
SendMessageW.USER32 ref: 000000014001D7BA

Strings

0, xrefs: 000000014001D791

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: MessageSend
String ID: 0
API String ID: 3850602802-4108050209
Opcode ID: 2340f5c4874cb2bea06ad2aff2c505c9f9957da0decfd7de850667791c93fd96
Instruction ID: 6bc6557a2fe11d61588e44f88cba7dc157cd7961b52c261ef9d7ff5259c9d41d
Opcode Fuzzy Hash: 2340f5c4874cb2bea06ad2aff2c505c9f9957da0decfd7de850667791c93fd96
Instruction Fuzzy Hash: 28015A7231479086E7219F12B40478BB7A1F389BC4F948225EF8907F19CF38C5528B00

Function 000000014001DD48 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 31libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 000000014001DD6B
GetProcAddress.KERNEL32 ref: 000000014001DD9C

Strings

SetMenuInfo, xrefs: 000000014001DD95
USER32.DLL, xrefs: 000000014001DD64

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: SetMenuInfo$USER32.DLL
API String ID: 2574300362-3329878150
Opcode ID: 3aef8be94d7436ed62aaaec43e7db3bcff190f7f3432346d657dbf1ba4d477ab
Instruction ID: d54bbe345d64b50dd9f5dafb3766ef8168ede6d663848f51b421a2ee3dc4acb4
Opcode Fuzzy Hash: 3aef8be94d7436ed62aaaec43e7db3bcff190f7f3432346d657dbf1ba4d477ab
Instruction Fuzzy Hash: CA01B274212B0485EE57AB57F9503E533A1AB4EBC8F584426BA4D4B770EF3DC8958700

Function 0000000140004DF8 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 0000000140004E22
GetProcAddress.KERNEL32 ref: 0000000140004E3E

Strings

OpenThemeData, xrefs: 0000000140004E34
UxTheme.dll, xrefs: 0000000140004E1B

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: OpenThemeData$UxTheme.dll
API String ID: 2574300362-2669680030
Opcode ID: c18bb3a8216c8a16abe00f1191efa965295245dbf3cd5a62f4ee2b40511cc02b
Instruction ID: 0d24317b48df186c9a4c60a73987f845b20e3df5069d8a55247ae0ba6abbfac3
Opcode Fuzzy Hash: c18bb3a8216c8a16abe00f1191efa965295245dbf3cd5a62f4ee2b40511cc02b
Instruction Fuzzy Hash: 70F0F4B1201B8485EA56CB53F98439A63A0B78DBC4F884470AB5D47BB4EF78CA858300

Function 000000014001E078 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 29COMMON

Download Yara Rule

APIs

GetSysColor.USER32 ref: 000000014001E099
CreateSolidBrush.GDI32 ref: 000000014001E0A3

Strings

, xrefs: 000000014001E082
(, xrefs: 000000014001E0C4

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: BrushColorCreateSolid
String ID: $(
API String ID: 2798526982-1539405979
Opcode ID: 84242a94481f37e56b1524efe97fba5957b5d415659088d58ec6db768573046f
Instruction ID: 472f1bddf64d8595a2ca697bb951a3da52325ed307a5bcf38187378ed6720a07
Opcode Fuzzy Hash: 84242a94481f37e56b1524efe97fba5957b5d415659088d58ec6db768573046f
Instruction Fuzzy Hash: 86F04F7130474086EB229B52F54539973A1F78D7C4F444124FB4907767DF3DC5488B00

Function 000000014000E248 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 000000014000E273
GetProcAddress.KERNEL32 ref: 000000014000E28F

Strings

SetWindowTheme, xrefs: 000000014000E285
UxTheme.dll, xrefs: 000000014000E26C

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: SetWindowTheme$UxTheme.dll
API String ID: 2574300362-2822173195
Opcode ID: d5c94aa1f9f7d21a3bd2feaa51f25541e5b84533e0ec88b7d13967f6030f774a
Instruction ID: 30fd374cc613d4effe27f67bf42de58f2ee512cd8bb83aed656eec6bac997c25
Opcode Fuzzy Hash: d5c94aa1f9f7d21a3bd2feaa51f25541e5b84533e0ec88b7d13967f6030f774a
Instruction Fuzzy Hash: 7CF03434202B8081EA56CB43FA5039A6368AB8DBD0F489424EF4D13B78EF38C5818700

Function 0000000140004E68 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 26libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 0000000140004E8A
GetProcAddress.KERNEL32 ref: 0000000140004EA6

Strings

CloseThemeData, xrefs: 0000000140004E9C
UxTheme.dll, xrefs: 0000000140004E83

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: CloseThemeData$UxTheme.dll
API String ID: 2574300362-2595282165
Opcode ID: e8c387d641fb8e51e3c03c20841daa632c8e3f3ba99025b5eab46648e8ead2fb
Instruction ID: ee40c2586d0c6acff68425429279a32b68e877504b21aa29b543cfed7d631a7a
Opcode Fuzzy Hash: e8c387d641fb8e51e3c03c20841daa632c8e3f3ba99025b5eab46648e8ead2fb
Instruction Fuzzy Hash: C9F01CB1301B8486EB52EB97F9843A623E0B74DBC4F880430EB0D43B71DE78D9848340

Function 0000000140005E44 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 0000000140005E6F
GetWindowLongPtrW.USER32 ref: 0000000140005E7D
SetWindowLongPtrW.USER32 ref: 0000000140005E99

Strings

, xrefs: 0000000140005E5D

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-1776720792
Opcode ID: 3aeaa558b6b2c0159eccfc5278b3035ece5f02e62fdf3b1267b3259ea6fc7b29
Instruction ID: 401b7198a9540c9bb7341a056e6629a793f68858d16f97e61dc7b9c0826600a1
Opcode Fuzzy Hash: 3aeaa558b6b2c0159eccfc5278b3035ece5f02e62fdf3b1267b3259ea6fc7b29
Instruction Fuzzy Hash: F0F039B0200B4642EB26AB6778157D63351AB8E7D5FA41260BE260B7F2DB39C5968308

Function 00000001400082E8 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 00000001400082FF
GetProcAddress.KERNEL32 ref: 000000014000831B

Strings

SetProcessDPIAware, xrefs: 0000000140008311
user32.dll, xrefs: 00000001400082F8

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: SetProcessDPIAware$user32.dll
API String ID: 2574300362-1137607222
Opcode ID: c7878aff7cfcc8d1d46f41128e1f4d618a258f57f224b7a3f1dad0c7af04273c
Instruction ID: 5eaeb2a78d624d1a81023cbc0472bfdd4b09cff9311590694e13c127f8a58050
Opcode Fuzzy Hash: c7878aff7cfcc8d1d46f41128e1f4d618a258f57f224b7a3f1dad0c7af04273c
Instruction Fuzzy Hash: E0E05270612B0592ED67DB57A8543D923A4BB8DB80F941814EE4D43770EF3896458310

Function 0000000140022340 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 000000014002234F
GetProcAddress.KERNEL32 ref: 0000000140022364

Strings

mscoree.dll, xrefs: 0000000140022348
CorExitProcess, xrefs: 000000014002235A

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 1646373207-1276376045
Opcode ID: a477fdc8a25a44b7675dc969a54300d71a7e7f53510a1c8ac4380ac5c4b4df6c
Instruction ID: a015aff6f4427f667b4b09c7dc2eb7dd83fabefeecff2e3d4ae01b07386c79d8
Opcode Fuzzy Hash: a477fdc8a25a44b7675dc969a54300d71a7e7f53510a1c8ac4380ac5c4b4df6c
Instruction Fuzzy Hash: 13E0127075270552FE1B9B92A8843AF13906B4D784F48182C9B1E073B0DE7C9958C310

Function 0000000140025980 Relevance: 6.1, APIs: 4, Instructions: 107COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000000014002162C: _getptd.LIBCMT ref: 0000000140021630

_getptd.LIBCMT ref: 00000001400259C2
_SetImageBase.LIBCMT ref: 0000000140025A98
_getptd.LIBCMT ref: 0000000140025ACB
_getptd.LIBCMT ref: 0000000140025AD9

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: _getptd$BaseImage
String ID:
API String ID: 2482573191-0
Opcode ID: 3916a3e25778a8367ef24eaa4cf08520b0aeb0be183adc4b289c53aa8dff1cf7
Instruction ID: 0e915f88a97122ce4faf3b51c3f75c38eb6c9defd2392851d1b8b8305ec8327b
Opcode Fuzzy Hash: 3916a3e25778a8367ef24eaa4cf08520b0aeb0be183adc4b289c53aa8dff1cf7
Instruction Fuzzy Hash: 5A41D93260060585EA22BB67E4863ED7791B79CBD9F49821AFF59437F2DB34CC82C605

Function 0000000140002134 Relevance: 6.1, APIs: 4, Instructions: 79stringCOMMON

Download Yara Rule

APIs

LoadStringW.USER32 ref: 0000000140002171
lstrlenW.KERNEL32 ref: 0000000140002195
LoadStringW.USER32 ref: 00000001400021DC
lstrlenW.KERNEL32 ref: 0000000140002205

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: LoadStringlstrlen
String ID:
API String ID: 1897449643-0
Opcode ID: bdef103284028c455be90ae8b7cffa1e7fb7f46af017d6971ac4c7f3d8552742
Instruction ID: 4f7a4d769f4e655427fa8ca216a08505d3380d194db964f2c8460e2026e85dd1
Opcode Fuzzy Hash: bdef103284028c455be90ae8b7cffa1e7fb7f46af017d6971ac4c7f3d8552742
Instruction Fuzzy Hash: 6531487230468085EA22EB26E8983EA62A0B79CBC8F554535AF8E87765DE38C945C740

Function 00000001400118B0 Relevance: 6.1, APIs: 4, Instructions: 62stringtimeCOMMON

Download Yara Rule

APIs

GetTimeFormatW.KERNEL32 ref: 000000014001191E
lstrcatW.KERNEL32 ref: 000000014001192E
lstrcatW.KERNEL32 ref: 000000014001193C
lstrlenW.KERNEL32 ref: 0000000140011979

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: lstrcat$FormatTimelstrlen
String ID:
API String ID: 2673408140-0
Opcode ID: d38802d239e3f24e65dadd489ec9e8b6e2ccd952fbbed3ae7944fa5c925024f9
Instruction ID: 82d31f4fca9db3e877078faec2b3d94b4f758b807147c64aedeb77dbaeb5fab3
Opcode Fuzzy Hash: d38802d239e3f24e65dadd489ec9e8b6e2ccd952fbbed3ae7944fa5c925024f9
Instruction Fuzzy Hash: 93210276208B4486EA228F17E85439AB361FB8EBC4F448025EF8D07B65DF3CC4858B40

Function 000000014000E528 Relevance: 6.1, APIs: 4, Instructions: 55timeCOMMON

Download Yara Rule

APIs

SystemTimeToFileTime.KERNEL32 ref: 000000014000E576
LocalFileTimeToFileTime.KERNEL32 ref: 000000014000E584
FileTimeToLocalFileTime.KERNEL32 ref: 000000014000E599
FileTimeToSystemTime.KERNEL32 ref: 000000014000E5A9

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: Time$File$LocalSystem
String ID:
API String ID: 1748579591-0
Opcode ID: 1bc2897713aa0559016f372cfba5fe574e7f30da4d9d3829c2e4da8a486cf9eb
Instruction ID: 410d881a86ad0cf46a9b4913303012d326bbc5bb44c73a206b71bcb9eba0f4a3
Opcode Fuzzy Hash: 1bc2897713aa0559016f372cfba5fe574e7f30da4d9d3829c2e4da8a486cf9eb
Instruction Fuzzy Hash: A0213D76108A90D6D736CF12E8003AAB370F79CB89F144512FBD943AA8EB7CC595CB04

Function 0000000140011200 Relevance: 6.0, APIs: 4, Instructions: 50stringtimeCOMMON

Download Yara Rule

APIs

GetTimeFormatW.KERNEL32 ref: 000000014001125E
lstrlenW.KERNEL32 ref: 000000014001126C
lstrlenW.KERNEL32 ref: 000000014001128C
lstrlenW.KERNEL32 ref: 00000001400112AC

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: lstrlen$FormatTime
String ID:
API String ID: 2032843652-0
Opcode ID: c1c63609f6aa10a15d2eb9c994342222697a51d3c80218c3915525f6e33abac8
Instruction ID: f90e6cd2b0eef361529040bf9577253295b304ade0aecb57122d640b0f4778dc
Opcode Fuzzy Hash: c1c63609f6aa10a15d2eb9c994342222697a51d3c80218c3915525f6e33abac8
Instruction Fuzzy Hash: 3C210871614A8182EA52DB62F8543DA7361F7CC7C4F841522BB4E47A76DF3CC649C740

Function 000000014001E9EC Relevance: 6.0, APIs: 4, Instructions: 44threadwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014001E078: GetSysColor.USER32 ref: 000000014001E099
Part of subcall function 000000014001E078: CreateSolidBrush.GDI32 ref: 000000014001E0A3

GetCurrentThreadId.KERNEL32 ref: 000000014001EA18
SetWindowsHookExW.USER32 ref: 000000014001EA2E
TrackPopupMenuEx.USER32 ref: 000000014001EA60
UnhookWindowsHookEx.USER32 ref: 000000014001EA81

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: HookWindows$BrushColorCreateCurrentMenuPopupSolidThreadTrackUnhook
String ID:
API String ID: 1107585696-0
Opcode ID: e5fba189729172175edc5ae47572d2c06692692c55b78c3903395ea91ff22167
Instruction ID: 527e0a7af27238916b32e5bc7d86914fc8b14973477c020148ec9fc0c3c2a07e
Opcode Fuzzy Hash: e5fba189729172175edc5ae47572d2c06692692c55b78c3903395ea91ff22167
Instruction Fuzzy Hash: B2114632214B9087E7229B12F84579AB3A1F38DBE4F248514FB890BBB5CF7DC0658B00

Function 0000000140024560 Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

FlsFree.KERNEL32 ref: 000000014002456F
DeleteCriticalSection.KERNEL32 ref: 000000014002A0E6
free.LIBCMT ref: 000000014002A0EF
DeleteCriticalSection.KERNEL32 ref: 000000014002A10F

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: CriticalDeleteSection$Freefree
String ID:
API String ID: 1250194111-0
Opcode ID: 7fd0ce3227c5847081759df8311bdbacdcdc0ab3b7a9ea5f430d96f47b8c2cd5
Instruction ID: 4a7d07857490f39b4bf37aa71b1a52bc97b39607d10a106cd12c50d37c8aabf1
Opcode Fuzzy Hash: 7fd0ce3227c5847081759df8311bdbacdcdc0ab3b7a9ea5f430d96f47b8c2cd5
Instruction Fuzzy Hash: 91115E32A05A4087FB2A8F13E4843997360F74DBE4F584619FB6507BB5CF38D9A58705

Function 0000000140021C38 Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000000140021C4D

Part of subcall function 0000000140021014: DecodePointer.KERNEL32 ref: 000000014002103B

_flush.LIBCMT ref: 0000000140021C76
_freebuf.LIBCMT ref: 0000000140021C80

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: DecodePointer_errno_flush_freebuf
String ID:
API String ID: 1889905870-0
Opcode ID: 58728a3f630adc67d94fdad6948d31af9eb0acb2d760c64e054a1a47538d4bb7
Instruction ID: ae6e03caef564e86e8df9f4497866eca7c87f26f7a99dc8372eedd6dc4ac7bea
Opcode Fuzzy Hash: 58728a3f630adc67d94fdad6948d31af9eb0acb2d760c64e054a1a47538d4bb7
Instruction Fuzzy Hash: CB01B136A0454042FF26ABB794523F961A1ABEC7E8F39432CBB55871F2CA39CD118240

Function 000000014002EB60 Relevance: 6.0, APIs: 4, Instructions: 36COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 000000014002EB69
_errno.LIBCMT ref: 000000014002EB71

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: bf50f63cb61c9305a40a1a1abcd9afde6bed67695bdd05177c1e729153833394
Instruction ID: 0b9163e9ebaef6462607a935f9b5d9520b04c91e54d25fb77240731f235db8ea
Opcode Fuzzy Hash: bf50f63cb61c9305a40a1a1abcd9afde6bed67695bdd05177c1e729153833394
Instruction Fuzzy Hash: C5018F72A1468885FB176BA689913E977519B987A9F50831DFB2A073F2CB7C48058610

Function 000000014000730C Relevance: 6.0, APIs: 4, Instructions: 34COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32 ref: 000000014000732F
GetWindowLongW.USER32 ref: 000000014000733F
SetWindowLongW.USER32 ref: 000000014000735B
InvalidateRect.USER32 ref: 000000014000736B

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: LongWindow$InvalidateRect
String ID:
API String ID: 16496253-0
Opcode ID: e1aefd2e050614edb765658698b8a053f2dafe54bad3a36ca0e4eb58ba6d914a
Instruction ID: a08a573b916e3c0210a98b691144cea3e46799110ddcac1f6bf3b83e0a3f6963
Opcode Fuzzy Hash: e1aefd2e050614edb765658698b8a053f2dafe54bad3a36ca0e4eb58ba6d914a
Instruction Fuzzy Hash: 9DF0A4B5B15610C2F73A8B27A405B996391EB8CBD0F284111DE19477B4DA39C581D741

Function 00000001400269F0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 146COMMONLIBRARYCODE

Download Yara Rule

APIs

_getptd.LIBCMT ref: 0000000140026A14

Strings

csm, xrefs: 0000000140026A41
csm, xrefs: 0000000140026B4B

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: _getptd
String ID: csm$csm
API String ID: 3186804695-3733052814
Opcode ID: be36e2eccabefad928e6174177a85db731b46fb05eb81e2b2b80393f09926bea
Instruction ID: fe925c8b4e7a68279575b16d94bd537d5f6b645d3f9532430693979a6dfb6981
Opcode Fuzzy Hash: be36e2eccabefad928e6174177a85db731b46fb05eb81e2b2b80393f09926bea
Instruction Fuzzy Hash: CE516F321046808AEB669F3794547EDB6A0F35CBD4F04812EFB4997BA5CB38CC91CB42

Function 00000001400226F8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 90COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 000000014002271F

Part of subcall function 0000000140021014: DecodePointer.KERNEL32 ref: 000000014002103B

_errno.LIBCMT ref: 00000001400227CC

Strings

@, xrefs: 000000014002274F

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: _errno$DecodePointer
String ID: @
API String ID: 2310398763-2766056989
Opcode ID: eee9a7467dff28915ff0ad97e698c2aba002b96eb8372f10dc970808afbc5b2f
Instruction ID: 79574fa047db2aa7f4e24d5561e3477577875db66987740ca4c39ea5600cf2c3
Opcode Fuzzy Hash: eee9a7467dff28915ff0ad97e698c2aba002b96eb8372f10dc970808afbc5b2f
Instruction Fuzzy Hash: 4E310A72618A4052FB1ADB7798913ED2291A79CBE4F648A1DFB2D472F5CF3CCC518200

Function 0000000140022830 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 85COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000000140022850

Part of subcall function 0000000140021014: DecodePointer.KERNEL32 ref: 000000014002103B

_errno.LIBCMT ref: 00000001400228FA

Strings

@, xrefs: 000000014002287D

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: _errno$DecodePointer
String ID: @
API String ID: 2310398763-2766056989
Opcode ID: ef935c08709b0715828a8220c120331e33017be1d762c6943db2ce76dcd46653
Instruction ID: 43c1e9af875613abd21283c5106eb7cd6c0621ce129b4895a84636c0b8014eb5
Opcode Fuzzy Hash: ef935c08709b0715828a8220c120331e33017be1d762c6943db2ce76dcd46653
Instruction Fuzzy Hash: D931F53260064552FB6BDBBB98513E92291AB9C7E4F644B1DBB6E872F5CF3CC8518200

Function 0000000140030FC4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000000140030FDA
_errno.LIBCMT ref: 000000014003101C

Strings

1, xrefs: 000000014003106C

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: _errno
String ID: 1
API String ID: 2918714741-2212294583
Opcode ID: 6dba4d4bcb50d708ffceed6cd493898a46a87885e995b7c8d979602477574829
Instruction ID: d4f3cefc0070eca2f65d3ab8b66debf35629a16231f522796388ca908a7ba1d9
Opcode Fuzzy Hash: 6dba4d4bcb50d708ffceed6cd493898a46a87885e995b7c8d979602477574829
Instruction Fuzzy Hash: B921D0322192C085FB6B8B2A84543EE6B90D79D7C4F98C025BB45476F3DBBE8981CB11

Function 0000000140022954 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000000140022972

Part of subcall function 0000000140021014: DecodePointer.KERNEL32 ref: 000000014002103B

_flush.LIBCMT ref: 00000001400229AB

Strings

, xrefs: 0000000140022A0B

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: DecodePointer_errno_flush
String ID:
API String ID: 1831910206-3916222277
Opcode ID: 58e9f3b7e7715a9be02fdd7f563f60ab92dac668dcb01a8ff8cbaf348f647b47
Instruction ID: cf1f297cf45de6d2d6c970c1681206909e6ca168388171b18e9e56c3afd55169
Opcode Fuzzy Hash: 58e9f3b7e7715a9be02fdd7f563f60ab92dac668dcb01a8ff8cbaf348f647b47
Instruction Fuzzy Hash: 2B21053270064046EB2ADB7AE8523FD32519B997E4F144719FB2A875F6CF39C9918640

Function 000000014001DF00 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 000000014001DFA6
SendMessageW.USER32 ref: 000000014001DFC4

Strings

0, xrefs: 000000014001DF8E

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: MessageSend
String ID: 0
API String ID: 3850602802-4108050209
Opcode ID: 68f6e42a8c29fa401cc30bd2daac788f884f4f9ab69d56ca03fd9850ed750627
Instruction ID: 242fec86f133bf537de08e773c1da2f6fc0fe8764822f96b167d6e82d927a5d6
Opcode Fuzzy Hash: 68f6e42a8c29fa401cc30bd2daac788f884f4f9ab69d56ca03fd9850ed750627
Instruction Fuzzy Hash: 13213B732097C48AE721DF52A45079BB7A0F798794F444229EF8907B5ACB7CD549CB04

Function 0000000140009E54 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58registrystringCOMMON

Download Yara Rule

APIs

CharNextW.USER32 ref: 0000000140009E8A
CharNextW.USER32 ref: 0000000140009EA9
VarUI4FromStr.OLEAUT32 ref: 0000000140009F18
RegSetValueExW.ADVAPI32 ref: 0000000140009F49
lstrlenW.KERNEL32 ref: 0000000140009F5E

Strings

0, xrefs: 0000000140009E81

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: CharNext$FromValuelstrlen
String ID: 0
API String ID: 3981755402-4108050209
Opcode ID: 4083ae89b29f2dbe9ae206ce8c776232c04bea53539bcf1e248f926375ae3098
Instruction ID: a6fe00fdf7bfb2eb6bd976289b900b36306ea6c5702ff168bf950d1dcbf7bf70
Opcode Fuzzy Hash: 4083ae89b29f2dbe9ae206ce8c776232c04bea53539bcf1e248f926375ae3098
Instruction Fuzzy Hash: 3F213DB260568082EA62DB56F0513EAA3A1F78D7D0F904012EF8A476B5EB78CD869741

Function 000000014002822C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMONLIBRARYCODE

Download Yara Rule

APIs

_getptd.LIBCMT ref: 0000000140028236
free.LIBCMT ref: 000000014002829B

Strings

%s %d, xrefs: 0000000140028231

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: _getptdfree
String ID: %s %d
API String ID: 4044852259-753429341
Opcode ID: 90e48572108a4f38e91f8695dfcb48f396574d5934127186aebd8417f5224337
Instruction ID: 3739a0e14d244473f29a25976e53e8efd908f60296dc86379c46532f26e059f4
Opcode Fuzzy Hash: 90e48572108a4f38e91f8695dfcb48f396574d5934127186aebd8417f5224337
Instruction Fuzzy Hash: 81111936212A40C6EAAADF62E8817ED62A5F78C7D0F484529FF5D037B5CF38C9588701

Function 0000000140020604 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

Part of subcall function 0000000140021158: RaiseException.KERNEL32 ref: 00000001400211D8

DeleteCriticalSection.KERNEL32 ref: 000000014002069D
free.LIBCMT ref: 00000001400206AC

Part of subcall function 00000001400233E0: HeapFree.KERNEL32 ref: 00000001400233F6
Part of subcall function 00000001400233E0: _errno.LIBCMT ref: 0000000140023400
Part of subcall function 00000001400233E0: GetLastError.KERNEL32 ref: 0000000140023408

Strings

invalid string position, xrefs: 0000000140020628, 0000000140020637

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: CriticalDeleteErrorExceptionFreeHeapLastRaiseSection_errnofree
String ID: invalid string position
API String ID: 547437092-1799206989
Opcode ID: 0cba4f1f962fed55e2b58f878475dcf3f0ace70d2c72b1e291a59797e092bd92
Instruction ID: 0023664ba09d2261e2383d60bbe5d67594f56881ec4712713e9a1038dee97d4b
Opcode Fuzzy Hash: 0cba4f1f962fed55e2b58f878475dcf3f0ace70d2c72b1e291a59797e092bd92
Instruction Fuzzy Hash: D5114F72515B8492EB22DB56E4503DA7360FBD93A8F800215B79847AF6DF7CC649C740

Function 0000000140001348 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

Part of subcall function 000000014000AF94: lstrlenW.KERNEL32 ref: 000000014000AFE2
Part of subcall function 000000014000AF94: lstrlenW.KERNEL32 ref: 000000014000B004

Part of subcall function 0000000140020E20: _errno.LIBCMT ref: 0000000140020E39

GetDlgItem.USER32 ref: 00000001400013BB
SetWindowTextW.USER32 ref: 00000001400013C9

Strings

%s %d, xrefs: 000000014000139E

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: lstrlen$ItemTextWindow_errno
String ID: %s %d
API String ID: 3108854270-753429341
Opcode ID: fcba73669d95c45c22eb4d18631bbdb9ed23e29b967e687e30ec166637de451a
Instruction ID: b14574355856d50c6019d81d62ac1753ccdbeb2dfd559e16726816a95d3458ba
Opcode Fuzzy Hash: fcba73669d95c45c22eb4d18631bbdb9ed23e29b967e687e30ec166637de451a
Instruction Fuzzy Hash: D01156B261474581EB22DB12F4553DA73A1F7CCB84F445115AF8D07666DF3CC595CB40

Function 00000001400370EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 0000000140021A60: _getptd.LIBCMT ref: 0000000140021A6D
Part of subcall function 0000000140021A60: _getptd.LIBCMT ref: 0000000140021A80

_getptd.LIBCMT ref: 0000000140037152
_getptd.LIBCMT ref: 0000000140037165

Strings

csm, xrefs: 0000000140037108

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: _getptd
String ID: csm
API String ID: 3186804695-1018135373
Opcode ID: c89808370be4779bf8eba8fb16748c5cf2d63891067de9cc4948c536e2f37f8d
Instruction ID: 5fff552ee0b7196016ec34b030aeacf05b02ae96fe461eb4794e80c3ab6938dc
Opcode Fuzzy Hash: c89808370be4779bf8eba8fb16748c5cf2d63891067de9cc4948c536e2f37f8d
Instruction Fuzzy Hash: 9B018C7310124089EB769F27C8807E923A4E799BD9F484139EB4D0B766CB30C9808741

Function 000000014000DAB4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26COMMON

Download Yara Rule

APIs

SHGetSpecialFolderPathW.SHELL32 ref: 000000014000DAF2
ShellExecuteW.SHELL32 ref: 000000014000DB17

Strings

open, xrefs: 000000014000DAFD

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: ExecuteFolderPathShellSpecial
String ID: open
API String ID: 2297481064-2758837156
Opcode ID: aac77193c12434ba908f0341fb382d8df1c8a33d12b65eff78404e4d98a9d7cf
Instruction ID: 09a4c799e54ae8846743d707ad9e4daab224f0e01f44b0b5193f1e9e0560c709
Opcode Fuzzy Hash: aac77193c12434ba908f0341fb382d8df1c8a33d12b65eff78404e4d98a9d7cf
Instruction Fuzzy Hash: 37F04F33624B4282FB619B12F0557DA73A0F7DC789F816015AA8E47A69DF3CC109CF40

Function 00000001400105C4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26timewindowCOMMON

Download Yara Rule

APIs

SetTimer.USER32 ref: 00000001400105EF
SendMessageW.USER32 ref: 0000000140010635

Strings

H, xrefs: 0000000140010620

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: MessageSendTimer
String ID: H
API String ID: 551239993-2852464175
Opcode ID: de54493971df98df63a3addbc0ab10aa80841982d822509f346d4eb89af35cac
Instruction ID: 9c8c0d8a088c1df08a879e5dd3a6e4f4258d9c07e5874a833c3e8553728e949f
Opcode Fuzzy Hash: de54493971df98df63a3addbc0ab10aa80841982d822509f346d4eb89af35cac
Instruction Fuzzy Hash: 67F04971214A9486E3628B16EC0079A33A4F38C788FA10125FB8D8BBB4CF7DC5158B04

Function 000000014001DBA0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 000000014001DBC2
LoadImageW.USER32 ref: 000000014001DBEC

Strings

shell32, xrefs: 000000014001DBBB

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: HandleImageLoadModule
String ID: shell32
API String ID: 2603579926-4179111565
Opcode ID: 5a9c988ae696ff1a728a7f7970dbe349491f966232117ac616c70a4f5c83bbf0
Instruction ID: 1ed1a2cd36a678e9b68ce72a787924a39e02254dc5ce3af31b948014160dbd50
Opcode Fuzzy Hash: 5a9c988ae696ff1a728a7f7970dbe349491f966232117ac616c70a4f5c83bbf0
Instruction Fuzzy Hash: 83F03076219B5082EB228B16F8803DA73A5BB9C7C9F645829EF4D07B74DB3DC4448700

Function 000000014000EC54 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32 ref: 000000014000EC5D
lstrcatW.KERNEL32 ref: 000000014000EC78

Strings

\, xrefs: 000000014000EC66

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: lstrcatlstrlen
String ID: \
API String ID: 1475610065-2967466578
Opcode ID: 2429d382ea8c48a5a2d273c1930597cd6d5ae4141fa66db3c5ae48037f9c214f
Instruction ID: 765a1461a4f0243c01c2eb15c101e916e1f20eac8cbd040a8389547057061e8e
Opcode Fuzzy Hash: 2429d382ea8c48a5a2d273c1930597cd6d5ae4141fa66db3c5ae48037f9c214f
Instruction Fuzzy Hash: 31D0A7B060070181EB279F63744979613F0AB0C7C6F0454549F020B230DF3840D9C740

Function 000000014000AAE0 Relevance: 5.2, APIs: 4, Instructions: 189stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32 ref: 000000014000AB10
lstrlenW.KERNEL32 ref: 000000014000AB2F
lstrlenW.KERNEL32 ref: 000000014000AB8C
lstrlenW.KERNEL32 ref: 000000014000AD15

Memory Dump Source

Source File: 00000000.00000002.1711139441.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1711125768.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711161665.0000000140038000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711175580.0000000140044000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711187858.0000000140045000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.000000014004F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711201769.0000000140068000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014006D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1711274962.000000014010E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_ZX7MDKtbfn.jbxd

Similarity

API ID: lstrlen
String ID:
API String ID: 1659193697-0
Opcode ID: bed1296294a2804ffbd15b655644283ddcd89ddde96b9d7b70a52f006021c23c
Instruction ID: 9d8152ff9b24ea88a251aeece93b0ce4a03cb19caeb67d52574beebca15dde09
Opcode Fuzzy Hash: bed1296294a2804ffbd15b655644283ddcd89ddde96b9d7b70a52f006021c23c
Instruction Fuzzy Hash: 31619072300A448AEF26DF26E8443EAB7E1F78DBC4F484526AF4A877A5DE3CC5458704

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ZX7MDKtbfn.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Vidar

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\e41a1be0

C:\Users\user\AppData\Local\Temp\tkqesalfwllvk

C:\Users\user\AppData\Roaming\NewFileTime\NewFileTime.ini

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Windows Analysis Report
ZX7MDKtbfn.exe

Function 0000000140004C0C Relevance: 35.1, APIs: 14, Strings: 6, Instructions: 98
libraryloaderCOMMON

Function 00000001400375E0 Relevance: 4.5, APIs: 3, Instructions: 17
timeCOMMON

Function 000000014000814C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 12
COMMON

Function 000000014000BEE8 Relevance: 30.3, APIs: 13, Strings: 4, Instructions: 513
stringCOMMON

Function 000000014000D650 Relevance: 26.5, APIs: 11, Strings: 4, Instructions: 287
windowstringCOMMON

Function 000000014001ED8C Relevance: 13.6, APIs: 9, Instructions: 71
COMMONLIBRARYCODE

Function 0000000140008818 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 28
windowregistryCOMMON

Function 0000000140023F2C Relevance: 7.6, APIs: 5, Instructions: 111
COMMON

Function 0000000140030B7B Relevance: 4.6, APIs: 3, Instructions: 146
memoryCOMMON

Function 0000000140030C24 Relevance: 4.6, APIs: 3, Instructions: 94
memoryCOMMON

Function 000000014000872C Relevance: 4.6, APIs: 3, Instructions: 71
COMMON

Function 0000000140016C01 Relevance: 4.6, APIs: 3, Instructions: 62
fileCOMMON

Function 0000000140018570 Relevance: 3.4, APIs: 2, Instructions: 447
memoryCOMMON

Function 0000000140030D94 Relevance: 3.1, APIs: 2, Instructions: 78
memoryCOMMON

Function 0000000140018DE8 Relevance: 3.1, APIs: 2, Instructions: 55
memoryCOMMON