Edit tour

Windows Analysis Report
kbdgc.exe

Overview

General Information

Sample name:	kbdgc.exe
Analysis ID:	1467148
MD5:	5025218d868f68c956a6bcb8f3c99007
SHA1:	84f0f59997a46562e837730335c304b719335ce9
SHA256:	ae8ada4be2d0844a57fcfcab82e65dd28613f4e9e802a14562c7f595115ee9bc
Tags:	exe
Infos:

Detection

Score:	27
Range:	0 - 100
Whitelisted:	false
Confidence:	20%

Signatures

AI detected suspicious sample

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

File is packed with WinRar

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

Found potential string decryption / allocating functions

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

kbdgc.exe (PID: 7600 cmdline: "C:\Users\user\Desktop\kbdgc.exe" MD5: 5025218D868F68C956A6BCB8F3C99007)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 86.2% probability

Source: kbdgc.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: kbdgc.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:

Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: kbdgc.exe

Source: C:\Users\user\Desktop\kbdgc.exe	Code function: 0_2_00B79F76 FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,		0_2_00B79F76
Source: C:\Users\user\Desktop\kbdgc.exe	Code function: 0_2_00B89D3B SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,		0_2_00B89D3B

Source: zwei.exe.0.dr	String found in binary or memory: http://192.168.30.6:8080/SSH/jsp/upload/upload.jsp
Source: zwei.exe.0.dr	String found in binary or memory: http://www.Jewsys.com
Source: zwei.exe.0.dr	String found in binary or memory: http://www.zwei.com__vbaFailedFriend

Source: C:\Users\user\Desktop\kbdgc.exe

Code function: 0_2_00B76DD8: __EH_prolog,_wcslen,_wcslen,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,

0_2_00B76DD8

Source: C:\Users\user\Desktop\kbdgc.exe	Code function: 0_2_00B780FA	0_2_00B780FA
Source: C:\Users\user\Desktop\kbdgc.exe	Code function: 0_2_00B854D8	0_2_00B854D8
Source: C:\Users\user\Desktop\kbdgc.exe	Code function: 0_2_00B8E08A	0_2_00B8E08A
Source: C:\Users\user\Desktop\kbdgc.exe	Code function: 0_2_00B7E8DD	0_2_00B7E8DD
Source: C:\Users\user\Desktop\kbdgc.exe	Code function: 0_2_00B7D828	0_2_00B7D828
Source: C:\Users\user\Desktop\kbdgc.exe	Code function: 0_2_00B73058	0_2_00B73058
Source: C:\Users\user\Desktop\kbdgc.exe	Code function: 0_2_00B8E99E	0_2_00B8E99E
Source: C:\Users\user\Desktop\kbdgc.exe	Code function: 0_2_00B8590D	0_2_00B8590D
Source: C:\Users\user\Desktop\kbdgc.exe	Code function: 0_2_00B8295B	0_2_00B8295B
Source: C:\Users\user\Desktop\kbdgc.exe	Code function: 0_2_00B7D22A	0_2_00B7D22A
Source: C:\Users\user\Desktop\kbdgc.exe	Code function: 0_2_00B8F208	0_2_00B8F208
Source: C:\Users\user\Desktop\kbdgc.exe	Code function: 0_2_00B9E244	0_2_00B9E244
Source: C:\Users\user\Desktop\kbdgc.exe	Code function: 0_2_00B92308	0_2_00B92308
Source: C:\Users\user\Desktop\kbdgc.exe	Code function: 0_2_00B84B09	0_2_00B84B09
Source: C:\Users\user\Desktop\kbdgc.exe	Code function: 0_2_00B82C8C	0_2_00B82C8C
Source: C:\Users\user\Desktop\kbdgc.exe	Code function: 0_2_00B7DC8B	0_2_00B7DC8B
Source: C:\Users\user\Desktop\kbdgc.exe	Code function: 0_2_00B99C3E	0_2_00B99C3E
Source: C:\Users\user\Desktop\kbdgc.exe	Code function: 0_2_00B75C39	0_2_00B75C39
Source: C:\Users\user\Desktop\kbdgc.exe	Code function: 0_2_00B8E586	0_2_00B8E586
Source: C:\Users\user\Desktop\kbdgc.exe	Code function: 0_2_00B725F5	0_2_00B725F5
Source: C:\Users\user\Desktop\kbdgc.exe	Code function: 0_2_00B8EDD3	0_2_00B8EDD3
Source: C:\Users\user\Desktop\kbdgc.exe	Code function: 0_2_00B73D3B	0_2_00B73D3B
Source: C:\Users\user\Desktop\kbdgc.exe	Code function: 0_2_00B7B686	0_2_00B7B686
Source: C:\Users\user\Desktop\kbdgc.exe	Code function: 0_2_00B826E0	0_2_00B826E0
Source: C:\Users\user\Desktop\kbdgc.exe	Code function: 0_2_00B7CE12	0_2_00B7CE12
Source: C:\Users\user\Desktop\kbdgc.exe	Code function: 0_2_00B99790	0_2_00B99790
Source: C:\Users\user\Desktop\kbdgc.exe	Code function: 0_2_00B85F46	0_2_00B85F46

Source: C:\Users\user\Desktop\kbdgc.exe	Code function: String function: 00B8C630 appears 53 times
Source: C:\Users\user\Desktop\kbdgc.exe	Code function: String function: 00B8CFB0 appears 31 times
Source: C:\Users\user\Desktop\kbdgc.exe	Code function: String function: 00B8C560 appears 36 times

Source: kbdgc.exe, 00000000.00000003.1674339680.0000000005F08000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: OriginalFilenamezwei.exe vs kbdgc.exe

Source: kbdgc.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: sus27.winEXE@1/17@0/0

Source: C:\Users\user\Desktop\kbdgc.exe

File created: C:\Users\user\Desktop\__tmp_rar_sfx_access_check_6376203

Jump to behavior

Source: C:\Users\user\Desktop\kbdgc.exe	Command line argument: sfxname	0_2_00B8B905
Source: C:\Users\user\Desktop\kbdgc.exe	Command line argument: sfxstime	0_2_00B8B905
Source: C:\Users\user\Desktop\kbdgc.exe	Command line argument: STARTDLG	0_2_00B8B905

Source: kbdgc.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\kbdgc.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\kbdgc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: zwei.exe.0.dr

Binary or memory string: select * from tbright with(nolock) where code ='frm_metalout' and empl_no =';

Source: C:\Users\user\Desktop\kbdgc.exe

File read: C:\Users\user\Desktop\kbdgc.exe

Jump to behavior

Source: C:\Users\user\Desktop\kbdgc.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\kbdgc.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\kbdgc.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\kbdgc.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\kbdgc.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\kbdgc.exe	Section loaded: <pi-ms-win-core-localization-l1-2-1.dll	Jump to behavior
Source: C:\Users\user\Desktop\kbdgc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\kbdgc.exe	Section loaded: dxgidebug.dll	Jump to behavior
Source: C:\Users\user\Desktop\kbdgc.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\kbdgc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\kbdgc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\kbdgc.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\kbdgc.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\kbdgc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\kbdgc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\kbdgc.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\kbdgc.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\kbdgc.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\kbdgc.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\kbdgc.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\kbdgc.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\kbdgc.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\kbdgc.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\kbdgc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\kbdgc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\kbdgc.exe	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Users\user\Desktop\kbdgc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: kbdgc.exe

Static file information: File size 6427166 > 1048576

Source: kbdgc.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: kbdgc.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: kbdgc.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: kbdgc.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: kbdgc.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: kbdgc.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: kbdgc.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: kbdgc.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: kbdgc.exe

Source: kbdgc.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: kbdgc.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: kbdgc.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: kbdgc.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: kbdgc.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\kbdgc.exe

File created: C:\Users\user\Desktop\__tmp_rar_sfx_access_check_6376203

Jump to behavior

Source: C:\Users\user\Desktop\kbdgc.exe	Code function: 0_2_00B8C560 push eax; ret		0_2_00B8C57E
Source: C:\Users\user\Desktop\kbdgc.exe	Code function: 0_2_00B8CFF6 push ecx; ret		0_2_00B8D009

Source: C:\Users\user\Desktop\kbdgc.exe

File created: C:\Users\user\Desktop\update\zwei.exe

Jump to dropped file

Source: C:\Users\user\Desktop\kbdgc.exe

Dropped PE file which has not been started: C:\Users\user\Desktop\update\zwei.exe

Jump to dropped file

Source: C:\Users\user\Desktop\kbdgc.exe

Evasive API call chain: GetLocalTime,DecisionNodes

graph_0-21900

Source: C:\Users\user\Desktop\kbdgc.exe	Code function: 0_2_00B79F76 FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,		0_2_00B79F76
Source: C:\Users\user\Desktop\kbdgc.exe	Code function: 0_2_00B89D3B SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,		0_2_00B89D3B

Source: C:\Users\user\Desktop\kbdgc.exe

Code function: 0_2_00B8C07D VirtualQuery,GetSystemInfo,

0_2_00B8C07D

Source: C:\Users\user\Desktop\kbdgc.exe

API call chain: ExitProcess graph end node

graph_0-22042

Source: C:\Users\user\Desktop\kbdgc.exe

Code function: 0_2_00B8D1B5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00B8D1B5

Source: C:\Users\user\Desktop\kbdgc.exe

Code function: 0_2_00B94444 mov eax, dword ptr fs:[00000030h]

0_2_00B94444

Source: C:\Users\user\Desktop\kbdgc.exe

Code function: 0_2_00B98382 GetProcessHeap,

0_2_00B98382

Source: C:\Users\user\Desktop\kbdgc.exe	Code function: 0_2_00B8D1B5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00B8D1B5
Source: C:\Users\user\Desktop\kbdgc.exe	Code function: 0_2_00B8D303 SetUnhandledExceptionFilter,	0_2_00B8D303
Source: C:\Users\user\Desktop\kbdgc.exe	Code function: 0_2_00B8D4BB SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00B8D4BB
Source: C:\Users\user\Desktop\kbdgc.exe	Code function: 0_2_00B9552C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00B9552C

Source: C:\Users\user\Desktop\kbdgc.exe

Code function: 0_2_00B8D00B cpuid

0_2_00B8D00B

Source: C:\Users\user\Desktop\kbdgc.exe

Code function: GetLocaleInfoW,GetNumberFormatW,

0_2_00B88C23

Source: C:\Users\user\Desktop\kbdgc.exe

Code function: 0_2_00B8B905 OleInitialize,GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,LoadBitmapW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,DeleteObject,CloseHandle,OleUninitialize,

0_2_00B8B905

Source: C:\Users\user\Desktop\kbdgc.exe

Code function: 0_2_00B7A5E3 GetVersionExW,

0_2_00B7A5E3

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 DLL Side-Loading	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Deobfuscate/Decode Files or Information	LSASS Memory	2 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Software Packing	NTDS	24 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

⊘No Antivirus matches

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://192.168.30.6:8080/SSH/jsp/upload/upload.jsp	0%	Avira URL Cloud	safe
http://www.zwei.com__vbaFailedFriend	0%	Avira URL Cloud	safe
http://www.Jewsys.com	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.zwei.com__vbaFailedFriend	zwei.exe.0.dr	false	Avira URL Cloud: safe	unknown
http://www.Jewsys.com	zwei.exe.0.dr	false	Avira URL Cloud: safe	unknown
http://192.168.30.6:8080/SSH/jsp/upload/upload.jsp	zwei.exe.0.dr	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1467148
Start date and time:	2024-07-03 18:54:05 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 46s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	1
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	kbdgc.exe
Detection:	SUS
Classification:	sus27.winEXE@1/17@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 72 Number of non-executed functions: 86
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

VT rate limit hit for: kbdgc.exe

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\Desktop\update\INSALEEXIST_TEMP.rpt

Download File

Process:	C:\Users\user\Desktop\kbdgc.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.1, Code page: 936, Revision Number: 74, Total Editing Time: 1d+15:47:03, Last Saved Time/Date: Fri Jun 7 10:58:20 2024, Create Time/Date: Wed Jul 24 13:49:08 2013, Number of Pages: 1, Number of Words: 0, Number of Characters: 0, Name of Creating Application: Crystal
Category:	dropped
Size (bytes):	20992
Entropy (8bit):	7.317925520512782
Encrypted:	false
SSDEEP:	384:lzzN+du/iRjWD6KdIX84HyUM+QqVO3rFLqXzUflNFOKFT1T7tTSr:xUMUiD6K6X84HyJ/35LqjUflJ5tTE
MD5:	EC4AC33729E7AE3E2DD811D9D2C7E12E
SHA1:	51DD666551138996F9883313E904AD103FC0DFD9
SHA-256:	F587B7042132D3E94274422812DED7775B749A563E02EC91378BD494F149B08B
SHA-512:	B1FBAD8CF21BAECD012F34F35880D75BA891B4263C96871EC5E98BDFE7BC9EA8D9809C7BBC1E8845110A03B9320FCFA3943159560D0E9BABE36C1E16F39760A9
Malicious:	false
Reputation:	low
Preview:	......................>.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................S.u.b.d.o.c.u.m.e.n.t. .1..............................................................................9....pr.9................C.o.n.t.e.n.t.s.....................................................................................................@...:.......Q.E.S.e.s.s.i.o.n...................................................................................................$...........S.u.b.d.o.c.u.m.e.n.t. .2............................................................................\.9

C:\Users\user\Desktop\update\INSALEEXIST_TMP.rpt

Download File

Process:	C:\Users\user\Desktop\kbdgc.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 936, Revision Number: 87, Total Editing Time: 03:46:56, Last Saved Time/Date: Mon Jul 1 04:55:50 2024, Create Time/Date: Wed Apr 11 10:39:29 2018, Number of Pages: 1, Number of Words: 0, Number of Characters: 0, Name of Creating Application: Crystal
Category:	dropped
Size (bytes):	16896
Entropy (8bit):	7.257528123852287
Encrypted:	false
SSDEEP:	384:QaHVlEz4VGlgccKENhtKeLCQMkh+A9Q90HnI/7:QElnICccKENhtKeLCQMG+CQ8+7
MD5:	9A90B2AC6AB4D0C35D9A55B5BA699464
SHA1:	6C73AC92D1994AEAF0AFD3450C55DA204B53B2B7
SHA-256:	29ECDE4F562E0176F0FF6C6C6E8F7DFC1222A35C3D3BC5290E987C67E130FB3C
SHA-512:	FC82DAF986BB807A5D65371EB4A7991C79F7CD0179415E0B36570E5F0DF20537AF99D136EA88CE0434B8E505381CED3EC6FCE813CD4AF9B0D2EF51B76F8045EE
Malicious:	false
Reputation:	low
Preview:	......................>........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................O.J=.8vK.P..8......\.]J..gC.~.#z..dH..U..@...$..E..\|...6Im......I...$.....:.....J"..E@..D.Q.m..@.jB+...M.?.<(.n..Z`.~.@..x..T..l..c......!.5n.....<.o.pS.87P...;....J..~B.+..a..Ib..rT\|....cE..DmX(#..M .4............Fi..A..v..........h.;.>4U.m..#.m...k.E...Pw........~.......#/N=I...z..P...3d..m<.I...!...]Y...V...h...r..zl....}a..B....r0..)A..h..!)=.tY.[..9$J...(.....\..'W..F~..8.g.j.x.>..o.F..%Fk.5h.7.....P.).s..]lf.8......K......n4..

C:\Users\user\Desktop\update\Monsec_Thwx.rpt

Download File

Process:	C:\Users\user\Desktop\kbdgc.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.1, Code page: 936, Revision Number: 47, Total Editing Time: 1d+09:27:40, Last Saved Time/Date: Thu Jun 27 07:58:55 2024, Create Time/Date: Sat Jan 23 07:53:15 2021, Number of Pages: 1, Number of Words: 0, Number of Characters: 0, Name of Creating Application: Crystal
Category:	dropped
Size (bytes):	27136
Entropy (8bit):	7.4794390494515905
Encrypted:	false
SSDEEP:	768:decBsMWg1dsp927OSmtOiZPF3N0Kbcxgs:ccB2gDspw7OzhTqSs
MD5:	F5960AAF6CFCA05F6F529AE4ADD63719
SHA1:	C53FB97CFAAD02C5B0165F4594C778026FFAF66B
SHA-256:	1CD65580C695A7B93E4F83AAF80A7EE5EF74CD11681874B5705DFF8DA493F839
SHA-512:	EA9100FF8AAFC18180730503B7B0F64CADA6C4C3959687C9D13A7CCC325F579A14E37E4CF7C16E851066E425FE5E5AA95C8290342567B09A1757427A44D54DA0
Malicious:	false
Reputation:	low
Preview:	......................>....................... ...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.e.p.o.r.t.I.n.f.o.................................................................................................{...:...............................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\update\Monsec_sum.rpt

Download File

Process:	C:\Users\user\Desktop\kbdgc.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.1, Code page: 936, Revision Number: 43, Total Editing Time: 1d+05:46:38, Last Saved Time/Date: Mon Jul 1 10:30:27 2024, Create Time/Date: Sat Jan 23 07:53:15 2021, Number of Pages: 1, Number of Words: 0, Number of Characters: 0, Name of Creating Application: Crystal
Category:	dropped
Size (bytes):	115712
Entropy (8bit):	7.836027423647195
Encrypted:	false
SSDEEP:	3072:QMV00ilmQeHCE4Xs0gM6yEHPJzZ5JsFa08xHFj1:bzfQOCs9yUPJd7jxh
MD5:	51EDC791CCAFE1141F2D36AE275064DB
SHA1:	446CAC76FED174C0B5D40BAB5208F786B40299FB
SHA-256:	B5EA5ECBCF8A17D071FD6DF794FE796F271E3EBB079C6100A078D1B90E54B923
SHA-512:	C89A039F9C3998AC4C7302A92558EE58A2C43EE43AC10AAE8437A7451941423D3A6BD0399C992C3AB27074E23DEE9A3C3342BF41FB7F583EAAAB7125AE4FD90C
Malicious:	false
Reputation:	low
Preview:	......................>.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................-......0..Hm..h1.....w.zW...S.n.H......l_..\|w..T..l.g...m....i....8s.`....U.[..E.S..m. \yL.F...-.).C..q%..Kl...`.AC..2T...uhh..(L.{~c...0.N....\.g..jp6............0..Qz.N.KH.o...[l.v.&.5.2...7...z.'.....[c.l;..g>... ..Gi._..<...}..<.T..Y..f.t..~z..yI...l.jl7D.z.........@..0a..].A...yt.m..p.S.L!;q..q.L./.d....Iw....X^`X....$.X.N..m...\....I.\.Y.....2go..^u.x...i........)...'...;#..N.....~w..TF.......YZ...`[..;S..T.../C6...l.Ak....K.bm.EFv

C:\Users\user\Desktop\update\Monsec_sumOne.rpt

Download File

Process:	C:\Users\user\Desktop\kbdgc.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.1, Code page: 936, Revision Number: 31, Total Editing Time: 16:53:47, Last Saved Time/Date: Wed Apr 24 10:20:54 2024, Create Time/Date: Sat Jan 23 07:53:15 2021, Number of Pages: 1, Number of Words: 0, Number of Characters: 0, Name of Creating Application: Crystal
Category:	dropped
Size (bytes):	99328
Entropy (8bit):	7.838054823011136
Encrypted:	false
SSDEEP:	3072:P9PCV00ilmQeHCE4Xs0gM6yEHPJzZIK7yo2:hkzfQOCs9yUPJdT7x
MD5:	1B39F6E81667D02369AA7D7B0FC30852
SHA1:	F930B0FFA1DCB8A202B20A322EEC20D5F89D6882
SHA-256:	C68FB9AFA03F43A0F95465B6378F3D75CED4804DB06E3C2F8F6202CEFC93F480
SHA-512:	8747720ACC3A7256041BC611E8C4CB2427E29FD12AD8FBE5BB5F3A64063DAA494B4B0498CAB56EC2E623FCF1BAFCCA75C928F08E40FB47E9F32AA6DA36779ECD
Malicious:	false
Reputation:	low
Preview:	......................>.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.e.p.o.r.t.I.n.f.o.....................................................................................................:...............................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\update\SaleDtl1.rpt

Download File

Process:	C:\Users\user\Desktop\kbdgc.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 4.0, Code page: 1252, Revision Number: 136, Total Editing Time: 4d+06:57:45, Last Printed: Wed Dec 16 12:39:40 2020, Last Saved Time/Date: Wed Jul 3 06:46:47 2024, Create Time/Date: Thu Aug 8 04:21:38 2002, Number of Pages: 1, Number of Words: 0, Number of Characters: 0, Name of Creating Application: Seagate Crystal Reports
Category:	dropped
Size (bytes):	34304
Entropy (8bit):	7.5546645391024905
Encrypted:	false
SSDEEP:	768:eWHAjg1dsp9v/1Jpr+f0OowQvJzAmzZqtnwwHFs4:vagDspJRbOKvtv8Fs4
MD5:	D5C8195621D6A6CE85D8E3DFE2FEB54E
SHA1:	28F73F26381512B14204952D606C85325A23C7E1
SHA-256:	247640B4E27177B98176C482DEFB44AA1817704C681916B2F2C5723806E8E4FD
SHA-512:	4BF88E07F88441C2CC1A95D0C329BDB848D3509E0401A6EEDF9E0C4194DB81A222A90F1960D5C349E86986EEAF84088E288127AE11D1944898CDABD1DCBC159D
Malicious:	false
Reputation:	low
Preview:	......................>.......................#...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.e.p.o.r.t.I.n.f.o.................................................................................................P...:...............................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\update\SaleDtl2.rpt

Download File

Process:	C:\Users\user\Desktop\kbdgc.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 4.0, Code page: 1252, Revision Number: 136, Total Editing Time: 4d+03:46:27, Last Printed: Wed Dec 16 12:39:40 2020, Last Saved Time/Date: Wed Jul 3 04:57:48 2024, Create Time/Date: Thu Aug 8 04:21:38 2002, Number of Pages: 1, Number of Words: 0, Number of Characters: 0, Name of Creating Application: Seagate Crystal Reports
Category:	dropped
Size (bytes):	37376
Entropy (8bit):	7.668599184207851
Encrypted:	false
SSDEEP:	768:wBvDKLrfI5daeg1dsp9RNi0F4Vwg3xDDu1z7gRV4YYe:qorQ5PgDspzNT05Du1zxYY
MD5:	38797A5508B282594EF8AD42A444B199
SHA1:	C8B69B7CBA4BAB684F60F26D4249997E83B89B32
SHA-256:	1CF1FF95752A37E7E8234D96D4BCB3B65E7CA9173BCF8B6958941E5FAB2F5745
SHA-512:	32133AB1F07FDB490EDF573D7EAFEECF64CD93ED26FA213DC3368000C955E249F99B46D49AFA9F1D2EBAC37A5A76A4F545FCAC58E791CC28F42635209F47B35C
Malicious:	false
Reputation:	low
Preview:	......................>.......................$...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.e.p.o.r.t.I.n.f.o.................................................................................................P...:...............................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\update\SaleDtl3.rpt

Download File

Process:	C:\Users\user\Desktop\kbdgc.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 4.0, Code page: 1252, Revision Number: 139, Total Editing Time: 4d+02:56:30, Last Printed: Wed Dec 16 12:39:40 2020, Last Saved Time/Date: Tue Jul 2 04:08:23 2024, Create Time/Date: Thu Aug 8 04:21:38 2002, Number of Pages: 1, Number of Words: 0, Number of Characters: 0, Name of Creating Application: Seagate Crystal Reports
Category:	dropped
Size (bytes):	43520
Entropy (8bit):	7.681040219592289
Encrypted:	false
SSDEEP:	768:WXM1VYd0g1dsp9GWr1WTlDDSH+4IzaNYqPd3Ww80gXmVVr/xxQ:TYGgDsp/KocaNV3WX0gsT
MD5:	0E7BD770F1186ADBAC0245DA8B7AA01B
SHA1:	37ADA604765EF7D58E02757E698D859EEEAF8A58
SHA-256:	4472D2FABC61A9C12652D05E80143446247A891879A8C2CAE0B8C33CE29A74B4
SHA-512:	0840BC1D227B953BFCB10AAC30BB96DE1E69554A7EAF95B3331A3EE153972C1195FCD6A8A167E0FBB598FF019F33D05A578590E0EEFE7DB5F5B3A40AF8DBE70E
Malicious:	false
Reputation:	low
Preview:	......................>.......................-...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................J.U.>.....=...0I.6.o.....Z.._..........\.!G....4. ..)....k..:Z.@..X.<C:.6."G....p%.e.........g..Q??\e.D.'.A..P........=)v...: J.;u........$........Z..6N......Iw>..6!.v.29f'A..q0..vz.4L..w.#.[}.wK...It(.c..@.)&..@>.3.......X.Ga..l..F...\s..'.....j.3.B.@t?^.='...r?x.....c.C-...C.y.......B. .H.._ ....NU..=....x.&....9..yeq....:.+..BXy...+.-&V.8.*hV..........PH....... ......z...U-....F.b02.i2.HD.l...A...G.X{..d.~YB..+Rn..2a.y.SV8EqU....V.......^rV

C:\Users\user\Desktop\update\SaleDtl_sum.rpt

Download File

Process:	C:\Users\user\Desktop\kbdgc.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 4.0, Code page: 1252, Revision Number: 130, Total Editing Time: 4d+02:19:19, Last Printed: Wed Dec 16 12:39:40 2020, Last Saved Time/Date: Tue Jul 2 04:08:36 2024, Create Time/Date: Thu Aug 8 04:21:38 2002, Number of Pages: 1, Number of Words: 0, Number of Characters: 0, Name of Creating Application: Seagate Crystal Reports
Category:	dropped
Size (bytes):	33792
Entropy (8bit):	7.562436424578068
Encrypted:	false
SSDEEP:	384:qmkSf6lUVlWdEQl2AxMaiJ3sp1Xx7bNupoAXKZunujB/7l7cSz7ulSUeaFvCaFsW:lkdlUog1dsp9FgpjXsjBZ8S4vWW
MD5:	9EFAB31B11B25334F1D4A5D914E736BA
SHA1:	28CAF6139123E86CFDF6AF1E29BFEEC41C83E546
SHA-256:	F5103002B65A1712D877F8B9BF4C1CA9FA14ECAA9E5259EB1CCDB4DAE00EE1C5
SHA-512:	4FE57D75C0B7BECC9153F5A90D53C479463772994A74CF6E0407C41724AAF599E4CDDDE26AAA75246C207DDADBB66E6C6E39BB7C7B7D964C6B810B01C7AFA8AA
Malicious:	false
Reputation:	low
Preview:	......................>.......................!...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.e.p.o.r.t.I.n.f.o.................................................................................................=...:...............................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\update\daybalprc_dtl.rpt

Download File

Process:	C:\Users\user\Desktop\kbdgc.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.1, Code page: 936, Revision Number: 11, Total Editing Time: 05:01:39, Last Saved Time/Date: Fri Jun 7 06:56:27 2024, Create Time/Date: Thu Dec 27 07:22:14 2012, Number of Pages: 1, Number of Words: 0, Number of Characters: 0, Name of Creating Application: Crystal
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	7.288773304398094
Encrypted:	false
SSDEEP:	384:9SgjRvdgLDeGaQ5BkZIJHZGeyec6zWlYcU7WwydHKy7Yl9n4W3ptGUU2AK45dOIS:9BtCXcZepyec6zWDUlS7YlyYFUBKzI
MD5:	BC3FD89CA077D5ED0D92A2EA95FA28F1
SHA1:	F9F5B1739CB4E9427AA11B33BFA47DC0615B566D
SHA-256:	FB63CD260043C958980F2B4C5057D5EF726ABE259A8DCAA4C2D2D7E1D9C3C7A2
SHA-512:	EC06B87BEB4F5EA3BE31323873D5701CC888868F5D928258771728E250AC632C96BE3D93130253F8389A8D46D288FB95C4552ECADE61B18574463A125E408E98
Malicious:	false
Reputation:	low
Preview:	......................>......................./...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................S.u.b.d.o.c.u.m.e.n.t. .1..............................................................................o....05.o................C.o.n.t.e.n.t.s.....................................................................................................=...........Q.E.S.e.s.s.i.o.n..................................................................................................."...........S.u.b.d.o.c.u.m.e.n.t. .2..............................................................................o

C:\Users\user\Desktop\update\daysale_dtl.rpt

Download File

Process:	C:\Users\user\Desktop\kbdgc.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.1, Code page: 936, Revision Number: 29, Total Editing Time: 01:34:29, Last Saved Time/Date: Thu Jun 6 07:06:05 2024, Create Time/Date: Thu Dec 27 07:22:14 2012, Number of Pages: 1, Number of Words: 0, Number of Characters: 0, Name of Creating Application: Crystal
Category:	dropped
Size (bytes):	8704
Entropy (8bit):	6.451885016786889
Encrypted:	false
SSDEEP:	192:3knKQ0AvH0CDBS547sYuVkyNyX/aWLvB2oYI:UK5A/Jo0yVlOVvMoY
MD5:	6DCCCBECA34C119EB39036AFF0928EC8
SHA1:	6FFC0B7A455CE38089B03E58216623CC3506E014
SHA-256:	DDDA0A65A2DA99ABCB104BEE42F069D71D50F95776C4DCFF0B0506F40171E3E7
SHA-512:	CBBAA1AC30B7D0C4D64AED884DDA40809BD4914821DA7465790E57D2FC1D02FD47631284659E392412F1D7DEAB69CA435238E8A6C4C31F0BC6FEE4DF746D500E
Malicious:	false
Reputation:	low
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\update\daysale_dtl2.rpt

Download File

Process:	C:\Users\user\Desktop\kbdgc.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.1, Code page: 936, Revision Number: 34, Total Editing Time: 01:42:48, Last Saved Time/Date: Thu Jun 6 07:44:12 2024, Create Time/Date: Thu Dec 27 07:22:14 2012, Number of Pages: 1, Number of Words: 0, Number of Characters: 0, Name of Creating Application: Crystal
Category:	dropped
Size (bytes):	8704
Entropy (8bit):	6.425411330574039
Encrypted:	false
SSDEEP:	96:JTjyU2aozoboSEOg9UOh7sbRqz1Q0SgIeGXqlyAVy2emDrod0alqG+bCMVJcST+P:RUkoFOZOh75EgIeGYVgwcd0aqlVun
MD5:	61C996537672E56B3895D38793FEF51E
SHA1:	C48C8B05E18208C4E58CD997B26E9824D45D62BF
SHA-256:	3EC08A5424B1C2CD958D2FCBC3CF37EBD43941540651D907F00C16306ABDFCC7
SHA-512:	5A2281A69A6EA59D87CC8B690A0DC56A0CD602A226B050597DCD6C9EF3463EBE07B949142F4671022F04D78B0C57A8087977E68B99092527711B6815608E3913
Malicious:	false
Reputation:	low
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\update\metalin.rpt

Download File

Process:	C:\Users\user\Desktop\kbdgc.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.0, Code page: 936, Revision Number: 82, Total Editing Time: 03:58:18, Last Saved Time/Date: Wed Jul 3 04:02:28 2024, Create Time/Date: Tue Dec 13 14:17:25 2005, Number of Pages: 1, Number of Words: 0, Number of Characters: 0, Name of Creating Application: Crystal
Category:	dropped
Size (bytes):	13824
Entropy (8bit):	7.015833199595925
Encrypted:	false
SSDEEP:	384:wNHebIs5sg/ErTzf7T+dwxkbGfvBqmmjLw:jbX5v/ITzYwxi8vB7
MD5:	E8A04303C9F5D3FF634AAF3AF17C16A3
SHA1:	17C7A9D0698B022EE1CA93BD8BFDCF07EB49EFAA
SHA-256:	9AA744B900703F545830104E1E5FF8FCC5FD2F45BE6F1AE37CC7D6EBDB67E34C
SHA-512:	E842A7C5BDAACAC3F45112EE3653684DC3442D66B59849F82630F167E1F6C11F278306EC457AE1A7249DE9E4DEE6FC925B6F08CB92708437805D26734FC7C6C9
Malicious:	false
Reputation:	low
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\update\metalout.rpt

Download File

Process:	C:\Users\user\Desktop\kbdgc.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.0, Code page: 936, Revision Number: 65, Total Editing Time: 01:13:11, Last Saved Time/Date: Wed Jul 3 04:02:12 2024, Create Time/Date: Tue Dec 13 14:17:25 2005, Number of Pages: 1, Number of Words: 0, Number of Characters: 0, Name of Creating Application: Crystal
Category:	dropped
Size (bytes):	12800
Entropy (8bit):	6.9842017501205955
Encrypted:	false
SSDEEP:	192:eJaaYWfkTm1km9VjPpFAylMlpMtOQBB2sFIuZyZwJLdmtLOc:SaaFe6zAyqluD2SrZkwJp
MD5:	218DA672087A986EF7DAC94A4B5E665B
SHA1:	F83AF3EAB9303AFA49CC37FB1429183B419A3BE4
SHA-256:	FA61C479C6B8BF91A47964C64F02AC7F49F51FD04BE8235DF8A81C3D9DB95950
SHA-512:	2E57226275866731F14CBA5C3A4CADB68C9AE6D3F5F8F07B9451A51570117263459ECA1445967CEAC16C0FEE80A7F5C97AF7C904985CD1DC29E95E3550ADF347
Malicious:	false
Reputation:	low
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\update\suppaymtl_total.rpt

Download File

Process:	C:\Users\user\Desktop\kbdgc.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.1, Code page: 936, Revision Number: 11, Total Editing Time: 05:16:08, Last Saved Time/Date: Fri Jun 7 08:17:48 2024, Create Time/Date: Thu Dec 27 07:22:14 2012, Number of Pages: 1, Number of Words: 0, Number of Characters: 0, Name of Creating Application: Crystal
Category:	dropped
Size (bytes):	8704
Entropy (8bit):	6.325257751897019
Encrypted:	false
SSDEEP:	96:zIjyUfapzogM8zMmfKodTFECKFQcJO1Oj35l0Q8tQh8ZriIxz0sfoo:c9uM8zZfKoYC2nO1OYQ+QWrJxz0I
MD5:	6C73C30AF9548F1AC5ADECEB15B279FA
SHA1:	655E0F25F5FD5E229C0C9B86AF186E14116EC681
SHA-256:	DE547EB36BD293CAD5E227772CCE7E804184AB1F87235B3239C3638426B1A138
SHA-512:	00A372842405E76247D3CE10063CCDE4E246ED48893957CC5F04199A000C93FDFFEAFD0FC24CFEC6D26BFE4133050BA25184EB826DA12474F65596FBA25F4C5E
Malicious:	false
Reputation:	low
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\update\zjz_dtl.rpt

Download File

Process:	C:\Users\user\Desktop\kbdgc.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.1, Code page: 936, Revision Number: 39, Total Editing Time: 01:48:57, Last Saved Time/Date: Thu Jun 6 10:07:39 2024, Create Time/Date: Thu Dec 27 07:22:14 2012, Number of Pages: 1, Number of Words: 0, Number of Characters: 0, Name of Creating Application: Crystal
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	6.500774482657499
Encrypted:	false
SSDEEP:	96:ALFyUmaxzop6bdQVtNkRtV4yhwZ1MuQ0f837ACLlY5pVG5poQDBZ7uQooA:MWD65Q9kRtVphoM7x25pqpoPo
MD5:	9A6A2DF9EB24983122E0B06EFF4CFF57
SHA1:	E9459C7267C245EEB6AF2A866DEC8FB204E215F6
SHA-256:	8D9E6F8242B9D93518DC7945B42950EC96595BBC0984324188566A7B5D4C82C9
SHA-512:	87C240069CCF15A56AD0B5FD5F2287171BBC815F2A233C24EE7A103AFD706CDEEADF6B3AF28D1BBC42FD1D8C62681E628B3402AA9AD480FDB353C046F82E77E4
Malicious:	false
Reputation:	low
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\update\zwei.exe

Download File

Process:	C:\Users\user\Desktop\kbdgc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	50991104
Entropy (8bit):	5.545741590574733
Encrypted:	false
SSDEEP:	1572864:h3P5aFLI10JhKvkgVKJ2SUmzNCW+ke2gMNx3Smco1Ow+CiLebfraeEGQ8m+V9n3X:2wmkWiaj
MD5:	AA54788F8FF9F9D50FA3804069F148CB
SHA1:	85BF40F886EE19D1B7C18B320676C58E0FC4D623
SHA-256:	B930CFA7A81E07DA6A98A126C6D45560DF027C86B8C6716B9672ABD421C70077
SHA-512:	F6E2EB609F95946776165D35106D02E2FA8C1D0B9F7065B6A88DDCEB842482C3FFAE833891953706FFE7CCABA04E01B8913B3EB8643E424BC1D9633CE49C0BED
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........`.........................y...........Rich....................PE..L....^.f..........................................@..........................`......p8......................................4...(.... ...<..................................................................0... ....................................text...X........................... ..`.data...@\..........................@....rsrc....<... ...@..................@..@..^............MSVBVM60.DLL............................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.99198950173466
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	kbdgc.exe
File size:	6'427'166 bytes
MD5:	5025218d868f68c956a6bcb8f3c99007
SHA1:	84f0f59997a46562e837730335c304b719335ce9
SHA256:	ae8ada4be2d0844a57fcfcab82e65dd28613f4e9e802a14562c7f595115ee9bc
SHA512:	a79e4f0cc275857fdec42e68bf59e8d12c324bd948386b9cc3391ea74b9aa5906aea1f9a471c63980c5f11ddaa0ac374476fd21f285e8af1887c31a671486dd8
SSDEEP:	98304:zJpnERJapCZgZ4WUJ7X7KxKxUDxUk6ef5cUtlQbEgUyLeU7wi0:lloopCZsQJz7K36U5vQZ4Uki0
TLSH:	49563305FFC20D33EAB25436DE1A5F54A63C7A644D12C76F97E00DA5FE322E196288B1
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........1..`_Z.`_Z.`_Z...Z.`_Z...Z1`_Z...Z.`_Z.>\[.`_Z.>[[.`_Z.>Z[.`_Z...Z.`_Z...Z.`_Z.`^Z@`_Z->Z[.`_Z->_[.`_Z(>.Z.`_Z->][.`_ZRich.`_

File Icon


Icon Hash:	2775250905472797

Static PE Info

General

Entrypoint:	0x41cec9
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x598DB6FE [Fri Aug 11 13:54:06 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	027ea80e8125c6dda271246922d4c3b0

Entrypoint Preview

Instruction
call 00007FB824E3C44Fh
jmp 00007FB824E3BE53h
cmp ecx, dword ptr [0043A1B8h]
jne 00007FB824E3BFC5h
ret
jmp 00007FB824E3C5C5h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 00430F60h
mov dword ptr [ecx], 00431904h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FB824E2F9E1h
mov dword ptr [esi], 00431910h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 00431918h
mov dword ptr [ecx], 00431910h
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 004318F8h
push eax
call 00007FB824E3F158h
test byte ptr [ebp+08h], 00000001h
pop ecx
je 00007FB824E3BFCCh
push 0000000Ch
push esi
call 00007FB824E3B5C4h
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007FB824E3BF3Fh
push 00437AECh
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007FB824E3E857h
int3
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007FB824E3BF55h
push 00437D1Ch
lea eax, dword ptr [ebp-0Ch]
push eax

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[C++] VS2015 UPD3.1 build 24215
[EXP] VS2015 UPD3.1 build 24215
[RES] VS2015 UPD3 build 24213
[LNK] VS2015 UPD3.1 build 24215

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x38c40	0x34	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x38c74	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x5b000	0x39c4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x5f000	0x1f58	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x36e50	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x31898	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x30000	0x21c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x381c4	0x120	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2e1cb	0x2e200	5c7b428a0e89ea47b4077685a6b368f9	False	0.5913416751355014	data	6.694270808561643	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x30000	0x98a0	0x9a00	93fd19be3a021a1128e7caf2a14b8416	False	0.45680296266233766	COM executable for DOS	5.121063891730476	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3a000	0x1f290	0xc00	74d4929d26aa823ed75bb2f4ae8c5198	False	0.2809244791666667	data	3.237186720912972	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.gfids	0x5a000	0xe8	0x200	5cfc4d481aa83c2fc6ce55ddf06fb8cf	False	0.337890625	data	2.0550667973769086	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x5b000	0x39c4	0x3a00	3ab7d834d0baf7f50b7283fae81c49b7	False	0.4030845905172414	data	5.363611359089126	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x5f000	0x1f58	0x2000	9caffe0a7af61f18e5154f80560d2242	False	0.7845458984375	data	6.622969932482304	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_BITMAP	0x5b57c	0xbb6	Device independent bitmap graphic, 93 x 302 x 4, 2 compression, image size 2894, resolution 2835 x 2835 px/m	Chinese	China	0.2581721147431621
RT_ICON	0x5c134	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	Chinese	China	0.6047297297297297
RT_ICON	0x5c25c	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 320	Chinese	China	0.4703757225433526
RT_ICON	0x5c7c4	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	Chinese	China	0.4986559139784946
RT_ICON	0x5caac	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1152	Chinese	China	0.4444945848375451
RT_DIALOG	0x5d354	0x176	data	Chinese	China	0.6898395721925134
RT_DIALOG	0x5d4cc	0xd6	data	Chinese	China	0.6962616822429907
RT_DIALOG	0x5d5a4	0xba	data	Chinese	China	0.7204301075268817
RT_DIALOG	0x5d660	0x102	data	Chinese	China	0.6201550387596899
RT_DIALOG	0x5d764	0x286	data	Chinese	China	0.4953560371517028
RT_DIALOG	0x5d9ec	0x1ce	data	Chinese	China	0.6645021645021645
RT_STRING	0x5dbbc	0xb6	data	Chinese	China	0.7472527472527473
RT_STRING	0x5dc74	0xd6	data	Chinese	China	0.6962616822429907
RT_STRING	0x5dd4c	0xca	data	Chinese	China	0.7920792079207921
RT_STRING	0x5de18	0x76	data	Chinese	China	0.9152542372881356
RT_STRING	0x5de90	0x282	data	Chinese	China	0.6417445482866043
RT_STRING	0x5e114	0x94	data	Chinese	China	0.777027027027027
RT_STRING	0x5e1a8	0x78	data	Chinese	China	0.9083333333333333
RT_STRING	0x5e220	0x64	data	Chinese	China	0.63
RT_STRING	0x5e284	0x52	data	Chinese	China	0.8780487804878049
RT_STRING	0x5e2d8	0x6a	data	Chinese	China	0.7452830188679245
RT_GROUP_ICON	0x5e344	0x3e	data	Chinese	China	0.8387096774193549
RT_MANIFEST	0x5e384	0x640	XML 1.0 document, ASCII text, with CRLF line terminators	Chinese	China	0.423125

Imports

DLL

Import

KERNEL32.dll

GetLastError, SetLastError, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, GetCurrentProcessId, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, GetTickCount, SetCurrentDirectoryW, GetExitCodeProcess, GetLocalTime, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetTimeFormatW, GetDateFormatW, GetNumberFormatW, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, HeapReAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP, GetCommandLineA, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetProcessHeap, SetStdHandle, HeapSize, GetConsoleCP, GetConsoleMode, SetFilePointerEx, DecodePointer

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	China

Target ID:	0
Start time:	12:54:54
Start date:	03/07/2024
Path:	C:\Users\user\Desktop\kbdgc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\kbdgc.exe"
Imagebase:	0xb70000
File size:	6'427'166 bytes
MD5 hash:	5025218D868F68C956A6BCB8F3C99007
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	10%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	8.9%
Total number of Nodes:	1398
Total number of Limit Nodes:	25

Executed Functions

Function 00B8B905 Relevance: 43.9, APIs: 20, Strings: 5, Instructions: 180
filecomwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00B7EF68: GetModuleHandleW.KERNEL32 ref: 00B7EF80
Part of subcall function 00B7EF68: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00B7EF98
Part of subcall function 00B7EF68: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00B7EFBB

OleInitialize.OLE32(00000000), ref: 00B8B918

Part of subcall function 00B802DE: GetCPInfo.KERNEL32(00000000,?), ref: 00B802EF
Part of subcall function 00B802DE: IsDBCSLeadByte.KERNEL32(00000000), ref: 00B80303

GetCommandLineW.KERNEL32 ref: 00B8B93B
OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 00B8B962
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007002), ref: 00B8B977
UnmapViewOfFile.KERNEL32(00000000), ref: 00B8B9A4

Part of subcall function 00B8B5D9: SetEnvironmentVariableW.KERNEL32(sfxcmd,?), ref: 00B8B5EF
Part of subcall function 00B8B5D9: SetEnvironmentVariableW.KERNELBASE(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00B8B62B

CloseHandle.KERNEL32(00000000), ref: 00B8B9AB
GetModuleFileNameW.KERNEL32(00000000,00BC47F0,00000800), ref: 00B8B9C5
SetEnvironmentVariableW.KERNEL32(sfxname,00BC47F0), ref: 00B8B9D7
GetLocalTime.KERNEL32(?), ref: 00B8B9DE
_swprintf.LIBCMT ref: 00B8BA1D
SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 00B8BA2F
GetModuleHandleW.KERNEL32(00000000), ref: 00B8BA32
LoadIconW.USER32(00000000,00000064), ref: 00B8BA49
LoadBitmapW.USER32(00000065), ref: 00B8BA5C
DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001939B,00000000), ref: 00B8BAAC
Sleep.KERNEL32(?), ref: 00B8BAE3
DeleteObject.GDI32 ref: 00B8BB21
DeleteObject.GDI32(?), ref: 00B8BB2D

Part of subcall function 00B8A0D8: CharUpperW.USER32(?,?,?,?,00001000), ref: 00B8A130
Part of subcall function 00B8A0D8: CharUpperW.USER32(?,?,?,?,?,00001000), ref: 00B8A157

CloseHandle.KERNEL32 ref: 00B8BB6F
OleUninitialize.OLE32 ref: 00B8BB75

Strings

sfxname, xrefs: 00B8B9D2
%4d-%02d-%02d-%02d-%02d-%02d-%03d, xrefs: 00B8BA0E
STARTDLG, xrefs: 00B8BAA1
sfxstime, xrefs: 00B8BA2A
winrarsfxmappingfile.tmp, xrefs: 00B8B956

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: EnvironmentFileHandleVariable$Module$AddressCharCloseDeleteLoadObjectProcUpperView$BitmapByteCommandDialogIconInfoInitializeLeadLineLocalMappingNameOpenParamSleepTimeUninitializeUnmap_swprintf
String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
API String ID: 3132662180-3710569615
Opcode ID: a32bcf86e68be792125c0f2278b32b36c94e0ffce4203d8a317359adbbae03b9
Instruction ID: 43cbd12e3cc9b100a3121bfbb076973deeed0b6af922d311d3bfe21adf9eb5a3
Opcode Fuzzy Hash: a32bcf86e68be792125c0f2278b32b36c94e0ffce4203d8a317359adbbae03b9
Instruction Fuzzy Hash: B051E231544215AFD721BB75EC0BFAA3BECEB4A700F40059AFA45A31B1EF759940CB62

Function 00B79F76 Relevance: 7.6, APIs: 5, Instructions: 108
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,?,?,?,?,?,00B79E74,000000FF,?,?), ref: 00B79FAB
FindFirstFileW.KERNEL32(?,?,?,?,00000800,?,?,?,?,00B79E74,000000FF,?,?), ref: 00B79FE1
GetLastError.KERNEL32(?,?,00000800,?,?,?,?,00B79E74,000000FF,?,?), ref: 00B79FE9
FindNextFileW.KERNEL32(?,?,?,?,?,?,00B79E74,000000FF,?,?), ref: 00B7A011
GetLastError.KERNEL32(?,?,?,?,00B79E74,000000FF,?,?), ref: 00B7A01D

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: FileFind$ErrorFirstLast$Next
String ID:
API String ID: 869497890-0
Opcode ID: dbcaa45b049ff829a61bfc935ba890eaf504928a9abfc35ee9b32a47b82cb7fc
Instruction ID: 410b4f2afceaf149b10ac942c2f7468e2a15f42803d5ba8b66307fd2f82c1b02
Opcode Fuzzy Hash: dbcaa45b049ff829a61bfc935ba890eaf504928a9abfc35ee9b32a47b82cb7fc
Instruction Fuzzy Hash: 85418471508245AFC364EF24C884ADEF7E8FB89340F008A6AF5ADD3240D730A9548B92

Function 00B94444 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,00B9441A,?,00BA7ED8,0000000C,00B94571,?,00000002,00000000), ref: 00B94465
TerminateProcess.KERNEL32(00000000,?,00B9441A,?,00BA7ED8,0000000C,00B94571,?,00000002,00000000), ref: 00B9446C
ExitProcess.KERNEL32 ref: 00B9447E

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 972ec9dbef35fc7b69036b5471900d515ed911a304beeef2736a34718c6aeb14
Instruction ID: fe3841858204dab1258caf81209f893653a7066b3794a9aae147e01486388018
Opcode Fuzzy Hash: 972ec9dbef35fc7b69036b5471900d515ed911a304beeef2736a34718c6aeb14
Instruction Fuzzy Hash: 08E09231021108AFCF116F64D90AF893BA9FB42381F004064FA899B732DF35AD82CA50

Function 00B780FA Relevance: 3.9, APIs: 2, Instructions: 900COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00B780FF
_memcmp.LIBVCRUNTIME ref: 00B7857B

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: H_prolog_memcmp
String ID:
API String ID: 3004599000-0
Opcode ID: d99dda265a6c77fec51cc7a3a7b6117f558b6b7ffe91add9a0b8f8954936caf0
Instruction ID: cc9d170f1440b8541d056ccc9cf9a034172e51d528b740bb8c59c792e6965832
Opcode Fuzzy Hash: d99dda265a6c77fec51cc7a3a7b6117f558b6b7ffe91add9a0b8f8954936caf0
Instruction Fuzzy Hash: 9872F870944285AEDF25DF64C889BF97BE9EF05300F08C1F9E96D9B242DB315A85CB60

Function 00B854D8 Relevance: .3, Instructions: 325COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: d0a124bbecb18d222c1b28ef5013409c2b26df96fb3cf26d99faab63aa2feb40
Instruction ID: 833f418472af7db1976e260d14996fb76b6133b91a6b151e19f12fb54bd59f61
Opcode Fuzzy Hash: d0a124bbecb18d222c1b28ef5013409c2b26df96fb3cf26d99faab63aa2feb40
Instruction Fuzzy Hash: D1D129B1A047418FDB24EF28C88079BBBE5FF94304F0845ADE8859B252D334ED54CB9A

Function 00B8939B Relevance: 93.5, APIs: 45, Strings: 8, Instructions: 712
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 00B893A0

Part of subcall function 00B712A6: GetDlgItem.USER32(00000000,00003021), ref: 00B712EA
Part of subcall function 00B712A6: SetWindowTextW.USER32(00000000,00BA0294), ref: 00B71300

Strings

<, xrefs: 00B89747
LICENSEDLG, xrefs: 00B89BDE
@, xrefs: 00B89754
-el -s2 "-d%s" "-p%s" "-sp%s", xrefs: 00B8972E
__tmp_rar_sfx_access_check_%u, xrefs: 00B8966D
STARTDLG, xrefs: 00B893BF
"%s"%s, xrefs: 00B898B5
winrarsfxmappingfile.tmp, xrefs: 00B89769

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: H_prologItemTextWindow
String ID: "%s"%s$-el -s2 "-d%s" "-p%s" "-sp%s"$<$@$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp
API String ID: 810644672-706182287
Opcode ID: e9b36d51f39d8b158339e60cf83e5f8d655b826e63a9751a7e83b16aa275cb2d
Instruction ID: 3107c5dabbf5fb9fb0e08de00df5a76c1b7192a7a860cd3283607482b2b9b23c
Opcode Fuzzy Hash: e9b36d51f39d8b158339e60cf83e5f8d655b826e63a9751a7e83b16aa275cb2d
Instruction Fuzzy Hash: 5032E270940315BBEF21BB64DC8AFBA3BE8EB06700F4841E9F605A70E1DBB55944DB61

Function 00B7EF68 Relevance: 52.8, APIs: 23, Strings: 7, Instructions: 314
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32 ref: 00B7EF80
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00B7EF98
GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00B7EFBB
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00B7F266
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00B7F27E
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00B7F290
ReadFile.KERNEL32(00000000,?,00007FFE,00BA07E0,00000000), ref: 00B7F2AF
CloseHandle.KERNEL32(00000000), ref: 00B7F307
GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00B7F31D
CompareStringW.KERNEL32(00000400,00001001,00BA082C,?,DXGIDebug.dll,?,?,00000000,?,00000800), ref: 00B7F377
GetFileAttributesW.KERNELBASE(?,?,00BA07F8,00000800,?,00000000,?,00000800), ref: 00B7F3A0
GetFileAttributesW.KERNEL32(?,?,00BA08B8,00000800), ref: 00B7F3D9

Part of subcall function 00B7EF1E: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00B7EF39
Part of subcall function 00B7EF1E: LoadLibraryW.KERNELBASE(?,?,00B7DB0E,Crypt32.dll,?,00B7DB90,?,00B7DB74,?,?,?,?), ref: 00B7EF5B

_swprintf.LIBCMT ref: 00B7F449
_swprintf.LIBCMT ref: 00B7F495

Part of subcall function 00B73CD1: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00B73CE4

AllocConsole.KERNEL32 ref: 00B7F49D
GetCurrentProcessId.KERNEL32 ref: 00B7F4A7
AttachConsole.KERNEL32(00000000), ref: 00B7F4AE
_wcslen.LIBCMT ref: 00B7F4C3
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 00B7F4D4
WriteConsoleW.KERNEL32(00000000), ref: 00B7F4DB
Sleep.KERNEL32(00002710), ref: 00B7F4E6
FreeConsole.KERNEL32 ref: 00B7F4EC
ExitProcess.KERNEL32 ref: 00B7F4F4

Strings

DXGIDebug.dll, xrefs: 00B7EFF8, 00B7F363
kernel32, xrefs: 00B7EF76
SetDllDirectoryW, xrefs: 00B7EF92
dwmapi.dll, xrefs: 00B7F023, 00B7F40C
uxtheme.dll, xrefs: 00B7F416
Please remove %s from %s folder. It is unsecure to run %s until it is done., xrefs: 00B7F483
SetDefaultDllDirectories, xrefs: 00B7EFB5

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l_wcslen
String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$dwmapi.dll$kernel32$uxtheme.dll
API String ID: 1207345701-3298887752
Opcode ID: e05b4148e140b6371350441894ecd03e45c9832448d9983e5179dc5002e7ce31
Instruction ID: 24edfff5dde1d0a89ed95ea345de5ddec70dfe25802ed6c0e60e1cca968191a4
Opcode Fuzzy Hash: e05b4148e140b6371350441894ecd03e45c9832448d9983e5179dc5002e7ce31
Instruction Fuzzy Hash: 75D182B202C3859BD370BF60C849B9FBBE8EF86704F4049ADF19997150DBB09548CB66

Function 00B7CB15 Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 207
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00B7C4DE: _wcschr.LIBVCRUNTIME ref: 00B7C50D

GetWindowRect.USER32(?,?), ref: 00B7CB4C
GetClientRect.USER32(?,?), ref: 00B7CB58
GetWindowLongW.USER32(?,000000F0), ref: 00B7CBF9
GetWindowRect.USER32(?,?), ref: 00B7CC26
GetWindowTextW.USER32(?,?,00000400), ref: 00B7CC45
SetWindowTextW.USER32(?,?), ref: 00B7CC6C
GetSystemMetrics.USER32(00000008), ref: 00B7CC74
GetWindow.USER32(?,00000005), ref: 00B7CC7F
GetWindowTextW.USER32(00000000,?,00000400), ref: 00B7CCAA
SetWindowTextW.USER32(00000000,00000000), ref: 00B7CCD7
GetWindowRect.USER32(00000000,?), ref: 00B7CCEA
GetWindow.USER32(00000000,00000002), ref: 00B7CD5C

Strings

d, xrefs: 00B7CB78

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: Window$RectText$ClientLongMetricsSystem_wcschr
String ID: d
API String ID: 4134264131-2564639436
Opcode ID: de89f35603be13f8c936608516715abe01010fd4234909616eba5971c2535e1c
Instruction ID: 3629a7764cf0e98d9841312a8e927893ebe930f41ad821be7a50a9ff8bdd097d
Opcode Fuzzy Hash: de89f35603be13f8c936608516715abe01010fd4234909616eba5971c2535e1c
Instruction Fuzzy Hash: 0F616E72208304AFD311DF68CD89E6BBBEAFB89704F44491DF59493290DB74E905CB62

Function 00B8AF10 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 96
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(00000068,00BC6818), ref: 00B8AF1F
ShowWindow.USER32(00000000,00000005,?,?,?,?,?,?,?,?,?,?,?,?,?,00B88C19), ref: 00B8AF4A
SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00B8AF59
SendMessageW.USER32(00000000,000000C2,00000000,00BA0294), ref: 00B8AF63
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00B8AF79
SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 00B8AF8F
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00B8AFCF
SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 00B8AFD9
SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00B8AFE8
SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00B8B00B
SendMessageW.USER32(00000000,000000C2,00000000,00BA12C0), ref: 00B8B016

Strings

\, xrefs: 00B8AF7F

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: MessageSend$ItemShowWindow
String ID: \
API String ID: 1207805008-2967466578
Opcode ID: a8af27dfdd608e68316721c154abc0af26982e8bc71440aaff70e0d5499992df
Instruction ID: 57e93871d664711b596142232e20bf5b696c36feb9402396f9838d41f6b639f9
Opcode Fuzzy Hash: a8af27dfdd608e68316721c154abc0af26982e8bc71440aaff70e0d5499992df
Instruction Fuzzy Hash: A42104B12457443BE311BB249C46FAB7ADCEF82754F000619F690971E0CBA55908CBBB

Function 00B8C323 Relevance: 15.2, APIs: 10, Instructions: 158
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExA.KERNELBASE(?,00000000,00000000), ref: 00B8C37E
GetLastError.KERNEL32 ref: 00B8C38A
DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B8C3B9
RaiseException.KERNEL32(C06D007E,00000000,00000001,?), ref: 00B8C3CA
FreeLibrary.KERNEL32(00000000), ref: 00B8C3E4
GetProcAddress.KERNEL32(?,?), ref: 00B8C44C
GetLastError.KERNEL32(?,?), ref: 00B8C458
DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B8C487
RaiseException.KERNEL32(C06D007F,00000000,00000001,?,?,?), ref: 00B8C498
DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B8C4CF

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: AccessDloadReleaseSectionWrite$ErrorExceptionLastLibraryRaise$AddressFreeLoadProc
String ID:
API String ID: 202095176-0
Opcode ID: da5706e96d6d0adadf653a03cfc1302f9f90fa5f041fee4c35d6308baa502227
Instruction ID: ec9c74ebc5f3a73e3add019bdf407b23e750c2b8f5d25f92c1dc7aa13a6f7a9b
Opcode Fuzzy Hash: da5706e96d6d0adadf653a03cfc1302f9f90fa5f041fee4c35d6308baa502227
Instruction Fuzzy Hash: FB518CB5911319AFDB21EFA4D895ABE7BF9FF45310F1500A9E901A7320DB709D41CBA0

Function 00B7C717 Relevance: 14.3, APIs: 4, Strings: 4, Instructions: 256
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 00B7C71C
_wcschr.LIBVCRUNTIME ref: 00B7C73A
GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,00B7C6FE,?), ref: 00B7C754
_wcsrchr.LIBVCRUNTIME ref: 00B7C762

Part of subcall function 00B802A5: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,00B7AF29,00000000,?,?), ref: 00B802C1

Strings

*messages***, xrefs: 00B7C814
*messages***, xrefs: 00B7C84D
a, xrefs: 00B7C869
R, xrefs: 00B7C85F

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: ByteCharFileH_prologModuleMultiNameWide_wcschr_wcsrchr
String ID: *messages***$*messages***$R$a
API String ID: 3071809318-2900423073
Opcode ID: e41242cf21396dc42122339eb0831a85a906794df47f2c8eb60a8fb7425dcd8c
Instruction ID: 8e2d716e45c061981193449a5aa34a2cf442c2ee10d80f65eb9091908a38b4e4
Opcode Fuzzy Hash: e41242cf21396dc42122339eb0831a85a906794df47f2c8eb60a8fb7425dcd8c
Instruction Fuzzy Hash: BD912BB29002059ADB35DF64CC91BAE7BE4EF40710F1085EEE66DA71D1DB709E84CB50

Function 00B96D6B Relevance: 9.2, APIs: 6, Instructions: 216
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00B92752,00B92752,?,?,?,00B96FBC,00000001,00000001,3EE85006), ref: 00B96DC5
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00B96FBC,00000001,00000001,3EE85006,?,?,?), ref: 00B96E4B
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,3EE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00B96F45
__freea.LIBCMT ref: 00B96F52

Part of subcall function 00B953D5: RtlAllocateHeap.NTDLL(00000000,?,?,?,00B91B3A,?,0000015D,?,?,?,?,00B926B9,000000FF,00000000,?,?), ref: 00B95407

__freea.LIBCMT ref: 00B96F5B
__freea.LIBCMT ref: 00B96F80

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: ba8ddadf3a54e7a8c01df678d6caf72d875db1c58e3a979d02e0896b6f1ac103
Instruction ID: 6067ee625d6803450404babdc10ae6b2744b6e68a54440be9f35cfc152ad57ea
Opcode Fuzzy Hash: ba8ddadf3a54e7a8c01df678d6caf72d875db1c58e3a979d02e0896b6f1ac103
Instruction Fuzzy Hash: F151CF7261021AABEF258F64DC81FBF77EAEB40750F1546B9FD18D6180EB74EC4086A0

Function 00B98287 Relevance: 7.6, APIs: 5, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00B98290
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00B982B3

Part of subcall function 00B953D5: RtlAllocateHeap.NTDLL(00000000,?,?,?,00B91B3A,?,0000015D,?,?,?,?,00B926B9,000000FF,00000000,?,?), ref: 00B95407

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00B982D9
_free.LIBCMT ref: 00B982EC
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00B982FB

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 633fdf51ec29a05307aa44728f18112f3e34b450cff72f649d0ea1bd919e85cf
Instruction ID: c0896b5ad421106627e0888bca60fba51b66913022e0260ed508566fe3117cbd
Opcode Fuzzy Hash: 633fdf51ec29a05307aa44728f18112f3e34b450cff72f649d0ea1bd919e85cf
Instruction Fuzzy Hash: 750184B2605A157B2B212BB65C8DCBF7AEDDEC7FA432501BAB904D3101DEA08C0181B8

Function 00B7F5E6 Relevance: 7.5, APIs: 5, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00B7F9DE: ResetEvent.KERNEL32(?,?,00B7F608,00DC1E08,?,00BB1E64,00000000,00B9F0A1,000000FF,000001B8,00B7F8A4,?,?,?,?,00B7A2A3), ref: 00B7F9FE
Part of subcall function 00B7F9DE: ReleaseSemaphore.KERNEL32(?,?,00000000,?,?,?,?,00B7A2A3,?,?,?,?,00B9F0A1,000000FF), ref: 00B7FA12

ReleaseSemaphore.KERNEL32(?,00000020,00000000), ref: 00B7F61A
CloseHandle.KERNEL32(?,?), ref: 00B7F634
DeleteCriticalSection.KERNEL32(?), ref: 00B7F64D
FindCloseChangeNotification.KERNELBASE(?), ref: 00B7F659
CloseHandle.KERNEL32(?), ref: 00B7F665

Part of subcall function 00B7F6DC: WaitForSingleObject.KERNEL32(?,000000FF,00B7F920,?,?,00B7F995,?,?,?,?,?,00B7F97F), ref: 00B7F6E2
Part of subcall function 00B7F6DC: GetLastError.KERNEL32(?,?,00B7F995,?,?,?,?,?,00B7F97F), ref: 00B7F6EE

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: Close$HandleReleaseSemaphore$ChangeCriticalDeleteErrorEventFindLastNotificationObjectResetSectionSingleWait
String ID:
API String ID: 565839277-0
Opcode ID: 899a637e2aab2591eba012f1b4c21c724c69676a8262d070931db38819307046
Instruction ID: bf03f04ddda4151d32db7ef3961b8a2ecd2f7284a781511fd911b2a59174232f
Opcode Fuzzy Hash: 899a637e2aab2591eba012f1b4c21c724c69676a8262d070931db38819307046
Instruction Fuzzy Hash: 4901B132010748EFCB31AF28DD89F96BBEAFB46710F00456AF26E92570CB716800DB61

Function 00B888F1 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 36
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClassNameW.USER32(?,?,00000050), ref: 00B88908
SHAutoComplete.SHLWAPI(?,00000010), ref: 00B8893F

Part of subcall function 00B806E6: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,?,000000FF,00B7A92C,?,?,?,00B7A8DB,?,-00000002,?,00000000,?), ref: 00B806FC

FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 00B8892F

Strings

EDIT, xrefs: 00B88913, 00B8891E, 00B8892B

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: AutoClassCompareCompleteFindNameStringWindow
String ID: EDIT
API String ID: 4243998846-3080729518
Opcode ID: 7731d3737bf04e3a5c0d45aac09b055ed55d61c86d9967ee7a86f33ffd94525a
Instruction ID: e6dd2f5da438c92c45ddfc382c7c3e38e75500ae207cb8bb2eaefdb445ac2a83
Opcode Fuzzy Hash: 7731d3737bf04e3a5c0d45aac09b055ed55d61c86d9967ee7a86f33ffd94525a
Instruction Fuzzy Hash: 0EF08232A013287BDB3066659C0AFAB76ECDB97B51F4401A5F900E3190DB60A901CBF7

Function 00B8B5D9 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetEnvironmentVariableW.KERNEL32(sfxcmd,?), ref: 00B8B5EF
SetEnvironmentVariableW.KERNELBASE(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00B8B62B

Strings

sfxpar, xrefs: 00B8B626
sfxcmd, xrefs: 00B8B5EA

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: EnvironmentVariable
String ID: sfxcmd$sfxpar
API String ID: 1431749950-3493335439
Opcode ID: c0e99cd3c90fda872ef2346e03d73e651b898a0cb3b69a150f44d33c98edeb39
Instruction ID: 381ed259a0df2a7aef1890c5d29408fcf848fff7dcebb220c3d2be3078a8b9dc
Opcode Fuzzy Hash: c0e99cd3c90fda872ef2346e03d73e651b898a0cb3b69a150f44d33c98edeb39
Instruction Fuzzy Hash: 99F0A7B2414224A6C7213BA59C0AEFABBDCEF09781F0000D5FC4857161EB719C50C7F0

Function 00B8895F Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 23
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00B7EF1E: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00B7EF39
Part of subcall function 00B7EF1E: LoadLibraryW.KERNELBASE(?,?,00B7DB0E,Crypt32.dll,?,00B7DB90,?,00B7DB74,?,?,?,?), ref: 00B7EF5B

OleInitialize.OLE32(00000000), ref: 00B88975
SHGetMalloc.SHELL32(00BB20D8), ref: 00B88998

Strings

3To, xrefs: 00B8898D
riched20.dll, xrefs: 00B88965

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: DirectoryInitializeLibraryLoadMallocSystem
String ID: riched20.dll$3To
API String ID: 1045004029-2168385784
Opcode ID: dd00931190d49c1f39027dd8f20233ee3d5076bb1a3aff01bb775058697296bf
Instruction ID: 56eb12dd4ad3eb8acd91b520b9f50b5ed5be543ec208ba6213f0aab4cbd3f0c1
Opcode Fuzzy Hash: dd00931190d49c1f39027dd8f20233ee3d5076bb1a3aff01bb775058697296bf
Instruction Fuzzy Hash: 31E01A70544349ABD750AF98DD0AAA97BE8EB05711F000599F944E3250DAB59944CBA1

Function 00B79C30 Relevance: 6.1, APIs: 4, Instructions: 127
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000000,?,00B77C5C,?,?,?), ref: 00B79CD6
CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,00000000,?,00B77C5C,?,?), ref: 00B79D1A
SetFileTime.KERNELBASE(?,00000800,?,00000000,?,00000000,?,00B77C5C,?,?,?,?,?,?,?,?), ref: 00B79D9B
CloseHandle.KERNEL32(?,?,00000000,?,00B77C5C,?,?,?,?,?,?,?,?,?,?,?), ref: 00B79DA2

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: File$Create$CloseHandleTime
String ID:
API String ID: 2287278272-0
Opcode ID: f7c91896b611e8b6d024c7830f881dd67541109abd0e03c621504c1b7911cf55
Instruction ID: e36b74dbe8f49e338dabc6a67c9c5c9e654428141fffc43089db5a4cd0cf1f66
Opcode Fuzzy Hash: f7c91896b611e8b6d024c7830f881dd67541109abd0e03c621504c1b7911cf55
Instruction Fuzzy Hash: DF41E430248385AAD731DF34DC55FEABBE8EB85300F0489ADB5F8D31D1D6649A48C752

Function 00B79443 Relevance: 6.1, APIs: 4, Instructions: 99fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,00000000,00000003,-00000001,00000000,?,?,?,00000000,00B7746D,?,00000005,?,00000011), ref: 00B794C3
GetLastError.KERNEL32(?,00000000,00B7746D,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00B794D0
CreateFileW.KERNEL32(?,?,?,00000000,00000003,?,00000000,?,?,00000800,?,00000000,00B7746D,?,00000005,?), ref: 00B79505
GetLastError.KERNEL32(?,00000000,00B7746D,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00B7950D

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: CreateErrorFileLast
String ID:
API String ID: 1214770103-0
Opcode ID: e613e00ae6a8bfe8e02a32fb5c6b2f795af14d769adeda402121735ae442fcb3
Instruction ID: 5d63a71e4e4c0c93007ab4af7a67ea05bfa4ee03ee64a5461fc1d36c97382967
Opcode Fuzzy Hash: e613e00ae6a8bfe8e02a32fb5c6b2f795af14d769adeda402121735ae442fcb3
Instruction Fuzzy Hash: E53186B08407656BD330AF209C45BE6BBE8FB49324F008728F9B8832C1D7759989CB90

Function 00B79319 Relevance: 6.1, APIs: 4, Instructions: 57fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00B79329
ReadFile.KERNELBASE(?,?,00000001,?,00000000), ref: 00B79341
GetLastError.KERNEL32 ref: 00B79373
GetLastError.KERNEL32 ref: 00B79392

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: ErrorLast$FileHandleRead
String ID:
API String ID: 2244327787-0
Opcode ID: fa6089f212b30eddceaca5798ad82edbfbc4a6bd467695d09249e7ca638f4e81
Instruction ID: 4457c661dd17840e2b941682de1d583475eb995b5a3b2dbe5ab79b85ba5b89c9
Opcode Fuzzy Hash: fa6089f212b30eddceaca5798ad82edbfbc4a6bd467695d09249e7ca638f4e81
Instruction Fuzzy Hash: BE117C30514608EFDB349F60D844AAD77ECEB06361F11C1AAF93E861D0CB369D40DB59

Function 00B9718E Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,00B919A3,00000000,00000000,?,00B97135,00B919A3,00000000,00000000,00000000,?,00B97332,00000006,FlsSetValue), ref: 00B971C0
GetLastError.KERNEL32(?,00B97135,00B919A3,00000000,00000000,00000000,?,00B97332,00000006,FlsSetValue,00BA36D8,00BA36E0,00000000,00000364,?,00B95DAE), ref: 00B971CC
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00B97135,00B919A3,00000000,00000000,00000000,?,00B97332,00000006,FlsSetValue,00BA36D8,00BA36E0,00000000), ref: 00B971DA

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 626038740ee54cfb33ce3301b8d311b64deed48c84dfc4bdedce25519d25b5ee
Instruction ID: f3fa87f7ea96f2134106d58929e91b1d71e2de39138020e0c8dcaeda6d1cb7ff
Opcode Fuzzy Hash: 626038740ee54cfb33ce3301b8d311b64deed48c84dfc4bdedce25519d25b5ee
Instruction Fuzzy Hash: 3601AC32679236ABCF215F689C45E567BD8EF07BA1B210570F916E7140DF20DC01C6E0

Function 00B891F2 Relevance: 6.0, APIs: 4, Instructions: 30windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00B89203
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00B89214
TranslateMessage.USER32(?), ref: 00B8921E
DispatchMessageW.USER32(?), ref: 00B89228

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: Message$DispatchPeekTranslate
String ID:
API String ID: 4217535847-0
Opcode ID: d1d788a3f907d29e53d891427e2e3086790a9aed827b3305e1d4be7645bd2e64
Instruction ID: a0f8ea7976034ed52de250084949ea695b9be371b0d21984e4dc1d9acc8a1b87
Opcode Fuzzy Hash: d1d788a3f907d29e53d891427e2e3086790a9aed827b3305e1d4be7645bd2e64
Instruction Fuzzy Hash: 20E05972D0212EA78B20ABE6ED4DDEBBFACEE062617004551B919D3410EB689505C7F1

Function 00B71CC0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 75COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00B71CC5

Part of subcall function 00B73867: __EH_prolog.LIBCMT ref: 00B7386C

_wcslen.LIBCMT ref: 00B71D6C

Strings

CMT, xrefs: 00B71CFB

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: H_prolog$_wcslen
String ID: CMT
API String ID: 2838827086-2756464174
Opcode ID: 423c38055140932397b89d5811abdcd48644c59dc5454e54576c145f94fac93d
Instruction ID: c48017bdd0a5781dfd50c0465f524b16ac8518b7ce7194be942509a3619c86da
Opcode Fuzzy Hash: 423c38055140932397b89d5811abdcd48644c59dc5454e54576c145f94fac93d
Instruction Fuzzy Hash: 4F2117729042089FCB25EF9CD9859EDFBF6EF58300B1048A9E459A7261CB325A14DB61

Function 00B7F7C6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00010000,Function_0000F976,?,00000000,00000000), ref: 00B7F7EA
SetThreadPriority.KERNEL32(000000FF,00000000), ref: 00B7F831

Part of subcall function 00B76B2C: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00B76B4A

Strings

CreateThread failed, xrefs: 00B7F7F6

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: Thread$CreatePriority__vswprintf_c_l
String ID: CreateThread failed
API String ID: 2655393344-3849766595
Opcode ID: 22e7d0035b733091a347bf442a3d233bc57c33a6537e10c671a952e1ca27aaa5
Instruction ID: 93c5d9016b0118f5cec0d8ea66fafd1214767ddad767ac8912e8d93be4a94339
Opcode Fuzzy Hash: 22e7d0035b733091a347bf442a3d233bc57c33a6537e10c671a952e1ca27aaa5
Instruction Fuzzy Hash: E101FEB234830AAFD6246F54DC43F7677D9EB42751F2080BDF55592191CEE29801C675

Function 00B973C6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringEx.KERNELBASE(?,00B91F24,00000010,?,?,00B92752,?,?,00000000,?,?,?,?,?,00B923DE), ref: 00B97419
LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,3EE85006,00000001,?,000000FF), ref: 00B97437

Strings

LCMapStringEx, xrefs: 00B973D7, 00B973E1

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: String
String ID: LCMapStringEx
API String ID: 2568140703-3893581201
Opcode ID: 5cbfa18ca5323ccc24df1d70017a75106c956a64ec0aadf9355d295bcc7177a4
Instruction ID: 6f47ce23bf0c001225a35a47cd9909d0fa73dd9e71c025aa3da093c5d07480d7
Opcode Fuzzy Hash: 5cbfa18ca5323ccc24df1d70017a75106c956a64ec0aadf9355d295bcc7177a4
Instruction Fuzzy Hash: 3F01DB7265421DBBCF026F90DC06DDE7FE2FB09750F104154FE0426261CA728931EB91

Function 00B798CE Relevance: 4.6, APIs: 3, Instructions: 96fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,?,?,00B7C4A3,00000001,?,?,?,00000000,00B83D5F,?,?,?,?,?,00B83804), ref: 00B798E9
WriteFile.KERNEL32(?,00000000,?,00B83A0C,00000000,?,?,00000000,00B83D5F,?,?,?,?,?,00B83804,?), ref: 00B79929
WriteFile.KERNELBASE(?,00000000,?,00B83A0C,00000000,?,00000001,?,?,00B7C4A3,00000001,?,?,?,00000000,00B83D5F), ref: 00B79956

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: FileWrite$Handle
String ID:
API String ID: 4209713984-0
Opcode ID: 64073be353dccffbb917da4b44335535951622fc3a31d0e8e583fd2818e91c15
Instruction ID: da360f7c360ad84768f8de0487fe6599ee68e75439cbf263abdd3763e22ddaeb
Opcode Fuzzy Hash: 64073be353dccffbb917da4b44335535951622fc3a31d0e8e583fd2818e91c15
Instruction Fuzzy Hash: D931E57114460AAFEB209E24CC49FA6B7E8FB52311F04C15DE6BD935C0CB75E848CBA2

Function 00B79B8C Relevance: 4.6, APIs: 3, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00B7B4DC: _wcslen.LIBCMT ref: 00B7B4E2

CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,00B79A98,?,00000001,00000000,?,?), ref: 00B79BB3
CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,00B79A98,?,00000001,00000000,?,?), ref: 00B79BE6
GetLastError.KERNEL32(?,?,?,?,00B79A98,?,00000001,00000000,?,?), ref: 00B79C03

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: CreateDirectory$ErrorLast_wcslen
String ID:
API String ID: 2260680371-0
Opcode ID: 8b84f119ab17678227d4c4242d27782b34225678581236b3dd258aa3a60365f1
Instruction ID: 98826c320a56b26c21175b765f38f88c119048b9385a1e0a0a9a70fd8c88e0bb
Opcode Fuzzy Hash: 8b84f119ab17678227d4c4242d27782b34225678581236b3dd258aa3a60365f1
Instruction Fuzzy Hash: 8B01B57115011865EF326A78AD86FEE33DCDF06740F0484D1F82DD6191DB649A81D7E9

Function 00B7C07F Relevance: 4.6, APIs: 3, Instructions: 55COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00B7C084
new.LIBCMT ref: 00B7C0C7
new.LIBCMT ref: 00B7C0EB

Part of subcall function 00B75D54: __EH_prolog.LIBCMT ref: 00B75D59

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: d36b9367a10ee4a7857cf0b9e7d45465f2cd842e259b5051de39c502b574c1e7
Instruction ID: a82ba0462b8285a33593bd15d692178af262dab14206cd10d79324e0eec8f537
Opcode Fuzzy Hash: d36b9367a10ee4a7857cf0b9e7d45465f2cd842e259b5051de39c502b574c1e7
Instruction Fuzzy Hash: 9611A771A002449EDB14EB78D9557AEBBE4DF95300F1080EEE45ED7682DF745E04C761

Function 00B73867 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 176COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00B7386C

Strings

CMT, xrefs: 00B7387B

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: H_prolog
String ID: CMT
API String ID: 3519838083-2756464174
Opcode ID: 81dbe9e9c104b663ce6eefc83ff778c5e4f6994e51428fef80a3540b1f5e31dd
Instruction ID: b54568ba908e61903c6a304efe74926870639660cf60741d8efc8baf1d1acbb6
Opcode Fuzzy Hash: 81dbe9e9c104b663ce6eefc83ff778c5e4f6994e51428fef80a3540b1f5e31dd
Instruction Fuzzy Hash: BC61C2B1500F449EDB25DB74C8429EBB7E8EB15701F4089AEE1EF47142DA326A44EF10

Function 00B97C80 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 00B97CA5

Strings

, xrefs: 00B97CEA

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-3916222277
Opcode ID: 425b26ee220a0f7e0eae1f57998cf01513bc85da87cd2cf72b4f43b63045e78d
Instruction ID: 6e3b18bae7ccc6f2a096b7085705c88cd5c9a1dd9ace466fd909704dff6e465e
Opcode Fuzzy Hash: 425b26ee220a0f7e0eae1f57998cf01513bc85da87cd2cf72b4f43b63045e78d
Instruction Fuzzy Hash: 7C410AB055828C9ADF228F28CC84BF6BBF9EF45304F2404FDE59A87142D6359A45DF60

Function 00B71881 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00B71881

Strings

CMT, xrefs: 00B718EA

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: H_prolog
String ID: CMT
API String ID: 3519838083-2756464174
Opcode ID: 8e7599566225690d633202c8c5fe42f352d9288d0f223d0c8f35ba6c7fe63f1b
Instruction ID: c45920ea2267c790d062b1ec4e3f230f328b974283b48cc13757dc568acdf01f
Opcode Fuzzy Hash: 8e7599566225690d633202c8c5fe42f352d9288d0f223d0c8f35ba6c7fe63f1b
Instruction Fuzzy Hash: 0511B674A00205AFCB04DF6C84919BDFBEEEF84300F04C499E46997341DB359912DB60

Function 00B97364 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,00B96A57), ref: 00B973AF

Strings

InitializeCriticalSectionEx, xrefs: 00B9737F

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: InitializeCriticalSectionEx
API String ID: 2593887523-3084827643
Opcode ID: d9e6bdc77137d9b1d455480275f4a39863cdcc2e4dd62ab1ab715f70a91a8b84
Instruction ID: 00e31264b250b0da1ad0202463c07a07df1aabca42a31a96aa9e4d7a04b4c8a4
Opcode Fuzzy Hash: d9e6bdc77137d9b1d455480275f4a39863cdcc2e4dd62ab1ab715f70a91a8b84
Instruction Fuzzy Hash: 02F09071689218BBCF016F64DC06DAE7FE1EF46B20F0040A4FC086A260CE724A11EA90

Function 00B97209 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 00B97248

Strings

FlsAlloc, xrefs: 00B97224

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: Alloc
String ID: FlsAlloc
API String ID: 2773662609-671089009
Opcode ID: 3c2c272f4a80607a1fdd540c408f77a47cc2c9b5a47378cfe55b522a33f529d5
Instruction ID: 777664bcc9609cb56cb57e957e8b3c778bb5d7ad4a61b460fda5a83f4f07963c
Opcode Fuzzy Hash: 3c2c272f4a80607a1fdd540c408f77a47cc2c9b5a47378cfe55b522a33f529d5
Instruction Fuzzy Hash: 22E0A030AA9218779710AB689C0696EBAD4DF56B21F2401A5F805672A0CEA15A0086D9

Function 00B91507 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 00B9151C

Strings

FlsAlloc, xrefs: 00B9150B, 00B91515

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: try_get_function
String ID: FlsAlloc
API String ID: 2742660187-671089009
Opcode ID: b54dffd0ec73bb300a62ba2c2438d742d7cbc1a874e02380271bd24d7df7b137
Instruction ID: c44b5f18b8576c57c99c5b042c6f2ebc10516a51f6eb5394cf0bfba2d63e47a9
Opcode Fuzzy Hash: b54dffd0ec73bb300a62ba2c2438d742d7cbc1a874e02380271bd24d7df7b137
Instruction Fuzzy Hash: 8ED02B7578A32C778A5032DCAC039DD7EC4CB01BF1F0104E2FB083215796A1054052D1

Function 00B97FD5 Relevance: 3.2, APIs: 2, Instructions: 168COMMON

Download Yara Rule

APIs

Part of subcall function 00B97BA8: GetOEMCP.KERNEL32(00000000,?,?,00B97E31,?), ref: 00B97BD3

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,00B97E76,?,00000000), ref: 00B98049
GetCPInfo.KERNEL32(00000000,00B97E76,?,?,?,00B97E76,?,00000000), ref: 00B9805C

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: f5d282f48a53c574c849d5656b2ea9824897183b01869914f8e57433fa7aa147
Instruction ID: 80f04f48f1c8b10c13f82ae168033a29aa3a2bb3afbbd80fafc11201a4aa37aa
Opcode Fuzzy Hash: f5d282f48a53c574c849d5656b2ea9824897183b01869914f8e57433fa7aa147
Instruction Fuzzy Hash: C1512270A042159EDF24DF35C881ABBBBE5EF47300F1444FED096AB252EB399946CB90

Function 00B7134B Relevance: 3.1, APIs: 2, Instructions: 96COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00B7134B

Part of subcall function 00B75D54: __EH_prolog.LIBCMT ref: 00B75D59

Part of subcall function 00B7C07F: __EH_prolog.LIBCMT ref: 00B7C084
Part of subcall function 00B7C07F: new.LIBCMT ref: 00B7C0C7
Part of subcall function 00B7C07F: new.LIBCMT ref: 00B7C0EB

new.LIBCMT ref: 00B713C3

Part of subcall function 00B7A96E: __EH_prolog.LIBCMT ref: 00B7A973

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: c4048f8eccbcc34bfc896566287df6676056db3c909fbdf54fd5c3c3db68159a
Instruction ID: f88ad31e7fac27e527d03b17f3f999189e8405313922ef70afc3796854a69e13
Opcode Fuzzy Hash: c4048f8eccbcc34bfc896566287df6676056db3c909fbdf54fd5c3c3db68159a
Instruction Fuzzy Hash: 914127B0904B44DED720DF798885AD6FBE5BF28300F5089AFE5BE83282C7326654CB15

Function 00B71346 Relevance: 3.1, APIs: 2, Instructions: 94COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00B7134B

Part of subcall function 00B75D54: __EH_prolog.LIBCMT ref: 00B75D59

Part of subcall function 00B7C07F: __EH_prolog.LIBCMT ref: 00B7C084
Part of subcall function 00B7C07F: new.LIBCMT ref: 00B7C0C7
Part of subcall function 00B7C07F: new.LIBCMT ref: 00B7C0EB

new.LIBCMT ref: 00B713C3

Part of subcall function 00B7A96E: __EH_prolog.LIBCMT ref: 00B7A973

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 0cb6a44511eed0307d6ab02c59854a26c5965d8d03f95c01ee2cfe6db36211d4
Instruction ID: a3c429218519d26f41f056daeba86a38dfa90c1de76a4e6d08ea51c93398156c
Opcode Fuzzy Hash: 0cb6a44511eed0307d6ab02c59854a26c5965d8d03f95c01ee2cfe6db36211d4
Instruction Fuzzy Hash: AE4117B0905B44DED720DF798885AD6FBE5BF28300F504AAFD5BE83282D7326654CB15

Function 00B97E14 Relevance: 3.1, APIs: 2, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 00B95CDC: GetLastError.KERNEL32(?,00BACBD8,00B91E04,00BACBD8,?,?,00B919A3,?,?,00BACBD8), ref: 00B95CE0
Part of subcall function 00B95CDC: _free.LIBCMT ref: 00B95D13
Part of subcall function 00B95CDC: SetLastError.KERNEL32(00000000,?,00BACBD8), ref: 00B95D54
Part of subcall function 00B95CDC: _abort.LIBCMT ref: 00B95D5A

Part of subcall function 00B97F33: _abort.LIBCMT ref: 00B97F65
Part of subcall function 00B97F33: _free.LIBCMT ref: 00B97F99

Part of subcall function 00B97BA8: GetOEMCP.KERNEL32(00000000,?,?,00B97E31,?), ref: 00B97BD3

_free.LIBCMT ref: 00B97E8C
_free.LIBCMT ref: 00B97EC2

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: _free$ErrorLast_abort
String ID:
API String ID: 2991157371-0
Opcode ID: 1c2d091e059ee482fbfda6ccb17a1eb4204b477f2f9af87323f3214cb6fe486b
Instruction ID: b6e42763c64e92be48879c0693c477a0acddec3e1d6a081131a51da99230f2ac
Opcode Fuzzy Hash: 1c2d091e059ee482fbfda6ccb17a1eb4204b477f2f9af87323f3214cb6fe486b
Instruction Fuzzy Hash: F5317132958608AFDF21EFA8D441BAD77F9EF41320F2540E9E4049B2A1EF755D41CB54

Function 00B791F7 Relevance: 3.1, APIs: 2, Instructions: 86fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,00000001,00000000,00000002,00000000,00000000,?,?,?,?,00000000,00B7988D,?,?,00B77429), ref: 00B7927F
CreateFileW.KERNEL32(?,?,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,00000000,00B7988D,?,?,00B77429), ref: 00B792B4

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: bb5c5d367fcec239c53374083e0e8712f3faa44c68f77e8dab8e217ad2c3aa4c
Instruction ID: cfd104ffe28f8e288cc2d84dceca1f332c9c68be5c8e1f2cf6be7c19f04b7412
Opcode Fuzzy Hash: bb5c5d367fcec239c53374083e0e8712f3faa44c68f77e8dab8e217ad2c3aa4c
Instruction Fuzzy Hash: 002101B1404748BEE730AF14C885BA777E8EB49364F008AADF5F9825D2C374AD498B60

Function 00B79718 Relevance: 3.1, APIs: 2, Instructions: 82timeCOMMON

Download Yara Rule

APIs

FlushFileBuffers.KERNEL32(?,?,?,?,?,?,?,00B7718F,?,?,?), ref: 00B79732
SetFileTime.KERNELBASE(?,?,?,?), ref: 00B797E2

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: File$BuffersFlushTime
String ID:
API String ID: 1392018926-0
Opcode ID: 0b9a693a81fa1c674f527b07684c5e0ccb2634015fa88ac7deb245aada0ea8bb
Instruction ID: f108ce871bfafba330c4683b473c930ffaaa3db4b1f0fafee399ede5a5426c92
Opcode Fuzzy Hash: 0b9a693a81fa1c674f527b07684c5e0ccb2634015fa88ac7deb245aada0ea8bb
Instruction Fuzzy Hash: 6021F331268245AFC718DE24C891AAABBE8EF95704F04899DF8A9C7141C725ED08C791

Function 00B970F2 Relevance: 3.1, APIs: 2, Instructions: 65libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,?), ref: 00B97152
__crt_fast_encode_pointer.LIBVCRUNTIME ref: 00B9715F

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: AddressProc__crt_fast_encode_pointer
String ID:
API String ID: 2279764990-0
Opcode ID: cda258ead71278c0b6648ed759ff10ac6977bb42d74e26cc0c5706ef79114be1
Instruction ID: 6e93fd389a7accf9c7678e26df8cd720980699129a0cdc9cd3c771fed57cf526
Opcode Fuzzy Hash: cda258ead71278c0b6648ed759ff10ac6977bb42d74e26cc0c5706ef79114be1
Instruction Fuzzy Hash: 4911A737A54131AB9F259E28EC819AA73D5EB85B60B1642B0ED14FB294DF30DC4186D1

Function 00B797F1 Relevance: 3.1, APIs: 2, Instructions: 54COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,00000000,00000000,00000001), ref: 00B79827
GetLastError.KERNEL32 ref: 00B79833

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 1f1778e0941ae407d4fb4c0e9e0816c7a32c833f6ed0aa9ed53c26e36ac2ddf3
Instruction ID: 153cfbae68effcb52037301a9941726e0aec39894d421f1f5d1145da27aa1260
Opcode Fuzzy Hash: 1f1778e0941ae407d4fb4c0e9e0816c7a32c833f6ed0aa9ed53c26e36ac2ddf3
Instruction Fuzzy Hash: B601DE717042046BE730AE29CC85B6AB7DAEB86355F14C57EB16AC7690DA71DC0CC222

Function 00B7959D Relevance: 3.1, APIs: 2, Instructions: 52COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(000000FF,?,?,?), ref: 00B795F1
GetLastError.KERNEL32 ref: 00B795FE

Part of subcall function 00B793B0: __EH_prolog.LIBCMT ref: 00B793B5

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: ErrorFileH_prologLastPointer
String ID:
API String ID: 4236474358-0
Opcode ID: 6561d9c45c5d8f27e01b2e374dab7a4a835befe6c3d8d567db7f3e56fdab8eed
Instruction ID: bd339f59e10d00f731e495bbcd6816636bfdb7279eb9c4a8be980860fd27e29a
Opcode Fuzzy Hash: 6561d9c45c5d8f27e01b2e374dab7a4a835befe6c3d8d567db7f3e56fdab8eed
Instruction Fuzzy Hash: 910175722043259BCF159E298CC49AB77E9FF61720714C299E93DCB291DB71D8019760

Function 00B7783A Relevance: 3.0, APIs: 2, Instructions: 48COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00B7783F

Part of subcall function 00B7C07F: __EH_prolog.LIBCMT ref: 00B7C084
Part of subcall function 00B7C07F: new.LIBCMT ref: 00B7C0C7
Part of subcall function 00B7C07F: new.LIBCMT ref: 00B7C0EB

new.LIBCMT ref: 00B77880

Part of subcall function 00B807B4: __EH_prolog.LIBCMT ref: 00B807B9

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 44596ecfc8c3aa85106849b1a36782b617629f820770c9ac1edf5b76c6ed0f1f
Instruction ID: e0e87f5e84578e4bf60aca127457de1f26b8d3d871b5a50e5232a431f4f47a6a
Opcode Fuzzy Hash: 44596ecfc8c3aa85106849b1a36782b617629f820770c9ac1edf5b76c6ed0f1f
Instruction Fuzzy Hash: 98118BB1A007449AC724DF69D4416AAFBE4FF98340F10896FE86AC7650EB70A940CB60

Function 00B954C3 Relevance: 3.0, APIs: 2, Instructions: 44memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00B954E4

Part of subcall function 00B953D5: RtlAllocateHeap.NTDLL(00000000,?,?,?,00B91B3A,?,0000015D,?,?,?,?,00B926B9,000000FF,00000000,?,?), ref: 00B95407

HeapReAlloc.KERNEL32(00000000,?,00200000,?,?,00BACBD8,00B71727,?,?,?,?,00000000,?,00B76D05,?,?), ref: 00B95520

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: Heap$AllocAllocate_free
String ID:
API String ID: 2447670028-0
Opcode ID: afdae951cffef35bea665b23943fe46c0db31d8ac73edf46ae80808d1db41059
Instruction ID: 3198cd3da38df9c167099f4fadf7146e91d3dabb2776d9d00d590d9f558f32e5
Opcode Fuzzy Hash: afdae951cffef35bea665b23943fe46c0db31d8ac73edf46ae80808d1db41059
Instruction Fuzzy Hash: 48F0C2312C4911679F732A29AC41B6B3BD9CF817B2F2180B5FC15AB795DE30C88087A0

Function 00B7CD80 Relevance: 3.0, APIs: 2, Instructions: 43COMMON

Download Yara Rule

APIs

LoadStringW.USER32(?,?,00000200,?), ref: 00B7CDC5
LoadStringW.USER32(?,?,00000200,?), ref: 00B7CDDB

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: LoadString
String ID:
API String ID: 2948472770-0
Opcode ID: 621877e2da2e1b2381b94075073bc84bb749f70f74d83ce60cd28093ab9b0ab8
Instruction ID: 0017d5b20d7436161b99c38a650222aefd8d02f5cda0ae92bf5b0b9c20288687
Opcode Fuzzy Hash: 621877e2da2e1b2381b94075073bc84bb749f70f74d83ce60cd28093ab9b0ab8
Instruction Fuzzy Hash: 24F0C8326001287BDB21AF149C46FA77E99EB06790F00047DF959A3061EB129C00C7B0

Function 00B948BE Relevance: 3.0, APIs: 2, Instructions: 33COMMON

Download Yara Rule

APIs

Part of subcall function 00B98287: GetEnvironmentStringsW.KERNEL32 ref: 00B98290
Part of subcall function 00B98287: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00B982B3
Part of subcall function 00B98287: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00B982D9
Part of subcall function 00B98287: _free.LIBCMT ref: 00B982EC
Part of subcall function 00B98287: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00B982FB

_free.LIBCMT ref: 00B94904
_free.LIBCMT ref: 00B9490B

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: _free$ByteCharEnvironmentMultiStringsWide$Free
String ID:
API String ID: 400815659-0
Opcode ID: 8dce0f53f59ba4597e891517d65602e7402e2148d9ec9c56259ccfc97784ce48
Instruction ID: b2af6b79fa0bc84957ea0b64a0df5f21ee75524bcda491acd69e7d1bd8611ed7
Opcode Fuzzy Hash: 8dce0f53f59ba4597e891517d65602e7402e2148d9ec9c56259ccfc97784ce48
Instruction Fuzzy Hash: 21E0E513A1D9514A9EB236393C52F9B0BC48B92374B3103FEF526870D3CF508C0302A5

Function 00B7F8BB Relevance: 3.0, APIs: 2, Instructions: 33COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?), ref: 00B7F8C8
GetProcessAffinityMask.KERNEL32(00000000), ref: 00B7F8CF

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: Process$AffinityCurrentMask
String ID:
API String ID: 1231390398-0
Opcode ID: f19db42be766543eaa92f6fe5a333a5b6889cf4bfdac500e0ca939b36b4e543a
Instruction ID: bb85992b6e2cf0591e93aa74c950d9cda16d260530dfabccda94154418d77297
Opcode Fuzzy Hash: f19db42be766543eaa92f6fe5a333a5b6889cf4bfdac500e0ca939b36b4e543a
Instruction Fuzzy Hash: 36E06532E2020AAB5B1497A49C559BF72DDDA09300B2081F5A82BD7500EA20DD0157A5

Function 00B79DC9 Relevance: 3.0, APIs: 2, Instructions: 30COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00B79BFF,?,?,?,00B79A98,?,00000001,00000000,?,?), ref: 00B79DDD
SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00B79BFF,?,?,?,00B79A98,?,00000001,00000000,?,?), ref: 00B79E0E

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: cb77f1c6b4fc8e2e2874c149faeaf5dd8cae6a20c7ead79104ea4804f23159ef
Instruction ID: 2671f055a37eb1f147fe087f4884f6a4b7f3dde0a99008198d232f5b8d732e30
Opcode Fuzzy Hash: cb77f1c6b4fc8e2e2874c149faeaf5dd8cae6a20c7ead79104ea4804f23159ef
Instruction Fuzzy Hash: A3F0A07129010D6BDF11AF60EC01BDA37ADEB04385F04C0A5B99887060DB3299A8DB90

Function 00B8B8A4 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00B8B8D2
SetDlgItemTextW.USER32(00000065,?), ref: 00B8B8E9

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: ItemText_swprintf
String ID:
API String ID: 3011073432-0
Opcode ID: 7952fb9afdb23e813f09f61bdb8d723f7b3ae4abbe5ef02bf4a0bb46aa16138a
Instruction ID: 08f8bbe184313328b7740f14f9e5893e9795ed20c429317d4309bc560975e512
Opcode Fuzzy Hash: 7952fb9afdb23e813f09f61bdb8d723f7b3ae4abbe5ef02bf4a0bb46aa16138a
Instruction Fuzzy Hash: 1EF0E571A1434C3BEB11BBB09C0BFAA3BDDDB04741F0405E5F605630B2EA716A20E762

Function 00B79AB2 Relevance: 3.0, APIs: 2, Instructions: 28fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?,?,?,00B79317,?,?,00B79172), ref: 00B79AC3
DeleteFileW.KERNEL32(?,?,?,00000800,?,?,00B79317,?,?,00B79172), ref: 00B79AF1

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 0bd5a9e6fbe46d668f5c71550ccf80a7a13d56f171677c1234b03d0f17d16766
Instruction ID: ca3d0ebc5783a4bc011c5c29885ac3ab979cf5fcacb71981ff4228c5b67c501a
Opcode Fuzzy Hash: 0bd5a9e6fbe46d668f5c71550ccf80a7a13d56f171677c1234b03d0f17d16766
Instruction Fuzzy Hash: E3E0927165121D6BDF21AF61EC41BE977ECEB09381F8480A1FA88C7060DF71DD94DAA0

Function 00B79B19 Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,?,00B79B0E,?,00B772CE,?,?,?,?), ref: 00B79B2A
GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,00B79B0E,?,00B772CE,?,?,?,?), ref: 00B79B56

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 675cbfe935fab5f769e50132b5e6fe63be25fce15c7dfab2bafcd8945784e846
Instruction ID: 677162fb29002a91183365b2eab35cf25963f2dc8db197d1becaf48e47418bf4
Opcode Fuzzy Hash: 675cbfe935fab5f769e50132b5e6fe63be25fce15c7dfab2bafcd8945784e846
Instruction Fuzzy Hash: BEE0653151012867CB60AAA4DC05BD9779CDB093E1F0442E1FE58E3290DA715D8487D0

Function 00B7EF1E Relevance: 3.0, APIs: 2, Instructions: 25libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00B7EF39
LoadLibraryW.KERNELBASE(?,?,00B7DB0E,Crypt32.dll,?,00B7DB90,?,00B7DB74,?,?,?,?), ref: 00B7EF5B

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: DirectoryLibraryLoadSystem
String ID:
API String ID: 1175261203-0
Opcode ID: d2c0c0136a168bc7b38e589c8608ff3579b8ab7cdd878d8326913c5cff1a6072
Instruction ID: 21b648b0af0cf795871003767032be4e4c2c49952f65bb632c1246d784ccd722
Opcode Fuzzy Hash: d2c0c0136a168bc7b38e589c8608ff3579b8ab7cdd878d8326913c5cff1a6072
Instruction Fuzzy Hash: 77E0127281116C6BDB11AAA49C09FDA77ACEF0D381F0440E5B948D3005DA74D944CBB0

Function 00B903E6 Relevance: 3.0, APIs: 2, Instructions: 19COMMON

Download Yara Rule

APIs

Part of subcall function 00B91507: try_get_function.LIBVCRUNTIME ref: 00B9151C

___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00B90404
___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00B9040F

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: Value___vcrt____vcrt_uninitialize_ptdtry_get_function
String ID:
API String ID: 806969131-0
Opcode ID: 06cb347ccb3236c8db16f0f1f0b451b07cb02642ed14daf6f7dfbe0bcb7bbb79
Instruction ID: d9fb9739f10f3b1c7742035984c84de5bd0a7b6d83b901b3ec84f6783a4e6728
Opcode Fuzzy Hash: 06cb347ccb3236c8db16f0f1f0b451b07cb02642ed14daf6f7dfbe0bcb7bbb79
Instruction Fuzzy Hash: 21D0A76057C7015E5C44327C681385A17D4846777877147F9E521892E1EF1094017025

Function 00B71281 Relevance: 3.0, APIs: 2, Instructions: 11COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00B71296
ShowWindow.USER32(00000000), ref: 00B7129D

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: ItemShowWindow
String ID:
API String ID: 3351165006-0
Opcode ID: 77d1bb1e171fd3f6b80eeefc3d3ae022b1026085b8f44b425adeaf882e0e9313
Instruction ID: 717b030cada662ae580917aa3fbea1f1857d32f6eb311565dccd2f9d3d4154c0
Opcode Fuzzy Hash: 77d1bb1e171fd3f6b80eeefc3d3ae022b1026085b8f44b425adeaf882e0e9313
Instruction Fuzzy Hash: 14C01272058100BECB012BB0DC0AC2A7BA99B96212F00C904B0A5C1060C738C010DB32

Function 00B7F845 Relevance: 2.5, APIs: 2, Instructions: 46COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00BB1E64,?,?,?,?,00B7A2A3,?,?,?,?,00B9F0A1,000000FF), ref: 00B7F857
LeaveCriticalSection.KERNEL32(00BB1E64,?,?,?,?,00B7A2A3,?,?,?,?,00B9F0A1,000000FF), ref: 00B7F8AE

Part of subcall function 00B7F5E6: ReleaseSemaphore.KERNEL32(?,00000020,00000000), ref: 00B7F61A
Part of subcall function 00B7F5E6: CloseHandle.KERNEL32(?,?), ref: 00B7F634
Part of subcall function 00B7F5E6: DeleteCriticalSection.KERNEL32(?), ref: 00B7F64D
Part of subcall function 00B7F5E6: FindCloseChangeNotification.KERNELBASE(?), ref: 00B7F659
Part of subcall function 00B7F5E6: CloseHandle.KERNEL32(?), ref: 00B7F665

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: CloseCriticalSection$Handle$ChangeDeleteEnterFindLeaveNotificationReleaseSemaphore
String ID:
API String ID: 2851692498-0
Opcode ID: 1024a94076049f57bbcc7bb40216d2569b1230a4cb0b22d947c949b00a5112da
Instruction ID: df66cdd41e8e932d8607b9b634812b3cf7bf0fbd964e0b487f1162eb3435d331
Opcode Fuzzy Hash: 1024a94076049f57bbcc7bb40216d2569b1230a4cb0b22d947c949b00a5112da
Instruction Fuzzy Hash: 2EF07873500202CBD3216B2CEC4187EB3ECE7807903118666EC3857101DF72EC004379

Function 00B71927 Relevance: 1.8, APIs: 1, Instructions: 254COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00B7192C

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 2981e1b821d3e0ea146a873a112085a3abfa01b38b080c9e49c9e4e221194b1e
Instruction ID: 31ee502d682f9d0956c6338f4233a0f871d4254dcd89d153b9071add85ea929c
Opcode Fuzzy Hash: 2981e1b821d3e0ea146a873a112085a3abfa01b38b080c9e49c9e4e221194b1e
Instruction Fuzzy Hash: 61A1A470A01642AEEB19CF7CC484BB9FBE5FF45300F1489AAD47D97281D771A951CBA0

Function 00B77F13 Relevance: 1.6, APIs: 1, Instructions: 111COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00B77F18

Part of subcall function 00B71346: __EH_prolog.LIBCMT ref: 00B7134B
Part of subcall function 00B71346: new.LIBCMT ref: 00B713C3

Part of subcall function 00B71927: __EH_prolog.LIBCMT ref: 00B7192C

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 62ecfa31c41ef5314fec7f77cf861eba84fe8b2137294a9c632c90b5657c39c7
Instruction ID: 376f8928d324dbf33f0bc8fe91cb80f9532380f7c6c0a603ad98e3db6f924e72
Opcode Fuzzy Hash: 62ecfa31c41ef5314fec7f77cf861eba84fe8b2137294a9c632c90b5657c39c7
Instruction Fuzzy Hash: 4141A1719842589EDB24EB60CC55BEA77F8EF11300F4484EAE45E63092DB756EC8CB21

Function 00B81D8C Relevance: 1.6, APIs: 1, Instructions: 90COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00B81D91

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: ef78145484b7f95f35326ea47cd837b92c6b67a803d8f382b90f37388211b3e7
Instruction ID: a4fc4cb68d96fca034f6bd361e13737ec91f2800c6807248f86bacd757909478
Opcode Fuzzy Hash: ef78145484b7f95f35326ea47cd837b92c6b67a803d8f382b90f37388211b3e7
Instruction Fuzzy Hash: 1E21F5B1E41215AFDB14EF78DC42A6A7BECEB14354F0045BAE905E7691D7709D00C7A8

Function 00B88D79 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00B88D7E

Part of subcall function 00B71346: __EH_prolog.LIBCMT ref: 00B7134B
Part of subcall function 00B71346: new.LIBCMT ref: 00B713C3

Part of subcall function 00B7187C: __EH_prolog.LIBCMT ref: 00B71881

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: d0603d8a5a95c675cebd93160c1bc9f1e50efa4d7bd71fda47d572bc354af9f5
Instruction ID: 443635c7b1262071313cb128b495c1108c0157e186833ea4d9fdbd4604927fcf
Opcode Fuzzy Hash: d0603d8a5a95c675cebd93160c1bc9f1e50efa4d7bd71fda47d572bc354af9f5
Instruction Fuzzy Hash: AD213A75C042099BCB15EF98D8819EEBBF4FF59300F1048AAE809A3251DB356E04CBB0

Function 00B8B44C Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00B8B451

Part of subcall function 00B7ED7A: _wcslen.LIBCMT ref: 00B7ED90

Part of subcall function 00B7783A: __EH_prolog.LIBCMT ref: 00B7783F
Part of subcall function 00B7783A: new.LIBCMT ref: 00B77880

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: H_prolog$_wcslen
String ID:
API String ID: 2838827086-0
Opcode ID: 31f628daa8fc3898afe52af6df9a7fc4840aabdb6e6a08d2baecde174ce052fd
Instruction ID: 5b2a3d8c4d64fdb73c8f4bf7f1f2f8590117ff604fe08c3e1139b51769a43271
Opcode Fuzzy Hash: 31f628daa8fc3898afe52af6df9a7fc4840aabdb6e6a08d2baecde174ce052fd
Instruction Fuzzy Hash: 23110832508244AFD704EBACE806FD97BE0DB6D320F0084EEF41497292DFB11684DB65

Function 00B7A3AC Relevance: 1.5, APIs: 1, Instructions: 40COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 00B7A3BE

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52a26c187ae18e92b20300223c50c763a19eec92ec0916de75924cfd3bbcb820
Instruction ID: 9b4e65d7e4bcfafc17124f79a5f7c1960223a01ba015edd4a7847a007c4c0523
Opcode Fuzzy Hash: 52a26c187ae18e92b20300223c50c763a19eec92ec0916de75924cfd3bbcb820
Instruction Fuzzy Hash: 94F0AF3151470A9FDBB0EE24C84565E77D4EB51321F20CA9EE4BEC7690EBB0E880A752

Function 00B758AB Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00B758B0

Part of subcall function 00B7A96E: __EH_prolog.LIBCMT ref: 00B7A973

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 76bfebea808e8974bbec359d71d0abc72e2a0ef67b6048a22a4b831798ffc204
Instruction ID: 197bbd4bf7862816b6987fa63e44bf6d1af8bdc9ce99dbc2af36ee020a839c73
Opcode Fuzzy Hash: 76bfebea808e8974bbec359d71d0abc72e2a0ef67b6048a22a4b831798ffc204
Instruction Fuzzy Hash: EA011D34915694DAEB25E7A4C0567DDFBE49F19304F0084EDA8BE53283DFB46B04CB62

Function 00B953D5 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,00B91B3A,?,0000015D,?,?,?,?,00B926B9,000000FF,00000000,?,?), ref: 00B95407

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 9a9885c8b8dfd1833c78662f307216e46b023fa648fbef8864c017fe80f26aa7
Instruction ID: 557026a376f37c5304e7e4c7d2c359c7068fed132115090959cb32cef3446b10
Opcode Fuzzy Hash: 9a9885c8b8dfd1833c78662f307216e46b023fa648fbef8864c017fe80f26aa7
Instruction Fuzzy Hash: E8E0E531194E2066EE7326219C06B5B7BC8DB413A1F1580B0EC05D72C0CB60CC4087A4

Function 00B791A9 Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(000000FF,?,?,00B79179), ref: 00B791C4

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 2e5ff5117282f590bc3be9170445c7e741374cb0ecc65f11b0471ffa57517295
Instruction ID: 854f73423c571ae480833466e16386161408dd2cdab0febe07666cc47e4d627a
Opcode Fuzzy Hash: 2e5ff5117282f590bc3be9170445c7e741374cb0ecc65f11b0471ffa57517295
Instruction Fuzzy Hash: 37F0BE70082B1A6EDB308A20D54D792B7E5DB12725F04CB9E80FA53CD09321A85AAB10

Function 00B79E4B Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 00B79E7A

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 67fa858679aaf2d08efd509040d387b03ec6b40ff162d3941f7814b1a692bc22
Instruction ID: 2c33ff46b3a4ada021e67ec4b4caf39adaced4b668ee4fb8a415c63784f82610
Opcode Fuzzy Hash: 67fa858679aaf2d08efd509040d387b03ec6b40ff162d3941f7814b1a692bc22
Instruction Fuzzy Hash: 8CF0AE31009790EECB2267B48405BDB7FD45F15331F04CA89F5FE52192C2756099DB31

Function 00B71DAD Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00B71DB2

Part of subcall function 00B7187C: __EH_prolog.LIBCMT ref: 00B71881

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 07fc4d4c4738ef119063c285833148dde2e822f5df0cd33de598e289a74ed82b
Instruction ID: 9fcc2be0efdca057980665a2d220b86c388d8baf9f80e800a2dc065d3eacc753
Opcode Fuzzy Hash: 07fc4d4c4738ef119063c285833148dde2e822f5df0cd33de598e289a74ed82b
Instruction Fuzzy Hash: 19F0DFB2D002488ECF50EFACD806AEEBBF0EB58300F0045BAD419E7202E7348604CBA1

Function 00B71DB2 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00B71DB2

Part of subcall function 00B7187C: __EH_prolog.LIBCMT ref: 00B71881

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: ef9742a724c3354562ded9886123954e7815d08fed9df62cc830c93c762edad9
Instruction ID: 8e7c9e3265724af7aefe6760fb15acde8db07c558ea5dbf22f4dd6ce38ccbb21
Opcode Fuzzy Hash: ef9742a724c3354562ded9886123954e7815d08fed9df62cc830c93c762edad9
Instruction Fuzzy Hash: 32F0F2B1C002488ECF40EFACD806BEEBBF0EB18300F0045BAD419E7202E7348604CBA1

Function 00B7F507 Relevance: 1.5, APIs: 1, Instructions: 21threadCOMMON

Download Yara Rule

APIs

SetThreadExecutionState.KERNEL32(00000001), ref: 00B7F53C

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: ExecutionStateThread
String ID:
API String ID: 2211380416-0
Opcode ID: 6a592d408515dfb0a2b9e3609b32e781daaf618e62764df5f8a1216cffb41b0c
Instruction ID: 94c37bf9fbb0451453683675a5682c4995d5c50006c9ab7eba91d30f578db9dc
Opcode Fuzzy Hash: 6a592d408515dfb0a2b9e3609b32e781daaf618e62764df5f8a1216cffb41b0c
Instruction Fuzzy Hash: 52D0C20161411155DA213B28680BBBD1AC68F87351F0840F5B408932A28B850947D2B2

Function 00B79420 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(000000FF,00B79352), ref: 00B7942C

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: eed7e93cebe5cb4c5365db083ff8c2ffaf5aa2840d4eedae475c8dc20bf99268
Instruction ID: 423a6d30aa5c9a9cdaec8b8974ca38e3615a9b0448870d5424089649c38bb4d1
Opcode Fuzzy Hash: eed7e93cebe5cb4c5365db083ff8c2ffaf5aa2840d4eedae475c8dc20bf99268
Instruction Fuzzy Hash: CED01230012140568E7116345D0A06666D1DB43366F68C6E4E17DC51A1CB22C843F501

Function 00B8B746 Relevance: 1.5, APIs: 1, Instructions: 13windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageW.USER32(0000006A,00000402,00000000,?,?), ref: 00B8B76B

Part of subcall function 00B891F2: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00B89203
Part of subcall function 00B891F2: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00B89214
Part of subcall function 00B891F2: TranslateMessage.USER32(?), ref: 00B8921E
Part of subcall function 00B891F2: DispatchMessageW.USER32(?), ref: 00B89228

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: Message$DispatchItemPeekSendTranslate
String ID:
API String ID: 4142818094-0
Opcode ID: ab6967e2c204fe233833ac87e170127bf6e1b4443d68e13ff9074d396ee18ad3
Instruction ID: 025a9200f82d4179ae3a1e37e1c9ecffec561835d42b69976eafae9d5dd429f7
Opcode Fuzzy Hash: ab6967e2c204fe233833ac87e170127bf6e1b4443d68e13ff9074d396ee18ad3
Instruction Fuzzy Hash: 61D09E75144200BADA113B51DE0BF1A7AE2BF99B04F404694B349340B1C6629D21DB12

Function 00B79870 Relevance: 1.5, APIs: 1, Instructions: 7fileCOMMON

Download Yara Rule

APIs

SetEndOfFile.KERNELBASE(?,00B78BD6,?,?,-00000954), ref: 00B79873

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: File
String ID:
API String ID: 749574446-0
Opcode ID: 9888150c70db5ea11398db35eff33125517bbf2c22e7510e6dd57ab27ecd8aa0
Instruction ID: 6382eaad45d82a05e0799662982edfea180f9d2d3c1a7db5515edfcd128bbd6c
Opcode Fuzzy Hash: 9888150c70db5ea11398db35eff33125517bbf2c22e7510e6dd57ab27ecd8aa0
Instruction Fuzzy Hash: 56B011300F000A8A8E203B30CC0A8203A20EB2230AB0082A0A00ACA0A0CF23C002AA00

Non-executed Functions

Function 00B89D3B Relevance: 49.3, APIs: 25, Strings: 3, Instructions: 289timewindowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00B712A6: GetDlgItem.USER32(00000000,00003021), ref: 00B712EA
Part of subcall function 00B712A6: SetWindowTextW.USER32(00000000,00BA0294), ref: 00B71300

SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 00B89DCC
EndDialog.USER32(?,00000006), ref: 00B89DDF
GetDlgItem.USER32(?,0000006C), ref: 00B89DFB
SetFocus.USER32(00000000), ref: 00B89E02
SetDlgItemTextW.USER32(?,00000065,?), ref: 00B89E42
SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 00B89E75
FindFirstFileW.KERNEL32(?,?), ref: 00B89E8B
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00B89EA9
FileTimeToSystemTime.KERNEL32(?,?), ref: 00B89EB9
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 00B89ED6
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 00B89EF4

Part of subcall function 00B7CD80: LoadStringW.USER32(?,?,00000200,?), ref: 00B7CDC5
Part of subcall function 00B7CD80: LoadStringW.USER32(?,?,00000200,?), ref: 00B7CDDB

_swprintf.LIBCMT ref: 00B89F24

Part of subcall function 00B73CD1: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00B73CE4

SetDlgItemTextW.USER32(?,0000006A,?), ref: 00B89F37
FindClose.KERNEL32(00000000), ref: 00B89F3A
_swprintf.LIBCMT ref: 00B89F95
SetDlgItemTextW.USER32(?,00000068,?), ref: 00B89FA8
SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 00B89FBE
FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 00B89FDE
FileTimeToSystemTime.KERNEL32(?,?), ref: 00B89FEE
GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 00B8A008
GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 00B8A020
_swprintf.LIBCMT ref: 00B8A051
SetDlgItemTextW.USER32(?,0000006B,?), ref: 00B8A064
_swprintf.LIBCMT ref: 00B8A0B4
SetDlgItemTextW.USER32(?,00000069,?), ref: 00B8A0C7

Part of subcall function 00B88C23: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00B88C49
Part of subcall function 00B88C23: GetNumberFormatW.KERNEL32(00000400,00000000,?,00BAA150,?,?), ref: 00B88C98

Strings

REPLACEFILEDLG, xrefs: 00B89D62
%s %s %s, xrefs: 00B89F12, 00B8A03E
%s %s, xrefs: 00B89F83, 00B8A0A6

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: ItemTime$File$Text$Format$_swprintf$MessageSend$DateFindLoadLocalStringSystem$CloseDialogFirstFocusInfoLocaleNumberWindow__vswprintf_c_l
String ID: %s %s$%s %s %s$REPLACEFILEDLG
API String ID: 3227067027-1840816070
Opcode ID: a7fabe3626d3585f3ae32f87d96ed589416f0c4a331f6aedf353098c09bed270
Instruction ID: cf15a4380883fdd9a51540bd392dc74903196c2ed71b9d2b94335b11bc1ab5a6
Opcode Fuzzy Hash: a7fabe3626d3585f3ae32f87d96ed589416f0c4a331f6aedf353098c09bed270
Instruction Fuzzy Hash: 7B919472244348BBE631ABA4CD4AFFB77ECEB4A704F044869B645D6091DB71A604C772

Function 00B76DD8 Relevance: 28.3, APIs: 12, Strings: 4, Instructions: 295fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00B76DDD
_wcslen.LIBCMT ref: 00B76E4B
_wcslen.LIBCMT ref: 00B76EBE
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,00000001), ref: 00B76F3D
CloseHandle.KERNEL32(00000000), ref: 00B76F4D

Part of subcall function 00B77790: GetCurrentProcess.KERNEL32(00000020,?), ref: 00B7779F
Part of subcall function 00B77790: GetLastError.KERNEL32 ref: 00B777E5
Part of subcall function 00B77790: CloseHandle.KERNEL32(?), ref: 00B777F4

CreateDirectoryW.KERNEL32(?,00000000,?,00000001), ref: 00B76F58
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 00B77066
DeviceIoControl.KERNEL32(00000000,000900A4,?,-00000008,00000000,00000000,?,00000000), ref: 00B77092
CloseHandle.KERNEL32(?), ref: 00B770A4
GetLastError.KERNEL32(00000014,00000000,?), ref: 00B770B4
RemoveDirectoryW.KERNEL32(?), ref: 00B770F5
DeleteFileW.KERNEL32(?), ref: 00B7711D

Strings

SeRestorePrivilege, xrefs: 00B76DFE
\??\, xrefs: 00B76E63
SeCreateSymbolicLinkPrivilege, xrefs: 00B76E08
UNC\, xrefs: 00B76E88

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: CloseCreateFileHandle$DirectoryErrorLast_wcslen$ControlCurrentDeleteDeviceH_prologProcessRemove
String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
API String ID: 1889552639-3508440684
Opcode ID: 93c5960df24debd15be09fb1a018046c68150d977c23aceba1a6b9bfd0e57950
Instruction ID: 765dfa3554c8dbd61181b623832d3b1c3b21b0e590306a34d2bb4c76b6990721
Opcode Fuzzy Hash: 93c5960df24debd15be09fb1a018046c68150d977c23aceba1a6b9bfd0e57950
Instruction Fuzzy Hash: 56B17171910218AADF21EF64CC46FEA77F8EF45300F0485E9F969E7241DB34AA45CBA1

Function 00B99C3E Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMONLIBRARYCODE

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00B99D84

Strings

1#QNAN, xrefs: 00B9AF8A
1#INF, xrefs: 00B9AF91
1#SNAN, xrefs: 00B9AF83
1#IND, xrefs: 00B9AF7C

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 0fdeb24da673ddd8095193c78ce6b0c52e39de2fa40bda30f6e0587fed5e144c
Instruction ID: 960f40e3fe351cc5b5e66d00ef42f2b742d66271ec467cfe33f6c7577c3776b7
Opcode Fuzzy Hash: 0fdeb24da673ddd8095193c78ce6b0c52e39de2fa40bda30f6e0587fed5e144c
Instruction Fuzzy Hash: 38C22871E086288FDF65CE289D807EAB7F5EB85305F1541EAD40DE7240E775AE818F81

Function 00B725F5 Relevance: 7.8, APIs: 3, Strings: 1, Instructions: 776COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00B725FE
_strlen.LIBCMT ref: 00B72B66
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00B72CA7

Strings

CMT, xrefs: 00B72CD5

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: H_prologUnothrow_t@std@@@__ehfuncinfo$??2@_strlen
String ID: CMT
API String ID: 3741668355-2756464174
Opcode ID: d84a74b9df88b6369d9d14bf7d92b5485aa270d25980b3c9e48a2300b782fc2e
Instruction ID: bd1950f728bcd13d1cc3da0a9c4b69b8d1b9fdbd76cfc7a28de3b07c51df879a
Opcode Fuzzy Hash: d84a74b9df88b6369d9d14bf7d92b5485aa270d25980b3c9e48a2300b782fc2e
Instruction Fuzzy Hash: 8B62A4716002849FDB19DF38C895BEA77E1EF54300F0885BEEDAE8B286D7719945CB50

Function 00B73058 Relevance: 7.6, APIs: 3, Strings: 1, Instructions: 559COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00B73061
_memcmp.LIBVCRUNTIME ref: 00B73123
_memcmp.LIBVCRUNTIME ref: 00B7341A

Strings

CMT, xrefs: 00B736B2

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: _memcmp$H_prolog
String ID: CMT
API String ID: 212800410-2756464174
Opcode ID: de7a479d67cfdf476a2672b1b63baa77996a4852fceb6250de67fe2df0f8f417
Instruction ID: 59b722efa99cdbc7926d0d44a0b00e5b080b2915878104fc6485824a0d48199d
Opcode Fuzzy Hash: de7a479d67cfdf476a2672b1b63baa77996a4852fceb6250de67fe2df0f8f417
Instruction Fuzzy Hash: 6B2294B15142849BDF18DF28C895FEA37E5EF14700F0884B9FD6E9B286D7709A48DB60

Function 00B9552C Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00B95624
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00B9562E
UnhandledExceptionFilter.KERNEL32(-00000311,?,?,?,?,?,00000000), ref: 00B9563B

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 212ba5e6e4f12c5f626fe5d940094925d05c1573c727d57a14a2742f974bd2f8
Instruction ID: 066a63896cc6f55123f4c8cc4215f3ce0a0db98e9b6127c40bdd16dc970c6e87
Opcode Fuzzy Hash: 212ba5e6e4f12c5f626fe5d940094925d05c1573c727d57a14a2742f974bd2f8
Instruction Fuzzy Hash: CB31A3759412189BCB21EF68D889BD9BBB4BF18310F5041EAE41CA72A0EB709B85CF45

Function 00B99790 Relevance: 3.5, APIs: 2, Instructions: 464COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c2cafb7d0179fca0dc76ba42366ff9ba0cff1ddef3592acb5223377cb4d6ba2
Instruction ID: 9a1f1aa82144c0306f85ba100be96e42c361849fe93c1f6f783aa99dde18d637
Opcode Fuzzy Hash: 2c2cafb7d0179fca0dc76ba42366ff9ba0cff1ddef3592acb5223377cb4d6ba2
Instruction Fuzzy Hash: EE020B71E002199BDF54CFADD8806ADBBF5EF88324F2581ADD919E7384D731A941CB90

Function 00B88C23 Relevance: 3.0, APIs: 2, Instructions: 46COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00B88C49
GetNumberFormatW.KERNEL32(00000400,00000000,?,00BAA150,?,?), ref: 00B88C98

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: FormatInfoLocaleNumber
String ID:
API String ID: 2169056816-0
Opcode ID: 814a67767d825c2521cc8c7a70a6ace4dcce8afe243dbad988c4ebc6bd417042
Instruction ID: 65465483466dab53f0abcd2dbb696c82ea6987ffd81cdcce4e75c8d56e43897b
Opcode Fuzzy Hash: 814a67767d825c2521cc8c7a70a6ace4dcce8afe243dbad988c4ebc6bd417042
Instruction Fuzzy Hash: DB011A36510208BAD710DFA4EC46F9B7BFCEF0A710F108466FA09E7261D771A925CBA5

Function 00B9E244 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00B9E23F,?,?,00000008,?,?,00B9DEDF,00000000), ref: 00B9E471

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 5c1b63aade881eb74ec27f598ff49d34de6159da38a404d33e48e2f6df6cc48c
Instruction ID: 827863240daeba10a2292f3c43c281c828bef7251f6d5310bec35ee5305dca77
Opcode Fuzzy Hash: 5c1b63aade881eb74ec27f598ff49d34de6159da38a404d33e48e2f6df6cc48c
Instruction Fuzzy Hash: 9BB13D31510609DFDB15CF28C48AB697BE0FF45364F2986A8E8A9CF3A1C335E991CB44

Function 00B73D3B Relevance: 1.6, Strings: 1, Instructions: 332COMMON

Download Yara Rule

Strings

gj, xrefs: 00B73D7E

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID:
String ID: gj
API String ID: 0-4203073231
Opcode ID: f753c6d98738af00ef9ad4458234b29911385bd382ab2aa6c705e3c5b1b0d637
Instruction ID: b1f784f518817537c0f092d58867581e22c18f204c990f2dace172fecac76399
Opcode Fuzzy Hash: f753c6d98738af00ef9ad4458234b29911385bd382ab2aa6c705e3c5b1b0d637
Instruction Fuzzy Hash: 50F1C1B2A083418FD748CF29D880A1AFBE1BFC8308F19896EF598D7711D634E9558B56

Function 00B7A5E3 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?), ref: 00B7A608

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: 1eba1cc977df4d4fe9a487761a9fb9f0e4503dc6bcf31621322b659fc22a476f
Instruction ID: 401dbf2ca7b3205c833349c77679debdee480ee8a5a4347d86f3cf670cbde6d9
Opcode Fuzzy Hash: 1eba1cc977df4d4fe9a487761a9fb9f0e4503dc6bcf31621322b659fc22a476f
Instruction Fuzzy Hash: ABF01DB490420C8BCB68DF18EC936E977E5E79A710F604295DA1983390DB719D85CE62

Function 00B8D303 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0001D30F,00B8CD54), ref: 00B8D308

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 2a7ca883f7aa7bdc11a09b19f93ce3d3dd4359a6d15e6810ef2e7fb6452a1a02
Instruction ID: 681b7bf1ff37b310afabec0da22d6fa4521d0d7ebbfe3d23ef9d671742de6e8b
Opcode Fuzzy Hash: 2a7ca883f7aa7bdc11a09b19f93ce3d3dd4359a6d15e6810ef2e7fb6452a1a02
Instruction Fuzzy Hash:

Function 00B98382 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00B98382

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: fefe86e993b713ad958a6abb75609e93e17c3a6e47fa50a2cc28a474f32e2339
Instruction ID: 46e58b798d90ee22f0a747695c58669d48c0a474c36c2874c3c4c3033b1599d9
Opcode Fuzzy Hash: fefe86e993b713ad958a6abb75609e93e17c3a6e47fa50a2cc28a474f32e2339
Instruction Fuzzy Hash: DFA012301011028B53004F315B092083698654638070040156000C6120DE2444046600

Function 00B84B09 Relevance: .8, Instructions: 800COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f57cee6a3f68f2ea44f517637ee78aa12ab0d29124def700172ccf505d64b50
Instruction ID: afc10eed2fcc35ed5b40f363e8dda28ede115092792116059f3f165d3dfad845
Opcode Fuzzy Hash: 2f57cee6a3f68f2ea44f517637ee78aa12ab0d29124def700172ccf505d64b50
Instruction Fuzzy Hash: F3621931604B859FCB29EF38C8906B9BBE1EF95304F0889ADD99B8B356D730E945C710

Function 00B85F46 Relevance: .8, Instructions: 773COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 646a614e24d9edccf22d0e6f7202ac8f24f57ae9bfccc6911069f75be2a98548
Instruction ID: 020d49f67bd7eea593b32962dccc25d4a6e4326ab1160d184be75a440544ca25
Opcode Fuzzy Hash: 646a614e24d9edccf22d0e6f7202ac8f24f57ae9bfccc6911069f75be2a98548
Instruction Fuzzy Hash: AB62457060478A9FC719EF28C8805B9FBE1FF55308F0486AED9AA87752D730E955CB81

Function 00B7DC8B Relevance: .7, Instructions: 694COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb00a5abd01d033ee68bdeca0c76caad9ad43990f1d126b925065b3382741e35
Instruction ID: 829a5277ead0904ff3c52da2aa71fde598f2f2d364c8afc90d152a95df6e8026
Opcode Fuzzy Hash: bb00a5abd01d033ee68bdeca0c76caad9ad43990f1d126b925065b3382741e35
Instruction Fuzzy Hash: FF5249B2A087019FC758CF18C891A6AF7E1FFC8304F49892DF59697255D734E919CB82

Function 00B8590D Relevance: .5, Instructions: 509COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 642a2eb9d46371431086cfb1af4ad4f45592854b3025634bafb0edc2474d9246
Instruction ID: d43860297cc0cb0a72391b368455930a36b5a2b620de19323d354ed98adb4901
Opcode Fuzzy Hash: 642a2eb9d46371431086cfb1af4ad4f45592854b3025634bafb0edc2474d9246
Instruction Fuzzy Hash: B312C3B1600B068FC738EF28C8D0AB9B7E1FB54308F14896DE997C7A91D774A895CB45

Function 00B7B686 Relevance: .4, Instructions: 449COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a937ffb8167a3bc83e52ba59db907e3c001931c4c0f47df396c2d1350b2b68c
Instruction ID: 440add7e5b856edf26140fc942387c6a418eb2599472debdd4b3c3a31a40287a
Opcode Fuzzy Hash: 6a937ffb8167a3bc83e52ba59db907e3c001931c4c0f47df396c2d1350b2b68c
Instruction Fuzzy Hash: E4F15671A083458FC718CF29C484A6ABBE2FFC9314F148AAEF5A997355D730E9058F52

Function 00B8EDD3 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 92660ea888bfbc4761823987432bcc186a8af2b3bd53e08e029b95658713e578
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: 91C17F322050934ADB6D6639C57403EBFE19AA27B131A1BEDD4F6CB1E9FE20C524D720

Function 00B8F208 Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: 3bc4f8049bcb8cefdf900057428882e09db11f5f9b0f80148451c8c87d135c6a
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: 31C151362051930ADF6D6639857403EBFE19AA27B131A17EED4F6CB1E9FE20C524D720

Function 00B8E99E Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction ID: 39b49d0261c5f3c83b3476aa0d564ae2ca80093c991ea2575aa8ba1837c9cd98
Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction Fuzzy Hash: 21C16F322091930ADB6D663A857403EBFE19AA27B131A17EDD4F7CB1E5FE20C564D720

Function 00B8E586 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: 958b6fbba84f3adaab61f1815fb658f52b31c22a9cf114e5f6306aea3a34f982
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: A7C180322050930ADF6D6639857403EBFE19AA27B131A1BEDD4F6CB1E5FE60D524D720

Function 00B7D22A Relevance: .3, Instructions: 318COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c5665097acd20256151c921c30662e59532a696cd5d58addabde8d45f97e848
Instruction ID: 52bb019b8d26ffe1a37dd8b0e894db970320f975f8abe63a9de045393fd60055
Opcode Fuzzy Hash: 2c5665097acd20256151c921c30662e59532a696cd5d58addabde8d45f97e848
Instruction Fuzzy Hash: A7E114755183848FC344CF29D89086FBBF0AF8A300F4549AEF9D997362C635EA15CB62

Function 00B8295B Relevance: .3, Instructions: 263COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acc86ef6530741bf12f030ffdbc9df68382067f2af2f4e8018943a469f09223c
Instruction ID: 8c192b590b75d9a24ec85f0d5a82b27fadaac02c0730f32d622c9f92627177c1
Opcode Fuzzy Hash: acc86ef6530741bf12f030ffdbc9df68382067f2af2f4e8018943a469f09223c
Instruction Fuzzy Hash: 229157B12047458BDB28FF68C8D1BBE73C5EF90300F5049ADEA9B87292EA74E505C752

Function 00B92308 Relevance: .2, Instructions: 237COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2de3448ec8d4ce43da569c41b599a0194a85f7e0faceec2f8a4eba3248b7119
Instruction ID: ca88de8b7dc083c29449dfeb3983b2befd8843bbda3ee6bfdc31872e479abe46
Opcode Fuzzy Hash: e2de3448ec8d4ce43da569c41b599a0194a85f7e0faceec2f8a4eba3248b7119
Instruction Fuzzy Hash: 50618B71E04709BADF349B288992BBE23D8EF11700F1444F9EA82DF391D659DD428369

Function 00B82C8C Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a61d5d9953e74e6cdb0c985f438739bb0da6a3f2832c33027433e3b352e928f4
Instruction ID: 5988cbec92ae812aef72373faaeea6c951430e76274b0b8a2bba9d1d09ec3696
Opcode Fuzzy Hash: a61d5d9953e74e6cdb0c985f438739bb0da6a3f2832c33027433e3b352e928f4
Instruction Fuzzy Hash: 54714D713043459BEB24FF28C8D0BBE37D1EBA1304F0049BDE9868B6A2DB749885C756

Function 00B7CE12 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baf34ac37983a97901c7efc9e024c99bbb6a4e50ba79d836059643b8e21fbdd4
Instruction ID: 2071aa0abf7ecfbdb89e80b99e88989b9a1402e1c8a75a3f2fea34cea2e71ec7
Opcode Fuzzy Hash: baf34ac37983a97901c7efc9e024c99bbb6a4e50ba79d836059643b8e21fbdd4
Instruction Fuzzy Hash: AE819EA211A2D49EC7065F7D38E11FA3FE18737241F1C85EAD4D9C72A3C87686A8C721

Function 00B7D828 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 142f9aa733a696a89d87cf7be154181c17fb7e513b482f132d628971e8a5f3b4
Instruction ID: e77b2b5c8af3db729f133806bb96db20004cd2629d1da0e9b4ae755dff3afe91
Opcode Fuzzy Hash: 142f9aa733a696a89d87cf7be154181c17fb7e513b482f132d628971e8a5f3b4
Instruction Fuzzy Hash: 7451BF3550C2914EC712DF29818056EBFF0EEDA364F4A88DEE5E95A212D130E689CB63

Function 00B7E8DD Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea7c87a74382d8d84588d431bdc4e18b8e5189a87ec0e316371a65e439a9cb0e
Instruction ID: a2ddda574389dc4ec26986882a8611c85a110ca6e535b860cc75e9997dfee5d0
Opcode Fuzzy Hash: ea7c87a74382d8d84588d431bdc4e18b8e5189a87ec0e316371a65e439a9cb0e
Instruction Fuzzy Hash: FC512471A083128FC748CF19D48059AF7E1FF88354F058A2EE899A7740DB34EA59CBD6

Function 00B826E0 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d076a1827b305f7e3beae0ec7141c057bfc4bf90f4aea6f352a5f2352c845c5
Instruction ID: 07e62b5bdc8576814e8a2add839478a1a830bdcee5339626f812042abff13ef0
Opcode Fuzzy Hash: 8d076a1827b305f7e3beae0ec7141c057bfc4bf90f4aea6f352a5f2352c845c5
Instruction Fuzzy Hash: B93103756047068FCB14EF29C85126EBBD0FB96700F40896DE89AD7741D634ED09CB92

Function 00B75C39 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 341edde6f00a0213392303534f53c4f6984cc9f2af2941549d0a4151e0e65aed
Instruction ID: 4a9a976a581597cd0af574e494c75ab89d03e5edb83be92ccb4244e897ced358
Opcode Fuzzy Hash: 341edde6f00a0213392303534f53c4f6984cc9f2af2941549d0a4151e0e65aed
Instruction Fuzzy Hash: 99213731A201214FCB58CF6DDCE183AB791E78B300B46C12BED568B2C1CA35ED20CBA0

Function 00B8A247 Relevance: 47.7, APIs: 23, Strings: 4, Instructions: 435windowfileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00B8A24C

Part of subcall function 00B88FC0: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 00B89088

SetFileAttributesW.KERNEL32(-00003C84,00000005,-00007C84,00000800,-0000FC8C,75C05540,?,00000000,00B892FD,?,00000003), ref: 00B8A381
_wcslen.LIBCMT ref: 00B8A3BC
_wcslen.LIBCMT ref: 00B8A3D0
_wcslen.LIBCMT ref: 00B8A3F5
GetFileAttributesW.KERNEL32(-00003C84), ref: 00B8A43B
DeleteFileW.KERNEL32(-00003C84), ref: 00B8A449
_wcslen.LIBCMT ref: 00B8A52B
_wcslen.LIBCMT ref: 00B8A534
SetWindowTextW.USER32(?,-00005C84), ref: 00B8A592
_wcslen.LIBCMT ref: 00B8A5D4
_wcsrchr.LIBVCRUNTIME ref: 00B8A712
GetDlgItem.USER32(?,00000066), ref: 00B8A752
SetWindowTextW.USER32(00000000,-0000103C), ref: 00B8A762
SendMessageW.USER32(00000000,00000143,00000000,00BC5808), ref: 00B8A776
SendMessageW.USER32(00000000,00000143,00000000,-0000103C), ref: 00B8A79F

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 00B8A638
%s.%d.tmp, xrefs: 00B8A461
ProgramFilesDir, xrefs: 00B8A663
<br>, xrefs: 00B8A4F5

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: _wcslen$File$AttributesMessageSendTextWindow$DeleteEnvironmentExpandH_prologItemStrings_wcsrchr
String ID: %s.%d.tmp$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
API String ID: 1808871598-312220925
Opcode ID: 670d70f2c0dc7776451658085f814bda185aa6fae447dd07ae0d8666f07349be
Instruction ID: eb46dfaedb8b7249ad67847a9eceef5875f47fcd04e370cbe2ca41f3134a021a
Opcode Fuzzy Hash: 670d70f2c0dc7776451658085f814bda185aa6fae447dd07ae0d8666f07349be
Instruction Fuzzy Hash: 02E14972900219AAEF25ABA4DD85DEE77FCEB04350F1044E7F509E30A1EE749B84DB61

Function 00B98E65 Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00B98EA9

Part of subcall function 00B98A44: _free.LIBCMT ref: 00B98A61
Part of subcall function 00B98A44: _free.LIBCMT ref: 00B98A73
Part of subcall function 00B98A44: _free.LIBCMT ref: 00B98A85
Part of subcall function 00B98A44: _free.LIBCMT ref: 00B98A97
Part of subcall function 00B98A44: _free.LIBCMT ref: 00B98AA9
Part of subcall function 00B98A44: _free.LIBCMT ref: 00B98ABB
Part of subcall function 00B98A44: _free.LIBCMT ref: 00B98ACD
Part of subcall function 00B98A44: _free.LIBCMT ref: 00B98ADF
Part of subcall function 00B98A44: _free.LIBCMT ref: 00B98AF1
Part of subcall function 00B98A44: _free.LIBCMT ref: 00B98B03
Part of subcall function 00B98A44: _free.LIBCMT ref: 00B98B15
Part of subcall function 00B98A44: _free.LIBCMT ref: 00B98B27
Part of subcall function 00B98A44: _free.LIBCMT ref: 00B98B39

_free.LIBCMT ref: 00B98E9E

Part of subcall function 00B9539B: RtlFreeHeap.NTDLL(00000000,00000000,?,00B98BD9,?,00000000,?,00000000,?,00B98C00,?,00000007,?,?,00B98FFD,?), ref: 00B953B1
Part of subcall function 00B9539B: GetLastError.KERNEL32(?,?,00B98BD9,?,00000000,?,00000000,?,00B98C00,?,00000007,?,?,00B98FFD,?,?), ref: 00B953C3

_free.LIBCMT ref: 00B98EC0
_free.LIBCMT ref: 00B98ED5
_free.LIBCMT ref: 00B98EE0
_free.LIBCMT ref: 00B98F02
_free.LIBCMT ref: 00B98F15
_free.LIBCMT ref: 00B98F23
_free.LIBCMT ref: 00B98F2E
_free.LIBCMT ref: 00B98F66
_free.LIBCMT ref: 00B98F6D
_free.LIBCMT ref: 00B98F8A
_free.LIBCMT ref: 00B98FA2

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: b79a6d0971d3f878f23f51fcdf8bfc5a5d6dc302c1f80c3979b526f130358afa
Instruction ID: fd6d630be6e78e3d3242d93d0c7673832d52c90099156902fdc055ec4a753f80
Opcode Fuzzy Hash: b79a6d0971d3f878f23f51fcdf8bfc5a5d6dc302c1f80c3979b526f130358afa
Instruction Fuzzy Hash: 8C313B7160CB049FEF31AA39D865B5A77E9EB02350F1548B9F44AD7152DF71AC80C724

Function 00B95BE8 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00B95BFC

Part of subcall function 00B9539B: RtlFreeHeap.NTDLL(00000000,00000000,?,00B98BD9,?,00000000,?,00000000,?,00B98C00,?,00000007,?,?,00B98FFD,?), ref: 00B953B1
Part of subcall function 00B9539B: GetLastError.KERNEL32(?,?,00B98BD9,?,00000000,?,00000000,?,00B98C00,?,00000007,?,?,00B98FFD,?,?), ref: 00B953C3

_free.LIBCMT ref: 00B95C08
_free.LIBCMT ref: 00B95C13
_free.LIBCMT ref: 00B95C1E
_free.LIBCMT ref: 00B95C29
_free.LIBCMT ref: 00B95C34
_free.LIBCMT ref: 00B95C3F
_free.LIBCMT ref: 00B95C4A
_free.LIBCMT ref: 00B95C55
_free.LIBCMT ref: 00B95C63

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: c1a03499f0b793348fbc44bbccbaa5053cc104179a97e63783b4e28d886c1258
Instruction ID: 9246c46bdac45652ce5d3a3a1b08dea1e213e81ba6b52d8f9be1718cbcd5812a
Opcode Fuzzy Hash: c1a03499f0b793348fbc44bbccbaa5053cc104179a97e63783b4e28d886c1258
Instruction Fuzzy Hash: 5911A7B614C908EFCF12EF54C9A6CDD3BA5EF08390B5145E1FA0A4B122DA71DE519B44

Function 00B8A8B8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 146COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000800,?), ref: 00B8A8CE

Part of subcall function 00B7AACD: _wcslen.LIBCMT ref: 00B7AAD3

_swprintf.LIBCMT ref: 00B8A900

Part of subcall function 00B73CD1: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00B73CE4

_swprintf.LIBCMT ref: 00B8A92D
GetFileAttributesW.KERNEL32(?), ref: 00B8A93C
SetDlgItemTextW.USER32(?,00000066,?), ref: 00B8A94F
_wcschr.LIBVCRUNTIME ref: 00B8A982
EndDialog.USER32(?,00000001), ref: 00B8AA58

Strings

%s%s%u, xrefs: 00B8A8F3, 00B8A91C

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: _swprintf$AttributesDialogFileItemPathTempText__vswprintf_c_l_wcschr_wcslen
String ID: %s%s%u
API String ID: 3334984662-1360425832
Opcode ID: 47a7ef7fe09a649380144660b630fa606e014cd1843f7e3551d6342c53d45239
Instruction ID: 530c9b2101aa9bf0e53750ab2356606f2d974f233f5fadb22fd306f0ce0bc1a6
Opcode Fuzzy Hash: 47a7ef7fe09a649380144660b630fa606e014cd1843f7e3551d6342c53d45239
Instruction Fuzzy Hash: 29513872900219AEEF25EB64CD85EEA77BCEB04310F1044E7E509E6061EF749B84DF61

Function 00B879EF Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 124memoryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00B87A14
_wcslen.LIBCMT ref: 00B87AB5
GlobalAlloc.KERNEL32(00000040,00000000,?,?,?,?,?,?,?,?,?,?,00B88214,?), ref: 00B87AC4
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,-00000003,00000000,00000000), ref: 00B87AE5

Strings

</html>, xrefs: 00B87A96
<head><meta http-equiv="content-type" content="text/html; charset=, xrefs: 00B87A3E
utf-8"></head>, xrefs: 00B87A49
<html>, xrefs: 00B87A33, 00B87A6C

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: _wcslen$AllocByteCharGlobalMultiWide
String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
API String ID: 1116704506-4209811716
Opcode ID: 9651debd4fc57dda18690c9f462490f99bfcae2a705c51b8ebafb158ecd13d25
Instruction ID: 397714e8225a7f62cab15d7a06b7863cdaebc2926a290e215dc58171dc0e7d16
Opcode Fuzzy Hash: 9651debd4fc57dda18690c9f462490f99bfcae2a705c51b8ebafb158ecd13d25
Instruction Fuzzy Hash: BF31FF365482027EE729BB24DC46EAFB7DCDF42764F2045AAF410A61E1EF70DA05C7A1

Function 00B8B0B4 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 82windowCOMMON

Download Yara Rule

APIs

GetWindow.USER32(?,00000005), ref: 00B8B0D5
GetClassNameW.USER32(00000000,?,00000800), ref: 00B8B104

Part of subcall function 00B806E6: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,?,000000FF,00B7A92C,?,?,?,00B7A8DB,?,-00000002,?,00000000,?), ref: 00B806FC

GetWindowLongW.USER32(00000000,000000F0), ref: 00B8B122
SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 00B8B139

Part of subcall function 00B8856F: GetDC.USER32(00000000), ref: 00B8857B
Part of subcall function 00B8856F: GetDeviceCaps.GDI32(00000000,0000005A), ref: 00B8858A
Part of subcall function 00B8856F: ReleaseDC.USER32(00000000,00000000), ref: 00B88598

Part of subcall function 00B8852C: GetDC.USER32(00000000), ref: 00B88538
Part of subcall function 00B8852C: GetDeviceCaps.GDI32(00000000,00000058), ref: 00B88547
Part of subcall function 00B8852C: ReleaseDC.USER32(00000000,00000000), ref: 00B88555

SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 00B8B173
DeleteObject.GDI32(00000000), ref: 00B8B182
GetWindow.USER32(00000000,00000002), ref: 00B8B18B

Strings

STATIC, xrefs: 00B8B10A

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: Window$CapsDeviceMessageReleaseSend$ClassCompareDeleteLongNameObjectString
String ID: STATIC
API String ID: 2770908980-1882779555
Opcode ID: 9264eb6bf67fea54c0afe5610fc532e3b7d1b3dd4526653e400c1a937c2b228d
Instruction ID: 89c1214c00983488d1fc55a89050bef7375fae882acc590dacd4cc083a3bce3b
Opcode Fuzzy Hash: 9264eb6bf67fea54c0afe5610fc532e3b7d1b3dd4526653e400c1a937c2b228d
Instruction Fuzzy Hash: 1721BE326502147BEB227B64CC4AFAF3AE9EF16741F404191F900BB0A1CF245D42CBB2

Function 00B8B1AA Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 172COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00B8B1C9
ShowWindow.USER32(?,00000000,?,?,?,?,?,?,?), ref: 00B8B328
GetExitCodeProcess.KERNEL32(?,?), ref: 00B8B356
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00B8B37A
ShowWindow.USER32(?,00000001,?,?,?,?,?,?,?), ref: 00B8B3DE

Strings

.inf, xrefs: 00B8B29F
.exe, xrefs: 00B8B384

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: ShowWindow$CloseCodeExitHandleProcess_wcslen
String ID: .exe$.inf
API String ID: 783751319-3750412487
Opcode ID: 990b4bddb2aea8fbea350b7c399998c98ab27fd18cbea6eb9a4561e2b79543ac
Instruction ID: 3e81b5e3a8c3f4196f1459611adc99929be55012af8daf568a2d6b84ed9a4389
Opcode Fuzzy Hash: 990b4bddb2aea8fbea350b7c399998c98ab27fd18cbea6eb9a4561e2b79543ac
Instruction Fuzzy Hash: 5B51E0715047809AD731BF74D941EAFBBE8EF86340F04499EE4C193171EBA19984C766

Function 00B78F33 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 137fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00B78F38
GetLongPathNameW.KERNEL32(?,?,00000800), ref: 00B78F5B
GetShortPathNameW.KERNEL32(?,?,00000800), ref: 00B78F7A

Part of subcall function 00B7B4F8: _wcslen.LIBCMT ref: 00B7B500

Part of subcall function 00B806E6: CompareStringW.KERNEL32(00000400,00001001,00000000,000000FF,?,000000FF,00B7A92C,?,?,?,00B7A8DB,?,-00000002,?,00000000,?), ref: 00B806FC

_swprintf.LIBCMT ref: 00B79016

Part of subcall function 00B73CD1: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00B73CE4

MoveFileW.KERNEL32(?,?), ref: 00B7908B
MoveFileW.KERNEL32(?,?), ref: 00B790C7

Strings

rtmp%d, xrefs: 00B78FFF

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf_wcslen
String ID: rtmp%d
API String ID: 3726343395-3303766350
Opcode ID: 567788ed68fdf59f8b2a227b1979defd8bca5b04a23ce0b83bab7fac4a77bf43
Instruction ID: 10660a613624260bc3ee5a9f8a0be3a470b693836a26056d01db6ccb4b25f721
Opcode Fuzzy Hash: 567788ed68fdf59f8b2a227b1979defd8bca5b04a23ce0b83bab7fac4a77bf43
Instruction Fuzzy Hash: 75416C75921269AADF20FB64CC89EEA73BDEF45780F04C0E5F529A3141EA309B45CB60

Function 00B89233 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 96windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B712A6: GetDlgItem.USER32(00000000,00003021), ref: 00B712EA
Part of subcall function 00B712A6: SetWindowTextW.USER32(00000000,00BA0294), ref: 00B71300

SendMessageW.USER32(?,00000080,00000001,?), ref: 00B892A3
SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 00B892B8
GetDlgItem.USER32(?,00000065), ref: 00B892C7
SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 00B892DB
SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 00B892ED
EndDialog.USER32(?,00000001), ref: 00B89337

Strings

LICENSEDLG, xrefs: 00B89247

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: MessageSend$Item$DialogTextWindow
String ID: LICENSEDLG
API String ID: 3077722735-2177901306
Opcode ID: 81c05eb728111b1b88eac8449221b0dca74449ec018da2280d9cc3c30ef5b400
Instruction ID: e02d13226ae57bae719918db15f0f504b3fe14d1d4d43e153da5fffa3dc3e605
Opcode Fuzzy Hash: 81c05eb728111b1b88eac8449221b0dca74449ec018da2280d9cc3c30ef5b400
Instruction Fuzzy Hash: 1721D032244209BBEA217F69EC4AFBB3BDDEB4A744F050451F201A30B0CF62A941D776

Function 00B878A0 Relevance: 12.1, APIs: 8, Instructions: 135windowCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00B878B9
GetTickCount.KERNEL32 ref: 00B878D7
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00B878ED
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00B87901
TranslateMessage.USER32(?), ref: 00B8790C
DispatchMessageW.USER32(?), ref: 00B87917
ShowWindow.USER32(?,00000005,?,00000000,?,?,?,?,00000000,00000000,00000000,<html>,00000006), ref: 00B879C7
SetWindowTextW.USER32(?,00000000), ref: 00B879D1

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: Message$CountTickWindow$DispatchPeekShowTextTranslate
String ID:
API String ID: 4150546248-0
Opcode ID: f8618814cba23768ad4905b66cf5f242b064da6b6f9f3401673f2d1627bf53ea
Instruction ID: 3826f5a9b1aa6835580a3a5da50468181b2715f4b9ef772a00bd19af7e409c43
Opcode Fuzzy Hash: f8618814cba23768ad4905b66cf5f242b064da6b6f9f3401673f2d1627bf53ea
Instruction Fuzzy Hash: A7413A71208306AFD714EF65D888E2BBBE9EF89708B10086DF546C7160DF31E849CB62

Function 00B7FA35 Relevance: 12.1, APIs: 8, Instructions: 120timeCOMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 00B7FA48

Part of subcall function 00B7A5E3: GetVersionExW.KERNEL32(?), ref: 00B7A608

FileTimeToLocalFileTime.KERNEL32(?,00000000,00000000,?,00000064,00000000,00000000,?,?), ref: 00B7FA71
FileTimeToSystemTime.KERNEL32(?,?,00000000,?,00000064,00000000,00000000,?,?), ref: 00B7FA83
SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00B7FA90
SystemTimeToFileTime.KERNEL32(?,?), ref: 00B7FAA6
SystemTimeToFileTime.KERNEL32(?,?), ref: 00B7FAB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00B7FAEF
__aullrem.LIBCMT ref: 00B7FB79

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
String ID:
API String ID: 1247370737-0
Opcode ID: c8715d9b843aa0a0a5603ce63aad228804aec9e65ae2281a60db1bdc671e04ca
Instruction ID: 363cc24e1074e341b04498fc86f8b56625c3444daaa43a9569c38d0c805fce13
Opcode Fuzzy Hash: c8715d9b843aa0a0a5603ce63aad228804aec9e65ae2281a60db1bdc671e04ca
Instruction Fuzzy Hash: BF412AB240830A9FC714DF65C880A6BF7F9FF88714F408A2EF59A92250E735E548DB65

Function 00B87ED1 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 163COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00B87EDE

Strings

</style>, xrefs: 00B88032
>, xrefs: 00B87F2C
</p>, xrefs: 00B87FCE
<style>, xrefs: 00B88015
<br>, xrefs: 00B87FE6

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: _wcslen
String ID: </p>$</style>$<br>$<style>$>
API String ID: 176396367-3568243669
Opcode ID: 9b5371e6732cf5ea2cb60a42516e0e3366e3d078a7d36020d619b0610879a673
Instruction ID: edd2b4570204bacd2e288e7c11920fdf5bd49ce25f1204d3c13655f220897c80
Opcode Fuzzy Hash: 9b5371e6732cf5ea2cb60a42516e0e3366e3d078a7d36020d619b0610879a673
Instruction Fuzzy Hash: 42415D1564839396CB30BF668851776B3E0EF61744F64049AFAC4571A0FFA5CC89C392

Function 00B9BEDD Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,00B9C652,?,00000000,?,00000000,00000000), ref: 00B9BF1F
__fassign.LIBCMT ref: 00B9BF9A
__fassign.LIBCMT ref: 00B9BFB5
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 00B9BFDB
WriteFile.KERNEL32(?,?,00000000,00B9C652,00000000,?,?,?,?,?,?,?,?,?,00B9C652,?), ref: 00B9BFFA
WriteFile.KERNEL32(?,?,00000001,00B9C652,00000000,?,?,?,?,?,?,?,?,?,00B9C652,?), ref: 00B9C033

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: ea897da47cd8ba9bd02b66d56e5c6c401c5220672eec40508b8b45850ec4e269
Instruction ID: 771447d7e86e3e42e2d23d7ca0ee6727616ee99b86e7dcae6d1d2b18efafd597
Opcode Fuzzy Hash: ea897da47cd8ba9bd02b66d56e5c6c401c5220672eec40508b8b45850ec4e269
Instruction Fuzzy Hash: 8F516171900249AFDF14CFA8DC85BEEBBF5EF09310F2445AAE555E72A1D7309941CB60

Function 00B7C56F Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 134COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00B7C5F5
_strlen.LIBCMT ref: 00B7C625
_swprintf.LIBCMT ref: 00B7C646
_wcschr.LIBVCRUNTIME ref: 00B7C66F
_wcsrchr.LIBVCRUNTIME ref: 00B7C6BB

Strings

%08x, xrefs: 00B7C63A

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: _strlen$_swprintf_wcschr_wcsrchr
String ID: %08x
API String ID: 1593746830-3682738293
Opcode ID: a138fdae961f9926577b8b042f7652964df35f8f20b534289dce4a9a4522abef
Instruction ID: 745a0d1a23478e6561dc0b0e5098c1748bda4b3017466c8bea6c4bc089a10ad8
Opcode Fuzzy Hash: a138fdae961f9926577b8b042f7652964df35f8f20b534289dce4a9a4522abef
Instruction Fuzzy Hash: 6A412933908300AAD730AA248C89FBB7BECDB45350F1045AEF96CE7192E731ED44C661

Function 00B7B36E Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 123COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00B7B3A5

Part of subcall function 00B7ECFF: _wcslen.LIBCMT ref: 00B7ED05

Part of subcall function 00B7AD74: _wcsrchr.LIBVCRUNTIME ref: 00B7AD8B

_wcslen.LIBCMT ref: 00B7B424

Strings

.rar, xrefs: 00B7B386
exe, xrefs: 00B7B3B6
rar, xrefs: 00B7B3D4
sfx, xrefs: 00B7B3C5

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: _wcslen$_wcsrchr
String ID: .rar$exe$rar$sfx
API String ID: 3513545583-630704357
Opcode ID: d06038b438f3b9f26d05036c04ba11909e2e7b7a22e0aa4e7cb894c9f9fa82b5
Instruction ID: cdd9bfa7cbbb5bf6f0e65a8aad7474d20a0022d07d4c50d6e0b8d761529e70f3
Opcode Fuzzy Hash: d06038b438f3b9f26d05036c04ba11909e2e7b7a22e0aa4e7cb894c9f9fa82b5
Instruction Fuzzy Hash: 0A31262240431199CA356F3098C2F3AA3F8DF517A4B20C8CEF8F9662C3E76099C1EB55

Function 00B880A6 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 97COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000000), ref: 00B880BF
GetWindowRect.USER32(?,?), ref: 00B880E4
ShowWindow.USER32(?,00000005,?), ref: 00B8817B
SetWindowTextW.USER32(?,00000000), ref: 00B88183
ShowWindow.USER32(00000000,00000005), ref: 00B88199

Strings

RarHtmlClassName, xrefs: 00B88145

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: Window$Show$RectText
String ID: RarHtmlClassName
API String ID: 3937224194-1658105358
Opcode ID: e4e693afa5cf1df8a96852e5eb47e9e6ecfad3af1242a9d88697f317df18533a
Instruction ID: c1430dee3e17560b68837896e51adc8b475a19f04c9ef56e5106cfcfeb8896cc
Opcode Fuzzy Hash: e4e693afa5cf1df8a96852e5eb47e9e6ecfad3af1242a9d88697f317df18533a
Instruction Fuzzy Hash: CE31A031104204AFD721AFA4DD8DB1B7FE8EF49711F404599F949AA162CF30D805CBB2

Function 00B98BE7 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00B98BAB: _free.LIBCMT ref: 00B98BD4

_free.LIBCMT ref: 00B98C35

Part of subcall function 00B9539B: RtlFreeHeap.NTDLL(00000000,00000000,?,00B98BD9,?,00000000,?,00000000,?,00B98C00,?,00000007,?,?,00B98FFD,?), ref: 00B953B1
Part of subcall function 00B9539B: GetLastError.KERNEL32(?,?,00B98BD9,?,00000000,?,00000000,?,00B98C00,?,00000007,?,?,00B98FFD,?,?), ref: 00B953C3

_free.LIBCMT ref: 00B98C40
_free.LIBCMT ref: 00B98C4B
_free.LIBCMT ref: 00B98C9F
_free.LIBCMT ref: 00B98CAA
_free.LIBCMT ref: 00B98CB5
_free.LIBCMT ref: 00B98CC0

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 0a69699327f5e84a00df05e308deb8057040ce51548e750906fe9a755bda1513
Instruction ID: d2029c1dba6df817d820f2a2e4fbbb8f95ca0bd824022cb1e5e958e04a9a58d4
Opcode Fuzzy Hash: 0a69699327f5e84a00df05e308deb8057040ce51548e750906fe9a755bda1513
Instruction Fuzzy Hash: E6113DB1588B04EADE31B7B0CC67FCB7BDC9F05700F850CB5B2AA66092DA6AB5054750

Function 00B90354 Relevance: 10.6, APIs: 7, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00B9034B,00B8DDA2), ref: 00B90362
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00B90370
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00B90389
SetLastError.KERNEL32(00000000,?,00B9034B,00B8DDA2), ref: 00B903DB

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 660610edb4baf53ef0c46d28445cc343c80239622db13aa8cdd3a1a464e0d47d
Instruction ID: dd7c4970951eb92e8848cc94550feec5c5fff06337d9a248eeab1ec109e039f5
Opcode Fuzzy Hash: 660610edb4baf53ef0c46d28445cc343c80239622db13aa8cdd3a1a464e0d47d
Instruction Fuzzy Hash: 9101243213D712AFAE643778BC8752637D4EB97770F2103B9F812621E1EF514C01A228

Function 00B8BFA5 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

Strings

ReleaseSRWLockExclusive, xrefs: 00B8BFE4
AcquireSRWLockExclusive, xrefs: 00B8BFD4
KERNEL32.DLL, xrefs: 00B8BFBF

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID:
String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
API String ID: 0-1718035505
Opcode ID: f75c9c360bc09cb184903d82f72309943de77046f0fe3f71755c0e2f554c4f70
Instruction ID: 8a681f97cba8c0ea8f34b5e2679bc59340cbaf9b04d74807684dae08e18b80a1
Opcode Fuzzy Hash: f75c9c360bc09cb184903d82f72309943de77046f0fe3f71755c0e2f554c4f70
Instruction Fuzzy Hash: 4501FFB22452229B4FB07E781CD1EA3A7C8DA063D171415FAE610C3230DF20C885EFA0

Function 00B7FC6C Relevance: 9.1, APIs: 6, Instructions: 97timeCOMMON

Download Yara Rule

APIs

SystemTimeToFileTime.KERNEL32(?,?), ref: 00B7FCCA

Part of subcall function 00B7A5E3: GetVersionExW.KERNEL32(?), ref: 00B7A608

LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00B7FCEC
FileTimeToSystemTime.KERNEL32(?,?), ref: 00B7FD06
TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 00B7FD17
SystemTimeToFileTime.KERNEL32(?,?), ref: 00B7FD27
SystemTimeToFileTime.KERNEL32(?,?), ref: 00B7FD33

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: Time$File$System$Local$SpecificVersion
String ID:
API String ID: 2092733347-0
Opcode ID: b7c27a57506175d8a6a6cd0c2f354172e3d6b34daddc9bc8d34567fbf770e170
Instruction ID: f0cd62a374ac459ced67f2ad9f49e5812300504edc2f804f2ef6c2fd9cdcd5cd
Opcode Fuzzy Hash: b7c27a57506175d8a6a6cd0c2f354172e3d6b34daddc9bc8d34567fbf770e170
Instruction Fuzzy Hash: 393107751083469BC704DFA4C8809ABB7E9FFD8704F04892EF9A9C3210EA30D509CB6A

Function 00B87D18 Relevance: 9.1, APIs: 6, Instructions: 86COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00B87D3C
_memcmp.LIBVCRUNTIME ref: 00B87D53

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: c7b290362e24a009b2886432c7f95daaf7a013f89c842fcb22d7d1d09b168ff1
Instruction ID: a882815c51a784cbe02e6272509c67ece06cb9a3e6611d8353b51ac3a74f3683
Opcode Fuzzy Hash: c7b290362e24a009b2886432c7f95daaf7a013f89c842fcb22d7d1d09b168ff1
Instruction Fuzzy Hash: 0E2190F164810AABD754BA14CC82E7B77ECAE5178CF2089B5FC049A222EA70DD45D7A0

Function 00B7F717 Relevance: 9.1, APIs: 6, Instructions: 57COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00B7F71C
EnterCriticalSection.KERNEL32(00BB1E64,00000000,?,?,00B7A4C5,?,00B7C3A0,?,00000000,?,00000001,?,?,00B83653,?,00008000), ref: 00B7F72A
new.LIBCMT ref: 00B7F74A
new.LIBCMT ref: 00B7F780
LeaveCriticalSection.KERNEL32(00BB1E64,?,00B7A4C5,?,00B7C3A0,?,00000000,?,00000001,?,?,00B83653,?,00008000,?), ref: 00B7F7A0
LeaveCriticalSection.KERNEL32(00BB1E64,?,00B7A4C5,?,00B7C3A0,?,00000000,?,00000001,?,?,00B83653,?,00008000,?), ref: 00B7F7AB

Part of subcall function 00B7F545: InitializeCriticalSection.KERNEL32(000001A0,00BB1E64,00000000,?,?,00B7F79D,00000020,?,00B7A4C5,?,00B7C3A0,?,00000000,?,00000001,?), ref: 00B7F57E
Part of subcall function 00B7F545: CreateSemaphoreW.KERNEL32(00000000,00000000,00000020,00000000,?,00B7A4C5,?,00B7C3A0,?,00000000,?,00000001,?,?,00B83653,?), ref: 00B7F588
Part of subcall function 00B7F545: CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,00B7A4C5,?,00B7C3A0,?,00000000,?,00000001,?,?,00B83653,?), ref: 00B7F598

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: CriticalSection$CreateLeave$EnterEventH_prologInitializeSemaphore
String ID:
API String ID: 3919453512-0
Opcode ID: a44d377598b46bbf43cc90b58d755711ca5e3bfb70faceccfd32283e18ec3abb
Instruction ID: 5d564ad23a9c41f7efc5cda2886e2540fa8ae3df109bc29f310f23c5f9755d8a
Opcode Fuzzy Hash: a44d377598b46bbf43cc90b58d755711ca5e3bfb70faceccfd32283e18ec3abb
Instruction Fuzzy Hash: 15119135A00212DBDB18AF68EC56AB976F4EB49750F0086AAF829D7290DFB08D008764

Function 00B95CDC Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00BACBD8,00B91E04,00BACBD8,?,?,00B919A3,?,?,00BACBD8), ref: 00B95CE0
_free.LIBCMT ref: 00B95D13
_free.LIBCMT ref: 00B95D3B
SetLastError.KERNEL32(00000000,?,00BACBD8), ref: 00B95D48
SetLastError.KERNEL32(00000000,?,00BACBD8), ref: 00B95D54
_abort.LIBCMT ref: 00B95D5A

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: c553b3c4aaf3b363d91bcfb8c5454e00bb9f97d6015fbec932f2759c1fabb6d5
Instruction ID: 0c6d686a4d000e7928d858b67b13e5aaba05ccd4ce177115ee84b004ef638671
Opcode Fuzzy Hash: c553b3c4aaf3b363d91bcfb8c5454e00bb9f97d6015fbec932f2759c1fabb6d5
Instruction Fuzzy Hash: 4EF0A4351D8E0576CE333B34AD1AF1A22E6DFC3761F3501B8F91597291EE2088425325

Function 00B7AF43 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00B7AF69

Strings

UNC, xrefs: 00B7AFDB
\\?\, xrefs: 00B7AF96, 00B7AFCD, 00B7B043, 00B7B09C

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: _wcslen
String ID: UNC$\\?\
API String ID: 176396367-253988292
Opcode ID: adab79377b6a44802d74785b4a6b1f4ad2b7f960e3d46e1268a26d3845e45bf6
Instruction ID: e39f864566df2c3b2ab2dbc9b85d84bbcfa287e8388ae52304ff8c9ea398668f
Opcode Fuzzy Hash: adab79377b6a44802d74785b4a6b1f4ad2b7f960e3d46e1268a26d3845e45bf6
Instruction Fuzzy Hash: 594145769002556ACF20BBA0CC42FAF73ECEF55750F0488E6F93997182E774DA819A61

Function 00B87C00 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 113COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00B87C09
_wcslen.LIBCMT ref: 00B87C3E

Strings

<style>body{font-family:"Arial";font-size:12;}</style>, xrefs: 00B87C32
 , xrefs: 00B87CD5
<br>, xrefs: 00B87C8D

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: _wcslen
String ID:  $<br>$<style>body{font-family:"Arial";font-size:12;}</style>
API String ID: 176396367-864536935
Opcode ID: da929b2fa508b16e140653912159735fa06178292c16cd05e31563d2222555bb
Instruction ID: c447b5a8aa2fd797c28e7ded30cc02ab6747a864f4c5f83d4ce201a4864f4205
Opcode Fuzzy Hash: da929b2fa508b16e140653912159735fa06178292c16cd05e31563d2222555bb
Instruction Fuzzy Hash: C8313B3268C301A9D624BB68EC42B7A73E4EB90728F30486FF451571E0FE60ED90D7A4

Function 00B7ADD8 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00B7ADFF

Part of subcall function 00B73CD1: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00B73CE4

_wcschr.LIBVCRUNTIME ref: 00B7AE1D
_wcschr.LIBVCRUNTIME ref: 00B7AE2D

Strings

%c:\, xrefs: 00B7ADF5

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: _wcschr$__vswprintf_c_l_swprintf
String ID: %c:\
API String ID: 525462905-3142399695
Opcode ID: d6eb847ebfbc5166ae9e4d8907afd2a4a0ca7434f82cec0c0c7f04888c534000
Instruction ID: a9cae280743cbd84bb54fba61930e9bbde603dde659656653bd04552820c18e2
Opcode Fuzzy Hash: d6eb847ebfbc5166ae9e4d8907afd2a4a0ca7434f82cec0c0c7f04888c534000
Instruction Fuzzy Hash: 5501F563504312B99F206B799C81D3FA7ECDED57A0770C8A6F868C6092FB20D850C2A2

Function 00B8B022 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

Part of subcall function 00B712A6: GetDlgItem.USER32(00000000,00003021), ref: 00B712EA
Part of subcall function 00B712A6: SetWindowTextW.USER32(00000000,00BA0294), ref: 00B71300

EndDialog.USER32(?,00000001), ref: 00B8B06D
GetDlgItemTextW.USER32(?,00000066,00000800), ref: 00B8B083
SetDlgItemTextW.USER32(?,00000065,?), ref: 00B8B09D
SetDlgItemTextW.USER32(?,00000066), ref: 00B8B0A8

Strings

RENAMEDLG, xrefs: 00B8B03A

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: RENAMEDLG
API String ID: 445417207-3299779563
Opcode ID: c84726dba10ab011d5aa84dfa9c35a7ed857dd844e41cd37d4bff0da63fd45bf
Instruction ID: b4bfcf34ac28656805bcdbc0aa71e097a3fed2f751a0493b5c74d050877bb53b
Opcode Fuzzy Hash: c84726dba10ab011d5aa84dfa9c35a7ed857dd844e41cd37d4bff0da63fd45bf
Instruction Fuzzy Hash: 2F01B132A44214BAD621AE78ED49F777BECE74AB41F10085AF251A70F0CB92A800D772

Function 00B944C9 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00B9447A,?,?,00B9441A,?,00BA7ED8,0000000C,00B94571,?,00000002), ref: 00B944E9
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00B944FC
FreeLibrary.KERNEL32(00000000,?,?,?,00B9447A,?,?,00B9441A,?,00BA7ED8,0000000C,00B94571,?,00000002,00000000), ref: 00B9451F

Strings

mscoree.dll, xrefs: 00B944E2
CorExitProcess, xrefs: 00B944F4

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: ce888f6d143615c35d494f42e92adce2641e417b472e8b73df08fc84145f1126
Instruction ID: a016807cb993a836e812c553e2ecffc5c18bad38fa9e37b8e7f06ade09bb09b0
Opcode Fuzzy Hash: ce888f6d143615c35d494f42e92adce2641e417b472e8b73df08fc84145f1126
Instruction Fuzzy Hash: D9F0447091420CBBCF15AFA4DC0AB9E7FF4EB46711F0140A5B805A3160DF709A45CB90

Function 00B7DAFB Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00B7EF1E: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00B7EF39
Part of subcall function 00B7EF1E: LoadLibraryW.KERNELBASE(?,?,00B7DB0E,Crypt32.dll,?,00B7DB90,?,00B7DB74,?,?,?,?), ref: 00B7EF5B

GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00B7DB1A
GetProcAddress.KERNEL32(00BB1E48,CryptUnprotectMemory), ref: 00B7DB2A

Strings

CryptProtectMemory, xrefs: 00B7DB14
CryptUnprotectMemory, xrefs: 00B7DB20
Crypt32.dll, xrefs: 00B7DB04

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: AddressProc$DirectoryLibraryLoadSystem
String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
API String ID: 2141747552-1753850145
Opcode ID: a58a9d349ebdd8c538ea1bdc09e4d62215704c42545f8988acf86077d447e4a3
Instruction ID: 24e6365ddf717f7069a92180ba2ba8f691ad23140b60b8130df11ebff12508ff
Opcode Fuzzy Hash: a58a9d349ebdd8c538ea1bdc09e4d62215704c42545f8988acf86077d447e4a3
Instruction Fuzzy Hash: 48E046B0968747AEDB50AB38A809B01FBE4BF66750F04C195F068D3660DBB4D0A88F50

Function 00B94CF9 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00B94D6B
_free.LIBCMT ref: 00B94D8B

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 21eaa1ac68428d9be62f2f2db772a3ffd354b98c0d6ec38a205bc1c1b6b98de0
Instruction ID: a60e94c107727e103df8338b6225ca0c90a7475c6f90e0b9e99580fd68ac9996
Opcode Fuzzy Hash: 21eaa1ac68428d9be62f2f2db772a3ffd354b98c0d6ec38a205bc1c1b6b98de0
Instruction Fuzzy Hash: 51419036A00600ABCF24DF78C881A5DB7F5EF8A710B1645F9E515EB391DB31AD02CB80

Function 00B95D60 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00B9581C,00B954B8,?,00B95D0A,00000001,00000364,?,00B919A3,?,?,00BACBD8), ref: 00B95D65
_free.LIBCMT ref: 00B95D9A
_free.LIBCMT ref: 00B95DC1
SetLastError.KERNEL32(00000000,?,00BACBD8), ref: 00B95DCE
SetLastError.KERNEL32(00000000,?,00BACBD8), ref: 00B95DD7

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: b92dcdc88ef108a3872370a013c7d0e72c738bbc892711573435f40ea29e0d25
Instruction ID: 9d0b4b6fdd7c3254e9294aa25b861904c11eef42a8135d1133e8740220d820be
Opcode Fuzzy Hash: b92dcdc88ef108a3872370a013c7d0e72c738bbc892711573435f40ea29e0d25
Instruction Fuzzy Hash: 1E01A2721C8E01768A332B356C9AE1A22D9DFC3761B2100B8F40693251FE608C019361

Function 00B98B42 Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00B98B5A

Part of subcall function 00B9539B: RtlFreeHeap.NTDLL(00000000,00000000,?,00B98BD9,?,00000000,?,00000000,?,00B98C00,?,00000007,?,?,00B98FFD,?), ref: 00B953B1
Part of subcall function 00B9539B: GetLastError.KERNEL32(?,?,00B98BD9,?,00000000,?,00000000,?,00B98C00,?,00000007,?,?,00B98FFD,?,?), ref: 00B953C3

_free.LIBCMT ref: 00B98B6C
_free.LIBCMT ref: 00B98B7E
_free.LIBCMT ref: 00B98B90
_free.LIBCMT ref: 00B98BA2

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 542b8f8824ada9be2c4f819ac1d2cbdc5f5925eeed6b0c76363162263f57322b
Instruction ID: a4a745adde0824d2bf417972279bcc071293dbb1ece33f083b179a2a25b4c08b
Opcode Fuzzy Hash: 542b8f8824ada9be2c4f819ac1d2cbdc5f5925eeed6b0c76363162263f57322b
Instruction Fuzzy Hash: 2EF012B254C700AB8E71EF58E892C1A73E9EA02B5179A08A5F009D7511CF79FC818778

Function 00B80708 Relevance: 7.5, APIs: 5, Instructions: 39COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00B80710
_wcslen.LIBCMT ref: 00B80721
_wcslen.LIBCMT ref: 00B80731
_wcslen.LIBCMT ref: 00B8073F
CompareStringW.KERNEL32(00000400,00001001,?,?,?,?,?,00000000,?,00B7A7BA,__rar_,00000000,00000006,?,?,00000000), ref: 00B8075A

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: _wcslen$CompareString
String ID:
API String ID: 3397213944-0
Opcode ID: a0314052a1bcf7efff4bee67a1c30a52c54f5ff391dacf2a8d422d9a1a7a21d8
Instruction ID: 66cda258d922881a2d2d7945c54eaaa4c15b57f2a4ba02d0712e6271ecaf9eb6
Opcode Fuzzy Hash: a0314052a1bcf7efff4bee67a1c30a52c54f5ff391dacf2a8d422d9a1a7a21d8
Instruction Fuzzy Hash: FCF09036004019BFCF523F54EC49CCE3F66EF817B0B108465F6196E0A1CE31A955EB80

Function 00B94F4B Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00B94F69

Part of subcall function 00B9539B: RtlFreeHeap.NTDLL(00000000,00000000,?,00B98BD9,?,00000000,?,00000000,?,00B98C00,?,00000007,?,?,00B98FFD,?), ref: 00B953B1
Part of subcall function 00B9539B: GetLastError.KERNEL32(?,?,00B98BD9,?,00000000,?,00000000,?,00B98C00,?,00000007,?,?,00B98FFD,?,?), ref: 00B953C3

_free.LIBCMT ref: 00B94F7B
_free.LIBCMT ref: 00B94F8E
_free.LIBCMT ref: 00B94F9F
_free.LIBCMT ref: 00B94FB0

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 4179dc5f38d011d4bbd467e0eb448a6c4bf7317d281bc17631cab665f3595edc
Instruction ID: 1f04598d795a8954c601c02bdf9432150c0d284d8673b500202a2f719465d47f
Opcode Fuzzy Hash: 4179dc5f38d011d4bbd467e0eb448a6c4bf7317d281bc17631cab665f3595edc
Instruction Fuzzy Hash: 0DF05EB084C621EBCB676F24FC66C193BE0F71975030201AAF01A9B2B2CF740802DBD9

Function 00B71FB7 Relevance: 7.5, APIs: 3, Strings: 1, Instructions: 456COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00B722E5

Strings

;%u, xrefs: 00B722D2

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: _swprintf
String ID: ;%u
API String ID: 589789837-535004727
Opcode ID: 9fd89312ba8d386f043f6ace8c2e0d5ddb793eb87aa63eb419b5408eb142e80f
Instruction ID: 2b4160b800e82518958ca39a561f17489eba9072ed21bc5ad37851bd36083ad0
Opcode Fuzzy Hash: 9fd89312ba8d386f043f6ace8c2e0d5ddb793eb87aa63eb419b5408eb142e80f
Instruction Fuzzy Hash: E4F1D7716043405ADB15EB288895FFA77E5AF90300F08C5F9FDAE9F283DB649948CB61

Function 00B945C4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\kbdgc.exe,00000104), ref: 00B94604
_free.LIBCMT ref: 00B946CF
_free.LIBCMT ref: 00B946D9

Strings

C:\Users\user\Desktop\kbdgc.exe, xrefs: 00B945FB, 00B94602, 00B94631, 00B94669

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\kbdgc.exe
API String ID: 2506810119-469509009
Opcode ID: 9e9463f5478f08326c01a00df5cf0eb9ed7d0e22c41751321ce930d91200eab7
Instruction ID: fe054725ea8087cdc4c6ed1038025ed52a2c1429c880494a58576d971a3b4007
Opcode Fuzzy Hash: 9e9463f5478f08326c01a00df5cf0eb9ed7d0e22c41751321ce930d91200eab7
Instruction Fuzzy Hash: 6F313EB1A44258BFDF21DF99D985D9EBBECEB8A710F1140FAF80497211DB704A42CB90

Function 00B8A0D8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

APIs

CharUpperW.USER32(?,?,?,?,00001000), ref: 00B8A130
CharUpperW.USER32(?,?,?,?,?,00001000), ref: 00B8A157

Strings

-, xrefs: 00B8A11E

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: CharUpper
String ID: -
API String ID: 9403516-2547889144
Opcode ID: 7b487d2a970a69b06dd502d635a3865506971f02755c64ef73c786f96858ed11
Instruction ID: cd4225f9081a335f5066f0759c408ea16adb8abf1b311da8d51fcbe1051491ee
Opcode Fuzzy Hash: 7b487d2a970a69b06dd502d635a3865506971f02755c64ef73c786f96858ed11
Instruction Fuzzy Hash: 5021D37144430666F321BA68884DB7B6AD9DB86341F04489BF994B21B1EAB4C948E363

Function 00B88A1E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 00B712A6: GetDlgItem.USER32(00000000,00003021), ref: 00B712EA
Part of subcall function 00B712A6: SetWindowTextW.USER32(00000000,00BA0294), ref: 00B71300

EndDialog.USER32(?,00000001), ref: 00B88AA6
GetDlgItemTextW.USER32(?,00000065,00000000,?), ref: 00B88ABB
SetDlgItemTextW.USER32(?,00000065,?), ref: 00B88AD0

Strings

ASKNEXTVOL, xrefs: 00B88A36

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: ASKNEXTVOL
API String ID: 445417207-3402441367
Opcode ID: e578a5f8394f411aca592e4488a7e5f54c5267184b07a7cb5ed0b7d376fe89df
Instruction ID: fc2140d15d2a8cb0e69eee2bb6fa062d40e3350a60a843dbdb18d9679cefbba4
Opcode Fuzzy Hash: e578a5f8394f411aca592e4488a7e5f54c5267184b07a7cb5ed0b7d376fe89df
Instruction Fuzzy Hash: A5119832240110BFD616AF68DD4AFA67BE9FB4A701F8444A2F201EB5F1CF71A901D765

Function 00B88F1A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 00B712A6: GetDlgItem.USER32(00000000,00003021), ref: 00B712EA
Part of subcall function 00B712A6: SetWindowTextW.USER32(00000000,00BA0294), ref: 00B71300

EndDialog.USER32(?,00000001), ref: 00B88F68
GetDlgItemTextW.USER32(?,00000065,?,00000080), ref: 00B88F80
SetDlgItemTextW.USER32(?,00000066,?), ref: 00B88FAE

Strings

GETPASSWORD1, xrefs: 00B88F33

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: ItemText$DialogWindow
String ID: GETPASSWORD1
API String ID: 445417207-3292211884
Opcode ID: 0cded6cfd01696b07c5b60306ff9c94453fcda84a97f5a30c86acd17ca350c87
Instruction ID: d627e1d56d8e8dd6f4fa2ddb64cccee1ae0f8eeffa9034cddd3b25d2b5531b9d
Opcode Fuzzy Hash: 0cded6cfd01696b07c5b60306ff9c94453fcda84a97f5a30c86acd17ca350c87
Instruction Fuzzy Hash: 8911C2329441187BDB21AA68DE49FBA77FDEB1A750F4008A1FA45E20A0CAA19940D771

Function 00B7F545 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(000001A0,00BB1E64,00000000,?,?,00B7F79D,00000020,?,00B7A4C5,?,00B7C3A0,?,00000000,?,00000001,?), ref: 00B7F57E
CreateSemaphoreW.KERNEL32(00000000,00000000,00000020,00000000,?,00B7A4C5,?,00B7C3A0,?,00000000,?,00000001,?,?,00B83653,?), ref: 00B7F588
CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,00B7A4C5,?,00B7C3A0,?,00000000,?,00000001,?,?,00B83653,?), ref: 00B7F598

Strings

Thread pool initialization failed., xrefs: 00B7F5B0

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: Create$CriticalEventInitializeSectionSemaphore
String ID: Thread pool initialization failed.
API String ID: 3340455307-2182114853
Opcode ID: a8ccc3fd7832ea084238d6e8d575a70debf990ad050a47fd1f2b98354aeaf72f
Instruction ID: 798567236b7c17fbc3c4860a33eed99470195f5c141fcc33699bf6732006df51
Opcode Fuzzy Hash: a8ccc3fd7832ea084238d6e8d575a70debf990ad050a47fd1f2b98354aeaf72f
Instruction Fuzzy Hash: D11130B1540705AFD3305F65D88AAA7FBECFB66755F10886EE2EE83240DB715840CB20

Function 00B8B6B6 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46COMMON

Download Yara Rule

Strings

REPLACEFILEDLG, xrefs: 00B8B6FB, 00B8B72D
RENAMEDLG, xrefs: 00B8B711

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID:
String ID: RENAMEDLG$REPLACEFILEDLG
API String ID: 0-56093855
Opcode ID: 86ddb2a4e07a836205e3aa4a5036018a9a9d1ccc670f18c5712a5be7f1eee127
Instruction ID: 067e39f165bd1164b6f38b0761cef060804a666496f77056c747b3f0bad0d6b0
Opcode Fuzzy Hash: 86ddb2a4e07a836205e3aa4a5036018a9a9d1ccc670f18c5712a5be7f1eee127
Instruction Fuzzy Hash: F601F276604305AFC711FB38EC80E2ABBD8E78A350F0149A6F501D3230DBB28C41DB61

Function 00B7CA86 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 41COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000), ref: 00B7CA95
FindResourceW.KERNEL32(00000000,RTL,00000005), ref: 00B7CAA4

Strings

LTR, xrefs: 00B7CAB4, 00B7CABF, 00B7CAC8
RTL, xrefs: 00B7CA9D, 00B7CAA2, 00B7CAD6

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: FindHandleModuleResource
String ID: LTR$RTL
API String ID: 3537982541-719208805
Opcode ID: eb396657092a98ac9c112033b49dd7b68da4bda26c4bf1966fb30e0dd35347de
Instruction ID: a1b2ffacb4913d013eb99f15af9eaaefad34009389de62f21f7370778a051762
Opcode Fuzzy Hash: eb396657092a98ac9c112033b49dd7b68da4bda26c4bf1966fb30e0dd35347de
Instruction Fuzzy Hash: DDF0F631A1835866D634A6745C0AF673BECE742B00F0046ADB509971C0DF91A40887E0

Function 00B95F0F Relevance: 6.3, APIs: 4, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00B95F9A
__alldvrm.LIBCMT ref: 00B9619B
__alldvrm.LIBCMT ref: 00B961BD

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: e87606991b07f75024143e5cd0ca27557d54b0088f95e94a6bd6839ed64b41d6
Instruction ID: c840ef25f13b8548e715b4aabae577e83a11717d276a8e9694d994ac37adfd8d
Opcode Fuzzy Hash: e87606991b07f75024143e5cd0ca27557d54b0088f95e94a6bd6839ed64b41d6
Instruction Fuzzy Hash: 4AA135729007969FEF26CF28C8D17AEBBE5EF11350F2441FEE585AB282C2388941C750

Function 00B98CCB Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,3EE85006,00B91F24,00000000,00000000,00B92752,?,00B92752,?,00000001,00B91F24,3EE85006,00000001,00B92752,00B92752), ref: 00B98D18
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00B98DA1
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00B98DB3
__freea.LIBCMT ref: 00B98DBC

Part of subcall function 00B953D5: RtlAllocateHeap.NTDLL(00000000,?,?,?,00B91B3A,?,0000015D,?,?,?,?,00B926B9,000000FF,00000000,?,?), ref: 00B95407

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 87bc8d5879f1d4751bd28f72f2e691a7d4482d840773e4c1f06d2267ee605e29
Instruction ID: 88bfceb02287c1945ff3d398298554fc6b05cf81f149eba1f2bec96345352d0d
Opcode Fuzzy Hash: 87bc8d5879f1d4751bd28f72f2e691a7d4482d840773e4c1f06d2267ee605e29
Instruction Fuzzy Hash: AA319872A0020AABDF259F64DC85EAE7BE5EF12310F0405BDFC14972A0EB359D50CBA0

Function 00B710B0 Relevance: 6.1, APIs: 4, Instructions: 93COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00B710D4
_wcslen.LIBCMT ref: 00B710E8
_wcslen.LIBCMT ref: 00B71108
_wcslen.LIBCMT ref: 00B7111F

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: _wcslen
String ID:
API String ID: 176396367-0
Opcode ID: bde42e06df32f66d33436717cdcf6fa8f5b79226ece1e4d16ea95ee51bbce5bb
Instruction ID: 6b360dc8cb7d678c4119377c3f6d3805d26e8ba317a5d159b528de3d1f90deb8
Opcode Fuzzy Hash: bde42e06df32f66d33436717cdcf6fa8f5b79226ece1e4d16ea95ee51bbce5bb
Instruction Fuzzy Hash: DD31C4719083519BC721AB6DC84699FBBE8EF85350F408C6DF988B3251DB30A904DBF6

Function 00B9075A Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00B90771

Part of subcall function 00B90DA9: ___AdjustPointer.LIBCMT ref: 00B90DF3

_UnwindNestedFrames.LIBCMT ref: 00B90788
___FrameUnwindToState.LIBVCRUNTIME ref: 00B9079A
CallCatchBlock.LIBVCRUNTIME ref: 00B907BE

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
String ID:
API String ID: 2633735394-0
Opcode ID: 4dc650116e7e5aae9092ca9527fd40b0513069fbce0eaaf75eb99d6c00b7aab7
Instruction ID: 424572755f55b4e21d65faa017a2917f643b2aed09a55f9cdc7c8dc03f02441a
Opcode Fuzzy Hash: 4dc650116e7e5aae9092ca9527fd40b0513069fbce0eaaf75eb99d6c00b7aab7
Instruction Fuzzy Hash: 71010532010109BFCF126F95CC81E9A3BBAEF58760F054165F91866121D336E861EFA0

Function 00B902A6 Relevance: 6.0, APIs: 4, Instructions: 14COMMON

Download Yara Rule

APIs

___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00B902A6
___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00B902AB
___vcrt_initialize_locks.LIBVCRUNTIME ref: 00B902B0

Part of subcall function 00B9135E: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 00B9136F

___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00B902C5

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
String ID:
API String ID: 1761009282-0
Opcode ID: 1077441b6670170e91f7c0696cdfb54392132abf0a68dcdefd542e0a52f98195
Instruction ID: 04fb14c3bd96d5b8222ec3662f2f7e8bd421fcec13096fa79da65cd7619625a4
Opcode Fuzzy Hash: 1077441b6670170e91f7c0696cdfb54392132abf0a68dcdefd542e0a52f98195
Instruction Fuzzy Hash: 82C04C0552D703AD1C113FB8224A1FD63D04CB3BC57A819F5E840179039916040A743B

Function 00B7A653 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 137COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00B7A691
_wcslen.LIBCMT ref: 00B7A77A

Strings

__rar_, xrefs: 00B7A7B0

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: _wcslen
String ID: __rar_
API String ID: 176396367-2561138058
Opcode ID: 6b64a92fb94213f445475335a74a252b8c59d2c0982cb6bf33cc0c989a2643a8
Instruction ID: 78a751c7b51fae2b905759fc2981e3f8f02754598034fbcfccf36c38a94a6866
Opcode Fuzzy Hash: 6b64a92fb94213f445475335a74a252b8c59d2c0982cb6bf33cc0c989a2643a8
Instruction Fuzzy Hash: C541F7724043456AD6B4BA648CC5DAF73ECDBD5740F0488AAF9BDE3052EA24DC44D673

Function 00B77319 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 126timeCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00B7731E

Part of subcall function 00B7ECFF: _wcslen.LIBCMT ref: 00B7ED05

SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00B7748C

Part of subcall function 00B79DC9: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00B79BFF,?,?,?,00B79A98,?,00000001,00000000,?,?), ref: 00B79DDD
Part of subcall function 00B79DC9: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00B79BFF,?,?,?,00B79A98,?,00000001,00000000,?,?), ref: 00B79E0E

Strings

:, xrefs: 00B77384

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: File$Attributes$H_prologTime_wcslen
String ID: :
API String ID: 3922717191-336475711
Opcode ID: 170c473b25cda0fc1f42c2de75baeb8762be6d1267ad0a4d39ebdfd1987d6901
Instruction ID: 0784f135e79685570e7f68e29b0744f637f80914f9cf94de498f37c0bcc549e5
Opcode Fuzzy Hash: 170c473b25cda0fc1f42c2de75baeb8762be6d1267ad0a4d39ebdfd1987d6901
Instruction Fuzzy Hash: E741B171844218AADB24EB60CC56EEE77FCEF05300F0080D5B62DA6182DB706F89DF61

Function 00B771BC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 80COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00B771C1

Part of subcall function 00B73867: __EH_prolog.LIBCMT ref: 00B7386C

Part of subcall function 00B77790: GetCurrentProcess.KERNEL32(00000020,?), ref: 00B7779F
Part of subcall function 00B77790: GetLastError.KERNEL32 ref: 00B777E5
Part of subcall function 00B77790: CloseHandle.KERNEL32(?), ref: 00B777F4

Strings

SeRestorePrivilege, xrefs: 00B7721A
SeSecurityPrivilege, xrefs: 00B77205

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: H_prolog$CloseCurrentErrorHandleLastProcess
String ID: SeRestorePrivilege$SeSecurityPrivilege
API String ID: 2432491591-639343689
Opcode ID: 3120e88772b3faf0af8409152d86b6e6fe8bfcf2347fca6ea6e5e13e4b420ed4
Instruction ID: 20b24cbc25532ccca4e23bd455ca48c016a4d0b4474cde9056907582d17fd0bc
Opcode Fuzzy Hash: 3120e88772b3faf0af8409152d86b6e6fe8bfcf2347fca6ea6e5e13e4b420ed4
Instruction Fuzzy Hash: 66217171944248AADF10EF649C03BEE7FF8EB46714F0480A6F56CA7152DB758944CBB1

Function 00B89118 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00B8916D
_wcslen.LIBCMT ref: 00B89188

Strings

}, xrefs: 00B89160

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: _wcslen
String ID: }
API String ID: 176396367-4239843852
Opcode ID: d9fc4d06fe9230a73ff71204ca7723f1735cfe3c08e37793f90d9b219fabbd0e
Instruction ID: 6efb5ec21f9376bf2c796fa23125dd868baeda25085182f890935738210c006c
Opcode Fuzzy Hash: d9fc4d06fe9230a73ff71204ca7723f1735cfe3c08e37793f90d9b219fabbd0e
Instruction Fuzzy Hash: 0D21A4226083176ADB21BB64D84DA7BB3DCDF41764F1408A9F940E3191EA61DD48C3A2

Function 00B87B37 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 76COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 00B87B44

Strings

about:blank, xrefs: 00B87BDC
Shell.Explorer, xrefs: 00B87B70

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID:
String ID: Shell.Explorer$about:blank
API String ID: 0-874089819
Opcode ID: f2d6143846f6ea6c95d51f7fe844827a42eef5964c895498fdfc09bba292a5f3
Instruction ID: 6dc539f7d8b1ec9ba637cfab14857317b88a2d96aa3cdc43299595cd02f2658c
Opcode Fuzzy Hash: f2d6143846f6ea6c95d51f7fe844827a42eef5964c895498fdfc09bba292a5f3
Instruction Fuzzy Hash: 57219271348706AFD704BF64C8A0E26B7EAFF45714B14869DB5058B661CF70EC00C7A0

Function 00B7DB7A Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00B7DAFB: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00B7DB1A
Part of subcall function 00B7DAFB: GetProcAddress.KERNEL32(00BB1E48,CryptUnprotectMemory), ref: 00B7DB2A

GetCurrentProcessId.KERNEL32(?,00000080,?,00B7DB74), ref: 00B7DBFB

Strings

CryptProtectMemory failed, xrefs: 00B7DBBB
CryptUnprotectMemory failed, xrefs: 00B7DBF3

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: AddressProc$CurrentProcess
String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
API String ID: 2190909847-396321323
Opcode ID: f441ea566e474889e591425a85c27afcb94995acc2f64cd960086a5e0071a540
Instruction ID: e2902dffabd740a2068db0da3435f14eb660ea8036a1f208240818d39b70d218
Opcode Fuzzy Hash: f441ea566e474889e591425a85c27afcb94995acc2f64cd960086a5e0071a540
Instruction Fuzzy Hash: 7E112B713046115BD7069B3CCC51B6A37E9EF85B90F04C0D9F529DB296EFA1DD418290

Function 00B712A6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 00B7CB15: GetWindowRect.USER32(?,?), ref: 00B7CB4C
Part of subcall function 00B7CB15: GetClientRect.USER32(?,?), ref: 00B7CB58
Part of subcall function 00B7CB15: GetWindowLongW.USER32(?,000000F0), ref: 00B7CBF9
Part of subcall function 00B7CB15: GetWindowRect.USER32(?,?), ref: 00B7CC26
Part of subcall function 00B7CB15: GetWindowTextW.USER32(?,?,00000400), ref: 00B7CC45

GetDlgItem.USER32(00000000,00003021), ref: 00B712EA
SetWindowTextW.USER32(00000000,00BA0294), ref: 00B71300

Strings

0, xrefs: 00B712A9

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: Window$Rect$Text$ClientItemLong
String ID: 0
API String ID: 660763476-4108050209
Opcode ID: 8d19556b58b933a26b7849fb07e97fa3f8b17bd046438f6ee87e4a64d258bdf5
Instruction ID: c5af86c4144f028b2e0795fbffbb730044999c5ddf18f268806795225e086741
Opcode Fuzzy Hash: 8d19556b58b933a26b7849fb07e97fa3f8b17bd046438f6ee87e4a64d258bdf5
Instruction Fuzzy Hash: DFF0693010474CBADF151F6C880AAE93BE9AB06349F05849AFC58914A2CB79C994EA74

Function 00B7F6DC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,00B7F920,?,?,00B7F995,?,?,?,?,?,00B7F97F), ref: 00B7F6E2
GetLastError.KERNEL32(?,?,00B7F995,?,?,?,?,?,00B7F97F), ref: 00B7F6EE

Part of subcall function 00B76B2C: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00B76B4A

Strings

WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00B7F6F7

Memory Dump Source

Source File: 00000000.00000002.1685827095.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.1685813848.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685852035.0000000000BA0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BAE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685868238.0000000000BC8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1685924546.0000000000BCA000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_kbdgc.jbxd

Similarity

API ID: ErrorLastObjectSingleWait__vswprintf_c_l
String ID: WaitForMultipleObjects error %d, GetLastError %d
API String ID: 1091760877-2248577382
Opcode ID: ec1fb8011304ddd996519e696f05e4a35ef16b75f030448057b1ac37e138596c
Instruction ID: f488e91884a6be575233b811b78b8302eba4dd95c3a0283fabc04dba745bb44f
Opcode Fuzzy Hash: ec1fb8011304ddd996519e696f05e4a35ef16b75f030448057b1ac37e138596c
Instruction Fuzzy Hash: 50D05E7295C4217AC6113B246C0BF6E7EC59B63372F648BA4F13AA62F1CF210D4246E5

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report kbdgc.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\Desktop\update\INSALEEXIST_TEMP.rpt

C:\Users\user\Desktop\update\INSALEEXIST_TMP.rpt

C:\Users\user\Desktop\update\Monsec_Thwx.rpt

C:\Users\user\Desktop\update\Monsec_sum.rpt

C:\Users\user\Desktop\update\Monsec_sumOne.rpt

C:\Users\user\Desktop\update\SaleDtl1.rpt

C:\Users\user\Desktop\update\SaleDtl2.rpt

C:\Users\user\Desktop\update\SaleDtl3.rpt

C:\Users\user\Desktop\update\SaleDtl_sum.rpt

C:\Users\user\Desktop\update\daybalprc_dtl.rpt

C:\Users\user\Desktop\update\daysale_dtl.rpt

C:\Users\user\Desktop\update\daysale_dtl2.rpt

C:\Users\user\Desktop\update\metalin.rpt

C:\Users\user\Desktop\update\metalout.rpt

C:\Users\user\Desktop\update\suppaymtl_total.rpt

C:\Users\user\Desktop\update\zjz_dtl.rpt

C:\Users\user\Desktop\update\zwei.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Windows Analysis Report
kbdgc.exe

Function 00B8B905 Relevance: 43.9, APIs: 20, Strings: 5, Instructions: 180
filecomwindowCOMMON

Function 00B79F76 Relevance: 7.6, APIs: 5, Instructions: 108
fileCOMMON

Function 00B8939B Relevance: 93.5, APIs: 45, Strings: 8, Instructions: 712
COMMON

Function 00B7EF68 Relevance: 52.8, APIs: 23, Strings: 7, Instructions: 314
libraryfileloaderCOMMON

Function 00B7CB15 Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 207
COMMON

Function 00B8AF10 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 96
windowCOMMON

Function 00B8C323 Relevance: 15.2, APIs: 10, Instructions: 158
libraryloaderCOMMON

Function 00B7C717 Relevance: 14.3, APIs: 4, Strings: 4, Instructions: 256
COMMON

Function 00B96D6B Relevance: 9.2, APIs: 6, Instructions: 216
COMMONLIBRARYCODE

Function 00B98287 Relevance: 7.6, APIs: 5, Instructions: 68
COMMON

Function 00B7F5E6 Relevance: 7.5, APIs: 5, Instructions: 44
COMMON

Function 00B888F1 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 36
COMMON

Function 00B8B5D9 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 32
COMMON

Function 00B8895F Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 23
comCOMMON

Function 00B79C30 Relevance: 6.1, APIs: 4, Instructions: 127
filetimeCOMMON