Edit tour

Windows Analysis Report
SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe

Overview

General Information

Sample name:	SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe
Analysis ID:	1467950
MD5:	0e570d20533d55b18cd26885fdb6a5a6
SHA1:	924fc50d17bac3b46eee68a00ec2b7c2b08ebe19
SHA256:	914fb029425c442aaaa942e74f57b48c9c3d0366232e9d57d5661e4a52c0bc14
Tags:	exe
Infos:

Detection

Score:	29
Range:	0 - 100
Whitelisted:	false
Confidence:	20%

Signatures

Contains functionality to detect sleep reduction / modifications

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to detect sandboxes (mouse cursor move detection)

Contains functionality to dynamically determine API calls

Contains functionality to modify clipboard data

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

May check if the current machine is a sandbox (GetTickCount - Sleep)

Program does not show much activity (idle)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe (PID: 2308 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe" MD5: 0E570D20533D55B18CD26885FDB6A5A6)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe.400000.0.unpack	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source:

Binary string: .PDBU source: SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe, 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Code function: 0_2_004095D4 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,	0_2_004095D4
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Code function: 0_2_004096B0 FindFirstFileA,GetLastError,	0_2_004096B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Code function: 0_2_00405D5C GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,	0_2_00405D5C

Source: SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe, 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://nitton.pl/tomseditor/index.php
Source: SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe, 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://tomseditor.com/blog/Projector.exe
Source: SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe, SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe, 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://tomseditor.com/blog/viewer
Source: SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe, 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://tomseditor.com/blog/viewer_update.php?v=
Source: SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe, 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://tomseditor.com/blog/vieweropen
Source: SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe, 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://tomseditor.com/blog/vieweropenS
Source: SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe, 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://tomseditor.com/blog/vieweropenSV
Source: SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe, 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://tomseditor.com/blog/youtube_thumb.php?url=

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe

Code function: 0_2_004320D0 OpenClipboard,GlobalAlloc,GlobalFix,EmptyClipboard,SetClipboardData,GlobalUnWire,

0_2_004320D0

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Code function: 0_2_004320D0 OpenClipboard,GlobalAlloc,GlobalFix,EmptyClipboard,SetClipboardData,GlobalUnWire,	0_2_004320D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Code function: 0_2_00436080 SetClipboardData,SetClipboardData,	0_2_00436080
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Code function: 0_2_004361A4 SetClipboardData,	0_2_004361A4
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Code function: 0_2_00435FFC SetClipboardData,SetClipboardData,	0_2_00435FFC

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe

Code function: 0_2_00436150 GetClipboardData,

0_2_00436150

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe

Code function: 0_2_00446708 GetKeyboardState,KiUserCallbackDispatcher,

0_2_00446708

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Code function: 0_2_00449684 NtdllDefWindowProc_A,GetCapture,KiUserCallbackDispatcher,	0_2_00449684
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Code function: 0_2_00463DC0 NtdllDefWindowProc_A,	0_2_00463DC0
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Code function: 0_2_00464568 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,	0_2_00464568
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Code function: 0_2_00464618 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,	0_2_00464618
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Code function: 0_2_0043504C NtdllDefWindowProc_A,	0_2_0043504C
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Code function: 0_2_004590EC GetSubMenu,SaveDC,RestoreDC,SaveDC,RestoreDC,NtdllDefWindowProc_A,	0_2_004590EC

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Code function: 0_2_0049A010	0_2_0049A010
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Code function: 0_2_004CE0A4	0_2_004CE0A4
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Code function: 0_2_004CA1B4	0_2_004CA1B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Code function: 0_2_004A4248	0_2_004A4248
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Code function: 0_2_004E22D0	0_2_004E22D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Code function: 0_2_0045E2B8	0_2_0045E2B8
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Code function: 0_2_004B83EC	0_2_004B83EC
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Code function: 0_2_004DA40C	0_2_004DA40C
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Code function: 0_2_004A44FC	0_2_004A44FC
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Code function: 0_2_004AC49C	0_2_004AC49C
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Code function: 0_2_004C659C	0_2_004C659C
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Code function: 0_2_004E07A8	0_2_004E07A8
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Code function: 0_2_0046E87C	0_2_0046E87C
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Code function: 0_2_004E6978	0_2_004E6978
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Code function: 0_2_0040E930	0_2_0040E930
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Code function: 0_2_004CC990	0_2_004CC990
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Code function: 0_2_004DAAF4	0_2_004DAAF4
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Code function: 0_2_00498D38	0_2_00498D38
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Code function: 0_2_004C8DDC	0_2_004C8DDC
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Code function: 0_2_0048EDA4	0_2_0048EDA4
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Code function: 0_2_0048ADBC	0_2_0048ADBC
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Code function: 0_2_004ACEF8	0_2_004ACEF8
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Code function: 0_2_0048AEF4	0_2_0048AEF4
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Code function: 0_2_004D0F40	0_2_004D0F40
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Code function: 0_2_004CEF68	0_2_004CEF68
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Code function: 0_2_004EAFE8	0_2_004EAFE8
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Code function: 0_2_004590EC	0_2_004590EC
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Code function: 0_2_004F1088	0_2_004F1088
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Code function: 0_2_004D91D0	0_2_004D91D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Code function: 0_2_00467270	0_2_00467270
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Code function: 0_2_004DB344	0_2_004DB344
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Code function: 0_2_004AD420	0_2_004AD420
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Code function: 0_2_00473430	0_2_00473430
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Code function: 0_2_004E5694	0_2_004E5694
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Code function: 0_2_004F7760	0_2_004F7760
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Code function: 0_2_004F17D4	0_2_004F17D4
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Code function: 0_2_004B99D4	0_2_004B99D4
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Code function: 0_2_004A1A50	0_2_004A1A50
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Code function: 0_2_00493A18	0_2_00493A18
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Code function: 0_2_00473D64	0_2_00473D64
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Code function: 0_2_004A3DB8	0_2_004A3DB8
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Code function: 0_2_004C7EBC	0_2_004C7EBC
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Code function: 0_2_004D3F28	0_2_004D3F28
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Code function: 0_2_004DDFC8	0_2_004DDFC8
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Code function: 0_2_00493FB8	0_2_00493FB8

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Code function: String function: 00404740 appears 47 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Code function: String function: 00404B4C appears 33 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Code function: String function: 00406DA4 appears 61 times

Source: SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe

Static PE information: Section: UPX1 ZLIB complexity 0.9981084408967391

Source: classification engine

Classification label: sus29.evad.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe

Code function: 0_2_0048CC3C GetLastError,FormatMessageA,

0_2_0048CC3C

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe

Code function: 0_2_00409996 GetDiskFreeSpaceA,

0_2_00409996

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe

Code function: 0_2_0041A3B0 FindResourceA,

0_2_0041A3B0

Source: Yara match	File source: 0.2.SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe

Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Section loaded: wintypes.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source:

Binary string: .PDBU source: SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe, 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe

Code function: 0_2_00450608 SetErrorMode,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetErrorMode,

0_2_00450608

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Code function: 0_2_00450C54 push 00450CE1h; ret	0_2_00450CD9
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Code function: 0_2_0046A05C push 0046A088h; ret	0_2_0046A080
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Code function: 0_2_004E407C push 004E41D5h; ret	0_2_004E41CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Code function: 0_2_0048807C push 004880A8h; ret	0_2_004880A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Code function: 0_2_00430078 push 004300A4h; ret	0_2_0043009C
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Code function: 0_2_00486018 push ecx; mov dword ptr [esp], ecx	0_2_0048601C
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Code function: 0_2_00430018 push 00430044h; ret	0_2_0043003C
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Code function: 0_2_0042E020 push 0042E04Ch; ret	0_2_0042E044
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Code function: 0_2_004D60E4 push 004D61E1h; ret	0_2_004D61D9
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Code function: 0_2_004300E8 push 00430114h; ret	0_2_0043010C
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Code function: 0_2_004DC090 push 004DC2B5h; ret	0_2_004DC2AD
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Code function: 0_2_004D80A4 push 004D8150h; ret	0_2_004D8148
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Code function: 0_2_004300B0 push 004300DCh; ret	0_2_004300D4
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Code function: 0_2_004E80B4 push 004E81B6h; ret	0_2_004E81AE
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Code function: 0_2_004660B8 push 00466112h; ret	0_2_0046610A
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Code function: 0_2_004D8158 push 004D820Dh; ret	0_2_004D8205
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Code function: 0_2_00430120 push 0043014Ch; ret	0_2_00430144
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Code function: 0_2_00416138 push 00416164h; ret	0_2_0041615C
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Code function: 0_2_004E81C0 push 004E82C2h; ret	0_2_004E82BA
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Code function: 0_2_004701E4 push 0047021Ch; ret	0_2_00470214
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Code function: 0_2_004301E4 push 00430210h; ret	0_2_00430208
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Code function: 0_2_00430194 push 004301C0h; ret	0_2_004301B8
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Code function: 0_2_004841B4 push 004841E0h; ret	0_2_004841D8
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Code function: 0_2_004D8218 push 004D831Ah; ret	0_2_004D8312
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Code function: 0_2_0043021C push 00430248h; ret	0_2_00430240
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Code function: 0_2_004E82CC push 004E83CEh; ret	0_2_004E83C6
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Code function: 0_2_0046A2E0 push 0046A30Ch; ret	0_2_0046A304
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Code function: 0_2_004E02F4 push 004E03F9h; ret	0_2_004E03F1
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Code function: 0_2_00416288 push ecx; mov dword ptr [esp], ecx	0_2_0041628B
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Code function: 0_2_004162A8 push ecx; mov dword ptr [esp], ecx	0_2_004162AB
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Code function: 0_2_0046A2A8 push 0046A2D4h; ret	0_2_0046A2CC

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Code function: 0_2_00460E70 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,	0_2_00460E70
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Code function: 0_2_00463E48 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,	0_2_00463E48
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Code function: 0_2_00464568 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,	0_2_00464568
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Code function: 0_2_00464618 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,	0_2_00464618
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Code function: 0_2_0042CA48 MonitorFromWindow,MonitorFromWindow,IsIconic,GetWindowPlacement,GetWindowRect,	0_2_0042CA48
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Code function: 0_2_0044ADA8 IsIconic,GetCapture,	0_2_0044ADA8
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Code function: 0_2_0044B65C IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,	0_2_0044B65C
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Code function: 0_2_0044BF80 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,	0_2_0044BF80

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe

0_2_00450608

Malware Analysis System Evasion

Contains functionality to detect sleep reduction / modifications

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe

Code function: 0_2_0043FC20

0_2_0043FC20

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe

Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject,

0_2_004633B8

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe

API coverage: 6.3 %

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe

Code function: 0_2_0043FC20

0_2_0043FC20

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Code function: 0_2_004095D4 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,	0_2_004095D4
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Code function: 0_2_004096B0 FindFirstFileA,GetLastError,	0_2_004096B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Code function: 0_2_00405D5C GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,	0_2_00405D5C

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe

Code function: 0_2_004261D8 GetSystemInfo,

0_2_004261D8

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe

0_2_00450608

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe

Code function: 0_2_004662E4 cpuid

0_2_004662E4

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	0_2_00405F14
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Code function: GetLocaleInfoA,	0_2_0040C44C
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Code function: GetLocaleInfoA,	0_2_0040C498
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Code function: GetLocaleInfoA,	0_2_0040680A
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Code function: GetLocaleInfoA,	0_2_0040680C
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	Code function: GetLocaleInfoA,GetACP,	0_2_0040DB1C

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe

Code function: 0_2_0040ADE8 GetLocalTime,

0_2_0040ADE8

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe

Code function: 0_2_00406DEA GetTimeZoneInformation,

0_2_00406DEA

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe

Code function: 0_2_00450C54 GetVersion,

0_2_00450C54

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Virtualization/Sandbox Evasion	11 Input Capture	2 System Time Discovery	Remote Services	11 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Deobfuscate/Decode Files or Information	LSASS Memory	12 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	21 Obfuscated Files or Information	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	3 Clipboard Data	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Software Packing	NTDS	11 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	25 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	10%	ReversingLabs
SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe	6%	Virustotal		Browse

Source	Detection	Scanner	Label	Link
http://tomseditor.com/blog/viewer_update.php?v=	0%	Avira URL Cloud	safe
http://nitton.pl/tomseditor/index.php	0%	Avira URL Cloud	safe
http://tomseditor.com/blog/youtube_thumb.php?url=	0%	Avira URL Cloud	safe
http://tomseditor.com/blog/Projector.exe	0%	Avira URL Cloud	safe
http://tomseditor.com/blog/vieweropen	0%	Avira URL Cloud	safe
http://tomseditor.com/blog/viewer	0%	Avira URL Cloud	safe
http://tomseditor.com/blog/vieweropenS	0%	Avira URL Cloud	safe
http://tomseditor.com/blog/vieweropenSV	0%	Avira URL Cloud	safe
http://nitton.pl/tomseditor/index.php	2%	Virustotal		Browse
http://tomseditor.com/blog/viewer_update.php?v=	0%	Virustotal		Browse
http://tomseditor.com/blog/youtube_thumb.php?url=	0%	Virustotal		Browse
http://tomseditor.com/blog/Projector.exe	1%	Virustotal		Browse
http://tomseditor.com/blog/viewer	0%	Virustotal		Browse

Name	Source	Malicious	Antivirus Detection	Reputation
http://tomseditor.com/blog/Projector.exe	SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe, 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tomseditor.com/blog/youtube_thumb.php?url=	SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe, 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tomseditor.com/blog/vieweropen	SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe, 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://tomseditor.com/blog/viewer_update.php?v=	SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe, 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://nitton.pl/tomseditor/index.php	SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe, 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tomseditor.com/blog/viewer	SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe, SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe, 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tomseditor.com/blog/vieweropenS	SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe, 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://tomseditor.com/blog/vieweropenSV	SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe, 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1467950
Start date and time:	2024-07-05 06:19:09 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 31s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe
Detection:	SUS
Classification:	sus29.evad.winEXE@1/0@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 79% Number of executed functions: 41 Number of non-executed functions: 188
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Entropy (8bit):	7.939005315015433
TrID:	Win32 Executable (generic) a (10002005/4) 99.63% UPX compressed Win32 Executable (30571/9) 0.30% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02%
File name:	SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe
File size:	528'384 bytes
MD5:	0e570d20533d55b18cd26885fdb6a5a6
SHA1:	924fc50d17bac3b46eee68a00ec2b7c2b08ebe19
SHA256:	914fb029425c442aaaa942e74f57b48c9c3d0366232e9d57d5661e4a52c0bc14
SHA512:	b542c0a23cf0cac27fec2a5a9d531092ca7fe50a6dd99b07024e0c69a27ad7d4bd9fda18b597da6cb974ddc49383c8bee2d1ca2d4ea2fe5810cb61736ef7f2e2
SSDEEP:	12288:687p5KzT1d4ZpLvIJWoKj5YhW26zSTLwMgJToSN:Te7sLvIJ/OPz0gJn
TLSH:	A4B423A5FE4558AFF629D3304336C1A7E23091FE70B68293FE2B2DB85D469310A57C19
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	a4868c93a2c6b0a6

Static PE Info

General

Entrypoint:	0x5a4430
Entrypoint Section:	UPX1
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:
Time Stamp:	0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	5464b33a39ace45edc996bc813b37593

Entrypoint Preview

Instruction
pushad
mov esi, 00532000h
lea edi, dword ptr [esi-00131000h]
mov dword ptr [edi+001320A0h], 785C75D4h
push edi
mov ebp, esp
lea ebx, dword ptr [esp-00003E80h]
xor eax, eax
push eax
cmp esp, ebx
jne 00007FFBED453B5Dh
inc esi
inc esi
push ebx
push 001A2071h
push edi
add ebx, 04h
push ebx
push 0007242Dh
push esi
add ebx, 04h
push ebx
push eax
mov dword ptr [ebx], 00000003h
push ebp
push edi
push esi
push ebx
sub esp, 7Ch
mov edx, dword ptr [esp+00000090h]
mov dword ptr [esp+74h], 00000000h
mov byte ptr [esp+73h], 00000000h
mov ebp, dword ptr [esp+0000009Ch]
lea eax, dword ptr [edx+04h]
mov dword ptr [esp+78h], eax
mov eax, 00000001h
movzx ecx, byte ptr [edx+02h]
mov ebx, eax
shl ebx, cl
mov ecx, ebx
dec ecx
mov dword ptr [esp+6Ch], ecx
movzx ecx, byte ptr [edx+01h]
shl eax, cl
dec eax
mov dword ptr [esp+68h], eax
mov eax, dword ptr [esp+000000A8h]
movzx esi, byte ptr [edx]
mov dword ptr [ebp+00h], 00000000h
mov dword ptr [esp+60h], 00000000h
mov dword ptr [eax], 00000000h
mov eax, 00000300h
mov dword ptr [esp+64h], esi
mov dword ptr [esp+5Ch], 00000001h
mov dword ptr [esp+58h], 00000001h
mov dword ptr [esp+00h], 00000000h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1b290c	0x298	.rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1a5000	0xd90c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x1a4fd4	0x18	UPX1
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
UPX0	0x1000	0x131000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX1	0x132000	0x73000	0x73000	5aec3db22c4a646068783b276f4053ef	False	0.9981084408967391	data	7.999398234549258	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x1a5000	0xe000	0xdc00	3698998e4db4dbe208259de1f591b52d	False	0.6517755681818181	data	6.590884033711403	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0x17af0c	0x134	data			1.0357142857142858
RT_CURSOR	0x17b040	0x134	data			1.0357142857142858
RT_CURSOR	0x17b174	0x134	data			1.0357142857142858
RT_CURSOR	0x17b2a8	0x134	data			1.0357142857142858
RT_CURSOR	0x17b3dc	0x134	data			1.0357142857142858
RT_CURSOR	0x17b510	0x134	data			1.0357142857142858
RT_CURSOR	0x17b644	0x134	data			1.0357142857142858
RT_BITMAP	0x17b778	0x1d0	data			1.0237068965517242
RT_BITMAP	0x17b948	0x1e4	data			1.0227272727272727
RT_BITMAP	0x17bb2c	0x1d0	OpenPGP Secret Key			1.0237068965517242
RT_BITMAP	0x17bcfc	0x1d0	data			1.0237068965517242
RT_BITMAP	0x17becc	0x1d0	data			1.0237068965517242
RT_BITMAP	0x17c09c	0x1d0	data			1.0237068965517242
RT_BITMAP	0x17c26c	0x1d0	data			1.0237068965517242
RT_BITMAP	0x17c43c	0x1d0	data			1.0237068965517242
RT_BITMAP	0x17c60c	0x1d0	data			1.0237068965517242
RT_BITMAP	0x17c7dc	0x1d0	data			1.0237068965517242
RT_BITMAP	0x17c9ac	0xe8	data			1.0474137931034482
RT_ICON	0x1a5f10	0x4204	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	Polish	Poland	0.9797041420118343
RT_ICON	0x1aa118	0x1628	Device independent bitmap graphic, 64 x 128 x 8, image size 0	Polish	Poland	0.34643864598025387
RT_ICON	0x1ab744	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Polish	Poland	0.4069829424307036
RT_ICON	0x1ac5f0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Polish	Poland	0.421028880866426
RT_ICON	0x1ace9c	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	United States	0.3603411513859275
RT_ICON	0x1add48	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	United States	0.37274368231046934
RT_ICON	0x1ae5f4	0x1628	Device independent bitmap graphic, 64 x 128 x 8, image size 0	English	United States	0.26533850493653033
RT_ICON	0x1afc20	0x2c64	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9656810982048575
RT_DIALOG	0x1893ec	0x52	data			1.1341463414634145
RT_STRING	0x189440	0xe4	data			1.0482456140350878
RT_STRING	0x189524	0x364	data			1.012672811059908
RT_STRING	0x189888	0x3e4	data			1.0110441767068272
RT_STRING	0x189c6c	0x3e4	data			1.0110441767068272
RT_STRING	0x18a050	0x340	data			1.0132211538461537
RT_STRING	0x18a390	0x324	data			1.013681592039801
RT_STRING	0x18a6b4	0x3d0	data			1.0112704918032787
RT_STRING	0x18aa84	0x258	data			1.0183333333333333
RT_STRING	0x18acdc	0x3e0	data			1.0110887096774193
RT_STRING	0x18b0bc	0x2a0	data			1.0163690476190477
RT_STRING	0x18b35c	0x25c	data			1.0182119205298013
RT_STRING	0x18b5b8	0x474	data			1.0096491228070175
RT_STRING	0x18ba2c	0x3a4	OpenPGP Public Key			1.011802575107296
RT_STRING	0x18bdd0	0x1e4	data			1.0227272727272727
RT_STRING	0x18bfb4	0x1a4	data			1.026190476190476
RT_STRING	0x18c158	0x11c	data			1.0387323943661972
RT_STRING	0x18c274	0x458	data			1.0098920863309353
RT_STRING	0x18c6cc	0xe8	OpenPGP Secret Key			1.0474137931034482
RT_STRING	0x18c7b4	0xf8	data			1.0443548387096775
RT_STRING	0x18c8ac	0x1a8	data			1.025943396226415
RT_STRING	0x18ca54	0x398	data			1.0119565217391304
RT_STRING	0x18cdec	0x408	data			1.0106589147286822
RT_STRING	0x18d1f4	0x350	data			1.0129716981132075
RT_STRING	0x18d544	0x394	data			1.012008733624454
RT_STRING	0x18d8d8	0x430	data			1.0102611940298507
RT_STRING	0x18dd08	0xf4	data			1.0450819672131149
RT_STRING	0x18ddfc	0xc4	data			1.0561224489795917
RT_STRING	0x18dec0	0x2c0	data			1.015625
RT_STRING	0x18e180	0x408	data			1.0106589147286822
RT_STRING	0x18e588	0x330	data			1.0134803921568627
RT_STRING	0x18e8b8	0x314	data			1.013959390862944
RT_RCDATA	0x18ebcc	0x10	OpenPGP Public Key			1.5625
RT_RCDATA	0x18ebdc	0x8d8	data			1.0048586572438163
RT_RCDATA	0x18f4b4	0x114ec	data			1.000437284884049
RT_GROUP_CURSOR	0x1a09a0	0x14	Non-ISO extended-ASCII text, with no line terminators			1.45
RT_GROUP_CURSOR	0x1a09b4	0x14	data			1.45
RT_GROUP_CURSOR	0x1a09c8	0x14	data			1.4
RT_GROUP_CURSOR	0x1a09dc	0x14	data			1.4
RT_GROUP_CURSOR	0x1a09f0	0x14	data			1.45
RT_GROUP_CURSOR	0x1a0a04	0x14	data			1.45
RT_GROUP_CURSOR	0x1a0a18	0x14	data			1.45
RT_GROUP_ICON	0x1b2888	0x3e	data	Polish	Poland	0.8548387096774194
RT_GROUP_ICON	0x1b28cc	0x3e	data	English	United States	0.8548387096774194

Imports

DLL	Import
advapi32.dll	RegCloseKey
comctl32.dll	ImageList_Add
comdlg32.dll	PrintDlgA
gdi32.dll	SaveDC
KERNEL32.DLL	LoadLibraryA, ExitProcess, GetProcAddress, VirtualProtect
oleaut32.dll	VariantCopy
shell32.dll	DragFinish
user32.dll	GetDC
version.dll	VerQueryValueA
winmm.dll	timeGetTime
winspool.drv	OpenPrinterA

Possible Origin

Language of compilation system	Country where language is spoken	Map
Polish	Poland
English	United States

Target ID:	0
Start time:	00:19:59
Start date:	05/07/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe"
Imagebase:	0x400000
File size:	528'384 bytes
MD5 hash:	0E570D20533D55B18CD26885FDB6A5A6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	20.2%
Total number of Nodes:	985
Total number of Limit Nodes:	57

Executed Functions

Function 00405F14 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 184
registrystringlibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 00405F30
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00405F4E
RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00405F6C
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 00405F8A
RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000005,00000000,00406019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00405FD3
RegQueryValueExA.ADVAPI32(?,00406180,00000000,00000000,00000000,00000005,?,?,00000000,00000000,00000000,00000005,00000000,00406019,?,80000001), ref: 00405FF1
RegCloseKey.ADVAPI32(?,00406020,00000000,00000000,00000005,00000000,00406019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00406013
lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 00406030
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 0040603D
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 00406043
lstrlen.KERNEL32(00000000), ref: 0040606E
lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000), ref: 004060B5
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 004060C5
lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000), ref: 004060ED
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 004060FD
lstrcpyn.KERNEL32(00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 00406123
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000105,00000000,00000000,00000002,00000000,00000000,00000105,00000000), ref: 00406133

Strings

Software\Borland\Locales, xrefs: 00405F44, 00405F62
Software\Borland\Delphi\Locales, xrefs: 00405F80
., xrefs: 00406080

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
String ID: .$Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 1759228003-3917250287
Opcode ID: dd3ca194a324f209d7dea3dec0006bfe6f1c7d5031058af567cc3c9e6805f411
Instruction ID: b1afeb856dea951c15522c0bd6632b498ddf59a7d963552d90492bf9f60f008d
Opcode Fuzzy Hash: dd3ca194a324f209d7dea3dec0006bfe6f1c7d5031058af567cc3c9e6805f411
Instruction Fuzzy Hash: 5851A375A4021D7EFB21D6A48C46FEF7BAC9B04748F0100B7BA45F65C2DA7C9E448B68

Function 00463E48 Relevance: 26.7, APIs: 13, Strings: 2, Instructions: 401
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

RegisterAutomation, xrefs: 0046424C
vcltest3.dll, xrefs: 0046422B

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: RegisterAutomation$vcltest3.dll
API String ID: 0-2963190186
Opcode ID: 8f404a40ef8f317abbc70a23dba416e64577a72a97c24de321e735cd85c35eb2
Instruction ID: 583fc690577ecc690f831f8c4da13c89a5322495d62f871de0d8bc76e7124e11
Opcode Fuzzy Hash: 8f404a40ef8f317abbc70a23dba416e64577a72a97c24de321e735cd85c35eb2
Instruction Fuzzy Hash: 96E16170A04144DFDF50DB5DC58AB5EB7F0AF85314F1581A6E404AB352EB38EE41DB2A

Function 00460E70 Relevance: 18.4, APIs: 12, Instructions: 407
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SendMessageA.USER32(?,00000223,00000000,00000000), ref: 004611F1

Part of subcall function 004067B4: LoadStringA.USER32(00000000,00010000,?,00000400), ref: 004067E5

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: LoadMessageSendString
String ID:
API String ID: 1946433856-0
Opcode ID: 70cd7535d70ffc1023bb0bf2c57a55cb16a6320174523d7629c2def00a05633e
Instruction ID: d2447ad7c812cef7f355c5b8bf30f00bc73ed9e532e524666dd8404afffa1251
Opcode Fuzzy Hash: 70cd7535d70ffc1023bb0bf2c57a55cb16a6320174523d7629c2def00a05633e
Instruction Fuzzy Hash: 3CF17234A04244EFEB00DBA9D9C5F9E77F4AB09304F1941A6E900D73A2E779EE40DB59

Function 004095D4 Relevance: 6.0, APIs: 4, Instructions: 37timefileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?), ref: 004095EF
FindClose.KERNEL32(00000000,00000000,?), ref: 004095FA
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00409613
FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 00409624

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: FileTime$Find$CloseDateFirstLocal
String ID:
API String ID: 2659516521-0
Opcode ID: 5be38ce4b54c9a34e2958bb37c5fa5d9521124c6ff4203c68b476d3a50e74fb5
Instruction ID: 8829e51eb595bbc14318a1cce09de129dbd2a7f851757a938066c81d4e645bb0
Opcode Fuzzy Hash: 5be38ce4b54c9a34e2958bb37c5fa5d9521124c6ff4203c68b476d3a50e74fb5
Instruction Fuzzy Hash: BBF012B2D0420C66DF10EBE58C85ACFB3AC9B08324F5146B7B559F32D2EA399F184B54

Function 00449684 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

GetCapture.USER32 ref: 004497A8

Strings

, xrefs: 004496FA

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Capture
String ID:
API String ID: 1145282425-3916222277
Opcode ID: 923e18214c8a00657f3384c6cd91179b72a0ac4cca02a0797efb9b6f60dbaafa
Instruction ID: cb7705ff0e372e502065e7eede82b890e9e884c0f9faa5684a2c3a519fb1f795
Opcode Fuzzy Hash: 923e18214c8a00657f3384c6cd91179b72a0ac4cca02a0797efb9b6f60dbaafa
Instruction Fuzzy Hash: 3831A171314201CBFB20AF3D8C8561B62919B81368F18866FB956C7B92DA3CDC09E74A

Function 00450C54 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(00000000,00450CDA), ref: 00450C6E

Part of subcall function 00450A04: GetCurrentProcessId.KERNEL32(?,00000000,00450B7C), ref: 00450A25
Part of subcall function 00450A04: GlobalAddAtomA.KERNEL32(00000000), ref: 00450A58
Part of subcall function 00450A04: GetCurrentThreadId.KERNEL32 ref: 00450A73
Part of subcall function 00450A04: GlobalAddAtomA.KERNEL32(00000000), ref: 00450AA9
Part of subcall function 00450A04: RegisterClipboardFormatA.USER32(00000000), ref: 00450ABF
Part of subcall function 00450A04: GetModuleHandleA.KERNEL32(USER32,00000000,00000000,?,?,00000000,00450B7C), ref: 00450B43
Part of subcall function 00450A04: GetProcAddress.KERNEL32(00000000,AnimateWindow), ref: 00450B54

Strings

0E, xrefs: 00450CB2
@ E, xrefs: 00450CA2

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: AtomCurrentGlobal$AddressClipboardFormatHandleModuleProcProcessRegisterThreadVersion
String ID: 0E$@ E
API String ID: 3775504709-3581582047
Opcode ID: f390beba46c0616a9bf84ffa27f236f24164c37965f54d0df47ea80dd5a6168b
Instruction ID: 92a494f15840cef22032a464db4778cee468f94faf7da8154a49d67c0d7d4e45
Opcode Fuzzy Hash: f390beba46c0616a9bf84ffa27f236f24164c37965f54d0df47ea80dd5a6168b
Instruction Fuzzy Hash: 9AF0313E2053408FC206EB25EE524557B64E74B3053A5053AED0043722CA799CBADA5E

Function 00446708 Relevance: 3.1, APIs: 2, Instructions: 129COMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 0044683D
KiUserCallbackDispatcher.NTDLL ref: 00446890

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: CallbackDispatcherKeyboardStateUser
String ID:
API String ID: 4281813569-0
Opcode ID: de6d012313b055398c831f40440e0fc7152c65810dec6393d35254adb44e0ad1
Instruction ID: 42d197ca61cba4adaacafbe77ce246ea256eb65a32fa0df192794913ce4d8160
Opcode Fuzzy Hash: de6d012313b055398c831f40440e0fc7152c65810dec6393d35254adb44e0ad1
Instruction Fuzzy Hash: 0741C130A006158BEB24EF69C4887AAB7F0EF46708F1641A7D404DB395C778ED49CB9B

Function 0041A3B0 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(?,00000000,0000000A), ref: 0041A3D2

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: FindResource
String ID:
API String ID: 1635176832-0
Opcode ID: de5499a6d0b4f7f7c416ee5ddefc97f75eba42f1ab41bb3e74b3356c65b91d08
Instruction ID: dcf4e022dc56ef2fa69b9cfc6607b2b11ab906fdb91ed97384872058890c6208
Opcode Fuzzy Hash: de5499a6d0b4f7f7c416ee5ddefc97f75eba42f1ab41bb3e74b3356c65b91d08
Instruction Fuzzy Hash: 0D01F7B13053006FE300DF2AFC82E6AB7EDDB89718711407BF90497381DA79AC119629

Function 004261D8 Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(?), ref: 004261E8

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: e37eea4d624e4a15b4d87b1903d7472f96202aa565e9f47abd2a345879c0eba4
Instruction ID: 96d9e19c0cec0c59c8ab45d6da492939af4a61e81fc83928871648adb39060ba
Opcode Fuzzy Hash: e37eea4d624e4a15b4d87b1903d7472f96202aa565e9f47abd2a345879c0eba4
Instruction Fuzzy Hash: 04F09671F05119DFCB10EF99D48889DBBB4FB5630179242DAD404E7342EF34A554CB95

Function 00463DC0 Relevance: 1.5, APIs: 1, Instructions: 24nativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 00463DEA

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: NtdllProc_Window
String ID:
API String ID: 4255912815-0
Opcode ID: 51379d74e1d7d2546c9bb4836826d0445103396eed893cc688ab5cf76951b134
Instruction ID: c6e738f43c88711b7573282911cb01791f22a857cf2755f83a1c042f090b1e49
Opcode Fuzzy Hash: 51379d74e1d7d2546c9bb4836826d0445103396eed893cc688ab5cf76951b134
Instruction Fuzzy Hash: 7DF0C579605608AFCB40DF9DC588D8AFBE8BB4C260B058195BD88CB321C234FD80CF90

Function 00450A04 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 103
registrylibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32(?,00000000,00450B7C), ref: 00450A25
GlobalAddAtomA.KERNEL32(00000000), ref: 00450A58
GetCurrentThreadId.KERNEL32 ref: 00450A73
GlobalAddAtomA.KERNEL32(00000000), ref: 00450AA9
RegisterClipboardFormatA.USER32(00000000), ref: 00450ABF

Part of subcall function 0041AA6C: RtlInitializeCriticalSection.NTDLL(00418200), ref: 0041AA8B

Part of subcall function 00450608: SetErrorMode.KERNEL32(00008000), ref: 00450621
Part of subcall function 00450608: GetModuleHandleA.KERNEL32(USER32,00000000,0045076E,?,00008000), ref: 00450645
Part of subcall function 00450608: GetProcAddress.KERNEL32(00000000,WINNLSEnableIME), ref: 00450652
Part of subcall function 00450608: LoadLibraryA.KERNEL32(imm32.dll,00000000,0045076E,?,00008000), ref: 0045066E
Part of subcall function 00450608: GetProcAddress.KERNEL32(00000000,ImmGetContext), ref: 00450690
Part of subcall function 00450608: GetProcAddress.KERNEL32(00000000,ImmReleaseContext), ref: 004506A5
Part of subcall function 00450608: GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus), ref: 004506BA
Part of subcall function 00450608: GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus), ref: 004506CF
Part of subcall function 00450608: GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus), ref: 004506E4
Part of subcall function 00450608: GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow), ref: 004506F9
Part of subcall function 00450608: GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA), ref: 0045070E
Part of subcall function 00450608: GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA), ref: 00450723
Part of subcall function 00450608: GetProcAddress.KERNEL32(00000000,ImmIsIME), ref: 00450738
Part of subcall function 00450608: GetProcAddress.KERNEL32(00000000,ImmNotifyIME), ref: 0045074D
Part of subcall function 00450608: SetErrorMode.KERNEL32(?,00450775,00008000), ref: 00450768

Part of subcall function 004624DC: GetKeyboardLayout.USER32(00000000), ref: 00462521
Part of subcall function 004624DC: 73E9A570.USER32(00000000,?,?,00000000,?,00450AFE,00000000,00000000,?,?,00000000,00450B7C), ref: 00462576

Part of subcall function 004635C0: LoadIconA.USER32(00400000,MAINICON), ref: 004636A5
Part of subcall function 004635C0: GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,00450B14,00000000,00000000,?,?,00000000,00450B7C), ref: 004636D7
Part of subcall function 004635C0: OemToCharA.USER32(?,?), ref: 004636EA
Part of subcall function 004635C0: CharLowerA.USER32(?,00400000,?,00000100,00400000,MAINICON,?,?,?,00450B14,00000000,00000000,?,?,00000000,00450B7C), ref: 0046372A

GetModuleHandleA.KERNEL32(USER32,00000000,00000000,?,?,00000000,00450B7C), ref: 00450B43
GetProcAddress.KERNEL32(00000000,AnimateWindow), ref: 00450B54

Strings

ControlOfs%.8X%.8X, xrefs: 00450A87
Delphi%.8X, xrefs: 00450A36
USER32, xrefs: 00450B3E
AnimateWindow, xrefs: 00450B4E

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: AddressProc$Module$AtomCharCurrentErrorGlobalHandleLoadMode$A570ClipboardCriticalFileFormatIconInitializeKeyboardLayoutLibraryLowerNameProcessRegisterSectionThread
String ID: AnimateWindow$ControlOfs%.8X%.8X$Delphi%.8X$USER32
API String ID: 715191208-1126952177
Opcode ID: 18ba7db59d07c119697f9478a5f348a8b9100910e2357087ceaf53fbb6adca32
Instruction ID: 6f0301116cec063f86df16c02b44e992d3a29500f28cbff857a9f390ce30218b
Opcode Fuzzy Hash: 18ba7db59d07c119697f9478a5f348a8b9100910e2357087ceaf53fbb6adca32
Instruction Fuzzy Hash: A24181746002449FC700EFBAEC92A9D77F5EB54308B51443AF500E73A2DB39A9189B69

Function 004638C8 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 132
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00422518: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 00422536

GetClassInfoA.USER32(00400000,004635B0,?), ref: 00463927
RegisterClassA.USER32(00534050), ref: 0046393F

Part of subcall function 004067B4: LoadStringA.USER32(00000000,00010000,?,00000400), ref: 004067E5

SetWindowLongA.USER32(0000000E,000000FC,10A40000), ref: 004639DB
SendMessageA.USER32(0000000E,00000080,00000001,00000000), ref: 004639FD
SetClassLongA.USER32(0000000E,000000F2,00000000), ref: 00463A10
GetSystemMenu.USER32(0000000E,00000000,0000000E,000000FC,10A40000,0045B9B0), ref: 00463A1B
DeleteMenu.USER32(00000000,0000F030,00000000,0000000E,00000000,0000000E,000000FC,10A40000,0045B9B0), ref: 00463A2A
DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F030,00000000,0000000E,00000000,0000000E,000000FC,10A40000,0045B9B0), ref: 00463A37
DeleteMenu.USER32(00000000,0000F010,00000000,00000000,0000F000,00000000,00000000,0000F030,00000000,0000000E,00000000,0000000E,000000FC,10A40000,0045B9B0), ref: 00463A4E

Strings

t(B, xrefs: 0046394C

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Menu$ClassDelete$Long$AllocInfoLoadMessageRegisterSendStringSystemVirtualWindow
String ID: t(B
API String ID: 2103932818-1765185416
Opcode ID: ed7393541091142b8fee76f1f8e24bc4b3f9191385328b195e6262c05086cdde
Instruction ID: 4e2f5335a1501f36c408db4760fdac89cd7e3a3c3bbe6170a9d3d40ceaeca4bc
Opcode Fuzzy Hash: ed7393541091142b8fee76f1f8e24bc4b3f9191385328b195e6262c05086cdde
Instruction Fuzzy Hash: 09418371B042406FE710EF69DC82F6637A8AB55704F404466FA40EF3D2DB79BC449B69

Function 00448C28 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 134
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClassInfoA.USER32(?,?,?), ref: 00448CEC
UnregisterClassA.USER32(?,?), ref: 00448D14
RegisterClassA.USER32(?), ref: 00448D2A
GetWindowLongA.USER32(00000000,000000F0), ref: 00448D66
GetWindowLongA.USER32(00000000,000000F4), ref: 00448D7B
SetWindowLongA.USER32(00000000,000000F4,00000000), ref: 00448D8E

Strings

@, xrefs: 00448C61

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: ClassLongWindow$InfoRegisterUnregister
String ID: @
API String ID: 717780171-2766056989
Opcode ID: 44f79c3cf5b4c8bec9117fe7197f57a1413243f192d86c090bb1bb2e41820fd3
Instruction ID: 6a2be13d4589b8ea2962de4882f4b5f718a5682a6136de290158235c9772cc3f
Opcode Fuzzy Hash: 44f79c3cf5b4c8bec9117fe7197f57a1413243f192d86c090bb1bb2e41820fd3
Instruction Fuzzy Hash: 2951A270A003489BEB20EB69CC81B9E77F9AF45308F1045AEE545E73D1DB38AD44CB69

Function 00462CB8 Relevance: 10.6, APIs: 7, Instructions: 89
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SystemParametersInfoA.USER32(0000001F,0000003C,?,00000000), ref: 00462D0C
CreateFontIndirectA.GDI32(?), ref: 00462D19
GetStockObject.GDI32(0000000D), ref: 00462D2F

Part of subcall function 00424B44: MulDiv.KERNEL32(00000000,?,00000048), ref: 00424B51

SystemParametersInfoA.USER32(00000029,00000000,00000154,00000000), ref: 00462D58
CreateFontIndirectA.GDI32(?), ref: 00462D68
CreateFontIndirectA.GDI32(?), ref: 00462D81
GetStockObject.GDI32(0000000D), ref: 00462DA7

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: CreateFontIndirect$InfoObjectParametersStockSystem
String ID:
API String ID: 2891467149-0
Opcode ID: 4a6e7a6f2348574796b2311c02bf24aab0c11e06f306dbf0252e2a1823b46d75
Instruction ID: d7afdf5b2c628b190c15e80c45626dde664f19f76362368a46e0ed39360024e9
Opcode Fuzzy Hash: 4a6e7a6f2348574796b2311c02bf24aab0c11e06f306dbf0252e2a1823b46d75
Instruction Fuzzy Hash: F631A830748644ABDB50EB65EC52B9673F4BB84304F4440B6B908DB396EBB89D45CB3A

Function 00442244 Relevance: 9.1, APIs: 6, Instructions: 60
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowLongA.USER32(?,000000FC,?), ref: 0044226C
GetWindowLongA.USER32(?,000000F0), ref: 00442277
GetWindowLongA.USER32(?,000000F4), ref: 00442289
SetWindowLongA.USER32(?,000000F4,?), ref: 0044229C
SetPropA.USER32(?,00000000,00000000), ref: 004422B3
SetPropA.USER32(?,00000000,00000000), ref: 004422CA

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: LongWindow$Prop
String ID:
API String ID: 3887896539-0
Opcode ID: 72e3cf06a27a8d0d19c1f90564693e2f8e07cf539f9d6f94a880299fa36e809b
Instruction ID: 125747be33099d6b0dad101e019a8ae1051cd75e8e790574a369fcfdc6eb5ccc
Opcode Fuzzy Hash: 72e3cf06a27a8d0d19c1f90564693e2f8e07cf539f9d6f94a880299fa36e809b
Instruction Fuzzy Hash: D211C975504208BFDB01DF99EC84EAA37A8BB1C3A4F108655F914DB3A1D738EA44AB64

Function 004635C0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 125
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadIconA.USER32(00400000,MAINICON), ref: 004636A5
GetModuleFileNameA.KERNEL32(00400000,?,00000100,00400000,MAINICON,?,?,?,00450B14,00000000,00000000,?,?,00000000,00450B7C), ref: 004636D7
OemToCharA.USER32(?,?), ref: 004636EA
CharLowerA.USER32(?,00400000,?,00000100,00400000,MAINICON,?,?,?,00450B14,00000000,00000000,?,?,00000000,00450B7C), ref: 0046372A

Strings

MAINICON, xrefs: 00463698

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Char$FileIconLoadLowerModuleName
String ID: MAINICON
API String ID: 3935243913-2283262055
Opcode ID: c0368131bae60808a48fe04908a02c95101316b3cdd5c42d753aebc53d3a1703
Instruction ID: 319a1b27e1a313a84912d7ec13f5c74c061438d6f724cd3c6a4b3949ee5513b3
Opcode Fuzzy Hash: c0368131bae60808a48fe04908a02c95101316b3cdd5c42d753aebc53d3a1703
Instruction Fuzzy Hash: 4C5153706042849FDB10DF29D8857C57BE4AB15309F4480BAE848DF397EBB9DA88CB65

Function 0045DA00 Relevance: 7.7, APIs: 5, Instructions: 171
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MulDiv.KERNEL32(00000000,?,00000000), ref: 0045DABF
MulDiv.KERNEL32(?,00000000,00000000), ref: 0045DB3B
MulDiv.KERNEL32(?,00000000,00000000), ref: 0045DB6A
MulDiv.KERNEL32(?,00000000,00000000), ref: 0045DB99
MulDiv.KERNEL32(?,00000000,00000000), ref: 0045DBBC

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d75d5f95a503a9609f6f3764ca11e2110b4671cfdb13cf38f80fb8bb0c265ddf
Instruction ID: 6e2ad1fc434316b6342ecacd03c27254988ab4f16f81b772471c3f1ed57fb134
Opcode Fuzzy Hash: d75d5f95a503a9609f6f3764ca11e2110b4671cfdb13cf38f80fb8bb0c265ddf
Instruction Fuzzy Hash: E971E574A04104EFDB10DBA9C589EAEB3F5AF49304F2941F6E808DB362C735AE45DB54

Function 0043B5A8 Relevance: 7.6, APIs: 5, Instructions: 110
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OffsetRect.USER32(?,00000001,00000001), ref: 0043B642
DrawTextA.USER32(00000000,00000000,00000000,?,00000000), ref: 0043B67A
OffsetRect.USER32(?,000000FF,000000FF), ref: 0043B684
DrawTextA.USER32(00000000,00000000,00000000,?,00000000), ref: 0043B6BC
DrawTextA.USER32(00000000,00000000,00000000,?,00000000), ref: 0043B6E3

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: DrawText$OffsetRect
String ID:
API String ID: 1886049697-0
Opcode ID: cc14acc726de43096e31d73b9d68371fc2e7c2bcd5553615c3706f160ba04a90
Instruction ID: 1ea0d523809295977f0cd654b747192f750e042fe7fdf6a78ab76ae3c370d537
Opcode Fuzzy Hash: cc14acc726de43096e31d73b9d68371fc2e7c2bcd5553615c3706f160ba04a90
Instruction Fuzzy Hash: E2317770604144AFDB11EB6ADC86B8B77E8EF49314F5540BAB904EB396CB789D00C669

Function 0045EF58 Relevance: 6.1, APIs: 4, Instructions: 148
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetMenu.USER32(00000000), ref: 0045F07C
SetMenu.USER32(00000000,00000000), ref: 0045F099
SetMenu.USER32(00000000,00000000), ref: 0045F0CE
SetMenu.USER32(00000000,00000000), ref: 0045F0EA

Part of subcall function 004067B4: LoadStringA.USER32(00000000,00010000,?,00000400), ref: 004067E5

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Menu$LoadString
String ID:
API String ID: 3688185913-0
Opcode ID: 2c81ceede61901455fb1a79435259bb8e73476fd07ad485d05fb2d09f672dcb1
Instruction ID: e7aa481a54ce0e755437a761022cfda8020e3e360ae4271687720fa4b9c50058
Opcode Fuzzy Hash: 2c81ceede61901455fb1a79435259bb8e73476fd07ad485d05fb2d09f672dcb1
Instruction Fuzzy Hash: 4C51C030A002449BDB20AB7AC98575A77A59F00709F0945BBBC04DB397CE7DDC4C8B9E

Function 004225D4 Relevance: 6.1, APIs: 4, Instructions: 59
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClassInfoA.USER32(00400000,004225C4,?), ref: 004225F5
UnregisterClassA.USER32(004225C4,00400000), ref: 0042261E
RegisterClassA.USER32(00533598), ref: 00422628
SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 00422673

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Class$InfoLongRegisterUnregisterWindow
String ID:
API String ID: 4025006896-0
Opcode ID: 146f6f52f2410d57444c6129e8a8c5d27ba1c02fc22bb8882a841222a0d3edf5
Instruction ID: e9c323d6891fc2a5740c800913631ac0d217a0a602bd95de30544362e39d76f1
Opcode Fuzzy Hash: 146f6f52f2410d57444c6129e8a8c5d27ba1c02fc22bb8882a841222a0d3edf5
Instruction Fuzzy Hash: 620188727042047BDB10EB68ED81F5A37ACE729304F508126F914E73D1D775E90897B9

Function 00463B48 Relevance: 6.1, APIs: 4, Instructions: 57
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnumWindows.USER32(Function_00063AD8), ref: 00463B7D
GetWindow.USER32(?,00000003), ref: 00463B95
GetWindowLongA.USER32(00000000,000000EC), ref: 00463BA2
SetWindowPos.USER32(00000000,000000EC,00000000,00000000,00000000,00000000,00000213,00000000,000000EC,?,00000003,Function_00063AD8), ref: 00463BE1

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Window$EnumLongWindows
String ID:
API String ID: 4191631535-0
Opcode ID: 3baa66b932f186fafe162d4a3e16f94bd6e2c1e604efad5acc8c8ceaab862362
Instruction ID: 60d335a4008e32ade57c48567cd6f048550e7f160f5309ccdc52ecb273c2b460
Opcode Fuzzy Hash: 3baa66b932f186fafe162d4a3e16f94bd6e2c1e604efad5acc8c8ceaab862362
Instruction Fuzzy Hash: D01177706082505FD710AE2CCC85F9677D8EB04765F140179F958AF2D3D374AD41C76A

Function 004263E0 Relevance: 6.1, APIs: 4, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SelectObject.GDI32(00000000,00000000), ref: 00426402
GetDIBColorTable.GDI32(00000000,00000000,00000100,?,00000000,00000000,00000000,00000000,?,?,0042A4A7,?,?,?,?,00428FA7), ref: 00426416
SelectObject.GDI32(00000000,00000000), ref: 00426422
DeleteDC.GDI32(00000000), ref: 00426428

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: ObjectSelect$ColorDeleteTable
String ID:
API String ID: 3862836420-0
Opcode ID: 0e66ee76b0753fe676d599b2e826bcd4f567485647af1bbbba618aa9d84ad42d
Instruction ID: e6fa3b62824e86028c9e0b4fa6490d726c91a483e5615ae50653e852034d29ae
Opcode Fuzzy Hash: 0e66ee76b0753fe676d599b2e826bcd4f567485647af1bbbba618aa9d84ad42d
Instruction Fuzzy Hash: B501847160432061D614B76AAC43E6B71B88FC5758F42852FB5899B2C2E67C8804836F

Function 0042C930 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(?), ref: 0042C992

Part of subcall function 0042C848: GetProcAddress.KERNEL32(76910000,00000000), ref: 0042C8C8

KiUserCallbackDispatcher.NTDLL(?), ref: 0042C958

Strings

GetSystemMetrics, xrefs: 0042C940

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: AddressCallbackDispatcherMetricsProcSystemUser
String ID: GetSystemMetrics
API String ID: 54681038-96882338
Opcode ID: 16089f308895e9cd93db6874e887d8bd9e174a74eeb99d363d0a41a0b2268b7f
Instruction ID: c543a70956c8356fe6399f74ce213c7bc3cc5d67e126ab1778cad81ea0fab205
Opcode Fuzzy Hash: 16089f308895e9cd93db6874e887d8bd9e174a74eeb99d363d0a41a0b2268b7f
Instruction Fuzzy Hash: 99F096F17156204ACB105B38FCC463FF9699796330FD09B23A511472D5C63D98C59A6D

Function 004649FC Relevance: 4.6, APIs: 3, Instructions: 59windowCOMMON

Download Yara Rule

APIs

PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00464A0F
TranslateMessage.USER32 ref: 00464A79
DispatchMessageA.USER32 ref: 00464A7F

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Message$DispatchPeekTranslate
String ID:
API String ID: 4217535847-0
Opcode ID: 9de74814cbb9f11d2e8adb7079f27e41d5652403c91274b43d50496de083d7d8
Instruction ID: 3096e60bd803553d2f1b30a20ddc43961de7c568ea435bf4cf47eb58f8c003e3
Opcode Fuzzy Hash: 9de74814cbb9f11d2e8adb7079f27e41d5652403c91274b43d50496de083d7d8
Instruction Fuzzy Hash: 2B01F9207442402EEF3139AA484176BA6898FD272CF14405FF45597382EAAD5C46C2AF

Function 004624DC Relevance: 3.1, APIs: 2, Instructions: 99COMMON

Download Yara Rule

APIs

GetKeyboardLayout.USER32(00000000), ref: 00462521
73E9A570.USER32(00000000,?,?,00000000,?,00450AFE,00000000,00000000,?,?,00000000,00450B7C), ref: 00462576

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: A570KeyboardLayout
String ID:
API String ID: 3858012219-0
Opcode ID: 3f03480722038deb279cc96129d11e629f2d6ce1d2fcb7f004bad91c82362d8e
Instruction ID: 31bfef86e5102864626f4edcdf5f1e0bf33d9b3ab48da7d7af604ea8c803fcae
Opcode Fuzzy Hash: 3f03480722038deb279cc96129d11e629f2d6ce1d2fcb7f004bad91c82362d8e
Instruction Fuzzy Hash: 37311970A00641AFD740EF2ADDC1B557BE4EB15308F44807AE808DF362EBB9AC059F59

Function 004350C0 Relevance: 3.0, APIs: 2, Instructions: 47timeCOMMON

Download Yara Rule

APIs

KillTimer.USER32(?,00000001,00000000,0043513F,?,?,?,00000000), ref: 004350DD
SetTimer.USER32(?,00000001,?,00000000), ref: 004350FF

Part of subcall function 004067B4: LoadStringA.USER32(00000000,00010000,?,00000400), ref: 004067E5

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Timer$KillLoadString
String ID:
API String ID: 1423459280-0
Opcode ID: 47ce580c15a6be0f159c511a51d8bcaa6f1ccde657e032fbd2e9fbbabcb0f15a
Instruction ID: 6e6affbb021d6a873f6bba320d8fc623bb445d671ecd0db108fabe7508a3f5e1
Opcode Fuzzy Hash: 47ce580c15a6be0f159c511a51d8bcaa6f1ccde657e032fbd2e9fbbabcb0f15a
Instruction Fuzzy Hash: 4C01D830A04640ABEF10EF55DC91B593BFCEB09708F511476FD00AB2C2D779AC44C658

Function 00462898 Relevance: 3.0, APIs: 2, Instructions: 37COMMON

Download Yara Rule

APIs

LoadCursorA.USER32(00000000,00007F00), ref: 004628A5
LoadCursorA.USER32(00000000,00000000), ref: 004628D4

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: CursorLoad
String ID:
API String ID: 3238433803-0
Opcode ID: 8569b0f5f9bb362022c28b7fd48258c18639e64c05b4f4789b6dcf96f0611aa7
Instruction ID: 27509eb95898745674b1639d9e74f95f13842c883bfd1498e20b4f548902231a
Opcode Fuzzy Hash: 8569b0f5f9bb362022c28b7fd48258c18639e64c05b4f4789b6dcf96f0611aa7
Instruction Fuzzy Hash: 9EF08251B04A842ADA20663E5DC197A73949BD1335F20033BFD39D73D1DB796C49426A

Function 0040780C Relevance: 3.0, APIs: 2, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000002,00000000,0048D5A8,00000000,0048D5DF,?,00000000,0048D60C), ref: 0040780E
GlobalFix.KERNEL32(00000000), ref: 00407814

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Global$Alloc
String ID:
API String ID: 2558781224-0
Opcode ID: 8dae0130a77bade94b23423767f840ffd18641c58506406d304d276e50458e84
Instruction ID: e43fb00c8eeadb22627815713288e2186937ac3e4929602cb2b705aa7a0c4ff9
Opcode Fuzzy Hash: 8dae0130a77bade94b23423767f840ffd18641c58506406d304d276e50458e84
Instruction Fuzzy Hash: 0F9002DC801350A4DC1433B6CC0EC2B009C58C070C3C24C6E300AB61C3883C8C3014FC

Function 004015CC Relevance: 2.5, APIs: 2, Instructions: 37memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,004018D5), ref: 004015FB
VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,004018D5), ref: 00401622

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: e8b08ba17e8aa1e4295fdf92a59f0b5c2ba9c048c7c0811e700258df5b612e4f
Instruction ID: 0694f22a86ef56aecd839763c502e7d790f68cdfe0d663ec15031d6fce3c51de
Opcode Fuzzy Hash: e8b08ba17e8aa1e4295fdf92a59f0b5c2ba9c048c7c0811e700258df5b612e4f
Instruction Fuzzy Hash: 07F0E272F00A2027EB20666A0C85B475AD4DB857D4F180076FE08FF3E9D2758C0142A8

Function 0040D47C Relevance: 1.6, APIs: 1, Instructions: 77COMMON

Download Yara Rule

APIs

751C1540.VERSION(?,0040D564,?,?,00000000,?,00000000,?,00000000,0040D535,?,00000000,?,00000000,0040D552), ref: 0040D50D

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: C1540
String ID:
API String ID: 783658592-0
Opcode ID: 121091e4ccf018a3275cf378aba05ab76e4d213103dbd5e3b6bff0667d239e49
Instruction ID: 5c0ec426fdedd67f92deae3c44cff002390f9c164fedf4756a9454d106b6c972
Opcode Fuzzy Hash: 121091e4ccf018a3275cf378aba05ab76e4d213103dbd5e3b6bff0667d239e49
Instruction Fuzzy Hash: E0213171A04209AFDB01EFE5DC519AEB7FCEB48704B524476B910F36D1E73899058A18

Function 0040D47A Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

751C1540.VERSION(?,0040D564,?,?,00000000,?,00000000,?,00000000,0040D535,?,00000000,?,00000000,0040D552), ref: 0040D50D

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: C1540
String ID:
API String ID: 783658592-0
Opcode ID: 7b3d1b14849d9af620bf0b84a2c51dfd11cf8fe21308a04495f1ad8fc04ddc77
Instruction ID: 4fdf440b22ddcfe6103f586eb268e931f03a8eab76d147426d28f158d2a3dd6c
Opcode Fuzzy Hash: 7b3d1b14849d9af620bf0b84a2c51dfd11cf8fe21308a04495f1ad8fc04ddc77
Instruction Fuzzy Hash: AF211F71A04209BBDB01EFEADC519AEB7FCEB48704B524476B910F3691E738E9058A18

Function 0046563C Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

IsChild.USER32(00000000,00000000), ref: 0046569A

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Child
String ID:
API String ID: 3815930669-0
Opcode ID: 23945db44b9c7b4befd4f3a0981d7c10f2be8b20304451147b014ab6c8cae829
Instruction ID: 231e27d69aaca4499f939f08954f94cfbf86e8b58e9cd39b6cd2cc645cd03708
Opcode Fuzzy Hash: 23945db44b9c7b4befd4f3a0981d7c10f2be8b20304451147b014ab6c8cae829
Instruction Fuzzy Hash: 5E01D8316046046BD711AA7AED89B9673DCDB40358F40017BE808C7226FA6CDC41C7AE

Function 004078B6 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 004078F7

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: e32a36ae7af9adaf8273a42f0dacc7712928de3b82eaac8874bd020c86ac78cc
Instruction ID: 2d39d2ad03997a08a3bba0488cf49b76c531a38edacea089955256e57a640c4d
Opcode Fuzzy Hash: e32a36ae7af9adaf8273a42f0dacc7712928de3b82eaac8874bd020c86ac78cc
Instruction Fuzzy Hash: E3F07FB2704118BF9B80DE9DDD85E9B77ECEB4D2A4B05412ABA08E3241D674ED108BA4

Function 004647A0 Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

Part of subcall function 00464754: GetWindowTextA.USER32(?,?,00000100), ref: 00464777

SetWindowTextA.USER32(?,00000000), ref: 004647ED

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: TextWindow
String ID:
API String ID: 530164218-0
Opcode ID: 3e977381fd22c75a2cf97ede32084c00ced17c1a491337bff7671248ff8f97b9
Instruction ID: fce5ddae57c6d689f06af8e61e6a08ef326468ed46e0f08c85a9f91ece175e28
Opcode Fuzzy Hash: 3e977381fd22c75a2cf97ede32084c00ced17c1a491337bff7671248ff8f97b9
Instruction Fuzzy Hash: C101F7746042409BEB01EB55C841B5A73A8EBC9704F514077FA00DB282EB7CAD04C67E

Function 004078B8 Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 004078F7

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 6169e78ed7e34be91b0c6fc9f08c9c54bc17dd6b7dc9bbe8fcfc44e6a65ecf05
Instruction ID: 077812030a20db4e82be2f78ba3f969b720b4ba0e1335c6f878cb06ddab6611f
Opcode Fuzzy Hash: 6169e78ed7e34be91b0c6fc9f08c9c54bc17dd6b7dc9bbe8fcfc44e6a65ecf05
Instruction Fuzzy Hash: 27F092B2604118BF9B80DE9DDD85EDB77ECEB4D2A4B05412AFA0CE3241D674ED108BB4

Function 00407910 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

CreateWindowExA.USER32(00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 0040794D

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 884c3146d92be7d5137cb1d93b297dad52838cf3c39e11f7a1512683a972686d
Instruction ID: 3951a77991a2db3a611e8e5f75296c01a113cbf1e5ac85beafffc13e5192b40e
Opcode Fuzzy Hash: 884c3146d92be7d5137cb1d93b297dad52838cf3c39e11f7a1512683a972686d
Instruction Fuzzy Hash: 96F0A4B2704118BFDB80DE9EDD85E9B77ECEB4D6A4B00412ABA0CE7241D574ED1087B4

Function 004452DC Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?), ref: 00445317

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 3e450580647ac04c52fe3c9217b9489fe8f4b0b89d3e34e1a1c747df32f352d3
Instruction ID: 2b489bd349fd00ef9accd65a6c2d7a08998cef0b38985eff922cf8e7109b24d4
Opcode Fuzzy Hash: 3e450580647ac04c52fe3c9217b9489fe8f4b0b89d3e34e1a1c747df32f352d3
Instruction Fuzzy Hash: CDF0D4362042019FC704DF5CC8C498ABBE5FF89255F0446A8FA89CB356DA32E814CB92

Function 00405CD8 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 00405CF6

Part of subcall function 00405F14: GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 00405F30
Part of subcall function 00405F14: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00405F4E
Part of subcall function 00405F14: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00405F6C
Part of subcall function 00405F14: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 00405F8A
Part of subcall function 00405F14: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,00000005,00000000,00406019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00405FD3
Part of subcall function 00405F14: RegQueryValueExA.ADVAPI32(?,00406180,00000000,00000000,00000000,00000005,?,?,00000000,00000000,00000000,00000005,00000000,00406019,?,80000001), ref: 00405FF1
Part of subcall function 00405F14: RegCloseKey.ADVAPI32(?,00406020,00000000,00000000,00000005,00000000,00406019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00406013

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Open$FileModuleNameQueryValue$Close
String ID:
API String ID: 2796650324-0
Opcode ID: f5be573f4c88fe3f99b670a1370d1c501bd094c16bc9f6adc8434252e78a74e1
Instruction ID: cfa8c2297ece92b03691fc6ccbf4bb16f7a8ea34d77b71d9b54f19b28b8bc056
Opcode Fuzzy Hash: f5be573f4c88fe3f99b670a1370d1c501bd094c16bc9f6adc8434252e78a74e1
Instruction Fuzzy Hash: 8EE06D71A006109BCF10EE58C8C5A8733D8AF48754F004966BC54DF386D3B4DD108BE8

Function 00408CF4 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

CompareStringA.KERNEL32(00000400,00000001,00000000,00000000,00000000,00000000,?,?,00408D3B,?,?,004093B5), ref: 00408D21

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: CompareString
String ID:
API String ID: 1825529933-0
Opcode ID: 2d6f0b9b6c4f605d3213341a595fcda6846287e836ea736437d58c3df25e7a30
Instruction ID: 553064d2000f8717ede8e2a2475750edad8178e8d54f3ef3dc3a66d288523e41
Opcode Fuzzy Hash: 2d6f0b9b6c4f605d3213341a595fcda6846287e836ea736437d58c3df25e7a30
Instruction Fuzzy Hash: 3ED0C9E13496202AE250B67F3D83F5A008C8B8C719F22003BB30AF72C3C9BD9D0102AD

Function 00401760 Relevance: 1.3, APIs: 1, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(?,?,00001000,00000004), ref: 004017CD

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 54148feba9445860b034a8a92c21eb993f1d8e6655e76146f796d2101c1fdcb2
Instruction ID: 69c29e15885a535391498b133208a4a0a8de99cd79da40327ccd239ae62086aa
Opcode Fuzzy Hash: 54148feba9445860b034a8a92c21eb993f1d8e6655e76146f796d2101c1fdcb2
Instruction Fuzzy Hash: A5117C76A047019BC3209F29C8C0A5BBBE5EBC8760F15C63DE598A73A5D734AC40C695

Function 00422518 Relevance: 1.3, APIs: 1, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 00422536

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a67ba6861ca53b641f8abda3516f92bd19cb317e31c5a0902a42886d29f95d38
Instruction ID: 52ab548a04df867111032cb8c0d33e953e9109b50629be01a8b2f1f4fb8484d1
Opcode Fuzzy Hash: a67ba6861ca53b641f8abda3516f92bd19cb317e31c5a0902a42886d29f95d38
Instruction Fuzzy Hash: 0B115A74300315ABC710DF19E980B42FBE5EF98354F10C53AE9989B385E3B4E9448BA4

Non-executed Functions

Function 00450608 Relevance: 49.1, APIs: 15, Strings: 13, Instructions: 95libraryloaderCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00008000), ref: 00450621
GetModuleHandleA.KERNEL32(USER32,00000000,0045076E,?,00008000), ref: 00450645
GetProcAddress.KERNEL32(00000000,WINNLSEnableIME), ref: 00450652
LoadLibraryA.KERNEL32(imm32.dll,00000000,0045076E,?,00008000), ref: 0045066E
GetProcAddress.KERNEL32(00000000,ImmGetContext), ref: 00450690
GetProcAddress.KERNEL32(00000000,ImmReleaseContext), ref: 004506A5
GetProcAddress.KERNEL32(00000000,ImmGetConversionStatus), ref: 004506BA
GetProcAddress.KERNEL32(00000000,ImmSetConversionStatus), ref: 004506CF
GetProcAddress.KERNEL32(00000000,ImmSetOpenStatus), ref: 004506E4
GetProcAddress.KERNEL32(00000000,ImmSetCompositionWindow), ref: 004506F9
GetProcAddress.KERNEL32(00000000,ImmSetCompositionFontA), ref: 0045070E
GetProcAddress.KERNEL32(00000000,ImmGetCompositionStringA), ref: 00450723
GetProcAddress.KERNEL32(00000000,ImmIsIME), ref: 00450738
GetProcAddress.KERNEL32(00000000,ImmNotifyIME), ref: 0045074D
SetErrorMode.KERNEL32(?,00450775,00008000), ref: 00450768

Strings

USER32, xrefs: 00450640
WINNLSEnableIME, xrefs: 0045064C
ImmSetCompositionWindow, xrefs: 004506EE
ImmGetContext, xrefs: 00450685
ImmGetCompositionStringA, xrefs: 00450718
imm32.dll, xrefs: 00450669
ImmIsIME, xrefs: 0045072D
ImmSetOpenStatus, xrefs: 004506D9
ImmSetCompositionFontA, xrefs: 00450703
ImmNotifyIME, xrefs: 00450742
ImmSetConversionStatus, xrefs: 004506C4
ImmGetConversionStatus, xrefs: 004506AF
ImmReleaseContext, xrefs: 0045069A

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: AddressProc$ErrorMode$HandleLibraryLoadModule
String ID: ImmGetCompositionStringA$ImmGetContext$ImmGetConversionStatus$ImmIsIME$ImmNotifyIME$ImmReleaseContext$ImmSetCompositionFontA$ImmSetCompositionWindow$ImmSetConversionStatus$ImmSetOpenStatus$USER32$WINNLSEnableIME$imm32.dll
API String ID: 3397921170-3950384806
Opcode ID: ff937d978ebb106f54e8a3b972f839453409118848b1952555684fc0f1ccd067
Instruction ID: bcafe8d7a4dfb89b1f4beac3eec6cf7414ee6186ac4b167b60750b402a8a3453
Opcode Fuzzy Hash: ff937d978ebb106f54e8a3b972f839453409118848b1952555684fc0f1ccd067
Instruction Fuzzy Hash: C2317479604340BFDB00EB71ED56E1577F8EB58B05B12442BB80197392D6BC982CEF68

Function 004D0F40 Relevance: 48.0, Strings: 38, Instructions: 517COMMON

Download Yara Rule

Strings

rpf, xrefs: 004D136F
sgi, xrefs: 004D13CA
tiff, xrefs: 004D126E
pcd, xrefs: 004D1526
pdd, xrefs: 004D149F
ged, xrefs: 004D161B
pcx, xrefs: 004D12F6
psd, xrefs: 004D1481
wmf, xrefs: 004D1076
tub, xrefs: 004D15B5
jpg, xrefs: 004D111E
FL, xrefs: 004D150F
pic, xrefs: 004D14F9
eps, xrefs: 004D12C9
pcc, xrefs: 004D1314
psp, xrefs: 004D1553
jpeg, xrefs: 004D117A
emf, xrefs: 004D10B3
fax, xrefs: 004D129C
tif, xrefs: 004D1240
dib, xrefs: 004D1203
\AL, xrefs: 004D14B5, 004D14E2
msk, xrefs: 004D1198
rgb, xrefs: 004D1426
png, xrefs: 004D15E8
jfif, xrefs: 004D10F0
rgba, xrefs: 004D13F8
cel, xrefs: 004D14CC
pBL, xrefs: 004D13B3, 004D13F0, 004D141E, 004D144C
scr, xrefs: 004D1342
pfr, xrefs: 004D1581
D9B, xrefs: 004D0F8F, 004D0FC9, 004D0FEC, 004D1190, 004D11BE, 004D11FB
rle, xrefs: 004D11D5
ico, xrefs: 004D1021
rla, xrefs: 004D138D
bmp, xrefs: 004D0FE0
EL, xrefs: 004D12DF, 004D130C, 004D133A
jpe, xrefs: 004D114C

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: D9B$\AL$bmp$cel$dib$emf$eps$fax$ged$ico$jfif$jpe$jpeg$jpg$msk$pBL$pcc$pcd$pcx$pdd$pfr$pic$png$psd$psp$rgb$rgba$rla$rle$rpf$scr$sgi$tif$tiff$tub$wmf$EL$FL
API String ID: 0-726106878
Opcode ID: 43c2e0c1d5da1fe027cd1f7911c35e97468e286160ec6c93bf25047e5bd77a7d
Instruction ID: d4a99753215f9a036306e073b154d3fc0c66c20c2340656a9eff8c68a660e295
Opcode Fuzzy Hash: 43c2e0c1d5da1fe027cd1f7911c35e97468e286160ec6c93bf25047e5bd77a7d
Instruction Fuzzy Hash: 1D224FB5700144AFDB00EF99EDA1F9A73B9EB48305F148067FA119B3B5C674ED068B68

Function 004CA1B4 Relevance: 37.7, APIs: 18, Strings: 3, Instructions: 995COMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(?,00000064,?), ref: 004CA450
MulDiv.KERNEL32(00000000,00000064,00000005), ref: 004CA578
MulDiv.KERNEL32(00000001,00000064,00000005), ref: 004CA5BD
MulDiv.KERNEL32(00000002,00000064,00000005), ref: 004CA602
MulDiv.KERNEL32(00000003,00000064,00000005), ref: 004CA651
MulDiv.KERNEL32(00000004,00000064,00000005), ref: 004CA696
MulDiv.KERNEL32(00000005,00000064,00000005), ref: 004CA6DB
MulDiv.KERNEL32(00000006,00000064,00000005), ref: 004CA72A
MulDiv.KERNEL32(00000007,00000064,00000005), ref: 004CA76F
MulDiv.KERNEL32(00000008,00000064,00000005), ref: 004CA7B4

Strings

8#L, xrefs: 004CA555
t$7?, xrefs: 004CA3A5
PCD, xrefs: 004CAD11

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: 8#L$PCD$t$7?
API String ID: 0-1344295584
Opcode ID: 533d9858bf58f0b850eaf22e34a8a38fe1cfa6b804e54c234256681c594b6506
Instruction ID: 19e49fa89494fe001ee7ad734b2a392fded8b8d0f3b84e664f101a418c842c80
Opcode Fuzzy Hash: 533d9858bf58f0b850eaf22e34a8a38fe1cfa6b804e54c234256681c594b6506
Instruction Fuzzy Hash: 0D82E875A00208AFDB40DB99C991FAEB7F5EF48704F20806AF904FB391C679AE41DB55

Function 00405D5C Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 136stringlibraryfileCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00405D79
GetProcAddress.KERNEL32(00000000,GetLongPathNameA), ref: 00405D8A
lstrcpyn.KERNEL32(?,?,?), ref: 00405DBA
lstrcpyn.KERNEL32(?,?,?,kernel32.dll), ref: 00405E1E
lstrcpyn.KERNEL32(?,?,00000001,?,?,?,kernel32.dll), ref: 00405E53
FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll), ref: 00405E66
FindClose.KERNEL32(00000000,?,?,?,?,00000001,?,?,?,kernel32.dll), ref: 00405E73
lstrlen.KERNEL32(?,00000000,?,?,?,?,00000001,?,?,?,kernel32.dll), ref: 00405E7F
lstrcpyn.KERNEL32(0000005D,?,00000104), ref: 00405EB3
lstrlen.KERNEL32(?,0000005D,?,00000104), ref: 00405EBF
lstrcpyn.KERNEL32(?,0000005C,?,?,0000005D,?,00000104), ref: 00405EE1

Strings

kernel32.dll, xrefs: 00405D74
GetLongPathNameA, xrefs: 00405D84
\, xrefs: 00405E91

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc
String ID: GetLongPathNameA$\$kernel32.dll
API String ID: 3245196872-1565342463
Opcode ID: 622fca862ede482ad9ac39b9f014d34330fe16ee00285a254696d6776c3174e9
Instruction ID: 9dbc75c6d1bc213631ce3c7385af16737f0384cc68e9fa89e6e243b74f86982c
Opcode Fuzzy Hash: 622fca862ede482ad9ac39b9f014d34330fe16ee00285a254696d6776c3174e9
Instruction Fuzzy Hash: 81415C72900659ABDB10DBA8CD89ADFB7ECDF44304F1440B7A949F7281D6389F448F98

Function 004C659C Relevance: 23.4, APIs: 12, Strings: 1, Instructions: 700COMMON

Download Yara Rule

APIs

Part of subcall function 0042A220: GdiFlush.GDI32(?,?,00538B08,?,004AD0FC), ref: 0042A256

MulDiv.KERNEL32(00000000,00000064,?), ref: 004C6907
OffsetRect.USER32(?,00000000,00000001), ref: 004C6938
MulDiv.KERNEL32(00000000,00000064,?), ref: 004C6A11
OffsetRect.USER32(?,00000000,00000001), ref: 004C6A42

Strings

sgi, bw or rgb(a), xrefs: 004C6DE7

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: OffsetRect$Flush
String ID: sgi, bw or rgb(a)
API String ID: 1672064848-1345870794
Opcode ID: a57402db46456260f65d86e29ddcd5d5990aef594f664050e0e5e78fa2a9d321
Instruction ID: 9c8109225f0d0729989a4b32241276541da6d05a20b13f06c2e9c1ce21a45027
Opcode Fuzzy Hash: a57402db46456260f65d86e29ddcd5d5990aef594f664050e0e5e78fa2a9d321
Instruction Fuzzy Hash: CF422175A00108AFDB50DF99C991F9EB7B5EF48704F1081AAF904EB386C735AE41DB58

Function 004C7EBC Relevance: 16.9, APIs: 2, Strings: 7, Instructions: 1130COMMON

Download Yara Rule

Strings

Compression method , xrefs: 004C8700
LCL, xrefs: 004C800F
P"L, xrefs: 004C86DF
TIF/TIFF, xrefs: 004C8259, 004C873B, 004C8D0B
d!L, xrefs: 004C85AB
is , xrefs: 004C8719
L, xrefs: 004C8572

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Object
String ID: is $Compression method $LCL$P"L$TIF/TIFF$d!L$ L
API String ID: 2936123098-777046359
Opcode ID: 96615393b8f026b32825321a12b1ea13dae628fd5ca572a6a53460ad13f5c01d
Instruction ID: 1d03d01537d6f8acac06e837614b14e4346c36ef671f4e6c5ccad7308bc8b4dc
Opcode Fuzzy Hash: 96615393b8f026b32825321a12b1ea13dae628fd5ca572a6a53460ad13f5c01d
Instruction Fuzzy Hash: ACA21A78A001089FDB44DFA9C981F9DB7F5FF48304F2480AAE805AB356DB39AE45CB54

Function 0044BF80 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 0044BF8F
GetWindowPlacement.USER32(?,0000002C), ref: 0044BFAC
GetWindowRect.USER32(?), ref: 0044BFC5
GetWindowLongA.USER32(?,000000F0), ref: 0044BFD3
GetWindowLongA.USER32(?,000000F8), ref: 0044BFE8
ScreenToClient.USER32(00000000), ref: 0044BFF5
ScreenToClient.USER32(00000000,?), ref: 0044C000

Strings

,, xrefs: 0044BF98

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Window$ClientLongScreen$IconicPlacementRect
String ID: ,
API String ID: 2266315723-3772416878
Opcode ID: cec151c7ba0a72cbdf91c47d8eeee423db3f624bbe190896f95f4532af70feaa
Instruction ID: 0cfc7e15ae5f44427199523bcaf605dfa69a415dbf9e1a176f1ee7a3f209578d
Opcode Fuzzy Hash: cec151c7ba0a72cbdf91c47d8eeee423db3f624bbe190896f95f4532af70feaa
Instruction Fuzzy Hash: F511B171908240ABCB01DE6DCC85A8B37D8AF49314F04097AFD18DB282D739E9048B66

Function 004DA40C Relevance: 13.0, Strings: 10, Instructions: 471COMMON

Download Yara Rule

Strings

:memory, xrefs: 004DA788
BMHD, xrefs: 004DA4E5
BODY, xrefs: 004DA773
PBM , xrefs: 004DA49E, 004DA824
\BH, xrefs: 004DA78F
ACBM, xrefs: 004DA4B1
ABIT, xrefs: 004DA60A
ILBM, xrefs: 004DA48B
FORM, xrefs: 004DA475
CMAP, xrefs: 004DA59D

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: :memory$ABIT$ACBM$BMHD$BODY$CMAP$FORM$ILBM$PBM $\BH
API String ID: 0-3273259247
Opcode ID: e63e111e292f8c9da6f84c8284c40a001ccdc45ecc429e619b21ef55bf68c1eb
Instruction ID: 170ccc5ec994dd161e66b05bf9a913f959f91103e0ed67d8a13c0ad4ce3e67c3
Opcode Fuzzy Hash: e63e111e292f8c9da6f84c8284c40a001ccdc45ecc429e619b21ef55bf68c1eb
Instruction Fuzzy Hash: AE025CB0A042598FCF10EFA9C8A16AEBBB1FF88304F11456BE544EB345D7389D52CB59

Function 004CE0A4 Relevance: 12.9, APIs: 4, Strings: 3, Instructions: 660COMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00000000,00000064,?), ref: 004CE6DB
OffsetRect.USER32(?,00000000,00000001), ref: 004CE70C
MulDiv.KERNEL32(?,00000064,?), ref: 004CE87C
OffsetRect.USER32(?,00000000,00000001), ref: 004CE8AD

Strings

s, xrefs: 004CE53A
PSP, xrefs: 004CE312, 004CE78E, 004CE9D9
~, xrefs: 004CE3A7

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: OffsetRect
String ID: PSP$s$~
API String ID: 177026234-855822502
Opcode ID: 436180e9c4ae5a88adb797c0005c5cf507e335220d96df181ded2c1277e40846
Instruction ID: 1276425662c3928a6284c79b34bf3df77af0061c0a8521b7ce5a76c6854a2bda
Opcode Fuzzy Hash: 436180e9c4ae5a88adb797c0005c5cf507e335220d96df181ded2c1277e40846
Instruction Fuzzy Hash: CD520978A002189FDB60DF69CC91B9EB7B5FF49304F1041AAE508A7382D735AE85CF59

Function 00498D38 Relevance: 12.7, APIs: 8, Instructions: 727COMMON

Download Yara Rule

APIs

Part of subcall function 0041ABC4: RtlEnterCriticalSection.NTDLL(00AA09A8), ref: 0041ABCB

Part of subcall function 004067B4: LoadStringA.USER32(00000000,00010000,?,00000400), ref: 004067E5

MulDiv.KERNEL32(00000000,00000064,?), ref: 00498E79
MulDiv.KERNEL32(00000000,00000064,?), ref: 00498F5C
IntersectRect.USER32(?,?,?), ref: 00499046
EqualRect.USER32(?,?), ref: 00499057
MulDiv.KERNEL32(00000000,00000064,?), ref: 00499081
MulDiv.KERNEL32(00000000,00000064,?), ref: 0049915F
MulDiv.KERNEL32(00000000,00000064,?), ref: 004992AD
MulDiv.KERNEL32(?,00000064,?), ref: 004994ED

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Rect$CriticalEnterEqualIntersectLoadSectionString
String ID:
API String ID: 2871691274-0
Opcode ID: b70ca2c81184e8ce7939d4921e389c45249e2fd90384ebfff846be145ba6485c
Instruction ID: ee2ea7f554c50058bfaddc461285cdf78886f3ce5aba17cf87995140d7357b60
Opcode Fuzzy Hash: b70ca2c81184e8ce7939d4921e389c45249e2fd90384ebfff846be145ba6485c
Instruction Fuzzy Hash: CF421E75A142149FDF00EBA9C981E9E77F5AF49314F11857EF800AB356CA38EE05CB58

Function 004590EC Relevance: 9.4, APIs: 6, Instructions: 405nativeCOMMON

Download Yara Rule

APIs

SaveDC.GDI32(?), ref: 004593BB
RestoreDC.GDI32(?,?), ref: 0045942F
SaveDC.GDI32(?), ref: 004594E0
RestoreDC.GDI32(?,?), ref: 0045954D
NtdllDefWindowProc_A.NTDLL(?,?,?,?,00000000,0045961F), ref: 00459601

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: RestoreSave$NtdllProc_Window
String ID:
API String ID: 2725519021-0
Opcode ID: 155dce203e39d1e00a8573cbe09c778f533d07570171b30726b7a1e09b05e4e6
Instruction ID: 5e56a682ac468ab9ed30c6f40fa2f39614c259c53882d5771ea16a7acdf91520
Opcode Fuzzy Hash: 155dce203e39d1e00a8573cbe09c778f533d07570171b30726b7a1e09b05e4e6
Instruction Fuzzy Hash: A5E16234A04609EFDB10DF69C48199EB7F5FF48305B2085AAEC05A7362DB38ED46CB59

Function 00464618 Relevance: 9.1, APIs: 6, Instructions: 86windownativeCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 00464620
SetActiveWindow.USER32(?,?,?,?,00464041,00000000,00464502), ref: 00464631
IsWindowEnabled.USER32(00000000), ref: 00464654
NtdllDefWindowProc_A.NTDLL(?,00000112,0000F120,00000000,00000000,?,?,?,?,00464041,00000000,00464502), ref: 0046466D
SetWindowPos.USER32(?,00000000,00000000,?,?,00464041,00000000,00464502), ref: 004646B3
SetFocus.USER32(00000000,?,00000000,00000000,?,?,00464041,00000000,00464502), ref: 004646F8

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Window$ActiveEnabledFocusIconicNtdllProc_
String ID:
API String ID: 3996302123-0
Opcode ID: 87af3c71f6ebae3eee10bb87f8e9895c06a8152d9c6099cdfe72c840e57f6208
Instruction ID: 4b9307d71d97944f0ec320865191d040b9571bf88ad4fb051efc852eada53655
Opcode Fuzzy Hash: 87af3c71f6ebae3eee10bb87f8e9895c06a8152d9c6099cdfe72c840e57f6208
Instruction Fuzzy Hash: 3E310370B002409BEF14AA69CDC5B563798AB45714F0804ABBD00DF2D7EB7DEC548B1E

Function 004320D0 Relevance: 9.1, APIs: 6, Instructions: 82clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00000000), ref: 004320F4
GlobalAlloc.KERNEL32(00002002,00000001,00000000,004321CA,?,00000000,004321FE), ref: 0043211E
GlobalFix.KERNEL32(?), ref: 00432138
EmptyClipboard.USER32 ref: 00432167
SetClipboardData.USER32(00000001,?), ref: 00432172
GlobalUnWire.KERNEL32(?), ref: 00432188

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: ClipboardGlobal$AllocDataEmptyOpenWire
String ID:
API String ID: 461592451-0
Opcode ID: 0c05ae93e8a0b09c1d336c1568b08b2e9762d2e162be79ea9e6070695479ca9a
Instruction ID: 948efbce9353a7f339553a55d759969dd059f300a2cc52529e5fafb2752a3cf0
Opcode Fuzzy Hash: 0c05ae93e8a0b09c1d336c1568b08b2e9762d2e162be79ea9e6070695479ca9a
Instruction Fuzzy Hash: 4521E270604644BFEB01EB66DE52A69B7A8EB4D704F520476FA00E26D1CA786D10D968

Function 0044B65C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 81windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 0044B69B
SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 0044B6B9
GetWindowPlacement.USER32(?,0000002C), ref: 0044B6EF
SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 0044B713

Strings

,, xrefs: 0044B6DD

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Window$Placement$Iconic
String ID: ,
API String ID: 568898626-3772416878
Opcode ID: 496f2bcd46d5e10f64a8709201f179e0f6ceb8eba7e3ae3c1d5c41b962619f06
Instruction ID: 9ace06089765310ea8430f20cf88cc9d2dfb6b5727772981840069b901abef6a
Opcode Fuzzy Hash: 496f2bcd46d5e10f64a8709201f179e0f6ceb8eba7e3ae3c1d5c41b962619f06
Instruction Fuzzy Hash: A6215371A00108ABDF14DE69C8C19DA77A8EF48354F05846AFD04EF346D779ED048BA5

Function 0042CA48 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 0042C848: GetProcAddress.KERNEL32(76910000,00000000), ref: 0042C8C8

MonitorFromWindow.USER32(?,?), ref: 0042CA78

Strings

MonitorFromWindow, xrefs: 0042CA5F

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: AddressFromMonitorProcWindow
String ID: MonitorFromWindow
API String ID: 2184870004-2842599566
Opcode ID: f3ff6349f829b9b9c5b6ee483603810676dc2d5df8a3fcb0b7e989887f64fb7c
Instruction ID: 0561238ea2f5e74d18e7200604dfc8b3d0b181c54bfae8a013891814795f2012
Opcode Fuzzy Hash: f3ff6349f829b9b9c5b6ee483603810676dc2d5df8a3fcb0b7e989887f64fb7c
Instruction Fuzzy Hash: 6F014F72A0512C6AC700EB94BCC1BEF736CEB19314B844117F81696341D728AD0557FE

Function 0045E2B8 Relevance: 7.8, APIs: 5, Instructions: 284windowCOMMON

Download Yara Rule

APIs

SetFocus.USER32(00000000), ref: 0045E376
SaveDC.GDI32(?), ref: 0045E49D
RestoreDC.GDI32(?,?), ref: 0045E50E
SaveDC.GDI32(?), ref: 0045E5B1
RestoreDC.GDI32(?,?), ref: 0045E615

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: RestoreSave$Focus
String ID:
API String ID: 1675357626-0
Opcode ID: a972d4d6926d3cb9d967d4ec819330f60277329ce33ffa7006e03a813a6f5272
Instruction ID: 116817842a3f137b9ae286985c504dcf126f1001fd5f92cfbb97c96aff50a967
Opcode Fuzzy Hash: a972d4d6926d3cb9d967d4ec819330f60277329ce33ffa7006e03a813a6f5272
Instruction Fuzzy Hash: 23B17274A04104EFCB18DF6AC985AAE73F5EB55345F9540B6E8009B362CB38EF45CB19

Function 00464568 Relevance: 7.6, APIs: 5, Instructions: 59nativewindowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 00464570
SetActiveWindow.USER32(?,?,?,?,00464034,00000000,00464502), ref: 00464588
IsWindowEnabled.USER32(00000000), ref: 004645AB
SetWindowPos.USER32(?,00000000,?,?,?,00000000,00000040,00000000,?,?,?,?,00464034,00000000,00464502), ref: 004645D4
NtdllDefWindowProc_A.NTDLL(?,00000112,0000F020,00000000,?,00000000,?,?,?,00000000,00000040,00000000,?,?,?,?), ref: 004645E9

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Window$ActiveEnabledIconicNtdllProc_
String ID:
API String ID: 1720852555-0
Opcode ID: dd704523bdd94101e3dbae2f7be5e1fcd6c0df2763598b3f9ed0d81305289f62
Instruction ID: 4adf2dd4120f17eb57c65e4b7f3fc8835ae384b5d5f50e44b729d7ad2582a0fa
Opcode Fuzzy Hash: dd704523bdd94101e3dbae2f7be5e1fcd6c0df2763598b3f9ed0d81305289f62
Instruction Fuzzy Hash: E611E671600240ABDF54EE6DC9C6B973798AF45714F0804AABF05DF287E67DEC40876A

Function 00493A18 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 438COMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00000006,?,00000033), ref: 00493BFB
MulDiv.KERNEL32(00000024,?,00000033), ref: 00493C1D
MulDiv.KERNEL32(0000001F,00000064,?), ref: 00493D25

Part of subcall function 004067B4: LoadStringA.USER32(00000000,00010000,?,00000400), ref: 004067E5

Strings

D9B, xrefs: 00493A39

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: LoadString
String ID: D9B
API String ID: 2948472770-511987976
Opcode ID: 40eeef612a46da1fa27e4e3a0f40b07093a14bad35cc4d75cef0fe56f7d8a281
Instruction ID: a048172999bbc5417f8a8aae1427575fe6d0c139d4fb9d2599e5140d06a7992b
Opcode Fuzzy Hash: 40eeef612a46da1fa27e4e3a0f40b07093a14bad35cc4d75cef0fe56f7d8a281
Instruction Fuzzy Hash: 33025A74E042889FDF01DFA9C851BAEBBF1AF4A305F1440AAE480EB391D7799E05DB54

Function 0040E930 Relevance: 6.6, Strings: 5, Instructions: 339COMMON

Download Yara Rule

Strings

$2S, xrefs: 0040EC46
<1S, xrefs: 0040EC5B
01S, xrefs: 0040EC70
\2S, xrefs: 0040EC31
1S, xrefs: 0040EB4C

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: $2S$01S$1S$<1S$\2S
API String ID: 0-149574985
Opcode ID: 70b3abb95aff017a04c1ee5bc4ac58da5ef5d4d6634a843272392e369f5f8a30
Instruction ID: f6501dd7d72c50b274b827287878c4ef2b1db5be743b011efb20a9307363de5d
Opcode Fuzzy Hash: 70b3abb95aff017a04c1ee5bc4ac58da5ef5d4d6634a843272392e369f5f8a30
Instruction Fuzzy Hash: 04D1365054E7C00FC7029B349DA16967F74AF93214F0A80EBED849F2E7D62C990ADB36

Function 004B83EC Relevance: 6.4, Strings: 5, Instructions: 179COMMON

Download Yara Rule

Strings

J, xrefs: 004B857C
F, xrefs: 004B8585
X, xrefs: 004B8599
J, xrefs: 004B840A
X, xrefs: 004B858F

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: F$J$J$X$X
API String ID: 0-2166313073
Opcode ID: 12fdb1c193f4f78136981c133ba371dc7561109d75048bcbb9abb70116e7edbf
Instruction ID: cb50cea485c934ec49e5e53e8114f428ebdae18fbcd81dd9b80710b9bae49a38
Opcode Fuzzy Hash: 12fdb1c193f4f78136981c133ba371dc7561109d75048bcbb9abb70116e7edbf
Instruction Fuzzy Hash: 54718F706042809FD729CF29C094692BFE5AF5A304F19C0DED4C98F367CA7AD946CBA5

Function 004D3F28 Relevance: 6.4, Strings: 4, Instructions: 1398COMMON

Download Yara Rule

Strings

DDS , xrefs: 004D3F74
DXT1, xrefs: 004D408D
DXT3, xrefs: 004D4601
DXT5, xrefs: 004D4CF2

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: DDS $DXT1$DXT3$DXT5
API String ID: 0-3267405239
Opcode ID: f74bb1975a12dd2a3e95e6515129a5e131b654520b448eea3d48ae96e239f3bf
Instruction ID: ff6f2f7a5391d551f37923a6f9b0f124b4022aa9ad2e57414e88b0603458f506
Opcode Fuzzy Hash: f74bb1975a12dd2a3e95e6515129a5e131b654520b448eea3d48ae96e239f3bf
Instruction Fuzzy Hash: D3D26C74B042988FDB21EF69C8503DEBBB1EB99300F1045EAD588E7342EA394E91CF55

Function 0043FC20 Relevance: 6.0, APIs: 4, Instructions: 46sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 0043F680: WinHelpA.USER32(00000000,0043F698,00000002,00000000), ref: 0043F68F

GetTickCount.KERNEL32 ref: 0043FC3E
Sleep.KERNEL32(00000000,00000000,0043FC9D,?,?,00000000,00000000,?,0043FC16), ref: 0043FC47
GetTickCount.KERNEL32 ref: 0043FC4C
WinHelpA.USER32(00000000,?,?,00000000), ref: 0043FC82

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: CountHelpTick$Sleep
String ID:
API String ID: 2438605093-0
Opcode ID: 2e09e3a0159fc9bb47ff531349d46ddcc0b1a5f356e2dca7038df03d29cc0344
Instruction ID: 272eafc7eb77bc650f6e3b237f321e37de92822cdd720c079227e355fa858e1c
Opcode Fuzzy Hash: 2e09e3a0159fc9bb47ff531349d46ddcc0b1a5f356e2dca7038df03d29cc0344
Instruction Fuzzy Hash: 8A01A230B44348AFE711EBA6CC42B6E72E8EF4C704F62547BF500A76D2DB78AD048559

Function 004E22D0 Relevance: 5.4, Strings: 4, Instructions: 350COMMON

Download Yara Rule

Strings

t"N, xrefs: 004E2417, 004E2695
\BH, xrefs: 004E24CB
4"N, xrefs: 004E23FB, 004E26AB
:memory, xrefs: 004E24C4

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: 4"N$:memory$\BH$t"N
API String ID: 0-541200545
Opcode ID: 67ab41e76ce30632a85fcc21e74501e69039dfdcbf60c105b81bb7ed92fd59ef
Instruction ID: 9c60e18e9f04b079c12d0b553845fc6fb427938709971e497ba86c1fdc71f370
Opcode Fuzzy Hash: 67ab41e76ce30632a85fcc21e74501e69039dfdcbf60c105b81bb7ed92fd59ef
Instruction Fuzzy Hash: 14D18374E00199DFCF10EFAAC581AAEB7B4FF59314F20056AE550AB351C778AE42CB58

Function 0048CC3C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 61windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,0048CD1B), ref: 0048CC6A
FormatMessageA.KERNEL32(00001000,00000000,00000000,00000400,?,00000100,00000000,00000000,0048CD1B), ref: 0048CC90

Strings

4(B, xrefs: 0048CCDA

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: ErrorFormatLastMessage
String ID: 4(B
API String ID: 3479602957-430709320
Opcode ID: 29ec30ae1a9c5dab48625a55f99b00e736f25ac2b3f0a8727ca4d171e8ba9169
Instruction ID: 21de85b321d5d12c73622067ed9fa72f734b4305f2b92a17a377a8e65b12fdb5
Opcode Fuzzy Hash: 29ec30ae1a9c5dab48625a55f99b00e736f25ac2b3f0a8727ca4d171e8ba9169
Instruction Fuzzy Hash: B311CF7160420897E711FB21CDC1BDA73B99B94304F10847BBA44B73C1DEB85DC48A6D

Function 004633B8 Relevance: 4.5, APIs: 3, Instructions: 33synchronizationthreadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 004633C4
GetCursorPos.USER32(?), ref: 004633E1
WaitForSingleObject.KERNEL32(00000000,00000064), ref: 00463401

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: CurrentCursorObjectSingleThreadWait
String ID:
API String ID: 1359611202-0
Opcode ID: 664a6452fc786f82fbc53645dbe0589f19e86cc2fbb28b7711a9a3ce75ab3ccd
Instruction ID: 819a01418f0c647f3e2eed0683132e65660bb55d3e2120cece08bb092a2107d8
Opcode Fuzzy Hash: 664a6452fc786f82fbc53645dbe0589f19e86cc2fbb28b7711a9a3ce75ab3ccd
Instruction Fuzzy Hash: D2F054315042449BDB14AF69E886B4A73F8EB10315F40017BF900DB3D1FB7D9994DA2E

Function 004CEF68 Relevance: 4.1, Strings: 3, Instructions: 346COMMON

Download Yara Rule

Strings

PNG, xrefs: 004CF103, 004CF1B4, 004CF3B4
P"L, xrefs: 004CF0D9
IDATPLTEgAMA, xrefs: 004CF143

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: IDATPLTEgAMA$P"L$PNG
API String ID: 0-1994570322
Opcode ID: 6cca6cf87b806be2d73a2b23ae08558700118e33edda0b32d2e4973c6b1a67d6
Instruction ID: 5f06a131fae6b7adc36e85fe6148b9e0724636680eb05b0b5154d85527a4a21d
Opcode Fuzzy Hash: 6cca6cf87b806be2d73a2b23ae08558700118e33edda0b32d2e4973c6b1a67d6
Instruction Fuzzy Hash: 22E12C38A00108EFDB44DF99D981FDEB7F6AF48304F2481BAE904A7351D778AE459B58

Function 004E07A8 Relevance: 4.1, Strings: 3, Instructions: 321COMMON

Download Yara Rule

Strings

8BPS, xrefs: 004E0832
:memory, xrefs: 004E0895
\BH, xrefs: 004E089C

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: 8BPS$:memory$\BH
API String ID: 0-136306569
Opcode ID: 31745a3e93939be329f28df52a05dfecf2b141a5d60ee4a467b5aa515c3d503d
Instruction ID: f855c3aac6d3ffcf0f28410a3a19a8fbc5577cb00a4e86b15ae6c00db16bfc8c
Opcode Fuzzy Hash: 31745a3e93939be329f28df52a05dfecf2b141a5d60ee4a467b5aa515c3d503d
Instruction Fuzzy Hash: 22B18070A041999FCB04EFAAC8816EEB7B5EF99305F10446BF454FB352CA7899418B68

Function 00493FB8 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 299COMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(0000001F,00000064,?), ref: 004941BF

Strings

D9B, xrefs: 00493FD8

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: D9B
API String ID: 0-511987976
Opcode ID: 726b4ee48fee1da2e516786783af02e9bdc1514140e62d66cc66e5c6397d8f34
Instruction ID: 22eba4e66bd2efecc3abafa21ab19a58a9355e5876b7d4efa8459f464f8a192d
Opcode Fuzzy Hash: 726b4ee48fee1da2e516786783af02e9bdc1514140e62d66cc66e5c6397d8f34
Instruction Fuzzy Hash: 19B180B0A042859FDF11DBA9C851BBEBFB5AF89308F1440BAE48097381C77D9D46DB58

Function 004AD420 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 284COMMON

Download Yara Rule

APIs

Part of subcall function 0042B060: DeleteObject.GDI32(00000000), ref: 0042B1A7

DeleteObject.GDI32(?), ref: 004AD549

Strings

D9B, xrefs: 004AD448

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: DeleteObject
String ID: D9B
API String ID: 1531683806-511987976
Opcode ID: 2def474d8c090931b2b0a3e6ea33710286f8bfab9a27e6ea6418e2e93058602b
Instruction ID: 22e02bae3b0573867318dbfe425c92a03ef4854afd4847c63ff928d213dbc9c1
Opcode Fuzzy Hash: 2def474d8c090931b2b0a3e6ea33710286f8bfab9a27e6ea6418e2e93058602b
Instruction Fuzzy Hash: BCC13634E00158DFCB15DB69C984BDEB7F5AF5A304F5081EAE809AB351DA38AE85CF44

Function 004DDFC8 Relevance: 3.1, Strings: 2, Instructions: 585COMMON

Download Yara Rule

Strings

\BH, xrefs: 004DE1C0, 004DE322, 004DE487
:memory, xrefs: 004DE1B9, 004DE31B, 004DE480

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: :memory$\BH
API String ID: 0-3878241749
Opcode ID: c110cf2f942b31a7ce4fe0e6b5da32b5316121b3a9f55455c8f3af154f7c0f03
Instruction ID: 7c45833a859b037d6fd5c088ad2cf74f00e4431de1791d3d9001c3263f8c08f3
Opcode Fuzzy Hash: c110cf2f942b31a7ce4fe0e6b5da32b5316121b3a9f55455c8f3af154f7c0f03
Instruction Fuzzy Hash: 05222570E001599FCB10FFEAD891AAEBBB5EF54304F10456BE844EB356D738AD428B58

Function 0044ADA8 Relevance: 3.1, APIs: 2, Instructions: 63windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 0044ADE0
GetCapture.USER32 ref: 0044ADE9

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: CaptureIconic
String ID:
API String ID: 2277910766-0
Opcode ID: df094401348f258267f7563dd6672625206778f69b43bc59dfd101cbad4f3f6e
Instruction ID: f10aca7f425c3d9b41fa13570cd981c84bdbc37e66fcfcbbc1a1dd9d5cf7ff17
Opcode Fuzzy Hash: df094401348f258267f7563dd6672625206778f69b43bc59dfd101cbad4f3f6e
Instruction Fuzzy Hash: 051182327802059BEB20DF9DD9859AAB3E8EF04318B34407AF814DB352DB39EE509759

Function 00436080 Relevance: 3.0, APIs: 2, Instructions: 46clipboardCOMMON

Download Yara Rule

APIs

SetClipboardData.USER32(?,?), ref: 004360C9
SetClipboardData.USER32(00000009,00000000), ref: 004360DA

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: ClipboardData
String ID:
API String ID: 2952336681-0
Opcode ID: c0c249b93a80f01d7a77dcb6c6e27970668b16a2d4efd4169c3e2b12b5479d66
Instruction ID: 9bc4a1954aa3f8f85bf8343aebba444bf9c0fae8aa93a1c8945b2513e688d129
Opcode Fuzzy Hash: c0c249b93a80f01d7a77dcb6c6e27970668b16a2d4efd4169c3e2b12b5479d66
Instruction Fuzzy Hash: 3F016970A04209EFCB04DFA9C8859AEB7F8FF0C300F1145A6E504E72A1EB75AE40CB65

Function 00435FFC Relevance: 3.0, APIs: 2, Instructions: 45clipboardCOMMON

Download Yara Rule

APIs

SetClipboardData.USER32(?,?), ref: 00436045
SetClipboardData.USER32(00000009,00000000), ref: 00436056

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: ClipboardData
String ID:
API String ID: 2952336681-0
Opcode ID: 6a4e89b28675ec8855bd96b4d220eb8446444ee5ebf35fa90772ec6d79dce0ca
Instruction ID: eca456fb170219eb53b8b610f2df9fa7066a5ae54d8d7e4d431b3acf5aef5265
Opcode Fuzzy Hash: 6a4e89b28675ec8855bd96b4d220eb8446444ee5ebf35fa90772ec6d79dce0ca
Instruction Fuzzy Hash: 27016970A04609AFCB04DBA9C881AAEB7F8FF08300F1149A6B404E7291DB74AE40CB65

Function 0040DB1C Relevance: 3.0, APIs: 2, Instructions: 37COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,0040DB80), ref: 0040DB42
GetACP.KERNEL32(?,?,00001004,?,00000007,00000000,0040DB80), ref: 0040DB5B

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 1884172b494ef64e61d5d87ac41e70bb733ce7e18e2f04438fc916fe4af58f1b
Instruction ID: 8ae3de11b30185b591dbfbdb903b861d682c93104a8713605b6a6178693530df
Opcode Fuzzy Hash: 1884172b494ef64e61d5d87ac41e70bb733ce7e18e2f04438fc916fe4af58f1b
Instruction Fuzzy Hash: E9F09671E043047FDB00EBE2D85299EB3BADBC4718F51C57AB610A76C1DA7C65048658

Function 004096B0 Relevance: 3.0, APIs: 2, Instructions: 33fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,?,?,?,004EC2D8,?,?,?,00000000,004EC327), ref: 004096CB
GetLastError.KERNEL32(00000000,?,?,?,?,004EC2D8,?,?,?,00000000,004EC327), ref: 004096F0

Part of subcall function 0040964C: FileTimeToLocalFileTime.KERNEL32(?), ref: 00409679
Part of subcall function 0040964C: FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 00409688

Part of subcall function 00409724: FindClose.KERNEL32(?,?,004096EE,00000000,?,?,?,?,004EC2D8,?,?,?,00000000,004EC327), ref: 00409730

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: FileTime$Find$CloseDateErrorFirstLastLocal
String ID:
API String ID: 976985129-0
Opcode ID: 657082f0d3cee3eafa1d391f08072548a3622d5f3db13b2cc92ee2c836ca67ac
Instruction ID: e5e222ae4b3e1edca6e7e69f6ad0f42d122d8570d28140a71d9f916234369ba4
Opcode Fuzzy Hash: 657082f0d3cee3eafa1d391f08072548a3622d5f3db13b2cc92ee2c836ca67ac
Instruction Fuzzy Hash: 95E06DB2B0256007CB15AF6E5CC159B61D88A847A830A067BB915FB3C7D63ECC1293D9

Function 004C8DDC Relevance: 3.0, Strings: 2, Instructions: 457COMMON

Download Yara Rule

Strings

LCL, xrefs: 004C8F07
MM, xrefs: 004C8F2F

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: LCL$MM
API String ID: 0-1966558449
Opcode ID: 63a05b47c84527a6d2d4db66216ba569a0f64dd7a088f7c5ceb86575037aa6e0
Instruction ID: 8abfefa7dfa2d5050556067eaf24452c438bc4cca268861650448c65f3fddbb7
Opcode Fuzzy Hash: 63a05b47c84527a6d2d4db66216ba569a0f64dd7a088f7c5ceb86575037aa6e0
Instruction Fuzzy Hash: 9B02A638604185DBEB55DF68C489FAF7BA1AB05304F14809FD8419B386CB7DDE41CB9A

Function 004A1A50 Relevance: 1.9, Strings: 1, Instructions: 645COMMON

Download Yara Rule

Strings

|gS, xrefs: 004A1C3C

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: |gS
API String ID: 0-2054468872
Opcode ID: aeb144ef3b1690433ff582404c58d8e31139980a1cd54db4af01818ec1723c01
Instruction ID: 23b0ceeb8c8c38199f0b7e032bf8f99960272fd32bb32a687a2ed38e24ef23eb
Opcode Fuzzy Hash: aeb144ef3b1690433ff582404c58d8e31139980a1cd54db4af01818ec1723c01
Instruction Fuzzy Hash: 30524D70508341CFDB19CF18C48475ABBE2FFA6304F158A5EE8958B3A6D778D885CB86

Function 004E6978 Relevance: 1.8, Strings: 1, Instructions: 530COMMON

Download Yara Rule

Strings

PIXT, xrefs: 004E69B5

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: PIXT
API String ID: 0-2338726976
Opcode ID: 95933a5cf607175a5f0df57d9fde8ae2841e41078bc2c60fa48b58b52608e0b2
Instruction ID: 88cf564ce8e3f10311d61e2a5024f4aca63768c446ef14bb0c4c54c77ca50a66
Opcode Fuzzy Hash: 95933a5cf607175a5f0df57d9fde8ae2841e41078bc2c60fa48b58b52608e0b2
Instruction Fuzzy Hash: 3F126170E041899FDB10EFAEC441AAEBBB1EF68314F11456AE854E7342D638DE41DB58

Function 004CC990 Relevance: 1.8, Strings: 1, Instructions: 517COMMON

Download Yara Rule

Strings

PSD/PDD, xrefs: 004CCA8F

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: FlushOffsetRect
String ID: PSD/PDD
API String ID: 1860502862-3902352457
Opcode ID: 4406275225f4c49322fc2eb0d048eeacba47579bf734749fb83f331ca2c1c8ac
Instruction ID: 0b68088b644d553491eca00efdf287c559d1d25d6c73a1c6d0ec1f6fee1f28c3
Opcode Fuzzy Hash: 4406275225f4c49322fc2eb0d048eeacba47579bf734749fb83f331ca2c1c8ac
Instruction Fuzzy Hash: A922AE78E002099FCB80DFA9D581ADDBBF1FF48314F2481AAE919A7351D734AE418F58

Function 0049A010 Relevance: 1.8, APIs: 1, Instructions: 253COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a75ef5eaf5fa4e396d24ababcd9a4a772aa66962c398cdc752cc07dd21660eb
Instruction ID: 6f32e376c423b0c08d3ad0a121c0b39aa4ca2e1e70502d77f32762e573e770a0
Opcode Fuzzy Hash: 4a75ef5eaf5fa4e396d24ababcd9a4a772aa66962c398cdc752cc07dd21660eb
Instruction Fuzzy Hash: E0A1FB75A00208DFCB04DFA9C581A9EBBF5FF89304F2181AAED04AB356D735AE41DB54

Function 004F1088 Relevance: 1.6, Strings: 1, Instructions: 390COMMON

Download Yara Rule

Strings

, xrefs: 004F1244

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 7ef2f9938fcf5fb3bbddd0854b1012eecedf511c46242ac48360cbcda20a709e
Instruction ID: 13af1216db14f48b5102094643a1e310b0aec9de3d34a03e247ad3e02972eebc
Opcode Fuzzy Hash: 7ef2f9938fcf5fb3bbddd0854b1012eecedf511c46242ac48360cbcda20a709e
Instruction Fuzzy Hash: 67027E78608245DFD349DF18C094A2AB7F2EF99304F24CA9ED5854B366C736E882CF52

Function 004F7760 Relevance: 1.6, Strings: 1, Instructions: 389COMMON

Download Yara Rule

Strings

, xrefs: 004F7ACA

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 557200104f406de20ec338f1439a1d9b9578e08132c0d23b19a10e718a0d9e01
Instruction ID: b5a9eade2d722d9f739d22ed67a01db5b56ea310a437d5108f3e7f7ff996aa24
Opcode Fuzzy Hash: 557200104f406de20ec338f1439a1d9b9578e08132c0d23b19a10e718a0d9e01
Instruction Fuzzy Hash: 94129174E0424A9FCB04CFA8C5909EEBBF2FF49314F24815AD855AB355D734A982CF94

Function 00473D64 Relevance: 1.6, Strings: 1, Instructions: 372COMMON

Download Yara Rule

Strings

@=G, xrefs: 00473DDB, 00474192

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: @=G
API String ID: 0-227264607
Opcode ID: 057c7c8c7be3ee7c4c579042b0bd0c7ae2efb1d06f792d9b252e868233b09bab
Instruction ID: cd18552fb84c155f6026860be6e684354b0895a7ae7e60110256bee86ae74bd4
Opcode Fuzzy Hash: 057c7c8c7be3ee7c4c579042b0bd0c7ae2efb1d06f792d9b252e868233b09bab
Instruction Fuzzy Hash: 93F1E374A0060A9FCB20DF99C4819AEF7F2FF88314F24866AE459A7355D734E982CF54

Function 00409996 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 004099B9

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: DiskFreeSpace
String ID:
API String ID: 1705453755-0
Opcode ID: 56636f80f8176e7f785ab2a29698e1686f14b4106ad9e8c3892e951ff906e81c
Instruction ID: 4e5c451eefbaba04fd70ce62acaf46e057f6f7fb0e0251704f51b4bfef687198
Opcode Fuzzy Hash: 56636f80f8176e7f785ab2a29698e1686f14b4106ad9e8c3892e951ff906e81c
Instruction Fuzzy Hash: 7011C3B5A00109AFDB04CF99C8819AFB7F9EFC8314B54C569A509EB255E6319E018BA4

Function 0043504C Relevance: 1.5, APIs: 1, Instructions: 41nativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 004350B1

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: NtdllProc_Window
String ID:
API String ID: 4255912815-0
Opcode ID: 975482edda59c58fea9316b157a1b29263a1dfa51b0a883583f099fb3179b404
Instruction ID: c7e2ca23b72e6199a4e3fcd80179c9d53998486e017de9dfd02be68c9f78b085
Opcode Fuzzy Hash: 975482edda59c58fea9316b157a1b29263a1dfa51b0a883583f099fb3179b404
Instruction Fuzzy Hash: CDF06276608644AF9B14DE9AD881C96B7FCEB4D72075140B6F904D7641D276AD008BA4

Function 0040680A Relevance: 1.5, APIs: 1, Instructions: 38COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,00406872), ref: 00406832

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 733e2c765f3ca7fca0ae6c3ff36b10117c3136072b099959121336a536d9372c
Instruction ID: a185853ff122ada5d9580153f7d5c4a023c2652e370531f0f3f577c2d6a0da46
Opcode Fuzzy Hash: 733e2c765f3ca7fca0ae6c3ff36b10117c3136072b099959121336a536d9372c
Instruction Fuzzy Hash: EAF0CD71A04309AFE715EFA1CC51AAFB3B6F7C4714F40C57AA510B75C0E7786A04C684

Function 0040680C Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,00406872), ref: 00406832

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: a2c06219047754c5ea57ba583d72bf084450101058aa4234e4a89dcfa73a95ff
Instruction ID: 29b3bcc85a639fb1690354b5c198fe638388a697aa86c3154c0e8a448105b031
Opcode Fuzzy Hash: a2c06219047754c5ea57ba583d72bf084450101058aa4234e4a89dcfa73a95ff
Instruction Fuzzy Hash: E3F0CD71904309AFE715EFA1CC51A9FB3B6F7C4714F40C57AA510775C0D7786A04C684

Function 004361A4 Relevance: 1.5, APIs: 1, Instructions: 32clipboardCOMMON

Download Yara Rule

APIs

SetClipboardData.USER32(00000000), ref: 004361D4

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: ClipboardData
String ID:
API String ID: 2952336681-0
Opcode ID: 4c74228df97f1ca86c96fbec362272866c204f43c05151ab457dad0846295d5e
Instruction ID: ca68ab202b34ee1b1b9aeb8a001f24e4b73df0a80b401aaf2eac34e6c41abdae
Opcode Fuzzy Hash: 4c74228df97f1ca86c96fbec362272866c204f43c05151ab457dad0846295d5e
Instruction Fuzzy Hash: 5BF0EC70A14204BFCB04CF69CA51C2ABBFCEF4D30072240B6F800D7211DAB4ED00DAA4

Function 0040C44C Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040C46A

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: e2f6bb85904c992d27eff5d43d45629a3a7acb5d68e57777ec72ae42e4d601af
Instruction ID: 1a6c4334858c2ea06db05b4b52c564b52ef175afc32ef90a0b9268abf89bb910
Opcode Fuzzy Hash: e2f6bb85904c992d27eff5d43d45629a3a7acb5d68e57777ec72ae42e4d601af
Instruction Fuzzy Hash: 2DE0D87270421457D310AA699CC69FA735CAB58310F00427FBE09E73C6EEB89D4442ED

Function 00436150 Relevance: 1.5, APIs: 1, Instructions: 28clipboardCOMMON

Download Yara Rule

APIs

GetClipboardData.USER32(00000000), ref: 00436176

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: ClipboardData
String ID:
API String ID: 2952336681-0
Opcode ID: f54cd5da21a965272d5e437543ae66cca70342109594b4038ee0ea3b12fe329a
Instruction ID: 80f17d0e1c1e8a01532270f1bc5f9065a281d764f5768e6df9b0f994ba75cba3
Opcode Fuzzy Hash: f54cd5da21a965272d5e437543ae66cca70342109594b4038ee0ea3b12fe329a
Instruction Fuzzy Hash: 3BF0A070A04604AFCB00CF65C89581ABBF8FB4D71072284B2F804D7291DA34AD00DAA5

Function 0040C498 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0040DE2E,00000000,0040E047,?,?,00000000,00000000), ref: 0040C4AB

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 5d32ee54b27713dae6b558668f0811b1e9cea28660a1d26a28ad1fd658e51286
Instruction ID: 3dd52887d224f80f985d3a2f6d69d6c1a9fc16c0feb5374f8aac7370db0e9f18
Opcode Fuzzy Hash: 5d32ee54b27713dae6b558668f0811b1e9cea28660a1d26a28ad1fd658e51286
Instruction Fuzzy Hash: CDD05E6630D2506AE310965B6DC5DBB4AECDAC97A0F14453BFA49D6342D2288C0693B5

Function 0040ADE8 Relevance: 1.5, APIs: 1, Instructions: 22timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0040ADF0

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: LocalTime
String ID:
API String ID: 481472006-0
Opcode ID: 2c87f4ff2cc428fb1c68881bde1edcb6d3676a9583b7079f7252e17f393d4b2c
Instruction ID: d973a8048538195aa8490dbf47e6e2eca0501678c53f9d62c484e185f3a071f9
Opcode Fuzzy Hash: 2c87f4ff2cc428fb1c68881bde1edcb6d3676a9583b7079f7252e17f393d4b2c
Instruction Fuzzy Hash: 50E0A568408603A6C200BF55C4414AEB7A5AE98B44F408C5DF8D4423A1EB3584A9C76B

Function 004E5694 Relevance: 1.5, Strings: 1, Instructions: 249COMMON

Download Yara Rule

Strings

xVN, xrefs: 004E5701, 004E5718, 004E572F, 004E5746, 004E595D

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: xVN
API String ID: 0-3626399423
Opcode ID: e5a704862a3d997e7c1f8c2ace096e143210de171bc767c008cf56e2fb00348c
Instruction ID: 1cb3bac7b6e680e48246064168c967fe8097807bfe071df5cb78895e084ebc13
Opcode Fuzzy Hash: e5a704862a3d997e7c1f8c2ace096e143210de171bc767c008cf56e2fb00348c
Instruction Fuzzy Hash: 54916F71E005489FCB01DFAAC891AEEBBF5FF49315F14846AE845EB312D634AD41CB64

Function 004ACEF8 Relevance: 1.5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

Strings

D9B, xrefs: 004AD067

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: DeleteObject
String ID: D9B
API String ID: 1531683806-511987976
Opcode ID: 1a024186b6dec4ed6105e1f26f2e25f519c06650f1fa43d9b8fd1deb823e75d2
Instruction ID: 2f746e531044ec849fcae0d2e62cc9f749fbaa576a57d275cc1f793b8bbe758c
Opcode Fuzzy Hash: 1a024186b6dec4ed6105e1f26f2e25f519c06650f1fa43d9b8fd1deb823e75d2
Instruction Fuzzy Hash: 32A14974A002189FDB10DF65C981B8EB7F5FB49304F1081EAE808AB391DB75AE85CF54

Function 0048AEF4 Relevance: 1.5, Strings: 1, Instructions: 226COMMON

Download Yara Rule

Strings

dKS, xrefs: 0048B118

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: dKS
API String ID: 0-1366305902
Opcode ID: 05a6f3d2f6d93237ef63789cc9b9b867dc037cc9c82022b3073baae83ee7a861
Instruction ID: 85771b9530ade3d3eb8c50114095c935901e982d19fc58e12f0f7aaea0ba793c
Opcode Fuzzy Hash: 05a6f3d2f6d93237ef63789cc9b9b867dc037cc9c82022b3073baae83ee7a861
Instruction Fuzzy Hash: 78A17F70A042498FDB04DBA9C594BEEBBF1EF49304F1481BAD504BB3A1D7785E05CBA6

Function 004DAAF4 Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

Unable to decode file, xrefs: 004DAC0D

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: Unable to decode file
API String ID: 0-79868684
Opcode ID: 51ed837cc558d0eae20c792c27a255b6757bdea12cd02ea62d52723f70fcc0ce
Instruction ID: d50f06ac5b5073a298528e7734878d97b8ee1f6a80d975e2e9b37b1f961e42aa
Opcode Fuzzy Hash: 51ed837cc558d0eae20c792c27a255b6757bdea12cd02ea62d52723f70fcc0ce
Instruction Fuzzy Hash: 4761CE70B101098FDB10DFADC891AAEB7F6FB89304F158567E440D7315C638EE128B9A

Function 0046E87C Relevance: .9, Instructions: 912COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1c1e7f41d66ceda069363c7a0d61e3f21f3a2219595d87f372ebe0eff8ade29
Instruction ID: e98965c999073b177c5eef82bc11799985b62577169fc5a43ec71e9f38c59600
Opcode Fuzzy Hash: f1c1e7f41d66ceda069363c7a0d61e3f21f3a2219595d87f372ebe0eff8ade29
Instruction Fuzzy Hash: 45822535E042299FCB50CFA9D980AEEBBF1FF49304F1541AAE448AB352E6349A41CF55

Function 004D91D0 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e8bdd94459022f74a568e8a61ac222b3146e5318b4763d5bd0df5197e5b7df3
Instruction ID: 61593093bd14fb0615663c97ae36eb6bedaad7103cb6353b525b37a498e49df6
Opcode Fuzzy Hash: 7e8bdd94459022f74a568e8a61ac222b3146e5318b4763d5bd0df5197e5b7df3
Instruction Fuzzy Hash: 0E22A075A0455A9FDB00DFA9C890AAEB7F1FB99304F10416BE845EB352C738AE05CB94

Function 004F17D4 Relevance: .5, Instructions: 461COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b3bf51fb7542270328da32e46674860bab60a060f3a79d3bb8115602655b9c1
Instruction ID: 52ecd567e70f2e4235fd3c5558dada698b345ea4248a813446fdb15a2a94fb5b
Opcode Fuzzy Hash: 4b3bf51fb7542270328da32e46674860bab60a060f3a79d3bb8115602655b9c1
Instruction Fuzzy Hash: 09328E74E00259DFCF09CF98D9909EEBBB2BF89314F20826AD416AB254D734A946CF54

Function 00473430 Relevance: .4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ef712e3723d42f3fe4e68b050d81d9892adab74770c0323719135ac28422940
Instruction ID: 66642db0f5b76f20ee48bfa151f6308c63a38ff2424f66133dd97b59234062b9
Opcode Fuzzy Hash: 9ef712e3723d42f3fe4e68b050d81d9892adab74770c0323719135ac28422940
Instruction Fuzzy Hash: 02E113716047019FC714DF29C888A5BB7E1FB98309F108A2DF4A9CB355DB34EA4ADB46

Function 004EAFE8 Relevance: .3, Instructions: 305COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 704610c9ed082730d53bb9740c889caed42b57dcfc5a11d89a91384c28dc2e1e
Instruction ID: b8ab103aade638a93bbd1328185ab59070d35630c9d8daaad1bd625a0b17be76
Opcode Fuzzy Hash: 704610c9ed082730d53bb9740c889caed42b57dcfc5a11d89a91384c28dc2e1e
Instruction Fuzzy Hash: B8A1E231A001495BEB14EBAAC8413BFB7B2EF85314F50817AEA54EB782D63CDE46C754

Function 004DB344 Relevance: .2, Instructions: 245COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4703f985dcb42d6b1e477d1e58354ef7b9e1ad737f684bfdaad8ed53c2967c6e
Instruction ID: 8135948989ec9c5b989201541f8eb00510bdbcc0a05156797a8957d1b56a8f5d
Opcode Fuzzy Hash: 4703f985dcb42d6b1e477d1e58354ef7b9e1ad737f684bfdaad8ed53c2967c6e
Instruction Fuzzy Hash: A6915E71B00149DBDB00DFA9C991AAEB7F5EB88304F15817AE814B7392C739ED05CB98

Function 004B99D4 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eef7286dc15d362924f4be3c5d309ce6a490f2189785fb1e25b0287770ab66b1
Instruction ID: ab91c1130d9f585de852848002cb28e17ca1c2f7cb40bec8a1d25e51fe2216f8
Opcode Fuzzy Hash: eef7286dc15d362924f4be3c5d309ce6a490f2189785fb1e25b0287770ab66b1
Instruction Fuzzy Hash: 61B130B15042008FE74CCF19D489B85BBE1BF49318F1680AAD9098F3A7D7BAD985CF95

Function 004A3DB8 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8edbc22c7405612587b3705b247d0bc703d12d156190f4babee4519dbdbef6d2
Instruction ID: 88e71a2509e5cf245dd950556713d9586b7b5854b55d3e6faef91fcd4eba11f7
Opcode Fuzzy Hash: 8edbc22c7405612587b3705b247d0bc703d12d156190f4babee4519dbdbef6d2
Instruction Fuzzy Hash: 1561632278D68103E33D8E7D6CE02B7DAD35FD631862ED57DA4DAC3F42E86EA4165108

Function 004A44FC Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 541b5c93655ccc8afebc73664aad9e6f334c45aedf271df2dc3f292001414c40
Instruction ID: 2317bd4cf965034dacd6dcd7e49cc6edc3f612d01cfa9199504e39982549d98d
Opcode Fuzzy Hash: 541b5c93655ccc8afebc73664aad9e6f334c45aedf271df2dc3f292001414c40
Instruction Fuzzy Hash: 4D817C73D104774BEB628EA88C443A17392AFDD39EF5B42B0ED04BB64AD538BD5182C0

Function 0048EDA4 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5852e1992767a40f11465aaf82952d6fea3d7ed543abeb2f2b95017b6ae57e60
Instruction ID: 436b682a475362257544aae6ce2f0cc71f9c6202330ef3948b8e845e24ca7c83
Opcode Fuzzy Hash: 5852e1992767a40f11465aaf82952d6fea3d7ed543abeb2f2b95017b6ae57e60
Instruction Fuzzy Hash: 198184B1600B108BD7B4DF39C582A0BB7F4FF886483444A2EE096DBB96D675F915CB48

Function 004A4248 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2945ffd980141f8c97937d932ae03df8929420310ccb1ca70e5017797f4d2253
Instruction ID: 6a3d1eca5f7106a9b3fe82219fab7eef90cf1ad858b257a773d69962a5c3988f
Opcode Fuzzy Hash: 2945ffd980141f8c97937d932ae03df8929420310ccb1ca70e5017797f4d2253
Instruction Fuzzy Hash: 59712673D204779BEF608EA888443617392EFD925CFAF46B0DE05BB646C634BC5296D0

Function 004AC49C Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62346620ab677d3d95cd496c1290bc255244a89bf9595c847f234708a113b76f
Instruction ID: 4a3bbb392f4c130e15ed9e04f768be9019e8f56de0c1126e32751b6e70ee6978
Opcode Fuzzy Hash: 62346620ab677d3d95cd496c1290bc255244a89bf9595c847f234708a113b76f
Instruction Fuzzy Hash: 2B317E327682D25BC761AE6CCCC0676B7D6FB4A301B244B79EE98CB346C139D9469390

Function 0048ADBC Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3061623392b8b2c4a8ad746e9052c9e6da9aefd593d9a449f64d6345f7cba9e4
Instruction ID: f03a963fb8cac62d9ac7e670dd05319ff93cca1af7888db2988f9552ccd1b647
Opcode Fuzzy Hash: 3061623392b8b2c4a8ad746e9052c9e6da9aefd593d9a449f64d6345f7cba9e4
Instruction Fuzzy Hash: A0211C33D684F206DB74ADFD4C4023AB6D08B4A162B5B47B2DDC5FB586E11C9C9293E1

Function 00467270 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 929e65f0c90fbbc04021c26ed16fa91a7616c920a609b2e2ae2b9c4c207d77e9
Instruction ID: 18786e2d680a08836a65d3bc23d62983b0e63d208fea493891718a41fee39235
Opcode Fuzzy Hash: 929e65f0c90fbbc04021c26ed16fa91a7616c920a609b2e2ae2b9c4c207d77e9
Instruction Fuzzy Hash: FC21AD3490C1999BDB14CFA994A05EEBFB19F4A208F2481FAC8A1D7356E1344615D784

Function 004662E4 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a35edd85d241dc68653b4c380b6aa8caa8bd952efb0c9537444741b00ada9645
Instruction ID: 0e40c4513e33e78aa59b481bc9cc09f98931429571f6ef5fbecb416ebf8ef550
Opcode Fuzzy Hash: a35edd85d241dc68653b4c380b6aa8caa8bd952efb0c9537444741b00ada9645
Instruction Fuzzy Hash:

Function 00406DEA Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b12964de0a963589df2cc3d312907d68ad20bed97cff7c39fb39673166ab926c
Instruction ID: 11cbac9f05c0bec0d23d4d1fe477ff06d069409e0a4ea82d5a05209bc21fa05c
Opcode Fuzzy Hash: b12964de0a963589df2cc3d312907d68ad20bed97cff7c39fb39673166ab926c
Instruction Fuzzy Hash:

Function 0042F7E4 Relevance: 166.5, APIs: 48, Strings: 47, Instructions: 266libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(uxtheme.dll,00000000,0042FB97), ref: 0042F81A
GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0042F832
GetProcAddress.KERNEL32(00000000,CloseThemeData), ref: 0042F844
GetProcAddress.KERNEL32(00000000,DrawThemeBackground), ref: 0042F856
GetProcAddress.KERNEL32(00000000,DrawThemeText), ref: 0042F868
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0042F87A
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundContentRect), ref: 0042F88C
GetProcAddress.KERNEL32(00000000,GetThemePartSize), ref: 0042F89E
GetProcAddress.KERNEL32(00000000,GetThemeTextExtent), ref: 0042F8B0
GetProcAddress.KERNEL32(00000000,GetThemeTextMetrics), ref: 0042F8C2
GetProcAddress.KERNEL32(00000000,GetThemeBackgroundRegion), ref: 0042F8D4
GetProcAddress.KERNEL32(00000000,HitTestThemeBackground), ref: 0042F8E6
GetProcAddress.KERNEL32(00000000,DrawThemeEdge), ref: 0042F8F8
GetProcAddress.KERNEL32(00000000,DrawThemeIcon), ref: 0042F90A
GetProcAddress.KERNEL32(00000000,IsThemePartDefined), ref: 0042F91C
GetProcAddress.KERNEL32(00000000,IsThemeBackgroundPartiallyTransparent), ref: 0042F92E
GetProcAddress.KERNEL32(00000000,GetThemeColor), ref: 0042F940
GetProcAddress.KERNEL32(00000000,GetThemeMetric), ref: 0042F952
GetProcAddress.KERNEL32(00000000,GetThemeString), ref: 0042F964
GetProcAddress.KERNEL32(00000000,GetThemeBool), ref: 0042F976
GetProcAddress.KERNEL32(00000000,GetThemeInt), ref: 0042F988
GetProcAddress.KERNEL32(00000000,GetThemeEnumValue), ref: 0042F99A
GetProcAddress.KERNEL32(00000000,GetThemePosition), ref: 0042F9AC
GetProcAddress.KERNEL32(00000000,GetThemeFont), ref: 0042F9BE
GetProcAddress.KERNEL32(00000000,GetThemeRect), ref: 0042F9D0
GetProcAddress.KERNEL32(00000000,GetThemeMargins), ref: 0042F9E2
GetProcAddress.KERNEL32(00000000,GetThemeIntList), ref: 0042F9F4
GetProcAddress.KERNEL32(00000000,GetThemePropertyOrigin), ref: 0042FA06
GetProcAddress.KERNEL32(00000000,SetWindowTheme), ref: 0042FA18
GetProcAddress.KERNEL32(00000000,GetThemeFilename), ref: 0042FA2A
GetProcAddress.KERNEL32(00000000,GetThemeSysColor), ref: 0042FA3C
GetProcAddress.KERNEL32(00000000,GetThemeSysColorBrush), ref: 0042FA4E
GetProcAddress.KERNEL32(00000000,GetThemeSysBool), ref: 0042FA60
GetProcAddress.KERNEL32(00000000,GetThemeSysSize), ref: 0042FA72
GetProcAddress.KERNEL32(00000000,GetThemeSysFont), ref: 0042FA84
GetProcAddress.KERNEL32(00000000,GetThemeSysString), ref: 0042FA96
GetProcAddress.KERNEL32(00000000,GetThemeSysInt), ref: 0042FAA8
GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 0042FABA
GetProcAddress.KERNEL32(00000000,IsAppThemed), ref: 0042FACC
GetProcAddress.KERNEL32(00000000,GetWindowTheme), ref: 0042FADE
GetProcAddress.KERNEL32(00000000,EnableThemeDialogTexture), ref: 0042FAF0
GetProcAddress.KERNEL32(00000000,IsThemeDialogTextureEnabled), ref: 0042FB02
GetProcAddress.KERNEL32(00000000,GetThemeAppProperties), ref: 0042FB14
GetProcAddress.KERNEL32(00000000,SetThemeAppProperties), ref: 0042FB26
GetProcAddress.KERNEL32(00000000,GetCurrentThemeName), ref: 0042FB38
GetProcAddress.KERNEL32(00000000,GetThemeDocumentationProperty), ref: 0042FB4A
GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground), ref: 0042FB5C
GetProcAddress.KERNEL32(00000000,EnableTheming), ref: 0042FB6E

Strings

DrawThemeIcon, xrefs: 0042F902
DrawThemeParentBackground, xrefs: 0042FB54
GetCurrentThemeName, xrefs: 0042FB30
DrawThemeEdge, xrefs: 0042F8F0
GetThemeFilename, xrefs: 0042FA22
GetThemeTextExtent, xrefs: 0042F8A8
GetThemeInt, xrefs: 0042F980
HitTestThemeBackground, xrefs: 0042F8DE
GetThemeIntList, xrefs: 0042F9EC
GetThemeFont, xrefs: 0042F9B6
GetThemeRect, xrefs: 0042F9C8
IsThemeDialogTextureEnabled, xrefs: 0042FAFA
EnableTheming, xrefs: 0042FB66
GetThemeAppProperties, xrefs: 0042FB0C
GetThemeSysString, xrefs: 0042FA8E
GetThemeSysColorBrush, xrefs: 0042FA46
GetThemeTextMetrics, xrefs: 0042F8BA
IsThemePartDefined, xrefs: 0042F914
GetThemeSysFont, xrefs: 0042FA7C
GetThemeDocumentationProperty, xrefs: 0042FB42
DrawThemeText, xrefs: 0042F860
GetThemeMetric, xrefs: 0042F94A
GetThemePartSize, xrefs: 0042F896
GetThemeSysInt, xrefs: 0042FAA0
GetThemeBackgroundContentRect, xrefs: 0042F872, 0042F884
SetThemeAppProperties, xrefs: 0042FB1E
GetThemeMargins, xrefs: 0042F9DA
CloseThemeData, xrefs: 0042F83C
IsAppThemed, xrefs: 0042FAC4
GetThemeSysBool, xrefs: 0042FA58
GetThemePropertyOrigin, xrefs: 0042F9FE
GetThemeBackgroundRegion, xrefs: 0042F8CC
IsThemeBackgroundPartiallyTransparent, xrefs: 0042F926
GetThemeSysSize, xrefs: 0042FA6A
GetThemeColor, xrefs: 0042F938
GetWindowTheme, xrefs: 0042FAD6
OpenThemeData, xrefs: 0042F82A
GetThemeEnumValue, xrefs: 0042F992
GetThemePosition, xrefs: 0042F9A4
GetThemeString, xrefs: 0042F95C
SetWindowTheme, xrefs: 0042FA10
DrawThemeBackground, xrefs: 0042F84E
GetThemeBool, xrefs: 0042F96E
uxtheme.dll, xrefs: 0042F815
GetThemeSysColor, xrefs: 0042FA34
EnableThemeDialogTexture, xrefs: 0042FAE8
IsThemeActive, xrefs: 0042FAB2

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: CloseThemeData$DrawThemeBackground$DrawThemeEdge$DrawThemeIcon$DrawThemeParentBackground$DrawThemeText$EnableThemeDialogTexture$EnableTheming$GetCurrentThemeName$GetThemeAppProperties$GetThemeBackgroundContentRect$GetThemeBackgroundRegion$GetThemeBool$GetThemeColor$GetThemeDocumentationProperty$GetThemeEnumValue$GetThemeFilename$GetThemeFont$GetThemeInt$GetThemeIntList$GetThemeMargins$GetThemeMetric$GetThemePartSize$GetThemePosition$GetThemePropertyOrigin$GetThemeRect$GetThemeString$GetThemeSysBool$GetThemeSysColor$GetThemeSysColorBrush$GetThemeSysFont$GetThemeSysInt$GetThemeSysSize$GetThemeSysString$GetThemeTextExtent$GetThemeTextMetrics$GetWindowTheme$HitTestThemeBackground$IsAppThemed$IsThemeActive$IsThemeBackgroundPartiallyTransparent$IsThemeDialogTextureEnabled$IsThemePartDefined$OpenThemeData$SetThemeAppProperties$SetWindowTheme$uxtheme.dll
API String ID: 2238633743-2910565190
Opcode ID: 59f864e6a618093bc764ec02e6e258cda9e9137c8b18c183cf093a543bdac21c
Instruction ID: 4a4d3c8dae220b8c10cc1b562dd6f309b2270a84d7ee490acf332df04daffbf1
Opcode Fuzzy Hash: 59f864e6a618093bc764ec02e6e258cda9e9137c8b18c183cf093a543bdac21c
Instruction Fuzzy Hash: 91A125B1B54660AFDF00EBB5FA82E2537B8EF95700391057BB401DF291C6BC9818DB29

Function 0040F2D0 Relevance: 42.1, APIs: 1, Strings: 23, Instructions: 141COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 0040F2D9

Part of subcall function 0040F2A4: GetProcAddress.KERNEL32(00000000), ref: 0040F2BD

Strings

VarMul, xrefs: 0040F355
VarBstrFromCy, xrefs: 0040F489
oleaut32.dll, xrefs: 0040F2D4
VarNeg, xrefs: 0040F2FD
VarDateFromStr, xrefs: 0040F447
VarBoolFromStr, xrefs: 0040F473
VarR4FromStr, xrefs: 0040F41B
VarIdiv, xrefs: 0040F381
VarMod, xrefs: 0040F397
VariantChangeTypeEx, xrefs: 0040F2E7
VarXor, xrefs: 0040F3D9
VarI4FromStr, xrefs: 0040F405
VarR8FromStr, xrefs: 0040F431
VarAnd, xrefs: 0040F3AD
VarCyFromStr, xrefs: 0040F45D
VarNot, xrefs: 0040F313
VarSub, xrefs: 0040F33F
VarOr, xrefs: 0040F3C3
VarDiv, xrefs: 0040F36B
VarCmp, xrefs: 0040F3EF
VarBstrFromDate, xrefs: 0040F49F
VarBstrFromBool, xrefs: 0040F4B5
VarAdd, xrefs: 0040F329

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
API String ID: 1646373207-1918263038
Opcode ID: 22f3c063ca6793b496059884c4234611d99649a1a2678124d16dc5dc8016fda9
Instruction ID: a90c8b490043de3605a1bf824df29d9c861a51eb077e70e58ebe5cfb0e2291ad
Opcode Fuzzy Hash: 22f3c063ca6793b496059884c4234611d99649a1a2678124d16dc5dc8016fda9
Instruction Fuzzy Hash: 774140615042086BD324BB6E790252673E8DAA4704360C47FB404FBFE6DB3DAC4D9A7C

Function 004983FC Relevance: 28.4, APIs: 15, Strings: 1, Instructions: 433timeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM(?,?,00000000,004989AE,?,00000000,004989BF), ref: 004984A8

Strings

d, xrefs: 0049862F

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Timetime
String ID: d
API String ID: 17336451-2564639436
Opcode ID: e98bf90b20905a5916708a2b840fb684f572ea029c6e0c1236aeccb4747347a8
Instruction ID: 914b57a91b480fac3c148384d4dacffd4509fe0f0b45473e3449e659cf57cab9
Opcode Fuzzy Hash: e98bf90b20905a5916708a2b840fb684f572ea029c6e0c1236aeccb4747347a8
Instruction Fuzzy Hash: D7120C74A04248EFDF10DFACC585B9DBBF1AF06304F2540AAE404AB362C7789E45DB55

Function 004324AC Relevance: 26.7, APIs: 11, Strings: 4, Instructions: 454windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00431FD4: SystemParametersInfoA.USER32(00000029,00000000,00000154,00000000), ref: 00432011
Part of subcall function 00431FD4: CreateFontIndirectA.GDI32(?), ref: 0043201E

Part of subcall function 00431E08: GetTextExtentPointA.GDI32(00000000,00000034,00000034,?), ref: 00431E43

MulDiv.KERNEL32(00000008,?,00000004), ref: 00432559
MulDiv.KERNEL32(00000008,?,00000008), ref: 00432569
MulDiv.KERNEL32(0000000A,?,00000004), ref: 00432576
MulDiv.KERNEL32(0000000A,?,00000008), ref: 00432583
MulDiv.KERNEL32(00000032,?,00000004), ref: 00432590
DrawTextA.USER32(00000000,00000000,000000FF,?,00000000), ref: 00432603
MulDiv.KERNEL32(0000000E,?,00000008), ref: 00432636
MulDiv.KERNEL32(00000004,?,00000004), ref: 00432646
SetRect.USER32(?,00000000,00000000,00000000,00000000), ref: 0043266C
DrawTextA.USER32(00000000,00000000,00000001,?,00000000), ref: 004326A4
LoadIconA.USER32(00000000), ref: 00432800

Part of subcall function 00464754: GetWindowTextA.USER32(?,?,00000100), ref: 00464777

Strings

Message, xrefs: 00432849
t9S, xrefs: 00432950
, xrefs: 004326D0
Image, xrefs: 004327E5

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Text$Draw$CreateExtentFontIconIndirectInfoLoadParametersPointRectSystemWindow
String ID: $Image$Message$t9S
API String ID: 4220236395-2498284466
Opcode ID: 77e726f3df7e77a4137a2298774c71c58e5aa5f982384f5c90285d6ea62ab55a
Instruction ID: 0103f07d2410f192d4bb29aa767b0ccf560501507b91fba281c250d7c99e4aa5
Opcode Fuzzy Hash: 77e726f3df7e77a4137a2298774c71c58e5aa5f982384f5c90285d6ea62ab55a
Instruction Fuzzy Hash: 15027F74E002089FDB00EFA9C985B9DB7F5FF48308F14916AE914AB392C778AD45CB59

Function 00425E94 Relevance: 24.2, APIs: 16, Instructions: 248windowCOMMON

Download Yara Rule

APIs

SelectObject.GDI32(?,?), ref: 00425EEC
MaskBlt.GDI32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00425F67,?,?), ref: 00425F3B
SelectObject.GDI32(?,?), ref: 00425F55
DeleteObject.GDI32(?), ref: 00425F61
SelectObject.GDI32(?,?), ref: 00425FAB
StretchBlt.GDI32(?,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 0042602A
StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,?,?,?,?,00440328), ref: 0042604C
SetTextColor.GDI32(?,00000000), ref: 00426054
SetBkColor.GDI32(?,00FFFFFF), ref: 00426062
StretchBlt.GDI32(?,?,?,?,?,?,?,?,?,?,008800C6), ref: 0042608E
StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,00660046), ref: 004260B3
SetTextColor.GDI32(?,?), ref: 004260BD
SetBkColor.GDI32(?,?), ref: 004260C7
SelectObject.GDI32(?,00000000), ref: 004260DA
DeleteObject.GDI32(?), ref: 004260E3
DeleteDC.GDI32(?), ref: 0042610E

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Object$ColorSelectStretch$Delete$Text$Mask
String ID:
API String ID: 326492243-0
Opcode ID: f67a84046814da034142ce65a94de746e492c4cb41b415a422b6f27899265fc9
Instruction ID: e1db017f6df555e443f6397a59335503b0a83ad8602761020ac2475941837167
Opcode Fuzzy Hash: f67a84046814da034142ce65a94de746e492c4cb41b415a422b6f27899265fc9
Instruction Fuzzy Hash: 6681B4B1A04259AFDB50EFA9DD81EAF77FCAB0D714F110459FA18E7281C638ED008B65

Function 00407968 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 61registryclipboardwindowCOMMON

Download Yara Rule

APIs

FindWindowA.USER32(MouseZ,Magellan MSWHEEL), ref: 00407980
RegisterClipboardFormatA.USER32(MSWHEEL_ROLLMSG), ref: 0040798C
RegisterClipboardFormatA.USER32(MSH_WHEELSUPPORT_MSG), ref: 0040799B
RegisterClipboardFormatA.USER32(MSH_SCROLL_LINES_MSG), ref: 004079A7
SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 004079BF
SendMessageA.USER32(00000000,?,00000000,00000000), ref: 004079E3

Strings

MSWHEEL_ROLLMSG, xrefs: 00407987
MouseZ, xrefs: 0040797B
MSH_WHEELSUPPORT_MSG, xrefs: 00407996
MSH_SCROLL_LINES_MSG, xrefs: 004079A2
Magellan MSWHEEL, xrefs: 00407976

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: ClipboardFormatRegister$MessageSend$FindWindow
String ID: MSH_SCROLL_LINES_MSG$MSH_WHEELSUPPORT_MSG$MSWHEEL_ROLLMSG$Magellan MSWHEEL$MouseZ
API String ID: 1416857345-3736581797
Opcode ID: a652a34ccefb31ca474db751a83e47dbac5200056c08899811b8f5108a11fdf2
Instruction ID: a7ea0b2a7ab190df046fa92e9e2b0d8567f960b8ef129492408548317461016b
Opcode Fuzzy Hash: a652a34ccefb31ca474db751a83e47dbac5200056c08899811b8f5108a11fdf2
Instruction Fuzzy Hash: D21112B0B48305AFE7109F69CC82B6AB798EF54710F20453BB9456B3C0D6B97D408B6A

Function 004298DC Relevance: 18.2, APIs: 12, Instructions: 194windowCOMMON

Download Yara Rule

APIs

GetObjectA.GDI32(?,00000054,?), ref: 004298FF
73E9A570.USER32(00000000,00000000,00429AD7,?,?,00000054,?), ref: 0042992D
SelectObject.GDI32(?,00000000), ref: 00429973
PatBlt.GDI32(?,00000000,00000000,?,?,00000042), ref: 00429995
SelectObject.GDI32(?), ref: 004299EB
SetBkColor.GDI32(?), ref: 00429A26
SetBkColor.GDI32(?,00000000), ref: 00429A54
SelectObject.GDI32(?,00000000), ref: 00429A67
DeleteObject.GDI32 ref: 00429A73
DeleteDC.GDI32(?), ref: 00429A89
SelectObject.GDI32(?,00000000), ref: 00429AA4
DeleteDC.GDI32(00000000), ref: 00429AC0

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Object$Select$Delete$Color$A570
String ID:
API String ID: 3306858847-0
Opcode ID: 221a9b3f053d7484b8942ccfde4768bfd80d89e98cefe2f398227f7b141480f9
Instruction ID: 8c7ab3196d1779cf978a3bb94e077fc9b431080fa161f55c99d378178522c799
Opcode Fuzzy Hash: 221a9b3f053d7484b8942ccfde4768bfd80d89e98cefe2f398227f7b141480f9
Instruction Fuzzy Hash: A3512D71F04355ABDB10DBE99C46FAFB7FCAB08704F50446AB604EB2C1D678A940CB68

Function 0042CDF4 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 109COMMON

Download Yara Rule

APIs

EnumDisplayMonitors.USER32(?,?,?,?), ref: 0042CE2D
GetSystemMetrics.USER32(00000000), ref: 0042CE52
GetSystemMetrics.USER32(00000001), ref: 0042CE5D
GetClipBox.GDI32(?,?), ref: 0042CE6F
GetDCOrgEx.GDI32(?,?), ref: 0042CE7C
OffsetRect.USER32(?,?,?), ref: 0042CE95
IntersectRect.USER32(?,?,?), ref: 0042CEA6
IntersectRect.USER32(?,?,?), ref: 0042CEBC

Part of subcall function 0042C848: GetProcAddress.KERNEL32(76910000,00000000), ref: 0042C8C8

Strings

EnumDisplayMonitors, xrefs: 0042CE0C

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Rect$IntersectMetricsSystem$AddressClipDisplayEnumMonitorsOffsetProc
String ID: EnumDisplayMonitors
API String ID: 362875416-2491903729
Opcode ID: faae1c3df708dc615496fd283e33454bc787157529d7898d7411b3e28c500f6c
Instruction ID: de622c9c875c87ed24c822475d17d8763186b133f7b1dcc1ce7bfe2907808bcd
Opcode Fuzzy Hash: faae1c3df708dc615496fd283e33454bc787157529d7898d7411b3e28c500f6c
Instruction Fuzzy Hash: F6314F72E00219AFDB11DBA9EC80AEFB7BCEB19310F514127F915E3241D6389A058BB5

Function 0044CA84 Relevance: 16.7, APIs: 11, Instructions: 224COMMON

Download Yara Rule

APIs

GetClientRect.USER32(00000000,?), ref: 0044CADB
GetWindowRect.USER32(00000000,?), ref: 0044CAED
MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0044CB03
OffsetRect.USER32(?,?,?), ref: 0044CB18
ExcludeClipRect.GDI32(?,?,?,?,?,?,?,?,00000000,00000000,?,00000002,00000000,?,00000000,0044CCEA), ref: 0044CB31
InflateRect.USER32(?,00000000,00000000), ref: 0044CB4F
GetWindowLongA.USER32(00000000,000000F0), ref: 0044CBA5
DrawEdge.USER32(?,?,00000000,00000008), ref: 0044CC71
IntersectClipRect.GDI32(?,?,?,?,?), ref: 0044CC8A
OffsetRect.USER32(?,?,?), ref: 0044CCA9
FillRect.USER32(?,?,00000000), ref: 0044CCC5

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Rect$Window$ClipOffset$ClientDrawEdgeExcludeFillInflateIntersectLongPoints
String ID:
API String ID: 1573515177-0
Opcode ID: 287aa888fc3452c0f103b9c58a62bcbe6bc5483369055ad282bba400be49e9b5
Instruction ID: bfa61d8a80e37062637b0d33e2982eb7c37940c3b901d68276bb02a2c93baf0e
Opcode Fuzzy Hash: 287aa888fc3452c0f103b9c58a62bcbe6bc5483369055ad282bba400be49e9b5
Instruction Fuzzy Hash: 70912871E04148AFDB41DBA9C985FEEB7F9AF09304F1440A6F904E7251C739AE44DB64

Function 004029B0 Relevance: 16.6, APIs: 9, Strings: 2, Instructions: 109COMMON

Download Yara Rule

APIs

CharNextA.USER32(00000000,?,?,00000000,?,00402AC0,00000000,00402AED,?,?,?,00000000), ref: 004029E7
CharNextA.USER32(00000000,00000000,?,?,00000000,?,00402AC0,00000000,00402AED,?,?,?,00000000), ref: 004029F1
CharNextA.USER32(00000000,00000000,?,?,00000000,?,00402AC0,00000000,00402AED,?,?,?,00000000), ref: 00402A0E
CharNextA.USER32(00000000,?,?,00000000,?,00402AC0,00000000,00402AED,?,?,?,00000000), ref: 00402A18
CharNextA.USER32(00000000,00000000,?,?,00000000,?,00402AC0,00000000,00402AED,?,?,?,00000000), ref: 00402A41
CharNextA.USER32(00000000,00000000,00000000,?,?,00000000,?,00402AC0,00000000,00402AED,?,?,?,00000000), ref: 00402A4B
CharNextA.USER32(00000000,00000000,00000000,?,?,00000000,?,00402AC0,00000000,00402AED,?,?,?,00000000), ref: 00402A6F
CharNextA.USER32(00000000,00000000,?,?,00000000,?,00402AC0,00000000,00402AED,?,?,?,00000000), ref: 00402A79

Strings

", xrefs: 004029D1
", xrefs: 004029CC

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: CharNext
String ID: "$"
API String ID: 3213498283-3758156766
Opcode ID: 247e1fc6fd185e1701208ee6e0e989fa5825e317732fa7958044c18824aab2c7
Instruction ID: bfd035978699741461f7618ae54848c9b94a9bcf328f5d827199bdd2b2a4da68
Opcode Fuzzy Hash: 247e1fc6fd185e1701208ee6e0e989fa5825e317732fa7958044c18824aab2c7
Instruction Fuzzy Hash: CA2105847447811ADB312AB80EC87677B894B1A314B2801BF9491F73CBD8FC4C47976E

Function 00505A84 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 203COMMON

Download Yara Rule

APIs

CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 00505B00
GetClipRgn.GDI32(00000000,00000000), ref: 00505B10
CreateRectRgn.GDI32(?,?,?,?), ref: 00505B31
SelectClipRgn.GDI32(00000000,00000000), ref: 00505B45
DeleteObject.GDI32(00000000), ref: 00505B4E
DrawFrameControl.USER32(00000000,?,00000004,00000000), ref: 00505C41
SelectClipRgn.GDI32(00000000,00000000), ref: 00505C5C
DeleteObject.GDI32(00000000), ref: 00505C62

Strings

4YP, xrefs: 00505AB7

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Clip$CreateDeleteObjectRectSelect$ControlDrawFrame
String ID: 4YP
API String ID: 1967790632-3694207927
Opcode ID: 7384ecd6d5a5a27b648058c169d5ac85870a1182e1d01d816e90ec92fea2af31
Instruction ID: 2fa11a3b6589b523852c21dc6379652358754729f924101bfb3538797668613a
Opcode Fuzzy Hash: 7384ecd6d5a5a27b648058c169d5ac85870a1182e1d01d816e90ec92fea2af31
Instruction Fuzzy Hash: AF619571A046045FDF14EFB9D882BDEBBB5BF09308F44845AF411E7282DA78AC04CB29

Function 00449A7C Relevance: 15.2, APIs: 10, Instructions: 177windowCOMMON

Download Yara Rule

APIs

RectVisible.GDI32(00000000,?), ref: 00449B35
SaveDC.GDI32(00000000), ref: 00449B4B
IntersectClipRect.GDI32(00000000,00000000,00000000,?,?), ref: 00449B6E
RestoreDC.GDI32(00000000,00000000), ref: 00449B89
CreateSolidBrush.GDI32(00000000), ref: 00449C0A
FrameRect.USER32(00000000,?,?), ref: 00449C3D
DeleteObject.GDI32(?), ref: 00449C47
CreateSolidBrush.GDI32(00000000), ref: 00449C57
FrameRect.USER32(00000000,?,00000000), ref: 00449C8A
DeleteObject.GDI32(00000000), ref: 00449C94

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Rect$BrushCreateDeleteFrameObjectSolid$ClipIntersectRestoreSaveVisible
String ID:
API String ID: 375863564-0
Opcode ID: a9f51c1f53d2916aeb308c3ca33560b1706fa79161aa027cdcd67acd36fc038c
Instruction ID: 0d97f0ad5badd73d44ddf2754bca7e3de2a868c73ed3c3cc95e6f31bb03fb13b
Opcode Fuzzy Hash: a9f51c1f53d2916aeb308c3ca33560b1706fa79161aa027cdcd67acd36fc038c
Instruction Fuzzy Hash: 97514C716042459BEB14EF29C8C4B5B77E8AF88308F04445EFE898B386DB39EC45DB59

Function 00438548 Relevance: 15.1, APIs: 10, Instructions: 142COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(00000000,000000EC), ref: 00438563
GetWindowRect.USER32(00000000,?), ref: 0043857E
OffsetRect.USER32(?,?,?), ref: 00438593
GetWindowLongA.USER32(00000000,000000F0), ref: 004385D2
GetSystemMetrics.USER32(00000002), ref: 004385E7
GetSystemMetrics.USER32(00000003), ref: 004385F0
InflateRect.USER32(?,000000FE,000000FE), ref: 004385FF
GetSysColorBrush.USER32(0000000F), ref: 0043862C
FillRect.USER32(?,?,00000000), ref: 0043863A
ExcludeClipRect.GDI32(?,?,?,?,?,00000000,004386A3,?,00000000,?,?,?,00000000,?,00000000,000000EC), ref: 0043865F

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Rect$Window$LongMetricsSystem$BrushClipColorExcludeFillInflateOffset
String ID:
API String ID: 239630386-0
Opcode ID: f08a6797b143668b0c95f807d8c7eab55a30b9f8294e3d0a32f8e3f61b6b8b61
Instruction ID: d863946502bf7c4f4a957e009e65fd5f45e32e3fe4a3f9f06bca7e6111d8745f
Opcode Fuzzy Hash: f08a6797b143668b0c95f807d8c7eab55a30b9f8294e3d0a32f8e3f61b6b8b61
Instruction Fuzzy Hash: 9B412271E04149ABDB01EAE9CD86EDFB7BDEF49314F10056AF904F7191CA38AD418768

Function 00402D38 Relevance: 15.1, APIs: 10, Instructions: 129fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00402DC0
GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00402DE4
SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00402E00
ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000001,00000000), ref: 00402E21
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00402E4A
SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 00402E58
GetStdHandle.KERNEL32(000000F5), ref: 00402E93
GetFileType.KERNEL32(?,000000F5), ref: 00402EA9
CloseHandle.KERNEL32(?,?,000000F5), ref: 00402EC4
GetLastError.KERNEL32(000000F5), ref: 00402EDC

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
String ID:
API String ID: 1694776339-0
Opcode ID: 7c24209f2cf2d84b1f84bf29237fe32a02acf0e79bb2e12492c6d9ff63ba5fc0
Instruction ID: b8a3fdf711eef59d8ad8504431a6a0cbfa232888b3ac76dcfd5dab3ab586f966
Opcode Fuzzy Hash: 7c24209f2cf2d84b1f84bf29237fe32a02acf0e79bb2e12492c6d9ff63ba5fc0
Instruction Fuzzy Hash: 9E417E30544701AAE7306B24CA0DB6776A5BB00714F248A3FE4A6B66E0E7FD9881879D

Function 00460434 Relevance: 15.1, APIs: 10, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetSystemMenu.USER32(00000000,00000000), ref: 0046047F
DeleteMenu.USER32(00000000,0000F130,00000000,00000000,00000000), ref: 0046049D
DeleteMenu.USER32(00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 004604AA
DeleteMenu.USER32(00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 004604B7
DeleteMenu.USER32(00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 004604C4
DeleteMenu.USER32(00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000), ref: 004604D1
DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000), ref: 004604DE
DeleteMenu.USER32(00000000,0000F120,00000000,00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000), ref: 004604EB
EnableMenuItem.USER32(00000000,0000F020,00000001), ref: 00460509
EnableMenuItem.USER32(00000000,0000F030,00000001), ref: 00460525

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Menu$Delete$EnableItem$System
String ID:
API String ID: 3985193851-0
Opcode ID: 7b84cc764a934028e84db4b7ac003af528aafc471e83085afaf84b609a5303bf
Instruction ID: 4411743394293c15471ab9a23b16fd20c28961f583d2939724077bc83005abf5
Opcode Fuzzy Hash: 7b84cc764a934028e84db4b7ac003af528aafc471e83085afaf84b609a5303bf
Instruction Fuzzy Hash: B82150707443047EE320EA64CC8EF5A7BD89F04718F1480A9BA057F2D3D6B8F980865D

Function 0042A6E4 Relevance: 14.4, APIs: 6, Strings: 2, Instructions: 351COMMON

Download Yara Rule

APIs

73E9A570.USER32(00000000,?,00000000,0042AC01,?,?), ref: 0042A94E
SelectObject.GDI32(?,00000000), ref: 0042A9D2
GetLastError.KERNEL32(?,?,00000004,00000000,?,00000000,00000000,0042AA8B,?,?,00000000,00000001,00000001,00000001,00000001,00000000), ref: 0042AA40
SelectObject.GDI32(?,?), ref: 0042AA7F
DeleteObject.GDI32(00000000), ref: 0042AA85

Strings

BM, xrefs: 0042A808
(, xrefs: 0042A89D

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Object$Select$A570DeleteErrorLast
String ID: ($BM
API String ID: 2612784382-2980357723
Opcode ID: 34ed1f50ef2280744e5929652e31c2e03dbc59f7906271d5229b2aca82724ecc
Instruction ID: 5b4090eb44ed676c0641fb7e9264032050046bf9ecb97a5452f96abd07c6b867
Opcode Fuzzy Hash: 34ed1f50ef2280744e5929652e31c2e03dbc59f7906271d5229b2aca82724ecc
Instruction Fuzzy Hash: 67D14B74F002189FDF04DFA9D885AAEBBB5EF48304F50846AE905EB391D7389850CB69

Function 00449E00 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 133COMMON

Download Yara Rule

APIs

73E9A570.USER32(00000000), ref: 00449E4B
SelectObject.GDI32()C,?), ref: 00449E91
BeginPaint.USER32(00000000,?,00000000,00449F52,?,)C,?,00000000,00000000,00000000,00000000,?), ref: 00449EB3
EndPaint.USER32(00000000,?,00000000,00000000,00000000,?,?,)C,?,00000000,00000000,00000000,00000000,?), ref: 00449F20
SelectObject.GDI32()C,?), ref: 00449F3A
DeleteDC.GDI32()C), ref: 00449F43
DeleteObject.GDI32(?), ref: 00449F4C

Part of subcall function 00449924: BeginPaint.USER32(00000000,?,?,?,00000000), ref: 0044994A
Part of subcall function 00449924: EndPaint.USER32(00000000,?,00449A4B,?,?,00000000), ref: 00449A3E

Strings

)C, xrefs: 00449E8D, 00449EBA, 00449EBE, 00449ECD, 00449EEA, 00449F36, 00449F3F, 00449E90, 00449EBD, 00449EED, 00449F39, 00449F42

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Paint$Object$BeginDeleteSelect$A570
String ID: )C
API String ID: 3982538872-4099117812
Opcode ID: ad3e68ddc6dcacf0c87b446897da101322be30fd9adc85a4cb43d2d42bf63dcd
Instruction ID: 0b9b828483245cba80446af68dcd76790693591bc84e2b893b812bbd2b7be71a
Opcode Fuzzy Hash: ad3e68ddc6dcacf0c87b446897da101322be30fd9adc85a4cb43d2d42bf63dcd
Instruction Fuzzy Hash: DF413E71B00204AFDB10EBA9CD85F9EB7F8AB49704F10447AB909EB381DA78ED05D759

Function 00432B6C Relevance: 13.7, APIs: 9, Instructions: 237COMMON

Download Yara Rule

APIs

Part of subcall function 00431E08: GetTextExtentPointA.GDI32(00000000,00000034,00000034,?), ref: 00431E43

MulDiv.KERNEL32(000000B4,?,00000004), ref: 00432C00
MulDiv.KERNEL32(00000008,?,00000004), ref: 00432C45
MulDiv.KERNEL32(00000008,?,00000008), ref: 00432C5B
MulDiv.KERNEL32(000000A4,?,00000004), ref: 00432C74
MulDiv.KERNEL32(000000A4,?,00000004), ref: 00432CD1

Part of subcall function 0043BEF4: SendMessageA.USER32(00000000,000000B1,00000000,000000FF), ref: 0043BF08

MulDiv.KERNEL32(00000032,?,00000004), ref: 00432D0F
MulDiv.KERNEL32(0000000E,?,00000008), ref: 00432D1F

Part of subcall function 004067B4: LoadStringA.USER32(00000000,00010000,?,00000400), ref: 004067E5

MulDiv.KERNEL32(00000026,?,00000004), ref: 00432D7C
MulDiv.KERNEL32(0000005C,?,00000004), ref: 00432DE2

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: ExtentLoadMessagePointSendStringText
String ID:
API String ID: 3563132563-0
Opcode ID: c8e42cb2de1c7b63844c5c1f7dfc08a307831f7219f0e0d27d161c19f738a789
Instruction ID: e0b32944a47380bcd3f98e584992fe7bec1e1920a1ecf347abc5764ce97989b4
Opcode Fuzzy Hash: c8e42cb2de1c7b63844c5c1f7dfc08a307831f7219f0e0d27d161c19f738a789
Instruction Fuzzy Hash: 3E913174B006059FDB00EF69C882B9EB7F5EF48708F204169FA05AB356CB75AD05CB99

Function 0044506C Relevance: 13.6, APIs: 9, Instructions: 150COMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(?,?,?), ref: 004450A5
MulDiv.KERNEL32(?,?,?), ref: 004450BF
MulDiv.KERNEL32(?,?,?), ref: 004450ED
MulDiv.KERNEL32(?,?,?), ref: 00445103
MulDiv.KERNEL32(?,?,?), ref: 0044513B
MulDiv.KERNEL32(?,?,?), ref: 00445153
MulDiv.KERNEL32(?,?,0000001F), ref: 0044519D
MulDiv.KERNEL32(?,?,0000001F), ref: 004451C6
MulDiv.KERNEL32(00000000,?,0000001F), ref: 004451EC

Part of subcall function 00424B44: MulDiv.KERNEL32(00000000,?,00000048), ref: 00424B51

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d308ff55eab104072aad7d6131274e082dca374d3b187c7003ba7568a20c160
Instruction ID: 39fa0f2b82bda0c46b83642ca3711108bd6145c639a0ae722daf793db15b1e90
Opcode Fuzzy Hash: 9d308ff55eab104072aad7d6131274e082dca374d3b187c7003ba7568a20c160
Instruction Fuzzy Hash: FF513C75604B406FD720EB69C881B6BB7E8AF4A704F04485EB9DAC7353C679EC40CB69

Function 00425D00 Relevance: 13.6, APIs: 9, Instructions: 131windowCOMMON

Download Yara Rule

APIs

GetObjectA.GDI32(?,00000018,?), ref: 00425D41
73E9A570.USER32(00000000,00000000,00425E4E,?,00000000,00000000), ref: 00425D64
SelectObject.GDI32(?,?), ref: 00425DD2
SelectObject.GDI32(?,00000000), ref: 00425DE1
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,?,?,00CC0020), ref: 00425E0D
SelectObject.GDI32(?,00000000), ref: 00425E1B
SelectObject.GDI32(?,00000000), ref: 00425E29
DeleteDC.GDI32(?), ref: 00425E3F
DeleteDC.GDI32(?), ref: 00425E48

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Object$Select$Delete$A570Stretch
String ID:
API String ID: 1268976527-0
Opcode ID: 9388b17367c2ba0dd6f2715468a09f4364c7b9aca32e360079633af8fd65e6db
Instruction ID: 185bde9043df893a8ea57d6fe8e66cc7a87e24244276ee129d79240e58786593
Opcode Fuzzy Hash: 9388b17367c2ba0dd6f2715468a09f4364c7b9aca32e360079633af8fd65e6db
Instruction Fuzzy Hash: 56411F71E04619AFDB10EBE9DC46FAFB7BCEB08704F514466B604F7281D67869008769

Function 0040DD7C Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 201threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(00000000,0040E047,?,?,00000000,00000000), ref: 0040DDB2

Part of subcall function 0040C44C: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040C46A

Strings

m/d/yy, xrefs: 0040DE81
AMPM, xrefs: 0040DFC6
AMPM , xrefs: 0040DFD5
:mm:ss, xrefs: 0040E002
mmmm d, yyyy, xrefs: 0040DEAE
:mm, xrefs: 0040DFE5

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Locale$InfoThread
String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
API String ID: 4232894706-2493093252
Opcode ID: bfcdeefa77e3e2c252ea586e7129a8d4cd3a0ff328cbc81b8d97d3cc11de56e5
Instruction ID: 61faac803b5bbd7a324eb0e1d928bdfba3b3ce7d89adf05980ac74c7e7707700
Opcode Fuzzy Hash: bfcdeefa77e3e2c252ea586e7129a8d4cd3a0ff328cbc81b8d97d3cc11de56e5
Instruction Fuzzy Hash: E26167707001549BDB00F7AAD891A9E77B6EB85304F10893BB111BB3C6CA3DDD19572D

Function 0045500C Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 187windowCOMMON

Download Yara Rule

APIs

InsertMenuItemA.USER32(?,000000FF,000000FF,0000002C), ref: 004551B8
GetVersion.KERNEL32(00000000,00455267), ref: 004550A8

Part of subcall function 0045551C: CreatePopupMenu.USER32 ref: 00455537

Strings

L?E, xrefs: 00455075
?, xrefs: 004550C3
,, xrefs: 004550BC

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Menu$CreateInsertItemPopupVersion
String ID: ,$?$L?E
API String ID: 133695497-579155727
Opcode ID: b58483071477a620e0972ccab4907c267015f9d930d5689d710cbcd17a0cd75f
Instruction ID: 1153c4311d25c4f90da5bedb0801a6a5d6996579d9a95ef1f7e923829736c84e
Opcode Fuzzy Hash: b58483071477a620e0972ccab4907c267015f9d930d5689d710cbcd17a0cd75f
Instruction Fuzzy Hash: 0C612230A046449BDB10EF79DC916AA7BF6AF49304F0540BAED40E7397D738D809CB58

Function 004104D4 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0041056D
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00410589
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 004105C2
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0041063F
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 00410658
VariantCopy.OLEAUT32(?), ref: 0041068D

Strings

, xrefs: 004104EE

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: ArraySafe$BoundIndex$CopyCreateVariant
String ID:
API String ID: 351091851-3916222277
Opcode ID: 234b679ea6aacadab84f5360780f84a9e732a236cef452c0c7f4b9654739461b
Instruction ID: 02ffaedf14b6740128310bfd8605a9abfb1ff67a79af41414e017534beb6e736
Opcode Fuzzy Hash: 234b679ea6aacadab84f5360780f84a9e732a236cef452c0c7f4b9654739461b
Instruction Fuzzy Hash: 0D511E7590021D9BCB22DB59D881BD9B3BDAF4C304F0041EAF648E7212D678AFC48F69

Function 00464DD0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 132windowCOMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 00464DE3
GetWindowRect.USER32(?,?), ref: 00464E3D
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,?,?), ref: 00464E75
MessageBoxA.USER32(?,?,?,?), ref: 00464EB6
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,00464F2C), ref: 00464F06
SetActiveWindow.USER32(?,00464F2C), ref: 00464F17

Strings

(, xrefs: 00464E1A

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Window$Active$MessageRect
String ID: (
API String ID: 3147912190-3887548279
Opcode ID: 4803ee09c0254806ebd25409800c1a916c1ee0c05509a1e66bedccf116ad3eb7
Instruction ID: 7213369d51f7633061b81c78b6ea98f79b9665fdde096b74b0c46334232de19f
Opcode Fuzzy Hash: 4803ee09c0254806ebd25409800c1a916c1ee0c05509a1e66bedccf116ad3eb7
Instruction Fuzzy Hash: E7412A75E00108AFDB04DBA9CD81FAEB7F9FB88300F14846AF500E7791DA78AE048B55

Function 004284D4 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 122fileCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(?,000009EC,00000000), ref: 00428576
MulDiv.KERNEL32(?,000009EC,00000000), ref: 00428593
SetWinMetaFileBits.GDI32(00000016,?,00000000,00000008,?,000009EC,00000000,?,000009EC,00000000), ref: 004285BF
GetEnhMetaFileHeader.GDI32(00000016,00000064,?,00000016,?,00000000,00000008,?,000009EC,00000000,?,000009EC,00000000), ref: 004285DF
DeleteEnhMetaFile.GDI32(00000016), ref: 00428600
SetWinMetaFileBits.GDI32(00000016,?,00000000,00000008,00000016,00000064,?,00000016,?,00000000,00000008,?,000009EC,00000000,?,000009EC), ref: 00428613

Strings

`, xrefs: 0042855B

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: FileMeta$Bits$DeleteHeader
String ID: `
API String ID: 1990453761-2679148245
Opcode ID: d7eb93d330d0970479c3822882001caf25050a33c59e84d5d21de4e9a818d4c2
Instruction ID: 720ff8cb1d1229494b2dc8aebe285825cc547ebdf4b84877a901d25684682fd6
Opcode Fuzzy Hash: d7eb93d330d0970479c3822882001caf25050a33c59e84d5d21de4e9a818d4c2
Instruction Fuzzy Hash: 86411F75E00218AFDB00DFA9D885AAEB7F9EF48710F51816AF904FB241D7399D40CB69

Function 00453470 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 80libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0040D47C: 751C1540.VERSION(?,0040D564,?,?,00000000,?,00000000,?,00000000,0040D535,?,00000000,?,00000000,0040D552), ref: 0040D50D

GetModuleHandleA.KERNEL32(comctl32.dll), ref: 004534A4
GetProcAddress.KERNEL32(00000000,ImageList_WriteEx), ref: 004534B5

Strings

comctl32.dll, xrefs: 00453484
ImageList_WriteEx, xrefs: 004534AF
\~A, xrefs: 00453510, 00453545
comctl32.dll, xrefs: 0045349F
d(B, xrefs: 00453508, 0045353D

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: AddressC1540HandleModuleProc
String ID: ImageList_WriteEx$\~A$comctl32.dll$comctl32.dll$d(B
API String ID: 1553222790-3981968051
Opcode ID: 93f5aee790a24f47c583df5069b50c1de62e3ea30a43bfe475c46b958b62fdbd
Instruction ID: f1f616d778e6143c4459c6953d3745a6164c061cca038d9838260607f6d035f7
Opcode Fuzzy Hash: 93f5aee790a24f47c583df5069b50c1de62e3ea30a43bfe475c46b958b62fdbd
Instruction Fuzzy Hash: C3219570300204ABD701EF7ADC51A1A76B8AB55787B11143AFC05D73E2EB7C9E0CDA28

Function 0042CB78 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 68stringCOMMON

Download Yara Rule

APIs

GetMonitorInfoA.USER32(?,?), ref: 0042CBA9
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0042CBD0
GetSystemMetrics.USER32(00000000), ref: 0042CBE5
GetSystemMetrics.USER32(00000001), ref: 0042CBF0
lstrcpy.KERNEL32(?,DISPLAY), ref: 0042CC1A

Part of subcall function 0042C848: GetProcAddress.KERNEL32(76910000,00000000), ref: 0042C8C8

Strings

DISPLAY, xrefs: 0042CC11
GetMonitorInfo, xrefs: 0042CB90

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: System$InfoMetrics$AddressMonitorParametersProclstrcpy
String ID: DISPLAY$GetMonitorInfo
API String ID: 1539801207-1633989206
Opcode ID: 5f5d0c040e78c559501352974bc987694680289211ec8ddd5292ba72e6c48047
Instruction ID: 53ac5f5868e1425f8ec0b3d63ae51212c46c81455a52d884a4e843dee85f1667
Opcode Fuzzy Hash: 5f5d0c040e78c559501352974bc987694680289211ec8ddd5292ba72e6c48047
Instruction Fuzzy Hash: 6611AF327013255ED720CF66BC84BABB7B8EB05710F40892BFD4997340D6B4A8449BA9

Function 00401B78 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(0053D5C8), ref: 00401BA5
LocalFree.KERNEL32(008C3A88,00000000,M$), ref: 00401BB7
VirtualFree.KERNEL32(?,00000000,00008000,008C3A88,00000000,M$), ref: 00401BD6
LocalFree.KERNEL32(008C0E38,?,00000000,00008000,008C3A88,00000000,M$), ref: 00401C15
RtlLeaveCriticalSection.NTDLL(0053D5C8), ref: 00401C3E
RtlDeleteCriticalSection.NTDLL(0053D5C8), ref: 00401C48

Strings

M$, xrefs: 00401B8C

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
String ID: M$
API String ID: 3782394904-2649047301
Opcode ID: 4edd6c7ec0c2ec91341a55bd26b0b1e13ad33f8b0fb671cc910aac9d542a86b0
Instruction ID: 2d3450d33bfc8c8a3598e13e4e1ba3781a7d55c91203b354bdb38b74eca926b9
Opcode Fuzzy Hash: 4edd6c7ec0c2ec91341a55bd26b0b1e13ad33f8b0fb671cc910aac9d542a86b0
Instruction Fuzzy Hash: 23119DB1248A405BE325BB69BC46B163BB5F79574CF40003AF000A73F2E77C98549778

Function 00404520 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 38filewindowCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,004045EE,00000000,00000000,?,00000002,0040468E,00402883,004028CB,00000000,00000000), ref: 00404559
WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,004045EE,00000000,00000000,?,00000002,0040468E,00402883,004028CB,00000000), ref: 0040455F
GetStdHandle.KERNEL32(000000F5,004045A8,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,004045EE,00000000,00000000), ref: 00404574
WriteFile.KERNEL32(00000000,000000F5,004045A8,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,004045EE,00000000,00000000), ref: 0040457A
MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00404598

Strings

Runtime error at 00000000, xrefs: 00404552, 00404591
Error, xrefs: 0040458C

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: FileHandleWrite$Message
String ID: Error$Runtime error at 00000000
API String ID: 1570097196-2970929446
Opcode ID: ba491f1a775f50c8a2c60eb9f278c47d8a63e26e4360bbbd5b3bead34659e73c
Instruction ID: 6f9f2faf2e5b0b18d84477bed5677b1030923aa7d3df58365b8bc40e225edff5
Opcode Fuzzy Hash: ba491f1a775f50c8a2c60eb9f278c47d8a63e26e4360bbbd5b3bead34659e73c
Instruction Fuzzy Hash: 7DF0F6E468034039EB2073B1AD4BF5B2A785794B15F10467FB710F41E286BC85C89629

Function 00429DE0 Relevance: 12.2, APIs: 8, Instructions: 217windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0042A45C: 73E9A570.USER32(00000000,?,?,?,?,00428FA7,00000000,00429033), ref: 0042A4B2
Part of subcall function 0042A45C: CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,00428FA7,00000000,00429033), ref: 0042A4F5

GetBrushOrgEx.GDI32(?,?,0000000E,00000000,?,0000000C), ref: 00429E85
SetStretchBltMode.GDI32(?,00000004), ref: 00429E93
SetBrushOrgEx.GDI32(?,?,?,?,?,00000004,?,?,0000000E,00000000,?,0000000C), ref: 00429EAB
SetStretchBltMode.GDI32(00000000,00000003), ref: 00429EC8
SelectObject.GDI32(?,?), ref: 00429F3D
SelectObject.GDI32(?,00000000), ref: 00429F9C
DeleteDC.GDI32(00000000), ref: 00429FAB

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: BrushModeObjectSelectStretch$A570CreateDeleteHalftonePalette
String ID:
API String ID: 3467007361-0
Opcode ID: c6df95427e6415bdcde3adb1048860d6f2af673e8321a872812c87a12d8f96bc
Instruction ID: 9353c46e3c15fa8c8701dba72a7d6c36ebd38e76106e4f604d2a86ffa01ee243
Opcode Fuzzy Hash: c6df95427e6415bdcde3adb1048860d6f2af673e8321a872812c87a12d8f96bc
Instruction Fuzzy Hash: 4B713B71B04205AFCB50DFA9D985F5AB7F8AF0C304F5185AAB908EB391D638ED00CB59

Function 0042E85C Relevance: 12.2, APIs: 8, Instructions: 194memoryCOMMON

Download Yara Rule

APIs

GlobalUnWire.KERNEL32(?), ref: 0042E8A4
GlobalFree.KERNEL32(?), ref: 0042E8AD
GlobalFix.KERNEL32(?), ref: 0042E8BD
74AF6000.WINSPOOL.DRV(?,?,00000000,?,00000000,00000000,00000000), ref: 0042E9E6
GlobalAlloc.KERNEL32(00000042,00000000,00000000,?,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 0042EA1B
GlobalFix.KERNEL32(00000000), ref: 0042EA2A
GlobalUnWire.KERNEL32(00000000), ref: 0042EA4F
GlobalFree.KERNEL32(00000000), ref: 0042EA58

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Global$FreeWire$AllocF6000.
String ID:
API String ID: 3325778411-0
Opcode ID: 26b0192c1cb008ccc3046e3b4746045688865abaf6a9fdb5cc540c253ba67297
Instruction ID: bce736e3731dab0e38c57d6178e435befcaafabe6c8ab9d7617fd50507bc27ff
Opcode Fuzzy Hash: 26b0192c1cb008ccc3046e3b4746045688865abaf6a9fdb5cc540c253ba67297
Instruction Fuzzy Hash: 79714EB5A002249FDB10DF6AD880B9A77F9BF48314F5141AAE808DB346D734DD41CBA9

Function 00461758 Relevance: 12.1, APIs: 8, Instructions: 144windowCOMMON

Download Yara Rule

APIs

GetCapture.USER32 ref: 004617C9
GetCapture.USER32 ref: 004617D8
SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 004617DE
ReleaseCapture.USER32 ref: 004617E3
GetActiveWindow.USER32 ref: 0046180A
SendMessageA.USER32(00000000,0000B000,00000000,00000000), ref: 004618A0
SendMessageA.USER32(00000000,0000B001,00000000,00000000), ref: 0046190D
GetActiveWindow.USER32 ref: 0046191C

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: CaptureMessageSend$ActiveWindow$Release
String ID:
API String ID: 862346643-0
Opcode ID: 68e40ec1c56af53d0122211941642d2f277e2fdd4df5519f035eb7dd4fb58af6
Instruction ID: 1df3cd161e8221f339d730eff6ed483fb4abfb3a6a97dc460540cdab2c34296e
Opcode Fuzzy Hash: 68e40ec1c56af53d0122211941642d2f277e2fdd4df5519f035eb7dd4fb58af6
Instruction Fuzzy Hash: FD515D74A00244EFDB00EF6AD996B9EB7F5EB45704F1540BAF500A73A2D738AD04DB19

Function 00449CAC Relevance: 12.1, APIs: 8, Instructions: 123COMMON

Download Yara Rule

APIs

SaveDC.GDI32 ref: 00449CC2

Part of subcall function 00443D8C: GetWindowOrgEx.GDI32(00000000), ref: 00443D9A
Part of subcall function 00443D8C: SetWindowOrgEx.GDI32(00000000,00000000,00000000,00000000), ref: 00443DB0

IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 00449CE3
GetWindowLongA.USER32(00000000,000000EC), ref: 00449CF9
GetWindowLongA.USER32(00000000,000000F0), ref: 00449D1B
SetRect.USER32(?,00000000,00000000,?,?), ref: 00449D47
DrawEdge.USER32(?,?,?,00000000), ref: 00449D56
IntersectClipRect.GDI32(?,00000000,00000000,?,?), ref: 00449D7B
RestoreDC.GDI32(?,?), ref: 00449DEC

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Window$Rect$ClipIntersectLong$DrawEdgeRestoreSave
String ID:
API String ID: 2976466617-0
Opcode ID: 8165518b29ffe1b30565c5ac5f6cbd1f7e8d5a9a9282f3965eb7ae2a3f0ac3dc
Instruction ID: 03dd98818d507dd29d73a09491a475434bab1c8e7879643574f392e7bf68955c
Opcode Fuzzy Hash: 8165518b29ffe1b30565c5ac5f6cbd1f7e8d5a9a9282f3965eb7ae2a3f0ac3dc
Instruction Fuzzy Hash: 1E414471B04105ABEB10EEA9CC81F9F77B9AF45704F10416AF904EB382DA7CED0197A9

Function 004958DC Relevance: 10.8, APIs: 7, Instructions: 251windowCOMMON

Download Yara Rule

APIs

SelectObject.GDI32(?,?), ref: 00495934
MaskBlt.GDI32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,004959AF,?,?), ref: 00495983
SelectObject.GDI32(?,?), ref: 0049599D
DeleteObject.GDI32(?), ref: 004959A9
SelectObject.GDI32(?,?), ref: 00495A09
SelectObject.GDI32(?,?), ref: 00495A6F
SelectObject.GDI32(?,00000000), ref: 00495B73

Part of subcall function 0048CC3C: GetLastError.KERNEL32(00000000,0048CD1B), ref: 0048CC6A
Part of subcall function 0048CC3C: FormatMessageA.KERNEL32(00001000,00000000,00000000,00000400,?,00000100,00000000,00000000,0048CD1B), ref: 0048CC90

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Object$Select$DeleteErrorFormatLastMaskMessage
String ID:
API String ID: 3567892783-0
Opcode ID: ca63879169974d15482942c38e9293439ed4b635795f6ffe4323442a0dbdb6a4
Instruction ID: 172b58c118f3631039cc06e5481bd4bde04f7b2eff4e767383fe09fe91a9eb17
Opcode Fuzzy Hash: ca63879169974d15482942c38e9293439ed4b635795f6ffe4323442a0dbdb6a4
Instruction Fuzzy Hash: EA91A0B1A00609AFDB51DFA9DC91EAF7BFCEB0D704F114465FA18E7681C238E8108B65

Function 0044D2A4 Relevance: 10.7, APIs: 7, Instructions: 156COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,000000FF,?,?,?,?,00000010,00000000,0044D47D), ref: 0044D389
GetTickCount.KERNEL32 ref: 0044D38E
SystemParametersInfoA.USER32(00001016,00000000,?,00000000), ref: 0044D3C9
SystemParametersInfoA.USER32(00001018,00000000,00000000,00000000), ref: 0044D3E1
AnimateWindow.USER32(00000000,00000064,00000001), ref: 0044D427
ShowWindow.USER32(00000000,00000004,00000000,000000FF,?,?,?,?,00000010,00000000,0044D47D), ref: 0044D44A

Part of subcall function 004504F8: GetCursorPos.USER32(?), ref: 004504FC

GetTickCount.KERNEL32 ref: 0044D464

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Window$CountInfoParametersSystemTick$AnimateCursorShow
String ID:
API String ID: 3024527889-0
Opcode ID: 184ac248c92e2c0d0330a5361ed3bf91f2904f9e0bddcd8045c70450f3852705
Instruction ID: 69d1a046b261efe233482c0add9d748ead9e3fe8da34d9f316f5b3acb09b869f
Opcode Fuzzy Hash: 184ac248c92e2c0d0330a5361ed3bf91f2904f9e0bddcd8045c70450f3852705
Instruction Fuzzy Hash: F3512C74A00109EFEB10DFA9C986E9EB7F5EF05344F20446AE500EB391D779AE40DB99

Function 0042EEB4 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 151COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000001,00000000,00000005,00000000,00000000,?,?,00000000,0042F091,?,00000000,?,?,?,0042EC6C), ref: 0042EF0A
GetLastError.KERNEL32(00000001,00000000,00000005,00000000,00000000,?,?,00000000,0042F091,?,00000000,?,?,?,0042EC6C), ref: 0042EF14

Part of subcall function 004067B4: LoadStringA.USER32(00000000,00010000,?,00000400), ref: 004067E5

GetProfileStringA.KERNEL32(windows,device,0042F0A0,?,000003FF), ref: 0042EF9F

Strings

windows, xrefs: 0042EF9A
zB, xrefs: 0042EFE6
device, xrefs: 0042EF95

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: ErrorLastString$LoadProfile
String ID: device$windows$zB
API String ID: 1759087498-2908805104
Opcode ID: 2d9938ac1c18159c8556ad8fa7a6982f86879950b618a5395ef3391ca9102822
Instruction ID: 1af2ce5cb2658a0b1bf5f20b61a60f15fbacef7dc96cf19b4f64c5fa56dec5a2
Opcode Fuzzy Hash: 2d9938ac1c18159c8556ad8fa7a6982f86879950b618a5395ef3391ca9102822
Instruction Fuzzy Hash: 9B516170B00218AFDB10EF66DC42B9EB7F8EF48304FA144BBF604E7291D6789D458A59

Function 00442DC4 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 139threadCOMMON

Download Yara Rule

APIs

Part of subcall function 00443214: WindowFromPoint.USER32(0D,?,00000000,00442DDE,?,-0000000C,?), ref: 0044321A
Part of subcall function 00443214: GetParent.USER32(00000000), ref: 00443231

GetWindow.USER32(00000000,00000004), ref: 00442DE6
GetCurrentThreadId.KERNEL32 ref: 00442EBA
GetWindowRect.USER32(00000000,?), ref: 00442ED7
IntersectRect.USER32(?,?,?), ref: 00442F45

Part of subcall function 00442330: GetWindowThreadProcessId.USER32(00000000), ref: 0044233D
Part of subcall function 00442330: GetCurrentProcessId.KERNEL32(?,?,00000000,004648FB,?,?,00AA16DC,00000001,00464A67,?,?,?,00AA16DC), ref: 00442346
Part of subcall function 00442330: GlobalFindAtomA.KERNEL32(00000000), ref: 0044235B
Part of subcall function 00442330: GetPropA.USER32(00000000,00000000), ref: 00442372

Strings

0D, xrefs: 00442EEB, 00442EA2, 00442EE3, 00442EDC
0D, xrefs: 00442DD3, 00442E4B, 00442E74, 00442E89, 00442E58

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Window$CurrentProcessRectThread$AtomFindFromGlobalIntersectParentPointProp
String ID: 0D$0D
API String ID: 2049660638-1020036159
Opcode ID: 86758aeca54fdede1fc69109b90139f809b35c6f88d14a5e45f6c3ae973b21e6
Instruction ID: 17b57300639ab20a751792f5ab4bf8eb9b3789a90c7ccb95a58c24a00ef01663
Opcode Fuzzy Hash: 86758aeca54fdede1fc69109b90139f809b35c6f88d14a5e45f6c3ae973b21e6
Instruction Fuzzy Hash: F6517C31A002099FDB10DFA9C980AAFB7F4AF05354FA44166F844EB351D778EE45CBA9

Function 00462978 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 125registryCOMMON

Download Yara Rule

APIs

GetKeyboardLayoutList.USER32(00000040,?,00000000,00462B23,?,00AA12E8,?,00462B85,00000000,?,00447A3F), ref: 004629CE
RegOpenKeyExA.ADVAPI32(80000002,00000000,00000000,00020019,?,00000040,?,00000000,00462B23,?,00AA12E8,?,00462B85,00000000,?,00447A3F), ref: 00462A36
RegQueryValueExA.ADVAPI32(?,layout text,00000000,00000000,?,?,00000000,00462ADF,?,80000002,00000000,00000000,00020019,?,00000040,?), ref: 00462A70
RegCloseKey.ADVAPI32(?,00462AE6,00000000,?,?,00000000,00462ADF,?,80000002,00000000,00000000,00020019,?,00000040,?,00000000), ref: 00462AD9

Strings

layout text, xrefs: 00462A67
System\CurrentControlSet\Control\Keyboard Layouts\%.8x, xrefs: 00462A20

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: CloseKeyboardLayoutListOpenQueryValue
String ID: System\CurrentControlSet\Control\Keyboard Layouts\%.8x$layout text
API String ID: 1703357764-2652665750
Opcode ID: cfcecd160974a5ebc6f9d4fa128f91d7c499dcbf1a36445fe45b6aefa09f70bc
Instruction ID: 2c3dcaa53d4d5a0f863340afa259cb3a8887150a850a3e669054f079543414ea
Opcode Fuzzy Hash: cfcecd160974a5ebc6f9d4fa128f91d7c499dcbf1a36445fe45b6aefa09f70bc
Instruction Fuzzy Hash: C4418F74A04609AFDB10DF95CE81B9EB7F8FB48704F5040A6E900E7381E7B4AE44CB69

Function 00445F44 Relevance: 10.6, APIs: 7, Instructions: 122windowCOMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00445F7B
SelectObject.GDI32(?,00000000), ref: 00445FB1
PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 00445FD7
PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 00445FF9
PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 00446018
PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 00446032
SelectObject.GDI32(?,?), ref: 0044603F

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: ObjectSelect$DesktopWindow
String ID:
API String ID: 2666862715-0
Opcode ID: 6779dfd26fac2593bf7ae4a5ee94555976eb251571dbfb40dbd8e372b7b5e999
Instruction ID: f8fbb216217f6811247560b636bd0aeff7d60d7f41a2b6b374945b5a3ed68121
Opcode Fuzzy Hash: 6779dfd26fac2593bf7ae4a5ee94555976eb251571dbfb40dbd8e372b7b5e999
Instruction Fuzzy Hash: 3D311DB5E04619AFDB00DEEDCC85DAFBBBCEF4A744B004465B504F7282C679AD048BA5

Function 00428A88 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 99COMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(?,?,000009EC), ref: 00428ADA
MulDiv.KERNEL32(?,?,000009EC), ref: 00428AF1
73E9A570.USER32(00000000,?,?,000009EC,?,?,000009EC), ref: 00428B08
GetWinMetaFileBits.GDI32(?,00000000,00000000,00000008,?,00000000,00428BC3,?,00000000,?,?,000009EC,?,?,000009EC), ref: 00428B2C
GetWinMetaFileBits.GDI32(?,?,?,00000008,?,00000000,00428BA3,?,?,00000000,00000000,00000008,?,00000000,00428BC3), ref: 00428B5F

Strings

`, xrefs: 00428AC0

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: BitsFileMeta$A570
String ID: `
API String ID: 2497453717-2679148245
Opcode ID: e7978a01d5d367e8828d13deb8e6f4df71f917b703b8b563afc475dbdd08b62f
Instruction ID: 878f2aeeaf24aaa9e1b96208363617e15f6ea7b5134d3d2fd55e52dacc6912fd
Opcode Fuzzy Hash: e7978a01d5d367e8828d13deb8e6f4df71f917b703b8b563afc475dbdd08b62f
Instruction Fuzzy Hash: 60316675B00218AFDB00DFD5D881EAEB7B8EF09704F5144AAF904FB281D639AE41D769

Function 004553EC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 77COMMON

Download Yara Rule

Strings

L?E, xrefs: 00455475

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: L?E
API String ID: 0-3634967189
Opcode ID: de27a2290cb824ad3858b92a65c30b807e1b41ac68918c61bb67cfe9fdc86541
Instruction ID: af7043b00f252190add70e867cbd2f586c873116a434f4286dd7fb4d51f7aeea
Opcode Fuzzy Hash: de27a2290cb824ad3858b92a65c30b807e1b41ac68918c61bb67cfe9fdc86541
Instruction Fuzzy Hash: B111A130A01A8856DA60BE3A8C25BBF2B895F5275BF04006BBC41DB347DA6CDC898658

Function 0042CC4C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 68stringCOMMON

Download Yara Rule

APIs

SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0042CCA4
GetSystemMetrics.USER32(00000000), ref: 0042CCB9
GetSystemMetrics.USER32(00000001), ref: 0042CCC4
lstrcpy.KERNEL32(?,DISPLAY), ref: 0042CCEE

Part of subcall function 0042C848: GetProcAddress.KERNEL32(76910000,00000000), ref: 0042C8C8

Strings

GetMonitorInfoA, xrefs: 0042CC64
DISPLAY, xrefs: 0042CCE5

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: System$Metrics$AddressInfoParametersProclstrcpy
String ID: DISPLAY$GetMonitorInfoA
API String ID: 2545840971-1370492664
Opcode ID: 018ecb2043b52690f35dee35e80fb29322ed08f3e363ba916b0bbbde2fefc9fc
Instruction ID: 94f7c848bcfefb1fbe5e516b75e01b8d3b199e990b730b28d7bb93400fb79419
Opcode Fuzzy Hash: 018ecb2043b52690f35dee35e80fb29322ed08f3e363ba916b0bbbde2fefc9fc
Instruction Fuzzy Hash: 7911B4727013159FD7208F66BC847ABBBB9EF15310F40452BED5AA7340D7B5A90487A8

Function 0042CD20 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 68stringCOMMON

Download Yara Rule

APIs

SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0042CD78
GetSystemMetrics.USER32(00000000), ref: 0042CD8D
GetSystemMetrics.USER32(00000001), ref: 0042CD98
lstrcpy.KERNEL32(?,DISPLAY), ref: 0042CDC2

Part of subcall function 0042C848: GetProcAddress.KERNEL32(76910000,00000000), ref: 0042C8C8

Strings

DISPLAY, xrefs: 0042CDB9
GetMonitorInfoW, xrefs: 0042CD38

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: System$Metrics$AddressInfoParametersProclstrcpy
String ID: DISPLAY$GetMonitorInfoW
API String ID: 2545840971-2774842281
Opcode ID: 38640024d3738cbcb5639a4191d073947bb7a9093cdb9a4740f4adf3a6ec4c1f
Instruction ID: 7b48b18dd3b62cd01769088c5c1cac7dbd775fdb747bf6a5a9a15d142a581dcf
Opcode Fuzzy Hash: 38640024d3738cbcb5639a4191d073947bb7a9093cdb9a4740f4adf3a6ec4c1f
Instruction Fuzzy Hash: E711DF767117219ED3208F20BC807ABBBF8EF49310F40453AEC4997380D2B4AA04CBB9

Function 0043C270 Relevance: 10.6, APIs: 7, Instructions: 63COMMON

Download Yara Rule

APIs

73E9A570.USER32(00000000), ref: 0043C27A
GetTextMetricsA.GDI32(00000000), ref: 0043C283

Part of subcall function 004248B8: CreateFontIndirectA.GDI32(?), ref: 004249F6

SelectObject.GDI32(00000000,00000000), ref: 0043C292
GetTextMetricsA.GDI32(00000000,?), ref: 0043C29F
SelectObject.GDI32(00000000,00000000), ref: 0043C2A6
GetSystemMetrics.USER32(00000006), ref: 0043C2D4
GetSystemMetrics.USER32(00000006), ref: 0043C2EE

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Metrics$ObjectSelectSystemText$A570CreateFontIndirect
String ID:
API String ID: 1816951023-0
Opcode ID: 7f6303f277fec4e4e5963eb9ea79e46bb52593b62fd25ad46842a9bf9a48579a
Instruction ID: eecda416f773f89ea3cd1f80e06f162105c665fc9d0ded8e8aedf1ed3703e0dd
Opcode Fuzzy Hash: 7f6303f277fec4e4e5963eb9ea79e46bb52593b62fd25ad46842a9bf9a48579a
Instruction Fuzzy Hash: 6011A561B083442BF31066BA8CC2F6B66CCDB59358F44157AFA45E63D3D96CAC40C36A

Function 00462C28 Relevance: 10.6, APIs: 7, Instructions: 57threadwindowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32 ref: 00462C43
WindowFromPoint.USER32(?,?), ref: 00462C50
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00462C5E
GetCurrentThreadId.KERNEL32 ref: 00462C65
SendMessageA.USER32(00000000,00000084,00000000,00000000), ref: 00462C7E
SendMessageA.USER32(00000000,00000020,00000000,00000000), ref: 00462C95
SetCursor.USER32(00000000), ref: 00462CA7

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: CursorMessageSendThreadWindow$CurrentFromPointProcess
String ID:
API String ID: 1770779139-0
Opcode ID: adf4d0a0a7cbfedc8a98a898bde044678db7537ac1559609abe2b1235279df0f
Instruction ID: aa37844adf9978e8f818134fb47f0326c184120bf352d339c796bc51ee6eb38e
Opcode Fuzzy Hash: adf4d0a0a7cbfedc8a98a898bde044678db7537ac1559609abe2b1235279df0f
Instruction Fuzzy Hash: 3F0188226196103AD6213A750D86B7F3568DF84B64F10447FB904761C2F97EAC01526F

Function 0040CB40 Relevance: 10.6, APIs: 7, Instructions: 56filewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0040C9B8: VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040C9D5
Part of subcall function 0040C9B8: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040C9F9
Part of subcall function 0040C9B8: GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040CA14
Part of subcall function 0040C9B8: LoadStringA.USER32(00000000,0000FFEF,?,00000100), ref: 0040CAAA

CharToOemA.USER32(?,?), ref: 0040CB77
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,?,?), ref: 0040CB94
WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,?,?), ref: 0040CB9A
GetStdHandle.KERNEL32(000000F4,0040CC04,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 0040CBAF
WriteFile.KERNEL32(00000000,000000F4,0040CC04,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 0040CBB5
LoadStringA.USER32(00000000,0000FFD0,?,00000040), ref: 0040CBD7
MessageBoxA.USER32(00000000,?,?,00002010), ref: 0040CBED

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: File$HandleLoadModuleNameStringWrite$CharMessageQueryVirtual
String ID:
API String ID: 185507032-0
Opcode ID: 46e9a7fc103f3c3570b0ee59e1d2ec6e1d6b0856096fb765799defaee1b1bd2d
Instruction ID: 527d5ea13da49c69ccbf14a011ddfcef9924fbd70789ff534f640700b21b38af
Opcode Fuzzy Hash: 46e9a7fc103f3c3570b0ee59e1d2ec6e1d6b0856096fb765799defaee1b1bd2d
Instruction Fuzzy Hash: 65115EB2508200BAE200F7A5DD86F8B77EC9B44304F40463BB755F61E2DB78E9448B7A

Function 0045E77C Relevance: 9.2, APIs: 6, Instructions: 150COMMON

Download Yara Rule

APIs

FillRect.USER32(?,?), ref: 0045E7F5
GetClientRect.USER32(00000000,?), ref: 0045E820
FillRect.USER32(?,?,00000000), ref: 0045E83F

Part of subcall function 0045E6F0: CallWindowProcA.USER32(?,?,?,?,?), ref: 0045E72A

BeginPaint.USER32(?,?), ref: 0045E8B7
GetWindowRect.USER32(?,?), ref: 0045E8E4
EndPaint.USER32(?,?,0045E958), ref: 0045E944

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Rect$FillPaintWindow$BeginCallClientProc
String ID:
API String ID: 901200654-0
Opcode ID: 8eb3cae9139913e8de327428884a9301b3e05bf132240d44ac53330a50be15f7
Instruction ID: 9126647342d40bfd23a756d9691c7c5b9e6e39b9fdd851de095e8a0c9ec4f4fd
Opcode Fuzzy Hash: 8eb3cae9139913e8de327428884a9301b3e05bf132240d44ac53330a50be15f7
Instruction Fuzzy Hash: 76513070D04109EFDB54DF9AC585E9DB7F4AF08315F1481A6E808EB352D738AE49DB08

Function 0041C7D4 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

CharNextA.USER32(?,?,00000000,0041C923), ref: 0041C824
CharNextA.USER32(?,?,00000000,0041C923), ref: 0041C89C
CharNextA.USER32(?,?,?,00000000,0041C923), ref: 0041C8BD
CharNextA.USER32(00000000,?,?,?,00000000,0041C923), ref: 0041C8D4

Strings

, xrefs: 0041C86D

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: CharNext
String ID:
API String ID: 3213498283-3916222277
Opcode ID: bcaeb892402b0107be382b875a23f9c42b6480e65c5e54dfb82c42c93133c44a
Instruction ID: 22bef8333e448b53336447e5195f7f381797901fe8f79ee7033e5a41e89e0862
Opcode Fuzzy Hash: bcaeb892402b0107be382b875a23f9c42b6480e65c5e54dfb82c42c93133c44a
Instruction Fuzzy Hash: 36415B74A44184DFCB20EFA9C9D19A9B7F5EF5A30072404AAF4C1D7351C738AD81DB59

Function 0049019C Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 364COMMON

Download Yara Rule

Strings

TH, xrefs: 00490435
,H, xrefs: 00490476
D9B, xrefs: 004901AF

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: ,H$D9B$TH
API String ID: 0-4050845589
Opcode ID: ae02e7d2a932f06cca074e53cf2eba3512b53e53ff0015ab655bd089af8275a1
Instruction ID: 078b9a43aa0aefe11835cdee8cbbe539dd71178a2a62b56c87c0c4e9506d61bd
Opcode Fuzzy Hash: ae02e7d2a932f06cca074e53cf2eba3512b53e53ff0015ab655bd089af8275a1
Instruction Fuzzy Hash: B4E12C70A0410ADFCB00DFA9D8819AEBBF5FB49304F20457AE905EB351DB39AD41DB69

Function 00420DD8 Relevance: 9.1, APIs: 6, Instructions: 109threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00420DE3
GetCurrentThreadId.KERNEL32 ref: 00420DF2

Part of subcall function 00420D8C: ResetEvent.KERNEL32(000000E4,00420E2D), ref: 00420D92

RtlEnterCriticalSection.NTDLL(0053D868), ref: 00420E37
InterlockedExchange.KERNEL32(00533574,?), ref: 00420E53
RtlLeaveCriticalSection.NTDLL(0053D868), ref: 00420EAC
RtlEnterCriticalSection.NTDLL(0053D868), ref: 00420F0B

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: CriticalSection$CurrentEnterThread$EventExchangeInterlockedLeaveReset
String ID:
API String ID: 2189153385-0
Opcode ID: 48c928a74a06e8eded7d43de6fd25e10ef6bd0e84dac0bd832250aa5eb3b4d77
Instruction ID: 01d31c055e12c0dae44944bb330aaef60a45828d3e8d2421e85588c189767800
Opcode Fuzzy Hash: 48c928a74a06e8eded7d43de6fd25e10ef6bd0e84dac0bd832250aa5eb3b4d77
Instruction Fuzzy Hash: 0E31B730B44304AFD711DF65E852A6EBBF4EB49714F9288B6F400A3692D77D5C50CA29

Function 0042124C Relevance: 9.1, APIs: 6, Instructions: 73synchronizationthreadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00421256
CreateEventA.KERNEL32(00000000,000000FF,00000000,00000000), ref: 0042127B
RtlEnterCriticalSection.NTDLL(0053D868), ref: 00421296
RtlLeaveCriticalSection.NTDLL(0053D868), ref: 004212FB
WaitForSingleObject.KERNEL32(?,000000FF,00000000,00421331,?,0053D868,00000000,00421350,?,0053D868,00000000,0042136E,?,00000000,000000FF,00000000), ref: 00421314
RtlEnterCriticalSection.NTDLL(0053D868), ref: 0042132B

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: CriticalSection$Enter$CreateCurrentEventLeaveObjectSingleThreadWait
String ID:
API String ID: 1504017990-0
Opcode ID: cdc541c3c24f7246882cc5ee8aff9edf1728e4d05a09e17feeb0341d0b617926
Instruction ID: 2c7b93ceaaa123ccd3e893fc5a7f5e2ae3de92b82470b9c01303b32ea1db2353
Opcode Fuzzy Hash: cdc541c3c24f7246882cc5ee8aff9edf1728e4d05a09e17feeb0341d0b617926
Instruction Fuzzy Hash: E7212530B00300EFDB11DF65EC82E59BBB5FB19714F6146A6F800A77E0C6796D10DA69

Function 00431BB4 Relevance: 9.1, APIs: 6, Instructions: 60memoryCOMMON

Download Yara Rule

APIs

GlobalSize.KERNEL32(00000000), ref: 00431BC9
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00431BD3
GlobalFix.KERNEL32(00000000), ref: 00431BF3
GlobalFix.KERNEL32(00000000), ref: 00431BFE
GlobalUnWire.KERNEL32(00000000), ref: 00431C27
GlobalUnWire.KERNEL32(00000000), ref: 00431C30

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Global$Wire$AllocSize
String ID:
API String ID: 3044844065-0
Opcode ID: ea4032ff48a94be2143a545390936b50206f2c3e5f5dadd887e9f8c1a7ed5634
Instruction ID: 7ac5a20b542a9835d376f772973c080fcdece298206ca554adb3d4cf7e9ef2ac
Opcode Fuzzy Hash: ea4032ff48a94be2143a545390936b50206f2c3e5f5dadd887e9f8c1a7ed5634
Instruction Fuzzy Hash: 6411C275A44318AFDB10EBB9C946A9E77E8DB0C714F20147AB504E32C0DA3C9D50C758

Function 0047B9BC Relevance: 9.1, APIs: 6, Instructions: 58COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(00000000,00000000), ref: 0047BA05
SetBkMode.GDI32(00000000,00000001), ref: 0047BA14
SelectObject.GDI32(00000000,00000000), ref: 0047B9E8

Part of subcall function 004243E4: GetSysColor.USER32(?), ref: 004243EE

SelectObject.GDI32(00000000,00000000), ref: 0047BA3C
SetTextColor.GDI32(00000000,00000000), ref: 0047BA59
SetBkMode.GDI32(00000000,00000001), ref: 0047BA68

Part of subcall function 004248B8: CreateFontIndirectA.GDI32(?), ref: 004249F6

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Color$ModeObjectSelectText$CreateFontIndirect
String ID:
API String ID: 1727930112-0
Opcode ID: fd846bdce2b059ab7fcb2423a1d68a7c3cd299acc3857e977fcea282d9708da6
Instruction ID: 3da182a7289163915b05c23ec23749d2ba6118d49374c199a8b0da7b57f9826d
Opcode Fuzzy Hash: fd846bdce2b059ab7fcb2423a1d68a7c3cd299acc3857e977fcea282d9708da6
Instruction Fuzzy Hash: D40155B0B442455AD600BF7B5C96F8911589F45308F80987F7949EF6ABCE3CE84486AD

Function 00425AC4 Relevance: 9.0, APIs: 6, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 004250C4: CreateBrushIndirect.GDI32(?), ref: 0042516E

UnrealizeObject.GDI32(00000000), ref: 00425AD0
SelectObject.GDI32(?,00000000), ref: 00425AE2
SetBkColor.GDI32(?,00000000), ref: 00425B05
SetBkMode.GDI32(?,00000002), ref: 00425B10
SetBkColor.GDI32(?,00000000), ref: 00425B2B
SetBkMode.GDI32(?,00000001), ref: 00425B36

Part of subcall function 004243E4: GetSysColor.USER32(?), ref: 004243EE

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Color$ModeObject$BrushCreateIndirectSelectUnrealize
String ID:
API String ID: 3527656728-0
Opcode ID: fbb699258950ca24fb31083ed274a2ef0b22220ae275d2b822ac5a2bee1d24b4
Instruction ID: 0f75828e81133c144eac778142af1c21e42b9febf03229908901f3aa3198a07f
Opcode Fuzzy Hash: fbb699258950ca24fb31083ed274a2ef0b22220ae275d2b822ac5a2bee1d24b4
Instruction Fuzzy Hash: 21F0BBB57012109BDA00FFBAEDC6D0B27A86F08309740449AB904DF29BC93CE811877A

Function 004068D5 Relevance: 9.0, APIs: 6, Instructions: 41threadCOMMON

Download Yara Rule

APIs

Part of subcall function 0040378C: GetKeyboardType.USER32(00000000), ref: 00403791
Part of subcall function 0040378C: GetKeyboardType.USER32(00000001), ref: 0040379D

GetCommandLineA.KERNEL32 ref: 0040693B
GetVersion.KERNEL32 ref: 0040694F
GetVersion.KERNEL32 ref: 00406960
GetCurrentThreadId.KERNEL32 ref: 0040699C

Part of subcall function 004037BC: RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 004037DE
Part of subcall function 004037BC: RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,0040382D,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00403811
Part of subcall function 004037BC: RegCloseKey.ADVAPI32(?,00403834,00000000,?,00000004,00000000,0040382D,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00403827

GetThreadLocale.KERNEL32 ref: 0040697C

Part of subcall function 0040680C: GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,00406872), ref: 00406832

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: KeyboardLocaleThreadTypeVersion$CloseCommandCurrentInfoLineOpenQueryValue
String ID:
API String ID: 3734044017-0
Opcode ID: da802a4acc14e8ce3e969fd2c00984414c46d67bd95a8de8f68d1205a7744866
Instruction ID: d101f47a9a4845e70a77bd054437b378b78de5e7d6f44ade2170f308f84314d9
Opcode Fuzzy Hash: da802a4acc14e8ce3e969fd2c00984414c46d67bd95a8de8f68d1205a7744866
Instruction Fuzzy Hash: C5015EF580528189E714BFB2B84A3583A70AB21308F11847FA8416A7F2F73D411DAF7E

Function 00471188 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191COMMON

Download Yara Rule

APIs

DrawFrameControl.USER32(00000000,?,00000003,00000000), ref: 00471246
FillRect.USER32(00000000,?,00000000), ref: 004712CA
FillRect.USER32(00000000,?,00000000), ref: 00471381
FillRect.USER32(00000000,?,00000000), ref: 004713F8

Part of subcall function 004250C4: CreateBrushIndirect.GDI32(?), ref: 0042516E

Strings

BS, xrefs: 004711AB

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: FillRect$BrushControlCreateDrawFrameIndirect
String ID: BS
API String ID: 2881406452-3558652245
Opcode ID: 70105dac61909c590ca701bad4b4322ac4fedbc71058d22882493b9141a0c61f
Instruction ID: 4ee228cd91ce23ddc4fee6ab813c99c71734066ba1891034cd904fc54ea8c9b5
Opcode Fuzzy Hash: 70105dac61909c590ca701bad4b4322ac4fedbc71058d22882493b9141a0c61f
Instruction Fuzzy Hash: A171B2306047049FD710EBA8DC95FDB77E8AF49310F40462AB4A9D73A2CB78B849CB64

Function 004526DC Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 170COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(00000000,00FFFFFF), ref: 00452829
SetBkColor.GDI32(00000000,00000000), ref: 00452831

Strings

D9B, xrefs: 0045274D

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Color$Text
String ID: D9B
API String ID: 657580467-511987976
Opcode ID: 845dc0967a2eeb83428e7afbe3f71402ce8cd48cc01aed508383d1becfe5ea78
Instruction ID: caf2c13c3b6147a2c1068a04975f49f9108eea05e755136bfc0b238ce7408eac
Opcode Fuzzy Hash: 845dc0967a2eeb83428e7afbe3f71402ce8cd48cc01aed508383d1becfe5ea78
Instruction Fuzzy Hash: C3512D71701215ABCB40FF69DD82F5E37A8AF09314F50016AFD04EB386CA78EC558B69

Function 0049A38C Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 117clipboardCOMMON

Download Yara Rule

APIs

GetClipboardData.USER32(00000000), ref: 0049A3B9
GlobalSize.KERNEL32(00000000), ref: 0049A3DC
GlobalFix.KERNEL32(00000000), ref: 0049A3E7

Strings

D9B, xrefs: 0049A485
,(B, xrefs: 0049A4DB

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Global$ClipboardDataSize
String ID: ,(B$D9B
API String ID: 3883663762-2452140183
Opcode ID: 0fd263615e5dfb8f3822832488f1e0d9005db0e2b952a397faf464073ff822d1
Instruction ID: 29955305e4ae14cabca3e244b94cc8bf70332ddcab5d36c1d27d9245ea7aa51e
Opcode Fuzzy Hash: 0fd263615e5dfb8f3822832488f1e0d9005db0e2b952a397faf464073ff822d1
Instruction Fuzzy Hash: D2419174B00204AFCB00DF69D89596EBBF8FB89714BA184BAF800E7791D678AD10DB55

Function 00442FA0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 115keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000011), ref: 00442FC7
IsWindowVisible.USER32(00000000), ref: 00443045

Part of subcall function 00442F5C: IsChild.USER32(00000000,00000000), ref: 00442F8C

PtInRect.USER32(?,?,?), ref: 004430A0

Strings

v2D, xrefs: 004430EF
v2D, xrefs: 004430DD

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: ChildRectStateVisibleWindow
String ID: v2D$v2D
API String ID: 2086824273-368615219
Opcode ID: 9f5b21d4e126521a4f6a4fef42126da44afa7a61907db46da55d2cb991178c09
Instruction ID: 953e1a30aed7577064e81aa3d5d44619de54438c2ca322721f986de361957b2b
Opcode Fuzzy Hash: 9f5b21d4e126521a4f6a4fef42126da44afa7a61907db46da55d2cb991178c09
Instruction Fuzzy Hash: 8A41E630A041098FEB10EF99D981ADFF7F5AF00315F1402A6E500A7356D735AE45CBA5

Function 004037BC Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 49registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 004037DE
RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,0040382D,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00403811
RegCloseKey.ADVAPI32(?,00403834,00000000,?,00000004,00000000,0040382D,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00403827

Strings

FPUMaskValue, xrefs: 00403808
SOFTWARE\Borland\Delphi\RTL, xrefs: 004037D4

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
API String ID: 3677997916-4173385793
Opcode ID: 424e2b8a8011753df0c036b2dd939be4e47eabbd8e4c82b230d68772e49f862a
Instruction ID: 2ae8515d3de74d9156670e2f2254b0c851129a6067a190d8579be2bfc431f93e
Opcode Fuzzy Hash: 424e2b8a8011753df0c036b2dd939be4e47eabbd8e4c82b230d68772e49f862a
Instruction Fuzzy Hash: 8B017976940348BAE711EF91CD42FA977ECEB08701F1041B6B900E76D0E6785B14D758

Function 00401AB4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.NTDLL(0053D5C8), ref: 00401ACA
RtlEnterCriticalSection.NTDLL(0053D5C8), ref: 00401ADD
LocalAlloc.KERNEL32(00000000,00000FF8,00000000,1%), ref: 00401B07
RtlLeaveCriticalSection.NTDLL(0053D5C8), ref: 00401B64

Strings

1%, xrefs: 00401ABA

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: CriticalSection$AllocEnterInitializeLeaveLocal
String ID: 1%
API String ID: 730355536-1768441705
Opcode ID: e14f617ac8df99f3c0aa0fc7897efde2739acf0e446a4b0004ff17612f3cd299
Instruction ID: e9e4e5671b1e06996e0894820e83410eec8309045aa88d00e830df15344794fe
Opcode Fuzzy Hash: e14f617ac8df99f3c0aa0fc7897efde2739acf0e446a4b0004ff17612f3cd299
Instruction Fuzzy Hash: 8401ADB0A046005EE315AB7AB80AB253FF5E7AA708F80403AE004A73F1D77C54548B39

Function 00437C0C Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 32COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,00000000,00437C7B), ref: 00437C34
FreeLibrary.KERNEL32(00000000,00000000,00437C7B), ref: 00437C48

Strings

p{C, xrefs: 00437C52, 00437C62
X{C, xrefs: 00437C5D
X{C, xrefs: 00437C4D

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID: X{C$X{C$p{C
API String ID: 3664257935-188954857
Opcode ID: ceba55c3a60528cbc97ce3b50033a31ef078a1f15cb491101e043323cea43b11
Instruction ID: c5fab5d12dc97593affa39518c13bc3daef7e0a7b10c844c8b000a16791dc76f
Opcode Fuzzy Hash: ceba55c3a60528cbc97ce3b50033a31ef078a1f15cb491101e043323cea43b11
Instruction Fuzzy Hash: 50F090B02082409BE7359B25FCB5A16B7B8E319304F52683AE540963A1C63C6C14DF68

Function 004555AC Relevance: 7.7, APIs: 5, Instructions: 162COMMON

Download Yara Rule

APIs

DrawEdge.USER32(00000000,?,00000006,00000002), ref: 0045567B
OffsetRect.USER32(?,00000001,00000001), ref: 004556CC
DrawTextA.USER32(00000000,00000000,00000000,?,?), ref: 00455701
OffsetRect.USER32(?,000000FF,000000FF), ref: 0045570E
DrawTextA.USER32(00000000,00000000,00000000,?,?), ref: 00455775

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Draw$OffsetRectText$Edge
String ID:
API String ID: 3610532707-0
Opcode ID: c28341d78fc23ea05296c532d3bb5fd77140812b65a2f996bbbc21aa19f72f65
Instruction ID: 94562264dd035c3b88cd461f29f21a60b8e057ff9c6625640df891e218cf921d
Opcode Fuzzy Hash: c28341d78fc23ea05296c532d3bb5fd77140812b65a2f996bbbc21aa19f72f65
Instruction Fuzzy Hash: 9A519270A00A44AFDB10EBA9D891BAE77E5EF48324F54416BFD14E7392C778ED048B19

Function 00449924 Relevance: 7.6, APIs: 5, Instructions: 104COMMON

Download Yara Rule

APIs

BeginPaint.USER32(00000000,?,?,?,00000000), ref: 0044994A
SaveDC.GDI32(00000000), ref: 0044997E
ExcludeClipRect.GDI32(00000000,?,?,?,?,00000000,00449A44,?,?,?,00000000), ref: 004499E0
RestoreDC.GDI32(00000000,?), ref: 00449A0A
EndPaint.USER32(00000000,?,00449A4B,?,?,00000000), ref: 00449A3E

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Paint$BeginClipExcludeRectRestoreSave
String ID:
API String ID: 3808407030-0
Opcode ID: e8065bc40e3a79e3bcdd671fa19ab696cc8cfd947b9ba551c43ea94fe5df797f
Instruction ID: 2939045f509a1a639ba6687182a8caa615d5b25059c53e5fe23eb9ba55e0bc4b
Opcode Fuzzy Hash: e8065bc40e3a79e3bcdd671fa19ab696cc8cfd947b9ba551c43ea94fe5df797f
Instruction Fuzzy Hash: D9415D70A04244AFEB14DF99C885F9FB7F9EF49304F1480AAE504A7362D739AD40DB58

Function 0041D528 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 95COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,0041D651,?,?,00418A1C,00000001), ref: 0041D59D

Part of subcall function 004094B8: CreateFileA.KERNEL32(00000000,00000000,00000000,00000000,00000003,00000080,00000000,?,?,00418A1C,0041D5DD,00000000,0041D651,?,?,00418A1C), ref: 00409506

Part of subcall function 0040995C: GetFullPathNameA.KERNEL32(00000000,00000104,?,?,?,00418A1C,0041D5F8,00000000,0041D651,?,?,00418A1C,00000001), ref: 0040997B

GetLastError.KERNEL32(00000000,0041D651,?,?,00418A1C,00000001), ref: 0041D602

Part of subcall function 0040C400: FormatMessageA.KERNEL32(00003200,00000000,00000000,00000000,?,00000100,00000000,00000000,0040E266,00000000,0040E2C0), ref: 0040C41F

Strings

P`A, xrefs: 0041D61F
T}A, xrefs: 0041D627
8`A, xrefs: 0041D5BA

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: ErrorLast$CreateFileFormatFullMessageNamePath
String ID: 8`A$P`A$T}A
API String ID: 1652710734-218184577
Opcode ID: a40289f3a0af55cbbaddf434d9ab74dd69e9549ed3552f8fa2ae8cc63bcf38fd
Instruction ID: e5d77a07013a7c0971da30eda95baf9895d08632da60c58cd82095a1a54c6e57
Opcode Fuzzy Hash: a40289f3a0af55cbbaddf434d9ab74dd69e9549ed3552f8fa2ae8cc63bcf38fd
Instruction Fuzzy Hash: BA316170E046099FDB00EFA5C8816EEBBF5AF48308F51813AE504B7382D7795D45CBA9

Function 0043C5E8 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000000,000000BB,?,00000000), ref: 0043C624
SendMessageA.USER32(00000000,000000BB,?,00000000), ref: 0043C653
SendMessageA.USER32(00000000,000000C1,00000000,00000000), ref: 0043C66F
SendMessageA.USER32(00000000,000000B1,00000000,00000000), ref: 0043C69A
SendMessageA.USER32(00000000,000000C2,00000000,00000000), ref: 0043C6B8

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 36599383f52809a098aad449d30bd6a312c55ef4e938b533c590c16f02546285
Instruction ID: 1273efc3fa2c2057f07e10b5279cf71471bf709be64dbcab16c27cd73d612936
Opcode Fuzzy Hash: 36599383f52809a098aad449d30bd6a312c55ef4e938b533c590c16f02546285
Instruction Fuzzy Hash: 372160B0644704BBE710AAB68CC6F5B76ACEB85714F10187EB901B76C2DB79ED00866D

Function 004648A4 Relevance: 7.6, APIs: 5, Instructions: 73windowCOMMON

Download Yara Rule

APIs

GetCapture.USER32 ref: 004648C7
SendMessageA.USER32(00000000,-0000BBEE,00AA16DC,?), ref: 0046491B
GetWindowLongA.USER32(00000000,000000FA), ref: 0046492B
SendMessageA.USER32(00000000,-0000BBEE,00AA16DC,?), ref: 0046494A

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: MessageSend$CaptureLongWindow
String ID:
API String ID: 1158686931-0
Opcode ID: 91684f954b50b1f67e03243a35c0e7921911955dd319d5177395ae552c86d354
Instruction ID: f08b0608d4da1021af6879189eca49eb2ec238adb360515a61165939514cd166
Opcode Fuzzy Hash: 91684f954b50b1f67e03243a35c0e7921911955dd319d5177395ae552c86d354
Instruction Fuzzy Hash: 2C115EB524460A5FDB60BA6ACD80B1773DC9B95364B20043AF969C3742FA6CFC04477A

Function 0042910C Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

Part of subcall function 00426484: GetObjectA.GDI32(?,00000004), ref: 0042649B

73E9A570.USER32(00000000), ref: 0042914A
SelectObject.GDI32(?), ref: 00429163
SetDIBColorTable.GDI32(?,00000000,00000000,?,00000000,004291BB,?,?,?,?,00000000), ref: 00429187
SelectObject.GDI32(?,?), ref: 004291A1
DeleteDC.GDI32(?), ref: 004291AA

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Object$Select$A570ColorDeleteTable
String ID:
API String ID: 1418124628-0
Opcode ID: aa73fd7085e106145292a48fa3dd85ed7bdc26d286b28a5f66ecf77f07c6a881
Instruction ID: b33cbc6f381e21be718910a743bb353d8e74972da4eef66ba5b97ee997f1b262
Opcode Fuzzy Hash: aa73fd7085e106145292a48fa3dd85ed7bdc26d286b28a5f66ecf77f07c6a881
Instruction Fuzzy Hash: 4C116371F042196BEB10EBE9DC55EAEB3BCEF08704F4048BAF504E7291D6789D508769

Function 0040C6D4 Relevance: 7.6, APIs: 5, Instructions: 50threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(?,00000000,0040C76B,?,?,00000000), ref: 0040C6EC

Part of subcall function 0040C44C: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040C46A

GetThreadLocale.KERNEL32(00000000,00000004,00000000,0040C76B,?,?,00000000), ref: 0040C71C
EnumCalendarInfoA.KERNEL32(Function_0000C620,00000000,00000000,00000004), ref: 0040C727
GetThreadLocale.KERNEL32(00000000,00000003,00000000,0040C76B,?,?,00000000), ref: 0040C745
EnumCalendarInfoA.KERNEL32(Function_0000C65C,00000000,00000000,00000003), ref: 0040C750

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Locale$InfoThread$CalendarEnum
String ID:
API String ID: 4102113445-0
Opcode ID: 4f089ebef5878702126541596a15c7d66edd5f983145b4d8b4a72fefd7115e6e
Instruction ID: 5af87b3a7293b1194f7ef19f93a4114888ee582e09f3d8846b18260b20e46c2a
Opcode Fuzzy Hash: 4f089ebef5878702126541596a15c7d66edd5f983145b4d8b4a72fefd7115e6e
Instruction Fuzzy Hash: 6C01F271604604BBE711B775CC92F5A36ACEB46B18F210676F501BB6C2E77D9E0086AC

Function 004634CC Relevance: 7.5, APIs: 5, Instructions: 25synchronizationthreadCOMMON

Download Yara Rule

APIs

UnhookWindowsHookEx.USER32(00000000), ref: 004634DB
SetEvent.KERNEL32(00000000,00465902,00000000,00464987,?,?,00AA16DC,00000001,00464A47,?,?,?,00AA16DC), ref: 004634F6
GetCurrentThreadId.KERNEL32 ref: 004634FB
WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,00465902,00000000,00464987,?,?,00AA16DC,00000001,00464A47,?,?,?,00AA16DC), ref: 00463510
CloseHandle.KERNEL32(00000000,00000000,00465902,00000000,00464987,?,?,00AA16DC,00000001,00464A47,?,?,?,00AA16DC), ref: 0046351B

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: CloseCurrentEventHandleHookObjectSingleThreadUnhookWaitWindows
String ID:
API String ID: 2429646606-0
Opcode ID: 59a1c0792b72c3302a8386fde3d8edea116c1dec7b7a5f745065638928fe8423
Instruction ID: fd8e5e6f2b3dc1594a6b6390324ebaf60c2074ccbda6d5802e2769b19709a681
Opcode Fuzzy Hash: 59a1c0792b72c3302a8386fde3d8edea116c1dec7b7a5f745065638928fe8423
Instruction Fuzzy Hash: 2DF0C0B59001429AC750EF79FCA9E06F2FCA754319B134926B021D73E1D63C9598EF35

Function 0047A4BC Relevance: 7.5, APIs: 2, Strings: 2, Instructions: 453COMMON

Download Yara Rule

APIs

GetTextMetricsA.GDI32(?,?), ref: 0047A550
GetGlyphOutlineW.GDI32(?,00000020,00000000,?,00000000,00000000,0055DD7C), ref: 0047A5F9

Strings

, xrefs: 0047A605
, xrefs: 0047A676

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: GlyphMetricsOutlineText
String ID: $
API String ID: 2286437433-227171996
Opcode ID: 52cfa2b73540d35051fb187fac57e0a4bc43b0eaee52ae23dbe48aaf490a77cd
Instruction ID: 5cab512b9e904298cdca5ac70d774549e5790517355480f9d9b1160e432da0de
Opcode Fuzzy Hash: 52cfa2b73540d35051fb187fac57e0a4bc43b0eaee52ae23dbe48aaf490a77cd
Instruction Fuzzy Hash: 80025070900209DFCB20DFA9C584ADEBBB5FF84314F2584AAE448A7352D7349EA5CF56

Function 004C60A4 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 187COMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00000000,00000064,00000000), ref: 004C623A
OffsetRect.USER32(?,00000000,00000001), ref: 004C6265

Strings

Autodesk, xrefs: 004C628E
, xrefs: 004C6162

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: OffsetRect
String ID: $Autodesk
API String ID: 177026234-2270613959
Opcode ID: f95a1237a251960973c6dfc4bffababd266986c37e066f373f722098d6d713bf
Instruction ID: c4c7449c62672275d6b578dd1e6774d2804f5af9f11a8d3e9d2eaeb337153dba
Opcode Fuzzy Hash: f95a1237a251960973c6dfc4bffababd266986c37e066f373f722098d6d713bf
Instruction Fuzzy Hash: 8E615175B002049FDB10DF69C885B9AB7B9FF48304F5081BAFA08EB351DA759E49CB54

Function 0040C784 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(?,00000000,0040C94E,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0040C7B3

Part of subcall function 0040C44C: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0040C46A

Strings

ggg, xrefs: 0040C898
yyyy, xrefs: 0040C8A5
eeee, xrefs: 0040C8BE

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Locale$InfoThread
String ID: eeee$ggg$yyyy
API String ID: 4232894706-1253427255
Opcode ID: 7cbe0e61bc7c4c6cdb7ce4303924ee6c0bf0eb44aa5b044dc543ff8aa7226f51
Instruction ID: bbe616d2e19d99ddf3031d9cf468c96e5b1121923b0ec5fe95598fbef1dab483
Opcode Fuzzy Hash: 7cbe0e61bc7c4c6cdb7ce4303924ee6c0bf0eb44aa5b044dc543ff8aa7226f51
Instruction Fuzzy Hash: D141E5B5704145CBC711BB7A88C16BEB3A9EB85304B64473BA581B33D2D73C9D02966D

Function 0049A514 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 113memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(C08B0002,00000000), ref: 0049A59F
GlobalFix.KERNEL32(00000000), ref: 0049A5BF
GlobalUnWire.KERNEL32(00000000), ref: 0049A5FB

Strings

$0S, xrefs: 0049A596

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Global$AllocWire
String ID: $0S
API String ID: 924321537-3978363283
Opcode ID: f50f012bbe90d44498f02dc34236a401448a53de855bc5e646152aed7bba2450
Instruction ID: f3dadeb5906a8a39c79780da6c431b29622be7baa2ccec0611864cc50eaca293
Opcode Fuzzy Hash: f50f012bbe90d44498f02dc34236a401448a53de855bc5e646152aed7bba2450
Instruction Fuzzy Hash: 3F31C075704204AFDB01DF69C851A6EBBF8FB89710B5244B6F804D77A0DB38AC21CB59

Function 0042B060 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 113windowCOMMON

Download Yara Rule

APIs

73E9A570.USER32(00000000), ref: 0042B11D
CreateHalftonePalette.GDI32(00000000,00000000), ref: 0042B12A
DeleteObject.GDI32(00000000), ref: 0042B1A7

Strings

(, xrefs: 0042B0D3

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: A570CreateDeleteHalftoneObjectPalette
String ID: (
API String ID: 1897567740-3887548279
Opcode ID: 87d3bc4c60f0e18b57ba3177af2d90d7c2167be08cbc8384d1d724152418c1b9
Instruction ID: a053b3ea12c5a3ce958495125e14ac93e2685088d5cdf40176453a6440d27510
Opcode Fuzzy Hash: 87d3bc4c60f0e18b57ba3177af2d90d7c2167be08cbc8384d1d724152418c1b9
Instruction Fuzzy Hash: CC41E430B04218DFDB00DFA9D855BAEBBF6EF49344F5040AAE404A7351D7785E15DB89

Function 004C5624 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 78COMMON

Download Yara Rule

APIs

OffsetRect.USER32(?,?,?), ref: 004C56D7

Strings

K:\TomsEditor desktop\delf1\GraphicEx-master\GraphicEx.pas, xrefs: 004C5640, 004C5663
Start progress display first using InitProgress., xrefs: 004C5645
Initialize a progress section first using StartProgressSection., xrefs: 004C5668

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: OffsetRect
String ID: Initialize a progress section first using StartProgressSection.$K:\TomsEditor desktop\delf1\GraphicEx-master\GraphicEx.pas$Start progress display first using InitProgress.
API String ID: 177026234-2002869065
Opcode ID: 6ecb4afa2ef47beaab19c2dec355ef4b02220a29d681f7a47c4c8af73f11f51a
Instruction ID: 3efea98d2136278272cb6105295ceb4ea5f62b37e5d511f6b55e70756e949204
Opcode Fuzzy Hash: 6ecb4afa2ef47beaab19c2dec355ef4b02220a29d681f7a47c4c8af73f11f51a
Instruction Fuzzy Hash: E1218E75202504EFD7509F55E888F9E7BA8FF50310F64C47AE98D9B245DA74A8908B28

Function 004587FC Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoA.USER32(00000000,00000000,000000FF), ref: 0045884A
SetMenuItemInfoA.USER32(00000000,00000000,000000FF), ref: 0045889C
DrawMenuBar.USER32(00000000), ref: 004588A9

Strings

P, xrefs: 0045883C

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Menu$InfoItem$Draw
String ID: P
API String ID: 3227129158-3110715001
Opcode ID: 574032eb00c8d0ef5d685dda439e2f4a4f19196a96f347763cfa1bf0ef713e88
Instruction ID: ba749c7175bca6b4e9ac51a98d48b6fdf308954bc6cb853349374d68b9ed8368
Opcode Fuzzy Hash: 574032eb00c8d0ef5d685dda439e2f4a4f19196a96f347763cfa1bf0ef713e88
Instruction Fuzzy Hash: 0711B2706052005FD3209B28CC81B4B7AD4AF84365F588A6DF894E73DACB39D848C78A

Function 00428BD0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 51fileclipboardCOMMON

Download Yara Rule

APIs

GetClipboardData.USER32(0000000E), ref: 00428BDD
CopyEnhMetaFileA.GDI32(00000000,00000000), ref: 00428BFF
GetEnhMetaFileHeader.GDI32(?,00000064,?,00000000,00000000), ref: 00428C11

Strings

,(B, xrefs: 00428BE8

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: FileMeta$ClipboardCopyDataHeader
String ID: ,(B
API String ID: 1752724394-194635904
Opcode ID: baadab77a9dca474f06048a11739ca374c50c39b362e0ca208207e20cd309471
Instruction ID: 599a9f678d68ffeda96944ba16cea45cb765bd0ede1c1b36a894265290379eda
Opcode Fuzzy Hash: baadab77a9dca474f06048a11739ca374c50c39b362e0ca208207e20cd309471
Instruction Fuzzy Hash: 86112A72B002048FD710EF6ED885A9ABBF8AF49310B50416EF949DB352DA75EC05CB99

Function 004708A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 49COMMON

Download Yara Rule

APIs

GetSysColor.USER32(?), ref: 004708DA
GetSysColor.USER32 ref: 004708EC

Strings

Assertion failure, xrefs: 004708BD
K:\TomsEditor desktop\delf1\graphics32-master\Source\GR32_RangeBars.pas, xrefs: 004708B8

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Color
String ID: Assertion failure$K:\TomsEditor desktop\delf1\graphics32-master\Source\GR32_RangeBars.pas
API String ID: 2811717613-3946103339
Opcode ID: bd4574764b42f27b68dc36ddaf72d66198838425f48c5f6f8b374bcd32fde7ea
Instruction ID: 5d39edc94f32615f3189b200d94a2011e131f4109af9e36bb491dbe99edcbcdc
Opcode Fuzzy Hash: bd4574764b42f27b68dc36ddaf72d66198838425f48c5f6f8b374bcd32fde7ea
Instruction Fuzzy Hash: F4F028E3FA2A1A07E32464AA9C813B26449CFD4325F09803B6E18D7397DC5C9C0521DC

Function 00415EC2 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00415A78: RtlEnterCriticalSection.NTDLL(0053D824), ref: 00415A87
Part of subcall function 00415A78: RtlLeaveCriticalSection.NTDLL(0053D824), ref: 00415AD3

RtlDeleteCriticalSection.NTDLL(0053D824), ref: 00415EE7

Strings

XZA, xrefs: 00415EF1
PIA, xrefs: 00415EFC
(4S, xrefs: 00415F11

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: CriticalSection$DeleteEnterLeave
String ID: (4S$PIA$XZA
API String ID: 655268472-1648536688
Opcode ID: 5943dc16dcc6b696d463c42498cefbf24e56c705369e9bfd7708e768214bb91a
Instruction ID: fcfd0c2176e8dd8b94e16b5f64319f048be524182d4b9e8b584acc72c2dad556
Opcode Fuzzy Hash: 5943dc16dcc6b696d463c42498cefbf24e56c705369e9bfd7708e768214bb91a
Instruction Fuzzy Hash: 16F0A030754A409FE701BB66BD134A677F8EBC1708B91803BB5009B691CA7C9C528ABD

Function 00415EC4 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 30COMMON

Download Yara Rule

APIs

Part of subcall function 00415A78: RtlEnterCriticalSection.NTDLL(0053D824), ref: 00415A87
Part of subcall function 00415A78: RtlLeaveCriticalSection.NTDLL(0053D824), ref: 00415AD3

RtlDeleteCriticalSection.NTDLL(0053D824), ref: 00415EE7

Strings

XZA, xrefs: 00415EF1
PIA, xrefs: 00415EFC
(4S, xrefs: 00415F11

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: CriticalSection$DeleteEnterLeave
String ID: (4S$PIA$XZA
API String ID: 655268472-1648536688
Opcode ID: 2ff6c6fe0847e25a0433e610e4fc2cba7c74f204beff717170cce895fc37f617
Instruction ID: 5cb3ce660bef98bb6cdbe2360b71d2e6411638f45af40c53eb374df6b05dcf60
Opcode Fuzzy Hash: 2ff6c6fe0847e25a0433e610e4fc2cba7c74f204beff717170cce895fc37f617
Instruction Fuzzy Hash: 74F0A030654A409FE701BB66BD134A677B8EBC1708B91803BB5009B691CA7C9C528ABD

Function 0045551C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 23windowCOMMON

Download Yara Rule

APIs

CreatePopupMenu.USER32 ref: 00455537
CreateMenu.USER32 ref: 00455541

Strings

0BE, xrefs: 00455528
4(B, xrefs: 0045554F

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: CreateMenu$Popup
String ID: 0BE$4(B
API String ID: 257293969-775028033
Opcode ID: 0e802584aeac7a01942712ef025b2323d32e073488ba35cdb26a41c12bf371fe
Instruction ID: 3ccb5b4851db2ebeee6221ef8a8bf3497091280c749e8d3eea8b14f5967ec6b2
Opcode Fuzzy Hash: 0e802584aeac7a01942712ef025b2323d32e073488ba35cdb26a41c12bf371fe
Instruction Fuzzy Hash: 95E0ED70602504DBCB40FF65C6D66253BA9AB4430AF4424AFBC019F35BE77CD888DB59

Function 0040E318 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 16libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,0040EDD5,00000000,0040EDE8), ref: 0040E31E
GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA), ref: 0040E32F

Strings

GetDiskFreeSpaceExA, xrefs: 0040E329
kernel32.dll, xrefs: 0040E319

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: GetDiskFreeSpaceExA$kernel32.dll
API String ID: 1646373207-3712701948
Opcode ID: 1ab90790e9638472e26b056e7b625fbacac3f72932dc6d460e2ec535226e92f8
Instruction ID: 9e6ab07ed63e5a84859d2e81e84ab6aba5bde930afd86e306366fd9412bce8ad
Opcode Fuzzy Hash: 1ab90790e9638472e26b056e7b625fbacac3f72932dc6d460e2ec535226e92f8
Instruction Fuzzy Hash: FCD09EB1B023859ADB10ABF699C17156A949B60314F142C3FA401773D2DABC9964E61C

Function 00443360 Relevance: 6.2, APIs: 4, Instructions: 204COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 004433D4
GetDesktopWindow.USER32 ref: 004434F9
SetCursor.USER32(00000000), ref: 0044354E

Part of subcall function 0044D868: ShowCursor.USER32(000000FF,00000000,?,00443529), ref: 0044D89F

SetCursor.USER32(00000000), ref: 00443539

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Cursor$DesktopWindow$Show
String ID:
API String ID: 110329033-0
Opcode ID: c844eff5e2adb55e67a3f6cf157bffc3f72b97fceda53d18d6a13ec6482fc0e8
Instruction ID: 33d86b365cd0e34458838efa4763e71f7cbc602c46d8cf27e0bae10d94a46b65
Opcode Fuzzy Hash: c844eff5e2adb55e67a3f6cf157bffc3f72b97fceda53d18d6a13ec6482fc0e8
Instruction Fuzzy Hash: 2A91B478600241DFD300DF6AE8A4A16FBF1BF69705F06805AE444873A2C739ED59DF69

Function 00410234 Relevance: 6.1, APIs: 4, Instructions: 115COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 004102E3
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 004102FF
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 00410376
VariantClear.OLEAUT32(?), ref: 0041039F

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: ArraySafe$Bound$ClearIndexVariant
String ID:
API String ID: 920484758-0
Opcode ID: 98738b091a786ce6b36dc1dc9d640032da7a27ca7c01776b982fbf5dc2e8be24
Instruction ID: 1617b1551acd1be1fbacdd9e5877533f3d2330b7dd25f20dc83ee0a4dfdbed84
Opcode Fuzzy Hash: 98738b091a786ce6b36dc1dc9d640032da7a27ca7c01776b982fbf5dc2e8be24
Instruction Fuzzy Hash: 9E41FB75A0121D9FCB61DB59C894BC9B3BCAB4C304F0041EAE648E7212DA78AFC48F58

Function 0047B228 Relevance: 6.1, APIs: 4, Instructions: 107COMMON

Download Yara Rule

APIs

DeleteObject.GDI32(?), ref: 0047B2C7
SelectObject.GDI32(?,?), ref: 0047B302
DeleteDC.GDI32(?), ref: 0047B312
DeleteObject.GDI32(?), ref: 0047B31B

Part of subcall function 004067B4: LoadStringA.USER32(00000000,00010000,?,00000400), ref: 004067E5

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: DeleteObject$LoadSelectString
String ID:
API String ID: 2724564707-0
Opcode ID: 1f083e4a812b530ab77a5e2bff8976e2e89c32ff6830f04428c10bad27cdfeea
Instruction ID: 1a59201442db9016deec8a170a616c3e193fb20fccf17061411e7bac484c720a
Opcode Fuzzy Hash: 1f083e4a812b530ab77a5e2bff8976e2e89c32ff6830f04428c10bad27cdfeea
Instruction Fuzzy Hash: 31413FB1A002049FDB54EF65D881B5977F9FB48304F0184BAFE19EB396DB34A904CB54

Function 004C537C Relevance: 6.1, APIs: 4, Instructions: 103fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000002,08000080,00000000), ref: 004C53F2
GetFileSize.KERNEL32(00000000,?,00000000,80000000,00000001,00000000,00000002,08000080,00000000), ref: 004C540D
CreateFileMappingA.KERNEL32(00000002,00000000,00000002,00000000,00000000,00000000), ref: 004C5441
MapViewOfFile.KERNEL32(00000002,00000004,00000000,00000000,00000000), ref: 004C5460

Part of subcall function 0040E230: GetLastError.KERNEL32(00000000,0040E2C0), ref: 0040E24A

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: File$Create$ErrorLastMappingSizeView
String ID:
API String ID: 4192862406-0
Opcode ID: b895e9d9684607f515abd3e366047e4a265fc67d4cad6ac07519b37128152c10
Instruction ID: 7ce6a60c028cf649fe65190ef70219930bc68b70838029b93626bdd0580c0a6e
Opcode Fuzzy Hash: b895e9d9684607f515abd3e366047e4a265fc67d4cad6ac07519b37128152c10
Instruction Fuzzy Hash: 7F310875A442046BEB10DFA9CC42F5E7BA49B40754F14816EF904FF3C2D6B8AD818BAD

Function 0040C9B8 Relevance: 6.1, APIs: 4, Instructions: 102COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040C9D5
GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040C9F9
GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040CA14
LoadStringA.USER32(00000000,0000FFEF,?,00000100), ref: 0040CAAA

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: FileModuleName$LoadQueryStringVirtual
String ID:
API String ID: 3990497365-0
Opcode ID: e3556ad5e61d47adf35561a3173eaaf3563349c0018ac661601a2581f26e51f4
Instruction ID: 755d68ab95d1bdafea0286407d4d324641174ce365d4d9a707a43c3d22ce26ae
Opcode Fuzzy Hash: e3556ad5e61d47adf35561a3173eaaf3563349c0018ac661601a2581f26e51f4
Instruction Fuzzy Hash: 13417070A0025C9BDB21DB69CC85BCAB7BCAB08304F0041FBA548F7282D778AF848F54

Function 0040C9B6 Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 0040C9D5
GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0040C9F9
GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0040CA14
LoadStringA.USER32(00000000,0000FFEF,?,00000100), ref: 0040CAAA

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: FileModuleName$LoadQueryStringVirtual
String ID:
API String ID: 3990497365-0
Opcode ID: 49d4297400e2d0b52047a0869caf2408bad9bb9a47bc139b5c486ed1706d3ab5
Instruction ID: 7bda89aceb654925a6635a61ea737fa8614718537118f2faead7ab08db6631a0
Opcode Fuzzy Hash: 49d4297400e2d0b52047a0869caf2408bad9bb9a47bc139b5c486ed1706d3ab5
Instruction Fuzzy Hash: 6C418270A0025C9BDB10DB69CC85BDAB7BC9B08304F0041FAA548F7282D778AF848F54

Function 0040DC08 Relevance: 6.1, APIs: 4, Instructions: 95threadCOMMON

Download Yara Rule

APIs

GetStringTypeA.KERNEL32(00000C00,00000002,?,00000080,?), ref: 0040DCFC
GetThreadLocale.KERNEL32 ref: 0040DC32

Part of subcall function 0040DB90: GetCPInfo.KERNEL32(00000000,?), ref: 0040DBA9

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: InfoLocaleStringThreadType
String ID:
API String ID: 1505017576-0
Opcode ID: 5d4a59c179c48849a46ce5e7bc8019d86a182f3825205bce1e5e8b584fa45e85
Instruction ID: 4b4fefabd10199f53e171133ebc6be2c53a1c4e6b00b65a9bd7bcf62bbc4fc46
Opcode Fuzzy Hash: 5d4a59c179c48849a46ce5e7bc8019d86a182f3825205bce1e5e8b584fa45e85
Instruction Fuzzy Hash: C9312921D043548AEB21ABA5BC017B23BB4EBA1304F04807BE584AB3D6D77C495DE77A

Function 0049601C Relevance: 6.1, APIs: 4, Instructions: 88COMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(?,?,?), ref: 00496074
MulDiv.KERNEL32(?,?,00000000), ref: 00496091
MulDiv.KERNEL32(?,?,?), ref: 004960CA
MulDiv.KERNEL32(?,?,00000000), ref: 004960F9

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1639d70337249250a49c6a92bfac82fba3813e5c2b9343205ca744677a06c840
Instruction ID: c3bfafe4ee7594ea0f900ba74d74ef3f4eb36d05e1c51aee4286fe5aa3c24be8
Opcode Fuzzy Hash: 1639d70337249250a49c6a92bfac82fba3813e5c2b9343205ca744677a06c840
Instruction Fuzzy Hash: AA21F9B5604210AFC700DF29C881A2BB7E9AFC9715F10887EB889C7341D67AE8059B61

Function 0047B47C Relevance: 6.1, APIs: 4, Instructions: 84COMMON

Download Yara Rule

APIs

Part of subcall function 0047B9BC: SelectObject.GDI32(00000000,00000000), ref: 0047B9E8
Part of subcall function 0047B9BC: SetTextColor.GDI32(00000000,00000000), ref: 0047BA05
Part of subcall function 0047B9BC: SetBkMode.GDI32(00000000,00000001), ref: 0047BA14

GetTextExtentPoint32A.GDI32(00000000,00000000,00000000), ref: 0047B4BD
SelectObject.GDI32(?,00000000), ref: 0047B50B
GetTextExtentPoint32A.GDI32(?,00000000,00000000), ref: 0047B527
SelectObject.GDI32(?,00000000), ref: 0047B531

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: ObjectSelectText$ExtentPoint32$ColorMode
String ID:
API String ID: 599825263-0
Opcode ID: 4268e09a9098b8f1446f4a618dbd9f5931aac673da2db652ab013a11e06ad7e3
Instruction ID: f7c802c4f90829c212c7ffdad493dad4775d9075efad0a91d1d5d38bde650b88
Opcode Fuzzy Hash: 4268e09a9098b8f1446f4a618dbd9f5931aac673da2db652ab013a11e06ad7e3
Instruction Fuzzy Hash: 0E21FC71704210AF9340FBBEAD42B5A76EDDF49318351447BB508E3252DA3CEC04576A

Function 0047B564 Relevance: 6.1, APIs: 4, Instructions: 84COMMON

Download Yara Rule

APIs

Part of subcall function 0047B9BC: SelectObject.GDI32(00000000,00000000), ref: 0047B9E8
Part of subcall function 0047B9BC: SetTextColor.GDI32(00000000,00000000), ref: 0047BA05
Part of subcall function 0047B9BC: SetBkMode.GDI32(00000000,00000001), ref: 0047BA14

GetTextExtentPoint32W.GDI32(00000000,00000000,00000000), ref: 0047B5A5
SelectObject.GDI32(?,00000000), ref: 0047B5F3
GetTextExtentPoint32W.GDI32(?,00000000,00000000), ref: 0047B60F
SelectObject.GDI32(?,00000000), ref: 0047B619

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: ObjectSelectText$ExtentPoint32$ColorMode
String ID:
API String ID: 599825263-0
Opcode ID: 85ab8aa2c6f1696041c4472cfbf86cb7ac7d54dd0f572b4ff339b7106fa359c2
Instruction ID: 0d852485fbb16822ca631ca5349b222f07a9f0ac104134f9888e83a04192d3c8
Opcode Fuzzy Hash: 85ab8aa2c6f1696041c4472cfbf86cb7ac7d54dd0f572b4ff339b7106fa359c2
Instruction Fuzzy Hash: 97213BB1704210AF8740FBBE9D42A5E76ECDF89308351447BBA08E3352DA7CED04976A

Function 00458E54 Relevance: 6.1, APIs: 4, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetMenuState.USER32(?,?,?), ref: 00458E77
GetSubMenu.USER32(?,?), ref: 00458E82
GetMenuItemID.USER32(?,?), ref: 00458E9B
GetMenuStringA.USER32(?,?,?,?,?), ref: 00458EEE

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Menu$ItemStateString
String ID:
API String ID: 306270399-0
Opcode ID: e3383dcb107a40e43420fff3ced1630ca2424b328b68ee56dd8777bda8bec6af
Instruction ID: 269c12fbc1a68bd625b996c05ac8934d1896b227f0e2018adffe5275ea51860f
Opcode Fuzzy Hash: e3383dcb107a40e43420fff3ced1630ca2424b328b68ee56dd8777bda8bec6af
Instruction Fuzzy Hash: 93116031605148BFC700EA6D8C859AF7BE8AB493A5B10446EFC08E7393DE789D069769

Function 00435E18 Relevance: 6.1, APIs: 4, Instructions: 66clipboardCOMMON

Download Yara Rule

APIs

EnumClipboardFormats.USER32(00000000), ref: 00435E3C
GetClipboardData.USER32(00000000), ref: 00435E5C
GetClipboardData.USER32(00000009), ref: 00435E65
EnumClipboardFormats.USER32(00000000), ref: 00435E81

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Clipboard$DataEnumFormats
String ID:
API String ID: 1256399260-0
Opcode ID: 295b667a9e06dd5810dee4bb26ef7859cd17efac8bd5897a3d96790a37c4cb6b
Instruction ID: 15e53a84bd04ddb8be76eaa439b7033ea85c8464af052dd938e5f14b446d3fcc
Opcode Fuzzy Hash: 295b667a9e06dd5810dee4bb26ef7859cd17efac8bd5897a3d96790a37c4cb6b
Instruction Fuzzy Hash: BA11E371B08200AFD714AB6ADD52A2A77E9EB8D359B10007BF904D7391D939ED01E269

Function 00461E9C Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(00000000,000000EC), ref: 00461ED0
SetWindowLongA.USER32(00000000,000000EC,00000000), ref: 00461F02
SetLayeredWindowAttributes.USER32(00000000,?,?,00000000,00000000,000000EC,?,?,0045FA90), ref: 00461F3C
SetWindowLongA.USER32(00000000,000000EC,00000000), ref: 00461F55

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 9eff9f5b1ab494ddbdf7630dedeec9d6dc2f1f3d7a3614e7a06254be100c5ec5
Instruction ID: 1cd7612b9bbfd0eb403be84ffe12e1717fd5e5d26d919150ca347b5c6b81dc14
Opcode Fuzzy Hash: 9eff9f5b1ab494ddbdf7630dedeec9d6dc2f1f3d7a3614e7a06254be100c5ec5
Instruction Fuzzy Hash: B311CA60E0428065DB10AE799CCDB8A165C4F06358F1819BEBC45EB3E7DB7CD888C7AD

Function 0041DAB8 Relevance: 6.1, APIs: 4, Instructions: 51COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(?,?,?), ref: 0041DACF
LoadResource.KERNEL32(?,0041DB5C,?,?,?,00418C10,?,00000001,00000000,?,0041DA28,?), ref: 0041DAE9
SizeofResource.KERNEL32(?,0041DB5C,?,0041DB5C,?,?,?,00418C10,?,00000001,00000000,?,0041DA28,?), ref: 0041DB03
LockResource.KERNEL32(0041D6F0,00000000,?,0041DB5C,?,0041DB5C,?,?,?,00418C10,?,00000001,00000000,?,0041DA28,?), ref: 0041DB0D

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Resource$FindLoadLockSizeof
String ID:
API String ID: 3473537107-0
Opcode ID: 3dd4578c533c9bb1ee7e7209456605291599365772d49284f3076edfcb1d13e5
Instruction ID: a28442adcc77be8333304f47a6c32bf68428842b84274882699db08da1a5bd46
Opcode Fuzzy Hash: 3dd4578c533c9bb1ee7e7209456605291599365772d49284f3076edfcb1d13e5
Instruction Fuzzy Hash: A0F062B2A042046F5704EE6DE841D9B77ECEE883A4311006FF908D7242DA39DD51837C

Function 004709A0 Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

CreateSolidBrush.GDI32(00000000), ref: 004709C8
CreatePatternBrush.GDI32(00000000), ref: 004709ED
FillRect.USER32(00000000,?,00000000), ref: 004709FF
DeleteObject.GDI32(00000000), ref: 00470A05

Part of subcall function 004243E4: GetSysColor.USER32(?), ref: 004243EE

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: BrushCreate$ColorDeleteFillObjectPatternRectSolid
String ID:
API String ID: 4088857295-0
Opcode ID: 912885ba514c66db21d54f9bed359243197574b95a4d319d874e64614eaae102
Instruction ID: a2d988ad04d5a381a8c322df22dc8cf6bb544f8a41c31f61a14bd4ab21eadf56
Opcode Fuzzy Hash: 912885ba514c66db21d54f9bed359243197574b95a4d319d874e64614eaae102
Instruction Fuzzy Hash: EFF081B1704305AFD700BB7AAC8589AB7DC9F59358311447FBA09E7313D9B9EC0583A8

Function 0040964C Relevance: 6.0, APIs: 4, Instructions: 39timefileCOMMON

Download Yara Rule

APIs

FindNextFileA.KERNEL32(?,?), ref: 0040965C
GetLastError.KERNEL32(?,?), ref: 00409665
FileTimeToLocalFileTime.KERNEL32(?), ref: 00409679
FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 00409688

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: FileTime$DateErrorFindLastLocalNext
String ID:
API String ID: 2103556486-0
Opcode ID: 2b923fe597d71e023a705f5c3f0cb832aab3556db9965e022921584ddfaf3d14
Instruction ID: e162e89522690ffbe5e57cc9b1466d741ad06980228809ebf5bcad7f5c826590
Opcode Fuzzy Hash: 2b923fe597d71e023a705f5c3f0cb832aab3556db9965e022921584ddfaf3d14
Instruction Fuzzy Hash: 30F01DB25042009FDF44DFA4C9C2C8733ECEB4831471085B7EE46DB28BE639D9558BA9

Function 004431B4 Relevance: 6.0, APIs: 4, Instructions: 37threadCOMMON

Download Yara Rule

APIs

GetWindowThreadProcessId.USER32(00000000), ref: 004431C1
GetCurrentProcessId.KERNEL32(00000000,?,?,-0000000C,00000000,0044322C,0D,?,00000000,00442DDE,?,-0000000C,?), ref: 004431CA
GlobalFindAtomA.KERNEL32(00000000), ref: 004431DF
GetPropA.USER32(00000000,00000000), ref: 004431F6

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Process$AtomCurrentFindGlobalPropThreadWindow
String ID:
API String ID: 2582817389-0
Opcode ID: 2e2cfc40d3c1a72b926ec1b64a227bb3408532998e90b859b9ab037d3700fd17
Instruction ID: 5401e2f5639f62fd114a0c5522b1c2004ca6879ea75d9e8e2961d2a300d0a079
Opcode Fuzzy Hash: 2e2cfc40d3c1a72b926ec1b64a227bb3408532998e90b859b9ab037d3700fd17
Instruction Fuzzy Hash: 2EF05C6120652113F220BBBBAC4197F75FCBE40B15302007BFD00D2296C66CCD99A1BE

Function 00442330 Relevance: 6.0, APIs: 4, Instructions: 35threadCOMMON

Download Yara Rule

APIs

GetWindowThreadProcessId.USER32(00000000), ref: 0044233D
GetCurrentProcessId.KERNEL32(?,?,00000000,004648FB,?,?,00AA16DC,00000001,00464A67,?,?,?,00AA16DC), ref: 00442346
GlobalFindAtomA.KERNEL32(00000000), ref: 0044235B
GetPropA.USER32(00000000,00000000), ref: 00442372

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Process$AtomCurrentFindGlobalPropThreadWindow
String ID:
API String ID: 2582817389-0
Opcode ID: 413488d6062358ab8bc4cd576c72d73d858eeec4885931172e7551ddca18d9ed
Instruction ID: 699ca30d0c793ca57b3f0432a7980b6298a175ddb3a644150c4aecf18aed7baf
Opcode Fuzzy Hash: 413488d6062358ab8bc4cd576c72d73d858eeec4885931172e7551ddca18d9ed
Instruction Fuzzy Hash: B4F0A76160515257EA10BBBAAE8193B61FC9940394342043BBD01EA252C56C8C0492BD

Function 00463458 Relevance: 6.0, APIs: 4, Instructions: 34threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00463470
SetWindowsHookExA.USER32(00000003,00463414,00000000,00000000), ref: 00463480
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0046349B
CreateThread.KERNEL32(00000000,000003E8,004633B8,00000000,00000000), ref: 004634BF

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: CreateThread$CurrentEventHookWindows
String ID:
API String ID: 1195359707-0
Opcode ID: b0f4e89a32fc9d2bf60b6df09868a2b548d96585f81a359d15cdc0de8a0696bd
Instruction ID: e265a0768a1807d9aafc7dff4f6274120428cecbe54900555d4b9f1dc5f9ecb4
Opcode Fuzzy Hash: b0f4e89a32fc9d2bf60b6df09868a2b548d96585f81a359d15cdc0de8a0696bd
Instruction Fuzzy Hash: 99F054B06843417EF7116F21BC16F12F5B89720B1AF12406AF1156A3D1D6F815989E3E

Function 0040781A Relevance: 6.0, APIs: 4, Instructions: 12memoryCOMMON

Download Yara Rule

APIs

GlobalHandle.KERNEL32 ref: 0040781F
GlobalUnWire.KERNEL32(00000000), ref: 00407826
GlobalReAlloc.KERNEL32(00000000,00000000), ref: 0040782B
GlobalFix.KERNEL32(00000000), ref: 00407831

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Global$AllocHandleWire
String ID:
API String ID: 2210401237-0
Opcode ID: bf5ea3c2541c201097959473381bd350e13ea196bb2b4f9484afcac6c9d8c525
Instruction ID: 6bbbd635c96f592fcceee2221d872c94be36c58ca2949d8e70e53d0fd1d4d0ef
Opcode Fuzzy Hash: bf5ea3c2541c201097959473381bd350e13ea196bb2b4f9484afcac6c9d8c525
Instruction Fuzzy Hash: BBB004C8A11361B9E91933BACC0EE7B049D9990B08392496E381AF20C3E97D9C6410B9

Function 004248B8 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 123COMMON

Download Yara Rule

APIs

Part of subcall function 00423BFC: RtlEnterCriticalSection.NTDLL(?), ref: 00423C00

CreateFontIndirectA.GDI32(?), ref: 004249F6

Strings

Default, xrefs: 00424984
MS Sans Serif, xrefs: 00424995

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: CreateCriticalEnterFontIndirectSection
String ID: MS Sans Serif$Default
API String ID: 2931345757-2137701257
Opcode ID: 4a856f1f2d5f2633581e5c56d13048f93d28c390df8a791ddf3f0a1364645265
Instruction ID: be504f7e177fbb719631c1ce2555df02bd40e40eb7931595ccda63f087269ea1
Opcode Fuzzy Hash: 4a856f1f2d5f2633581e5c56d13048f93d28c390df8a791ddf3f0a1364645265
Instruction Fuzzy Hash: C9513E70B04298DFDB01CFA8E541B8EBBF5EF88304F6540AAE440A7352D3789E45DB69

Function 004586D8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 84keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000010), ref: 004586FC
GetKeyState.USER32(00000011), ref: 0045870E

Strings

, xrefs: 0045871E

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: State
String ID:
API String ID: 1649606143-3916222277
Opcode ID: 7227640e5d3e6ccb6f6a3283693616de59f706344136089dc3cf9172ef3ffd8e
Instruction ID: 2be1bf3d41b12b548972c2fbdf53e1df71106c389cb7c94c5bd37be768bf279c
Opcode Fuzzy Hash: 7227640e5d3e6ccb6f6a3283693616de59f706344136089dc3cf9172ef3ffd8e
Instruction Fuzzy Hash: D231F634A04248AFDB11DFA5DC5269EF7F5EB48305F6184AAEC00B6692EF785A08C664

Function 0049AD3C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 76registryclipboardCOMMON

Download Yara Rule

APIs

Part of subcall function 004067B4: LoadStringA.USER32(00000000,00010000,?,00000400), ref: 004067E5

RegisterClipboardFormatA.USER32(00000000), ref: 0049AD9A
73E9A570.USER32(00000000,00000000,0049AE46,?,?,00000000,00000000), ref: 0049ADBE

Strings

GIF, xrefs: 0049AD75

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: A570ClipboardFormatLoadRegisterString
String ID: GIF
API String ID: 1473950484-881873598
Opcode ID: 78f5ed4434428343c2a3ff2588b20eb83b01f2aca0eec0743426c75da30d7ea2
Instruction ID: 700e6ce80a3d81a22f4ca927e45b8089e42fba3a64e6971ed507559f7745d970
Opcode Fuzzy Hash: 78f5ed4434428343c2a3ff2588b20eb83b01f2aca0eec0743426c75da30d7ea2
Instruction Fuzzy Hash: 9921F174208740ABDB10EB71FCA6F1A3BACE748704F51487AF901973E2D6386904E76D

Function 0040B108 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 74threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,0040B1E6), ref: 0040B18E
GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100,00000000,0040B1E6), ref: 0040B194

Strings

yyyy, xrefs: 0040B169

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: DateFormatLocaleThread
String ID: yyyy
API String ID: 3303714858-3145165042
Opcode ID: 29e4bbe2f65c637743aa91cbb56b14d7ad440abb234d48ea55ed5f83871914cc
Instruction ID: 6f1ea2e294de028c3090534ad8d6d3c127c0d87c895e77c83702dc9062ff581d
Opcode Fuzzy Hash: 29e4bbe2f65c637743aa91cbb56b14d7ad440abb234d48ea55ed5f83871914cc
Instruction Fuzzy Hash: 8B215E746042089BDB00EB69D892AAEB3B8EF49340F51407BF905FB791D7789E40C7AD

Function 0042A5BC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(0053D8AC), ref: 0042A65F
RtlLeaveCriticalSection.NTDLL(0053D8AC), ref: 0042A69D

Strings

8B, xrefs: 0042A5CE

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave
String ID: 8B
API String ID: 3168844106-1803290843
Opcode ID: 5b584aef5b6a0cccb5612602d9cb795b9ec88ee646a1f1f0dfcfab0a19899327
Instruction ID: 3136ebb7a22f2c794d2da69e8510d6a777be9d04c101dd0776e9a34900c88a3e
Opcode Fuzzy Hash: 5b584aef5b6a0cccb5612602d9cb795b9ec88ee646a1f1f0dfcfab0a19899327
Instruction Fuzzy Hash: 2D219079B04308EFC701DF69D881889BBF5FB48324F5581AAF844A7351D778EE90CA58

Function 00429B8C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(0053D8AC), ref: 00429BB7
RtlLeaveCriticalSection.NTDLL(0053D8AC), ref: 00429C3E

Part of subcall function 0042A5BC: RtlEnterCriticalSection.NTDLL(0053D8AC), ref: 0042A65F
Part of subcall function 0042A5BC: RtlLeaveCriticalSection.NTDLL(0053D8AC), ref: 0042A69D

Strings

D9B, xrefs: 00429B9F

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave
String ID: D9B
API String ID: 3168844106-511987976
Opcode ID: de64013050d0aab4e926824cbb0242fbc633da893fe5285388f6136390974581
Instruction ID: 4ae5b6e0bdcfc2ab7ff77b611567e2a82ec299dd2f5f592c5ab91c2ea021d992
Opcode Fuzzy Hash: de64013050d0aab4e926824cbb0242fbc633da893fe5285388f6136390974581
Instruction Fuzzy Hash: 1721C234704244EFC714DFAAE982A9ABBF9EF48310FA041BAA84597751C638ED41CA58

Function 00458498 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 69windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,00000234,00000000,00000000), ref: 0045851E
DrawMenuBar.USER32(00000000), ref: 0045852F

Strings

0BE, xrefs: 00458540

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: DrawMenuMessageSend
String ID: 0BE
API String ID: 2625368238-533963802
Opcode ID: c987462ad0be6c913c5c6341cc74d63b430a8e172fb4af7445a5fc3506da90c9
Instruction ID: 9d16f98497fe61f240f9ec8a0a2700b0933145f62f70e77fb8fc341d9e1ba0b7
Opcode Fuzzy Hash: c987462ad0be6c913c5c6341cc74d63b430a8e172fb4af7445a5fc3506da90c9
Instruction Fuzzy Hash: 5511A2303016481BDB11EA2A9C8576A67965F9535AF08007EFD04EF353EE7CEC0A9B98

Function 004251E0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 59COMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.NTDLL(00428D0C), ref: 00425200

Strings

$1B, xrefs: 00425228
$2B, xrefs: 00425249

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: CriticalInitializeSection
String ID: $1B$$2B
API String ID: 32694325-775798600
Opcode ID: 87fe9c0af1b6edc2249ff161582ca9c23e8a5b6f012ac03f09e7617ea12d8e0f
Instruction ID: b59138d0af6b3d84eb818eee654e7480245cf05c5f3af63157d10fcc4d66c3f8
Opcode Fuzzy Hash: 87fe9c0af1b6edc2249ff161582ca9c23e8a5b6f012ac03f09e7617ea12d8e0f
Instruction Fuzzy Hash: D0116071700B159FC320DF2AE440552BBF9BF84764384862BE459C7B11D379F9698FA8

Function 0044580C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

IntersectRect.USER32(?,?,?), ref: 0044586C
EqualRect.USER32(?,?), ref: 0044587C

Strings

@, xrefs: 0044584D

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Rect$EqualIntersect
String ID: @
API String ID: 3291753422-2766056989
Opcode ID: b82b3dad8e0ee5e036f52823eda6b128f05401d3a8e80f1322fc3c9b8054e7d7
Instruction ID: 1f7484e598e537fa6c35e0bacf55813b83400421c5047ff3b49ffcf1bb0f175a
Opcode Fuzzy Hash: b82b3dad8e0ee5e036f52823eda6b128f05401d3a8e80f1322fc3c9b8054e7d7
Instruction Fuzzy Hash: 7A119131A04A48ABDB11EA6CC884BDF7BE89F48358F040296FD04EB343DB39DD068795

Function 0042CAE0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000000), ref: 0042CB2E
GetSystemMetrics.USER32(00000001), ref: 0042CB40

Part of subcall function 0042C848: GetProcAddress.KERNEL32(76910000,00000000), ref: 0042C8C8

Strings

MonitorFromPoint, xrefs: 0042CAF2

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: MetricsSystem$AddressProc
String ID: MonitorFromPoint
API String ID: 1792783759-1072306578
Opcode ID: 6f81f084d4afc8aa7eb44ed05ea3070c6db6b052b1d53f3ae2a25bfb36df7864
Instruction ID: b102c027d1c4c413bd7656d0c577a3d478be47482dce60b3c1706ce6531400e8
Opcode Fuzzy Hash: 6f81f084d4afc8aa7eb44ed05ea3070c6db6b052b1d53f3ae2a25bfb36df7864
Instruction Fuzzy Hash: C7015A32301228ABDB109F55B8C6B9EBB74EB507A4F908026F9049B251C278B8459AB8

Function 0042C9B8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000000), ref: 0042CA09
GetSystemMetrics.USER32(00000001), ref: 0042CA15

Part of subcall function 0042C848: GetProcAddress.KERNEL32(76910000,00000000), ref: 0042C8C8

Strings

MonitorFromRect, xrefs: 0042C9CD

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: MetricsSystem$AddressProc
String ID: MonitorFromRect
API String ID: 1792783759-4033241945
Opcode ID: 61b0e691ae2ca9e9d73c79d9392d3fd5745886e1f0f065c30e1483d92387d5a0
Instruction ID: 9b19bdc2017e1b0667b92dcbce1154c53ad48c76a498d214fe98b1038b913a49
Opcode Fuzzy Hash: 61b0e691ae2ca9e9d73c79d9392d3fd5745886e1f0f065c30e1483d92387d5a0
Instruction Fuzzy Hash: A1016D3270023C9BD720DB14F9C9B6ABBB8EB55355F948056E904DB302CA78EC449BB6

Function 00437940 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42registryCOMMON

Download Yara Rule

APIs

RegSetValueExA.ADVAPI32(?,00000000,00000000,00000000,?,?), ref: 00437971

Strings

`A, xrefs: 00437987
,vC, xrefs: 0043798F

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: Value
String ID: ,vC$`A
API String ID: 3702945584-1192799466
Opcode ID: e29b0d2cbc9ec3c4c8ca2aff6d608f2f5fa7c7496656df309b48c28480bc0baf
Instruction ID: 1fce8ba1216819b4375aee3f451261840c8ee90dbeb93ce18da6fe462e9131c0
Opcode Fuzzy Hash: e29b0d2cbc9ec3c4c8ca2aff6d608f2f5fa7c7496656df309b48c28480bc0baf
Instruction Fuzzy Hash: 23F0A4B2A041086BD710EB9EDC81F9ABBEC9F59314F144166FA58D7381D6359D0087A4

Function 00443214 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

WindowFromPoint.USER32(0D,?,00000000,00442DDE,?,-0000000C,?), ref: 0044321A

Part of subcall function 004431B4: GetWindowThreadProcessId.USER32(00000000), ref: 004431C1
Part of subcall function 004431B4: GetCurrentProcessId.KERNEL32(00000000,?,?,-0000000C,00000000,0044322C,0D,?,00000000,00442DDE,?,-0000000C,?), ref: 004431CA
Part of subcall function 004431B4: GlobalFindAtomA.KERNEL32(00000000), ref: 004431DF
Part of subcall function 004431B4: GetPropA.USER32(00000000,00000000), ref: 004431F6

GetParent.USER32(00000000), ref: 00443231

Strings

0D, xrefs: 00443218

Memory Dump Source

Source File: 00000000.00000002.3328743713.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3328725906.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000533000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000055F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000561000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.000000000057A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000589000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000593000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3328743713.0000000000597000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3329019865.00000000005B2000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: ProcessWindow$AtomCurrentFindFromGlobalParentPointPropThread
String ID: 0D
API String ID: 383691619-1254500326
Opcode ID: f71d28c6adf0ffd93dbe3729035335ecb369e990b943da9de01104844a64a445
Instruction ID: ccae8d0c26528655460a805121580a192774b7c7b686a9d75ec127e72fdbd595
Opcode Fuzzy Hash: f71d28c6adf0ffd93dbe3729035335ecb369e990b943da9de01104844a64a445
Instruction Fuzzy Hash: 66D0C9613043421FBF123EF65CC1917BA986F2474A31494FBB6005B323DEADDD29562E

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exePID: 2308, Parent PID: 4004

General

Chronological Activities

Disassembly

Analysis Process: SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exePID: 2308, Parent PID: 4004COMMON

Execution Graph

Windows Analysis Report
SecuriteInfo.com.BScope.Trojan.Zpevdo.14269.7346.exe

Function 00405F14 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 184
registrystringlibraryCOMMON

Function 00463E48 Relevance: 26.7, APIs: 13, Strings: 2, Instructions: 401
COMMON

Function 00460E70 Relevance: 18.4, APIs: 12, Instructions: 407
windowCOMMON

Function 00450A04 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 103
registrylibraryloaderCOMMON

Function 004638C8 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 132
windowregistryCOMMON

Function 00448C28 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 134
registryCOMMON

Function 00462CB8 Relevance: 10.6, APIs: 7, Instructions: 89
COMMON

Function 00442244 Relevance: 9.1, APIs: 6, Instructions: 60
COMMON

Function 004635C0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 125
windowCOMMON

Function 0045DA00 Relevance: 7.7, APIs: 5, Instructions: 171
COMMON

Function 0043B5A8 Relevance: 7.6, APIs: 5, Instructions: 110
COMMON

Function 0045EF58 Relevance: 6.1, APIs: 4, Instructions: 148
windowCOMMON

Function 004225D4 Relevance: 6.1, APIs: 4, Instructions: 59
registryCOMMON

Function 00463B48 Relevance: 6.1, APIs: 4, Instructions: 57
COMMON

Function 004263E0 Relevance: 6.1, APIs: 4, Instructions: 55
COMMON