Edit tour

Windows Analysis Report
iQPxJrxxaj.exe

Overview

General Information

Sample name:	iQPxJrxxaj.exe renamed because original name is a hash value
Original sample name:	ca5fb5814ec62c8f04936740aabe2664b3c7d036203afbd8425cd67cf1f4b79d.exe
Analysis ID:	1542283
MD5:	fd379c5ed778ea1000da0b8c9458f7f8
SHA1:	59fa8241388e3020e3f539ffbe3892332b59cd93
SHA256:	ca5fb5814ec62c8f04936740aabe2664b3c7d036203afbd8425cd67cf1f4b79d
Infos:

Detection

PikaBot

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Detected unpacking (creates a PE file in dynamic memory)

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected PikaBot

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Contains functionality to behave differently if execute on a Russian/Kazak computer

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to modify clipboard data

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Potential key logger detected (key state polling based)

Program does not show much activity (idle)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

iQPxJrxxaj.exe (PID: 7440 cmdline: "C:\Users\user\Desktop\iQPxJrxxaj.exe" MD5: FD379C5ED778EA1000DA0B8C9458F7F8)

ctfmon.exe (PID: 7508 cmdline: "C:\Windows\SysWOW64\ctfmon.exe -p 1234" MD5: 1B19D302D7FFA3D0901B3D990A4E8E12)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Pikabot	Introducing Pikabot, an emerging malware family that comprises a downloader/installer, a loader, and a core backdoor component. Despite being in the early stages of development, it already demonstrates advanced techniques in evasion, injection, and anti-analysis. Notably, the loader component incorporates an array of sophisticated anti-debugging and anti-VM measures inspired by the open-source Al-Khaser project, while leveraging steganography to conceal its payload. Additionally, Pikabot utilizes a proprietary C2 framework and supports a diverse range of commands, encompassing host enumeration and advanced secondary payload injection options.	No Attribution	https://blog.cyber5w.com/2024/02/25/pikabotloader/ https://blog.cyber5w.com/malware%20analysis/PikabotLoader/ https://blog.krakz.fr/notes/syswhispers2/ https://blog.pulsedive.com/pikabot/ https://blog.securityonion.net/2023/09/quick-malware-analysis-pikabot.html	https://malpedia.caad.fkie.fraunhofer.de/details/win.pikabot

Malware Configuration

Threatname: Pikabot

{"C2 list": ["139.84.237.229:2967", "85.239.243.155:5000", "104.129.55.104:2223", "37.60.242.85:9785", "95.179.191.137:5938", "65.20.66.218:5938", "158.220.80.157:9785", "104.129.55.103:2224", "158.220.80.167:2967"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000003.1666658664.0000000004200000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_PikaBot	Yara detected PikaBot	Joe Security
00000000.00000002.1699427684.0000000004230000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_PikaBot	Yara detected PikaBot	Joe Security

Unpacked PEs

Source	Rule	Description	Author
0.3.iQPxJrxxaj.exe.4200000.0.unpack	JoeSecurity_PikaBot	Yara detected PikaBot	Joe Security
0.2.iQPxJrxxaj.exe.4230000.1.unpack	JoeSecurity_PikaBot	Yara detected PikaBot	Joe Security
0.3.iQPxJrxxaj.exe.4200000.0.raw.unpack	JoeSecurity_PikaBot	Yara detected PikaBot	Joe Security
0.2.iQPxJrxxaj.exe.4230000.1.raw.unpack	JoeSecurity_PikaBot	Yara detected PikaBot	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: iQPxJrxxaj.exe

Avira: detected

Found malware configuration

Source: 00000000.00000002.1699602898.0000000004580000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: Pikabot {"C2 list": ["139.84.237.229:2967", "85.239.243.155:5000", "104.129.55.104:2223", "37.60.242.85:9785", "95.179.191.137:5938", "65.20.66.218:5938", "158.220.80.157:9785", "104.129.55.103:2224", "158.220.80.167:2967"]}

Multi AV Scanner detection for submitted file

Source: iQPxJrxxaj.exe

ReversingLabs: Detection: 79%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 95.9% probability

Source: C:\Users\user\Desktop\iQPxJrxxaj.exe

Code function: 0_2_00152C20 CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptDestroyHash,CryptReleaseContext,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CryptDestroyHash,CryptReleaseContext,std::ios_base::_Ios_base_dtor,

0_2_00152C20

Compliance

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\Users\user\Desktop\iQPxJrxxaj.exe

Unpacked PE file: 0.2.iQPxJrxxaj.exe.4230000.1.unpack

Source: iQPxJrxxaj.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: iQPxJrxxaj.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:

Binary string: E:\cpp\Notepad3\Bin\Release_x86_v143\grepWinNP3.pdb source: iQPxJrxxaj.exe

Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_001F9310 FindFirstFileExW,FindNextFileW,FindClose,FindClose,		0_2_001F9310
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_0014EBD0 PathIsDirectoryW,FindFirstFileExW,FindFirstFileW,GetLastError,FindClose,FindClose,		0_2_0014EBD0

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	IPs: 139.84.237.229:2967
Source: Malware configuration extractor	IPs: 85.239.243.155:5000
Source: Malware configuration extractor	IPs: 104.129.55.104:2223
Source: Malware configuration extractor	IPs: 37.60.242.85:9785
Source: Malware configuration extractor	IPs: 95.179.191.137:5938
Source: Malware configuration extractor	IPs: 65.20.66.218:5938
Source: Malware configuration extractor	IPs: 158.220.80.157:9785
Source: Malware configuration extractor	IPs: 104.129.55.103:2224
Source: Malware configuration extractor	IPs: 158.220.80.167:2967

Source: global traffic

TCP traffic: 192.168.2.4:49736 -> 158.220.80.167:2967

Source: Joe Sandbox View

IP Address: 37.60.242.85 37.60.242.85

Source: Joe Sandbox View	ASN Name: SINGLEHOP-LLCUS SINGLEHOP-LLCUS
Source: Joe Sandbox View	ASN Name: CP-ASDE CP-ASDE
Source: Joe Sandbox View	ASN Name: ASN-QUADRANET-GLOBALUS ASN-QUADRANET-GLOBALUS

Source: unknown	TCP traffic detected without corresponding DNS query: 158.220.80.167
Source: unknown	TCP traffic detected without corresponding DNS query: 158.220.80.167
Source: unknown	TCP traffic detected without corresponding DNS query: 158.220.80.167
Source: unknown	TCP traffic detected without corresponding DNS query: 158.220.80.167
Source: unknown	TCP traffic detected without corresponding DNS query: 158.220.80.167
Source: unknown	TCP traffic detected without corresponding DNS query: 158.220.80.167
Source: unknown	TCP traffic detected without corresponding DNS query: 158.220.80.167
Source: unknown	TCP traffic detected without corresponding DNS query: 158.220.80.167
Source: unknown	TCP traffic detected without corresponding DNS query: 158.220.80.167
Source: unknown	TCP traffic detected without corresponding DNS query: 158.220.80.167
Source: unknown	TCP traffic detected without corresponding DNS query: 158.220.80.167
Source: unknown	TCP traffic detected without corresponding DNS query: 158.220.80.167
Source: unknown	TCP traffic detected without corresponding DNS query: 158.220.80.167
Source: unknown	TCP traffic detected without corresponding DNS query: 158.220.80.167
Source: unknown	TCP traffic detected without corresponding DNS query: 158.220.80.167
Source: unknown	TCP traffic detected without corresponding DNS query: 158.220.80.167
Source: unknown	TCP traffic detected without corresponding DNS query: 158.220.80.167
Source: unknown	TCP traffic detected without corresponding DNS query: 158.220.80.167
Source: unknown	TCP traffic detected without corresponding DNS query: 158.220.80.167
Source: unknown	TCP traffic detected without corresponding DNS query: 158.220.80.167
Source: unknown	TCP traffic detected without corresponding DNS query: 158.220.80.167
Source: unknown	TCP traffic detected without corresponding DNS query: 158.220.80.167
Source: unknown	TCP traffic detected without corresponding DNS query: 158.220.80.167
Source: unknown	TCP traffic detected without corresponding DNS query: 158.220.80.167
Source: unknown	TCP traffic detected without corresponding DNS query: 158.220.80.167
Source: unknown	TCP traffic detected without corresponding DNS query: 158.220.80.167
Source: unknown	TCP traffic detected without corresponding DNS query: 158.220.80.167
Source: unknown	TCP traffic detected without corresponding DNS query: 158.220.80.167

Source: iQPxJrxxaj.exe	String found in binary or memory: http://tools.stefankueng.com
Source: iQPxJrxxaj.exe	String found in binary or memory: http://tools.stefankueng.comgrepWinNP3
Source: ctfmon.exe, 00000001.00000002.3547078943.0000000002BBC000.00000004.00000020.00020000.00000000.sdmp, ctfmon.exe, 00000001.00000003.2691384938.0000000002BB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://158.220.80.167:2967/
Source: ctfmon.exe, 00000001.00000003.2691014638.0000000002BE0000.00000004.00000020.00020000.00000000.sdmp, ctfmon.exe, 00000001.00000003.2691102525.0000000002BE3000.00000004.00000020.00020000.00000000.sdmp, ctfmon.exe, 00000001.00000003.2690957763.0000000002BEB000.00000004.00000020.00020000.00000000.sdmp, ctfmon.exe, 00000001.00000002.3547078943.0000000002BA8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://158.220.80.167:2967/api/admin.teams.admins.list
Source: ctfmon.exe, 00000001.00000002.3547078943.0000000002BA8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://158.220.80.167:2967/api/admin.teams.admins.list$cXD
Source: ctfmon.exe, 00000001.00000002.3547078943.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://158.220.80.167:2967/api/admin.teams.admins.list))ZZ
Source: ctfmon.exe, 00000001.00000002.3547078943.0000000002BBC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://158.220.80.167:2967/l
Source: ctfmon.exe, 00000001.00000003.2691384938.0000000002BB9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://158.220.80.167:2967/w
Source: iQPxJrxxaj.exe	String found in binary or memory: https://www.boost.org/doc/libs/release/libs/regex/doc/html/boost_regex/syntax/character_classes.html
Source: iQPxJrxxaj.exe	String found in binary or memory: https://www.boost.org/doc/libs/release/libs/regex/doc/html/boost_regex/syntax/perl_syntax.html
Source: iQPxJrxxaj.exe	String found in binary or memory: https://www.cplusplus.com/reference/ctime/strftime/
Source: iQPxJrxxaj.exe	String found in binary or memory: https://www.regular-expressions.info/tutorial.html

Source: C:\Users\user\Desktop\iQPxJrxxaj.exe

Code function: 0_2_00160B80 CloseClipboard,Sleep,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,CloseClipboard,

0_2_00160B80

Source: C:\Users\user\Desktop\iQPxJrxxaj.exe

Code function: 0_2_00160B80 CloseClipboard,Sleep,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,CloseClipboard,

0_2_00160B80

Source: C:\Users\user\Desktop\iQPxJrxxaj.exe

Code function: 0_2_00196780 GetDlgItem,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetFocus,SendMessageW,SendMessageW,GetFocus,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetFocus,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,SetFocus,IsDlgButtonChecked,SendMessageW,SendMessageW,

0_2_00196780

Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_04231000 NtAlpcCreateSectionView,		0_2_04231000
Source: C:\Windows\SysWOW64\ctfmon.exe	Code function: 1_2_00661000 NtAcquireCrossVmMutant,		1_2_00661000

Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_001577C0	0_2_001577C0
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_0017C1D0	0_2_0017C1D0
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_0019C1C0	0_2_0019C1C0
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_001CA2C0	0_2_001CA2C0
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_0019E3E0	0_2_0019E3E0
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_001615F0	0_2_001615F0
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_001A47F0	0_2_001A47F0
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_001E382B	0_2_001E382B
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_00169960	0_2_00169960
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_001A49B0	0_2_001A49B0
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_001E89F7	0_2_001E89F7
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_00181A20	0_2_00181A20
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_001EAA60	0_2_001EAA60
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_001E3B8A	0_2_001E3B8A
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_001FCECF	0_2_001FCECF
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_001F1FD4	0_2_001F1FD4
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_0423844C	0_2_0423844C
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_0423B4AC	0_2_0423B4AC
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_042335F4	0_2_042335F4
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_0423C6A0	0_2_0423C6A0
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_042346E0	0_2_042346E0
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_04231394	0_2_04231394
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_0423AF48	0_2_0423AF48
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_0423A8A0	0_2_0423A8A0
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_04232918	0_2_04232918
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_0423997C	0_2_0423997C
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_042381BC	0_2_042381BC
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_042362A8	0_2_042362A8
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_04237D18	0_2_04237D18
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_0423684C	0_2_0423684C
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_04237888	0_2_04237888
Source: C:\Windows\SysWOW64\ctfmon.exe	Code function: 1_2_0066467C	1_2_0066467C
Source: C:\Windows\SysWOW64\ctfmon.exe	Code function: 1_2_00666740	1_2_00666740
Source: C:\Windows\SysWOW64\ctfmon.exe	Code function: 1_2_00665928	1_2_00665928
Source: C:\Windows\SysWOW64\ctfmon.exe	Code function: 1_2_006680CC	1_2_006680CC
Source: C:\Windows\SysWOW64\ctfmon.exe	Code function: 1_2_00661A24	1_2_00661A24
Source: C:\Windows\SysWOW64\ctfmon.exe	Code function: 1_2_0066B4E0	1_2_0066B4E0
Source: C:\Windows\SysWOW64\ctfmon.exe	Code function: 1_2_00662EC0	1_2_00662EC0
Source: C:\Windows\SysWOW64\ctfmon.exe	Code function: 1_2_00662088	1_2_00662088

Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: String function: 001D96D0 appears 54 times
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: String function: 00130704 appears 184 times

Source: iQPxJrxxaj.exe, 00000000.00000000.1660336121.000000000022C000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamegrepWinNP3.exe6 vs iQPxJrxxaj.exe
Source: iQPxJrxxaj.exe	Binary or memory string: OriginalFilenamegrepWinNP3.exe6 vs iQPxJrxxaj.exe

Source: iQPxJrxxaj.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal96.troj.expl.evad.winEXE@3/0@0/9

Source: C:\Users\user\Desktop\iQPxJrxxaj.exe

Code function: 0_2_001DA8C0 GetLastError,FormatMessageA,LocalFree,

0_2_001DA8C0

Source: C:\Users\user\Desktop\iQPxJrxxaj.exe

Code function: 0_2_042310E8 CreateToolhelp32Snapshot,Process32FirstW,AnyPopup,GetLastError,

0_2_042310E8

Source: C:\Users\user\Desktop\iQPxJrxxaj.exe

Code function: 0_2_0018C3D0 CoCreateInstance,

0_2_0018C3D0

Source: C:\Users\user\Desktop\iQPxJrxxaj.exe

Code function: 0_2_00157170 MoveWindow,CloseWindow,DestroyWindow,SendMessageW,LoadCursorW,SetCursor,ShellExecuteW,EndDialog,GetClientRect,CreateWindowExW,FindResourceW,LoadResource,LockResource,SizeofResource,SendMessageW,SendMessageW,SetFocus,SendMessageW,SendMessageW,SendMessageW,

0_2_00157170

Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Mutant created: \Sessions\1\BaseNamedObjects\{6473AA76-0EAE-4C96-8C99-AFDFEFFE42B5}
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Mutant created: \Sessions\1\BaseNamedObjects\{6473AA76-0EAE-4C96-8C99-AFDFEFFE42B6}
Source: C:\Windows\SysWOW64\ctfmon.exe	Mutant created: \Sessions\1\BaseNamedObjects\{6F70D3AF-34EF-433C-A803-E83654F6FD7C}

Source: iQPxJrxxaj.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\iQPxJrxxaj.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: iQPxJrxxaj.exe

ReversingLabs: Detection: 79%

Source: unknown	Process created: C:\Users\user\Desktop\iQPxJrxxaj.exe "C:\Users\user\Desktop\iQPxJrxxaj.exe"
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Process created: C:\Windows\SysWOW64\ctfmon.exe "C:\Windows\SysWOW64\ctfmon.exe -p 1234"
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Process created: C:\Windows\SysWOW64\ctfmon.exe "C:\Windows\SysWOW64\ctfmon.exe -p 1234"	Jump to behavior

Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ctfmon.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ctfmon.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ctfmon.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ctfmon.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ctfmon.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ctfmon.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ctfmon.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ctfmon.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ctfmon.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ctfmon.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\ctfmon.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: C:\Users\user\Desktop\iQPxJrxxaj.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}\InProcServer32

Jump to behavior

Source: iQPxJrxxaj.exe

Static file information: File size 1361408 > 1048576

Source: iQPxJrxxaj.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: iQPxJrxxaj.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: iQPxJrxxaj.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: iQPxJrxxaj.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: iQPxJrxxaj.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: iQPxJrxxaj.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: iQPxJrxxaj.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: iQPxJrxxaj.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: E:\cpp\Notepad3\Bin\Release_x86_v143\grepWinNP3.pdb source: iQPxJrxxaj.exe

Source: iQPxJrxxaj.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: iQPxJrxxaj.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: iQPxJrxxaj.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: iQPxJrxxaj.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: iQPxJrxxaj.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\Users\user\Desktop\iQPxJrxxaj.exe

Unpacked PE file: 0.2.iQPxJrxxaj.exe.4230000.1.unpack

Source: C:\Users\user\Desktop\iQPxJrxxaj.exe

Code function: 0_2_0014E040 InitCommonControlsEx,SHGetKnownFolderPath,CoTaskMemFree,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_0014E040

Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_001D90B8 push ecx; ret	0_2_001D90CB
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_00115270 push 683BC3B2h; ret	0_2_001188FF
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_0011533A push esp; iretd	0_2_0011536B
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_001174CF pushfd ; retf	0_2_0014780D
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_001175EC push ED98EC23h; ret	0_2_00117622
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_001175EC push ds; retf	0_2_0011771C
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_00113641 push ds; iretd	0_2_00113642
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_00113856 push ecx; ret	0_2_0014490E
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_0011385B push ecx; ret	0_2_0014490E
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_00111899 push B0C117E4h; iretd	0_2_0011189E
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_001149AE push cs; iretd	0_2_0011F727
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_001179CE push cs; retf	0_2_001179DA
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_001149E3 push cs; iretd	0_2_0011F727
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_00112AFD push ds; retf	0_2_0012CEBA
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_00112B02 push ds; retf	0_2_0012CEBA
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_00111D12 push cs; retf	0_2_00111D1F
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_00113F71 pushfd ; retf	0_2_001257B1
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_00113F6C pushfd ; retf	0_2_001257B1
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_0423844C push esi; mov dword ptr [esp], 000013C5h	0_2_04238CB9
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_0423844C push edi; mov dword ptr [esp], 000013C5h	0_2_04238CC3
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_04231000 push dword ptr [0424414Ch]; ret	0_2_04231064
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_0423DB3C push eax; mov dword ptr [esp], 0425CCA0h	0_2_0423DC12
Source: C:\Windows\SysWOW64\ctfmon.exe	Code function: 1_2_00661000 push dword ptr [0066F790h]; ret	1_2_00661064

Source: iQPxJrxxaj.exe

Static PE information: section name: .text entropy: 6.9913927134244815

Source: C:\Users\user\Desktop\iQPxJrxxaj.exe

0_2_0014E040

Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Contains functionality to behave differently if execute on a Russian/Kazak computer

Source: C:\Users\user\Desktop\iQPxJrxxaj.exe

Code function: 0_2_04231394 GetOEMCP,GetWindowTextLengthA,GetDialogBaseUnits,GetMessageTime,GetShellWindow,GetCurrentThreadId,GetSystemDefaultLangID,GetOEMCP,GetDesktopWindow,GetModuleHandleW,GetCurrentThreadId,GetLastActivePopup, mov byte ptr [ebp-00000419h], al

0_2_04231394

Source: C:\Windows\SysWOW64\ctfmon.exe TID: 7868

Thread sleep time: -30000s >= -30000s

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_001F9310 FindFirstFileExW,FindNextFileW,FindClose,FindClose,		0_2_001F9310
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_0014EBD0 PathIsDirectoryW,FindFirstFileExW,FindFirstFileW,GetLastError,FindClose,FindClose,		0_2_0014EBD0

Source: ctfmon.exe, 00000001.00000003.2691190591.0000000002BEF000.00000004.00000020.00020000.00000000.sdmp, ctfmon.exe, 00000001.00000002.3547078943.0000000002BCE000.00000004.00000020.00020000.00000000.sdmp, ctfmon.exe, 00000001.00000003.2691267845.0000000002BF2000.00000004.00000020.00020000.00000000.sdmp, ctfmon.exe, 00000001.00000003.2690957763.0000000002BEF000.00000004.00000020.00020000.00000000.sdmp, ctfmon.exe, 00000001.00000003.2691403507.0000000002BF5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: ctfmon.exe, 00000001.00000002.3547078943.0000000002BCE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`2
Source: ctfmon.exe, 00000001.00000002.3547078943.0000000002BBC000.00000004.00000020.00020000.00000000.sdmp, ctfmon.exe, 00000001.00000003.2691384938.0000000002BB9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWh

Source: C:\Users\user\Desktop\iQPxJrxxaj.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\Desktop\iQPxJrxxaj.exe

Code function: 0_2_04233548 GetModuleHandleW,CheckRemoteDebuggerPresent,

0_2_04233548

Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Process queried: DebugFlags	Jump to behavior
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\ctfmon.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\ctfmon.exe	Process queried: DebugFlags	Jump to behavior
Source: C:\Windows\SysWOW64\ctfmon.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\ctfmon.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\ctfmon.exe	Process queried: DebugFlags	Jump to behavior
Source: C:\Windows\SysWOW64\ctfmon.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\ctfmon.exe	Process queried: DebugFlags	Jump to behavior
Source: C:\Windows\SysWOW64\ctfmon.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Windows\SysWOW64\ctfmon.exe

Code function: 1_2_006652F8 LdrLoadDll,LdrLoadDll,

1_2_006652F8

Source: C:\Users\user\Desktop\iQPxJrxxaj.exe

Code function: 0_2_001D94D1 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_001D94D1

Source: C:\Users\user\Desktop\iQPxJrxxaj.exe

0_2_0014E040

Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_0423C6A0 mov eax, dword ptr fs:[00000030h]	0_2_0423C6A0
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_042360B0 mov edx, dword ptr fs:[00000030h]	0_2_042360B0
Source: C:\Windows\SysWOW64\ctfmon.exe	Code function: 1_2_00661468 mov esi, dword ptr fs:[00000030h]	1_2_00661468
Source: C:\Windows\SysWOW64\ctfmon.exe	Code function: 1_2_0066AE50 mov eax, dword ptr fs:[00000030h]	1_2_0066AE50

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_001D94D1 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_001D94D1
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_001D986D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_001D986D
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: 0_2_001DEA53 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_001DEA53

Source: C:\Users\user\Desktop\iQPxJrxxaj.exe

Process created: C:\Windows\SysWOW64\ctfmon.exe "C:\Windows\SysWOW64\ctfmon.exe -p 1234"

Jump to behavior

Source: C:\Users\user\Desktop\iQPxJrxxaj.exe

Code function: 0_2_001D929C cpuid

0_2_001D929C

Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: EnumSystemLocalesW,	0_2_001FC014
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_001FC09F
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: GetLocaleInfoW,	0_2_001FC2F2
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_001FC41B
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: GetLocaleInfoW,	0_2_001F642D
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: GetLocaleInfoW,	0_2_001FC521
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_001FC5F7
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: EnumSystemLocalesW,	0_2_001F5EA7
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: EnumSystemLocalesW,	0_2_001FBF2E
Source: C:\Users\user\Desktop\iQPxJrxxaj.exe	Code function: EnumSystemLocalesW,	0_2_001FBF79

Source: C:\Users\user\Desktop\iQPxJrxxaj.exe

Code function: 0_2_001D9715 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_001D9715

Source: C:\Windows\SysWOW64\ctfmon.exe

Code function: 1_2_00666740 GetUserDefaultLCID,CreateMutexW,GetUserNameW,LocalAlloc,

1_2_00666740

Source: C:\Users\user\Desktop\iQPxJrxxaj.exe

Code function: 0_2_001F7559 GetTimeZoneInformation,

0_2_001F7559

Stealing of Sensitive Information

Yara detected PikaBot

Source: Yara match	File source: 0.3.iQPxJrxxaj.exe.4200000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.iQPxJrxxaj.exe.4230000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.iQPxJrxxaj.exe.4200000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.iQPxJrxxaj.exe.4230000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.1666658664.0000000004200000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1699427684.0000000004230000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected PikaBot

Source: Yara match	File source: 0.3.iQPxJrxxaj.exe.4200000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.iQPxJrxxaj.exe.4230000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.iQPxJrxxaj.exe.4200000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.iQPxJrxxaj.exe.4230000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.1666658664.0000000004200000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1699427684.0000000004230000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	11 Process Injection	2 Virtualization/Sandbox Evasion	1 Input Capture	2 System Time Discovery	Remote Services	1 Input Capture	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Process Injection	LSASS Memory	221 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	2 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	2 Clipboard Data	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	3 Obfuscated Files or Information	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Software Packing	LSA Secrets	1 Account Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 System Owner/User Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	1 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	22 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
iQPxJrxxaj.exe	79%	ReversingLabs	Win32.Trojan.Pikabot
iQPxJrxxaj.exe	100%	Avira	TR/Redcap.kbcgw

Name	Source	Malicious	Reputation
https://158.220.80.167:2967/	ctfmon.exe, 00000001.00000002.3547078943.0000000002BBC000.00000004.00000020.00020000.00000000.sdmp, ctfmon.exe, 00000001.00000003.2691384938.0000000002BB9000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://158.220.80.167:2967/api/admin.teams.admins.list))ZZ	ctfmon.exe, 00000001.00000002.3547078943.0000000002BC8000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://158.220.80.167:2967/w	ctfmon.exe, 00000001.00000003.2691384938.0000000002BB9000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://www.cplusplus.com/reference/ctime/strftime/	iQPxJrxxaj.exe	false	unknown
http://tools.stefankueng.com	iQPxJrxxaj.exe	false	unknown
https://158.220.80.167:2967/api/admin.teams.admins.list	ctfmon.exe, 00000001.00000003.2691014638.0000000002BE0000.00000004.00000020.00020000.00000000.sdmp, ctfmon.exe, 00000001.00000003.2691102525.0000000002BE3000.00000004.00000020.00020000.00000000.sdmp, ctfmon.exe, 00000001.00000003.2690957763.0000000002BEB000.00000004.00000020.00020000.00000000.sdmp, ctfmon.exe, 00000001.00000002.3547078943.0000000002BA8000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://158.220.80.167:2967/l	ctfmon.exe, 00000001.00000002.3547078943.0000000002BBC000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://158.220.80.167:2967/api/admin.teams.admins.list$cXD	ctfmon.exe, 00000001.00000002.3547078943.0000000002BA8000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://tools.stefankueng.comgrepWinNP3	iQPxJrxxaj.exe	false	unknown
https://www.boost.org/doc/libs/release/libs/regex/doc/html/boost_regex/syntax/character_classes.html	iQPxJrxxaj.exe	false	unknown
https://www.boost.org/doc/libs/release/libs/regex/doc/html/boost_regex/syntax/perl_syntax.html	iQPxJrxxaj.exe	false	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
37.60.242.85	unknown	Bulgaria	32475	SINGLEHOP-LLCUS	true
65.20.66.218	unknown	United States	199592	CP-ASDE	true
104.129.55.103	unknown	United States	8100	ASN-QUADRANET-GLOBALUS	true
104.129.55.104	unknown	United States	8100	ASN-QUADRANET-GLOBALUS	true
95.179.191.137	unknown	Netherlands	20473	AS-CHOOPAUS	true
158.220.80.167	unknown	Switzerland	8556	LEVANTISCH	true
139.84.237.229	unknown	United States	16498	LASALLEUS	true
85.239.243.155	unknown	Czech Republic	15685	CASABLANCA-ASInternetCollocationProviderCZ	true
158.220.80.157	unknown	Switzerland	8556	LEVANTISCH	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1542283
Start date and time:	2024-10-25 18:56:10 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 10s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	iQPxJrxxaj.exe renamed because original name is a hash value
Original Sample Name:	ca5fb5814ec62c8f04936740aabe2664b3c7d036203afbd8425cd67cf1f4b79d.exe
Detection:	MAL
Classification:	mal96.troj.expl.evad.winEXE@3/0@0/9
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 73% Number of executed functions: 64 Number of non-executed functions: 196
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
VT rate limit hit for: iQPxJrxxaj.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
37.60.242.85	Lisect_AVT_24003_G1B_115.exe	Get hash	malicious	PikaBot	Browse
	Lisect_AVT_24003_G1B_115.exe	Get hash	malicious	PikaBot	Browse
	Lisect_AVT_24003_G1B_54.exe	Get hash	malicious	PikaBot	Browse
	Lisect_AVT_24003_G1B_54.exe	Get hash	malicious	PikaBot	Browse
	Lisect_AVT_24003_G1B_96.exe	Get hash	malicious	PikaBot	Browse
	Lisect_AVT_24003_G1B_90.exe	Get hash	malicious	PikaBot	Browse
	Lisect_AVT_24003_G1B_96.exe	Get hash	malicious	PikaBot	Browse
	Lisect_AVT_24003_G1B_102.exe	Get hash	malicious	PikaBot	Browse
	Lisect_AVT_24003_G1B_104.exe	Get hash	malicious	PikaBot	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ASN-QUADRANET-GLOBALUS	la.bot.sh4.elf	Get hash	malicious	Unknown	Browse	173.205.89.188
	Play_VM.Now.matt.sibilo_Audio.wav...v.html	Get hash	malicious	HtmlDropper	Browse	185.174.100.20
	mpsl.elf	Get hash	malicious	Mirai	Browse	154.205.102.28
	IMG465244247443 ORDER Opmagasinering.exe	Get hash	malicious	XWorm	Browse	104.223.35.76
	la.bot.m68k.elf	Get hash	malicious	Unknown	Browse	23.153.31.252
	SecuriteInfo.com.Win32.MalwareX-gen.23086.24319.exe	Get hash	malicious	PureLog Stealer, XWorm	Browse	104.223.35.76
	http://tfmk.sweepshop.info/fwd/P2Q9OTU0NCZlaT00NDM2NzYzMSZpZj0zMTYwJmxpPTczNw	Get hash	malicious	Phisher	Browse	103.79.78.225
	QUOTE #46789-OCT24_JAMEELA TRD LLCS.bat.exe	Get hash	malicious	GuLoader	Browse	72.11.142.133
	sample.hta	Get hash	malicious	XWorm	Browse	107.150.23.154
CP-ASDE	http://www.thegioimoicau.com/	Get hash	malicious	Unknown	Browse	65.21.45.74
	Bill Of Lading_MEDUVB935991.pdf.exe	Get hash	malicious	FormBook	Browse	65.21.196.90
	arm.elf	Get hash	malicious	Unknown	Browse	65.21.50.224
	P1 BOL.exe	Get hash	malicious	Unknown	Browse	65.21.196.90
	Doc 784-01965670.exe	Get hash	malicious	FormBook	Browse	65.21.196.90
	TT Swift copy1.exe	Get hash	malicious	FormBook	Browse	65.21.196.90
	BL.exe	Get hash	malicious	FormBook	Browse	65.21.196.90
	rDRAWINGDWGSINC.exe	Get hash	malicious	FormBook	Browse	65.21.196.90
	https://eadzhost.net/quieter/QUOTE_TECNO_GAZ_INDUSTRIES_63787_MC.rar	Get hash	malicious	FormBook	Browse	65.21.29.43
SINGLEHOP-LLCUS	yGktPvplJn.exe	Get hash	malicious	Pushdo	Browse	96.127.180.42
	la.bot.arm5.elf	Get hash	malicious	Unknown	Browse	216.104.42.28
	la.bot.mipsel.elf	Get hash	malicious	Unknown	Browse	173.236.97.217
	https://landsmith.ae/continue.html	Get hash	malicious	HTMLPhisher	Browse	69.175.95.50
	arm5.elf	Get hash	malicious	Unknown	Browse	65.60.17.27
	https://www.bing.com/ck/a?!&&p=c60f44e2e0299106bbda17ed4610b6a047eac19fa538687ebec1fc78213d7903JmltdHM9MTcyOTEyMzIwMA&ptn=3&ver=2&hsh=4&fclid=234c270a-e3bc-6c48-2bf3-3210e2866d6d&psq=Siemens+v17&u=a1aHR0cHM6Ly9wbGM0bWUuY29tL2Rvd25sb2FkLXRpYS1wb3J0YWwtdjE3LWZ1bGwtdmVyc2lvbi1nb29nbGVkcml2ZS8&ntb=1	Get hash	malicious	Unknown	Browse	172.96.186.147
	INVOICE_bwallman#E785IKK2.html	Get hash	malicious	HTMLPhisher	Browse	108.178.43.142
	http://www.fcc-movil.com/80th/enphem1sX2F0dG9ybmV5YXpAZmQub3Jn	Get hash	malicious	Phisher	Browse	198.20.104.206
	na.elf	Get hash	malicious	Mirai	Browse	65.63.38.146

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.904757414642191
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	iQPxJrxxaj.exe
File size:	1'361'408 bytes
MD5:	fd379c5ed778ea1000da0b8c9458f7f8
SHA1:	59fa8241388e3020e3f539ffbe3892332b59cd93
SHA256:	ca5fb5814ec62c8f04936740aabe2664b3c7d036203afbd8425cd67cf1f4b79d
SHA512:	9de54ef1a15a70dcf266d24685b2c1e259170973a6c61033289303258f63e41cda1aa53335a91f8317a5963ede47a805c29dbe3f69c80f71a716515616669472
SSDEEP:	24576:7yTiqxhwB8ow5KiPUIRCv1N4JFMl2K1WKT3IDC95ag62:7yTiqxhw1rx1mY1Wm4DCOg62
TLSH:	0C55BE71B583C072E96212F1293D9B65666DBE648FB788CFF3C03D6D4431DC26936A0A
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............S...S...S...R...S...RY..S3..R...S...R...S...R...S...R...S...R...S...R...S...R...S...S!..S...R...S..KS...S..#S...S...R...

File Icon


Icon Hash:	0d66c3d363135109

Static PE Info

General

Entrypoint:	0x4c90a0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x65C4C527 [Thu Feb 8 12:12:23 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	639b8ce85c0ddfcaca9633440db01cad

Entrypoint Preview

Instruction
call 00007F3A68E3D402h
jmp 00007F3A68E3CBBFh
cmp ecx, dword ptr [005161C0h]
jne 00007F3A68E3CD43h
ret
jmp 00007F3A68E3D522h
mov ecx, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], ecx
pop ecx
pop edi
pop edi
pop esi
pop ebx
mov esp, ebp
pop ebp
push ecx
ret
mov ecx, dword ptr [ebp-10h]
xor ecx, ebp
call 00007F3A68E3CD19h
jmp 00007F3A68E3CD22h
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [005161C0h]
xor eax, ebp
push eax
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
ret
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [005161C0h]
xor eax, ebp
push eax
mov dword ptr [ebp-10h], eax
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
ret
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [005161C0h]
xor eax, ebp
push eax
mov dword ptr [ebp-10h], esp
push dword ptr [ebp+00h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x113b84	0x104	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x11c000	0x2b9f8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x148000	0x7c0c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1076e0	0x8c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x107780	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x107620	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xf9000	0x61c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xf7cee	0xf7e00	e5d0129f14da84e1c0aed5958842ae7f	False	0.5985062484241049	data	6.9913927134244815	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xf9000	0x1cde2	0x1ce00	f6abe18b71f5b04c0a374a8593849936	False	0.3782890286796537	data	4.77550999528983	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x116000	0x5d34	0x3e00	57db2369eae20724a58ae59e568500db	False	0.17231602822580644	DOS executable (block device driver)	4.748370462370597	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x11c000	0x2b9f8	0x2ba00	dba96c6dbecb72154dcdddcc17b2d61a	False	0.40728532414040114	data	6.255321835115764	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x148000	0x7c0c	0x7e00	b71209090055b617bcbc68cffa550b6d	False	0.6593501984126984	data	6.578028479435236	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RTF	0x13feb0	0x6053	Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033			0.10458656068778134
RT_ICON	0x11c8f0	0x884e	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced			0.997306127127873
RT_ICON	0x125140	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584			0.21585531763870816
RT_ICON	0x135968	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896			0.3706306093528578
RT_ICON	0x139b90	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600			0.48350622406639004
RT_ICON	0x13c138	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224			0.5530018761726079
RT_ICON	0x13d1e0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400			0.6549180327868852
RT_ICON	0x13db68	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088			0.7730496453900709
RT_MENU	0x13fe50	0x56	data			0.7325581395348837
RT_DIALOG	0x13e038	0xe4e	data			0.3735663571818678
RT_DIALOG	0x13ee88	0x324	data			0.40049751243781095
RT_DIALOG	0x13f1b0	0x15e	data			0.58
RT_DIALOG	0x13f310	0x12e	data			0.609271523178808
RT_DIALOG	0x13f440	0x1a4	data			0.5523809523809524
RT_DIALOG	0x13f5e8	0xc8	data			0.69
RT_DIALOG	0x13f6b0	0x7a0	data			0.42520491803278687
RT_STRING	0x145f08	0x12c	data			0.52
RT_STRING	0x146038	0x560	data			0.42151162790697677
RT_STRING	0x146598	0x200	data			0.5
RT_STRING	0x146798	0x4aa	data			0.40033500837520936
RT_STRING	0x146c48	0x4d0	data			0.336038961038961
RT_STRING	0x147150	0xea	data			0.5213675213675214
RT_STRING	0x147118	0x36	data			0.6481481481481481
RT_ACCELERATOR	0x13fea8	0x8	data			2.0
RT_GROUP_ICON	0x13dfd0	0x68	data			0.7596153846153846
RT_VERSION	0x11c600	0x2ec	data	English	United States	0.4451871657754011
RT_MANIFEST	0x147240	0x7b4	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (1912), with CRLF line terminators	English	United States	0.32302231237322515

Imports

DLL	Import
SHLWAPI.dll	PathRelativePathToW, SHGetValueW, AssocQueryStringW, StrFormatByteSizeW, PathCompactPathExW, SHAutoComplete, PathRemoveFileSpecW, PathAppendW, SHDeleteKeyW, PathIsRootW, PathCanonicalizeW, PathIsRelativeW, PathIsURLW, PathIsDirectoryW, PathFileExistsW, SHSetValueW, StrCmpLogicalW
UxTheme.dll	CloseThemeData, GetThemeInt, GetThemeBackgroundContentRect, SetWindowTheme, OpenThemeData, GetThemeColor, BeginBufferedPaint, BufferedPaintSetAlpha, EndBufferedPaint, DrawThemeBackground
KERNEL32.dll	lstrlenW, MultiByteToWideChar, FindResourceW, LoadResource, LockResource, SizeofResource, GetCurrentThreadId, GetFullPathNameW, GetLongPathNameW, GetShortPathNameW, GetModuleFileNameW, CreateFileW, CloseHandle, CreateDirectoryW, GetCurrentDirectoryW, Sleep, SetCurrentDirectoryW, FormatMessageW, GetTickCount64, GetWindowsDirectoryW, GetCurrentProcess, GetFileTime, WriteFile, SetFileTime, GetFileSizeEx, GlobalMemoryStatusEx, ReadFile, WideCharToMultiByte, GetFileSize, FlushFileBuffers, SetFilePointer, SetEndOfFile, GetCommandLineW, SetDllDirectoryW, CreateMutexW, GetSystemDirectoryW, SystemTimeToFileTime, SetErrorMode, GetUserDefaultLCID, GetStringTypeExW, LoadLibraryA, LCMapStringW, ExpandEnvironmentStringsW, OutputDebugStringW, QueryPerformanceCounter, QueryPerformanceFrequency, GetStringTypeExA, LCMapStringA, GetSystemTime, FileTimeToSystemTime, CreateThread, CreateProcessW, GetFileInformationByHandle, CompareFileTime, CopyFileW, GetFileAttributesW, SetFileAttributesW, MoveFileExA, GetTimeZoneInformation, SystemTimeToTzSpecificLocalTime, GetDateFormatW, GetTimeFormatW, CreateFileA, CreateFileMappingW, MapViewOfFile, GlobalAddAtomW, GlobalUnlock, GetOEMCP, GetACP, IsValidCodePage, HeapReAlloc, EnumSystemLocalesW, IsValidLocale, GetLocaleInfoW, CompareStringW, ReadConsoleW, GetConsoleMode, GetConsoleOutputCP, SetFilePointerEx, GetFileType, HeapAlloc, HeapFree, GetStdHandle, ExitProcess, SetEnvironmentVariableW, LoadLibraryExW, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, InitializeCriticalSectionAndSpinCount, RtlUnwind, CreateFileMappingA, GetModuleHandleA, MapViewOfFileEx, TerminateProcess, InitializeSListHead, GetCurrentProcessId, GetStartupInfoW, SetUnhandledExceptionFilter, UnhandledExceptionFilter, IsDebuggerPresent, GetCPInfo, GetSystemTimeAsFileTime, LCMapStringEx, DecodePointer, EncodePointer, DeleteCriticalSection, InitializeCriticalSectionEx, LeaveCriticalSection, EnterCriticalSection, RaiseException, IsProcessorFeaturePresent, GetModuleHandleExW, CloseThreadpoolWork, SubmitThreadpoolWork, CreateThreadpoolWork, FreeLibraryWhenCallbackReturns, SleepConditionVariableSRW, WakeAllConditionVariable, WakeConditionVariable, GetNativeSystemInfo, InitOnceBeginInitialize, InitOnceComplete, TryAcquireSRWLockExclusive, AcquireSRWLockExclusive, ReleaseSRWLockExclusive, GetStringTypeW, FormatMessageA, lstrcpyW, GlobalFree, GlobalLock, GlobalAlloc, FindNextFileW, FindClose, FindFirstFileW, FindFirstFileExW, lstrcpynW, GetModuleHandleW, MulDiv, GetLastError, GetProcAddress, FreeLibrary, LoadLibraryW, SetLastError, VerifyVersionInfoW, VerSetConditionMask, LocalFree, LocalAlloc, GetCommandLineA, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetProcessHeap, SetStdHandle, HeapSize, WriteConsoleW, DeleteAtom, UnmapViewOfFile
USER32.dll	GetSysColor, PostMessageW, CheckDlgButton, GetKeyState, RedrawWindow, CreatePopupMenu, CheckMenuItem, LoadIconA, CreateWindowExA, CheckRadioButton, SendDlgItemMessageW, AppendMenuW, DestroyMenu, SetCursor, GetClassNameW, InvalidateRgn, BeginPaint, GetClientRect, GetWindowLongW, SendMessageW, GetWindowTextLengthW, GetWindowTextW, EndPaint, DrawTextW, InflateRect, GetWindowRect, GetCursorPos, GetDCEx, LoadStringA, SetTimer, PtInRect, GetFocus, GetSystemMetrics, IntersectRect, MapWindowPoints, GetParent, GetDC, ReleaseDC, ScreenToClient, SystemParametersInfoW, DialogBoxParamW, CreateDialogParamW, EnableWindow, ShowWindow, BringWindowToTop, SetForegroundWindow, LoadAcceleratorsW, GetMessageW, TranslateAcceleratorW, IsDialogMessageW, TranslateMessage, DispatchMessageW, PostQuitMessage, DestroyWindow, EndDialog, SetFocus, KillTimer, IsDlgButtonChecked, EnumWindows, RegisterWindowMessageW, TrackPopupMenu, GetSubMenu, LoadMenuW, ClientToScreen, CreateDialogIndirectParamW, GetWindowPlacement, GetDesktopWindow, CopyRect, LoadStringW, SetDlgItemTextW, DrawIconEx, GetSysColorBrush, SetClipboardData, EmptyClipboard, OpenClipboard, CloseClipboard, EnumDisplayMonitors, GetMonitorInfoW, SetWindowTextW, SetMenuItemInfoW, GetMenuItemInfoW, GetMenuItemCount, GetSystemMenu, EnumThreadWindows, EnumChildWindows, CloseWindow, LoadCursorW, InsertMenuW, SetCapture, ReleaseCapture, DrawFocusRect, RemovePropW, GetPropW, SetPropW, RegisterClipboardFormatW, IsZoomed, EndDeferWindowPos, DeferWindowPos, BeginDeferWindowPos, InvalidateRect, SetWindowRgn, CallWindowProcW, SetWindowPlacement, MoveWindow, GetWindowDC, SetLayeredWindowAttributes, MessageBoxW, SetCursorPos, GetDlgItemTextW, DefDlgProcW, CreateWindowExW, SetWindowLongW, GetDlgItem, LoadImageW, SetWindowPos, OffsetRect
GDI32.dll	CombineRgn, SetRectRgn, CreateRectRgnIndirect, CreateRectRgn, SetBkMode, CreateFontIndirectW, GetObjectW, ExtTextOutW, SetBkColor, GetDeviceCaps, SetTextColor, EnumFontsW, CreateSolidBrush, SelectObject, DeleteObject, PatBlt
COMDLG32.dll	GetOpenFileNameW
ADVAPI32.dll	RegCloseKey, RegOpenKeyW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegDeleteValueW, CryptAcquireContextW, RegOpenKeyExW, CryptGetHashParam, CryptDestroyHash, CryptHashData, CryptReleaseContext, CryptCreateHash
SHELL32.dll	DragQueryFileW, SHGetDesktopFolder, SHGetFolderPathW, SHGetFileInfoW, CommandLineToArgvW, ShellExecuteW, ShellExecuteExW, SHGetKnownFolderPath, SHCreateItemFromParsingName
ole32.dll	CoCreateInstance, ReleaseStgMedium, OleDuplicateData, DoDragDrop, CoUninitialize, OleInitialize, OleUninitialize, RegisterDragDrop, CoTaskMemFree, CoTaskMemAlloc, CoInitializeEx
gdiplus.dll	GdipDeleteGraphics, GdipCreateFromHDC, GdipAddPathArcI, GdipClosePathFigure, GdipStartPathFigure, GdipResetPath, GdipDeletePath, GdipCreatePath, GdipSetPenDashStyle, GdipDeletePen, GdipCreatePen1, GdipDrawRectangleI, GdipAlloc, GdipFree, GdiplusShutdown, GdiplusStartup, GdipDrawPath
COMCTL32.dll	InitCommonControlsEx, ImageList_GetImageCount, ImageList_GetImageInfo
VERSION.dll	VerQueryValueW, GetFileVersionInfoW, GetFileVersionInfoSizeW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 25, 2024 18:57:37.810823917 CEST	49736	2967	192.168.2.4	158.220.80.167
Oct 25, 2024 18:57:37.817208052 CEST	2967	49736	158.220.80.167	192.168.2.4
Oct 25, 2024 18:57:37.817323923 CEST	49736	2967	192.168.2.4	158.220.80.167
Oct 25, 2024 18:57:37.821460009 CEST	49736	2967	192.168.2.4	158.220.80.167
Oct 25, 2024 18:57:37.826884031 CEST	2967	49736	158.220.80.167	192.168.2.4
Oct 25, 2024 18:57:41.467578888 CEST	2967	49736	158.220.80.167	192.168.2.4
Oct 25, 2024 18:57:41.467704058 CEST	49736	2967	192.168.2.4	158.220.80.167
Oct 25, 2024 18:57:41.467938900 CEST	49736	2967	192.168.2.4	158.220.80.167
Oct 25, 2024 18:57:41.468337059 CEST	49737	2967	192.168.2.4	158.220.80.167
Oct 25, 2024 18:57:41.474009991 CEST	2967	49736	158.220.80.167	192.168.2.4
Oct 25, 2024 18:57:41.474020958 CEST	2967	49737	158.220.80.167	192.168.2.4
Oct 25, 2024 18:57:41.474241972 CEST	49737	2967	192.168.2.4	158.220.80.167
Oct 25, 2024 18:57:41.475697994 CEST	49737	2967	192.168.2.4	158.220.80.167
Oct 25, 2024 18:57:41.481163025 CEST	2967	49737	158.220.80.167	192.168.2.4
Oct 25, 2024 18:57:44.599678993 CEST	2967	49737	158.220.80.167	192.168.2.4
Oct 25, 2024 18:57:44.599838972 CEST	49737	2967	192.168.2.4	158.220.80.167
Oct 25, 2024 18:57:44.600147009 CEST	49737	2967	192.168.2.4	158.220.80.167
Oct 25, 2024 18:57:44.601104975 CEST	49738	2967	192.168.2.4	158.220.80.167
Oct 25, 2024 18:57:44.605499983 CEST	2967	49737	158.220.80.167	192.168.2.4
Oct 25, 2024 18:57:44.606844902 CEST	2967	49738	158.220.80.167	192.168.2.4
Oct 25, 2024 18:57:44.607064009 CEST	49738	2967	192.168.2.4	158.220.80.167
Oct 25, 2024 18:57:44.608227968 CEST	49738	2967	192.168.2.4	158.220.80.167
Oct 25, 2024 18:57:44.613943100 CEST	2967	49738	158.220.80.167	192.168.2.4
Oct 25, 2024 18:57:44.614015102 CEST	49738	2967	192.168.2.4	158.220.80.167
Oct 25, 2024 18:59:17.448436975 CEST	50006	2967	192.168.2.4	158.220.80.167
Oct 25, 2024 18:59:17.454158068 CEST	2967	50006	158.220.80.167	192.168.2.4
Oct 25, 2024 18:59:17.454545975 CEST	50006	2967	192.168.2.4	158.220.80.167
Oct 25, 2024 18:59:17.454999924 CEST	50006	2967	192.168.2.4	158.220.80.167
Oct 25, 2024 18:59:17.460813046 CEST	2967	50006	158.220.80.167	192.168.2.4
Oct 25, 2024 18:59:21.110754967 CEST	2967	50006	158.220.80.167	192.168.2.4
Oct 25, 2024 18:59:21.111129999 CEST	50006	2967	192.168.2.4	158.220.80.167
Oct 25, 2024 18:59:21.111255884 CEST	50006	2967	192.168.2.4	158.220.80.167
Oct 25, 2024 18:59:21.112220049 CEST	50007	2967	192.168.2.4	158.220.80.167
Oct 25, 2024 18:59:21.116744041 CEST	2967	50006	158.220.80.167	192.168.2.4
Oct 25, 2024 18:59:21.117672920 CEST	2967	50007	158.220.80.167	192.168.2.4
Oct 25, 2024 18:59:21.117815971 CEST	50007	2967	192.168.2.4	158.220.80.167
Oct 25, 2024 18:59:21.119034052 CEST	50007	2967	192.168.2.4	158.220.80.167
Oct 25, 2024 18:59:21.124533892 CEST	2967	50007	158.220.80.167	192.168.2.4
Oct 25, 2024 18:59:24.215703011 CEST	2967	50007	158.220.80.167	192.168.2.4
Oct 25, 2024 18:59:24.216146946 CEST	50007	2967	192.168.2.4	158.220.80.167
Oct 25, 2024 18:59:24.216224909 CEST	50007	2967	192.168.2.4	158.220.80.167
Oct 25, 2024 18:59:24.217056990 CEST	50008	2967	192.168.2.4	158.220.80.167
Oct 25, 2024 18:59:24.222613096 CEST	2967	50007	158.220.80.167	192.168.2.4
Oct 25, 2024 18:59:24.222707987 CEST	2967	50008	158.220.80.167	192.168.2.4
Oct 25, 2024 18:59:24.222954035 CEST	50008	2967	192.168.2.4	158.220.80.167
Oct 25, 2024 18:59:24.223176956 CEST	50008	2967	192.168.2.4	158.220.80.167
Oct 25, 2024 18:59:24.228897095 CEST	2967	50008	158.220.80.167	192.168.2.4
Oct 25, 2024 18:59:24.229006052 CEST	50008	2967	192.168.2.4	158.220.80.167

Target ID:	0
Start time:	12:57:00
Start date:	25/10/2024
Path:	C:\Users\user\Desktop\iQPxJrxxaj.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\iQPxJrxxaj.exe"
Imagebase:	0x110000
File size:	1'361'408 bytes
MD5 hash:	FD379C5ED778EA1000DA0B8C9458F7F8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PikaBot, Description: Yara detected PikaBot, Source: 00000000.00000003.1666658664.0000000004200000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PikaBot, Description: Yara detected PikaBot, Source: 00000000.00000002.1699427684.0000000004230000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	12:57:04
Start date:	25/10/2024
Path:	C:\Windows\SysWOW64\ctfmon.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\ctfmon.exe -p 1234"
Imagebase:	0x6e0000
File size:	9'728 bytes
MD5 hash:	1B19D302D7FFA3D0901B3D990A4E8E12
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	8%
Dynamic/Decrypted Code Coverage:	31.3%
Signature Coverage:	34.9%
Total number of Nodes:	1414
Total number of Limit Nodes:	43

Executed Functions

Function 042346E0 Relevance: 74.8, APIs: 14, Strings: 28, Instructions: 1343threadCOMMON

Download Yara Rule

APIs

GetTopWindow.USER32 ref: 0423472C
GetThreadUILanguage.KERNEL32 ref: 04234788
SetLastError.KERNEL32 ref: 04234848
GetDesktopWindow.USER32 ref: 04234972

Part of subcall function 04241790: GetOEMCP.KERNEL32 ref: 0424179E
Part of subcall function 04241790: GetLastActivePopup.USER32 ref: 042417B9

GetShellWindow.USER32 ref: 04234E01
GetCurrentThread.KERNEL32 ref: 04234EAF
GetTopWindow.USER32 ref: 04234EBC
SetLastError.KERNEL32(?), ref: 042354C2
GetCurrentThreadId.KERNEL32 ref: 04235790
AnyPopup.USER32 ref: 04235806
SetLastError.KERNEL32 ref: 042358B0
GetTopWindow.USER32 ref: 042358E7
GetLastActivePopup.USER32(00000001), ref: 04235B21
GetForegroundWindow.USER32(00000001), ref: 04235CE4

Strings

LdrpResGetMappingSize Exit, xrefs: 04235A00
Nullsoft.NSIS, xrefs: 04235462, 042354C8
SdbpOpenLocalDatabaseEx, xrefs: 04235AA7
The remote user session has been deleted., xrefs: 04234A65
The action type is not compatible with the layer., xrefs: 04234A3C, 04234C21, 04234F76, 04235178, 0423527A, 0423572B, 04235826, 0423596F, 04235977, 04235CF9, 04235D20, 04235E6C, 04235E78
SXS: %s() NtMapViewOfSection failed, xrefs: 04235D28
The cloud sync provider failed user authentication., xrefs: 04235229
The printer power has been turned off., xrefs: 04235A10
WER/CrashAPI:%u: TRACE WERP_DEBUGGER_INFO.ProtectionLevel: %08X, xrefs: 04235983
An operation was attempted to a volume after it was dismounted., xrefs: 042347FB, 04234982, 04234BAB, 04234C15, 04234C2D, 04234D5B, 04235180, 04235723, 04235765, 042357D0, 042358ED, 04235AB3, 04235BA7
The directory is a reparse point., xrefs: 042353B5
STATUS_ABANDONED_WAIT_0, xrefs: 042347B7, 04234A58, 04234BE7, 04234D76, 04234DC4, 04234F42, 04235037, 04235232, 0423535E, 042353F4, 04235511, 0423571A, 042359F6, 04235E48
RtlStringCchPrintfW failed [%x], xrefs: 04234D0B, 04235040, 04235048, 042350B9, 042350C1, 04235150, 042353AD, 04235759, 04235953, 04235B4D, 04235CA3, 04235D01
Business rule scripts are disabled for the calling application., xrefs: 042358CF
The operation is not supported by the specified layer., xrefs: 04235B55
Built-in WEBP Codec, xrefs: 04234B80
The QUIC connection handshake failed., xrefs: 042357DD
Invalid value type, xrefs: 042350CD
Initializing TLS slots failed with status 0x%08lx, xrefs: 04235A08
Microsoft Time-Stamp PCA 2010, xrefs: 04235001
AslPathWildcardFindFirst/Next failed to find a file [%x], xrefs: 04234E97
The requested system device cannot be found., xrefs: 0423518D
The specified object has already been initialized., xrefs: 04235B65
Specified present path is not in VidPN's topology., xrefs: 04235B5D
{Virtual Memory Minimum Too Low}, xrefs: 04234709, 042348D7
Invalid COM Descriptor virtual address encountered, xrefs: 0423565D
NonRFGImageLoad, xrefs: 04234F82
DebugProcessHeapOnly, xrefs: 04234A21

Memory Dump Source

Source File: 00000000.00000002.1699427684.0000000004230000.00000040.00001000.00020000.00000000.sdmp, Offset: 04230000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4230000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: Window$Last$ErrorPopupThread$ActiveCurrent$DesktopForegroundLanguageShell
String ID: An operation was attempted to a volume after it was dismounted.$AslPathWildcardFindFirst/Next failed to find a file [%x]$Built-in WEBP Codec$Business rule scripts are disabled for the calling application.$DebugProcessHeapOnly$Initializing TLS slots failed with status 0x%08lx$Invalid COM Descriptor virtual address encountered$Invalid value type$LdrpResGetMappingSize Exit$Microsoft Time-Stamp PCA 2010$NonRFGImageLoad$Nullsoft.NSIS$RtlStringCchPrintfW failed [%x]$STATUS_ABANDONED_WAIT_0$SXS: %s() NtMapViewOfSection failed$SdbpOpenLocalDatabaseEx$Specified present path is not in VidPN's topology.$The QUIC connection handshake failed.$The action type is not compatible with the layer.$The cloud sync provider failed user authentication.$The directory is a reparse point.$The operation is not supported by the specified layer.$The printer power has been turned off.$The remote user session has been deleted.$The requested system device cannot be found.$The specified object has already been initialized.$WER/CrashAPI:%u: TRACE WERP_DEBUGGER_INFO.ProtectionLevel: %08X${Virtual Memory Minimum Too Low}
API String ID: 1879556982-341976307
Opcode ID: 45284923faa7a2f60c34d7943aaa60fde6ba8648ed94f1cc112c6cd66ce9a3da
Instruction ID: 989d0e757c92b0b8ac7003191026de8aed66bc122e89edce91c82a2993485243
Opcode Fuzzy Hash: 45284923faa7a2f60c34d7943aaa60fde6ba8648ed94f1cc112c6cd66ce9a3da
Instruction Fuzzy Hash: 74D2F1B5B243988EE701CF7CE4882A97FF5FB85204F1485EAC88897351D678AD85CF91

Function 0014E040 Relevance: 73.9, APIs: 26, Strings: 16, Instructions: 368
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitCommonControlsEx.COMCTL32(?), ref: 0014E0EF
SHGetKnownFolderPath.SHELL32(00209740,00000000,00000000,00000000), ref: 0014E132
CoTaskMemFree.OLE32(00000000,00000000,-00000002), ref: 0014E16C
LoadLibraryW.KERNEL32(?), ref: 0014E32F
GetProcAddress.KERNEL32(00000000,AllowDarkModeForApp), ref: 0014E363
GetProcAddress.KERNEL32(00000000,SetPreferredAppMode), ref: 0014E372
GetProcAddress.KERNEL32(AllowDarkModeForWindow), ref: 0014E384
GetProcAddress.KERNEL32(ShouldAppsUseDarkMode), ref: 0014E396
GetProcAddress.KERNEL32(IsDarkModeAllowedForWindow), ref: 0014E3A8
GetProcAddress.KERNEL32(IsDarkModeAllowedForApp), ref: 0014E3BA
GetProcAddress.KERNEL32(ShouldSystemUseDarkMode), ref: 0014E3CC
GetProcAddress.KERNEL32(RefreshImmersiveColorPolicyState), ref: 0014E3DE
GetProcAddress.KERNEL32(GetIsImmersiveColorUsingHighContrast), ref: 0014E3F0
GetProcAddress.KERNEL32(FlushMenuThemes), ref: 0014E402
GetModuleHandleW.KERNEL32(user32.dll,SetWindowCompositionAttribute), ref: 0014E413
GetProcAddress.KERNEL32(00000000), ref: 0014E41A
GetProcAddress.KERNEL32(00000087), ref: 0014E43D
GetProcAddress.KERNEL32(00000087), ref: 0014E460
GetProcAddress.KERNEL32(00000085), ref: 0014E47B
GetProcAddress.KERNEL32(00000084), ref: 0014E496
GetProcAddress.KERNEL32(00000089), ref: 0014E4B1
GetProcAddress.KERNEL32(0000008B), ref: 0014E4CC
GetProcAddress.KERNEL32(0000008A), ref: 0014E4E7
GetProcAddress.KERNEL32(00000068), ref: 0014E4FF
GetProcAddress.KERNEL32(0000006A), ref: 0014E517
GetProcAddress.KERNEL32(00000088), ref: 0014E532

Strings

RefreshImmersiveColorPolicyState, xrefs: 0014E3CE
SetPreferredAppMode, xrefs: 0014E36C
AllowDarkModeForApp, xrefs: 0014E35D
GetIsImmersiveColorUsingHighContrast, xrefs: 0014E3E0
IsDarkModeAllowedForWindow, xrefs: 0014E398
ShouldSystemUseDarkMode, xrefs: 0014E3BC
invalid stol argument, xrefs: 0014E585, 0014E599, 0014E5AD
uxtheme.dll, xrefs: 0014E31B
IsDarkModeAllowedForApp, xrefs: 0014E3AA
user32.dll, xrefs: 0014E409
FlushMenuThemes, xrefs: 0014E3F2
stol argument out of range, xrefs: 0014E58F, 0014E5A3, 0014E5B7
AllowDarkModeForWindow, xrefs: 0014E379
SetWindowCompositionAttribute, xrefs: 0014E404
ShouldAppsUseDarkMode, xrefs: 0014E386
\uxtheme.dll, xrefs: 0014E172

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: AddressProc$CommonControlsFolderFreeHandleInitKnownLibraryLoadModulePathTask
String ID: AllowDarkModeForApp$AllowDarkModeForWindow$FlushMenuThemes$GetIsImmersiveColorUsingHighContrast$IsDarkModeAllowedForApp$IsDarkModeAllowedForWindow$RefreshImmersiveColorPolicyState$SetPreferredAppMode$SetWindowCompositionAttribute$ShouldAppsUseDarkMode$ShouldSystemUseDarkMode$\uxtheme.dll$invalid stol argument$stol argument out of range$user32.dll$uxtheme.dll
API String ID: 1016854174-2742066203
Opcode ID: 153c6e10226d030018766ec0e9a33c9dc7bba35ba12bd5c3434ad267c377b51e
Instruction ID: 45bdf2d9cbdb9fbe857e745b0c618770ea14674a238c8bca7d312c3a78a3c168
Opcode Fuzzy Hash: 153c6e10226d030018766ec0e9a33c9dc7bba35ba12bd5c3434ad267c377b51e
Instruction Fuzzy Hash: 93E1AFB4D10218AFDB229FA4FC59BAD7BF4BF14308F04152AE901AB2B5D7B45991CF90

Function 0423844C Relevance: 69.3, APIs: 23, Strings: 16, Instructions: 1093threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 042384DE
GetUserDefaultLangID.KERNEL32 ref: 04238613
GetLargePageMinimum.KERNEL32 ref: 04238667
GetThreadUILanguage.KERNEL32 ref: 04238777
GetWindowTextLengthW.USER32 ref: 04238AEE
GetForegroundWindow.USER32 ref: 04238BBC
GetWindowTextLengthA.USER32 ref: 04238BCA
SetLastError.KERNEL32(00000000), ref: 04238C35
GetLastActivePopup.USER32(00000000), ref: 04238CB6
GetLastActivePopup.USER32(Failed to get the database ID), ref: 04238CC0
GetLastActivePopup.USER32(?), ref: 04238CCA
GetTopWindow.USER32(00000000), ref: 04238D6F
GetThreadUILanguage.KERNEL32(00000000), ref: 04238EFF
GetModuleHandleW.KERNEL32 ref: 04238F9B
GetThreadUILanguage.KERNEL32 ref: 04239006
GetTickCount.KERNEL32 ref: 04239049
GetLastError.KERNEL32 ref: 04239098
GetLastError.KERNEL32 ref: 04239180
GetParent.USER32 ref: 0423918E

Part of subcall function 0423A8A0: GetUserDefaultLangID.KERNEL32 ref: 0423A90D

GetSystemDefaultLangID.KERNEL32 ref: 04239475
GetTopWindow.USER32 ref: 04239564
GetLastActivePopup.USER32(0000003F), ref: 042395B7
GetOEMCP.KERNEL32(82040462), ref: 042395F6

Strings

SXS: %s() BaseDllMapResourceIdA failed, xrefs: 0423878E, 04238837, 04238B11, 04238B2C, 04238B34, 04238B4F, 04238B6A, 04238B72, 04238E6E, 04238EA0, 042390EC, 0423916C, 04239174, 042394E4, 04239526, 0423952E, 042396AF
DaylightBias, xrefs: 0423847A
M, xrefs: 04239014
A key manager capable of key dictation is already registered, xrefs: 04238624
DefaultBrowser_NOPUBLISHERID, xrefs: 042384BE, 042385F3, 04238630, 042388BB, 04238A2F, 04238CCC, 04238D41, 04238E19, 04238F06, 04238F94, 0423913D, 042391B2, 04239403, 042394D3, 0423956A, 04239614, 042396EB
#, xrefs: 042391E2
Failed to get the database ID, xrefs: 04238889, 04238CB8
H, xrefs: 0423932F
The operation was blocked by parental controls., xrefs: 04238713, 042388C3, 042389FD, 04238A5F, 04238C3B, 04238F64, 04239200, 042394CB, 04239683, 042396A7
An error occurred while NDIS tried to map the file., xrefs: 0423909E, 0423967B, 042396F3
drvGetDefaultCommConfigW, xrefs: 0423882F, 04238E66
[, xrefs: 042391EC
?, xrefs: 042393D3
&, xrefs: 042390B2
2, xrefs: 0423900A
^, xrefs: 042393DF

Memory Dump Source

Source File: 00000000.00000002.1699427684.0000000004230000.00000040.00001000.00020000.00000000.sdmp, Offset: 04230000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4230000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: Last$Window$ActivePopupThread$DefaultErrorLangLanguage$LengthTextUser$CountCurrentForegroundHandleLargeMinimumModulePageParentSystemTick
String ID: #$&$2$?$A key manager capable of key dictation is already registered$An error occurred while NDIS tried to map the file.$DaylightBias$DefaultBrowser_NOPUBLISHERID$Failed to get the database ID$H$M$SXS: %s() BaseDllMapResourceIdA failed$The operation was blocked by parental controls.$[$^$drvGetDefaultCommConfigW
API String ID: 2889099878-380783571
Opcode ID: e21f326cedcd2f2466af73c3c27981899542a332aeddd15aa3c36db1430851dd
Instruction ID: 9d64289681a2aa27c41b75f8bb4ab6027f2a2ace017e23012b71b7c2ca70c7d4
Opcode Fuzzy Hash: e21f326cedcd2f2466af73c3c27981899542a332aeddd15aa3c36db1430851dd
Instruction Fuzzy Hash: 94B2AEB1B613458FD710DF2CF4882AA7BF9FB84345F8445A9D888DB241E778A981CF81

Function 0018C3D0 Relevance: 66.6, APIs: 1, Strings: 36, Instructions: 1865comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00209790,00000000,00000001,0021592C,?), ref: 0018E064

Strings

Software\grepWinNP3\Date1High, xrefs: 0018DBEB
$!!, xrefs: 0018C75C
Software\grepWinNP3\KeepFileDate, xrefs: 0018CFA7
Software\grepWinNP3\Date2High, xrefs: 0018DD61
$!!, xrefs: 0018C77A
Software\grepWinNP3\backupinfolder, xrefs: 0018D9C8
Software\grepWinNP3\CreateBackup, xrefs: 0018CEEC
Software\grepWinNP3\OpacityNoFocus, xrefs: 0018DF92
Software\grepWinNP3\WholeWords, xrefs: 0018D062
Software\grepWinNP3\UseFileMatchRegex, xrefs: 0018D3F7
}, xrefs: 0018DE4F
Software\grepWinNP3\searchpath, xrefs: 0018D770
Software\grepWinNP3\IncludeSystem, xrefs: 0018CB45
$!!, xrefs: 0018C7B6
Software\grepWinNP3\StayOnTop, xrefs: 0018DED7
Software\grepWinNP3\Date2Low, xrefs: 0018DCA6
Software\grepWinNP3\IncludeSubfolders, xrefs: 0018CCBB
Software\grepWinNP3\Date1Low, xrefs: 0018DB30
Software\grepWinNP3\CaseSensitive, xrefs: 0018D28F
Software\grepWinNP3\Size, xrefs: 0018C982
Software\grepWinNP3\DateLimit, xrefs: 0018DA75
2000, xrefs: 0018C954
$!!, xrefs: 0018C73E
Software\grepWinNP3\SizeCombo, xrefs: 0018CA98
Software\grepWinNP3\ShowContent, xrefs: 0018DE1C
$!!, xrefs: 0018C798
Software\grepWinNP3\AllSize, xrefs: 0018C88C
Software\grepWinNP3\DotMatchesNewline, xrefs: 0018D33C
Software\grepWinNP3\IncludeSymLinks, xrefs: 0018CD76
Software\grepWinNP3\ExcludeDirsPattern, xrefs: 0018D62E
Software\grepWinNP3\IncludeBinary, xrefs: 0018CE31
Software\grepWinNP3\UTF8, xrefs: 0018D11D
Software\grepWinNP3\IncludeHidden, xrefs: 0018CC00
Software\grepWinNP3\pattern, xrefs: 0018D4EC
Software\grepWinNP3\UseRegex, xrefs: 0018C7DC
Software\grepWinNP3\editorcmd, xrefs: 0018D8B2

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: CreateInstance
String ID: $!!$$!!$$!!$$!!$$!!$2000$Software\grepWinNP3\AllSize$Software\grepWinNP3\CaseSensitive$Software\grepWinNP3\CreateBackup$Software\grepWinNP3\Date1High$Software\grepWinNP3\Date1Low$Software\grepWinNP3\Date2High$Software\grepWinNP3\Date2Low$Software\grepWinNP3\DateLimit$Software\grepWinNP3\DotMatchesNewline$Software\grepWinNP3\ExcludeDirsPattern$Software\grepWinNP3\IncludeBinary$Software\grepWinNP3\IncludeHidden$Software\grepWinNP3\IncludeSubfolders$Software\grepWinNP3\IncludeSymLinks$Software\grepWinNP3\IncludeSystem$Software\grepWinNP3\KeepFileDate$Software\grepWinNP3\OpacityNoFocus$Software\grepWinNP3\ShowContent$Software\grepWinNP3\Size$Software\grepWinNP3\SizeCombo$Software\grepWinNP3\StayOnTop$Software\grepWinNP3\UTF8$Software\grepWinNP3\UseFileMatchRegex$Software\grepWinNP3\UseRegex$Software\grepWinNP3\WholeWords$Software\grepWinNP3\backupinfolder$Software\grepWinNP3\editorcmd$Software\grepWinNP3\pattern$Software\grepWinNP3\searchpath$}
API String ID: 542301482-2113142885
Opcode ID: e74117559f97f645472766f45af5a380c2168b9ca20d15ee5ea5fcf8ee510823
Instruction ID: 7d78029b9176badf3d74bd20a8f42345dbcdc9da56a5eef343b2ab296bf29e84
Opcode Fuzzy Hash: e74117559f97f645472766f45af5a380c2168b9ca20d15ee5ea5fcf8ee510823
Instruction Fuzzy Hash: 1F1335B0D01749AEDB58DFB8C89879EBBF1BF08304F20461DE059A7691E7B96654CF80

Function 04231394 Relevance: 52.0, APIs: 12, Strings: 17, Instructions: 1229threadwindowtimeCOMMON

Download Yara Rule

APIs

GetOEMCP.KERNEL32 ref: 0423164D
GetWindowTextLengthA.USER32 ref: 042317F5
GetDialogBaseUnits.USER32 ref: 04231D06
GetMessageTime.USER32 ref: 04231DFA

Part of subcall function 04240240: GetModuleHandleW.KERNEL32 ref: 042402B1
Part of subcall function 04240240: GetLastActivePopup.USER32(00000000), ref: 042402CC

GetShellWindow.USER32 ref: 0423208C
GetCurrentThreadId.KERNEL32 ref: 04232262
GetSystemDefaultLangID.KERNEL32 ref: 04232290
GetOEMCP.KERNEL32 ref: 04232331
GetDesktopWindow.USER32 ref: 0423240E

Part of subcall function 04241790: GetOEMCP.KERNEL32 ref: 0424179E
Part of subcall function 04241790: GetLastActivePopup.USER32 ref: 042417B9

GetModuleHandleW.KERNEL32 ref: 04232794
GetCurrentThreadId.KERNEL32 ref: 0423280F
GetLastActivePopup.USER32 ref: 042328B6

Strings

Floating-point inexact result., xrefs: 042314DD, 042317FE, 04231D32, 04231E49, 04231F19, 04232150, 04232358, 04232479, 042327B6
services.exe, xrefs: 0423148C, 04231792, 04231AED, 04231F66, 04231FC6, 0423212D
Object Path Component was not a directory object., xrefs: 04231596
Large Screen, xrefs: 04231A96
The command was not recognized by the security core, xrefs: 042321F2
The cloud file provider exited unexpectedly., xrefs: 042324A3
SXS: %s() NtMapViewOfSection failed, xrefs: 0423147A, 042314BD, 04231A42, 04231AA7, 04231AD9, 04231B82, 04231C5D, 04231ED6, 04231F21, 04231F5E, 04231F8B, 04231FDA, 0423211D, 042321FE, 042324E4, 042327EA, 042327F6
The driver stack doesn't match the expected driver model., xrefs: 04231484, 04231494, 04231B8E, 04231FBE, 04231FCE, 04232011, 0423205F, 04232125, 04232135, 0423229B, 042322FE
The cluster node already exists., xrefs: 0423278D
rswop.icm, xrefs: 042313BF
SdbpCheckPackageAttributes, xrefs: 04231F3F
Debugger received RIP exception., xrefs: 04231CD1
Failed to get HWID, xrefs: 04232647
MachinePreferredUILanguages, xrefs: 04231968
The RPC call completed before all pipes were processed., xrefs: 042313F5, 04231AE1, 04231B31, 04231B71, 04231CE3, 04231E24, 04231FB6, 04232029, 04232052, 0423222A, 042325B2, 0423269B, 042326B0, 04232821, 042328E1
Network access is denied., xrefs: 042316EC
Business rule scripts are disabled for the calling application., xrefs: 0423187A

Memory Dump Source

Source File: 00000000.00000002.1699427684.0000000004230000.00000040.00001000.00020000.00000000.sdmp, Offset: 04230000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4230000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: ActiveLastPopupWindow$CurrentHandleModuleThread$BaseDefaultDesktopDialogLangLengthMessageShellSystemTextTimeUnits
String ID: Business rule scripts are disabled for the calling application.$Debugger received RIP exception.$Failed to get HWID$Floating-point inexact result.$Large Screen$MachinePreferredUILanguages$Network access is denied.$Object Path Component was not a directory object.$SXS: %s() NtMapViewOfSection failed$SdbpCheckPackageAttributes$The RPC call completed before all pipes were processed.$The cloud file provider exited unexpectedly.$The cluster node already exists.$The command was not recognized by the security core$The driver stack doesn't match the expected driver model.$rswop.icm$services.exe
API String ID: 474283001-2113168018
Opcode ID: 42b84f2fd2ec22a417bb43f0120f43d7de443a8caa36e1420f3a303598efeecc
Instruction ID: e4c1e271350f80ab2f9aa842e48e7c8a548b53592c6e74b416101e6643ee29a8
Opcode Fuzzy Hash: 42b84f2fd2ec22a417bb43f0120f43d7de443a8caa36e1420f3a303598efeecc
Instruction Fuzzy Hash: 8EC24571B243998EDB148FB8E8843E9BFF5FF85210F1494BACC8897251D6789985CF90

Function 042335F4 Relevance: 44.7, APIs: 12, Strings: 13, Instructions: 924windowtimethreadCOMMON

Download Yara Rule

APIs

GetWindowTextLengthA.USER32 ref: 042336DA
GetModuleHandleW.KERNEL32(00000000), ref: 04233798
GetMessageTime.USER32 ref: 042339B3
SetLastError.KERNEL32 ref: 04233AEE
GetForegroundWindow.USER32(00000000), ref: 04233D71
GetModuleHandleW.KERNEL32 ref: 04233EBF

Part of subcall function 0424058C: GetTopWindow.USER32 ref: 042405AC
Part of subcall function 0424058C: GetWindowTextLengthA.USER32 ref: 042405DC
Part of subcall function 0424058C: GetLargePageMinimum.KERNEL32(00000000), ref: 04240609

GetShellWindow.USER32 ref: 04233FF6
GetParent.USER32 ref: 04234041
GetOEMCP.KERNEL32 ref: 042340E3
GetThreadUILanguage.KERNEL32 ref: 042341ED
GetLastError.KERNEL32 ref: 04234305
GetUserDefaultLangID.KERNEL32 ref: 04234589

Part of subcall function 0423EB18: GetMessageTime.USER32 ref: 0423EB42
Part of subcall function 0423EB18: GetForegroundWindow.USER32 ref: 0423EB57
Part of subcall function 0423EB18: lstrlenW.KERNEL32 ref: 0423EC17

Strings

Too many Sids have been specified., xrefs: 04233633, 04233BAF, 04233BBF, 04233CBB, 04233CC3, 042341B9, 04234573
AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 04233ABC, 04233BB7, 04233C57, 04233CB3, 04233FCE, 04234125, 0423412D, 04234135, 042341A9, 042341B1, 04234563, 0423456B
AVRF: exception raised while probing provider %ws , xrefs: 04233E6B
P, xrefs: 0423451A
The disk contains non-simple volumes., xrefs: 04234385
L, xrefs: 04234510
Win32AppCompat, xrefs: 04233C37
{Mapped View Alignment Incorrect}, xrefs: 04233627
The package is currently not available., xrefs: 04233786, 0423398D, 042339DE, 04233AB0, 04233B31, 04233B8C, 04233C68, 04233CAB, 04233EB8, 04233F86, 04233F95, 04233FBA, 04233FDA, 04234010, 0423411D, 04234205, 042344D8, 0423466B, 04234678, 04234689
The server version does not match the requested version., xrefs: 04233AA8, 04233B29, 04233BA7, 04233C4B, 04233FC2, 04234165, 042341A1, 0423420D, 042344E0, 04234504, 0423455B
The callback data queue has been disabled., xrefs: 0423395D
FrontHeapLockCount, xrefs: 0423414C
UUUUUUUU, xrefs: 04233808

Memory Dump Source

Source File: 00000000.00000002.1699427684.0000000004230000.00000040.00001000.00020000.00000000.sdmp, Offset: 04230000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4230000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: Window$ErrorForegroundHandleLastLengthMessageModuleTextTime$DefaultLangLanguageLargeMinimumPageParentShellThreadUserlstrlen
String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p) $AVRF: exception raised while probing provider %ws $FrontHeapLockCount$L$P$The callback data queue has been disabled.$The disk contains non-simple volumes.$The package is currently not available.$The server version does not match the requested version.$Too many Sids have been specified.$UUUUUUUU$Win32AppCompat${Mapped View Alignment Incorrect}
API String ID: 3832088895-2269772536
Opcode ID: a9f73eadaa8946861013831d39a94f87f1f9b2d3e9daed458cb4ec9ba926dad2
Instruction ID: 78ebbe22b8ef46a99c2f7138848ae1294d624a4efbe6150f3e1e8a8a113561df
Opcode Fuzzy Hash: a9f73eadaa8946861013831d39a94f87f1f9b2d3e9daed458cb4ec9ba926dad2
Instruction Fuzzy Hash: 8A9203B1B243588EE750DF78E4882AA7FF9FB95300F1544A9C88D97241D638DA85CFB1

Function 0423997C Relevance: 39.2, APIs: 12, Strings: 10, Instructions: 722
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastActivePopup.USER32 ref: 04239B75
GetWindowTextLengthA.USER32 ref: 04239C91
GetShellWindow.USER32 ref: 04239CCC
GetThreadUILanguage.KERNEL32 ref: 04239D55

Part of subcall function 0423FB34: lstrlenW.KERNEL32 ref: 0423FB79
Part of subcall function 0423FB34: GetWindowTextLengthW.USER32(00000000), ref: 0423FBC7
Part of subcall function 0423FB34: GetShellWindow.USER32 ref: 0423FBDD
Part of subcall function 0423FB34: SetLastError.KERNEL32 ref: 0423FC37
Part of subcall function 0423FB34: GetUserDefaultLangID.KERNEL32 ref: 0423FC3E
Part of subcall function 0423FB34: GetForegroundWindow.USER32 ref: 0423FC5F

Part of subcall function 0423B85C: RtlAllocateHeap.NTDLL(?,?,?,?,?,0423BF0B), ref: 0423B882

GetShellWindow.USER32 ref: 04239CE9

Part of subcall function 0423F2A8: GetTopWindow.USER32 ref: 0423F2BD

GetThreadUILanguage.KERNEL32 ref: 04239EE4
GetParent.USER32 ref: 04239F78
SetLastError.KERNEL32 ref: 04239FE3
GetCurrentThread.KERNEL32 ref: 0423A168

Part of subcall function 0423B88C: RtlFreeHeap.NTDLL ref: 0423B8B0

GetLastActivePopup.USER32(00000000), ref: 0423A38B
GetThreadUILanguage.KERNEL32 ref: 0423A43D
GetDialogBaseUnits.USER32 ref: 0423A5A2

Strings

InitOnceGetStringTableOffset, xrefs: 04239AB7, 04239D1C, 04239D6B, 04239D73, 04239D7B, 04239DD0, 04239DD8, 0423A2FF, 0423A3C3, 0423A3EC
;, xrefs: 0423A4E7
,, xrefs: 04239BE8
Microsoft Himalaya, xrefs: 04239D24, 04239DE0, 0423A2CB
An attempt was made to execute an illegal instruction., xrefs: 042399CD, 04239A5C, 0423A075, 0423A1B2
Error reading size data, xrefs: 04239B7B, 0423A452
@, xrefs: 0423A0CF
[, xrefs: 04239E26
*, xrefs: 0423A4F3
AslpFileGetClrVersionAttribute failed [%x], xrefs: 04239A98, 04239D2C, 04239F23, 0423A4A8

Memory Dump Source

Source File: 00000000.00000002.1699427684.0000000004230000.00000040.00001000.00020000.00000000.sdmp, Offset: 04230000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4230000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: Window$LastThread$LanguageShell$ActiveErrorHeapLengthPopupText$AllocateBaseCurrentDefaultDialogForegroundFreeLangParentUnitsUserlstrlen
String ID: *$,$;$@$An attempt was made to execute an illegal instruction.$AslpFileGetClrVersionAttribute failed [%x]$Error reading size data$InitOnceGetStringTableOffset$Microsoft Himalaya$[
API String ID: 3023793282-4021808248
Opcode ID: e17191d11ca74bf5efe601ac6c46fe8e36a62bd65aee32cc619d2db9c2b79d02
Instruction ID: f46ded7312971aa1f3b119bab9d168d9737e1281da22c9b7240a6d0519b4ba43
Opcode Fuzzy Hash: e17191d11ca74bf5efe601ac6c46fe8e36a62bd65aee32cc619d2db9c2b79d02
Instruction Fuzzy Hash: 137245B1A243458BE714EF7CE48865ABBF4FB84304F41896AD589DB640E778ED80DB42

Function 04232918 Relevance: 35.7, APIs: 10, Strings: 10, Instructions: 687
stringthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLargePageMinimum.KERNEL32 ref: 0423295C
GetForegroundWindow.USER32 ref: 04232A7B
GetWindowTextLengthA.USER32 ref: 04232AE2

Part of subcall function 042402E0: GetTickCount.KERNEL32 ref: 042402E6

Part of subcall function 0424058C: GetTopWindow.USER32 ref: 042405AC
Part of subcall function 0424058C: GetWindowTextLengthA.USER32 ref: 042405DC
Part of subcall function 0424058C: GetLargePageMinimum.KERNEL32(00000000), ref: 04240609

GetTickCount.KERNEL32 ref: 04232D0A
GetTopWindow.USER32 ref: 04232D35
lstrlenW.KERNEL32 ref: 04232E29
GetLastActivePopup.USER32 ref: 04232ED4
GetOEMCP.KERNEL32(00000000), ref: 0423312C

Part of subcall function 04242084: GetOEMCP.KERNEL32 ref: 04242096
Part of subcall function 04242084: GetLastActivePopup.USER32 ref: 042420B8
Part of subcall function 04242084: GetModuleHandleW.KERNEL32 ref: 042420D2
Part of subcall function 04242084: GetDialogBaseUnits.USER32 ref: 04242137
Part of subcall function 04242084: GetWindowTextLengthW.USER32 ref: 04242150

GetCurrentThreadId.KERNEL32 ref: 04233176

Part of subcall function 042413D4: GetCurrentThreadId.KERNEL32 ref: 042413F1
Part of subcall function 042413D4: GetDesktopWindow.USER32 ref: 0424141F
Part of subcall function 042413D4: GetParent.USER32 ref: 04241483
Part of subcall function 042413D4: SetLastError.KERNEL32 ref: 042414E9

Part of subcall function 04240240: GetModuleHandleW.KERNEL32 ref: 042402B1
Part of subcall function 04240240: GetLastActivePopup.USER32(00000000), ref: 042402CC

GetUserDefaultLangID.KERNEL32 ref: 04233523

Strings

STATUS_WAIT_3, xrefs: 04232F7B
windows blue, xrefs: 04232A49, 04232A51, 04232B79, 04232B96, 04232BE6, 04232C58, 04232D46, 04232DFE, 04232E5A, 04232F63, 04232FDB, 042330DD, 04233132, 0423313B, 042331E1, 04233244, 0423333C, 04233376, 04233412, 0423341A, 042334EE
AslpPathGetFormatInfo failed [%x], xrefs: 04232A5D, 04232C33, 04232C60, 04232E06, 04232E16
{Device Offline}, xrefs: 04232A76
The request failed due to a fatal device hardware error., xrefs: 04233118
ForceFlags, xrefs: 04232DD4
SdbpCheckMatchingRegistryEntry, xrefs: 04232B71, 04232BF2, 04232D4E, 04233148, 04233268, 04233270, 042332E7, 042332EF
Your interactive logon privilege has been disabled., xrefs: 04232E22
An invalid parameter was passed to a service or function., xrefs: 04232941
Please refer to your System Event Log for further information., xrefs: 04232B1C, 04232B86, 04232C68, 04232C70, 04232E0E, 0423327C, 042332FB, 0423337E, 04233386, 0423338E

Memory Dump Source

Source File: 00000000.00000002.1699427684.0000000004230000.00000040.00001000.00020000.00000000.sdmp, Offset: 04230000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4230000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: Window$Last$ActiveLengthPopupText$CountCurrentHandleLargeMinimumModulePageThreadTick$BaseDefaultDesktopDialogErrorForegroundLangParentUnitsUserlstrlen
String ID: An invalid parameter was passed to a service or function.$AslpPathGetFormatInfo failed [%x]$ForceFlags$Please refer to your System Event Log for further information.$STATUS_WAIT_3$SdbpCheckMatchingRegistryEntry$The request failed due to a fatal device hardware error.$Your interactive logon privilege has been disabled.$windows blue${Device Offline}
API String ID: 2597146153-1639703026
Opcode ID: c7b00517d1d6a3fcbb16168e403ee95c21319e0ae5dd150faa0c379a00156b7d
Instruction ID: acdda88a044bc1944f9f71419f90d4478a8729412a225212f0e519baf755611f
Opcode Fuzzy Hash: c7b00517d1d6a3fcbb16168e403ee95c21319e0ae5dd150faa0c379a00156b7d
Instruction Fuzzy Hash: 9262B0B1B643498FD711DF6CE5882AA7BF5FB85301F0484E9D8898B310D638A985CFA1

Function 0423C6A0 Relevance: 30.1, APIs: 8, Strings: 9, Instructions: 387
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 04241138: GetCurrentThreadId.KERNEL32 ref: 0424117A

Part of subcall function 042423AC: GetForegroundWindow.USER32 ref: 04242432

Part of subcall function 04241A30: GetModuleHandleW.KERNEL32 ref: 04241AE1
Part of subcall function 04241A30: GetDesktopWindow.USER32 ref: 04241BC2

GetModuleHandleW.KERNEL32 ref: 0423C73F
GetOEMCP.KERNEL32 ref: 0423C7F2
GetCurrentThread.KERNEL32 ref: 0423C84F
GetDesktopWindow.USER32 ref: 0423C978
GetLastActivePopup.USER32 ref: 0423C994
GetLargePageMinimum.KERNEL32 ref: 0423CBBC
GetThreadUILanguage.KERNEL32 ref: 0423CCB2
GetWindowTextLengthW.USER32 ref: 0423CCDA

Strings

Monitor descriptor could not be obtained., xrefs: 0423C79A, 0423C7AB, 0423C81C, 0423C903, 0423C90B, 0423CA1B, 0423CAFF, 0423CB61
G, xrefs: 0423CC28
RtlDosPathNameToNtPathName_U_WithStatus failed for %S [%x], xrefs: 0423C738
l.dl, xrefs: 0423C940
ntdl, xrefs: 0423C931
Indicates two revision levels are incompatible., xrefs: 0423C6F1, 0423C6F9, 0423C864, 0423C88A, 0423C892, 0423CA49, 0423CA51, 0423CAE1, 0423CAE9, 0423CD22
), xrefs: 0423C705
RtlArrayGet failed to get the next node, xrefs: 0423C792, 0423CA23, 0423CB07, 0423CC59, 0423CCF5
Access to the cloud file is denied., xrefs: 0423C8A6, 0423CC61, 0423CCFD

Memory Dump Source

Source File: 00000000.00000002.1699427684.0000000004230000.00000040.00001000.00020000.00000000.sdmp, Offset: 04230000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4230000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: Window$Thread$CurrentDesktopHandleModule$ActiveForegroundLanguageLargeLastLengthMinimumPagePopupText
String ID: )$Access to the cloud file is denied.$G$Indicates two revision levels are incompatible.$Monitor descriptor could not be obtained.$RtlArrayGet failed to get the next node$RtlDosPathNameToNtPathName_U_WithStatus failed for %S [%x]$l.dl$ntdl
API String ID: 2824035724-3218422991
Opcode ID: d4a72307eb90ea2d520351cb849e2aa661e7c8b7976bc9dc04ec454f20b283b8
Instruction ID: 3cd606b148782ab7dbc18173feec179ab4f8a7a454f31fa28547375b7abfec26
Opcode Fuzzy Hash: d4a72307eb90ea2d520351cb849e2aa661e7c8b7976bc9dc04ec454f20b283b8
Instruction Fuzzy Hash: B7029CB2B613018FE714EF6DE688619BBF9FBA4325F068469E445DB250E338E840DF41

Function 0423AF48 Relevance: 23.1, APIs: 9, Strings: 4, Instructions: 330
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetThreadUILanguage.KERNEL32 ref: 0423AF81

Part of subcall function 042409FC: GetDesktopWindow.USER32 ref: 04240A07
Part of subcall function 042409FC: GetThreadUILanguage.KERNEL32(?,0423B752), ref: 04240A48

GetDialogBaseUnits.USER32 ref: 0423AFCB
SetLastError.KERNEL32 ref: 0423B011
GetParent.USER32 ref: 0423B0DA
GetTickCount.KERNEL32 ref: 0423B0FD
GetWindowTextLengthA.USER32 ref: 0423B1EF
GetDialogBaseUnits.USER32 ref: 0423B2D0
GetDialogBaseUnits.USER32 ref: 0423B2D2
GetDialogBaseUnits.USER32 ref: 0423B2D4

Strings

The provider context is of the wrong type., xrefs: 0423AFA3, 0423B03D, 0423B38F
The specified plex is missing., xrefs: 0423B035, 0423B1D0, 0423B420, 0423B46F
, xrefs: 0423B19A
failureId, xrefs: 0423B0AF, 0423B0B7, 0423B1F9

Memory Dump Source

Source File: 00000000.00000002.1699427684.0000000004230000.00000040.00001000.00020000.00000000.sdmp, Offset: 04230000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4230000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: BaseDialogUnits$LanguageThreadWindow$CountDesktopErrorLastLengthParentTextTick
String ID: The provider context is of the wrong type.$The specified plex is missing.$failureId$
API String ID: 3857300698-4291309561
Opcode ID: 0fdd99bc2dc625fca0f137d374a93f75011ce672e2a41a208c2c59dc29ccb82c
Instruction ID: 93fcb6c704099fb5242d1953c19e457b36ad3102fd25a179df618894c7fa6b5c
Opcode Fuzzy Hash: 0fdd99bc2dc625fca0f137d374a93f75011ce672e2a41a208c2c59dc29ccb82c
Instruction Fuzzy Hash: E3E156B0B603458FDB04EF6CF48865ABBF9FB88341F15882AD585DB215E778AD81CB41

Function 0423A8A0 Relevance: 16.1, APIs: 4, Strings: 5, Instructions: 331
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserDefaultLangID.KERNEL32 ref: 0423A90D
CreateToolhelp32Snapshot.KERNEL32 ref: 0423AB3C
GetLargePageMinimum.KERNEL32 ref: 0423ACC6
AnyPopup.USER32 ref: 0423ACD6

Strings

No receive buffer has been supplied in a synchronous request., xrefs: 0423A9A9, 0423AB71, 0423AD03, 0423AD0B
{Bad Image Checksum}, xrefs: 0423AC42
The object does not exist., xrefs: 0423A8A1, 0423A97A, 0423AA04, 0423ABDA, 0423ABE6
The session has been cancelled., xrefs: 0423A8F9, 0423A901, 0423A982
AVRF: provider %ws did not initialize correctly , xrefs: 0423A942, 0423A9C3, 0423AC8E

Memory Dump Source

Source File: 00000000.00000002.1699427684.0000000004230000.00000040.00001000.00020000.00000000.sdmp, Offset: 04230000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4230000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: CreateDefaultLangLargeMinimumPagePopupSnapshotToolhelp32User
String ID: AVRF: provider %ws did not initialize correctly $No receive buffer has been supplied in a synchronous request.$The object does not exist.$The session has been cancelled.${Bad Image Checksum}
API String ID: 646634548-3299865291
Opcode ID: 532b2f9473d3f1e4e3f2a19b690ea4843dece43a95849a4a6791b3e0e7c36610
Instruction ID: 5a3bb1b0f38f65297416c37dc5b3f2a16215875ee2078fa59bfdff2c2b7ae661
Opcode Fuzzy Hash: 532b2f9473d3f1e4e3f2a19b690ea4843dece43a95849a4a6791b3e0e7c36610
Instruction Fuzzy Hash: 25E1ACB1B643558FD711EF6CE9482AABBF9FB85305F0084AAD889DB250D338AD45CF11

Function 042310E8 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 140
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 042413D4: GetCurrentThreadId.KERNEL32 ref: 042413F1
Part of subcall function 042413D4: GetDesktopWindow.USER32 ref: 0424141F
Part of subcall function 042413D4: GetParent.USER32 ref: 04241483
Part of subcall function 042413D4: SetLastError.KERNEL32 ref: 042414E9

CreateToolhelp32Snapshot.KERNEL32 ref: 04231212

Strings

A primary pack is already present., xrefs: 04231127, 0423112F, 042312FA
Windows.Core, xrefs: 0423111F, 0423113D, 0423125D
No leaks detected., xrefs: 04231117, 042312E6
An ACPI Power Object failed to transition state, xrefs: 04231151, 04231159, 042311B5, 04231298
No buffer is bound to composition surface, xrefs: 042311AD, 042312EE, 04231326

Memory Dump Source

Source File: 00000000.00000002.1699427684.0000000004230000.00000040.00001000.00020000.00000000.sdmp, Offset: 04230000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4230000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: CreateCurrentDesktopErrorLastParentSnapshotThreadToolhelp32Window
String ID: A primary pack is already present.$An ACPI Power Object failed to transition state$No buffer is bound to composition surface$No leaks detected.$Windows.Core
API String ID: 853061127-4035815744
Opcode ID: fc550d858755060c741b84d3a1306deb68c571dd35f7c13a3f019c4019f382e2
Instruction ID: 004cb6c824d92f4fed80c8d1e1bba67a2292dec5e14afd936a21be9aff6fdb4b
Opcode Fuzzy Hash: fc550d858755060c741b84d3a1306deb68c571dd35f7c13a3f019c4019f382e2
Instruction Fuzzy Hash: F55180F17743419FE700EF29E94866ABBF4FB84385F018519E889CB210E778E8508B52

Function 001577C0 Relevance: 11.7, APIs: 2, Strings: 4, Instructions: 1245COMMON

Download Yara Rule

APIs

PathFileExistsW.KERNELBASE(?), ref: 00157936

Part of subcall function 001D8A29: AcquireSRWLockExclusive.KERNEL32(0022A12C,00000000,?,?,0015FA33,0022B250,0022B1DC,?,00000003,001A50B5,?,?), ref: 001D8A34
Part of subcall function 001D8A29: ReleaseSRWLockExclusive.KERNEL32(0022A12C,?,0015FA33,0022B250,0022B1DC,?,00000003,001A50B5,?,?), ref: 001D8A6E

Part of subcall function 001D89D8: AcquireSRWLockExclusive.KERNEL32(0022A12C,?,?,0015FA49,0022B250,00000003), ref: 001D89E2
Part of subcall function 001D89D8: ReleaseSRWLockExclusive.KERNEL32(0022A12C,?,0015FA49,0022B250,00000003), ref: 001D8A15
Part of subcall function 001D89D8: WakeAllConditionVariable.KERNEL32(0022A128,?,0015FA49,0022B250,00000003), ref: 001D8A20

Strings

msgid, xrefs: 00157C36
X, xrefs: 00157A1D
@, xrefs: 00157A0C
msgstr, xrefs: 00157D90

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease$ConditionExistsFilePathVariableWake
String ID: @$X$msgid$msgstr
API String ID: 492889668-3581600636
Opcode ID: 7019adde60b3560a3238237aa4820785e22a7eaf03c9d62a0d1ac4dd019ee51c
Instruction ID: aaae4e86cc8f82b5fdc27eadd598f66fa48314ab6b1d714b11dcaa34aa2abb86
Opcode Fuzzy Hash: 7019adde60b3560a3238237aa4820785e22a7eaf03c9d62a0d1ac4dd019ee51c
Instruction Fuzzy Hash: 62C228B1D00218DFDB14DFA8D895BEDBBF0BF58304F1445AAE419AB291EB705A89CF50

Function 0423B4AC Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 190COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 0423B695

Strings

8, xrefs: 0423B70E
X, xrefs: 0423B704
Failed to allocate DB structure, xrefs: 0423B544, 0423B54C, 0423B5DE, 0423B5E6, 0423B626, 0423B746
WER/ReportFault:%u: ERROR Invalid params passed, xrefs: 0423B55B

Memory Dump Source

Source File: 00000000.00000002.1699427684.0000000004230000.00000040.00001000.00020000.00000000.sdmp, Offset: 04230000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4230000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: ForegroundWindow
String ID: 8$Failed to allocate DB structure$WER/ReportFault:%u: ERROR Invalid params passed$X
API String ID: 2020703349-1544440979
Opcode ID: 41afc280b499035ab31c86cee7eb61cf491f6c6e0f72288c9277673e4a8b11c0
Instruction ID: 237580a7e4bccf600f10da32049ff40d16168653c846dd0110f8bf23641fa30a
Opcode Fuzzy Hash: 41afc280b499035ab31c86cee7eb61cf491f6c6e0f72288c9277673e4a8b11c0
Instruction Fuzzy Hash: 65817DF1B243158FDB50EF3DE99865ABBF5FB98354F01866AC9489B201D638E840CF85

Function 04233548 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 42COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 0423357E
CheckRemoteDebuggerPresent.KERNELBASE ref: 042335E7

Strings

AslEnvGetProcessWowInfo failed [%x], xrefs: 04233577
pd /TilingType 1 put, xrefs: 04233549

Memory Dump Source

Source File: 00000000.00000002.1699427684.0000000004230000.00000040.00001000.00020000.00000000.sdmp, Offset: 04230000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4230000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: CheckDebuggerHandleModulePresentRemote
String ID: AslEnvGetProcessWowInfo failed [%x]$pd /TilingType 1 put
API String ID: 276317622-1007002732
Opcode ID: 08502877c7fd44032d30ed7ebd8497e00d357f1343f8fda1e8c7a458f51c243c
Instruction ID: 38605ffde944eaa400663299db9bf4d88661ca112b371e3f1c419cbeb046faa6
Opcode Fuzzy Hash: 08502877c7fd44032d30ed7ebd8497e00d357f1343f8fda1e8c7a458f51c243c
Instruction Fuzzy Hash: 940100B0B113488FD304DF2CE54956A7FF8EBC8350F04896DC892D7291E638A840CB00

Function 04231000 Relevance: 1.5, APIs: 1, Instructions: 28nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 0423C4B4: GetLastError.KERNEL32 ref: 0423C4D6
Part of subcall function 0423C4B4: GetLastActivePopup.USER32 ref: 0423C501
Part of subcall function 0423C4B4: GetLastActivePopup.USER32 ref: 0423C565

NtAlpcCreateSectionView.NTDLL(00000000,?,?,?,?,?,?,?,?,?,0423B8C7), ref: 04231052

Memory Dump Source

Source File: 00000000.00000002.1699427684.0000000004230000.00000040.00001000.00020000.00000000.sdmp, Offset: 04230000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4230000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: Last$ActivePopup$AlpcCreateErrorSectionView
String ID:
API String ID: 3416713291-0
Opcode ID: 7bed7bf154d5339e91a034665ef4a29caf3c48a2951a0cfdfb4dfc63859d48bb
Instruction ID: 2202dbdeed0839bfb48af007588f3dd971b66009a8b7d81684783dccde11dee1
Opcode Fuzzy Hash: 7bed7bf154d5339e91a034665ef4a29caf3c48a2951a0cfdfb4dfc63859d48bb
Instruction Fuzzy Hash: 49F0F8BA7001A0DFEB00EF98F84E7A63BB0F7A4215B014925D829D3310E23CAC24CB41

Function 001A0F00 Relevance: 88.4, APIs: 48, Strings: 2, Instructions: 854
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0014BE30: GetDlgItem.USER32(?,?), ref: 0014BE44
Part of subcall function 0014BE30: GetWindowTextLengthW.USER32(00000000), ref: 0014BE4B
Part of subcall function 0014BE30: GetDlgItemTextW.USER32(?,?,00000000,00000001), ref: 0014BE8D

IsDlgButtonChecked.USER32(?,000003E9), ref: 001A0F7C
SetDlgItemTextW.USER32(?,000003EC,00000000), ref: 001A1395
GetDlgItem.USER32(?,00000001), ref: 001A13BC
EnableWindow.USER32(00000000,00000001), ref: 001A13C5
GetDlgItem.USER32(?,00000419), ref: 001A13D2
EnableWindow.USER32(00000000,00000001), ref: 001A13DB
GetDlgItem.USER32(?,00000405), ref: 001A13E8
EnableWindow.USER32(00000000,00000001), ref: 001A13F1
GetDlgItem.USER32(?,000003E8), ref: 001A1407
RedrawWindow.USER32(00000000,?,000003E8,00000000,00000000,00000401,?,00000405,?,00000419,?,00000001,?,000003EC,00000000), ref: 001A140A

Strings

${fileext}, xrefs: 001A1185
${filepath}, xrefs: 001A1013, 001A10C2

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: Item$Window$EnableText$ButtonCheckedLengthRedraw
String ID: ${fileext}$${filepath}
API String ID: 4123494488-2440594156
Opcode ID: 3b4f7522a28693f94a4bbaa8c1e40a1a838e909c64590ba3de37161bee0e1f0a
Instruction ID: 7c79a255abbf45f50a5d666eb1fe1ad6c9a21492b031f0a26bda850036f3264c
Opcode Fuzzy Hash: 3b4f7522a28693f94a4bbaa8c1e40a1a838e909c64590ba3de37161bee0e1f0a
Instruction Fuzzy Hash: CE728BB4D00208EFDF14DFA8DC99BEDBBB1AF15304F248169E506AB292DBB15A45CF50

Function 0014B9A0 Relevance: 54.6, APIs: 29, Strings: 2, Instructions: 357
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowLongW.USER32(?,000000EB,?), ref: 0014B9CC
CreateWindowExW.USER32(00000000,tooltips_class32,00000000,80000003,80000000,80000000,80000000,80000000,?,00000000,?,00000000), ref: 0014B9FF
SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000013), ref: 0014BA15
SendMessageW.USER32(?,00000418,00000000,00000258), ref: 0014BA30
SendMessageW.USER32(?,00000401,00000001,00000000), ref: 0014BA3E
GetWindowLongW.USER32(?,000000EB), ref: 0014BA46
DefDlgProcW.USER32(?,00000110,?,?), ref: 0014BAB1
GetClientRect.USER32(?,?), ref: 0014BAC4
SetBkColor.GDI32(?,00000000), ref: 0014BAD3
ExtTextOutW.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 0014BAEB
SetWindowLongW.USER32(?,00000000,00000001), ref: 0014BAFC
SetBkColor.GDI32(?,00000000), ref: 0014BB0D
ExtTextOutW.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 0014BB4C
ExtTextOutW.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 0014BB81
ExtTextOutW.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 0014BBB6
ExtTextOutW.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 0014BBEB
SetWindowLongW.USER32(?,00000000,00000001), ref: 0014BBF8

Strings

DwmExtendFrameIntoClientArea, xrefs: 0014BD29
tooltips_class32, xrefs: 0014B9F8

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: Window$Text$Long$ColorMessageSend$ClientCreateProcRect
String ID: DwmExtendFrameIntoClientArea$tooltips_class32
API String ID: 2355803220-4124622142
Opcode ID: 358ea0db7a088fd9a58740aa62701fa79e5473b9a5c0c21bb0ef73f0473764cf
Instruction ID: 95e2bc64588ad290b7f44985e19c6f5d1b57e75f6a5c6b2a11d39921b89cf437
Opcode Fuzzy Hash: 358ea0db7a088fd9a58740aa62701fa79e5473b9a5c0c21bb0ef73f0473764cf
Instruction Fuzzy Hash: 8AC1A071644304BBD720CF69EC89F5ABBA8FB48761F10461AFA49E72E1D770E940CB91

Function 0014F580 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 103
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClientRect.USER32(?,?), ref: 0014F593
GetWindowRect.USER32(?,?), ref: 0014F59E
OffsetRect.USER32(?,?,?), ref: 0014F5B0
GetSystemMetrics.USER32(00000002), ref: 0014F5BE
GetSystemMetrics.USER32(00000003), ref: 0014F5C5
CreateWindowExW.USER32 ref: 0014F601
CreateRectRgn.GDI32(00000000,00000000,00000001,00000001), ref: 0014F617
CreateRectRgnIndirect.GDI32(00000000), ref: 0014F624
SetRectRgn.GDI32(00000000,00000000,00000000,?,00000001), ref: 0014F641
CombineRgn.GDI32(00000000,00000000,00000000,00000004), ref: 0014F64C
SetWindowRgn.USER32(?,00000000,00000000), ref: 0014F65F
ShowWindow.USER32(?,?), ref: 0014F682

Strings

ScrollBar, xrefs: 0014F5E2

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: Rect$Window$Create$MetricsSystem$ClientCombineIndirectOffsetShow
String ID: ScrollBar
API String ID: 3369083536-3978720103
Opcode ID: a9dd4f764562f5ee14ecc08084c8c7c8fe9b31f2460c5de3e1f78846e00dd644
Instruction ID: 156b8f53149aca78885d725204ef73c04d21da58beab13b96e2e7c5ef7e2284d
Opcode Fuzzy Hash: a9dd4f764562f5ee14ecc08084c8c7c8fe9b31f2460c5de3e1f78846e00dd644
Instruction Fuzzy Hash: C3314371240311AFEB509F65EC8EF663BACEB49701F510059FE06DA2D7D7B1A881CB64

Function 0014B630 Relevance: 18.1, APIs: 12, Instructions: 100
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDialogParamW.USER32(?,?,00000000,Function_0003B9A0), ref: 0014B652
ShowWindow.USER32(00000000,00000005,?,00000000,?,?,?,?,?,?,?), ref: 0014B65E
BringWindowToTop.USER32(?), ref: 0014B667
SetForegroundWindow.USER32(?), ref: 0014B670
LoadAcceleratorsW.USER32(?,?), ref: 0014B6A1
GetMessageW.USER32(00000000,00000000,00000000,00000000), ref: 0014B6D1
TranslateAcceleratorW.USER32(?,?,?), ref: 0014B6FA
IsDialogMessageW.USER32(?,?), ref: 0014B70C
TranslateMessage.USER32(?), ref: 0014B71B
DispatchMessageW.USER32(?), ref: 0014B722
PostQuitMessage.USER32(?), ref: 0014B738
DestroyWindow.USER32(?), ref: 0014B741

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: Message$Window$DialogTranslate$AcceleratorAcceleratorsBringCreateDestroyDispatchForegroundLoadParamPostQuitShow
String ID:
API String ID: 3538134301-0
Opcode ID: 3274388584a6452d8d9bb5708587b2d2b30516802ab4abd6b95e4ac3469da3d0
Instruction ID: 498b30e102689ab6306fe8357c9fa60a5ed97232dfef0fb378e5a14e2f6369ef
Opcode Fuzzy Hash: 3274388584a6452d8d9bb5708587b2d2b30516802ab4abd6b95e4ac3469da3d0
Instruction Fuzzy Hash: 4331FE71508301AFD710DF69EC88B6BBBE8BF88705F04491DF19AC21A2D771E885CB55

Function 04240008 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 130
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 04240064
GetLastError.KERNEL32(?,00000000,?,0423AE8A), ref: 0424007E
GetLastActivePopup.USER32 ref: 042400F6
GetModuleHandleW.KERNELBASE(00000000,?,0423AE8A), ref: 04240134
GetLargePageMinimum.KERNEL32(?,?,0423AE8A), ref: 04240177
GetSystemDefaultLangID.KERNEL32(?,?,0423AE8A), ref: 042401E5

Strings

{Insufficient Resources on Remote Computer}, xrefs: 042400BF, 04240183
The driver package cannot find a required driver configuration., xrefs: 0424003E
Checking file system on %wZ, xrefs: 0424012D
The specified named pipe is in the connected state., xrefs: 04240140, 042401F0

Memory Dump Source

Source File: 00000000.00000002.1699427684.0000000004230000.00000040.00001000.00020000.00000000.sdmp, Offset: 04230000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4230000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: Last$ActiveCurrentDefaultErrorHandleLangLargeMinimumModulePagePopupSystemThread
String ID: Checking file system on %wZ$The driver package cannot find a required driver configuration.$The specified named pipe is in the connected state.${Insufficient Resources on Remote Computer}
API String ID: 584268533-1900623555
Opcode ID: cb01a67eadc7ecdbb971cf6627c464623f2e6289292f1519bc171d1f1d1cbd19
Instruction ID: 0d6f422e3212b9f25e913b9445bffffa01461da1219876512733f8bd2f7e87a3
Opcode Fuzzy Hash: cb01a67eadc7ecdbb971cf6627c464623f2e6289292f1519bc171d1f1d1cbd19
Instruction Fuzzy Hash: 765177B5BA03028FE358CF6DF9891667FFAEBC8300B04C46AD945AB351E63C98458F40

Function 0423C100 Relevance: 16.0, APIs: 4, Strings: 5, Instructions: 213
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDefaultLangID.KERNEL32(?,?,?,?,?,00000B86,?,?,?,04231042,00000000), ref: 0423C194
GetUserDefaultLangID.KERNEL32 ref: 0423C235

Part of subcall function 0423D27C: GetDesktopWindow.USER32 ref: 0423D2D7
Part of subcall function 0423D27C: GetLastActivePopup.USER32 ref: 0423D337
Part of subcall function 0423D27C: GetSystemDefaultLangID.KERNEL32 ref: 0423D3A9
Part of subcall function 0423D27C: AnyPopup.USER32 ref: 0423D3BE
Part of subcall function 0423D27C: GetUserDefaultLangID.KERNEL32 ref: 0423D44A

Part of subcall function 04240F00: GetDesktopWindow.USER32 ref: 04240FA2
Part of subcall function 04240F00: GetDesktopWindow.USER32 ref: 04240FD9
Part of subcall function 04240F00: GetTopWindow.USER32 ref: 04241021

Part of subcall function 0423E4E0: GetCurrentThread.KERNEL32 ref: 0423E57C
Part of subcall function 0423E4E0: GetShellWindow.USER32 ref: 0423E638
Part of subcall function 0423E4E0: GetUserDefaultLangID.KERNEL32 ref: 0423E648

GetUserDefaultLangID.KERNEL32 ref: 0423C3B3
GetParent.USER32 ref: 0423C422

Strings

An invalid address was found on the control flow stack., xrefs: 0423C203, 0423C2F5, 0423C32B
AslpFileLargeGetChecksumAttributes, xrefs: 0423C3A7, 0423C45B
The volume repair could not be performed while it is online., xrefs: 0423C1E4, 0423C240, 0423C39F, 0423C463
WER/CrashAPI:%u: ERROR Exception in WerpCurrentPeb, xrefs: 0423C154, 0423C333
Secure Boot policy has unexpectedly changed., xrefs: 0423C14C, 0423C20B, 0423C27E, 0423C2BC

Memory Dump Source

Source File: 00000000.00000002.1699427684.0000000004230000.00000040.00001000.00020000.00000000.sdmp, Offset: 04230000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4230000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: DefaultLang$Window$User$Desktop$PopupSystem$ActiveCurrentLastParentShellThread
String ID: An invalid address was found on the control flow stack.$AslpFileLargeGetChecksumAttributes$Secure Boot policy has unexpectedly changed.$The volume repair could not be performed while it is online.$WER/CrashAPI:%u: ERROR Exception in WerpCurrentPeb
API String ID: 3278762495-1392373765
Opcode ID: 63a5808757deda1a40ac0ab697f47f7acbf1e4228e8801588f425df769743c92
Instruction ID: 784f252a31347bacce06ca2cad2dcbfe517407826e6b5c93209a321d9b91cbda
Opcode Fuzzy Hash: 63a5808757deda1a40ac0ab697f47f7acbf1e4228e8801588f425df769743c92
Instruction Fuzzy Hash: 1E91A1B2B603019BD311EF3EF44823ABBF9F780359F018929D9459B264E778A941CF91

Function 04240810 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 101
windowtimethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDefaultLangID.KERNEL32(?,?,?,0423B79D), ref: 04240862
GetMessageTime.USER32 ref: 04240883
GetCurrentThread.KERNEL32 ref: 04240898
GetLastError.KERNEL32(?,?,?,0423B79D), ref: 042408F4
GetForegroundWindow.USER32(?,?,?,0423B79D), ref: 04240982

Strings

TPM 2.0: Insufficient space for NV allocation., xrefs: 0424082B, 04240904
The specified port already has a completion list., xrefs: 042408C4
Built-in HEIC Codec, xrefs: 042408A4, 04240936
NumberOfWaitingExclusive = %lx, xrefs: 04240811

Memory Dump Source

Source File: 00000000.00000002.1699427684.0000000004230000.00000040.00001000.00020000.00000000.sdmp, Offset: 04230000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4230000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: CurrentDefaultErrorForegroundLangLastMessageSystemThreadTimeWindow
String ID: NumberOfWaitingExclusive = %lx$Built-in HEIC Codec$TPM 2.0: Insufficient space for NV allocation.$The specified port already has a completion list.
API String ID: 3541390845-3688297793
Opcode ID: 815364c1882b40251d5dd0176afe8cb604ac284fe66c4d485417409a23670aad
Instruction ID: 534958b8f8b2d35e45cb7a5e958b7d7df15248eee1a7fd28782e1773748ecb7f
Opcode Fuzzy Hash: 815364c1882b40251d5dd0176afe8cb604ac284fe66c4d485417409a23670aad
Instruction Fuzzy Hash: 8C419174BA03028FE3189F2CF6C92253FAAE7E8354F14546AD6468F254F279EC80CB50

Function 04240D70 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetOEMCP.KERNEL32 ref: 04240D82
GetWindowTextLengthA.USER32 ref: 04240DD8
GetLastActivePopup.USER32 ref: 04240E2C
GetForegroundWindow.USER32 ref: 04240E77
GetSystemDefaultLangID.KERNEL32 ref: 04240ED4

Strings

The system does not support fault tolerant volumes., xrefs: 04240DDE
The system is now ready for hibernation., xrefs: 04240D7A
FeatureUsage, xrefs: 04240E82
Microsoft America Operations1&0$, xrefs: 04240E32

Memory Dump Source

Source File: 00000000.00000002.1699427684.0000000004230000.00000040.00001000.00020000.00000000.sdmp, Offset: 04230000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4230000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: Window$ActiveDefaultForegroundLangLastLengthPopupSystemText
String ID: FeatureUsage$Microsoft America Operations1&0$$The system does not support fault tolerant volumes.$The system is now ready for hibernation.
API String ID: 1400623325-3058726051
Opcode ID: ac2aee04a30a3ae28d7e72eb67da7f88f68c6b414700976df9da2de6b697f286
Instruction ID: dc78adb5062b4b25dc41ed614df852f0bf644b51bb67a51a4331ee8fd721abd0
Opcode Fuzzy Hash: ac2aee04a30a3ae28d7e72eb67da7f88f68c6b414700976df9da2de6b697f286
Instruction Fuzzy Hash: 79417BB5F607019BE3089F2CF8896A5BBE9FBC9314B04807AD955DB701F27D9984CB41

Function 0423BBAC Relevance: 15.8, APIs: 2, Strings: 7, Instructions: 95COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 0423BBBF
GetOEMCP.KERNEL32 ref: 0423BC50

Strings

AslpFileMakeStringVersionAttributes, xrefs: 0423BC0D
An attempt was made to decommit uncommitted virtual memory., xrefs: 0423BC05
!Process, xrefs: 0423BC1D
Microsoft, xrefs: 0423BBCB, 0423BC6F, 0423BC78
An attempt was made to access an exiting process., xrefs: 0423BC80
/TableEntry, xrefs: 0423BC15, 0423BC88, 0423BCD2
gsave translate , xrefs: 0423BC90

Memory Dump Source

Source File: 00000000.00000002.1699427684.0000000004230000.00000040.00001000.00020000.00000000.sdmp, Offset: 04230000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4230000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: ErrorLast
String ID: !Process$/TableEntry$An attempt was made to access an exiting process.$An attempt was made to decommit uncommitted virtual memory.$AslpFileMakeStringVersionAttributes$Microsoft$gsave translate
API String ID: 1452528299-771149502
Opcode ID: dbaac42792bdd91d10b5c1f50fcf3cf0cb7c791976655f6001f76654d39a51f7
Instruction ID: 6107c70f42b2233924a75800b76ce3d9b96bdcc7844827a24c8d3b05b63c9679
Opcode Fuzzy Hash: dbaac42792bdd91d10b5c1f50fcf3cf0cb7c791976655f6001f76654d39a51f7
Instruction Fuzzy Hash: B64168B0B613058FE710AF3CE58922EBFF8EB84785F40485AD496DB251E738A804CB42

Function 04235E9C Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 137memorythreadCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,0423BB94), ref: 04235ED3
GetOEMCP.KERNEL32 ref: 04235F22
GetWindowTextLengthA.USER32 ref: 04235FC6

Part of subcall function 042413D4: GetCurrentThreadId.KERNEL32 ref: 042413F1
Part of subcall function 042413D4: GetDesktopWindow.USER32 ref: 0424141F
Part of subcall function 042413D4: GetParent.USER32 ref: 04241483
Part of subcall function 042413D4: SetLastError.KERNEL32 ref: 042414E9

GetCurrentThreadId.KERNEL32 ref: 0423606C
VirtualFree.KERNELBASE ref: 0423609D

Strings

CheckAllProcessMachinePolicyEnabled, xrefs: 04235F28, 04236017
The string UUID is invalid., xrefs: 04235FE9, 04235FF1, 04235FF9
A account group cannot have a universal group as a member., xrefs: 04235FE1

Memory Dump Source

Source File: 00000000.00000002.1699427684.0000000004230000.00000040.00001000.00020000.00000000.sdmp, Offset: 04230000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4230000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: CurrentThreadVirtualWindow$AllocDesktopErrorFreeLastLengthParentText
String ID: A account group cannot have a universal group as a member.$CheckAllProcessMachinePolicyEnabled$The string UUID is invalid.
API String ID: 732584986-1906444222
Opcode ID: d80d25bdacf77ed30d4273b47bd8be98176121e8b37607b047bdc5d481c662a0
Instruction ID: 9aeb2d2defa4e66267a067e870427d3b886d5043596ea6482f1b8c77abb055c6
Opcode Fuzzy Hash: d80d25bdacf77ed30d4273b47bd8be98176121e8b37607b047bdc5d481c662a0
Instruction Fuzzy Hash: E45172B1B243029FD724DF28E44A71A7FF9FB88355F018929E84DCB252E379A844CB41

Function 0423F860 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 84threadCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,0000000B,?,0423A731), ref: 0423F87E
GetCurrentThreadId.KERNEL32 ref: 0423F8B9
AnyPopup.USER32 ref: 0423F95B
GetCurrentThread.KERNEL32 ref: 0423F991
GetLastError.KERNEL32(?,0000000B,?,0423A731), ref: 0423F997

Strings

The specified task name is invalid., xrefs: 0423F961
An error occurred while NDIS tried to map the file., xrefs: 0423F8BF, 0423F933
Too many files are opened on a remote server., xrefs: 0423F884

Memory Dump Source

Source File: 00000000.00000002.1699427684.0000000004230000.00000040.00001000.00020000.00000000.sdmp, Offset: 04230000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4230000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: CurrentThread$ErrorForegroundLastPopupWindow
String ID: An error occurred while NDIS tried to map the file.$The specified task name is invalid.$Too many files are opened on a remote server.
API String ID: 1115741200-1773836707
Opcode ID: 38decefc3f13f1128d098848080e50c208c6a87c35f6c02dfbf97c206026468e
Instruction ID: 89c2f2e63b9a7fe5073fcff505bfd90577f6978d6074da3657949f8521c0fbab
Opcode Fuzzy Hash: 38decefc3f13f1128d098848080e50c208c6a87c35f6c02dfbf97c206026468e
Instruction Fuzzy Hash: 82319CB0B713869FD708CF3CF65C1287BBAE795789B15806AD8468E265E779A801CF04

Function 042372A4 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 116COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 042372BB
GetLargePageMinimum.KERNEL32 ref: 04237337

Strings

fDa4P9+d9sUhAxNtkA8rSqPR/YC9ci1IF5ZhBUb9pBFS5pnX7GJyuTRrRXK0JOsL1rP1a8enzEZmpPpqbTgOpLkt9tEO3RiAY0YJOXeYBzNTw9DT43DwYHu6jXJ1z8dWxhEJv0Ij6iO0ebdg87m6OhtROnYgAnJjsuzRnHkSVsa4c89NSnduqn/JL9vDotf5uTdc2ENjZ8tmytdJwTe6CU7GZZhhyOTFCfqCJYhcH9ccLUTJPKT1QLwoA9GEBlQTP5jt, xrefs: 04237499
WER/CrashAPI:%u: ERROR Final gather block size exceeds limit, xrefs: 0423741F
RtlUnicodeStringCbCatStringN failed [%x], xrefs: 04237439
AslpFileQuery16BitDescription, xrefs: 042372D0
FrontEndHeap, xrefs: 04237431

Memory Dump Source

Source File: 00000000.00000002.1699427684.0000000004230000.00000040.00001000.00020000.00000000.sdmp, Offset: 04230000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4230000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: DesktopLargeMinimumPageWindow
String ID: AslpFileQuery16BitDescription$FrontEndHeap$RtlUnicodeStringCbCatStringN failed [%x]$WER/CrashAPI:%u: ERROR Final gather block size exceeds limit$fDa4P9+d9sUhAxNtkA8rSqPR/YC9ci1IF5ZhBUb9pBFS5pnX7GJyuTRrRXK0JOsL1rP1a8enzEZmpPpqbTgOpLkt9tEO3RiAY0YJOXeYBzNTw9DT43DwYHu6jXJ1z8dWxhEJv0Ij6iO0ebdg87m6OhtROnYgAnJjsuzRnHkSVsa4c89NSnduqn/JL9vDotf5uTdc2ENjZ8tmytdJwTe6CU7GZZhhyOTFCfqCJYhcH9ccLUTJPKT1QLwoA9GEBlQTP5jt
API String ID: 2359144380-4176750766
Opcode ID: 9f3c500749e2f38bc33f8054dd83fa1ab85809d60f8b9797e39301f0d7cd76fb
Instruction ID: a39ba169037507b9bc22ed09a7579ebc5a3f29363935ae6e39f19fa947949f49
Opcode Fuzzy Hash: 9f3c500749e2f38bc33f8054dd83fa1ab85809d60f8b9797e39301f0d7cd76fb
Instruction Fuzzy Hash: 0451D4B1B143884EDB18DF39F8882EA7FA5EBE5315F0485F9C88987341C6389985CF91

Function 04243454 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,04236374,?,?,?,?,?,?,?,?,?,?,?), ref: 0424345E
GetUserDefaultLangID.KERNEL32(?,?,?,?,04236374,?,?,?,?,?,?,?,?,?,?,?), ref: 04243464
GetDesktopWindow.USER32 ref: 04243491
GetTopWindow.USER32 ref: 04243527
AnyPopup.USER32 ref: 04243559

Strings

The specified storage reserve ID is invalid., xrefs: 0424346A
AslpFileGetHeaderAttributesPE failed [%x], xrefs: 04243497

Memory Dump Source

Source File: 00000000.00000002.1699427684.0000000004230000.00000040.00001000.00020000.00000000.sdmp, Offset: 04230000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4230000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: Window$DefaultDesktopForegroundLangPopupUser
String ID: AslpFileGetHeaderAttributesPE failed [%x]$The specified storage reserve ID is invalid.
API String ID: 2508019835-289983430
Opcode ID: b80a9020bc89120df966210a8627f09fd4bb8c005f20882e2b91c155f0bb5730
Instruction ID: 1d986f2e36227611738194f8380f9d8f5699af55b01c807cd92661d0059e7fe1
Opcode Fuzzy Hash: b80a9020bc89120df966210a8627f09fd4bb8c005f20882e2b91c155f0bb5730
Instruction Fuzzy Hash: 4821A3B0B103419FEB19EF78E48C66977E5E788394F1548A9D956C7291E33DE984CB00

Function 0015D450 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 185COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.KERNELBASE(?,?,?,00000002,00000000), ref: 0015D4B2
GetFileVersionInfoW.KERNELBASE(?,00000000,?,00000000,?,?,?,00000000), ref: 0015D541
VerQueryValueW.VERSION(00000000,\VarFileInfo\Translation,?,00000000,?,?,?,00000000), ref: 0015D555
VerQueryValueW.VERSION(00000000,?,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 0015D5DC

Strings

\StringFileInfo\%04x%04x\ProductVersion, xrefs: 0015D56A
\VarFileInfo\Translation, xrefs: 0015D54F

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: FileInfoQueryValueVersion$Size
String ID: \StringFileInfo\%04x%04x\ProductVersion$\VarFileInfo\Translation
API String ID: 2099394744-1825429935
Opcode ID: a6d193a2013b3bed0a13b53444b32b3f71b915455368ec679cff9da3c9154879
Instruction ID: 417c7d5e08f03a628131215b8fbe4fb9ec204dd49950a64140599e076edc3ff4
Opcode Fuzzy Hash: a6d193a2013b3bed0a13b53444b32b3f71b915455368ec679cff9da3c9154879
Instruction Fuzzy Hash: 7A6168B1D00209EFDB14DFA8D884BAEBBF5FF48304F10452AE429E7641E775AA45CB90

Function 04231065 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 102processCOMMON

Download Yara Rule

APIs

Part of subcall function 04231000: NtAlpcCreateSectionView.NTDLL(00000000,?,?,?,?,?,?,?,?,?,0423B8C7), ref: 04231052

Part of subcall function 042413D4: GetCurrentThreadId.KERNEL32 ref: 042413F1
Part of subcall function 042413D4: GetDesktopWindow.USER32 ref: 0424141F
Part of subcall function 042413D4: GetParent.USER32 ref: 04241483
Part of subcall function 042413D4: SetLastError.KERNEL32 ref: 042414E9

CreateToolhelp32Snapshot.KERNEL32 ref: 04231212

Part of subcall function 0423EB18: GetMessageTime.USER32 ref: 0423EB42
Part of subcall function 0423EB18: GetForegroundWindow.USER32 ref: 0423EB57
Part of subcall function 0423EB18: lstrlenW.KERNEL32 ref: 0423EC17

Strings

A primary pack is already present., xrefs: 04231127, 0423112F
Windows.Core, xrefs: 0423111F, 0423113D
No leaks detected., xrefs: 04231117
An ACPI Power Object failed to transition state, xrefs: 04231151, 04231159, 042311B5
No buffer is bound to composition surface, xrefs: 042311AD

Memory Dump Source

Source File: 00000000.00000002.1699427684.0000000004230000.00000040.00001000.00020000.00000000.sdmp, Offset: 04230000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4230000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: CreateWindow$AlpcCurrentDesktopErrorForegroundLastMessageParentSectionSnapshotThreadTimeToolhelp32Viewlstrlen
String ID: A primary pack is already present.$An ACPI Power Object failed to transition state$No buffer is bound to composition surface$No leaks detected.$Windows.Core
API String ID: 1494823140-4035815744
Opcode ID: f1ca121b3b13e1bce272fbca2f993fccd5d27274ca225465d4173d8de17ec2e2
Instruction ID: 5e2cb2e297b97791e597f007bf0f030e4d10c63a6c25c67bbe20a76baee6ef0d
Opcode Fuzzy Hash: f1ca121b3b13e1bce272fbca2f993fccd5d27274ca225465d4173d8de17ec2e2
Instruction Fuzzy Hash: 373125F17342509AE720BB74EE0573A77F4EB803DBF148414E889D6108E778F8248B62

Function 0423C4B4 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 0423C4D6
GetLastActivePopup.USER32 ref: 0423C501
GetLastActivePopup.USER32 ref: 0423C565

Strings

;, xrefs: 0423C4C8
H, xrefs: 0423C52B
;, xrefs: 0423C4C1

Memory Dump Source

Source File: 00000000.00000002.1699427684.0000000004230000.00000040.00001000.00020000.00000000.sdmp, Offset: 04230000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4230000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: Last$ActivePopup$Error
String ID: ;$;$H
API String ID: 1952306238-2656199830
Opcode ID: 0bf5ede4d49d5f49f97282ea169d529b0f31ba8fccf77ec397c9605a1ddd8f25
Instruction ID: aafb86ca9e34166931b2c544cf8646ad7079151583bcf9218a2f80460210baaf
Opcode Fuzzy Hash: 0bf5ede4d49d5f49f97282ea169d529b0f31ba8fccf77ec397c9605a1ddd8f25
Instruction Fuzzy Hash: 0B31A2B5F103159FCB01DFADF48825EBBB8FB88354F018529E855EB240EB385900CB80

Function 0014FA50 Relevance: 10.5, APIs: 7, Instructions: 48COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 0014FA5D
SetWindowPos.USER32(?,00000001,?,?,00000000,00000000,00000211,?,?,?,?,?,0014F786), ref: 0014FA89
IsZoomed.USER32 ref: 0014FA91
EnableWindow.USER32(?,00000000), ref: 0014FAA1
ShowWindow.USER32(?,00000000,?,?,?,?,?,?,0014F786), ref: 0014FAAC
EnableWindow.USER32(?,00000001), ref: 0014FABA
ShowWindow.USER32(?,?,?,?,?,?,?,?,0014F786), ref: 0014FACF

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: Window$EnableShow$ClientRectZoomed
String ID:
API String ID: 989374080-0
Opcode ID: 23fe34988886a949d3f917bcef50609705ab3134d088ed0a68d21e60ff2a3b5d
Instruction ID: 0c05cc73bf19958cfb44f5ce9bdc021b3c005168b6685a4161fe7ab4eab66f16
Opcode Fuzzy Hash: 23fe34988886a949d3f917bcef50609705ab3134d088ed0a68d21e60ff2a3b5d
Instruction Fuzzy Hash: BE016D31140700AFE720AF28ED89FA67BE5FF44701F804918F983915A2D771E8508B00

Function 001D35F0 Relevance: 9.1, APIs: 6, Instructions: 62threadCOMMON

Download Yara Rule

APIs

#410.COMCTL32(?,001D4530,000004D2,0022B0B0,?,00000000,?), ref: 001D362E
#412.COMCTL32(?,001D4530,000004D2,?,00000000,?), ref: 001D3641
EnumChildWindows.USER32(?,001D36C0), ref: 001D364E
GetCurrentThreadId.KERNEL32 ref: 001D365A
EnumThreadWindows.USER32(00000000), ref: 001D3661
RedrawWindow.USER32(?,00000000,00000000,00000587,?,?,?,00000000,?), ref: 001D3671

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: EnumThreadWindows$#410#412ChildCurrentRedrawWindow
String ID:
API String ID: 1422472111-0
Opcode ID: 50580199027c328dd14afd52a79cf2ebfbf2809e4ef57bd21aae33c3f54802c6
Instruction ID: 466a8fefcdaf76976ce64c1078da934b091f536231362345c0d87fb7165e519e
Opcode Fuzzy Hash: 50580199027c328dd14afd52a79cf2ebfbf2809e4ef57bd21aae33c3f54802c6
Instruction Fuzzy Hash: 3B117371249350BBD211AF55BC0DF9B7BA8AF95B00F04400AF591A63A2D7B4D70ACB7B

Function 0423AE58 Relevance: 7.6, APIs: 5, Instructions: 69threadCOMMON

Download Yara Rule

APIs

Part of subcall function 04240008: GetCurrentThreadId.KERNEL32 ref: 04240064
Part of subcall function 04240008: GetLastError.KERNEL32(?,00000000,?,0423AE8A), ref: 0424007E
Part of subcall function 04240008: GetLastActivePopup.USER32 ref: 042400F6
Part of subcall function 04240008: GetModuleHandleW.KERNELBASE(00000000,?,0423AE8A), ref: 04240134
Part of subcall function 04240008: GetLargePageMinimum.KERNEL32(?,?,0423AE8A), ref: 04240177

GetThreadUILanguage.KERNEL32 ref: 0423AE8A
GetDialogBaseUnits.USER32 ref: 0423AEA5

Part of subcall function 0423FC94: AnyPopup.USER32 ref: 0423FCEE
Part of subcall function 0423FC94: GetSystemDefaultLangID.KERNEL32(?,0423AEB0), ref: 0423FD25
Part of subcall function 0423FC94: GetTopWindow.USER32 ref: 0423FD53

GetLastActivePopup.USER32 ref: 0423AF0C
GetDesktopWindow.USER32 ref: 0423AF1D
GetOEMCP.KERNEL32 ref: 0423AF23

Memory Dump Source

Source File: 00000000.00000002.1699427684.0000000004230000.00000040.00001000.00020000.00000000.sdmp, Offset: 04230000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4230000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: LastPopup$ActiveThreadWindow$BaseCurrentDefaultDesktopDialogErrorHandleLangLanguageLargeMinimumModulePageSystemUnits
String ID:
API String ID: 1843500158-0
Opcode ID: b7431450158faf57664d54bc19ff348140b119626532179cbc7b01bbd6154b81
Instruction ID: 777acc063f25def0195725155cc74307c3ae0a26699793f5c02e9d5f6f8ea35a
Opcode Fuzzy Hash: b7431450158faf57664d54bc19ff348140b119626532179cbc7b01bbd6154b81
Instruction Fuzzy Hash: ED217CB1BA13048BDB209F6CF58C6597BB9EB84352F058536EC4987280E379E944CF91

Function 0014BDA0 Relevance: 7.5, APIs: 5, Instructions: 41COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 0014BDAB
KiUserCallbackDispatcher.NTDLL(00000000,?), ref: 0014BDCB

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: CallbackDispatcherItemUser
String ID:
API String ID: 4250310104-0
Opcode ID: a4e482449966995363a90bf5ee6830e3adfd8661004f5ddc6c01ab0850ca5ea8
Instruction ID: f15337eca6ab8bda53d2166dbe1d2986290ab4ea4fbab7daf088cba22d30d7d3
Opcode Fuzzy Hash: a4e482449966995363a90bf5ee6830e3adfd8661004f5ddc6c01ab0850ca5ea8
Instruction Fuzzy Hash: EDF0F6322482206BD7215B65BC4DBDE7B54BF91721F01C855F881991A2C710C8D79650

Function 042423AC Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 153COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 04242432
GetLastActivePopup.USER32 ref: 04242562
GetDialogBaseUnits.USER32 ref: 04242581

Strings

The system does not support fault tolerant volumes., xrefs: 042424A4

Memory Dump Source

Source File: 00000000.00000002.1699427684.0000000004230000.00000040.00001000.00020000.00000000.sdmp, Offset: 04230000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4230000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: ActiveBaseDialogForegroundLastPopupUnitsWindow
String ID: The system does not support fault tolerant volumes.
API String ID: 3505280388-4025416350
Opcode ID: cc6d2e1810e2dafcfecf2c96dad37dd87bef492f0cac1fae5a5873ebe618d4c7
Instruction ID: 0ff3c797a54b4eb1c9167bc3a2b555e4771b25ee38e839784490219f74bb076f
Opcode Fuzzy Hash: cc6d2e1810e2dafcfecf2c96dad37dd87bef492f0cac1fae5a5873ebe618d4c7
Instruction Fuzzy Hash: 6A51DE71B60352DBD31DCF2DF4982A9BBE9E7C5360F1980BAA8458B344D63D9C85CB90

Function 04236E98 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 102COMMON

Download Yara Rule

APIs

GetLastActivePopup.USER32 ref: 04236ED9

Strings

Failed to allocate process history buffer, xrefs: 04236EC6
dBG5xOZ9SrUbniavLIPRLiUBop3jpwxLm0b09L8W9yJBZxL8klaODa2zWo78Xyd+XEVXQlKy2nWCFNHyHMODh69lI+2/2WnD5oSli6kx/aEi5sa9lspGSc2d/CdOozkWnCDHvMkFBW77dNXssfJuPEb0LKdNRvkqfUTL2d41uwxNQKxjtUVVDJ3UiwGgHYLgq4+ecro3l0xEhxTFrdahDQeTsAmQp72aEEx8qYKCdU854Kvtg5eAKjOxBrH5fFulettx, xrefs: 04237021
CLiP license hardware ID is out of tolerance., xrefs: 04236FCF

Memory Dump Source

Source File: 00000000.00000002.1699427684.0000000004230000.00000040.00001000.00020000.00000000.sdmp, Offset: 04230000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4230000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: ActiveLastPopup
String ID: CLiP license hardware ID is out of tolerance.$Failed to allocate process history buffer$dBG5xOZ9SrUbniavLIPRLiUBop3jpwxLm0b09L8W9yJBZxL8klaODa2zWo78Xyd+XEVXQlKy2nWCFNHyHMODh69lI+2/2WnD5oSli6kx/aEi5sa9lspGSc2d/CdOozkWnCDHvMkFBW77dNXssfJuPEb0LKdNRvkqfUTL2d41uwxNQKxjtUVVDJ3UiwGgHYLgq4+ecro3l0xEhxTFrdahDQeTsAmQp72aEEx8qYKCdU854Kvtg5eAKjOxBrH5fFulettx
API String ID: 3737024409-446137809
Opcode ID: 16695e7bc31d99c61c080fc11b7943b9ada4c94c49707f7ba595010493a4a816
Instruction ID: f0eb9c7ed955cb2e5a7dd9477f26d2ea898fd42fc01caa4526efd37608e746be
Opcode Fuzzy Hash: 16695e7bc31d99c61c080fc11b7943b9ada4c94c49707f7ba595010493a4a816
Instruction Fuzzy Hash: 62418C7171829C8EDB158E7DA8853EABFB6AB91300F4580FDD8CE97241C5B94D48CFA1

Function 0423EB18 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 91stringwindowtimeCOMMON

Download Yara Rule

APIs

GetMessageTime.USER32 ref: 0423EB42
GetForegroundWindow.USER32 ref: 0423EB57
lstrlenW.KERNEL32 ref: 0423EC17

Strings

CLR version string null or too long, xrefs: 0423EC10

Memory Dump Source

Source File: 00000000.00000002.1699427684.0000000004230000.00000040.00001000.00020000.00000000.sdmp, Offset: 04230000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4230000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: ForegroundMessageTimeWindowlstrlen
String ID: CLR version string null or too long
API String ID: 2918359910-2602880372
Opcode ID: 07aacf4fe72e8162a808d05d8c9eb25460d47905448f0292a0d98b0d646dc462
Instruction ID: c20ae554da3f0f8beb708b5dce433c685d657b5a1505c83698665836b7a49601
Opcode Fuzzy Hash: 07aacf4fe72e8162a808d05d8c9eb25460d47905448f0292a0d98b0d646dc462
Instruction Fuzzy Hash: AF3169B5B603428ECB15CF2CF8886697FB9F799382F0544AAD466CB640D338A908CB51

Function 042397A0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 81COMMON

Download Yara Rule

APIs

GetShellWindow.USER32 ref: 04239852

Strings

The RPC protocol sequence was not found., xrefs: 042397BE, 0423986C
An error occurred during an access to Region Space, xrefs: 042397A1
Failed to construct full key path, xrefs: 04239800, 04239836

Memory Dump Source

Source File: 00000000.00000002.1699427684.0000000004230000.00000040.00001000.00020000.00000000.sdmp, Offset: 04230000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4230000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: ShellWindow
String ID: An error occurred during an access to Region Space$Failed to construct full key path$The RPC protocol sequence was not found.
API String ID: 2831631499-4078023678
Opcode ID: c0f995e17791de0984bad71171252a5b0f2f7dd6bc428d5e51be524b74f48302
Instruction ID: 07edb2654bebfd8e2ffb62ffb7c0b5a500e27f6729ad3ad25e708b257558af16
Opcode Fuzzy Hash: c0f995e17791de0984bad71171252a5b0f2f7dd6bc428d5e51be524b74f48302
Instruction Fuzzy Hash: DA3176B5B643028BD300DF7DF84922ABBE9E7D4284F44886ACC468B349E67DE941CF51

Function 042430B4 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 34threadCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,00001DA0,?,042398B5), ref: 042430BC
GetSystemDefaultLangID.KERNEL32(?,00001DA0,?,042398B5), ref: 042430ED
GetThreadUILanguage.KERNEL32(?,00001DA0,?,042398B5), ref: 04243115

Strings

An attempt was made to open an Anonymous level token., xrefs: 042430C2

Memory Dump Source

Source File: 00000000.00000002.1699427684.0000000004230000.00000040.00001000.00020000.00000000.sdmp, Offset: 04230000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4230000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: DefaultForegroundLangLanguageSystemThreadWindow
String ID: An attempt was made to open an Anonymous level token.
API String ID: 3065435761-254260388
Opcode ID: 0c12d9f4358372aa09bd2edd618cdb9fec322cdee8dd160e41c54ff9381db262
Instruction ID: b33cd6900edc34a37c783adf565f307e3a17af53fc5e48e01fcacca2341a8271
Opcode Fuzzy Hash: 0c12d9f4358372aa09bd2edd618cdb9fec322cdee8dd160e41c54ff9381db262
Instruction Fuzzy Hash: 0FF0B4717243019BD7289F28E88D26A76A8EB883A0F55857AE906DB680E779DC848650

Function 0015F0E0 Relevance: 6.1, APIs: 4, Instructions: 121registryCOMMON

Download Yara Rule

APIs

GetTickCount64.KERNEL32 ref: 0015F117
RegOpenKeyExW.KERNELBASE(0015D9A0,00212530,00000000,0015D990,00000000,00000000,00000000,?,0020313D,000000FF,?), ref: 0015F1BB
RegCloseKey.ADVAPI32(00000000), ref: 0015F20E
GetTickCount64.KERNEL32 ref: 0015F223

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: Count64Tick$CloseOpen
String ID:
API String ID: 4020578057-0
Opcode ID: d77d7dedc9f327cc8562c035039a93874a46a471b4e1c7486e43c0cc8b269921
Instruction ID: ebdffe384ee2f534c803d98a3d53d293f736c3a996e3b876fa1736db435786e6
Opcode Fuzzy Hash: d77d7dedc9f327cc8562c035039a93874a46a471b4e1c7486e43c0cc8b269921
Instruction Fuzzy Hash: FF41BF75900B44DFDB24CF64D8C8BAABBFAFB44315F04092ED8A297651D771A849CB50

Function 00158A90 Relevance: 6.0, APIs: 4, Instructions: 32threadwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00158D80: GetWindowTextLengthW.USER32(?), ref: 00158DA5
Part of subcall function 00158D80: GetWindowTextW.USER32(?,00000000,00000001), ref: 00158E0A

EnumChildWindows.USER32(?,Function_00048D80), ref: 00158AAB
GetCurrentThreadId.KERNEL32 ref: 00158AB7
EnumThreadWindows.USER32(00000000), ref: 00158ABE
GetSystemMenu.USER32(?,00000000,?,?,?), ref: 00158AC7

Part of subcall function 00158AF0: GetMenuItemCount.USER32(?), ref: 00158B1A
Part of subcall function 00158AF0: GetMenuItemInfoW.USER32(?,00000000,00000400,?), ref: 00158B9B
Part of subcall function 00158AF0: GetMenuItemInfoW.USER32(?,00000000,00000400,00000030), ref: 00158C0D

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: Menu$Item$EnumInfoTextThreadWindowWindows$ChildCountCurrentLengthSystem
String ID:
API String ID: 886740550-0
Opcode ID: e90dd77e5682039a75d00da7b924ca9ab5fefd3854f3d71cb1ee08dcf178da6b
Instruction ID: 5761e42a31a2b801207528e3f0556665216e54f73fa719ed0cfb8638121c6504
Opcode Fuzzy Hash: e90dd77e5682039a75d00da7b924ca9ab5fefd3854f3d71cb1ee08dcf178da6b
Instruction Fuzzy Hash: 6BE0E532211210B7C61027A96C0DE9F36AD9BA6712B08011AF922E60D2DFA0590586B9

Function 001D3000 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 001D5490: SystemParametersInfoW.USER32(00000042,0000000C,0000000C,00000000), ref: 001D54CE
Part of subcall function 001D5490: GetSysColor.USER32(00000008), ref: 001D54EE
Part of subcall function 001D5490: GetSysColor.USER32(00000005), ref: 001D5507

GetTickCount64.KERNEL32 ref: 001D304C

Strings

darkmode, xrefs: 001D3024
global, xrefs: 001D3029

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: Color$Count64InfoParametersSystemTick
String ID: darkmode$global
API String ID: 3447872873-3442901483
Opcode ID: d213ea90466768656fa8023e04b586d17ba5c5064f24420532c009de00bb4679
Instruction ID: 4bf680f8dea9983bd045285765b064535d4ba7c5b7ee6b6c1b4bbddc0db61422
Opcode Fuzzy Hash: d213ea90466768656fa8023e04b586d17ba5c5064f24420532c009de00bb4679
Instruction Fuzzy Hash: EE315A31300642AAEB2DE734D84A778F399BF00315F18821BF07482390DFA5E9A5C3A3

Function 042418F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,0423B77C), ref: 04241958
GetShellWindow.USER32 ref: 042419D4

Strings

Network interface aborted the request., xrefs: 042418F5, 0424195E, 04241974, 042419DF

Memory Dump Source

Source File: 00000000.00000002.1699427684.0000000004230000.00000040.00001000.00020000.00000000.sdmp, Offset: 04230000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4230000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: Window$ForegroundShell
String ID: Network interface aborted the request.
API String ID: 3950612657-3432463622
Opcode ID: 17f784a33bb4e0b5fe0d9073f729ddd37f966220dc6cc89c44c60efdc5bce700
Instruction ID: aa698adb7cea70ccbea2359f95b775389982e356f5295ca5128d42740b5f4566
Opcode Fuzzy Hash: 17f784a33bb4e0b5fe0d9073f729ddd37f966220dc6cc89c44c60efdc5bce700
Instruction Fuzzy Hash: 7331F175B703428FE30ACF7DF54C2627BEAE3C5390B1484A7DC41CB248E27898918B54

Function 0016E810 Relevance: 4.5, APIs: 3, Instructions: 46registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,0022BC98,00000000,00000000,00000000), ref: 0016E848
RegCloseKey.ADVAPI32(00000000), ref: 0016E881
GetTickCount64.KERNEL32 ref: 0016E88E

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: CloseCount64OpenTick
String ID:
API String ID: 2982736543-0
Opcode ID: 278f8522eff461a0fb862b84b1a4a544f46b1dc61f310cb5d7a8a28f746bda8b
Instruction ID: c71da87b26acc23527471f53e683dfa4696519088ee5c033f01c0dcbd11bbb30
Opcode Fuzzy Hash: 278f8522eff461a0fb862b84b1a4a544f46b1dc61f310cb5d7a8a28f746bda8b
Instruction Fuzzy Hash: 1711D274404B51AFD724CF28D988B57BBF5FB44704F00891EE88A87A61E372E888CB61

Function 001EC7FF Relevance: 4.5, APIs: 3, Instructions: 15COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,001EC7F9,00000101,001DEA52,?,?,0B9FDD92,001DEA52,?), ref: 001EC810
TerminateProcess.KERNEL32(00000000,?,001EC7F9,00000101,001DEA52,?,?,0B9FDD92,001DEA52,?), ref: 001EC817
ExitProcess.KERNEL32 ref: 001EC829

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: c6054b57fdeb3088b4a5b15995c4684ea9b9fbc5a87adebf1b8aacf41193a9f0
Instruction ID: cfd432b2ac8b0d509daf02506fb8dffef4896187dfb026047a4449ca4dc97b64
Opcode Fuzzy Hash: c6054b57fdeb3088b4a5b15995c4684ea9b9fbc5a87adebf1b8aacf41193a9f0
Instruction Fuzzy Hash: D6D09232000689BFCF152F66FE1DE9D7F6ABF48381B444024BA0A4A033DB319992DAC0

Function 0423B8BC Relevance: 1.7, APIs: 1, Instructions: 170COMMON

Download Yara Rule

APIs

Part of subcall function 042365D8: GetTopWindow.USER32 ref: 042366A6
Part of subcall function 042365D8: GetOEMCP.KERNEL32(?,?,?,?,?,?,?,?,0423B8C7), ref: 042366BC

GetUserDefaultLangID.KERNEL32(?,?,?,0423BD26), ref: 0423BA2A

Memory Dump Source

Source File: 00000000.00000002.1699427684.0000000004230000.00000040.00001000.00020000.00000000.sdmp, Offset: 04230000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4230000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: DefaultLangUserWindow
String ID:
API String ID: 2546096385-0
Opcode ID: b9503a027d2f1a9661d754ca25fec4e059baac70393d01d2262087f0388b6bb1
Instruction ID: eff4b5ab15ace41b98a4008adb1ab3b6a6d0723c59d4eedc60ef2b795136f1a1
Opcode Fuzzy Hash: b9503a027d2f1a9661d754ca25fec4e059baac70393d01d2262087f0388b6bb1
Instruction Fuzzy Hash: 3971F6F8B15701CFD714EF69E584519BBF5FF98206B0298AAE884DB312E734E8408F52

Function 0014A730 Relevance: 1.6, APIs: 1, Instructions: 123comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00209710,00000000,00000001,00209750,?), ref: 0014A782

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: 90037484e14388b147120e40844946ee7756e2e2aa887c0e763402802e84486f
Instruction ID: 5554c364b094b965b75bb35685de287117cb4c0f42cf8b5df937a73ebf59d628
Opcode Fuzzy Hash: 90037484e14388b147120e40844946ee7756e2e2aa887c0e763402802e84486f
Instruction Fuzzy Hash: 47419AB0650705AFDB24CF59C884B9ABBB8FF09B11F10416DF506CB6A0C7B2E850CBA1

Function 001F2656 Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,?,?,001F18B4,00000001,00000364,?,00000006,000000FF,?,?,001E01C7,001F26F6), ref: 001F2697

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: a491f7cb25c54f63dbff99f7ce370d947f94f69ca381db9d8fa84c31a40b0eb1
Instruction ID: dfa58ebb63c959f2a7c1a3006d322d02f260dcd94d07fa4fc4a9e9fc0315b214
Opcode Fuzzy Hash: a491f7cb25c54f63dbff99f7ce370d947f94f69ca381db9d8fa84c31a40b0eb1
Instruction Fuzzy Hash: ADF0E93120162D67DB359B63EC05BBA7B48AF50770B198111FE04EA190DF70DD008AE4

Function 042407B0 Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,00000000,?,0423745D), ref: 042407BB

Memory Dump Source

Source File: 00000000.00000002.1699427684.0000000004230000.00000040.00001000.00020000.00000000.sdmp, Offset: 04230000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4230000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: 54ddf7670dc73ec2f7d40376dc7414a544f6309bf11a6581fd2237bf08970fe6
Instruction ID: a2c31fb7f925ef2e5485389ca0ec12303d19c5960df8a1d643a4c834e1b3a2b3
Opcode Fuzzy Hash: 54ddf7670dc73ec2f7d40376dc7414a544f6309bf11a6581fd2237bf08970fe6
Instruction Fuzzy Hash: 2EF0E96D736007CB9B242F6DD840597F346D7816523848193EE554F708F56068C3DF9B

Function 001F26B3 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,001D8961,?,?,00149DB0,00000024,?,?,0020359F,000000FF), ref: 001F26E5

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 7ae935a2cdd739bf04fa0a4d45bd3d744824ef3a1d4125050ca6ca7645c8691c
Instruction ID: 8caf36ed79771288165b67ab5f92cc154a11a8f577b98d02cdc001dc1726f582
Opcode Fuzzy Hash: 7ae935a2cdd739bf04fa0a4d45bd3d744824ef3a1d4125050ca6ca7645c8691c
Instruction Fuzzy Hash: EAE0ED3120262D6BDF312666AC04F7A3A48AB513F0FA50160FE45E61E1EFB0CC8295A1

Function 042398F4 Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

GetSystemDefaultLangID.KERNEL32 ref: 0423991C

Memory Dump Source

Source File: 00000000.00000002.1699427684.0000000004230000.00000040.00001000.00020000.00000000.sdmp, Offset: 04230000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4230000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: DefaultLangSystem
String ID:
API String ID: 706401283-0
Opcode ID: 0a3509bb6899e1f03f25945b6a36572ecdfacb5bb596f2b14bc1d60f7451c723
Instruction ID: 1d8e2267158d5a698ec5a75b7ab63406d8fd14d4679c49048c07c1e0e001a740
Opcode Fuzzy Hash: 0a3509bb6899e1f03f25945b6a36572ecdfacb5bb596f2b14bc1d60f7451c723
Instruction Fuzzy Hash: 46F01DF4B743054ABB15BBBCA85D11839BCEBC510AF10C955C04686150DA3CE8049F62

Function 0423B88C Relevance: 1.5, APIs: 1, Instructions: 17memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL ref: 0423B8B0

Memory Dump Source

Source File: 00000000.00000002.1699427684.0000000004230000.00000040.00001000.00020000.00000000.sdmp, Offset: 04230000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4230000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: e3c979a874c9ceac2972bdb9616bc18b104cdb5447bc6442f833e6fbd23fe710
Instruction ID: 476c50c3bf6470bdb1cb0f74017879ccc35be37aa4204f4ced761e8b4da26335
Opcode Fuzzy Hash: e3c979a874c9ceac2972bdb9616bc18b104cdb5447bc6442f833e6fbd23fe710
Instruction Fuzzy Hash: ADE0EC78A047059FC308EF29D18581AFBF2FFC8240B51C6A9DC844B31AD634E8959BD1

Function 0423B85C Relevance: 1.5, APIs: 1, Instructions: 15memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,?,?,?,?,0423BF0B), ref: 0423B882

Memory Dump Source

Source File: 00000000.00000002.1699427684.0000000004230000.00000040.00001000.00020000.00000000.sdmp, Offset: 04230000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4230000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: eaaa8d537e1a4e349e3c349d65f003a4f228d042062122b148dfb89f11ac089c
Instruction ID: e0a1dcffa17dd6c4998bc2eeed39052ce499764aed6638db8ca6fdd437afddae
Opcode Fuzzy Hash: eaaa8d537e1a4e349e3c349d65f003a4f228d042062122b148dfb89f11ac089c
Instruction Fuzzy Hash: CAE0BD786042019FC308EF28D18990ABBE1BB88214F51C698D8889B35AD674E8998BC2

Non-executed Functions

Function 0019E3E0 Relevance: 88.6, APIs: 22, Strings: 27, Instructions: 2836filetimesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00189860: QueryPerformanceCounter.KERNEL32(?,00000000,?,00000000,?,?,0019E845,00000000), ref: 001898A1

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0019E8FF

Part of subcall function 001A5070: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000040,00000000,00000000), ref: 001A5148

CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,.bak,00000004), ref: 0019FA46
GetLastError.KERNEL32 ref: 0019FA79
CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000000,00000000), ref: 0019FAE8
GetFileTime.KERNEL32(00000000,00000000,00000000,00000000), ref: 0019FB08
GetFileAttributesW.KERNEL32(?), ref: 0019FB2A
SetFileAttributesW.KERNEL32(?,00000000), ref: 0019FB4B
SetFileAttributesW.KERNEL32(?,00000000), ref: 0019FB78
CreateFileW.KERNEL32(?,40000000,00000007,00000000,00000003,00000000,00000000), ref: 0019FBAF
SetFileTime.KERNEL32(00000000,00000000,00000000,00000000), ref: 0019FBCE
CloseHandle.KERNEL32(00000000,00000000), ref: 0019FBDB
Sleep.KERNEL32(00000032), ref: 0019FBEA

Strings

${filepath}, xrefs: 0019E43F, 0019F330
Hn!, xrefs: 0019E655
${filename}, xrefs: 0019E4BE, 0019F4F5
4n!, xrefs: 0019E5F1
p1!, xrefs: 0019E5DD
,n!, xrefs: 0019E58D
P#!, xrefs: 0019E57D
nullbytes, xrefs: 0019E860
${fileext}, xrefs: 0019E51D, 0019F600
.bak, xrefs: 0019F7F7, 001A0482
Dn!, xrefs: 0019E641
${fileext}, xrefs: 001A0705
k!, xrefs: 0019E70D
settings, xrefs: 0019E865
Software\grepWinNP3\nullbytes, xrefs: 0019E873
${filepath}, xrefs: 001A0605
@, xrefs: 001A08A8
X*!, xrefs: 0019E5C9
8n!, xrefs: 0019E605
${filename}, xrefs: 001A06B1
@n!, xrefs: 0019E62D
0n!, xrefs: 0019E5A1
.grepwinreplaced, xrefs: 001A085F
file load and parse: , xrefs: 0019E81B
\grepWinNP3_backup\, xrefs: 0019F83B, 001A04AD
j, xrefs: 001A0900
<n!, xrefs: 0019E619

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: File$Attributes$CreateTime$ByteCharCloseCopyCounterErrorHandleLastMultiPerformanceQuerySleepUnothrow_t@std@@@Wide__ehfuncinfo$??2@
String ID: ${fileext}$${fileext}$${filename}$${filename}$${filepath}$${filepath}$,n!$.bak$.grepwinreplaced$0n!$4n!$8n!$<n!$@$@n!$Dn!$Hn!$P#!$Software\grepWinNP3\nullbytes$X*!$\grepWinNP3_backup\$file load and parse: $j$nullbytes$p1!$settings$k!
API String ID: 3915558587-2099232132
Opcode ID: 1bbe2efc947891fdd976d7267dfa71f277714ed07fbdb8bdecb7f90bff8be1ca
Instruction ID: 3faf5d2981160abfae612309be1533f24f39bad8a331c1a579da19bce41ec6ba
Opcode Fuzzy Hash: 1bbe2efc947891fdd976d7267dfa71f277714ed07fbdb8bdecb7f90bff8be1ca
Instruction Fuzzy Hash: 8C438C70D00218DFDF25DF64C895BEEBBB5AF15304F1441A9E41AA7292DB30AE89CF91

Function 00169960 Relevance: 61.0, APIs: 32, Strings: 2, Instructions: 1463COMMON

Download Yara Rule

APIs

GetCommandLineW.KERNEL32 ref: 00169994
CommandLineToArgvW.SHELL32(?,?,00000000,-00000002), ref: 00169A07
PathFileExistsW.SHLWAPI(?,00000000,?), ref: 00169B4B
PathFileExistsW.SHLWAPI(?), ref: 00169CA1
PathFileExistsW.SHLWAPI(?,00000000,?), ref: 00169D61
PathIsURLW.SHLWAPI(?,?), ref: 00169EF3
PathIsRelativeW.SHLWAPI(?), ref: 00169F0E
GetFullPathNameW.KERNEL32(?,00000000,00000000,00000000), ref: 00169F2F
GetFullPathNameW.KERNEL32(?,?,00000000,00000000), ref: 00169F8B
PathCanonicalizeW.SHLWAPI(?,?), ref: 0016A03A
GetLongPathNameW.KERNEL32(?,00000000,00000000), ref: 0016A053
GetLongPathNameW.KERNEL32(?,?,00000001), ref: 0016A0A8
GetShortPathNameW.KERNEL32(?,00000000,00000000), ref: 0016A0B8
GetLongPathNameW.KERNEL32(?,00000000,00000000), ref: 0016A11D
GetLongPathNameW.KERNEL32(?,00000000,?), ref: 0016A173
GetShortPathNameW.KERNEL32(00000000,00000000,00000000), ref: 0016A1FE
GetShortPathNameW.KERNEL32(00000000,?,?), ref: 0016A254
GetLongPathNameW.KERNEL32(?,00000000,?), ref: 0016A26D
PathIsURLW.SHLWAPI(?,?), ref: 0016A4D4
PathIsRelativeW.SHLWAPI(?), ref: 0016A4EF
GetFullPathNameW.KERNEL32(?,00000000,00000000,00000000), ref: 0016A510
GetFullPathNameW.KERNEL32(?,?,00000000,00000000), ref: 0016A56F
PathCanonicalizeW.SHLWAPI(?,?), ref: 0016A5F7
GetLongPathNameW.KERNEL32(?,00000000,00000000), ref: 0016A610
GetLongPathNameW.KERNEL32(?,?,00000001), ref: 0016A668
GetShortPathNameW.KERNEL32(?,00000000,00000000), ref: 0016A678
GetLongPathNameW.KERNEL32(?,00000000,00000000), ref: 0016A6E0
GetLongPathNameW.KERNEL32(?,00000000,?), ref: 0016A739
GetShortPathNameW.KERNEL32(00000000,00000000,00000000), ref: 0016A7C4
GetShortPathNameW.KERNEL32(00000000,?,?), ref: 0016A81D
GetLongPathNameW.KERNEL32(?,00000000,?), ref: 0016A836
LocalFree.KERNEL32(?), ref: 0016AA1F

Strings

", xrefs: 0016AB2A, 0016ABAC
T*!, xrefs: 00169E3F

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: Path$Name$Long$Short$Full$ExistsFile$CanonicalizeCommandLineRelative$ArgvFreeLocal
String ID: "$T*!
API String ID: 2970764310-1916945117
Opcode ID: 9ac5ca194b11371cdc7bddd312de6348355b2cd52da855f7669d4e375a11247f
Instruction ID: b1f744d32255673ef246260799c338fc294901051e2c10fed2bc8658171a9e15
Opcode Fuzzy Hash: 9ac5ca194b11371cdc7bddd312de6348355b2cd52da855f7669d4e375a11247f
Instruction Fuzzy Hash: 0ED217B1D012189FDB24DFA8DC85BEEBBF4BF18304F1441AAE409A7291E7749A85CF51

Function 0019C1C0 Relevance: 55.9, APIs: 24, Strings: 7, Instructions: 1671windowCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,SearchThread,0000000C), ref: 0019C22B

Part of subcall function 001D7690: GetNativeSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,0019C26D), ref: 001D769A

GetTickCount64.KERNEL32 ref: 0019C330

Part of subcall function 001A5070: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000040,00000000,00000000), ref: 001A5148

Part of subcall function 001D7705: WakeConditionVariable.KERNEL32(0018C02E,?,0018C032,0022B1A0), ref: 001D770F

SendMessageW.USER32(?,00008002,00000000,00000000), ref: 0019C8D6
PathIsDirectoryW.SHLWAPI(?), ref: 0019CAF3

Strings

SearchThread, xrefs: 0019C1F3
\x00, xrefs: 0019C96A
\/ , xrefs: 0019C63C
global, xrefs: 0019C288
, xrefs: 0019D571
MaxNumOfWorker, xrefs: 0019C283
Software\grepWinNP3\MaxNumOfWorker, xrefs: 0019C29E

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: ByteCharConditionCount64CounterDirectoryInfoMessageMultiNativePathPerformanceQuerySendSystemTickVariableWakeWide
String ID: $MaxNumOfWorker$SearchThread$Software\grepWinNP3\MaxNumOfWorker$\/ $\x00$global
API String ID: 3804574865-1410697583
Opcode ID: 74947cd3d6e21c62f3edeb412ee79a85213b41eede2b78bacce7cbe60a391329
Instruction ID: 823c94a722791c0f225fab1d65413da3ecdd26d19c3f95c4c5310350541435f4
Opcode Fuzzy Hash: 74947cd3d6e21c62f3edeb412ee79a85213b41eede2b78bacce7cbe60a391329
Instruction Fuzzy Hash: BCF24870D00258DFDF24DFA8D884BEDBBB1BF15304F1445A9E49AA7291E730AA85CF91

Function 00157170 Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 276windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,00000000,00000000,?,?,00000001), ref: 001571BF
CloseWindow.USER32(?), ref: 001571E0
DestroyWindow.USER32(?), ref: 001571E9
SendMessageW.USER32(?,0000044B,00000000,?), ref: 0015726C
LoadCursorW.USER32(00000000,00007F89), ref: 001572A9
SetCursor.USER32(00000000), ref: 001572B0
ShellExecuteW.SHELL32(00000020,open,?,00000000,00000000,0000000A), ref: 001572D3
EndDialog.USER32(?,?), ref: 0015736D
GetClientRect.USER32(?,?), ref: 0015739E
CreateWindowExW.USER32(00000000,RICHEDIT50W,00211ABC,50A0880C,00000000,00000000,?,?,?,00000000,?,00000000), ref: 001573D1
FindResourceW.KERNEL32(?,?,?), ref: 001573EE
LoadResource.KERNEL32(?,00000000), ref: 001573FE
LockResource.KERNEL32(00000000), ref: 00157409
SizeofResource.KERNEL32(?,00000000), ref: 00157415
SendMessageW.USER32(?,00000461,?,00000000), ref: 00157440
SetFocus.USER32(?), ref: 00157445
SendMessageW.USER32(?,000000B1,000000FF,00000000), ref: 00157457
SendMessageW.USER32(?,000000CF,00000001,00000000), ref: 00157465
SendMessageW.USER32(?,00000445,00000000,04000004), ref: 00157476

Strings

RICHEDIT50W, xrefs: 001573CA
open, xrefs: 001572CB

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: MessageSend$ResourceWindow$CursorLoad$ClientCloseCreateDestroyDialogExecuteFindFocusLockMoveRectShellSizeof
String ID: RICHEDIT50W$open
API String ID: 4190574625-2205014345
Opcode ID: be7809946bea2c1b8e59c5ecd5846f71c3bf3a1b7b20b0ef7390e31e29561e38
Instruction ID: 9b4d9a1f1fd7d3498b50b1a9c10b5381ebd03e5a607f13491670c8e1f7867ceb
Opcode Fuzzy Hash: be7809946bea2c1b8e59c5ecd5846f71c3bf3a1b7b20b0ef7390e31e29561e38
Instruction Fuzzy Hash: F5A1A171A04205EFDB24DFA4EC8ABAEBBB4FF08711F104519F916EA6D1D770A854CB50

Function 00196780 Relevance: 36.4, APIs: 24, Instructions: 363windowkeyboardCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F6), ref: 001967BE
GetKeyState.USER32(00000011), ref: 001967D1
GetKeyState.USER32(00000010), ref: 001967E0
GetKeyState.USER32(00000012), ref: 001967EF
GetFocus.USER32 ref: 0019681C
SendMessageW.USER32(00000000,0000100C,000000FF,00000002), ref: 00196834
SendMessageW.USER32(00000000,0000100C,00000000,00000002), ref: 00196876
GetFocus.USER32 ref: 00196898
SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 001968D5
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 001968E1
SendMessageW.USER32(?,0000102B,00000000,?), ref: 00196909
SendMessageW.USER32(?,0000000B,00000001,00000000), ref: 00196924
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00196934
GetFocus.USER32 ref: 00196958
SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 001969B1
SendMessageW.USER32(00000000,00001200,00000000,00000000), ref: 001969C0
SendMessageW.USER32(?,0000120B,00000000,-00000068), ref: 00196A17
SendMessageW.USER32(?,0000100C,000000FF,00000002), ref: 00196A54
SendMessageW.USER32(?,00001073,00000000,-00000074), ref: 00196A8E
SetFocus.USER32(00000000), ref: 00196B5E
IsDlgButtonChecked.USER32(?,00000423), ref: 00196BB0
SendMessageW.USER32(?,0000100C,000000FF,00000002), ref: 00196BC3
SendMessageW.USER32(?,0000100C,00000000,00000002), ref: 00196C23

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: MessageSend$Focus$State$ButtonCheckedItem
String ID:
API String ID: 2917284611-0
Opcode ID: 08ff2638a292382004518269e9641ad06145edb6360fe97786c818a92be4fa05
Instruction ID: d9a2ebadb81c0a73503f0afee835bd811cd77ecb530c714a4c24d471447c129d
Opcode Fuzzy Hash: 08ff2638a292382004518269e9641ad06145edb6360fe97786c818a92be4fa05
Instruction Fuzzy Hash: 18D1D171A00318AADF21DF64DC89FEDBBB4EB15750F100269F955BB2D2D7B05A81CB60

Function 001615F0 Relevance: 31.0, APIs: 15, Strings: 2, Instructions: 1248filesleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000014,?,?,?,?,?,?,?,?,?), ref: 001616D5
CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,08000000,00000000,?,?,?,?,?,?,?,?,?), ref: 001616EC
GetFileSizeEx.KERNEL32(?,?,00000001,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0016184A
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00161855
GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 001618B9
ReadFile.KERNEL32(?,00000000,?,?,00000000), ref: 00161920
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00161AFD
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00161B86
ReadFile.KERNEL32(?,00000000,?,?,00000000), ref: 00161C82
CloseHandle.KERNEL32(?), ref: 00161C91

Strings

\\?\UNC, xrefs: 00161695, 001616A3
\\?\, xrefs: 0016169E

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: CloseFileHandle$Read$CreateGlobalMemorySizeSleepStatus
String ID: \\?\$\\?\UNC
API String ID: 638801665-2523517826
Opcode ID: 4ff15de2c41cae4a49c3a5a3418a24e2f9d5277fb26cc189b6149d74dd9c3521
Instruction ID: b02821ef1ca3435cdf7296accd0f7f3feee666661b0bcd2986f2792d4d2755b4
Opcode Fuzzy Hash: 4ff15de2c41cae4a49c3a5a3418a24e2f9d5277fb26cc189b6149d74dd9c3521
Instruction Fuzzy Hash: DAA21071A00248AFDF24CF68CC81BAA77A5FF55300F19422AFC568B392D735D966CB91

Function 0423684C Relevance: 23.1, APIs: 5, Strings: 8, Instructions: 348threadCOMMON

Download Yara Rule

APIs

Part of subcall function 0423E3DC: GetLargePageMinimum.KERNEL32 ref: 0423E3EB
Part of subcall function 0423E3DC: GetParent.USER32 ref: 0423E44A
Part of subcall function 0423E3DC: GetParent.USER32 ref: 0423E4A1

GetParent.USER32 ref: 042368A1
SetLastError.KERNEL32(0000000B), ref: 04236AFF
GetParent.USER32 ref: 04236BF5
GetThreadUILanguage.KERNEL32 ref: 04236DC9
GetWindowTextLengthW.USER32(0000000B), ref: 04236E65

Part of subcall function 0423B88C: RtlFreeHeap.NTDLL ref: 0423B8B0

Strings

\, xrefs: 04236A03
The requested name already exists as a unique identifier., xrefs: 0423686B, 04236C69
Y, xrefs: 04236B9A
WER/CrashAPI:%u: ERROR Unable to create the m_hAliveEvent event, xrefs: 04236972, 04236C59, 04236C7A
Getting the shim engine exports failed with status 0x%08lx, xrefs: 0423688E
Floating-point stack check., xrefs: 04236863, 04236B06, 04236D4D
The Global system lock could not be acquired, xrefs: 0423695D, 04236965, 04236B0E, 04236C61, 04236D55
`, xrefs: 04236BA4

Memory Dump Source

Source File: 00000000.00000002.1699427684.0000000004230000.00000040.00001000.00020000.00000000.sdmp, Offset: 04230000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4230000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: Parent$ErrorFreeHeapLanguageLargeLastLengthMinimumPageTextThreadWindow
String ID: Floating-point stack check.$Getting the shim engine exports failed with status 0x%08lx$The Global system lock could not be acquired$The requested name already exists as a unique identifier.$WER/CrashAPI:%u: ERROR Unable to create the m_hAliveEvent event$Y$\$`
API String ID: 1213828948-3937182347
Opcode ID: 1fed5f3935afefd38ade969a7985a760d47705fda64848fdee407ecbd1ff4e88
Instruction ID: 68a451abfb577fddc4ab3e230844267d7c30d94c404d99fe3e92f1b2d0e380f3
Opcode Fuzzy Hash: 1fed5f3935afefd38ade969a7985a760d47705fda64848fdee407ecbd1ff4e88
Instruction Fuzzy Hash: CDF1F4B1B543598BE725DF2CE94939ABFF5EB94304F0484E9C888DB341D638AA85CF50

Function 00152C20 Relevance: 23.1, APIs: 12, Strings: 1, Instructions: 347encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000), ref: 00152C69
CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 00152C8A
CryptHashData.ADVAPI32(?,?,?,00000000), ref: 00152C9D
CryptDestroyHash.ADVAPI32(?), ref: 00152CAA
CryptReleaseContext.ADVAPI32(?,00000000), ref: 00152CB5
CryptGetHashParam.ADVAPI32(?,00000004,?,?,00000000), ref: 00152D05
CryptGetHashParam.ADVAPI32(?,00000002,00000000,?,00000000), ref: 00152D71
CryptDestroyHash.ADVAPI32(?), ref: 00152D7E
CryptReleaseContext.ADVAPI32(?,00000000), ref: 00152D89
CryptDestroyHash.ADVAPI32(?), ref: 00152E64
CryptReleaseContext.ADVAPI32(?,00000000), ref: 00152E6F

Strings

H"!, xrefs: 00152FAC

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: Crypt$Hash$Context$DestroyRelease$Param$AcquireCreateData
String ID: H"!
API String ID: 2102843587-1779651348
Opcode ID: 8c0d614d85395d7217a3ea63de9b914be0d0eb9cb03b9c380759910d4d8cb2d0
Instruction ID: f5f45eaf9c1cdcb9643a3d743f8abe7bdd07f86f8a3606fed20656e12b87f03e
Opcode Fuzzy Hash: 8c0d614d85395d7217a3ea63de9b914be0d0eb9cb03b9c380759910d4d8cb2d0
Instruction Fuzzy Hash: 61C18972600205DFDB14CF28DD85BA9BBF5FF49305F108269FD29AB2A1D770A958CB90

Function 0017C1D0 Relevance: 16.1, Strings: 11, Instructions: 2364COMMON

Download Yara Rule

Strings

RUNE, xrefs: 0017EC01
Invalid or empty zero width assertion., xrefs: 0017E429
More than one alternation operator | was encountered inside a conditional expression., xrefs: 0017E58A
Character class declaration starting with [ terminated prematurely - either no ] was found or the set had no content., xrefs: 0017C229, 0017C348, 0017C3A3, 0017C442, 0017C58D, 0017C5FA, 0017C656, 0017C6FB, 0017C934
Alternation operators are not allowed inside a DEFINE block., xrefs: 0017E612
OMMIT, xrefs: 0017EAE6
Invalid alternation operators within (?...) block., xrefs: 0017DA67
A repetition operator cannot be applied to a zero-width assertion., xrefs: 0017E4E7
CCEPT, xrefs: 0017E9DB
Unterminated \Q...\E sequence., xrefs: 0017CAEF
AIL, xrefs: 0017E8D0

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID:
String ID: A repetition operator cannot be applied to a zero-width assertion.$AIL$Alternation operators are not allowed inside a DEFINE block.$CCEPT$Character class declaration starting with [ terminated prematurely - either no ] was found or the set had no content.$Invalid alternation operators within (?...) block.$Invalid or empty zero width assertion.$More than one alternation operator | was encountered inside a conditional expression.$OMMIT$RUNE$Unterminated \Q...\E sequence.
API String ID: 0-1123991675
Opcode ID: 3c50e1e81fb2a0cda8482577c72ff4d6fc8dfcb87eafd82f618a00ab0cb7584d
Instruction ID: 5bda11cb377bba19a576e6d34951ada8f78567cb87d6968b4af5880659b80b7b
Opcode Fuzzy Hash: 3c50e1e81fb2a0cda8482577c72ff4d6fc8dfcb87eafd82f618a00ab0cb7584d
Instruction Fuzzy Hash: DE239071A00248DFCB14DF68C490AAEBBF1FF59300F15859AE85AAB392D734ED45CB90

Function 042362A8 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 176threadCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 042362B1
GetLargePageMinimum.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0423B8E0), ref: 04236327
GetCurrentThread.KERNEL32 ref: 0423637E
GetSystemDefaultLangID.KERNEL32 ref: 042365A0

Strings

[, xrefs: 04236452
The binding handle is invalid., xrefs: 042363FF, 04236480, 042364FB, 04236503, 04236572
4, xrefs: 04236463
MaxLoaderThreads, xrefs: 042364D4
OverlayPackages, xrefs: 04236488, 04236490, 04236498, 042364E0, 04236510, 0423657A, 04236582, 0423658A

Memory Dump Source

Source File: 00000000.00000002.1699427684.0000000004230000.00000040.00001000.00020000.00000000.sdmp, Offset: 04230000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4230000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: CountCurrentDefaultLangLargeMinimumPageSystemThreadTick
String ID: 4$MaxLoaderThreads$OverlayPackages$The binding handle is invalid.$[
API String ID: 774141065-961749580
Opcode ID: cb5e3466502b4d532aacac872003d07972fce279445ea7733ca40a66982e3a53
Instruction ID: 7e537fc4e72e88875711798e4fe596b88f9d85718ae27352b4796ee2c5256733
Opcode Fuzzy Hash: cb5e3466502b4d532aacac872003d07972fce279445ea7733ca40a66982e3a53
Instruction Fuzzy Hash: B2718DF1B243019FD710DF6AE84825ABBF9EB843A5F14C969C885DB240E338E845DF42

Function 00160B80 Relevance: 13.6, APIs: 9, Instructions: 78clipboardsleepmemoryCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000001,?,00000000,00000000,00000000,00000002,002168B8), ref: 00160BAF
OpenClipboard.USER32(?), ref: 00160BB6
EmptyClipboard.USER32 ref: 00160BC0
GlobalAlloc.KERNEL32(00000002,00000000,?,00000000,00000000,00000000,00000002,002168B8), ref: 00160BE9
GlobalLock.KERNEL32(00000000), ref: 00160BF6
GlobalUnlock.KERNEL32(00000000), ref: 00160C10
SetClipboardData.USER32(0000000D,00000000), ref: 00160C19
CloseClipboard.USER32 ref: 00160C23

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: Clipboard$Global$AllocCloseDataEmptyLockOpenSleepUnlock
String ID:
API String ID: 3026512333-0
Opcode ID: 2b77c213f532e06947facf07031b9e7867eeeba733a8c815a9be761d714f939d
Instruction ID: 5fabfc13102695f9e0dffa938d0291f539e406d0fe0285b59008a9c304492c4d
Opcode Fuzzy Hash: 2b77c213f532e06947facf07031b9e7867eeeba733a8c815a9be761d714f939d
Instruction Fuzzy Hash: 8A11243A6003019BD7116F64BC8DBABB7ACEF88751F004829EC4B93243EB64DD59C6B1

Function 042381BC Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 146stringwindowtimeCOMMON

Download Yara Rule

APIs

GetShellWindow.USER32 ref: 0423825D
GetLastActivePopup.USER32 ref: 042382F8
lstrlenW.KERNEL32 ref: 0423836C
GetMessageTime.USER32 ref: 04238394

Strings

Specified VidPN present path importance ordinal is invalid., xrefs: 04238365
9XuFEqoKDcJEqWQIVJcVB7bgCnscClUO3Ek6DnrBRdd5/nGRvqwCDRNzntQHTrtpqzCAcpFuxTx5rVXUr4R9tb9QNcPxKZnkwCnojpukucKL3dOmPJ4LHIY3iDpV+k6X48+2mXXj978Ae9aPeYPM7YZYpUZDYXa82aZ7+NtxE09vfkntPmCV454Ed4jSnQK1nlLvNC266cXpGrPKXJq7//NWtY1i/YorAywptqoZx9jypXcovY3wr0/wpM3TS+iXsDKZ, xrefs: 04238435
Critical section debug info address, xrefs: 04238239

Memory Dump Source

Source File: 00000000.00000002.1699427684.0000000004230000.00000040.00001000.00020000.00000000.sdmp, Offset: 04230000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4230000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: ActiveLastMessagePopupShellTimeWindowlstrlen
String ID: 9XuFEqoKDcJEqWQIVJcVB7bgCnscClUO3Ek6DnrBRdd5/nGRvqwCDRNzntQHTrtpqzCAcpFuxTx5rVXUr4R9tb9QNcPxKZnkwCnojpukucKL3dOmPJ4LHIY3iDpV+k6X48+2mXXj978Ae9aPeYPM7YZYpUZDYXa82aZ7+NtxE09vfkntPmCV454Ed4jSnQK1nlLvNC266cXpGrPKXJq7//NWtY1i/YorAywptqoZx9jypXcovY3wr0/wpM3TS+iXsDKZ$Critical section debug info address$Specified VidPN present path importance ordinal is invalid.
API String ID: 2678776764-98429151
Opcode ID: e81333d72d0409f3df10cf8065d7711d4afbb5204548f6fb286207f64b7265dd
Instruction ID: 5870bc95b9bb51ff0abbd80a01303362ffda15f172b3d2563d361248015f6fc0
Opcode Fuzzy Hash: e81333d72d0409f3df10cf8065d7711d4afbb5204548f6fb286207f64b7265dd
Instruction Fuzzy Hash: DB51C0B0B243458ED710DF7DB88929A7BF5FB85300F1585BAE888D7241DB389985CB91

Function 0014EBD0 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 321fileCOMMON

Download Yara Rule

APIs

PathIsDirectoryW.SHLWAPI(?), ref: 0014EE0A
FindFirstFileExW.KERNEL32(00000007,00000001,?,00000000,00000000,00000002,00000001,?,?,?,?,?), ref: 0014EE9C
FindFirstFileW.KERNEL32(?,?), ref: 0014EEBF
GetLastError.KERNEL32 ref: 0014EED4
FindClose.KERNEL32(?,?,?,00000007), ref: 0014EF61

Strings

*.*, xrefs: 0014EC1B

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: Find$FileFirst$CloseDirectoryErrorLastPath
String ID: *.*
API String ID: 1803994648-438819550
Opcode ID: 4d63fbf4dc5b6e5523e875f6b4bc4c6858b57017bbd35ba729221224534d781e
Instruction ID: 6fd230734fce265871c2146f24542a807efe6df0de3470f997038354978ef1c6
Opcode Fuzzy Hash: 4d63fbf4dc5b6e5523e875f6b4bc4c6858b57017bbd35ba729221224534d781e
Instruction Fuzzy Hash: E0C17071E00214DFCB18DFA8D885BAEB7F5FF44314F204969E855EB2A1D730AA45CB90

Function 001FC5F7 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 182COMMON

Download Yara Rule

APIs

Part of subcall function 001F1716: GetLastError.KERNEL32(00000000,?,001F7DD7), ref: 001F171A
Part of subcall function 001F1716: SetLastError.KERNEL32(00000000,00000000,00000000,00000006,000000FF), ref: 001F17BC

GetUserDefaultLCID.KERNEL32 ref: 001FC6FF
IsValidCodePage.KERNEL32(00000000), ref: 001FC73D
IsValidLocale.KERNEL32(?,00000001), ref: 001FC750
GetLocaleInfoW.KERNEL32(?,00001001,?,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 001FC798
GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 001FC7B3

Strings

, , xrefs: 001FC65C

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID: ,
API String ID: 415426439-3892850022
Opcode ID: 5b197ca4e331f3756cbfc50b60554aaa5d1ff67e5c29845589b77e4b6e33b016
Instruction ID: 773932c1eb528ab108ed9f2d25fbe1f55d5329587919c241f673e52f6005384a
Opcode Fuzzy Hash: 5b197ca4e331f3756cbfc50b60554aaa5d1ff67e5c29845589b77e4b6e33b016
Instruction Fuzzy Hash: 0851A472E0020EABDF10EFA4DD85ABE73B8BF18700F144565FA05E7191E7719944EBA1

Function 001FCECF Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1473COMMONLIBRARYCODE

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 001FD0E6

Strings

1#SNAN, xrefs: 001FCFDB
1#IND, xrefs: 001FCFD4
1#INF, xrefs: 001FD005
1#QNAN, xrefs: 001FCFE2

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 8f52396c0691be2105456b8030e87446d50ea7e9f72ce26f68e578b30016aefc
Instruction ID: 292581a600aefa761ce20559637612a1bcc930b9ead61e9a3fb46184a1f2c9e6
Opcode Fuzzy Hash: 8f52396c0691be2105456b8030e87446d50ea7e9f72ce26f68e578b30016aefc
Instruction Fuzzy Hash: 2DD22671E0862C8BDB65CE28DD447FAB7B6EB85304F1541EAD50DE7240EB78AE818F41

Function 04237D18 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 134COMMON

Download Yara Rule

APIs

GetShellWindow.USER32 ref: 04237E04
GetParent.USER32 ref: 04237E96

Strings

/Gkn+M89bw5nJnjp4ayKmM1pCcZ0hwa1jU19grR+zqs0bMUJoO3oNRGpK+m00iCWBJ4Hqb4Ga1g8blg4X8dAZ2Kdx7G9ZK3SxVNAM9b2hXDZK5Ztt+flpTng7uy28mrmlNJ+ZeoQ9eUdF7XA6anHxiC5JuuV5FiGOfTolTRgueS5uUKjlMsclrvuJUaswdKguWHUCgN0CsNo1RoDtSfskr+hhW1KSQmgL9Y676t+MO0yFF6yLr9/t8U2h9Xg355LDVQs, xrefs: 04237F6F
Failed to get TAG_REG_VALUE_DATA_DWORD, xrefs: 04237D3E
Microsoft Time-Stamp PCA 20100, xrefs: 04237D59, 04237DEF, 04237ED2

Memory Dump Source

Source File: 00000000.00000002.1699427684.0000000004230000.00000040.00001000.00020000.00000000.sdmp, Offset: 04230000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4230000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: ParentShellWindow
String ID: /Gkn+M89bw5nJnjp4ayKmM1pCcZ0hwa1jU19grR+zqs0bMUJoO3oNRGpK+m00iCWBJ4Hqb4Ga1g8blg4X8dAZ2Kdx7G9ZK3SxVNAM9b2hXDZK5Ztt+flpTng7uy28mrmlNJ+ZeoQ9eUdF7XA6anHxiC5JuuV5FiGOfTolTRgueS5uUKjlMsclrvuJUaswdKguWHUCgN0CsNo1RoDtSfskr+hhW1KSQmgL9Y676t+MO0yFF6yLr9/t8U2h9Xg355LDVQs$Failed to get TAG_REG_VALUE_DATA_DWORD$Microsoft Time-Stamp PCA 20100
API String ID: 2724987481-3605572846
Opcode ID: f8538482bd9ed35d623ab5cf11afb008e19cde1317e9bdc3ad42947fc1b53b9c
Instruction ID: 7ca8f547073182e40c84e48e87bc163cfc9dec865abc4b6fbffc562130de808d
Opcode Fuzzy Hash: f8538482bd9ed35d623ab5cf11afb008e19cde1317e9bdc3ad42947fc1b53b9c
Instruction Fuzzy Hash: EF51AFB1A043998EDB15EF6DE9487EA7FF4EBA9300F8544E9C48997301C6389A45CF90

Function 04237888 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 134COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 0423798C
GetDesktopWindow.USER32 ref: 0423799C

Strings

An RPC protocol error occurred., xrefs: 042378CB
B6JBNJ6PRKKc2kvMjaLrLt3YZ32hT0WHOmQDBLvfQ8ma7v9L41vMKkBZMCJ2BiBBQGe68/Xky/+eddG9orwn5M0tVsxo1Ro1LpjpIN1KXMHnZ7bavYUXClyTzhwI5p4VcEukuoFe0hBKdKuohRhuGm/F/IlH4ZmeMc/8T4gBw2VoHAIpv7H1E82p6Tv4P97xC9eNtj23KcEkr1A54g5A1CFT0nD/HHbhN+XoBnOOxYCQOc7zKw18QAFv384h6T9UjIyN, xrefs: 04237AB0
A required privilege is not held by the client., xrefs: 042378DD, 042379FA

Memory Dump Source

Source File: 00000000.00000002.1699427684.0000000004230000.00000040.00001000.00020000.00000000.sdmp, Offset: 04230000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4230000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: Window$DesktopForeground
String ID: A required privilege is not held by the client.$An RPC protocol error occurred.$B6JBNJ6PRKKc2kvMjaLrLt3YZ32hT0WHOmQDBLvfQ8ma7v9L41vMKkBZMCJ2BiBBQGe68/Xky/+eddG9orwn5M0tVsxo1Ro1LpjpIN1KXMHnZ7bavYUXClyTzhwI5p4VcEukuoFe0hBKdKuohRhuGm/F/IlH4ZmeMc/8T4gBw2VoHAIpv7H1E82p6Tv4P97xC9eNtj23KcEkr1A54g5A1CFT0nD/HHbhN+XoBnOOxYCQOc7zKw18QAFv384h6T9UjIyN
API String ID: 3460230961-3038535665
Opcode ID: 0727a8c456899ee7e58c6dc0af9b1c40dec85aac258f7c067507ef031655df95
Instruction ID: 025945fe4e4334754521d0471e5c80cbe711ddb8d17c42f0addf0ce7bd5609fd
Opcode Fuzzy Hash: 0727a8c456899ee7e58c6dc0af9b1c40dec85aac258f7c067507ef031655df95
Instruction Fuzzy Hash: 215144B0B103988EDB148F2DF8953EA7FF1EBC5314F1986B9D49887201C6389985CF90

Function 001FC41B Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002), ref: 001FC4B4
GetLocaleInfoW.KERNEL32(?,20001004,?,00000002), ref: 001FC4DD
GetACP.KERNEL32 ref: 001FC4F2

Strings

OCP, xrefs: 001FC46F
ACP, xrefs: 001FC439

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: ac9f15be4a6eb9ed6716338d3ff003a6827d907c515b75fd39512987dfab2014
Instruction ID: 1609b02ac668b205795fcb21b197a0500de9678e1a946b0c7d30585a17a32e36
Opcode Fuzzy Hash: ac9f15be4a6eb9ed6716338d3ff003a6827d907c515b75fd39512987dfab2014
Instruction Fuzzy Hash: 5421B37270020EA6DB34DF14CA24AF7B3A6AB54F50B168424EB0ADB155E732DE81F7D0

Function 001EAA60 Relevance: 6.5, APIs: 4, Instructions: 455COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1efba251552fdea66bd40b4acbb61fcd993080fe13ac09347de62c1cb3ee0d26
Instruction ID: 97e94f23be857520bfb054f9184d7ff337d4525f3e0c12edfc1f2a874c1808f0
Opcode Fuzzy Hash: 1efba251552fdea66bd40b4acbb61fcd993080fe13ac09347de62c1cb3ee0d26
Instruction Fuzzy Hash: 26024A71E006599FDF14CFA9C8806AEFBB1FF48314F658269E919E7380D731A941CB91

Function 001F9310 Relevance: 6.1, APIs: 4, Instructions: 129fileCOMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000), ref: 001F93AB
FindNextFileW.KERNEL32(00000000,?), ref: 001F9426
FindClose.KERNEL32(00000000), ref: 001F9448
FindClose.KERNEL32(00000000), ref: 001F946B

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: Find$CloseFile$FirstNext
String ID:
API String ID: 1164774033-0
Opcode ID: 98a9361637cfdb091ab6d97d1eff0b0776943b60155355e0459520839cef0393
Instruction ID: 0d53ba2ce21f0e5333674279eff890e95686aa09f474c65ce8d9fa1cca216a08
Opcode Fuzzy Hash: 98a9361637cfdb091ab6d97d1eff0b0776943b60155355e0459520839cef0393
Instruction Fuzzy Hash: 2641A47190061DAEDB20FF78DD88ABEB3B9EB94304F004195EA0597181E7309E85CB61

Function 001D94D1 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 001D94DD
IsDebuggerPresent.KERNEL32 ref: 001D95A9
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 001D95C2
UnhandledExceptionFilter.KERNEL32(?), ref: 001D95CC

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 89765bc5182e71803a0494a2003728a9186c78a857a9684203a3404ea601654e
Instruction ID: 89a7b50359f86df800342a5059c59af2f3454a92cde8583077c2e522a5cdef35
Opcode Fuzzy Hash: 89765bc5182e71803a0494a2003728a9186c78a857a9684203a3404ea601654e
Instruction Fuzzy Hash: 8431D775D05319DBDF21EFA4D9897CDBBB8AF08300F1041AAE40DAB251EB719A85CF45

Function 00181A20 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 492libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(-000000D2), ref: 00181AB7
LoadStringW.USER32(?,-000002EA,-000002EA,00000100), ref: 00181BDB

Strings

Unable to open message catalog: , xrefs: 00181D7B

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: Load$LibraryString
String ID: Unable to open message catalog:
API String ID: 1664019954-3361316291
Opcode ID: 19755783f5934e2c2cd812263af6b914b8acf6da9e94b9e786af0ab97c4bac8b
Instruction ID: dbf747511250647c1a3e8a9edafd878d455107c4e3e76593abe9a3597ae62ce2
Opcode Fuzzy Hash: 19755783f5934e2c2cd812263af6b914b8acf6da9e94b9e786af0ab97c4bac8b
Instruction Fuzzy Hash: A012E272D04348AFCB14EFA8C8846AEBBF5BF54300F14855DE849AB341D7719A4ACF91

Function 001DA8C0 Relevance: 4.7, APIs: 3, Instructions: 207windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(0B9FDD92,?), ref: 001DA916
FormatMessageA.KERNEL32(00001100,00000000,00000000,00000400,?,00000000,00000000), ref: 001DA939
LocalFree.KERNEL32(?,?,?,00212150,00000002,?,?), ref: 001DAA06

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: ErrorFormatFreeLastLocalMessage
String ID:
API String ID: 1365068426-0
Opcode ID: 3548770b919891094badfa84a64e00d0a5af879d6728649d51080cffa261bbd4
Instruction ID: c0ebf049aaff328dac79142a26c068eee3687799e75532f6b639d0015ae5d318
Opcode Fuzzy Hash: 3548770b919891094badfa84a64e00d0a5af879d6728649d51080cffa261bbd4
Instruction Fuzzy Hash: 50612571900205AFCF18DF68D854BEEBBB8EF4A314F14831AE8157B2C2DB316945CBA0

Function 001FC09F Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 001F1716: GetLastError.KERNEL32(00000000,?,001F7DD7), ref: 001F171A
Part of subcall function 001F1716: SetLastError.KERNEL32(00000000,00000000,00000000,00000006,000000FF), ref: 001F17BC

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 001FC0F3
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 001FC13D
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 001FC203

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: InfoLocale$ErrorLast
String ID:
API String ID: 661929714-0
Opcode ID: 2619b9f48625fe9d32ec2deee95a9c8554398eeb3d73845cc17394ed888c583e
Instruction ID: ed0ea4dfd1a213b392857308bf49e627daba2d2031959e7cd83cae058a052479
Opcode Fuzzy Hash: 2619b9f48625fe9d32ec2deee95a9c8554398eeb3d73845cc17394ed888c583e
Instruction Fuzzy Hash: 6961BE7194020F9FDB289F68CE96BBAB3A8FF14300F104179EE05C6582E775D991EB90

Function 001DEA53 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 001DEB4B
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 001DEB55
UnhandledExceptionFilter.KERNEL32(-00000227,?,?,?,?,?,00000000), ref: 001DEB62

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 20ed6f5998adbdb4db4e4b4b0896c160e29b6894175535a247998b5e25a1fb35
Instruction ID: 70be1575ac9b49c30134fb1d1debde1001dbe54af33921864c431a99c1ce8a64
Opcode Fuzzy Hash: 20ed6f5998adbdb4db4e4b4b0896c160e29b6894175535a247998b5e25a1fb35
Instruction Fuzzy Hash: AA31D474941328ABCF21EF24D88878CBBB8BF18310F5041DAE40DA7261EB309B818F44

Function 001CA2C0 Relevance: 4.2, Strings: 3, Instructions: 458COMMON

Download Yara Rule

Strings

Q!, xrefs: 001CA6CD
MATCH, xrefs: 001CA31B
LAST_SUBMATCH_RESULTLAST_PAREN_MATCHPOSTMATCH, xrefs: 001CA61A

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID:
String ID: LAST_SUBMATCH_RESULTLAST_PAREN_MATCHPOSTMATCH$MATCH$Q!
API String ID: 0-3858289081
Opcode ID: 73c85b4170a7c043c0ee4d875fcbb84599c89dfb7e2146537fab5693d2773d35
Instruction ID: b5ececfe9dd04adc01a138a74f63fb2fbe827ea6984adf9621bb0aa4eb8df5da
Opcode Fuzzy Hash: 73c85b4170a7c043c0ee4d875fcbb84599c89dfb7e2146537fab5693d2773d35
Instruction Fuzzy Hash: ACE1C5726002549FCB16CF18D480B69B7E1FFA1328F98856ED955CB241D735FC4ACB62

Function 042360B0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

GetDialogBaseUnits.USER32 ref: 042360E2

Part of subcall function 04243328: GetLargePageMinimum.KERNEL32 ref: 042433E1
Part of subcall function 04243328: GetWindowTextLengthW.USER32 ref: 04243448

Strings

STATUS_ABIOS_NOT_PRESENT, xrefs: 0423611C, 04236124

Memory Dump Source

Source File: 00000000.00000002.1699427684.0000000004230000.00000040.00001000.00020000.00000000.sdmp, Offset: 04230000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4230000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: BaseDialogLargeLengthMinimumPageTextUnitsWindow
String ID: STATUS_ABIOS_NOT_PRESENT
API String ID: 2297771435-2188909095
Opcode ID: 8dab30732cd9aae40cf83419841e98df709cfa2c9f59436a421b78b515e2791f
Instruction ID: ef6d6c3a587e28b325b76aadd79cdc19ea3e7be9e6e64aa279e53a94347144c4
Opcode Fuzzy Hash: 8dab30732cd9aae40cf83419841e98df709cfa2c9f59436a421b78b515e2791f
Instruction Fuzzy Hash: 0B1188B2B613058BD720EF6DF48822A7BB9F780351F448529D495DB281D738A9858B92

Function 001E3B8A Relevance: 2.9, Strings: 2, Instructions: 385COMMON

Download Yara Rule

Strings

.2 , xrefs: 001E3D68, 001E3F40
0, xrefs: 001E3D1B

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID:
String ID: .2 $0
API String ID: 0-227393976
Opcode ID: d7c5970ccb85e1f67391ed15f235b9ff49338825bd95dd8ee597e8398ccd3ea4
Instruction ID: e97d0843eb29f06f8caee602d3d5646dff945ea4abfe95dd05948fc680d51ba6
Opcode Fuzzy Hash: d7c5970ccb85e1f67391ed15f235b9ff49338825bd95dd8ee597e8398ccd3ea4
Instruction Fuzzy Hash: 2ED1A130A00E868FCB28CF6AC588A7EB7F1FF45710B24461DE566AB691D731EE41CB51

Function 001F7559 Relevance: 1.9, APIs: 1, Instructions: 410timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,001F799E,00000000,00000000,00000000), ref: 001F785D

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: InformationTimeZone
String ID:
API String ID: 565725191-0
Opcode ID: 08d88afd3b2aa75ef4e55152b9a26a195b75a809f47306b3556a03614477182a
Instruction ID: 798a7485c07487d82f930daab7dbf566caf1d409ee2a9c0c3f82c4eb319adc2e
Opcode Fuzzy Hash: 08d88afd3b2aa75ef4e55152b9a26a195b75a809f47306b3556a03614477182a
Instruction Fuzzy Hash: E2D10772E04119ABDB20BB68DC46ABE77B9FF14760F144016FA05E72D1EB709E41C791

Function 001F1FD4 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,0014DFD0,?,00000008,?,?,001F1FCF,0014DFD0,?,00000008,?,?,00201BBF,00000000), ref: 001F2201

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: ce692be2a9ad3ed91209b3dd1c15924d904b34ebfbad36cc0f3be8b8056051c1
Instruction ID: 3d3e81a77c7575509d068ee27b39f750864c2e1df74d33e812485d005df05969
Opcode Fuzzy Hash: ce692be2a9ad3ed91209b3dd1c15924d904b34ebfbad36cc0f3be8b8056051c1
Instruction Fuzzy Hash: C4B17E32610608DFD719CF28C48AB657BE0FF45364F298658EA99CF2A1C735ED92CB40

Function 001D929C Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 001D92B2

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 4c8d38f62645799e8893197870860cbd5259aaac599b85bb9ed5df9358f44408
Instruction ID: ec093d68e0055f04a83387e0142df29fd4a440557fe14ba0e8ad38c315daeea0
Opcode Fuzzy Hash: 4c8d38f62645799e8893197870860cbd5259aaac599b85bb9ed5df9358f44408
Instruction Fuzzy Hash: A55181B1A01245EFDB24CFA4E9897AEBBF4FB48310F14912AD805EB395D3B49945CB90

Function 001FC2F2 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 001F1716: GetLastError.KERNEL32(00000000,?,001F7DD7), ref: 001F171A
Part of subcall function 001F1716: SetLastError.KERNEL32(00000000,00000000,00000000,00000006,000000FF), ref: 001F17BC

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 001FC346

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 24cd2b5ced02874aace9db08ab64278c1ed4ce17e8089455b2d574eda0a976cb
Instruction ID: ef5c16254ad76310c07b5535ee43659dbaa55b4a08318b7511ba398353274a37
Opcode Fuzzy Hash: 24cd2b5ced02874aace9db08ab64278c1ed4ce17e8089455b2d574eda0a976cb
Instruction Fuzzy Hash: AC21C532A0020EABDB289A29DD45ABB73ADFF54340B10407AFE05D6141EB76ED40A790

Function 001E382B Relevance: 1.6, Strings: 1, Instructions: 333COMMONLIBRARYCODE

Download Yara Rule

Strings

0, xrefs: 001E399B

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 1f4efeeafccb7aa199ae79a713ab1a6d54996364c4ba5bc5258073dc1cb49fd6
Instruction ID: 02c8d0278ae7b7945b5feee71ed3fde910c611805470597347ee808ec70ae62c
Opcode Fuzzy Hash: 1f4efeeafccb7aa199ae79a713ab1a6d54996364c4ba5bc5258073dc1cb49fd6
Instruction Fuzzy Hash: 50C1BF30900E8A8FCB29CE6AC59CA7EBBB1EF45304F144719E4B697692C371EE45CB51

Function 001FBF79 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 001F1716: GetLastError.KERNEL32(00000000,?,001F7DD7), ref: 001F171A
Part of subcall function 001F1716: SetLastError.KERNEL32(00000000,00000000,00000000,00000006,000000FF), ref: 001F17BC

EnumSystemLocalesW.KERNEL32(001FC09F,00000001), ref: 001FBFEB

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 8e4962d1a71f307e3862b6532a3905bb609bbee49b7a204d452af98dca181b66
Instruction ID: bc1c7e0aad9a4f7f5e3485c3f1568b622d1c3ffe99322a07eda33306b6cd4334
Opcode Fuzzy Hash: 8e4962d1a71f307e3862b6532a3905bb609bbee49b7a204d452af98dca181b66
Instruction Fuzzy Hash: 8911E93A2047099FDB18AF39C8D16BAB792FF84358B15442CE64787A41D7717943DB40

Function 001FC521 Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

Part of subcall function 001F1716: GetLastError.KERNEL32(00000000,?,001F7DD7), ref: 001F171A
Part of subcall function 001F1716: SetLastError.KERNEL32(00000000,00000000,00000000,00000006,000000FF), ref: 001F17BC

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,001FC2BB,00000000,00000000,?), ref: 001FC54D

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 8bb68ba92488aa1c0182d896b7fb1d17fc8ac4c65fcceb5da453434eb1ecff45
Instruction ID: cbde85fa092a50dfe33f4b2156b6c2ecf6a8075a216b18a26ca3e12e5f6b2547
Opcode Fuzzy Hash: 8bb68ba92488aa1c0182d896b7fb1d17fc8ac4c65fcceb5da453434eb1ecff45
Instruction Fuzzy Hash: C601D67671011EABDB2C9A248D46AFB7758DB40754F154468EE07A3190EB70FE41E6D0

Function 001FC014 Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

APIs

Part of subcall function 001F1716: GetLastError.KERNEL32(00000000,?,001F7DD7), ref: 001F171A
Part of subcall function 001F1716: SetLastError.KERNEL32(00000000,00000000,00000000,00000006,000000FF), ref: 001F17BC

EnumSystemLocalesW.KERNEL32(001FC2F2,00000001), ref: 001FC05E

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 98ea6674b837de773ca346bee0a31d8a0205ebf55a20b61536fa055c182c7e60
Instruction ID: a7f79817162336db37a0bbcd67cdf114192f4476e2f3e553039de9a836928f97
Opcode Fuzzy Hash: 98ea6674b837de773ca346bee0a31d8a0205ebf55a20b61536fa055c182c7e60
Instruction Fuzzy Hash: B4F0F63A30030C9FDB245F799D85A7A7B91FF81768F15442CFB454B690DBB19C42E690

Function 001F5EA7 Relevance: 1.5, APIs: 1, Instructions: 33COMMON

Download Yara Rule

APIs

Part of subcall function 001EDD9D: EnterCriticalSection.KERNEL32(?,?,001EECD5,00000000,00223218,0000000C,001EEC9D,?,?,001F2689,?,?,001F18B4,00000001,00000364,?), ref: 001EDDAC

EnumSystemLocalesW.KERNEL32(Function_000E5E9A,00000001,002234B8,0000000C,001F62D2,?), ref: 001F5EDF

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: ffa7bad1e479fa48ddbd80897d5a5e680688a01c70a8d5f22034de67127a18cd
Instruction ID: 29d4a3f35b48576bb508f565f2456041e77f27498faa6ed3f0800a7de231e74a
Opcode Fuzzy Hash: ffa7bad1e479fa48ddbd80897d5a5e680688a01c70a8d5f22034de67127a18cd
Instruction Fuzzy Hash: 7AF03776A00244EFD710EFA8E84AB9D77B1EB08721F00405AF515DB2A1CB7A5901CF41

Function 001FBF2E Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 001F1716: GetLastError.KERNEL32(00000000,?,001F7DD7), ref: 001F171A
Part of subcall function 001F1716: SetLastError.KERNEL32(00000000,00000000,00000000,00000006,000000FF), ref: 001F17BC

EnumSystemLocalesW.KERNEL32(001FBE87,00000001), ref: 001FBF65

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 32477d3a82d9e628519474aae54bd1b75a0c808ac6a7d5939eab28860683ceb7
Instruction ID: edf35ff8e6eb2b1a1dd31b6d45632705eb2434ac243fb7336b940157b5dc15fd
Opcode Fuzzy Hash: 32477d3a82d9e628519474aae54bd1b75a0c808ac6a7d5939eab28860683ceb7
Instruction Fuzzy Hash: 2CF0E53A300209A7CB04AF35DC89A7ABFA4EFC1754B064098FB098B691CB759842CB90

Function 001F642D Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,001F0EAC,?,20001004,00000000,00000002,?,?,001F049E), ref: 001F6461

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 8990d9edc7cb033c2840a7cc0c0f49d4e10f75c6c5cea83460a1cd5506914e84
Instruction ID: 66db404c0246d3521a6d09303c695a0c1446d33e5ef6ec1654bf6226ec3e2281
Opcode Fuzzy Hash: 8990d9edc7cb033c2840a7cc0c0f49d4e10f75c6c5cea83460a1cd5506914e84
Instruction Fuzzy Hash: CFE04F7150021CBBCF123F60EC08ABE7F2AEF44760F048010FE0665162CB328D61AA98

Function 001A49B0 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3262d2e818f5ec7b3eebc2c903f11d4aa5c0fb6e701161eff682ad2fce20ceb
Instruction ID: f07df3900e7dfa489caa1509bc95d07b8cf21bc0f65fc4e5a2cf793a74fde7af
Opcode Fuzzy Hash: c3262d2e818f5ec7b3eebc2c903f11d4aa5c0fb6e701161eff682ad2fce20ceb
Instruction Fuzzy Hash: 0A7189756052118FC714CF28C89062AFBE1FBD9364F148A2EF89ADB390D771E905CB95

Function 001E89F7 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0e1bea2186ccdaf5911758430073ecf0a306bc1d82e0eec42000191d8490b8c
Instruction ID: 74adba6dab9695e0e03ddcd7497419d79b28b7e7319467ba616f91e8f8aaf360
Opcode Fuzzy Hash: e0e1bea2186ccdaf5911758430073ecf0a306bc1d82e0eec42000191d8490b8c
Instruction Fuzzy Hash: D8518172D00259EFDF14CF99C841AEEBBB6FF88300F198469E919AB241D7749E50CB90

Function 001A47F0 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0f0a73c41b8169e5e60d41f4594f70cfefb0c30b59f3b6c78eb1d6e1a4a1e5a
Instruction ID: aa698debfa52bff4ebe6cd4061b63cd756543b13aa32325cddeaa989114eb992
Opcode Fuzzy Hash: d0f0a73c41b8169e5e60d41f4594f70cfefb0c30b59f3b6c78eb1d6e1a4a1e5a
Instruction Fuzzy Hash: 9351A8746182118F8708DF28C8A196EFBE5FBC9344F40892EF899DB391D770EA05CB91

Function 0016ACA0 Relevance: 68.6, APIs: 21, Strings: 18, Instructions: 306COMMON

Download Yara Rule

APIs

SHSetValueW.SHLWAPI(80000001,Software\Classes\Directory\shell\grepWinNP3,00000000,00000001,Search with grepWinNP3,00000030,?,?,?,?,?,?,?), ref: 0016AD84
SHSetValueW.SHLWAPI(80000001,Software\Classes\Directory\shell\grepWinNP3,Icon,00000001,?,?,?,?,?,?,?,?,?), ref: 0016ADAF
SHSetValueW.SHLWAPI(80000001,Software\Classes\Directory\shell\grepWinNP3\Command,00000000,00000001,?,?,?,?,?,?,?,?,?,?), ref: 0016ADD7
SHSetValueW.SHLWAPI(80000001,Software\Classes\Directory\Background\shell\grepWinNP3,00000000,00000001,Search with grepWinNP3,00000030,?,?,?,?,?,?,?,?,?), ref: 0016ADEE
SHSetValueW.SHLWAPI(80000001,Software\Classes\Directory\Background\shell\grepWinNP3,Icon,00000001,?,?,?,?,?,?,?,?,?,?,?), ref: 0016AE19
SHSetValueW.SHLWAPI(80000001,Software\Classes\Folder\shell\grepWinNP3,00000000,00000001,Search with grepWinNP3,00000030,?,?,?,?,?,?,?,?,?,?), ref: 0016AE30
SHSetValueW.SHLWAPI(80000001,Software\Classes\Folder\shell\grepWinNP3,Icon,00000001,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0016AE5B
SHSetValueW.SHLWAPI(80000001,Software\Classes\Folder\shell\grepWinNP3\Command,00000000,00000001,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0016AE83
SHSetValueW.SHLWAPI(80000001,Software\Classes\Drive\shell\grepWinNP3,00000000,00000001,Search with grepWinNP3,00000030), ref: 0016AE9A
SHSetValueW.SHLWAPI(80000001,Software\Classes\Drive\shell\grepWinNP3,Icon,00000001,?), ref: 0016AEC5
SHSetValueW.SHLWAPI(80000001,Software\Classes\Drive\shell\grepWinNP3\Command,00000000,00000001,?), ref: 0016AEED
SHSetValueW.SHLWAPI(80000001,Software\Classes\*\shell\grepWinNP3,00000000,00000001,Search with grepWinNP3,00000030), ref: 0016AF04
SHSetValueW.SHLWAPI(80000001,Software\Classes\*\shell\grepWinNP3,Icon,00000001,?), ref: 0016AF2F
SHSetValueW.SHLWAPI(80000001,Software\Classes\*\shell\grepWinNP3\Command,00000000,00000001,?), ref: 0016AF57
SHSetValueW.SHLWAPI(80000001,Software\Classes\*\shell\grepWinNP3,MultiSelectModel,00000001,Player,00000010), ref: 0016AF71
SHSetValueW.SHLWAPI(80000001,Software\Classes\Directory\Background\shell\grepWinNP3\Command,00000000,00000001,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0016B03D
SHDeleteKeyW.SHLWAPI(80000001,Software\Classes\Directory\shell\grepWinNP3,?,?), ref: 0016B06F
SHDeleteKeyW.SHLWAPI(80000001,Software\Classes\Directory\Background\shell\grepWinNP3), ref: 0016B07B
SHDeleteKeyW.SHLWAPI(80000001,Software\Classes\Folder\shell\grepWinNP3), ref: 0016B087
SHDeleteKeyW.SHLWAPI(80000001,Software\Classes\Drive\shell\grepWinNP3), ref: 0016B093
SHDeleteKeyW.SHLWAPI(80000001,Software\Classes\*\shell\grepWinNP3), ref: 0016B09F

Part of subcall function 0015D360: GetModuleFileNameW.KERNEL32(00000000,00000000,00000000), ref: 0015D3E1

Strings

Software\Classes\Directory\shell\grepWinNP3\Command, xrefs: 0016ADCD
Search with grepWinNP3, xrefs: 0016ADDB, 0016AE1D, 0016AE87, 0016AEF1
Software\Classes\Drive\shell\grepWinNP3\Command, xrefs: 0016AEE3
Search with grepWinNP3, xrefs: 0016AD71
Software\Classes\Folder\shell\grepWinNP3\Command, xrefs: 0016AE79
Software\Classes\*\shell\grepWinNP3\Command, xrefs: 0016AF4D
Software\Classes\Directory\Background\shell\grepWinNP3\Command, xrefs: 0016B033
%s /searchpath:"%%1", xrefs: 0016AD41
Software\Classes\Folder\shell\grepWinNP3, xrefs: 0016AE26, 0016AE51, 0016B07D
%s /searchpath:"%%V", xrefs: 0016AFA2
MultiSelectModel, xrefs: 0016AF62
%s,-%d, xrefs: 0016ACF3
Icon, xrefs: 0016ADA0, 0016AE0A, 0016AE4C, 0016AEB6, 0016AF20
Software\Classes\Drive\shell\grepWinNP3, xrefs: 0016AE90, 0016AEBB, 0016B089
Software\Classes\Directory\Background\shell\grepWinNP3, xrefs: 0016ADE4, 0016AE0F, 0016B071
Software\Classes\Directory\shell\grepWinNP3, xrefs: 0016AD7A, 0016ADA5, 0016B065
Software\Classes\*\shell\grepWinNP3, xrefs: 0016AEFA, 0016AF25, 0016AF67, 0016B095
Player, xrefs: 0016AF5B

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: Value$Delete$FileModuleName
String ID: %s /searchpath:"%%1"$%s /searchpath:"%%V"$%s,-%d$Icon$MultiSelectModel$Player$Search with grepWinNP3$Search with grepWinNP3$Software\Classes\*\shell\grepWinNP3$Software\Classes\*\shell\grepWinNP3\Command$Software\Classes\Directory\Background\shell\grepWinNP3$Software\Classes\Directory\Background\shell\grepWinNP3\Command$Software\Classes\Directory\shell\grepWinNP3$Software\Classes\Directory\shell\grepWinNP3\Command$Software\Classes\Drive\shell\grepWinNP3$Software\Classes\Drive\shell\grepWinNP3\Command$Software\Classes\Folder\shell\grepWinNP3$Software\Classes\Folder\shell\grepWinNP3\Command
API String ID: 3737704472-174100858
Opcode ID: 9396427be3105db04af490e059c52fbb35038c6b0e85ff8c32ad279d4e4d462c
Instruction ID: 5f0dd4f7ef55071001bf15dee296e784e204fb17cd6af494445f7941b7156f08
Opcode Fuzzy Hash: 9396427be3105db04af490e059c52fbb35038c6b0e85ff8c32ad279d4e4d462c
Instruction Fuzzy Hash: 8BB18B70A50219EEEB14DB94DD82FEDB7F4EB24708F100059F505B7291DBB17AA8CBA1

Function 00156CD0 Relevance: 45.7, APIs: 24, Strings: 2, Instructions: 238windowCOMMON

Download Yara Rule

APIs

GetPropW.USER32(?), ref: 00156CE8
SetCursor.USER32 ref: 00156D28
SetWindowLongW.USER32(?,000000FC,?), ref: 00156D42
SendMessageW.USER32(?,00000030,?,00000000), ref: 00156D50
DeleteObject.GDI32 ref: 00156D75
RemovePropW.USER32(?,-00000001), ref: 00156D8E
CallWindowProcW.USER32(?,?,?,?,?), ref: 00156DA0
ShellExecuteExW.SHELL32 ref: 00156E13
InvalidateRect.USER32(?,00000000,00000000), ref: 00156E25
CallWindowProcW.USER32(?,?,?,?,?), ref: 00156E5A
SendMessageW.USER32(?,00000030,?,00000000), ref: 00156E7F
InvalidateRect.USER32(?,00000000,00000000), ref: 00156E8A
GetParent.USER32(?), ref: 00156EAD
GetWindowRect.USER32(?,?), ref: 00156EC3
ScreenToClient.USER32(00000000,00000000), ref: 00156EE5
ScreenToClient.USER32(00000000,00000000), ref: 00156EED
GetDC.USER32(00000000), ref: 00156EF0
DrawFocusRect.USER32(00000000,00000000), ref: 00156EFE
ReleaseDC.USER32(00000000,00000000), ref: 00156F06
GetClientRect.USER32(?,?), ref: 00156F23
ReleaseCapture.USER32 ref: 00156F4A

Strings

open, xrefs: 00156E03
<, xrefs: 00156DFB

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: Rect$Window$Client$CallInvalidateMessageProcPropReleaseScreenSend$CaptureCursorDeleteDrawExecuteFocusLongObjectParentRemoveShell
String ID: <$open
API String ID: 2539734022-1930408713
Opcode ID: 79c9e5a24a19f1fca3fa5c2041ffa8294fbaac6279ecffc9ef97788adf6ee23b
Instruction ID: 50ab067f1f7d68d51571fc59dc0ea9ba2e9f0fe17a69c73784326a6e46b43edb
Opcode Fuzzy Hash: 79c9e5a24a19f1fca3fa5c2041ffa8294fbaac6279ecffc9ef97788adf6ee23b
Instruction Fuzzy Hash: 1781A132200205EFD721CFA4FC8CB6B7BF8EB89712F40055AF956C6192D7719949DBA1

Function 0014B7D0 Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 124windowlibraryCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 0014B7EA
GetWindowPlacement.USER32(00000000,?), ref: 0014B7F8
GetDesktopWindow.USER32 ref: 0014B810
GetWindowRect.USER32(00000000,?), ref: 0014B824
GetWindowRect.USER32(?,?), ref: 0014B82C
CopyRect.USER32(?,?), ref: 0014B838
OffsetRect.USER32(?,?,?), ref: 0014B857
OffsetRect.USER32(?,?,?), ref: 0014B86C
OffsetRect.USER32(?,?,?), ref: 0014B881
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,00000041), ref: 0014B8A8
LoadImageW.USER32(?,?,00000001,00000000,00000000,00008040), ref: 0014B8C1
SendMessageW.USER32(?,00000080,00000001,00000000), ref: 0014B8DA
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0014B8E7
SetLastError.KERNEL32(000004DF), ref: 0014B8F4
LoadLibraryW.KERNEL32(dwmapi.dll), ref: 0014B901

Strings

,, xrefs: 0014B7E2
dwmapi.dll, xrefs: 0014B8FC

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: Rect$Window$Offset$LoadMessageSend$CopyDesktopErrorImageLastLibraryParentPlacement
String ID: ,$dwmapi.dll
API String ID: 2759369074-1731591866
Opcode ID: 0554b808af20179c67250249a6c82b6c2dfc024235fcebf6c522f62e9bb27638
Instruction ID: d23a6334d1e332d199b391849c4f9eb77c3bbb26140e305b18deeb395c8d3780
Opcode Fuzzy Hash: 0554b808af20179c67250249a6c82b6c2dfc024235fcebf6c522f62e9bb27638
Instruction Fuzzy Hash: E6412971504305AFD710DF24DC89F6B7BECEB89710F04451AFA46D7291C7B0E9448BA1

Function 00156AB0 Relevance: 29.9, APIs: 16, Strings: 1, Instructions: 123stringwindowCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(http://tools.stefankueng.com,?,?,?,?), ref: 00156AC2
lstrcpyW.KERNEL32(0021269C,http://tools.stefankueng.com,?,?,?,?,?), ref: 00156B13
GetParent.USER32(?), ref: 00156B1E
GetWindowLongW.USER32(00000000,000000FC), ref: 00156B39
SetPropW.USER32(00000000,00000000,00000000), ref: 00156B4C
SetWindowLongW.USER32(00000000,000000FC,00156C10), ref: 00156B5A
GetWindowLongW.USER32(?,000000F0), ref: 00156B5F
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00156B6A
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00156B73
GetObjectW.GDI32(00000000,0000005C,?), ref: 00156B9B
CreateFontIndirectW.GDI32(?), ref: 00156BAB
LoadCursorW.USER32(00000000,00007F89), ref: 00156BBD
LoadCursorW.USER32(00000000,00007F00), ref: 00156BD2
GetWindowLongW.USER32(?,000000FC), ref: 00156BE0
SetPropW.USER32(?,00000000,?), ref: 00156BEF
SetWindowLongW.USER32(?,000000FC,Function_00046CD0), ref: 00156BFD

Strings

http://tools.stefankueng.com, xrefs: 00156AB9, 00156B0C

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: LongWindow$CursorLoadProp$CreateFontIndirectMessageObjectParentSendlstrcpylstrlen
String ID: http://tools.stefankueng.com
API String ID: 3347581731-806382027
Opcode ID: ea405fdadf62085ac81058443cfa05d3a3763c5bc22aafca13479e2647828ee3
Instruction ID: 4541bf70aa5c735afc8bb60e5c8691bee58bea885e307a253988dc2fd61faaae
Opcode Fuzzy Hash: ea405fdadf62085ac81058443cfa05d3a3763c5bc22aafca13479e2647828ee3
Instruction Fuzzy Hash: D6310270204301FFD712AF24AC8DF6B7BA8EB44311F500219F962D72E2DB759946CBA5

Function 00195B30 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 104windowCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,FillResultList,0000000E), ref: 00195B77
LoadCursorW.USER32(00000000,00007F8A), ref: 00195B8B
SetCursor.USER32(00000000), ref: 00195B92
GetCursorPos.USER32(?), ref: 00195B9C
SetCursorPos.USER32(?,?), ref: 00195BA8
IsDlgButtonChecked.USER32(?,00000423), ref: 00195BB6
GetDlgItem.USER32(?,000003F6), ref: 00195BC6
SendMessageW.USER32(00000000,0000000B,00000000,00000000), ref: 00195BD5
SendMessageW.USER32(00000000,0000102F,?,00000003), ref: 00195C1D
SendMessageW.USER32(00000000,0000000B,00000001,00000000), ref: 00195C2D
LoadCursorW.USER32(00000000,00007F00), ref: 00195C36
SetCursor.USER32(00000000), ref: 00195C3D
GetCursorPos.USER32(?), ref: 00195C47
SetCursorPos.USER32(?,?), ref: 00195C53
RedrawWindow.USER32(00000000,00000000,00000000,00000485), ref: 00195C63

Strings

FillResultList, xrefs: 00195B54

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: Cursor$MessageSend$Load$ButtonCheckedCounterItemPerformanceQueryRedrawWindow
String ID: FillResultList
API String ID: 3380769934-393267765
Opcode ID: 25f3f5c1919faafd40c9c6ca8bca7d768f53d9faec7046beaa2529b33faed585
Instruction ID: e85cf44d7ba0103acb14f71f83c1ab253565f7c5537abc98a04871e98befacd3
Opcode Fuzzy Hash: 25f3f5c1919faafd40c9c6ca8bca7d768f53d9faec7046beaa2529b33faed585
Instruction Fuzzy Hash: 2A314B71A4030AAFDB149FB4ED4EFAEBBB9FB08701F104515F206A61D2DBB569508F50

Function 001A1A50 Relevance: 25.8, APIs: 17, Instructions: 268windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F6), ref: 001A1A83
SendMessageW.USER32(00000000,0000101F,00000000,00000000), ref: 001A1A9E
SendMessageW.USER32(00000000,00001004,00000000,00000000), ref: 001A1AAD
SendMessageW.USER32(?,00001200,00000000,00000000), ref: 001A1AEB
SendMessageW.USER32(?,00001002,00000001,00000000), ref: 001A1AFF
ImageList_GetImageCount.COMCTL32(00000000,?,75C05540,00000000), ref: 001A1B09
MulDiv.KERNEL32(00000003,00000000,?), ref: 001A1B38
ImageList_GetImageInfo.COMCTL32(?,00000000,?,?,75C05540,00000000), ref: 001A1B1B

Part of subcall function 0014B530: GetModuleHandleW.KERNEL32(user32.dll,?,?,?,00000000,00000000,0014C04D,?,00000060), ref: 0014B549
Part of subcall function 0014B530: GetProcAddress.KERNEL32(00000000,GetDpiForWindow), ref: 0014B563
Part of subcall function 0014B530: GetProcAddress.KERNEL32(?,GetDpiForSystem), ref: 0014B570
Part of subcall function 0014B530: GetProcAddress.KERNEL32(?,GetSystemMetricsForDpi), ref: 0014B57E
Part of subcall function 0014B530: GetProcAddress.KERNEL32(?,SystemParametersInfoForDpi), ref: 0014B58C

SendMessageW.USER32(?,0000120B,00000000,?), ref: 001A1BA8
SendMessageW.USER32(?,00001057,00000000,?), ref: 001A1BB7
SendMessageW.USER32(?,00001073,00000000,?), ref: 001A1C00
MulDiv.KERNEL32(0000000E,00000000,?), ref: 001A1C1D
SendMessageW.USER32(?,00001057,00000000,?), ref: 001A1C36
IsDlgButtonChecked.USER32(?,00000423), ref: 001A1C9C
SendMessageW.USER32(?,0000100E,00000000,?), ref: 001A1CC7
SendMessageW.USER32(?,0000100E,00000000,?), ref: 001A1CE7
SendMessageW.USER32(?,0000101E,00000000,00000000), ref: 001A1D4D

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: MessageSend$AddressImageProc$List_$ButtonCheckedCountHandleInfoItemModule
String ID:
API String ID: 1481306643-0
Opcode ID: 3b1b28309a5bf8d4268eb5ddcd87276653b4b29e97c52989906639aa64a70050
Instruction ID: f6c21d326e04dd2156c01b4abcb75bcbf6182871b3fc65b4fa19f025ee19aae2
Opcode Fuzzy Hash: 3b1b28309a5bf8d4268eb5ddcd87276653b4b29e97c52989906639aa64a70050
Instruction Fuzzy Hash: 40A13975A40348AFDB21DFA8DC89BEA7BA9FB44700F144129FA1597291D7B1E884CB90

Function 00170B40 Relevance: 24.8, APIs: 12, Strings: 2, Instructions: 264windowtimeCOMMON

Download Yara Rule

APIs

SetDlgItemTextW.USER32(?,000003E8,00214D74), ref: 00170CDF
SetDlgItemTextW.USER32(?,000003FF,?), ref: 00170CF3
GetDlgItem.USER32(?,000003E8), ref: 00170D01
SetFocus.USER32(00000000), ref: 00170D04
ShowWindow.USER32(?,-00000001,?), ref: 00170D3F

Part of subcall function 0014F6A0: GetDlgItem.USER32(?,?), ref: 0014F6B2
Part of subcall function 0014F6A0: GetWindowRect.USER32(00000000,?), ref: 0014F6D1
Part of subcall function 0014F6A0: OffsetRect.USER32(?,?,?), ref: 0014F6EA
Part of subcall function 0014F6A0: MapWindowPoints.USER32(?,?,?,00000002), ref: 0014F6FE

GetDlgItem.USER32(?,00000406), ref: 00170DC7
SendMessageW.USER32(00000000), ref: 00170DD0
GetDlgItem.USER32(?,00000406), ref: 00170DE6
SendMessageW.USER32(00000000), ref: 00170DE9
GetDlgItem.USER32(?,00000408), ref: 00170DFF
SendMessageW.USER32(00000000), ref: 00170E02
KillTimer.USER32(?,00000064), ref: 00170E3B

Strings

d, xrefs: 00170E29
tM!, xrefs: 00170C39, 00170C44

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: Item$MessageSendWindow$RectText$FocusKillOffsetPointsShowTimer
String ID: d$tM!
API String ID: 1684828882-3750166371
Opcode ID: c3269c339ea2b6838e434a60f8b0f7a7fbe43fbf736ae522127c5c769769e0dc
Instruction ID: 78e3464b427214a05a11f0678fefd7f938fb8a7972f72e9b198701ad7380cf52
Opcode Fuzzy Hash: c3269c339ea2b6838e434a60f8b0f7a7fbe43fbf736ae522127c5c769769e0dc
Instruction Fuzzy Hash: EF91D471A40204ABDF15EF64CC46FAD77A5EF18710F00816AFD09AB3D2CB359A51CB94

Function 0015CBB0 Relevance: 22.9, APIs: 15, Instructions: 438COMMON

Download Yara Rule

APIs

PathIsURLW.SHLWAPI ref: 0015CC20
PathIsRelativeW.SHLWAPI ref: 0015CC43
GetFullPathNameW.KERNEL32(?,00000000,00000000,00000000), ref: 0015CC61
GetFullPathNameW.KERNEL32(?,?,00000000,00000000), ref: 0015CCB4

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: Path$FullName$Relative
String ID:
API String ID: 153212401-0
Opcode ID: 163fc52b7b52f7146a2b30631012225aeae9f02b2631f46333e7515c6950c12c
Instruction ID: c064e31ed2cba586fa35ca79f15d4ef11a30bbc0bb6e77a4797694c510d055fb
Opcode Fuzzy Hash: 163fc52b7b52f7146a2b30631012225aeae9f02b2631f46333e7515c6950c12c
Instruction Fuzzy Hash: 2EF1B5B0E01209DFDB14DFA8D985BAEBBF8FB08300F14446AE91AE7351D775A944CB64

Function 001DA700 Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 144filelibraryloaderCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000003,00000100), ref: 001DA784
CreateFileA.KERNEL32(?,C0000000,00000001,00000000,00000003,00000100), ref: 001DA798
SetFilePointer.KERNEL32(00000000,?,?,00000000), ref: 001DA7C7
GetLastError.KERNEL32 ref: 001DA7D2
SetEndOfFile.KERNEL32(?), ref: 001DA7E3
GetModuleHandleA.KERNEL32(kernel32.dll), ref: 001DA7F6
GetProcAddress.KERNEL32(00000000,GetFileSizeEx), ref: 001DA802
GetFileSize.KERNEL32(?,?), ref: 001DA82A

Strings

failed opening file, xrefs: 001DA876
GetFileSizeEx, xrefs: 001DA7FC
kernel32.dll, xrefs: 001DA7F1
failed setting file size, xrefs: 001DA882
failed querying file size, xrefs: 001DA88E

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: File$Create$AddressErrorHandleLastModulePointerProcSize
String ID: GetFileSizeEx$failed opening file$failed querying file size$failed setting file size$kernel32.dll
API String ID: 1272188909-882181951
Opcode ID: 992e3f87468bb5c6021c7cb0687fe2e9e2bc436293af7eb51f3d680a265bc28e
Instruction ID: a97fe9293e499215cebeee3e883850d80e4e175d5fad035ec156458836e9b95f
Opcode Fuzzy Hash: 992e3f87468bb5c6021c7cb0687fe2e9e2bc436293af7eb51f3d680a265bc28e
Instruction Fuzzy Hash: 9F419A31740309ABDB18CF28DC59BAE77B9AF44711F90462AF866933D1EB35EC41CA52

Function 0014B530 Relevance: 22.8, APIs: 8, Strings: 5, Instructions: 73libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(user32.dll,?,?,?,00000000,00000000,0014C04D,?,00000060), ref: 0014B549
GetProcAddress.KERNEL32(00000000,GetDpiForWindow), ref: 0014B563
GetProcAddress.KERNEL32(?,GetDpiForSystem), ref: 0014B570
GetProcAddress.KERNEL32(?,GetSystemMetricsForDpi), ref: 0014B57E
GetProcAddress.KERNEL32(?,SystemParametersInfoForDpi), ref: 0014B58C
GetDC.USER32(00000000), ref: 0014B5AE
GetDeviceCaps.GDI32(00000000,00000058), ref: 0014B5BD
ReleaseDC.USER32(00000000,00000000), ref: 0014B5C9

Strings

user32.dll, xrefs: 0014B544
GetSystemMetricsForDpi, xrefs: 0014B572
GetDpiForSystem, xrefs: 0014B565
GetDpiForWindow, xrefs: 0014B55D
SystemParametersInfoForDpi, xrefs: 0014B580

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: AddressProc$CapsDeviceHandleModuleRelease
String ID: GetDpiForSystem$GetDpiForWindow$GetSystemMetricsForDpi$SystemParametersInfoForDpi$user32.dll
API String ID: 3695273371-21495702
Opcode ID: 1af8fac8962b1587a5ac186a9edb402ca7a5660453843ab3b4ef95afc65133f9
Instruction ID: e9ba7e3f6f5132bc0e30972a89563442aff756e4f3107fe0fae97a8dae2b1cd3
Opcode Fuzzy Hash: 1af8fac8962b1587a5ac186a9edb402ca7a5660453843ab3b4ef95afc65133f9
Instruction Fuzzy Hash: 0B217FB0A09702AFD710CF25EC88A4AFFE4FF44710F00491AF90597651DB70E565CBA1

Function 001CC2D0 Relevance: 21.2, APIs: 3, Strings: 9, Instructions: 155COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 001CC41E
EnumFontsW.GDI32(00000000,Segoe UI,001CC2C0,00000000), ref: 001CC431
ReleaseDC.USER32(00000000,00000000), ref: 001CC43A

Strings

Microsoft YaHei UI, xrefs: 001CC3BA
Yu Gothic UI, xrefs: 001CC3E5
Segoe UI, xrefs: 001CC2FF, 001CC35F, 001CC42F
[ko-kr], xrefs: 001CC3FC
Malgun Gothic, xrefs: 001CC410
[zh-tw], xrefs: 001CC3A6
[ja-jp], xrefs: 001CC3D1
[zh-cn], xrefs: 001CC37B
Microsoft JhengHei UI, xrefs: 001CC38F

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: EnumFontsRelease
String ID: Malgun Gothic$Microsoft JhengHei UI$Microsoft YaHei UI$Segoe UI$Yu Gothic UI$[ja-jp]$[ko-kr]$[zh-cn]$[zh-tw]
API String ID: 2694381407-3191444076
Opcode ID: 340ec4f44fc31cb8822ddb7044b3d513b34e422c7e1a3d0a1278eb7b0b8fe9d7
Instruction ID: 60d2959c670cc2436f359889b47b7db7210bbfe5b018c2c07817ad92311f5b41
Opcode Fuzzy Hash: 340ec4f44fc31cb8822ddb7044b3d513b34e422c7e1a3d0a1278eb7b0b8fe9d7
Instruction Fuzzy Hash: BC51A071E04209ABCB14DF58D841BBE77B4FB69750F10821AED19A7281E730EE51CBE1

Function 0014BF60 Relevance: 21.1, APIs: 14, Instructions: 134windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 0014BF8A

Part of subcall function 0014BE30: GetDlgItem.USER32(?,?), ref: 0014BE44
Part of subcall function 0014BE30: GetWindowTextLengthW.USER32(00000000), ref: 0014BE4B
Part of subcall function 0014BE30: GetDlgItemTextW.USER32(?,?,00000000,00000001), ref: 0014BE8D

GetWindowDC.USER32(?,?,?), ref: 0014BFA9
GetWindowRect.USER32(?,?), ref: 0014BFBB
MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0014BFCC
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0014BFFE
SelectObject.GDI32(00000000,00000000), ref: 0014C006
OffsetRect.USER32(?,?,?), ref: 0014C01F
DrawTextW.USER32(00000000,?,000000FF,?,00000450), ref: 0014C032
MulDiv.KERNEL32(00000003,00000000,?), ref: 0014C050
GetSystemMetrics.USER32(0000002D), ref: 0014C061
GetSystemMetrics.USER32(00000047), ref: 0014C069
MoveWindow.USER32(?,?,?,?,?,00000001), ref: 0014C098
SelectObject.GDI32(00000000,?), ref: 0014C0A8
ReleaseDC.USER32(?,00000000), ref: 0014C0B2

Part of subcall function 0014B530: GetModuleHandleW.KERNEL32(user32.dll,?,?,?,00000000,00000000,0014C04D,?,00000060), ref: 0014B549
Part of subcall function 0014B530: GetProcAddress.KERNEL32(00000000,GetDpiForWindow), ref: 0014B563
Part of subcall function 0014B530: GetProcAddress.KERNEL32(?,GetDpiForSystem), ref: 0014B570
Part of subcall function 0014B530: GetProcAddress.KERNEL32(?,GetSystemMetricsForDpi), ref: 0014B57E
Part of subcall function 0014B530: GetProcAddress.KERNEL32(?,SystemParametersInfoForDpi), ref: 0014B58C

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: Window$AddressProc$ItemText$MetricsObjectRectSelectSystem$DrawHandleLengthMessageModuleMoveOffsetPointsReleaseSend
String ID:
API String ID: 586974731-0
Opcode ID: 25c343f00caac27b2e85a6e57ea53370e91c77228aceacc6f2c61ea3af6c3eb9
Instruction ID: 0c7ad6c0378e79cc38622a450a5a70ed570eabb5b8b86caeb51f609e80882759
Opcode Fuzzy Hash: 25c343f00caac27b2e85a6e57ea53370e91c77228aceacc6f2c61ea3af6c3eb9
Instruction Fuzzy Hash: 6F410F75A01209BFDB04DFA4EC89FAEBBB9FF48710F144115F916A32A2D774A941CB60

Function 0018E170 Relevance: 19.6, APIs: 1, Strings: 10, Instructions: 357COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000101,?,?,00000000,00204E60,000000FF,?,0018E148,?), ref: 0018E7BC

Strings

0%!, xrefs: 0018E6CD
0%!, xrefs: 0018E589
0%!, xrefs: 0018E51D
$!!, xrefs: 0018E4AE
0%!, xrefs: 0018E661
$!!, xrefs: 0018E4CC
$!!, xrefs: 0018E4A4
$!!, xrefs: 0018E4C2
0%!, xrefs: 0018E5F5
$!!, xrefs: 0018E4B8

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: FreeLibrary
String ID: $!!$$!!$$!!$$!!$$!!$0%!$0%!$0%!$0%!$0%!
API String ID: 3664257935-1921576383
Opcode ID: 577fae4cc628a646386df5efac14b011f071321c27587df1e91251ee133538c4
Instruction ID: 6c4631fa005a2c29fab19a4a5de56ce2c2ecb5d7bf762292de8278baf754c718
Opcode Fuzzy Hash: 577fae4cc628a646386df5efac14b011f071321c27587df1e91251ee133538c4
Instruction Fuzzy Hash: 3EF19B74125B048BD76CEB30C8A5AFAB3E4BF24348F54491CA4AB47A72DF35BA45DB10

Function 001FF947 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 273COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 001FF600: CreateFileW.KERNEL32(?,00000000,?,001FF9F0,?,?,00000000,?,001FF9F0,?,0000000C), ref: 001FF61D

GetLastError.KERNEL32 ref: 001FFA5B
__dosmaperr.LIBCMT ref: 001FFA62
GetFileType.KERNEL32(00000000), ref: 001FFA6E
GetLastError.KERNEL32 ref: 001FFA78
__dosmaperr.LIBCMT ref: 001FFA81
CloseHandle.KERNEL32(00000000), ref: 001FFAA1
CloseHandle.KERNEL32(001F8D01), ref: 001FFBEE
GetLastError.KERNEL32 ref: 001FFC20
__dosmaperr.LIBCMT ref: 001FFC27

Strings

H, xrefs: 001FFBAC

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 1f974cf3c9edd4ec9f6118f16f393c7ea863c6c2d12fb47244cba211af736159
Instruction ID: 04ce532bd82a4f2c20f532237e56f1f26b111e695c93fe1eb651055091256b84
Opcode Fuzzy Hash: 1f974cf3c9edd4ec9f6118f16f393c7ea863c6c2d12fb47244cba211af736159
Instruction Fuzzy Hash: D9A13632A04159AFCF199F68EC95BBD3BA1AF06320F14016DF9159F2A2CBB58D43C752

Function 001562C0 Relevance: 17.7, APIs: 5, Strings: 5, Instructions: 210COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00156332
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0015637E
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 001564C4
std::_Lockit::~_Lockit.LIBCPMT ref: 00156559
Concurrency::cancel_current_task.LIBCPMT ref: 0015657E

Strings

,, xrefs: 0015647C
bad locale name, xrefs: 00156574
., xrefs: 0015643E
false, xrefs: 0015640F
true, xrefs: 00156428

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: std::_$Locinfo::_Lockit$Concurrency::cancel_current_taskLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
String ID: ,$.$bad locale name$false$true
API String ID: 3204333896-3659324578
Opcode ID: b659d9ecca786fae8c36fc31aa352798dfe6ae34001cb60aefe42f7c90e0862f
Instruction ID: 32200a92953921a7da1b1d53fc58377174b9fe4d17aa130f17db945efb825bfe
Opcode Fuzzy Hash: b659d9ecca786fae8c36fc31aa352798dfe6ae34001cb60aefe42f7c90e0862f
Instruction Fuzzy Hash: 4C8152B1D00248DBEF10DFD5D945BDEBBB8AF14304F14406AE914AB381E779DA58CBA1

Function 00155830 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 175COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00155853
std::_Lockit::_Lockit.LIBCPMT ref: 00155875
std::_Lockit::~_Lockit.LIBCPMT ref: 00155895
std::_Lockit::~_Lockit.LIBCPMT ref: 001558BF
std::_Lockit::_Lockit.LIBCPMT ref: 0015592D
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00155979
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00155993
std::_Lockit::~_Lockit.LIBCPMT ref: 00155A28
std::_Facet_Register.LIBCPMT ref: 00155A35

Strings

bad locale name, xrefs: 00155A4F

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Locinfo::_$Facet_Locinfo_ctorLocinfo_dtorRegister
String ID: bad locale name
API String ID: 3375549084-1405518554
Opcode ID: 0a6b79712235200280febf0f5922348f3f0d3adf89f47163ce96e849d6b7e3c0
Instruction ID: 5a43e2ae91a4b918561ebd4bc07e215c509805f5086b1cb18ea45e65d6f205d0
Opcode Fuzzy Hash: 0a6b79712235200280febf0f5922348f3f0d3adf89f47163ce96e849d6b7e3c0
Instruction Fuzzy Hash: F361BFB0D00648DBDF11DFA5D894BAEBBB5AF14314F184019EC15AB381EB74E909CBA2

Function 0015BC10 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 175COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0015BC33
std::_Lockit::_Lockit.LIBCPMT ref: 0015BC55
std::_Lockit::~_Lockit.LIBCPMT ref: 0015BC75
std::_Lockit::~_Lockit.LIBCPMT ref: 0015BC9F
std::_Lockit::_Lockit.LIBCPMT ref: 0015BD0D
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0015BD59
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 0015BD73
std::_Lockit::~_Lockit.LIBCPMT ref: 0015BE08
std::_Facet_Register.LIBCPMT ref: 0015BE15

Strings

bad locale name, xrefs: 0015BE2F

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Locinfo::_$Facet_Locinfo_ctorLocinfo_dtorRegister
String ID: bad locale name
API String ID: 3375549084-1405518554
Opcode ID: 047e6ea51f60fcb34ba7f241591d4e7ed6bb03fa33376e885fde94e8ccb30bdc
Instruction ID: 5efda06f0dcf29c77024aad4979606f387e7539f7a99247b37349520e7d456fa
Opcode Fuzzy Hash: 047e6ea51f60fcb34ba7f241591d4e7ed6bb03fa33376e885fde94e8ccb30bdc
Instruction Fuzzy Hash: E26190B4D04248DFDF11DFA5D985BAEBBB4AF14314F184019EC18AB381EB74E949CB92

Function 04242DA4 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 112stringCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(?,?,?,?,?,?,04239A36), ref: 04242E00
GetLargePageMinimum.KERNEL32(?,?,?,?,?,?,?,04239A36), ref: 04242E20
lstrlenW.KERNEL32(?,?,?,?,?,?,?,04239A36), ref: 04242E7B
GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,04239A36), ref: 04242EB9
SetLastError.KERNEL32(?,?,?,?,?,?,?,?,04239A36), ref: 04242EE0

Strings

APPOINTMENTS, xrefs: 04242E81
The specified resiliency type is not valid., xrefs: 04242DD1
The filter weight is not valid., xrefs: 04242E74
OnMachineUILanguageClear, xrefs: 04242EE2
{Invalid Current Directory}, xrefs: 04242DA5

Memory Dump Source

Source File: 00000000.00000002.1699427684.0000000004230000.00000040.00001000.00020000.00000000.sdmp, Offset: 04230000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4230000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: ErrorLast$ForegroundLargeMinimumPageWindowlstrlen
String ID: APPOINTMENTS$OnMachineUILanguageClear$The filter weight is not valid.$The specified resiliency type is not valid.${Invalid Current Directory}
API String ID: 2730288062-1783351758
Opcode ID: 78d926077c5a7f7cd688a42e811a288785248838d99001e92d90bbf23f1788ea
Instruction ID: ba9b024d63bc6ec6b9b1692619b8073ce945ad68473c1071670d6bfaa4c081e5
Opcode Fuzzy Hash: 78d926077c5a7f7cd688a42e811a288785248838d99001e92d90bbf23f1788ea
Instruction Fuzzy Hash: 2041A4B1B513018BE318DF2DF988556BBFAEBC4300B4494BAD849CB358E63CAD41CB61

Function 0014C2F0 Relevance: 16.1, APIs: 4, Strings: 5, Instructions: 381comCOMMON

Download Yara Rule

APIs

PathFileExistsW.SHLWAPI(00226DE4,?,00000002), ref: 0014C37E
CoCreateInstance.OLE32(002097A0,00000000,00000001,00211AEC,?), ref: 0014C3DF
SHCreateItemFromParsingName.SHELL32(00226DE4,00000000,00211AFC,00000000), ref: 0014C473
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,-00000002), ref: 0014C696

Strings

m", xrefs: 0014C371
m", xrefs: 0014C454
m", xrefs: 0014C38F
m", xrefs: 0014C32E
m", xrefs: 0014C360

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: Create$ExistsFileFreeFromInstanceItemNameParsingPathTask
String ID: m"$m"$m"$m"$m"
API String ID: 4132989732-1508189999
Opcode ID: f1e95d337002145a63ffa529e7c1792eadd3838a58f7afc9e4e395e817057cb7
Instruction ID: ea8f87fed625da2bddc80a5051e0a71bcf18f22d1687208817786d6a6295d76b
Opcode Fuzzy Hash: f1e95d337002145a63ffa529e7c1792eadd3838a58f7afc9e4e395e817057cb7
Instruction Fuzzy Hash: B0E16C71A01219AFCB54DFA8D898FAE7BF5FF48304F108559F91AAB261D731E901CB90

Function 001D5490 Relevance: 16.1, APIs: 4, Strings: 5, Instructions: 334COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000042,0000000C,0000000C,00000000), ref: 001D54CE
GetSysColor.USER32(00000008), ref: 001D54EE
GetSysColor.USER32(00000005), ref: 001D5507
GetTickCount64.KERNEL32 ref: 001D5562

Part of subcall function 0016E810: RegOpenKeyExW.KERNELBASE(80000001,0022BC98,00000000,00000000,00000000), ref: 0016E848
Part of subcall function 0016E810: RegCloseKey.ADVAPI32(00000000), ref: 0016E881
Part of subcall function 0016E810: GetTickCount64.KERNEL32 ref: 0016E88E

Strings

uiribbon.dll, xrefs: 001D55E9
stol argument out of range, xrefs: 001D5874, 001D5888, 001D589C
darkmode, xrefs: 001D553A
invalid stol argument, xrefs: 001D586A, 001D587E, 001D5892
global, xrefs: 001D553F

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: ColorCount64Tick$CloseInfoOpenParametersSystem
String ID: darkmode$global$invalid stol argument$stol argument out of range$uiribbon.dll
API String ID: 763119031-2917169372
Opcode ID: bc480f1946eabd88bd9d112303a7bde1d4e1455dfbbad7d37f7241ddec0bfc5c
Instruction ID: 209e1896322e249592412ae9a9ea224c476a99dd560d119c9ea034ac7f050e15
Opcode Fuzzy Hash: bc480f1946eabd88bd9d112303a7bde1d4e1455dfbbad7d37f7241ddec0bfc5c
Instruction Fuzzy Hash: C6C12471E00A45EFDF29DFA4C886BEDBBB2BF15300F14411AE401AB382D774A954CBA1

Function 04243128 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 125COMMON

Download Yara Rule

APIs

GetDialogBaseUnits.USER32 ref: 0424318E
GetLastError.KERNEL32(00000001,?,?,0423CF01,?,?,?,0423B33B), ref: 0424321D
AnyPopup.USER32 ref: 042432BB
GetForegroundWindow.USER32(?,0423CF01,?,?,?,0423B33B), ref: 042432F8

Strings

Built-in PNG Codec, xrefs: 04243228
AslRegistryOpenKey failed [%x], xrefs: 04243143
Compressing this object would not save space., xrefs: 04243280
CFGOptions, xrefs: 0424319E
An invalid characteristics table was used., xrefs: 04243129

Memory Dump Source

Source File: 00000000.00000002.1699427684.0000000004230000.00000040.00001000.00020000.00000000.sdmp, Offset: 04230000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4230000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: BaseDialogErrorForegroundLastPopupUnitsWindow
String ID: An invalid characteristics table was used.$AslRegistryOpenKey failed [%x]$Built-in PNG Codec$CFGOptions$Compressing this object would not save space.
API String ID: 2560853714-4095279174
Opcode ID: 6d6e69974bc177cddad635cbea6771f6cd1a265f041dbe97d15b8ea7b228c091
Instruction ID: bef7382d8acabe4437ca11ed923f2b182d38a3a1deccc41550740c2d002c3d84
Opcode Fuzzy Hash: 6d6e69974bc177cddad635cbea6771f6cd1a265f041dbe97d15b8ea7b228c091
Instruction Fuzzy Hash: F751CEB1BA03028BE318DF3EF88D2557BAAF7D5300F588166C8418B695E77CA845CB40

Function 0423D82C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 111COMMON

Download Yara Rule

APIs

GetOEMCP.KERNEL32(?,?,82040462,?,0423886D), ref: 0423D8BC
GetLastActivePopup.USER32 ref: 0423D8F2
GetForegroundWindow.USER32(00000000,?,?,82040462,?,0423886D), ref: 0423D979
GetForegroundWindow.USER32(?,?,82040462,?,0423886D), ref: 0423D9B1
GetDesktopWindow.USER32 ref: 0423D9BD
GetSystemDefaultLangID.KERNEL32(?,?,82040462,?,0423886D), ref: 0423D9D7

Strings

ExecuteOptions, xrefs: 0423D894, 0423D8F8
AslRegistryOpenSubKey passed bad Path [%x], xrefs: 0423D82D
Waiter TCB, xrefs: 0423D97B

Memory Dump Source

Source File: 00000000.00000002.1699427684.0000000004230000.00000040.00001000.00020000.00000000.sdmp, Offset: 04230000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4230000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: Window$Foreground$ActiveDefaultDesktopLangLastPopupSystem
String ID: AslRegistryOpenSubKey passed bad Path [%x]$ExecuteOptions$Waiter TCB
API String ID: 219059782-3912792277
Opcode ID: b729bf4f0338eabedd9dd141ed84464a87e0dd3519ca73811928bc646dbeea9a
Instruction ID: f30bf44de32e0865cad7e9faa0ce8556bd712aa09afce96d3e53f497087814ab
Opcode Fuzzy Hash: b729bf4f0338eabedd9dd141ed84464a87e0dd3519ca73811928bc646dbeea9a
Instruction Fuzzy Hash: 564156B8BA13429FD304EF3DF5582257BAAF788215F14846AD841DB265E739AC068B05

Function 001DF795 Relevance: 14.5, APIs: 1, Strings: 7, Instructions: 487COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 001DFB6D

Strings

p, xrefs: 001DF8F4
f, xrefs: 001DF8A7
f, xrefs: 001DF88B
f, xrefs: 001DF8ED
p, xrefs: 001DF8AE
p, xrefs: 001DF892
:, xrefs: 001DF860

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: __aulldiv
String ID: :$f$f$f$p$p$p
API String ID: 3732870572-1434680307
Opcode ID: 97986b8538d5f89c871bdc3f9bcc664c2bcc637c3cfe150ad1ee66712ad1f84c
Instruction ID: 1283bdd5f7fc1d9a6d24e6fab2ace9d91a56a65f8105695ca9813b7c03c5862d
Opcode Fuzzy Hash: 97986b8538d5f89c871bdc3f9bcc664c2bcc637c3cfe150ad1ee66712ad1f84c
Instruction Fuzzy Hash: 1A026079A002189ADF249FA8D8646EDB776FF40B18F64812FD8167B384D7309F86CB15

Function 001DA190 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 195COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000001,001DAC22,failed create mapping), ref: 001DA194
CloseHandle.KERNEL32(00000000,?,00000001,001DAC22,failed create mapping), ref: 001DA1A4
CloseHandle.KERNEL32(?,?,00000001,001DAC22,failed create mapping), ref: 001DA1B3
SetLastError.KERNEL32(00000000,?,00000001,001DAC22,failed create mapping), ref: 001DA1BA

Strings

failed closing mapped file, xrefs: 001DA3A7

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: CloseErrorHandleLast
String ID: failed closing mapped file
API String ID: 918212764-752119354
Opcode ID: 8c8cdab7e6bde69b712ed8195f4fb4b23c1428296f4b3bb14b95be8094a7cf87
Instruction ID: e2d01f53d3538eb42a960efefb0f3ff0cb116904ca69573709f6fb816e4177c9
Opcode Fuzzy Hash: 8c8cdab7e6bde69b712ed8195f4fb4b23c1428296f4b3bb14b95be8094a7cf87
Instruction Fuzzy Hash: 9951BD71A00748ABDB24DFA8D8587AEBBB6BF45310F10470EF562977E2CB759980CB41

Function 00163580 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 177COMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(?,open,?,00000000,00000000,00000005), ref: 0016364F
EndDialog.USER32(?,?), ref: 0016369B
GetDlgItem.USER32(?,00000415), ref: 001636FA
SetDlgItemTextW.USER32(?,00000413,?), ref: 001637AC
SetDlgItemTextW.USER32(?,00000414,2024-01-10), ref: 001637BB

Strings

open, xrefs: 00163647
grepWinNP3 (x86) version %ld.%ld.%ld.%ld, xrefs: 0016377E
2024-01-10, xrefs: 001637AE

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: Item$Text$DialogExecuteShell
String ID: 2024-01-10$grepWinNP3 (x86) version %ld.%ld.%ld.%ld$open
API String ID: 616644314-1604778358
Opcode ID: cf731f448edaf665efa98750ae4488676e0013c4df87ccbd45aa454d06552a6c
Instruction ID: 54eba3cf97188fd596243fc7e8ea29bf49050f0ab8689137f296124f996292ff
Opcode Fuzzy Hash: cf731f448edaf665efa98750ae4488676e0013c4df87ccbd45aa454d06552a6c
Instruction Fuzzy Hash: 2951C471A00248AFCB14DF64CC4AFA977A9EF14710F004269F916AB3D2DB759EA0CB50

Function 04241A30 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 129threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 04241AE1
GetDesktopWindow.USER32 ref: 04241BC2
GetCurrentThread.KERNEL32 ref: 04241C14

Strings

/languagelevel where {pop languagelevel} {1} ifelse, xrefs: 04241A36
SdbpGetProcessHostGuestArchitectures, xrefs: 04241AE7
MachinePreferredUILanguages, xrefs: 04241ADA, 04241B6D
Stack trace available at %p, xrefs: 04241AA6
AslRegistryBuildUserPath, xrefs: 04241B22, 04241BA8

Memory Dump Source

Source File: 00000000.00000002.1699427684.0000000004230000.00000040.00001000.00020000.00000000.sdmp, Offset: 04230000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4230000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: CurrentDesktopHandleModuleThreadWindow
String ID: /languagelevel where {pop languagelevel} {1} ifelse$AslRegistryBuildUserPath$MachinePreferredUILanguages$SdbpGetProcessHostGuestArchitectures$Stack trace available at %p
API String ID: 2956977152-1075518002
Opcode ID: ac8f3bb69d508a291d53a898fcf3bef5bf532a50a91a2a412daa921510f2b9cd
Instruction ID: 49d174eb1785f77e50ecd53d77ce779782f3024cb1a180dc935b87010af56b85
Opcode Fuzzy Hash: ac8f3bb69d508a291d53a898fcf3bef5bf532a50a91a2a412daa921510f2b9cd
Instruction Fuzzy Hash: 0051D175B513119FD319CF2DF55C275BBE9EBC5390F0881AAD8458B385E238AD90CB41

Function 0423D27C Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 127COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0423D2D7
GetLastActivePopup.USER32 ref: 0423D337
GetSystemDefaultLangID.KERNEL32 ref: 0423D3A9
AnyPopup.USER32 ref: 0423D3BE
GetUserDefaultLangID.KERNEL32 ref: 0423D44A
GetUserDefaultLangID.KERNEL32 ref: 0423D46E
GetSystemDefaultLangID.KERNEL32 ref: 0423D48E

Strings

The device is pending further configuration., xrefs: 0423D27D, 0423D2C3, 0423D38F

Memory Dump Source

Source File: 00000000.00000002.1699427684.0000000004230000.00000040.00001000.00020000.00000000.sdmp, Offset: 04230000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4230000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: DefaultLang$PopupSystemUser$ActiveDesktopLastWindow
String ID: The device is pending further configuration.
API String ID: 3968625898-3241136172
Opcode ID: ea8116e5d86de8ac2d670206ceadc4432d21d88b253c2bf6032347e6f07e5190
Instruction ID: d61e1a5e571d5ea816af68edc6ed0021c2ff4453b2c760e1d3ebc1c6c4f0fb6d
Opcode Fuzzy Hash: ea8116e5d86de8ac2d670206ceadc4432d21d88b253c2bf6032347e6f07e5190
Instruction Fuzzy Hash: 125122B5B913008FDB18DF2CF68E6257FBDF788210F0489AAD4498B251E73CAD418B95

Function 0423DDB4 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 92COMMON

Download Yara Rule

APIs

GetLargePageMinimum.KERNEL32(?,00000001,?,04238BA1), ref: 0423DE3E
GetWindowTextLengthW.USER32 ref: 0423DEA4
GetDesktopWindow.USER32 ref: 0423DEAB
GetModuleHandleW.KERNEL32(?,00000001,?,04238BA1), ref: 0423DEF5
GetLastError.KERNEL32(?,?,00000001,?,04238BA1), ref: 0423DF0B

Strings

An IKE policy cannot contain an Extended Mode policy., xrefs: 0423DE34
No device query callback specified, xrefs: 0423DEC1
Windows.Mobile, xrefs: 0423DDE3

Memory Dump Source

Source File: 00000000.00000002.1699427684.0000000004230000.00000040.00001000.00020000.00000000.sdmp, Offset: 04230000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4230000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: Window$DesktopErrorHandleLargeLastLengthMinimumModulePageText
String ID: An IKE policy cannot contain an Extended Mode policy.$No device query callback specified$Windows.Mobile
API String ID: 1650162651-460382086
Opcode ID: e002208665e7f5315d39d6991251564bb12e518ec1b0b5cc1394ba9087155c29
Instruction ID: 1a29fa2a5040e7d1ce9104d47b5efb2fe90a3bb88f726180dea1938f081affcc
Opcode Fuzzy Hash: e002208665e7f5315d39d6991251564bb12e518ec1b0b5cc1394ba9087155c29
Instruction Fuzzy Hash: B24136B5BB03069FD744DF29FA8DA557FF9F798201F11856A9461CB708E3399805CB10

Function 001A46A0 Relevance: 13.6, APIs: 9, Instructions: 117fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,08000000,00000000,00000000,?,?,00000000), ref: 001A4702
GetFileSize.KERNEL32(00000000,00000000,?,?,?,00000000), ref: 001A4717
CreateFileMappingW.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000000,?,?,00000000), ref: 001A472B
CloseHandle.KERNEL32(00000000,?,?,00000000), ref: 001A4738
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,?,00000000), ref: 001A474C
CloseHandle.KERNEL32(00000000,?,?,00000000), ref: 001A4760
CloseHandle.KERNEL32(00000000,?,?,00000000), ref: 001A4763
CloseHandle.KERNEL32(00000000,?,?,00000000), ref: 001A4767
CloseHandle.KERNEL32(00000000,?,?,00000000), ref: 001A476A

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: CloseHandle$File$Create$MappingSizeView
String ID:
API String ID: 506559639-0
Opcode ID: d35428361355031b6a2af906f357fd771b82cf06bbb613c59e6555982bb959bd
Instruction ID: 377512a7b3b8022c64c37cd2013937fe9d9c9d072d81ccb8d2a86b0319b7e123
Opcode Fuzzy Hash: d35428361355031b6a2af906f357fd771b82cf06bbb613c59e6555982bb959bd
Instruction Fuzzy Hash: C4419FB4A00315AFD720CF68DC89B5ABBA8FF05720F204119F61AAB7D1D7B4A914CF94

Function 001634B0 Relevance: 13.6, APIs: 9, Instructions: 76windowCOMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 001634CD
BeginPaint.USER32(?,?), ref: 001634E5

Part of subcall function 0014B530: GetModuleHandleW.KERNEL32(user32.dll,?,?,?,00000000,00000000,0014C04D,?,00000060), ref: 0014B549
Part of subcall function 0014B530: GetProcAddress.KERNEL32(00000000,GetDpiForWindow), ref: 0014B563
Part of subcall function 0014B530: GetProcAddress.KERNEL32(?,GetDpiForSystem), ref: 0014B570
Part of subcall function 0014B530: GetProcAddress.KERNEL32(?,GetSystemMetricsForDpi), ref: 0014B57E
Part of subcall function 0014B530: GetProcAddress.KERNEL32(?,SystemParametersInfoForDpi), ref: 0014B58C

MulDiv.KERNEL32(00000040,00000000), ref: 00163503

Part of subcall function 0014B530: GetDC.USER32(00000000), ref: 0014B5AE
Part of subcall function 0014B530: GetDeviceCaps.GDI32(00000000,00000058), ref: 0014B5BD
Part of subcall function 0014B530: ReleaseDC.USER32(00000000,00000000), ref: 0014B5C9

MulDiv.KERNEL32(0000000C,00000000), ref: 00163519
MulDiv.KERNEL32(0000000C,00000000), ref: 0016352F
GetSysColorBrush.USER32(0000000F), ref: 00163535
DrawIconEx.USER32(00000060,00000000,00000000,00000000,00000000,00000000,00000000,00000003), ref: 0016354F
ReleaseDC.USER32(?,00000060), ref: 00163557
EndPaint.USER32(?,?,?,00000060,?,00000060,?,00000060,?,00000060,?,?), ref: 00163563

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: AddressProc$PaintRelease$BeginBrushCapsColorDeviceDrawHandleIconModule
String ID:
API String ID: 2460367397-0
Opcode ID: f2e4ce78b45df7845d2cb6837f864166cc60b2f7b53a16c02b2f3d18f1165c72
Instruction ID: a1b372e25aa0b70829bf1c3f37c731b340d8ee4a0cfb88878b8ab8ecbd6d28bc
Opcode Fuzzy Hash: f2e4ce78b45df7845d2cb6837f864166cc60b2f7b53a16c02b2f3d18f1165c72
Instruction Fuzzy Hash: 6011BF3164431C7FE7206BB4BC4EF6B7B9CEB18760F040025BA06D72E3EB64A90086A4

Function 001DD9D6 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

___TypeMatch.LIBVCRUNTIME ref: 001DDC03
CatchIt.LIBVCRUNTIME ref: 001DDC54
_UnwindNestedFrames.LIBCMT ref: 001DDD55
CallUnexpected.LIBVCRUNTIME ref: 001DDD70

Strings

csm, xrefs: 001DDA13
csm, xrefs: 001DDA80
csm, xrefs: 001DDB2C

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: CallCatchFramesMatchNestedTypeUnexpectedUnwind
String ID: csm$csm$csm
API String ID: 944608866-393685449
Opcode ID: c3a55cf76ad29b75ab722e7557c699be6ad042d1b47ab06f01de550b4ef5ef93
Instruction ID: 3034e388990e65e5db2b17d4b6c4c4ae033dc36cbaf1a53008eb902bac9a5a3b
Opcode Fuzzy Hash: c3a55cf76ad29b75ab722e7557c699be6ad042d1b47ab06f01de550b4ef5ef93
Instruction Fuzzy Hash: E5B18971800209EFCF28DFA4E8819AEBBB5FF24310F15815BE8156B356D771EA52CB91

Function 001F5B0F Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 292COMMONLIBRARYCODE

Download Yara Rule

Strings

, xrefs: 001F5D90, 001F5D93

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3907804496
Opcode ID: dab4d86cf30abf2bfbf4fb7d47fe06aafefea3ea96a4bd52385de748f223df7b
Instruction ID: 76eb382129f606f2143fe1db3d09da4a9156a80f805384d39ddb68834edea5e2
Opcode Fuzzy Hash: dab4d86cf30abf2bfbf4fb7d47fe06aafefea3ea96a4bd52385de748f223df7b
Instruction Fuzzy Hash: 3AB12370A00A4DAFDB15DFD8D884BBDBBB6BF59314F144148E7419B292C770DA82CBA1

Function 001898B0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 175COMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,75C05540,00000000), ref: 001898DC
QueryPerformanceFrequency.KERNEL32(00000000,?,75C05540,00000000), ref: 001898E6
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0018990D
GetTickCount64.KERNEL32 ref: 00189941
GetTickCount64.KERNEL32 ref: 001899B1

Strings

Software\grepWinNP3\DebugOutput, xrefs: 0018994F
%s : %lld ms, xrefs: 00189A67

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: Count64PerformanceQueryTick$CounterFrequencyUnothrow_t@std@@@__ehfuncinfo$??2@
String ID: %s : %lld ms$Software\grepWinNP3\DebugOutput
API String ID: 2281104147-2271610753
Opcode ID: 03ed1d31b2255c823a3dfc1ced69f94170f394dcb46107bbecbf29d02a416753
Instruction ID: 6db61d97678fbb3b1dfd8fb9a971bc98884bc93a2df5a7097f06d2088504b8a5
Opcode Fuzzy Hash: 03ed1d31b2255c823a3dfc1ced69f94170f394dcb46107bbecbf29d02a416753
Instruction Fuzzy Hash: 565190B09002499FDF14EF68D885BEEB7B4FF54304F188619F815A7682D7749A54CF90

Function 001524F0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 156COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0015255B
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 001525AA
__Getctype.LIBCPMT ref: 001525C0
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 0015260A
std::_Lockit::~_Lockit.LIBCPMT ref: 001526A2
__Getwctype.LIBCPMT ref: 001526D8

Strings

bad locale name, xrefs: 001526BD

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: std::_$Locinfo::_Lockit$GetctypeGetwctypeLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
String ID: bad locale name
API String ID: 2702795554-1405518554
Opcode ID: ad8e679adeff662b402b77ac3879e7366c4b4ee62ebc8ea5ecfb2a7793e73afa
Instruction ID: 469d983109b41c8b4b4825aa0dcadfc43ec63822ecc6d022c035fd5eb711f84f
Opcode Fuzzy Hash: ad8e679adeff662b402b77ac3879e7366c4b4ee62ebc8ea5ecfb2a7793e73afa
Instruction Fuzzy Hash: B7516FB1D00348DBDF10DFA5C945B9EBBB8AF15304F148169ED08AB341EB74E958CB92

Function 0423FDF4 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 137COMMON

Download Yara Rule

APIs

GetShellWindow.USER32 ref: 0423FE36
GetWindowTextLengthW.USER32 ref: 0423FF0B

Strings

Win32 x86 emulation subsystem Floating-point stack check., xrefs: 0423FF6E
Operating System, xrefs: 0423FDF5
The same member index was specified more than once., xrefs: 0423FEC8
{Invalid Parameter}, xrefs: 0423FE42
LdrpResSearchResourceInsideDirectory Enter, xrefs: 0423FE89, 0423FF11, 0423FF46

Memory Dump Source

Source File: 00000000.00000002.1699427684.0000000004230000.00000040.00001000.00020000.00000000.sdmp, Offset: 04230000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4230000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: Window$LengthShellText
String ID: Operating System$LdrpResSearchResourceInsideDirectory Enter$The same member index was specified more than once.$Win32 x86 emulation subsystem Floating-point stack check.${Invalid Parameter}
API String ID: 4278117263-4043220159
Opcode ID: 9c5a9d444b0521d05ffba5fe752dacd3dec6f9e932a2296f7bdcf096348ce6d0
Instruction ID: d9a236f3d1b96d9a571e21f033b58bd2a29dc141342ba72e177ff6aa6ad222f9
Opcode Fuzzy Hash: 9c5a9d444b0521d05ffba5fe752dacd3dec6f9e932a2296f7bdcf096348ce6d0
Instruction Fuzzy Hash: F051C5F5FA43028FD3148F2DF6A82617BB9E795355F0580AEDC958F382E278A901CB40

Function 04240BA0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32 ref: 04240BEA
GetUserDefaultLangID.KERNEL32(00000000,?,?,00000000,?,04237B52), ref: 04240C2E
GetTopWindow.USER32 ref: 04240C6A
GetLastActivePopup.USER32 ref: 04240C9C
GetModuleHandleW.KERNEL32(00000000,?,?,?,00000000,?,04237B52), ref: 04240CF3
GetDesktopWindow.USER32 ref: 04240D04

Strings

A context is already defined for this object., xrefs: 04240CD8

Memory Dump Source

Source File: 00000000.00000002.1699427684.0000000004230000.00000040.00001000.00020000.00000000.sdmp, Offset: 04230000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4230000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: Window$ActiveDefaultDesktopHandleLangLastLengthModulePopupTextUser
String ID: A context is already defined for this object.
API String ID: 284326558-2900652361
Opcode ID: d98f64ced783f76af59a163f2fcb808f4b082662a49d9b249f26a0d405f5667e
Instruction ID: 2cf103da4efff1f80a939dc61964b676f91e343c9421a79ad311ccb294540149
Opcode Fuzzy Hash: d98f64ced783f76af59a163f2fcb808f4b082662a49d9b249f26a0d405f5667e
Instruction Fuzzy Hash: C44158B0BA03029BC704DF2CF5996297BE8EBD8310F1085AAE951CB244E73CAD80CB11

Function 042376B8 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 108COMMON

Download Yara Rule

APIs

GetUserDefaultLangID.KERNEL32 ref: 04237770

Strings

The resource is owned exclusively by thread %p, xrefs: 042376DE
DaylightName, xrefs: 042377CC, 04237811
Allocating a data table entry for the executable failed, xrefs: 0423782B
AslFileMappingGetFileKindDetail, xrefs: 0423781F
b+5sghCuTgLs2LpDuMG00CRzvBlcU2oDDNrm1FMrSmiHV7s0W+ogurH0ZtnOeQbMnH8kzF3bGH/4hLo6kn0JFv1X208aNZNbVOEEZwKP3NU/F/7D6+FhwHEs5ifoYPnJ3oqTX0KTlJY0pQDDKpnnZZNQUfKaedhfgw5bYlgxyqaNMPsYvat9XC1evsJIEqsdO/UepnIK1oGjnCjpx5xRMCWV9AbHkIwRKw2zUeoZB/zLa6772qyL/GlcgHtVITf7bl7p, xrefs: 04237867
LdrpCodeAuthzInitialize failed with status 0x%08lx, xrefs: 04237833

Memory Dump Source

Source File: 00000000.00000002.1699427684.0000000004230000.00000040.00001000.00020000.00000000.sdmp, Offset: 04230000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4230000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: DefaultLangUser
String ID: Allocating a data table entry for the executable failed$AslFileMappingGetFileKindDetail$DaylightName$LdrpCodeAuthzInitialize failed with status 0x%08lx$The resource is owned exclusively by thread %p$b+5sghCuTgLs2LpDuMG00CRzvBlcU2oDDNrm1FMrSmiHV7s0W+ogurH0ZtnOeQbMnH8kzF3bGH/4hLo6kn0JFv1X208aNZNbVOEEZwKP3NU/F/7D6+FhwHEs5ifoYPnJ3oqTX0KTlJY0pQDDKpnnZZNQUfKaedhfgw5bYlgxyqaNMPsYvat9XC1evsJIEqsdO/UepnIK1oGjnCjpx5xRMCWV9AbHkIwRKw2zUeoZB/zLa6772qyL/GlcgHtVITf7bl7p
API String ID: 768647712-1029917157
Opcode ID: 9da13c597fd121c434a8de290ddd226363e74b705109bd4b703a6b3d97aedefd
Instruction ID: ba45c25fc2396db654136bf056e247808d751834422dbb2053254d24c57e7956
Opcode Fuzzy Hash: 9da13c597fd121c434a8de290ddd226363e74b705109bd4b703a6b3d97aedefd
Instruction Fuzzy Hash: 544156B1B183988ADB149F29E4582EA7FF1ABC4310F1485F9DC8C97341C2785D49CFA1

Function 001A1DA0 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 107windowmemoryCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32(00001300,00000000,?,00000400,?), ref: 001A1DF1
LocalAlloc.KERNEL32(00000000,00000040,?,00000400,?), ref: 001A1E42
MessageBoxW.USER32(00000000,grepWinNP3,00000000,00000010), ref: 001A1E98
LocalFree.KERNEL32(00000000,?,00000400,?), ref: 001A1EC1

Strings

Unknown error 0x%0lX, xrefs: 001A1E7B
IDispatch error #%d, xrefs: 001A1E73
grepWinNP3, xrefs: 001A1E91

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: LocalMessage$AllocFormatFree
String ID: IDispatch error #%d$Unknown error 0x%0lX$grepWinNP3
API String ID: 59769524-447017682
Opcode ID: fcded3a5bd7adb74ad1f3998d5a54ee4c02c994739bb98e1c4bb77f0454f9620
Instruction ID: 889d70aa5b505e030445b6a15a779489cefaea31fb942e6e1d90e27b2c9c0ba8
Opcode Fuzzy Hash: fcded3a5bd7adb74ad1f3998d5a54ee4c02c994739bb98e1c4bb77f0454f9620
Instruction Fuzzy Hash: 9A31F078A40306EBEB19DB58C84ABBEB3B4FF45B04F14819DED06A72C1D7B16950CB90

Function 04240670 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 76threadCOMMON

Download Yara Rule

APIs

GetDialogBaseUnits.USER32 ref: 042406A5
SetLastError.KERNEL32(?,?,?,?,04239A03), ref: 042406DF
GetThreadUILanguage.KERNEL32(00000000,?,?,?,?,04239A03), ref: 04240734
GetLastError.KERNEL32(?,?,?,?,04239A03), ref: 0424077C

Strings

windows seven, xrefs: 0424073F
Luminance, xrefs: 042406E5
/WhitePointY, xrefs: 04240671

Memory Dump Source

Source File: 00000000.00000002.1699427684.0000000004230000.00000040.00001000.00020000.00000000.sdmp, Offset: 04230000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4230000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: ErrorLast$BaseDialogLanguageThreadUnits
String ID: /WhitePointY$Luminance$windows seven
API String ID: 3268890622-1929846185
Opcode ID: b644f88829c4f5168571b8b15d0553ccfdf51b7bdda5246fe5cec5bd891928d1
Instruction ID: 752cb067dc43e3a58194203aea4e272bc02a220fb96fbc20e37ca3bf8100612d
Opcode Fuzzy Hash: b644f88829c4f5168571b8b15d0553ccfdf51b7bdda5246fe5cec5bd891928d1
Instruction Fuzzy Hash: 5B316BB4B50342DFD708DF2CF598915BBBAFBC8354B0484AAE8069F754EB38AD418B10

Function 0423F498 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 74COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(00000003,?,?,0423B508), ref: 0423F4B6
GetTickCount.KERNEL32 ref: 0423F4DB
GetLastError.KERNEL32(?,?,?,0423B508), ref: 0423F534
GetLastActivePopup.USER32 ref: 0423F5BB

Strings

The type UUID has already been registered., xrefs: 0423F588
The Directory Service is shutting down., xrefs: 0423F53A
There is not enough power to complete the requested operation., xrefs: 0423F4E6

Memory Dump Source

Source File: 00000000.00000002.1699427684.0000000004230000.00000040.00001000.00020000.00000000.sdmp, Offset: 04230000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4230000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: Last$Error$ActiveCountPopupTick
String ID: The Directory Service is shutting down.$The type UUID has already been registered.$There is not enough power to complete the requested operation.
API String ID: 815136527-3840197208
Opcode ID: 70f8209d9ac0353907163a7ad9de9b9642f907badffaf37359bb8defccc95dec
Instruction ID: 18ee77028252e0f48bb63fb09bfbda725e7046d1efd18fd04c6ec46996cbcff2
Opcode Fuzzy Hash: 70f8209d9ac0353907163a7ad9de9b9642f907badffaf37359bb8defccc95dec
Instruction Fuzzy Hash: 5C3189B1B913129FD704DF6CF6A8651BBA9F7D9361F0140AAE9958B290E33C69048B80

Function 0423FB34 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 73stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32 ref: 0423FB79
GetWindowTextLengthW.USER32(00000000), ref: 0423FBC7
GetShellWindow.USER32 ref: 0423FBDD
SetLastError.KERNEL32 ref: 0423FC37
GetUserDefaultLangID.KERNEL32 ref: 0423FC3E
GetForegroundWindow.USER32 ref: 0423FC5F

Strings

,fiWymsJEXztn8kHA9xx5OCWQKcoq4y+YMm7zZyi7gEU=0Z, xrefs: 0423FB6D

Memory Dump Source

Source File: 00000000.00000002.1699427684.0000000004230000.00000040.00001000.00020000.00000000.sdmp, Offset: 04230000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4230000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: Window$DefaultErrorForegroundLangLastLengthShellTextUserlstrlen
String ID: ,fiWymsJEXztn8kHA9xx5OCWQKcoq4y+YMm7zZyi7gEU=0Z
API String ID: 4116212751-1031629053
Opcode ID: 41061d36a982bb3472495c43dc2f928b2d2c90e7acb0b42d32663b79a8f08ae4
Instruction ID: 228365efa07eb0342b84e1895fbd5dd8774d4ee031668e5f96c490a4b3f54fd6
Opcode Fuzzy Hash: 41061d36a982bb3472495c43dc2f928b2d2c90e7acb0b42d32663b79a8f08ae4
Instruction Fuzzy Hash: D631E6B1B903029FC708EF2CF98E6197BBEF7C4214B11956AE405DB644E73C9941CB40

Function 04241FE4 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 51COMMON

Download Yara Rule

APIs

GetDialogBaseUnits.USER32 ref: 0424200C
GetSystemDefaultLangID.KERNEL32 ref: 04242031
GetOEMCP.KERNEL32 ref: 04242072

Strings

This stream is not DAX mappable., xrefs: 04242037
Driver %2 has been blocked from loading., xrefs: 04241FE5, 04241FFB
AslFileMappingGetImageTypeEx failed [%x], xrefs: 04242012
AslpFileQuery16BitModuleName, xrefs: 04242053

Memory Dump Source

Source File: 00000000.00000002.1699427684.0000000004230000.00000040.00001000.00020000.00000000.sdmp, Offset: 04230000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4230000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: BaseDefaultDialogLangSystemUnits
String ID: AslFileMappingGetImageTypeEx failed [%x]$AslpFileQuery16BitModuleName$Driver %2 has been blocked from loading.$This stream is not DAX mappable.
API String ID: 3966756997-4087607733
Opcode ID: 7de738e7c4cb196c8741652c59417f289a6f9ab565505e478c08c1793d8e978b
Instruction ID: 0ce181f2d5ba40ed047c0bb6bfe2970b1fa90333a2af73c4d91e0f7c4eecfba7
Opcode Fuzzy Hash: 7de738e7c4cb196c8741652c59417f289a6f9ab565505e478c08c1793d8e978b
Instruction Fuzzy Hash: AA01D224720147C6EB181B29802827EBBA3DBE5385B5490A1ED835F684F968E983C321

Function 0423F108 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

GetShellWindow.USER32 ref: 0423F12D
GetTickCount.KERNEL32 ref: 0423F133
lstrlenW.KERNEL32(?,?,?,?,?,04236694,?,?,?,?,?,?,?,?,0423B8C7), ref: 0423F16D

Strings

Error reading tag, xrefs: 0423F166
A consistency check failed., xrefs: 0423F139
{Kernel Debugger Awakened}, xrefs: 0423F14A
/chrominance, xrefs: 0423F109

Memory Dump Source

Source File: 00000000.00000002.1699427684.0000000004230000.00000040.00001000.00020000.00000000.sdmp, Offset: 04230000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4230000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: CountShellTickWindowlstrlen
String ID: /chrominance$A consistency check failed.$Error reading tag${Kernel Debugger Awakened}
API String ID: 2562418233-4088426988
Opcode ID: 28d7500eb69e331f5bd8db05d094930a19edee628dec9768f47ea45c034755e5
Instruction ID: 3526b03e5ffbcb05b9e42a4b203ba575cd8a93fce2a09bdcf51f76f132687e2a
Opcode Fuzzy Hash: 28d7500eb69e331f5bd8db05d094930a19edee628dec9768f47ea45c034755e5
Instruction Fuzzy Hash: 36F0F6A4B201038BEB102F29F52823A7B71EB81306F454054D8C2AF784E578ED46C752

Function 042425EC Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 25stringthreadwindowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32 ref: 042425F9
GetCurrentThread.KERNEL32 ref: 04242600
lstrlenW.KERNEL32 ref: 0424262C
GetMessageTime.USER32 ref: 04242633
GetSystemDefaultLangID.KERNEL32 ref: 04242639

Strings

Indicates that the specified image is already loaded., xrefs: 04242625
WER/CrashAPI:%u: ERROR NtQueryInformationProcess failed 0x%x, xrefs: 04242606

Memory Dump Source

Source File: 00000000.00000002.1699427684.0000000004230000.00000040.00001000.00020000.00000000.sdmp, Offset: 04230000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4230000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: CurrentDefaultLangLengthMessageSystemTextThreadTimeWindowlstrlen
String ID: Indicates that the specified image is already loaded.$WER/CrashAPI:%u: ERROR NtQueryInformationProcess failed 0x%x
API String ID: 3973347586-578630763
Opcode ID: 5d9163fda6e96f51c7410fbd5d869a34752d440fbfb849269e188822ed59f140
Instruction ID: bb7b71661707128232a3de7d7c499310200d75e7b867ab0224bf9f3bd0db18df
Opcode Fuzzy Hash: 5d9163fda6e96f51c7410fbd5d869a34752d440fbfb849269e188822ed59f140
Instruction Fuzzy Hash: D2E06574A14316CBE7043F79E80C13D3BACEF44345F824858F986A7640DA3CA945C772

Function 0016E9F0 Relevance: 12.2, APIs: 8, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c681594fb1c4ceedaa128981165bb1525555bead0e1e6bfde598b892fdc6f508
Instruction ID: f757d0f8306bac929adefce64fec2bafae87222a2b2751f2477aac0c299f4880
Opcode Fuzzy Hash: c681594fb1c4ceedaa128981165bb1525555bead0e1e6bfde598b892fdc6f508
Instruction Fuzzy Hash: 3161C271A00248AFCB14EFA4DC86FAE77A9EF54710F004169FD06EB392DB359950CBA4

Function 001D45E0 Relevance: 12.1, APIs: 8, Instructions: 86windowCOMMON

Download Yara Rule

APIs

#412.COMCTL32(?,001D45E0,000004D2), ref: 001D4610
#413.COMCTL32(?,?,?,?), ref: 001D461E
SendMessageW.USER32(?,00001073,?,?), ref: 001D4676
SetBkColor.GDI32(?,00202020), ref: 001D468F
ExtTextOutW.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 001D46A7
SetTextColor.GDI32(?,00DDDDDD), ref: 001D46B5
SetBkMode.GDI32(?,00000001), ref: 001D46BE
DrawTextW.USER32(?,?,000000FF,?,00008824), ref: 001D46D6

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: Text$Color$#412#413DrawMessageModeSend
String ID:
API String ID: 1438310018-0
Opcode ID: ae0f6a4cfeffba3cace870a177987b4e41dbb11e69222b18be1124f11b181a8f
Instruction ID: b2b664ff920c8bc33b851e17ce51e59fb75a6405e4dec428287ed8eaca0a5d26
Opcode Fuzzy Hash: ae0f6a4cfeffba3cace870a177987b4e41dbb11e69222b18be1124f11b181a8f
Instruction Fuzzy Hash: E7316B72204705ABD710CF14EC49B9ABBA9FB49710F00421AFA51A26D1D7B0A998CBD6

Function 001D3550 Relevance: 12.1, APIs: 8, Instructions: 52windowstringCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000031,00000000,00000000), ref: 001D3579
GetObjectW.GDI32(00000000,?,?), ref: 001D3580
lstrcpynW.KERNEL32 ref: 001D35A1
CreateFontIndirectW.GDI32(?), ref: 001D35AC
GetDC.USER32(?), ref: 001D35B5
SetBkMode.GDI32(00000000,00000002), ref: 001D35C0
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 001D35CC
ReleaseDC.USER32(?,00000000), ref: 001D35D4

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: MessageSend$CreateFontIndirectModeObjectReleaselstrcpyn
String ID:
API String ID: 3096525694-0
Opcode ID: ad10324e5ed25266be3fc2846529887375554c8545b1b0e59d045084c9be2cfd
Instruction ID: 557d2667a78e3966e090c2b0116490a2b930f660ec66818c3bdc220ccfaaeb73
Opcode Fuzzy Hash: ad10324e5ed25266be3fc2846529887375554c8545b1b0e59d045084c9be2cfd
Instruction Fuzzy Hash: DA012931544304BFE720AB60AC4DF9B7BECFB88B51F040519FB06961E3D6B5A588CB62

Function 001F2806 Relevance: 10.8, APIs: 7, Instructions: 329COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 001F288C

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 418969ae6e46c0b55661fc9f540cf272c5e0b5a421fbc640b1c478988cf86484
Instruction ID: 17ca002fbd63d16bfc74d6779ae2e4aef7eb60107999cef51b02d0af777a85f1
Opcode Fuzzy Hash: 418969ae6e46c0b55661fc9f540cf272c5e0b5a421fbc640b1c478988cf86484
Instruction Fuzzy Hash: A6B14772A003699FDB26CF64CC82BBE7BA5EF55350F254156EA44AF282D374DD01CBA0

Function 00158AF0 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 203windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(?), ref: 00158B1A
GetMenuItemInfoW.USER32(?,00000000,00000400,?), ref: 00158B9B
GetMenuItemInfoW.USER32(?,00000000,00000400,00000030), ref: 00158C0D

Part of subcall function 00158AF0: SetMenuItemInfoW.USER32(?,?,00000400,00000030), ref: 00158D32

Strings

0, xrefs: 00158B80
@, xrefs: 00158D0C

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: ItemMenu$Info$Count
String ID: 0$@
API String ID: 4286743509-1545510068
Opcode ID: 51fb110c5892d0d3e1d03e04078cf8647f9bed101aeede1928aa37a0a00e0966
Instruction ID: 79ae52d43cc09242dd5883c3c9ee3429a0e9c77bb4cdaf3363dee7687db208a4
Opcode Fuzzy Hash: 51fb110c5892d0d3e1d03e04078cf8647f9bed101aeede1928aa37a0a00e0966
Instruction Fuzzy Hash: 8F715CB1D01209DBDB10DF98D884BEEB7F8FF14305F104159E915BB291DB746A49CBA0

Function 001574B0 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00157518
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00157564
__Getctype.LIBCPMT ref: 0015757A
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 001575A6
std::_Lockit::~_Lockit.LIBCPMT ref: 0015763B

Strings

bad locale name, xrefs: 00157656

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: std::_$Locinfo::_Lockit$GetctypeLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
String ID: bad locale name
API String ID: 1840309910-1405518554
Opcode ID: b6d31fe62a46447705a0bfddcec85648ddde87c7c58672ca8743bae7cc5b1e57
Instruction ID: 3af8a29189b3e0956fd8587cb229a1c7dabec605555478694179e56e56b3fff8
Opcode Fuzzy Hash: b6d31fe62a46447705a0bfddcec85648ddde87c7c58672ca8743bae7cc5b1e57
Instruction Fuzzy Hash: 0A5161B1D04248DFDF10DFA9D985B9EBBB8AF24314F184069EC09AB381E774D918CB51

Function 001DD4E0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 001DD517
___except_validate_context_record.LIBVCRUNTIME ref: 001DD51F
_ValidateLocalCookies.LIBCMT ref: 001DD5A8
__IsNonwritableInCurrentImage.LIBCMT ref: 001DD5D3
_ValidateLocalCookies.LIBCMT ref: 001DD628

Strings

csm, xrefs: 001DD5BD

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: b94acd3f760ceaba037875566c4cdde4a4be3ec27313d8a7adda45c73556e717
Instruction ID: 9d324c3a4aab489fa9e5902c7b865665e7eb6162480d86d692174902800e7cef
Opcode Fuzzy Hash: b94acd3f760ceaba037875566c4cdde4a4be3ec27313d8a7adda45c73556e717
Instruction Fuzzy Hash: 9B41E834A00309ABCF10EF68E885A9E7BF5AF55328F148157E8189B392D731E955CF91

Function 04242778 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 125COMMON

Download Yara Rule

APIs

GetDialogBaseUnits.USER32 ref: 042427C3
GetTickCount.KERNEL32 ref: 0424284C
GetLastError.KERNEL32(?,?,?,04239C2F), ref: 042428AA
GetLastActivePopup.USER32 ref: 04242941

Strings

WER/CrashAPI:%u: ERROR Final gather block size exceeds limit, xrefs: 04242858, 042428B0
AslFileMappingEnsureMappedAs failed [%x], xrefs: 042427D8

Memory Dump Source

Source File: 00000000.00000002.1699427684.0000000004230000.00000040.00001000.00020000.00000000.sdmp, Offset: 04230000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4230000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: Last$ActiveBaseCountDialogErrorPopupTickUnits
String ID: AslFileMappingEnsureMappedAs failed [%x]$WER/CrashAPI:%u: ERROR Final gather block size exceeds limit
API String ID: 3113536026-921639215
Opcode ID: 74bdf2ed5a00bb700009877b74d8137da4deb960ad58121b66c2a41fad0a0953
Instruction ID: 18a5d2b30502353870ec2c8b5d9db41702d127ebe6beea0c0ccf5a536c377d4a
Opcode Fuzzy Hash: 74bdf2ed5a00bb700009877b74d8137da4deb960ad58121b66c2a41fad0a0953
Instruction Fuzzy Hash: 0C516AB1B64302CED708DF2DF48C2657BEAF7C42A4F15959AE445CB225E778A841DB20

Function 001D5F00 Relevance: 10.6, APIs: 7, Instructions: 121COMMON

Download Yara Rule

APIs

GdipResetPath.GDIPLUS ref: 001D5F38
GdipStartPathFigure.GDIPLUS ref: 001D5F49
GdipAddPathArcI.GDIPLUS(?,?,?,00000005,00000005), ref: 001D5F77
GdipAddPathArcI.GDIPLUS(?,?,?,00000005,00000005,00000005,00000005), ref: 001D5FBD
GdipAddPathArcI.GDIPLUS(?,?,?,00000005,00000005,00000005,00000005,00000005,00000005), ref: 001D5FF8
GdipAddPathArcI.GDIPLUS(?,?,?,00000005,00000005,00000005,00000005,00000005,00000005,00000005,00000005), ref: 001D6027
GdipClosePathFigure.GDIPLUS(?,?,?,?,00000005,00000005,00000005,00000005,00000005,00000005,00000005,00000005), ref: 001D6035

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: GdipPath$Figure$CloseResetStart
String ID:
API String ID: 2226062657-0
Opcode ID: 14d8acf6d18167fb3d41a037ba452340183a7458ad0c48b5335bacf5df691b9d
Instruction ID: 6a0b94169d941179cd866e76caa5b8dbd7c2183bff33a93dc4de0add924d5c09
Opcode Fuzzy Hash: 14d8acf6d18167fb3d41a037ba452340183a7458ad0c48b5335bacf5df691b9d
Instruction Fuzzy Hash: 14411771204201EFCB119F2AED8892ABFF9FB85700B40896DF8D5D6265DB31C924DF52

Function 0423F6D0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 106COMMON

Download Yara Rule

APIs

GetUserDefaultLangID.KERNEL32(?,?,?,04238DEC,00000000), ref: 0423F71A
GetLargePageMinimum.KERNEL32(?,?,?,04238DEC,00000000), ref: 0423F731
GetTopWindow.USER32 ref: 0423F7B3

Strings

Xbox One X, xrefs: 0423F6D1, 0423F720, 0423F73D
The object does not exist., xrefs: 0423F7B9
No security context is available to allow impersonation., xrefs: 0423F7EF, 0423F80E

Memory Dump Source

Source File: 00000000.00000002.1699427684.0000000004230000.00000040.00001000.00020000.00000000.sdmp, Offset: 04230000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4230000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: DefaultLangLargeMinimumPageUserWindow
String ID: No security context is available to allow impersonation.$The object does not exist.$Xbox One X
API String ID: 330300774-3044702618
Opcode ID: bc447a1a1759ff7d9e1c59219ba08138cbd0158c0650bca0baac326abeceae0c
Instruction ID: 14d2408f0aa30cb28dfbb54b9f4003145d117cbc61156d7b32deae78e7a8e74a
Opcode Fuzzy Hash: bc447a1a1759ff7d9e1c59219ba08138cbd0158c0650bca0baac326abeceae0c
Instruction Fuzzy Hash: 3A41EFB5F603429BE7048F2CF9682697BB9E795345F55849AD896DB340E63CE882CB00

Function 0019D9F0 Relevance: 10.6, APIs: 7, Instructions: 102windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00008003,?,FFFFFFFF), ref: 0019DA7B
SendMessageW.USER32(?,00008004,00000000,00000000), ref: 0019DAD0
GetCursorPos.USER32(?), ref: 0019DAD7
SetCursorPos.USER32(?,?), ref: 0019DAE5
PostMessageW.USER32(?,00008005,00000000,00000000), ref: 0019DB05
std::_Throw_Cpp_error.LIBCPMT ref: 0019DB16
std::_Throw_Cpp_error.LIBCPMT ref: 0019DB27

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: Message$Cpp_errorCursorSendThrow_std::_$Post
String ID:
API String ID: 1558700196-0
Opcode ID: 082ace4ab732ab3782de21aa2f5e47b099e92a3c6adc03674daa7a9dd0ff99d7
Instruction ID: a5b09c10110585a1bea29c589338dbf39f295f2396328f0b8ea33826f3513c49
Opcode Fuzzy Hash: 082ace4ab732ab3782de21aa2f5e47b099e92a3c6adc03674daa7a9dd0ff99d7
Instruction Fuzzy Hash: CF31C431608301ABDB21EF75FC1AB16B7A4BF52720F104629F569931E1EB70E825CB92

Function 0423EF68 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 98COMMON

Download Yara Rule

APIs

GetLargePageMinimum.KERNEL32 ref: 0423EF82
GetParent.USER32 ref: 0423EFE5
GetOEMCP.KERNEL32 ref: 0423F075

Strings

Calling KernelbasePostInit failed with status 0x%08lx, xrefs: 0423F02E, 0423F0A6
Failed to get the string from the database, xrefs: 0423F07B
The system file %1 has become corrupt and has been replaced., xrefs: 0423EFEB

Memory Dump Source

Source File: 00000000.00000002.1699427684.0000000004230000.00000040.00001000.00020000.00000000.sdmp, Offset: 04230000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4230000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: LargeMinimumPageParent
String ID: Calling KernelbasePostInit failed with status 0x%08lx$Failed to get the string from the database$The system file %1 has become corrupt and has been replaced.
API String ID: 1858583498-2516440567
Opcode ID: 8fa62ebcc954edc8b2c6a329fd8590aeaeccd8f483c36d7fa47ccae1bddbc236
Instruction ID: 1e156b8bf0f69d6fbcef6be5b480f890b82455e92b1344dc44b62056a9aabf77
Opcode Fuzzy Hash: 8fa62ebcc954edc8b2c6a329fd8590aeaeccd8f483c36d7fa47ccae1bddbc236
Instruction Fuzzy Hash: 27418EB4B623028FE3149F3CF6596267BBEEBC4301B0580AAE541DB359EA78D845C740

Function 0423D4C4 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 93COMMON

Download Yara Rule

APIs

GetUserDefaultLangID.KERNEL32 ref: 0423D4EB
GetOEMCP.KERNEL32 ref: 0423D536
GetUserDefaultLangID.KERNEL32 ref: 0423D580

Strings

Extended error information is available., xrefs: 0423D4C5
OptionValue, xrefs: 0423D53C
NtQueryInformationFile failed [%x], xrefs: 0423D5E8

Memory Dump Source

Source File: 00000000.00000002.1699427684.0000000004230000.00000040.00001000.00020000.00000000.sdmp, Offset: 04230000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4230000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: DefaultLangUser
String ID: Extended error information is available.$NtQueryInformationFile failed [%x]$OptionValue
API String ID: 768647712-457629104
Opcode ID: 538a5d7dbe5ac284fa028b4cc2f0dacab441846dab0f713d5e308e7097fe90bd
Instruction ID: 26f1f43d5737a16fbb8e5bcd02ce2f90459588271ec87514a8bd1f7d2f17bd07
Opcode Fuzzy Hash: 538a5d7dbe5ac284fa028b4cc2f0dacab441846dab0f713d5e308e7097fe90bd
Instruction Fuzzy Hash: CC316AB0BB43468EE304DF2EB55D2257BBEF3C9209F54916AC1528B264E638A942CF00

Function 0423F9B0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 83COMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 0423FA03
GetTickCount.KERNEL32 ref: 0423FA48
GetWindowTextLengthW.USER32 ref: 0423FA8A

Strings

SdbUnpackQueryResult, xrefs: 0423FA90
An invalid region for the target was specified, xrefs: 0423F9B1
image/x-wmf, xrefs: 0423FA0E

Memory Dump Source

Source File: 00000000.00000002.1699427684.0000000004230000.00000040.00001000.00020000.00000000.sdmp, Offset: 04230000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4230000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: CountLengthParentTextTickWindow
String ID: An invalid region for the target was specified$SdbUnpackQueryResult$image/x-wmf
API String ID: 3915914195-847515522
Opcode ID: 384f3fe99d1535a5e141b27b7e72127acc015b897abd1ae525af9fc8c079dd4f
Instruction ID: f4dce6da4283fba900c5b2e689915f7ac3f6872097b1c094223a37b39244a2d1
Opcode Fuzzy Hash: 384f3fe99d1535a5e141b27b7e72127acc015b897abd1ae525af9fc8c079dd4f
Instruction Fuzzy Hash: 86318CB1BA1302DFD708EF2DF989265BBF9E7C9315B15842AD442CB340E63DA881CB44

Function 0423DA00 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

GetUserDefaultLangID.KERNEL32(0000000B,00000000,?,0423A70D), ref: 0423DA12
GetOEMCP.KERNEL32(?,0423A70D), ref: 0423DA58
GetLastActivePopup.USER32 ref: 0423DA94
GetTopWindow.USER32 ref: 0423DABB

Strings

OnUILanguageAdd, xrefs: 0423DA5E
AeGetPersistedLocation failed [%#x], xrefs: 0423DA0A

Memory Dump Source

Source File: 00000000.00000002.1699427684.0000000004230000.00000040.00001000.00020000.00000000.sdmp, Offset: 04230000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4230000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: ActiveDefaultLangLastPopupUserWindow
String ID: AeGetPersistedLocation failed [%#x]$OnUILanguageAdd
API String ID: 2912674099-3659897179
Opcode ID: ef2847acf03213d1bf4cd4dab6bd7ac93d09bd05b4cd3768bf81a57d2266d5c9
Instruction ID: 67e0a196087b10aadfde7f890299f98f350e50a933cdd288c2c2c1e5a3cdac51
Opcode Fuzzy Hash: ef2847acf03213d1bf4cd4dab6bd7ac93d09bd05b4cd3768bf81a57d2266d5c9
Instruction Fuzzy Hash: 4D31C2B1F603028FE3089F2CF5891127BFAF7C8381F588066E945CB214E638A9818B40

Function 001F6077 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,?,?,0B9FDD92,?,001F6186,?,?,00000000,?), ref: 001F6138

Strings

api-ms-, xrefs: 001F60CE
ext-ms-, xrefs: 001F60E2

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 4dd461bc9b66f9f810bc0d6d2e22f9fd1c707f02ca77edaa509347e340999679
Instruction ID: 7fcce60e756ca63b9446a1f6eb404d934ea1252f3b8d8ffaca160eb1ecd27e23
Opcode Fuzzy Hash: 4dd461bc9b66f9f810bc0d6d2e22f9fd1c707f02ca77edaa509347e340999679
Instruction Fuzzy Hash: D8210632A05319BBCB219B64FC89A7A7769AB91774F250111FE16A72D3DB30ED01C6D0

Function 0423D648 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 73COMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 0423D6B5
GetUserDefaultLangID.KERNEL32(00000000), ref: 0423D6E4
GetForegroundWindow.USER32 ref: 0423D714

Strings

The user/kernel marshalling buffer has overflowed., xrefs: 0423D71F
TPM 1.2: Unacceptable encryption scheme., xrefs: 0423D670
Nirmala UI, xrefs: 0423D649

Memory Dump Source

Source File: 00000000.00000002.1699427684.0000000004230000.00000040.00001000.00020000.00000000.sdmp, Offset: 04230000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4230000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: DefaultForegroundLangParentUserWindow
String ID: Nirmala UI$TPM 1.2: Unacceptable encryption scheme.$The user/kernel marshalling buffer has overflowed.
API String ID: 2007750773-339840602
Opcode ID: f77b1d8047d59e52f6d3ea9d674b5711fb9e8fb8ed7b11ec1ed4175fa6ae5bcf
Instruction ID: 016fd63ac6921efe9883cb1441ccf5aee56c5a9fc0deaff5e0f21a07250a0771
Opcode Fuzzy Hash: f77b1d8047d59e52f6d3ea9d674b5711fb9e8fb8ed7b11ec1ed4175fa6ae5bcf
Instruction Fuzzy Hash: 96219CA1F703418BE3149F78F89972A3AAAEB94345F188466D906CF395E73DE8418F50

Function 0424225C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 72windowtimethreadCOMMON

Download Yara Rule

APIs

GetDialogBaseUnits.USER32 ref: 04242291
GetLastActivePopup.USER32 ref: 042422CE
GetMessageTime.USER32 ref: 042422FD
GetWindowTextLengthA.USER32 ref: 04242345
GetCurrentThread.KERNEL32 ref: 04242389

Strings

The TDI indication has completed successfully., xrefs: 0424225D

Memory Dump Source

Source File: 00000000.00000002.1699427684.0000000004230000.00000040.00001000.00020000.00000000.sdmp, Offset: 04230000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4230000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: ActiveBaseCurrentDialogLastLengthMessagePopupTextThreadTimeUnitsWindow
String ID: The TDI indication has completed successfully.
API String ID: 206609152-2274360702
Opcode ID: 84ae2c60daf8ec755c81587f1efed0ce1b04db148996bbbf98ddd89cf9d2fb55
Instruction ID: e42edc946cf1af23cc56b98615e5e12781e9923a2ac014f7cb4080d7c2d5a2dc
Opcode Fuzzy Hash: 84ae2c60daf8ec755c81587f1efed0ce1b04db148996bbbf98ddd89cf9d2fb55
Instruction Fuzzy Hash: C63133B0B903018FD350EF6DF88D5027BEEF7C8340B14896AE449DB610EB789942CB91

Function 04242084 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

GetOEMCP.KERNEL32 ref: 04242096
GetLastActivePopup.USER32 ref: 042420B8
GetModuleHandleW.KERNEL32 ref: 042420D2
GetDialogBaseUnits.USER32 ref: 04242137
GetWindowTextLengthW.USER32 ref: 04242150

Strings

AslEnvGetSysNativeDirPathForGuestBuf, xrefs: 042420CB

Memory Dump Source

Source File: 00000000.00000002.1699427684.0000000004230000.00000040.00001000.00020000.00000000.sdmp, Offset: 04230000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4230000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: ActiveBaseDialogHandleLastLengthModulePopupTextUnitsWindow
String ID: AslEnvGetSysNativeDirPathForGuestBuf
API String ID: 1122648610-2648611450
Opcode ID: ffd5b71a64019fbde1eed5e15a2b3fbc83cbb1c7d291abb70ebc8300112730bd
Instruction ID: f704af4091307da2c619b20f766bdb1b1f76ca1d717b8b2e3bab12a408e8a7ea
Opcode Fuzzy Hash: ffd5b71a64019fbde1eed5e15a2b3fbc83cbb1c7d291abb70ebc8300112730bd
Instruction Fuzzy Hash: 1B212274B14242DBCB049F6DE88C66A7FEEEB94380F1040A6E5869B341E63C9D42CB71

Function 0423DB3C Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 67COMMON

Download Yara Rule

APIs

GetWindowTextLengthA.USER32 ref: 0423DC0B
GetModuleHandleW.KERNEL32(00000000), ref: 0423DC19

Strings

0123456789abcdef, xrefs: 0423DBCB
The RPC call completed before all pipes were processed., xrefs: 0423DB3D
AslPathIsTemporaryDirectory, xrefs: 0423DC12
{Verifying Disk}, xrefs: 0423DB64

Memory Dump Source

Source File: 00000000.00000002.1699427684.0000000004230000.00000040.00001000.00020000.00000000.sdmp, Offset: 04230000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4230000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: HandleLengthModuleTextWindow
String ID: 0123456789abcdef$AslPathIsTemporaryDirectory$The RPC call completed before all pipes were processed.${Verifying Disk}
API String ID: 3424440608-2488994354
Opcode ID: e3a0489f1996d6a205d3014df2ab8bb8fab3649cc99891a4921b6606475ba3c3
Instruction ID: 397b626ba26525283ab8877273ab0fd847aa2fb6c0207997d6f4585ca98e7ea3
Opcode Fuzzy Hash: e3a0489f1996d6a205d3014df2ab8bb8fab3649cc99891a4921b6606475ba3c3
Instruction Fuzzy Hash: 2321A7B0B303468BD755CF3CE49832A7BBFE795346F1480AAC5419B386E639A9858741

Function 00165700 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 66fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000004,00000080,00000000), ref: 00165747
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00165769
SetEndOfFile.KERNEL32(?), ref: 00165772
FlushFileBuffers.KERNEL32(?, )!,?), ref: 00165799
CloseHandle.KERNEL32(00000000), ref: 001657A0

Strings

)!, xrefs: 0016577B, 00165785

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: File$BuffersCloseCreateFlushHandlePointer
String ID: )!
API String ID: 3397818590-3475181639
Opcode ID: 30416444ff38cf72cf90f03b06a4760b28f6c4a531fdc2ddd723b2de257b45b0
Instruction ID: d7ab9b747210e5f2d6e6e6b0670e31c67856952b9b9743b53444fc65a560e147
Opcode Fuzzy Hash: 30416444ff38cf72cf90f03b06a4760b28f6c4a531fdc2ddd723b2de257b45b0
Instruction Fuzzy Hash: 5621B431A40705EBD7219F5CDC09FADB7BAFB44B20F104216F911A32D0D7B159208B90

Function 0018C250 Relevance: 10.6, APIs: 7, Instructions: 53COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 0018C263
GetDCEx.USER32(?,?,00000081), ref: 0018C272
GetWindowRect.USER32(?,?), ref: 0018C292
MapWindowPoints.USER32(00000000,?,00000081,00000002), ref: 0018C2A2
SetBkColor.GDI32(00000000,000000FF), ref: 0018C2AE
ExtTextOutW.GDI32(00000000,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 0018C2C6
ReleaseDC.USER32(?,00000000), ref: 0018C2CE

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: Window$ColorPointsRectReleaseText
String ID:
API String ID: 288212811-0
Opcode ID: 7ddff03174f29e576f20dd77817e37b042538f62927806df27f2528310154b91
Instruction ID: 1b266d21c774b5b1e046e205d5203891c0dcddc6ce09613994e3a4eb25002c70
Opcode Fuzzy Hash: 7ddff03174f29e576f20dd77817e37b042538f62927806df27f2528310154b91
Instruction Fuzzy Hash: 34019231544300BFE3109B64AC4EFAB3BACEB89B11F008529F646D11D2DBB055428BB6

Function 04240240 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 042402B1
GetLastActivePopup.USER32(00000000), ref: 042402CC

Strings

The log file has changed between reads., xrefs: 04240277
TimeZoneKeyName, xrefs: 0424025B
Windows, xrefs: 04240241
Checking file system on %wZ, xrefs: 04240295

Memory Dump Source

Source File: 00000000.00000002.1699427684.0000000004230000.00000040.00001000.00020000.00000000.sdmp, Offset: 04230000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4230000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: ActiveHandleLastModulePopup
String ID: Windows$Checking file system on %wZ$The log file has changed between reads.$TimeZoneKeyName
API String ID: 4230660008-443829936
Opcode ID: 313230d09c1c3b61ac748053e8dc5fcfcab40b94d07bb5efca1fca9881ba7abc
Instruction ID: d2bb898c48accddd07d2ac4216603b0e4d84d150d87c652d05734f92759a201d
Opcode Fuzzy Hash: 313230d09c1c3b61ac748053e8dc5fcfcab40b94d07bb5efca1fca9881ba7abc
Instruction Fuzzy Hash: F901D6B4B10246CBDB05EF2CD0985B9BBA9FBC5304F1440A9D6829F784FA38EC418B10

Function 04240344 Relevance: 10.5, APIs: 7, Instructions: 39COMMON

Download Yara Rule

APIs

GetUserDefaultLangID.KERNEL32 ref: 04240361
GetOEMCP.KERNEL32 ref: 0424036F
GetForegroundWindow.USER32 ref: 0424037B
GetSystemDefaultLangID.KERNEL32 ref: 04240394
GetUserDefaultLangID.KERNEL32 ref: 042403AB
GetTopWindow.USER32 ref: 042403B4
GetForegroundWindow.USER32(00000000), ref: 042403C1

Memory Dump Source

Source File: 00000000.00000002.1699427684.0000000004230000.00000040.00001000.00020000.00000000.sdmp, Offset: 04230000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4230000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: DefaultLangWindow$ForegroundUser$System
String ID:
API String ID: 3104731404-0
Opcode ID: e9409b423cabe5bedbcb971185da6c5a4b9c7468d0e019a0f3372fc100adfae4
Instruction ID: 96c3ddc9210115521c31b90396b4786a51915b33a5a68393f753da8638b1f8b8
Opcode Fuzzy Hash: e9409b423cabe5bedbcb971185da6c5a4b9c7468d0e019a0f3372fc100adfae4
Instruction Fuzzy Hash: 42012C71B503098BCB00BF6DFD8D4497FBCEB94210B01046AE904EB200E63C9E098FA1

Function 0424050C Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetDialogBaseUnits.USER32 ref: 0424051F
GetCurrentThreadId.KERNEL32 ref: 04240531
GetDesktopWindow.USER32 ref: 0424055D
GetLastError.KERNEL32(?,042373AB), ref: 04240574

Strings

The validation process needs to continue on to the next step., xrefs: 04240563
The cluster node is already down., xrefs: 04240537

Memory Dump Source

Source File: 00000000.00000002.1699427684.0000000004230000.00000040.00001000.00020000.00000000.sdmp, Offset: 04230000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4230000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: BaseCurrentDesktopDialogErrorLastThreadUnitsWindow
String ID: The cluster node is already down.$The validation process needs to continue on to the next step.
API String ID: 504704107-3347549321
Opcode ID: e4abf141a9bc2e824631112dd709f223f0e8e6d32085e31b00ba6d02cf59c791
Instruction ID: f7859323ad64617c8d11a2a416699d11e686c1e60661e38339b8d60cf73a67c3
Opcode Fuzzy Hash: e4abf141a9bc2e824631112dd709f223f0e8e6d32085e31b00ba6d02cf59c791
Instruction Fuzzy Hash: FDF028B0B10305DFE7159F3CF89C26ABB6CFB822A8B218036D9459B301E1389D858B50

Function 0018BCC0 Relevance: 9.3, APIs: 6, Instructions: 312COMMON

Download Yara Rule

APIs

std::_Throw_Cpp_error.LIBCPMT ref: 0018C0A1
std::_Throw_Cpp_error.LIBCPMT ref: 0018C0AE
std::_Throw_Cpp_error.LIBCPMT ref: 0018C0B5
std::_Throw_Cpp_error.LIBCPMT ref: 0018C0C6
std::_Throw_Cpp_error.LIBCPMT ref: 0018C0CD
std::_Throw_Cpp_error.LIBCPMT ref: 0018C0DE

Part of subcall function 001D7705: WakeConditionVariable.KERNEL32(0018C02E,?,0018C032,0022B1A0), ref: 001D770F

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: Cpp_errorThrow_std::_$ConditionVariableWake
String ID:
API String ID: 3351412794-0
Opcode ID: 9376fb9823756c83ccb76258274b42038593d62df9bd930ef92da4cb6c2a452f
Instruction ID: 9d0253102101e5d6f9c8b62f4b20d0fbf10065a5af9b8ecf73dffa201cdd79f3
Opcode Fuzzy Hash: 9376fb9823756c83ccb76258274b42038593d62df9bd930ef92da4cb6c2a452f
Instruction Fuzzy Hash: 19C1C170A04205EFC725EFA5D8A5B6AB7A0FF15310F14812DE95A8B3A1E731ED12CF91

Function 001EBFAF Relevance: 9.3, APIs: 6, Instructions: 270COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 001EC137
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 001EC153
__allrem.LIBCMT ref: 001EC16A
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 001EC188
__allrem.LIBCMT ref: 001EC19F
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 001EC1BD

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: ed0b14b891f1ca67b06fcb8e2644b0cd8ea197fc79ddaf6f00705ef0a89ee138
Instruction ID: ed916e0d7f0e45363bf63ced39bfe59b1639cb2004c4fe54b17e5c423a4d9158
Opcode Fuzzy Hash: ed0b14b891f1ca67b06fcb8e2644b0cd8ea197fc79ddaf6f00705ef0a89ee138
Instruction Fuzzy Hash: 1E812676A00F46DBD728AF6ACC41B6EB3EAAF54760F24412AF510D72C2E770D9418BD0

Function 00152420 Relevance: 9.2, APIs: 6, Instructions: 219COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 001524E4
std::_Lockit::_Lockit.LIBCPMT ref: 0015255B
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 001525AA
__Getctype.LIBCPMT ref: 001525C0
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 0015260A
std::_Lockit::~_Lockit.LIBCPMT ref: 001526A2
__Getwctype.LIBCPMT ref: 001526D8

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: std::_$Locinfo::_Lockit$Concurrency::cancel_current_taskGetctypeGetwctypeLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
String ID:
API String ID: 606201873-0
Opcode ID: 18d455f8c06d2e4acae8a7a0677ae4eef58ce676e592944a7f3e263b97009da6
Instruction ID: 7ff7f154dc734994b7f1db3e1a151b2f5916cd3d491d76aa013d2b8bedf7877d
Opcode Fuzzy Hash: 18d455f8c06d2e4acae8a7a0677ae4eef58ce676e592944a7f3e263b97009da6
Instruction Fuzzy Hash: AB719FB2900349DBEB10DFA9C945BAEBBF8AF15304F144169ED48AB341E775D908CB92

Function 001A8B20 Relevance: 9.2, APIs: 6, Instructions: 214COMMON

Download Yara Rule

APIs

__Xtime_get_ticks.LIBCPMT ref: 001A8C50

Part of subcall function 001D73A3: ReleaseSRWLockExclusive.KERNEL32(0018A82B), ref: 001D73B7

std::_Throw_Cpp_error.LIBCPMT ref: 001A8D65
std::_Throw_Cpp_error.LIBCPMT ref: 001A8D70
std::_Throw_Cpp_error.LIBCPMT ref: 001A8D77

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: Cpp_errorThrow_std::_$ExclusiveLockReleaseXtime_get_ticks
String ID:
API String ID: 4152233557-0
Opcode ID: 544dfd07c8affab39454ecda54030a5c1672c66b7e5e884552f385cf74228d55
Instruction ID: 670bb14bd1123e6256de982b28527a4d72a4b35f10e4d410e5c63a03f83ce2f3
Opcode Fuzzy Hash: 544dfd07c8affab39454ecda54030a5c1672c66b7e5e884552f385cf74228d55
Instruction Fuzzy Hash: 167117B5E002089BCF24DFA8C8407EDBBB5FB56720F25465AE815B73D5DB709D018BA0

Function 0015E100 Relevance: 9.2, APIs: 3, Strings: 2, Instructions: 439COMMON

Download Yara Rule

Strings

%s%d, xrefs: 0015E1AC
%s\%s%d, xrefs: 0015E217, 0015E3CF, 0015E4E5

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID:
String ID: %s%d$%s\%s%d
API String ID: 0-3353845208
Opcode ID: 118a550ac5724a571bc516d1f6a93ecc60d91da9c48de9af0b1919e48277e773
Instruction ID: 7710c5ff1c893b36a1d260ae65261b41aa6661e2af3013b714e53fbd157bd5a5
Opcode Fuzzy Hash: 118a550ac5724a571bc516d1f6a93ecc60d91da9c48de9af0b1919e48277e773
Instruction Fuzzy Hash: C4125A71800218EFDB28DF64C995BEDB7F4BF24304F404159F91A9B691E770AA99CF90

Function 001D86B5 Relevance: 9.2, APIs: 6, Instructions: 175COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001,00000000,?,00212189,?,?,bad locale name), ref: 001D86FE
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,00000000), ref: 001D8769
LCMapStringEx.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 001D8786
LCMapStringEx.KERNEL32(?,00000000,00000000,00000000,?,?,00000000,00000000,00000000), ref: 001D87C5
LCMapStringEx.KERNEL32(00000000,?,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 001D8824
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,?,00000000,00000000), ref: 001D8847

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: ByteCharMultiStringWide
String ID:
API String ID: 2829165498-0
Opcode ID: 041440a189f2c25d1360eedb0d680cc31c5b0925b6bc73c4de688d1c40e76bbb
Instruction ID: 45165df2efba925ced56a1e318ea721b5e446ddb777a374382206112232a8102
Opcode Fuzzy Hash: 041440a189f2c25d1360eedb0d680cc31c5b0925b6bc73c4de688d1c40e76bbb
Instruction Fuzzy Hash: 0A51CF72900206BFEF205F65DC45FAF7BA9EF00B50F21442AF915A62A0DB30DC50DBA0

Function 00154130 Relevance: 9.2, APIs: 3, Strings: 2, Instructions: 418COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00154265
_swprintf.LIBCMT ref: 00154435

Strings

%, xrefs: 001544E4
+, xrefs: 001544F1

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: _swprintf
String ID: %$+
API String ID: 589789837-2626897407
Opcode ID: d25d02f32971571229c7f774495d7504c12526577ac86508110c3e9c0072348c
Instruction ID: 555afa902e5486c6045b9da22f127d4d8eb77aea71f2b2f97b99fcaa3b34b8c5
Opcode Fuzzy Hash: d25d02f32971571229c7f774495d7504c12526577ac86508110c3e9c0072348c
Instruction Fuzzy Hash: C5D1E071D00128DBCF18DF58DC85BAEBBB6FF58305F048129FC65AB291D73499988BA1

Function 001655D0 Relevance: 9.1, APIs: 6, Instructions: 103fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(-00000002,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,?,00000000,-00000002), ref: 00165602
GetFileSize.KERNEL32(00000000,?), ref: 00165629
CloseHandle.KERNEL32(00000000,?,?,00000000,-00000002), ref: 00165660
ReadFile.KERNEL32 ref: 00165688
CloseHandle.KERNEL32(00000000,00000000,?,?,00000000,-00000002), ref: 001656AF
CloseHandle.KERNEL32(00000000), ref: 001656D0

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: CloseFileHandle$CreateReadSize
String ID:
API String ID: 1620663982-0
Opcode ID: ed345502c67b8588f53d998082c1ddbb0a3b6524f81e094b199ef73304beebf1
Instruction ID: b2f31cf00537264a8f95311ed093f9b2565e6f21c7ec70030698f2b8f924f936
Opcode Fuzzy Hash: ed345502c67b8588f53d998082c1ddbb0a3b6524f81e094b199ef73304beebf1
Instruction Fuzzy Hash: 902136727027016BD7105A2CFC49B5AB38ADB90732F540232FE01D22D1EB759819C6B1

Function 001614E0 Relevance: 9.1, APIs: 6, Instructions: 92timefileCOMMON

Download Yara Rule

APIs

GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 00161568
CloseHandle.KERNEL32(00000000), ref: 0016156F
WriteFile.KERNEL32(00000000,?,?,00000000,00000000), ref: 001615A3
CloseHandle.KERNEL32(00000000,?,?,00000000,00000000), ref: 001615AE
SetFileTime.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,00000000), ref: 001615D1
CloseHandle.KERNEL32(00000000,?,?,00000000,00000000), ref: 001615D8

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: CloseFileHandle$Time$Write
String ID:
API String ID: 1785683994-0
Opcode ID: a6c7b1138a29daa7b2505b42cc187fd3b9ebfd61f70e959a96ccd2c3d728f3f9
Instruction ID: 00bbdc0a82e78e63723b01518a4d7b555b33b55994bf118efc243594c0afa813
Opcode Fuzzy Hash: a6c7b1138a29daa7b2505b42cc187fd3b9ebfd61f70e959a96ccd2c3d728f3f9
Instruction Fuzzy Hash: ED3104721043007BE310DF18EC89FDBB7ECBB89310F04061AFA56961D1D7749A58CBA5

Function 001A54B0 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 338libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,?,071C71C7), ref: 001A5517
LoadStringA.USER32(?,?,?,00000100), ref: 001A55DA
GetStringTypeExA.KERNEL32(?,00000001,001B3B05,00000001,?,?,?,071C71C7), ref: 001A570B
LCMapStringA.KERNEL32(?,00000100,?,00000100,?,00000100,?,?,071C71C7), ref: 001A5781

Strings

Unable to open message catalog: , xrefs: 001A5838

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: String$Load$LibraryType
String ID: Unable to open message catalog:
API String ID: 2888867733-3361316291
Opcode ID: b883e55003077daefba434296d0330bfe9a7d272fcb183a0e518f47425781c61
Instruction ID: 2ba883f4a557bf72b9e840f979126753bc1126afef8c5814f5cdcd47c67e6337
Opcode Fuzzy Hash: b883e55003077daefba434296d0330bfe9a7d272fcb183a0e518f47425781c61
Instruction Fuzzy Hash: DCC13774D04648DFCF15CFA8C884BEDBBFAAF16300F548169E459EB292DB749A44CB60

Function 001DD668 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,001DD65F,001DB1D4,001D842D,0B9FDD92,?,?,?,?,00208218,000000FF), ref: 001DD676
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 001DD684
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 001DD69D
SetLastError.KERNEL32(00000000,?,001DD65F,001DB1D4,001D842D,0B9FDD92,?,?,?,?,00208218,000000FF), ref: 001DD6EF

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: c97e3495e123eda7a87b871e7ffc4f7d85985c46d70d6ce5097bc1f196a25cf9
Instruction ID: a29ad17788395fcf341e8cb46f32006e83b6485348b9f1b8545a2daa122ed197
Opcode Fuzzy Hash: c97e3495e123eda7a87b871e7ffc4f7d85985c46d70d6ce5097bc1f196a25cf9
Instruction Fuzzy Hash: AC01D433209311AEA73936F57C8DA2A2B85DB51771720032BF924852F2FF518C41A1C4

Function 00163AB0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 194COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,00000000,00007FFF), ref: 00163AFE
SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,00000000), ref: 00163C2B
CreateDirectoryW.KERNEL32(?,00000000), ref: 00163C67

Strings

\bookmarks, xrefs: 00163C6D
\grepWinNP3, xrefs: 00163C4E

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: CreateDirectoryFileFolderModuleNamePath
String ID: \bookmarks$\grepWinNP3
API String ID: 486951923-2245591162
Opcode ID: a402df00d6e93ee415c9306eb284cd8442f81eb68c017b10d7818842bdd25e80
Instruction ID: b50fa42d97f5f0afa2e559feb6e8448a7b967f4b84ccc74bca1bbadcdcbfa9be
Opcode Fuzzy Hash: a402df00d6e93ee415c9306eb284cd8442f81eb68c017b10d7818842bdd25e80
Instruction Fuzzy Hash: BE61E170A002049BCB28DF28DC45BBEB7F5EF49710F104A2EE466A7781D770AA55CBA4

Function 001510E0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00209720,00000000,00000001,002097D0,00000000), ref: 00151234
CoCreateInstance.OLE32(00209720,00000000,00000001,00209780,00000000), ref: 00151253
GetCursorPos.USER32(00000000), ref: 0015126B
DoDragDrop.OLE32(00000000,00000000,00000003,00000000), ref: 001512C3

Strings

T !, xrefs: 001512FF

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: CreateInstance$CursorDragDrop
String ID: T !
API String ID: 1547148105-1293511554
Opcode ID: 311b5ea552156bf7f97cb3a9eba0b906153b0093018e4160b5e148bb4a4e16c2
Instruction ID: 0cc4e8fdbd7598d07b231413119ce4b6c7b9f46f4ef8e6339ef7a555c87625ab
Opcode Fuzzy Hash: 311b5ea552156bf7f97cb3a9eba0b906153b0093018e4160b5e148bb4a4e16c2
Instruction Fuzzy Hash: 95718DB0901305EFDB15CF94C988BAEBBF4FF09715F244158E825AB681C7B5A958CBA0

Function 001F6F30 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 132COMMON

Download Yara Rule

Strings

!, xrefs: 001F6FF8

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID:
String ID: !
API String ID: 0-502725263
Opcode ID: 0830bac3b75a16746e1ea8954f09497462cc735e256d2791bb81b3bd9d937906
Instruction ID: 7b6f9e9a904fc623526f7029ebd6c0891f91c775dce2139d4829090d08556593
Opcode Fuzzy Hash: 0830bac3b75a16746e1ea8954f09497462cc735e256d2791bb81b3bd9d937906
Instruction Fuzzy Hash: C8410B72A00748AFD7299F78DC41BAEBBE9EF98710F14852AF111DB2C2D771E9518780

Function 001DAB00 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 123fileCOMMON

Download Yara Rule

APIs

CreateFileMappingA.KERNEL32(?,00000000,?,00000000,00000000,00000000), ref: 001DAB65
MapViewOfFileEx.KERNEL32(00000000,?,?,?,00000007,?), ref: 001DABC8

Part of subcall function 001DB679: RaiseException.KERNEL32(E06D7363,00000001,00000003,001D94C0,?,?,?,?,001D94C0,?,0022371C), ref: 001DB6D9

Part of subcall function 001DA190: GetLastError.KERNEL32(?,00000001,001DAC22,failed create mapping), ref: 001DA194
Part of subcall function 001DA190: CloseHandle.KERNEL32(00000000,?,00000001,001DAC22,failed create mapping), ref: 001DA1A4
Part of subcall function 001DA190: CloseHandle.KERNEL32(?,?,00000001,001DAC22,failed create mapping), ref: 001DA1B3
Part of subcall function 001DA190: SetLastError.KERNEL32(00000000,?,00000001,001DAC22,failed create mapping), ref: 001DA1BA

Strings

bad numeric conversion: overflow, xrefs: 001DAC60
failed mapping view, xrefs: 001DAC47
failed create mapping, xrefs: 001DAC16

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: CloseErrorFileHandleLast$CreateExceptionMappingRaiseView
String ID: bad numeric conversion: overflow$failed create mapping$failed mapping view
API String ID: 2473760820-1174817036
Opcode ID: 53cad6ac0a7b89c62300def32965cdd00ab3f6da8031f9f8ed50001c18defe36
Instruction ID: 5f91b1c7e2e99b3c4f8b11d15ff31b78869bb7ccf936e2fd4ce6973011900814
Opcode Fuzzy Hash: 53cad6ac0a7b89c62300def32965cdd00ab3f6da8031f9f8ed50001c18defe36
Instruction Fuzzy Hash: 47312535A50308ABDB10DBA4DC41BAEB7AAEF55710FA0061BF801E23C0D775E940CB92

Function 04240F00 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 04240FA2
GetDesktopWindow.USER32 ref: 04240FD9
GetTopWindow.USER32 ref: 04241021

Strings

ScriptBreak, xrefs: 04240F3C
AslEnvExpandStrings2, xrefs: 04240FE0

Memory Dump Source

Source File: 00000000.00000002.1699427684.0000000004230000.00000040.00001000.00020000.00000000.sdmp, Offset: 04230000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4230000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: Window$Desktop
String ID: AslEnvExpandStrings2$ScriptBreak
API String ID: 2849500299-2721211007
Opcode ID: fb7a235e7104d9647d4ebc0c2891fb71e968a6e0f56919e7bc3792828a5c5f24
Instruction ID: 8f5cd415e8433259d69d97683c8b6a9d2efd68397ed1134b973510145048ffcd
Opcode Fuzzy Hash: fb7a235e7104d9647d4ebc0c2891fb71e968a6e0f56919e7bc3792828a5c5f24
Instruction Fuzzy Hash: 4941F2B1B903018FE318DF2EFA892217EFEF7E8304F05C16A85058B259E679EC518B54

Function 0423EA00 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 87stringthreadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0423EA5D
GetDialogBaseUnits.USER32 ref: 0423EA8B
lstrlenW.KERNEL32 ref: 0423EAD0

Strings

The specified pack is offline., xrefs: 0423EAC9
The server received the messages but did not send a reply., xrefs: 0423EAD6

Memory Dump Source

Source File: 00000000.00000002.1699427684.0000000004230000.00000040.00001000.00020000.00000000.sdmp, Offset: 04230000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4230000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: BaseCurrentDialogThreadUnitslstrlen
String ID: The server received the messages but did not send a reply.$The specified pack is offline.
API String ID: 1613970765-1132203946
Opcode ID: ae17c047247074918fdc753b9ad76c930f6c7e982207d4ce118fe078a4a26938
Instruction ID: 77b93f0e645a1f2526224ed27d5a2cd6c8b06dc894002c14ec5e737b5f271f76
Opcode Fuzzy Hash: ae17c047247074918fdc753b9ad76c930f6c7e982207d4ce118fe078a4a26938
Instruction Fuzzy Hash: B421E9B8F20216CBDB205F28D458276B7B6FB84343B568466EC86CB744F734AC86C751

Function 0423EC6C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 87COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(75BF7910,?,04238D02,00000000), ref: 0423ECB8
GetParent.USER32 ref: 0423ED08
GetLastActivePopup.USER32 ref: 0423ED86

Strings

Enclosure awareness is not supported for this virtual disk., xrefs: 0423ED57
AslPathToSystemPathBuf, xrefs: 0423ED0E

Memory Dump Source

Source File: 00000000.00000002.1699427684.0000000004230000.00000040.00001000.00020000.00000000.sdmp, Offset: 04230000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4230000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: ActiveForegroundLastParentPopupWindow
String ID: AslPathToSystemPathBuf$Enclosure awareness is not supported for this virtual disk.
API String ID: 880296319-2013822429
Opcode ID: fd644533f7ff01ded77788bc693728c1d26465113c113710d1ab9c2924b9c3b1
Instruction ID: 652d35dca083545f5e481cb5c6a1467cc8aae341584ee5c4d937ef2d4fadbd11
Opcode Fuzzy Hash: fd644533f7ff01ded77788bc693728c1d26465113c113710d1ab9c2924b9c3b1
Instruction Fuzzy Hash: 7A3146B0BA13458BD704DF2DF8892157FFDEB88201B45C8AAD459DB349E678E909CB50

Function 042413D4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 87threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 042413F1
GetDesktopWindow.USER32 ref: 0424141F
GetParent.USER32 ref: 04241483
SetLastError.KERNEL32 ref: 042414E9

Strings

vK, xrefs: 04241442, 0424144E, 0424148A, 042414E1, 042414FD

Memory Dump Source

Source File: 00000000.00000002.1699427684.0000000004230000.00000040.00001000.00020000.00000000.sdmp, Offset: 04230000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4230000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: CurrentDesktopErrorLastParentThreadWindow
String ID: vK
API String ID: 3735582752-3317896225
Opcode ID: 7fc955f7e73014b1eff5663b0d3a6f60a20f172fe85fb3f168ee4091017db87c
Instruction ID: 0912343f44103da6615a080d507ce689fa7c465475883b2895da312b98993f44
Opcode Fuzzy Hash: 7fc955f7e73014b1eff5663b0d3a6f60a20f172fe85fb3f168ee4091017db87c
Instruction Fuzzy Hash: 7E318D75B603019BD754DF3DF88C1B5BBE9EBC8360B148476D856DB340E63CA9908B51

Function 0423F360 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 78COMMON

Download Yara Rule

APIs

GetLastActivePopup.USER32 ref: 0423F3C6
GetSystemDefaultLangID.KERNEL32 ref: 0423F45C

Strings

windows blue, xrefs: 0423F41C
WER/Heap:%u: ERROR Arithmetic overflow when aligning block size, xrefs: 0423F361
GCInterval, xrefs: 0423F3D7

Memory Dump Source

Source File: 00000000.00000002.1699427684.0000000004230000.00000040.00001000.00020000.00000000.sdmp, Offset: 04230000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4230000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: ActiveDefaultLangLastPopupSystem
String ID: GCInterval$WER/Heap:%u: ERROR Arithmetic overflow when aligning block size$windows blue
API String ID: 3479583571-1642325539
Opcode ID: 77e01ac0f9ae0fc1a5c3c27698c91614551d85b645da3f3d701481da95e70fce
Instruction ID: 43a340a8548e55f4027a74b56bd68d887500ee89cbe3e0ea2c99cfad9a03c22a
Opcode Fuzzy Hash: 77e01ac0f9ae0fc1a5c3c27698c91614551d85b645da3f3d701481da95e70fce
Instruction Fuzzy Hash: 4631E3B2FA13068BD714AF2CF9D96657BF9E784301F068166C8169B308E23DAC408B91

Function 0423E7A4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 77threadwindowtimeCOMMON

Download Yara Rule

APIs

GetMessageTime.USER32 ref: 0423E7D5
GetCurrentThreadId.KERNEL32 ref: 0423E820
AnyPopup.USER32 ref: 0423E852
GetCurrentThread.KERNEL32 ref: 0423E8B3

Strings

VirtualMemoryThreshold, xrefs: 0423E8B9

Memory Dump Source

Source File: 00000000.00000002.1699427684.0000000004230000.00000040.00001000.00020000.00000000.sdmp, Offset: 04230000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4230000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: CurrentThread$MessagePopupTime
String ID: VirtualMemoryThreshold
API String ID: 1332121241-3178925693
Opcode ID: 4231e91cfd343ff540e9ec34c569ca2c6ce48e68e7520435f784456c2a6ac18d
Instruction ID: fb4f09b1d1d678be4b6cb835cbac37b562de5d4217431aff1d40b16305a75ee7
Opcode Fuzzy Hash: 4231e91cfd343ff540e9ec34c569ca2c6ce48e68e7520435f784456c2a6ac18d
Instruction Fuzzy Hash: BD310EB0BA13018FD304DF3EF98DA15BBE9EBC8214B45886AE419CB314E678AD45CF40

Function 00152AF0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 76COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00152B8D

Part of subcall function 001DB679: RaiseException.KERNEL32(E06D7363,00000001,00000003,001D94C0,?,?,?,?,001D94C0,?,0022371C), ref: 001DB6D9

Strings

ios_base::badbit set, xrefs: 00152B27
|7", xrefs: 00152B71
ios_base::failbit set, xrefs: 00152B2E
ios_base::eofbit set, xrefs: 00152B38, 00152B51, 00152B70

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: ExceptionRaise___std_exception_copy
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set$|7"
API String ID: 3109751735-2255861287
Opcode ID: 39ffe04009b78fda01775d33b38782e30195ae376a7248b1209c6874f760d8a5
Instruction ID: 494cb54f6ad405a456745f4e1b2c67cd2e7ca826a076d34c4b5a4468535bf5d6
Opcode Fuzzy Hash: 39ffe04009b78fda01775d33b38782e30195ae376a7248b1209c6874f760d8a5
Instruction Fuzzy Hash: 2811EBB3914305EBC714DF58D841B95B7E8AB26311F04842AFD698B682E770E968C791

Function 0423E1C0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 76windowtimeCOMMON

Download Yara Rule

APIs

GetUserDefaultLangID.KERNEL32(?,?,?,0423BD67), ref: 0423E207
GetMessageTime.USER32 ref: 0423E26B

Strings

STATUS_SUCCESS, xrefs: 0423E21F
The validation was not successful., xrefs: 0423E2AD
MajorVersion mismatch, MajorVersion 0x%lx Expected 0x%lx, xrefs: 0423E1CF

Memory Dump Source

Source File: 00000000.00000002.1699427684.0000000004230000.00000040.00001000.00020000.00000000.sdmp, Offset: 04230000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4230000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: DefaultLangMessageTimeUser
String ID: MajorVersion mismatch, MajorVersion 0x%lx Expected 0x%lx$STATUS_SUCCESS$The validation was not successful.
API String ID: 1049946065-3575248791
Opcode ID: ccfb919113123c518ea9ba0e479e9370236444bf0c0d7efaf0b1664d327b74d9
Instruction ID: 4d5b5a9f9aafd285ed10ec4d385ab38944ea29b2457b800aacdae0c859abfcf6
Opcode Fuzzy Hash: ccfb919113123c518ea9ba0e479e9370236444bf0c0d7efaf0b1664d327b74d9
Instruction Fuzzy Hash: AC21D0B5BA13428EE344DF2CF9981617FFAE7E9311F1980AAC8458B252E67DDC488644

Function 04242974 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 73threadCOMMON

Download Yara Rule

APIs

GetLastActivePopup.USER32 ref: 042429EA
GetThreadUILanguage.KERNEL32 ref: 04242A2C

Strings

The binding handle is invalid., xrefs: 04242A32
SdbpGetProcessHostGuestArchitectures failed [%x], xrefs: 0424299F
LdrResSearchResource Exit, xrefs: 04242975

Memory Dump Source

Source File: 00000000.00000002.1699427684.0000000004230000.00000040.00001000.00020000.00000000.sdmp, Offset: 04230000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4230000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: ActiveLanguageLastPopupThread
String ID: LdrResSearchResource Exit$SdbpGetProcessHostGuestArchitectures failed [%x]$The binding handle is invalid.
API String ID: 2119500835-3222778300
Opcode ID: 1d950e2c6f5d2ae6df1d796cdd7afaf1338727c3d1f50371e8233cd37e838d54
Instruction ID: d0c592e06d2200da1ced1fc80e86fc04601b3cf3acb125b811a95b9b0906ba3e
Opcode Fuzzy Hash: 1d950e2c6f5d2ae6df1d796cdd7afaf1338727c3d1f50371e8233cd37e838d54
Instruction Fuzzy Hash: E921E7B5F20301CBD7289F6DF59D1293BEAE7C1384B1494E5D841DB344F238A842DB50

Function 0424264C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 73stringthreadCOMMON

Download Yara Rule

APIs

GetTopWindow.USER32 ref: 04242696
GetCurrentThreadId.KERNEL32 ref: 042426E0
lstrlenW.KERNEL32 ref: 0424275E

Strings

The supplied device ID is invalid., xrefs: 04242727
function, xrefs: 0424264D, 042426EB, 04242757

Memory Dump Source

Source File: 00000000.00000002.1699427684.0000000004230000.00000040.00001000.00020000.00000000.sdmp, Offset: 04230000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4230000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: CurrentThreadWindowlstrlen
String ID: The supplied device ID is invalid.$function
API String ID: 582314876-3737079412
Opcode ID: 6ccb228c82b804a27826e14f6d7ab61b9e3dd1e124f18068f2a8e5d661ef386d
Instruction ID: 2929998521d027b4334b8599812deb411b28a7e1a43d7e67448e3eb0727e37f8
Opcode Fuzzy Hash: 6ccb228c82b804a27826e14f6d7ab61b9e3dd1e124f18068f2a8e5d661ef386d
Instruction Fuzzy Hash: B7218DB1BA0302CFD345EF2DB8591257FA9F7D0280F55C2D9E1929B259E378A842CF21

Function 04242F70 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 57stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,00000000,?,04239B45), ref: 04242FEC
GetWindowTextLengthW.USER32(00000000), ref: 04243027

Strings

The specified volume is offline., xrefs: 04242F71
Directory Service cannot start., xrefs: 04242FAA
A mapped section could not be extended., xrefs: 04242FC3

Memory Dump Source

Source File: 00000000.00000002.1699427684.0000000004230000.00000040.00001000.00020000.00000000.sdmp, Offset: 04230000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4230000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: LengthTextWindowlstrlen
String ID: A mapped section could not be extended.$Directory Service cannot start.$The specified volume is offline.
API String ID: 3761700447-438102289
Opcode ID: d5fe3f781f76369079f9769b378559b4eb7d0fd541251ea6a28eb1d795e96861
Instruction ID: bf4f2f788369c24bf968f4c0409f8f6e8a9244e2b6b8d1213778cf66640d2b40
Opcode Fuzzy Hash: d5fe3f781f76369079f9769b378559b4eb7d0fd541251ea6a28eb1d795e96861
Instruction Fuzzy Hash: 012158B0B603018BD708AF7EF8A91167BEAF798344F45869AE446DB355E77898008B61

Function 04241E90 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45threadstringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32 ref: 04241EA1
GetCurrentThreadId.KERNEL32 ref: 04241EBB
GetThreadUILanguage.KERNEL32 ref: 04241F01
GetWindowTextLengthW.USER32 ref: 04241F0E

Strings

The proximity domain information is invalid., xrefs: 04241E9A

Memory Dump Source

Source File: 00000000.00000002.1699427684.0000000004230000.00000040.00001000.00020000.00000000.sdmp, Offset: 04230000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4230000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: Thread$CurrentLanguageLengthTextWindowlstrlen
String ID: The proximity domain information is invalid.
API String ID: 1355267480-2565701227
Opcode ID: 21a0df5beb02ab462f3593ba4118ba1a34faabc0234141c4c858b8033050524a
Instruction ID: 123505053e4d235ddc3586c51005833c4c8269dd86e223b43e8f25f617237ef8
Opcode Fuzzy Hash: 21a0df5beb02ab462f3593ba4118ba1a34faabc0234141c4c858b8033050524a
Instruction Fuzzy Hash: C401F77C720103CBDB242F6DD48C17BF766EB89251B458025DD828A748FE746AD2D726

Function 001EC849 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,0B9FDD92,00000101,?,00000000,0020809B,000000FF,?,001EC825,?,?,001EC7F9,00000101), ref: 001EC87E
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 001EC890
FreeLibrary.KERNEL32(00000000,?,00000000,0020809B,000000FF,?,001EC825,?,?,001EC7F9,00000101), ref: 001EC8B2

Strings

mscoree.dll, xrefs: 001EC877
CorExitProcess, xrefs: 001EC888

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 7eb0bb379ac800005ed815a43d146ed3020ad181afb391b01989480dd51922be
Instruction ID: da961bb4f6d9784032ba014f2bc899fa9bd0495e64f4eefb0c26d37b424fe931
Opcode Fuzzy Hash: 7eb0bb379ac800005ed815a43d146ed3020ad181afb391b01989480dd51922be
Instruction Fuzzy Hash: D601A271954765BFDB118F54EC0DFAEB7B8FB44B11F000626F812A22E1DB759840CB80

Function 0423F300 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

GetOEMCP.KERNEL32(?,?,0000000B,?,0423A7B3), ref: 0423F30D
GetOEMCP.KERNEL32(?,?,0000000B,?,0423A7B3), ref: 0423F30F
GetOEMCP.KERNEL32(?,?,0000000B,?,0423A7B3), ref: 0423F32D
GetParent.USER32 ref: 0423F349

Strings

GlobalFlag, xrefs: 0423F311

Memory Dump Source

Source File: 00000000.00000002.1699427684.0000000004230000.00000040.00001000.00020000.00000000.sdmp, Offset: 04230000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4230000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: Parent
String ID: GlobalFlag
API String ID: 975332729-4289803471
Opcode ID: ae945c105041946932793fc33c0993c732cea6f313e5e527d6a5684c0dbafd14
Instruction ID: c0cf41bb67615d9c5beb618f67099ae9a073f733c3109e0eb57071f3fb92f9b7
Opcode Fuzzy Hash: ae945c105041946932793fc33c0993c732cea6f313e5e527d6a5684c0dbafd14
Instruction Fuzzy Hash: 4CF05CE1B202C39FDB00FB38D98C36CB7A8DB04301F464464D482CB682D53CF9418710

Function 00162390 Relevance: 8.0, APIs: 5, Instructions: 485COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 001626A2
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,000A00BC,00000007,00000000,00000000), ref: 00162726
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 0016274D
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 001627E4
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000007,00000000,00000000), ref: 00162848

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: ByteCharMultiWide
String ID:
API String ID: 626452242-0
Opcode ID: 23e7db85105d3525f1de179d445c39fc3e31642afc55ba4d69c089d56974a66c
Instruction ID: 8525ad404aa8ceb589a93e700a1535a956122f38769746b1993981df0d921030
Opcode Fuzzy Hash: 23e7db85105d3525f1de179d445c39fc3e31642afc55ba4d69c089d56974a66c
Instruction Fuzzy Hash: B4F195B1A01616EBEB24DF54DC81B6A77A8FF14700F244525ED12EB385EB74ED20CBA1

Function 001A3350 Relevance: 7.7, APIs: 5, Instructions: 200COMMON

Download Yara Rule

APIs

std::_Throw_Cpp_error.LIBCPMT ref: 001A3437
std::_Throw_Cpp_error.LIBCPMT ref: 001A3442
std::_Throw_Cpp_error.LIBCPMT ref: 001A3525
std::_Throw_Cpp_error.LIBCPMT ref: 001A3530
__Cnd_unregister_at_thread_exit.LIBCPMT ref: 001A3559

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: Cpp_errorThrow_std::_$Cnd_unregister_at_thread_exit
String ID:
API String ID: 1267939008-0
Opcode ID: 59ad843609f923c861fc98f10fa59dbe83197bcaabd883e374499d6dd7caef9b
Instruction ID: ace42b27ae22cc8fc33c1ab516288c5386ac7bb09b2de7d877a771a12d775e00
Opcode Fuzzy Hash: 59ad843609f923c861fc98f10fa59dbe83197bcaabd883e374499d6dd7caef9b
Instruction Fuzzy Hash: EB510BB1C04744ABDB31DBB8D8067ABB7F8AF25314F04091EF566536C1E775AA08C7A2

Function 0016EFB0 Relevance: 7.7, APIs: 5, Instructions: 153windowCOMMON

Download Yara Rule

APIs

IsDlgButtonChecked.USER32(?,00000426), ref: 0016F043
EndDialog.USER32(?,?), ref: 0016F06F
SetDlgItemTextW.USER32(?,0000040D,?), ref: 0016F145
GetDlgItem.USER32(?,0000040D), ref: 0016F151
SetFocus.USER32(00000000,?,?,?,?,?,?,?,?,?,?,?,00203795,000000FF), ref: 0016F158

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: Item$ButtonCheckedDialogFocusText
String ID:
API String ID: 3578702649-0
Opcode ID: 9f70fd542f21e0c2bded08f14e1505f6f9878853a41d2372511fe6023cc56f4e
Instruction ID: 5ed4e5378c52974c19e0ba705f3303bae6ed3e3b9e273ed7107677620d270084
Opcode Fuzzy Hash: 9f70fd542f21e0c2bded08f14e1505f6f9878853a41d2372511fe6023cc56f4e
Instruction Fuzzy Hash: 1C510671A00605ABCB14DFA8EC49BAEB766FF54310F04422AF81597792DB35AD61CB90

Function 001D73C1 Relevance: 7.6, APIs: 5, Instructions: 116threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 001D73D5
AcquireSRWLockExclusive.KERNEL32(0022B2C0), ref: 001D73F4
AcquireSRWLockExclusive.KERNEL32(0022B2C0,00000000,00000000), ref: 001D7422
TryAcquireSRWLockExclusive.KERNEL32(0022B2C0,00000000,00000000), ref: 001D747D
TryAcquireSRWLockExclusive.KERNEL32(0022B2C0,00000000,00000000), ref: 001D7494

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: AcquireExclusiveLock$CurrentThread
String ID:
API String ID: 66001078-0
Opcode ID: 6fd1e8757ef649f7fd21951703f61f4af9b2ab3453ce6392d52570ae0ae2746d
Instruction ID: efb32888836ddb9165a60019251cb1151697ca4e35432283492fc0148e6737f1
Opcode Fuzzy Hash: 6fd1e8757ef649f7fd21951703f61f4af9b2ab3453ce6392d52570ae0ae2746d
Instruction Fuzzy Hash: 05413831508A1ADFCB26DF64D4849AABBB5FF04310B20492FD44AD7B91E734E985CBA1

Function 0015BA60 Relevance: 7.6, APIs: 5, Instructions: 104COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0015BA83
std::_Lockit::_Lockit.LIBCPMT ref: 0015BAA6
std::_Lockit::~_Lockit.LIBCPMT ref: 0015BAC6
std::_Facet_Register.LIBCPMT ref: 0015BB3B
std::_Lockit::~_Lockit.LIBCPMT ref: 0015BB53

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID:
API String ID: 459529453-0
Opcode ID: 419274404c7dac4e6871816fe7e9cf90a5d24cf572936637a03fa95836b22494
Instruction ID: fe74a07e0fdf3654e005c75f625769a9dfff47abd0271baca9ca8891e6646307
Opcode Fuzzy Hash: 419274404c7dac4e6871816fe7e9cf90a5d24cf572936637a03fa95836b22494
Instruction Fuzzy Hash: FC31F375904219DFCB21DF84E884BAEBBB4FB10321F19425AEC256B391D770AD49CBD1

Function 00155E60 Relevance: 7.6, APIs: 5, Instructions: 104COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00155E83
std::_Lockit::_Lockit.LIBCPMT ref: 00155EA6
std::_Lockit::~_Lockit.LIBCPMT ref: 00155EC6
std::_Facet_Register.LIBCPMT ref: 00155F3B
std::_Lockit::~_Lockit.LIBCPMT ref: 00155F53

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID:
API String ID: 459529453-0
Opcode ID: 3cd43a1f2200c518d45afd9518670763a33b06c81701a2f31148ebbc4fb46f5a
Instruction ID: 38f013359d9bdb55f7fc43673270fb42585bba56af394ab3e87845f0a606b010
Opcode Fuzzy Hash: 3cd43a1f2200c518d45afd9518670763a33b06c81701a2f31148ebbc4fb46f5a
Instruction Fuzzy Hash: 5331EF71800619DFCB21DF88E894AAEBB75FB14324F14421AEC246B391D730AD49CBD0

Function 00155F80 Relevance: 7.6, APIs: 5, Instructions: 104COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00155FA3
std::_Lockit::_Lockit.LIBCPMT ref: 00155FC6
std::_Lockit::~_Lockit.LIBCPMT ref: 00155FE6
std::_Facet_Register.LIBCPMT ref: 0015605B
std::_Lockit::~_Lockit.LIBCPMT ref: 00156073

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID:
API String ID: 459529453-0
Opcode ID: 9e21f271564a160fc4c34679692a9d309a373cdfdceeb76d2488366157757abb
Instruction ID: 0bf97f6a7e5294b562a3e627b5c681bfbd414375b6abfd77578ae361187cb9a8
Opcode Fuzzy Hash: 9e21f271564a160fc4c34679692a9d309a373cdfdceeb76d2488366157757abb
Instruction Fuzzy Hash: 3631CE71900216DFCB21DF94E885BAEBB74FB54320F14425AEC256B391DB30AD8ACBD0

Function 0015D790 Relevance: 7.6, APIs: 5, Instructions: 83sleepCOMMON

Download Yara Rule

APIs

PathIsRootW.SHLWAPI ref: 0015D7C3
CreateDirectoryW.KERNEL32(?,00000000), ref: 0015D7DF
GetLastError.KERNEL32(?,00000000), ref: 0015D7EB
CreateDirectoryW.KERNEL32(?,00000000,?,?,00000000), ref: 0015D82D
Sleep.KERNEL32(00000032,?,00000000,?,?,00000000), ref: 0015D83B

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: CreateDirectory$ErrorLastPathRootSleep
String ID:
API String ID: 1188401217-0
Opcode ID: 7ce61b8aedee284fa24c2064ce71874eb0b28072801f41b6467ae0fbcf47dffb
Instruction ID: 01779793455d035c6017f8e65ca467dcdfc259c9723ca7a76b73032071b2ba51
Opcode Fuzzy Hash: 7ce61b8aedee284fa24c2064ce71874eb0b28072801f41b6467ae0fbcf47dffb
Instruction Fuzzy Hash: 99219031A40745DBC731DF68A849BA9B3F9EB84B16F10456DEC668B781DB309C48CB91

Function 001A0E10 Relevance: 7.6, APIs: 5, Instructions: 73timeCOMMON

Download Yara Rule

APIs

FileTimeToSystemTime.KERNEL32(?,?), ref: 001A0E2D
GetTimeZoneInformation.KERNEL32(00226D38), ref: 001A0E41
SystemTimeToTzSpecificLocalTime.KERNEL32(00226D38,?,?), ref: 001A0E56
GetDateFormatW.KERNEL32(00000400,00000001,?,00000000,?,00000064), ref: 001A0E99
GetTimeFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000064), ref: 001A0EB7

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: Time$FormatSystem$DateFileInformationLocalSpecificZone
String ID:
API String ID: 2901416390-0
Opcode ID: d16105557c0080f6244017183c1a6abbb1f19da645ba5798831b580ab25a5a48
Instruction ID: 11fecc1aab8a7188c9d7faf79b83bb531d676b797003d8f7e395a3f6fea7fb7d
Opcode Fuzzy Hash: d16105557c0080f6244017183c1a6abbb1f19da645ba5798831b580ab25a5a48
Instruction Fuzzy Hash: 93219672294309BFE210DBA0EC4EFEB739C9B44B10F000915F754970D1E7B1955587A7

Function 001B3AD0 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 426libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 001A54B0: LoadLibraryA.KERNEL32(?,?,?,071C71C7), ref: 001A5517
Part of subcall function 001A54B0: LoadStringA.USER32(?,?,?,00000100), ref: 001A55DA

LoadLibraryA.KERNEL32(?,?,?,071C71C7), ref: 001B3BCC
LoadStringA.USER32(?,000000C8,?,00000100), ref: 001B3CA1
LoadStringA.USER32(?,0000012C,?,00000100), ref: 001B3E88

Part of subcall function 001D8A29: AcquireSRWLockExclusive.KERNEL32(0022A12C,00000000,?,?,0015FA33,0022B250,0022B1DC,?,00000003,001A50B5,?,?), ref: 001D8A34
Part of subcall function 001D8A29: ReleaseSRWLockExclusive.KERNEL32(0022A12C,?,0015FA33,0022B250,0022B1DC,?,00000003,001A50B5,?,?), ref: 001D8A6E

Part of subcall function 001D89D8: AcquireSRWLockExclusive.KERNEL32(0022A12C,?,?,0015FA49,0022B250,00000003), ref: 001D89E2
Part of subcall function 001D89D8: ReleaseSRWLockExclusive.KERNEL32(0022A12C,?,0015FA49,0022B250,00000003), ref: 001D8A15
Part of subcall function 001D89D8: WakeAllConditionVariable.KERNEL32(0022A128,?,0015FA49,0022B250,00000003), ref: 001D8A20

Strings

Unable to open message catalog: , xrefs: 001B3FD3

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: Load$ExclusiveLock$String$AcquireLibraryRelease$ConditionVariableWake
String ID: Unable to open message catalog:
API String ID: 941639143-3361316291
Opcode ID: 3b783ff97a55d778a43f4e5d36bc17062fc41b74699b4315778a7e21116d7874
Instruction ID: 38ed5f24cf21a21f227311d2384c02da91e9483294b293cf8527a848fefdf3b6
Opcode Fuzzy Hash: 3b783ff97a55d778a43f4e5d36bc17062fc41b74699b4315778a7e21116d7874
Instruction Fuzzy Hash: D702CCB1900248DFCB18DF68C884BEDBBF4AF19300F14816AF9699B282D771DA54CB91

Function 0017B8E0 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 400libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00181A20: LoadLibraryA.KERNEL32(-000000D2), ref: 00181AB7

LoadLibraryA.KERNEL32(-00000024), ref: 0017B9D5

Part of subcall function 001D89D8: AcquireSRWLockExclusive.KERNEL32(0022A12C,?,?,0015FA49,0022B250,00000003), ref: 001D89E2
Part of subcall function 001D89D8: ReleaseSRWLockExclusive.KERNEL32(0022A12C,?,0015FA49,0022B250,00000003), ref: 001D8A15
Part of subcall function 001D89D8: WakeAllConditionVariable.KERNEL32(0022A128,?,0015FA49,0022B250,00000003), ref: 001D8A20

LoadStringW.USER32(?,000000C8,-0000023C,00000100), ref: 0017BAE2
LoadStringW.USER32(?,0000012C,-0000023C,00000100), ref: 0017BC76

Part of subcall function 00151E40: ___std_exception_copy.LIBVCRUNTIME ref: 00151E71

Strings

Unable to open message catalog: , xrefs: 0017BD97

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: Load$ExclusiveLibraryLockString$AcquireConditionReleaseVariableWake___std_exception_copy
String ID: Unable to open message catalog:
API String ID: 783877595-3361316291
Opcode ID: ae010a085843fec7fe3efa9fb8bf7a631e418468f8390ca7c7e4b7d129ac2432
Instruction ID: 4b58bd57fef6cfc5733c7bdce043b1e1fc2bade4ee5a4038539863606fd322b7
Opcode Fuzzy Hash: ae010a085843fec7fe3efa9fb8bf7a631e418468f8390ca7c7e4b7d129ac2432
Instruction Fuzzy Hash: B6F179B1904248DFCB19DF68C884BDE7BF4AF18304F14816AFD199B292EB759A44CF91

Function 001ED6F7 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 370COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 001ED871
__freea.LIBCMT ref: 001ED88D

Strings

am/pm, xrefs: 001ED8EF
a/p, xrefs: 001ED953

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: __freea
String ID: a/p$am/pm
API String ID: 240046367-3206640213
Opcode ID: 70ae0b0143d1df57372c2ac1cad4f039a6d281f8f1b0f4d7de32cc89e4f0797a
Instruction ID: c3e49927757de5d43595c0c432def7bc00dafc176f911bdc523e84f482407b32
Opcode Fuzzy Hash: 70ae0b0143d1df57372c2ac1cad4f039a6d281f8f1b0f4d7de32cc89e4f0797a
Instruction Fuzzy Hash: 9EC14634A04A86CFCB289F6AE885BBEB7B1FF96304F154169F901AB351D3319E41CB51

Function 042365D8 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 152COMMON

Download Yara Rule

APIs

GetTopWindow.USER32 ref: 042366A6
GetOEMCP.KERNEL32(?,?,?,?,?,?,?,?,0423B8C7), ref: 042366BC

Strings

An invalid volume label has been specified., xrefs: 04236727
Specified gamma ramp is invalid., xrefs: 042365D9, 0423660A, 0423663A, 04236667, 042366D7, 042366EB, 042366F7, 04236717, 0423671F, 04236746, 04236764, 042367CD, 042367F8, 04236820

Memory Dump Source

Source File: 00000000.00000002.1699427684.0000000004230000.00000040.00001000.00020000.00000000.sdmp, Offset: 04230000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4230000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: Window
String ID: An invalid volume label has been specified.$Specified gamma ramp is invalid.
API String ID: 2353593579-1471136984
Opcode ID: 8fcbd5ab50677ba184fedac6f3c6ee557ea96a66b5b47390a755aa2090e95901
Instruction ID: 1b8850b9b72d476709f0c1aba9e4dfcddd8e29892a496a4ce1733ef11148cff7
Opcode Fuzzy Hash: 8fcbd5ab50677ba184fedac6f3c6ee557ea96a66b5b47390a755aa2090e95901
Instruction Fuzzy Hash: 775180F0B64342AFE760EF2CA5582267FFDE798359F10845AD8818B214E67CE855CF12

Function 001DDD7B Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?), ref: 001DDDA0
CatchIt.LIBVCRUNTIME ref: 001DDE86

Strings

RCC, xrefs: 001DDDBA
MOC, xrefs: 001DDDB2

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: CatchEncodePointer
String ID: MOC$RCC
API String ID: 1435073870-2084237596
Opcode ID: 98d892473254fbded0b3bdf47246b2e4dcaafa811c1325eed20cb740b2f1e55d
Instruction ID: b1cbdb9b008bdb05480def53f45c00ebfcbe706faf23ddc5d230ee300a094993
Opcode Fuzzy Hash: 98d892473254fbded0b3bdf47246b2e4dcaafa811c1325eed20cb740b2f1e55d
Instruction Fuzzy Hash: 15418B72900209EFCF15DF98DD81AEEBBB5FF58304F14805AF908AB265D335A950DB51

Function 04241D28 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87COMMON

Download Yara Rule

APIs

GetTopWindow.USER32 ref: 04241D5B
GetLastError.KERNEL32 ref: 04241E07
GetTopWindow.USER32 ref: 04241E75

Strings

The cluster node has been poisoned., xrefs: 04241E0D

Memory Dump Source

Source File: 00000000.00000002.1699427684.0000000004230000.00000040.00001000.00020000.00000000.sdmp, Offset: 04230000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4230000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: Window$ErrorLast
String ID: The cluster node has been poisoned.
API String ID: 531141135-1625712938
Opcode ID: 3e979735bdf2e2359b7b0d16a67ced6c3a3610556be2cde225bf66f720bdea19
Instruction ID: 624645912c24ce25487616bfe13559fd38e4d839b7e1f6adafe078d08f46f79b
Opcode Fuzzy Hash: 3e979735bdf2e2359b7b0d16a67ced6c3a3610556be2cde225bf66f720bdea19
Instruction Fuzzy Hash: 103169B2B603459ED318DF3CEA4D6657EE9F7C8328F14863AC444CA665E738D8809B40

Function 0423F180 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 71threadCOMMON

Download Yara Rule

APIs

GetDialogBaseUnits.USER32 ref: 0423F194
GetCurrentThreadId.KERNEL32 ref: 0423F1B3

Strings

TPM 1.2: Authentication failed., xrefs: 0423F23B
A device was removed so enumeration must be restarted., xrefs: 0423F1F0

Memory Dump Source

Source File: 00000000.00000002.1699427684.0000000004230000.00000040.00001000.00020000.00000000.sdmp, Offset: 04230000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4230000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: BaseCurrentDialogThreadUnits
String ID: A device was removed so enumeration must be restarted.$TPM 1.2: Authentication failed.
API String ID: 4123241832-380985876
Opcode ID: 4c7de2cfddb179ee5b12a026e711772b04859ff09abd7d9f923f4e4b27660d0c
Instruction ID: fbcbc0fe455850470919e02ab4b26b5705eee442aa5dac0c904e411123d5d66d
Opcode Fuzzy Hash: 4c7de2cfddb179ee5b12a026e711772b04859ff09abd7d9f923f4e4b27660d0c
Instruction Fuzzy Hash: EB218BB1F61302CFD314DF2DFA896613FBEF798305B4540A6C8448B618E379AD448B41

Function 0423FC94 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

AnyPopup.USER32 ref: 0423FCEE
GetSystemDefaultLangID.KERNEL32(?,0423AEB0), ref: 0423FD25
GetTopWindow.USER32 ref: 0423FD53

Strings

Stick PC, xrefs: 0423FD80

Memory Dump Source

Source File: 00000000.00000002.1699427684.0000000004230000.00000040.00001000.00020000.00000000.sdmp, Offset: 04230000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4230000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: DefaultLangPopupSystemWindow
String ID: Stick PC
API String ID: 2971084555-3603036135
Opcode ID: adbcf95fb687bc03fde93bbf308af03fef5982a15af1355b192bb425c747d1a8
Instruction ID: 6e62c369f76b33e817d49ccbf4f215b481fda90908eb629e131f5e33ef03cbd6
Opcode Fuzzy Hash: adbcf95fb687bc03fde93bbf308af03fef5982a15af1355b192bb425c747d1a8
Instruction Fuzzy Hash: BF214AB1BA13018BD714CF3CF5882697FBAF788249F85866AD859CA254E73C98418F81

Function 0423E910 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

GetLargePageMinimum.KERNEL32(00001103,00000001,?,0423CEDD,?,?,?,0423B33B), ref: 0423E936
GetSystemDefaultLangID.KERNEL32(00001103,00000001,?,0423CEDD,?,?,?,0423B33B), ref: 0423E99C

Strings

The volume must undergo garbage collection., xrefs: 0423E911, 0423E971, 0423E98D
The Platform Manifest file was not authorized on this machine., xrefs: 0423E946

Memory Dump Source

Source File: 00000000.00000002.1699427684.0000000004230000.00000040.00001000.00020000.00000000.sdmp, Offset: 04230000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4230000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: DefaultLangLargeMinimumPageSystem
String ID: The Platform Manifest file was not authorized on this machine.$The volume must undergo garbage collection.
API String ID: 3676040673-3218441631
Opcode ID: 343ac4673b26d4115bb7dc51f573d34da107ef68b5ad239485d0003368d3b3ea
Instruction ID: c891d0f681c67c62420291bb6b5fce90b991ae9f68f46ad9a5d1fb1076d64bdb
Opcode Fuzzy Hash: 343ac4673b26d4115bb7dc51f573d34da107ef68b5ad239485d0003368d3b3ea
Instruction Fuzzy Hash: 6621C5B4B743468FE3418F2CB0986367FBAF7C231EB158096C4964F716E275A809C784

Function 0423C008 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 68COMMON

Download Yara Rule

APIs

GetOEMCP.KERNEL32(00000032,?,?,042392A9), ref: 0423C05B

Strings

SdbpGetProcessHostGuestArchitectures failed [%x], xrefs: 0423C090
Can't get the name string, xrefs: 0423C009
Maker Board, xrefs: 0423C088

Memory Dump Source

Source File: 00000000.00000002.1699427684.0000000004230000.00000040.00001000.00020000.00000000.sdmp, Offset: 04230000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4230000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID:
String ID: Can't get the name string$Maker Board$SdbpGetProcessHostGuestArchitectures failed [%x]
API String ID: 0-4055452779
Opcode ID: eb55a27aaddd099d7dc1c996abd4c3f178f98760578b02513b1309c1de234f96
Instruction ID: b39a8a1f106c79c6f4619ce4763da97d639b059fe81ebf15adfb27962bd64d0e
Opcode Fuzzy Hash: eb55a27aaddd099d7dc1c996abd4c3f178f98760578b02513b1309c1de234f96
Instruction Fuzzy Hash: F421D7B2B243428FD704EF3CE44A6167BF8FB80255F05441AE549DF211E779E800CB46

Function 0423E0C0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

GetOEMCP.KERNEL32(?,?,?,0423B04D), ref: 0423E0DE
GetTickCount.KERNEL32 ref: 0423E102
GetDesktopWindow.USER32 ref: 0423E108

Strings

TermsrvUpdateAllUserMenu, xrefs: 0423E0EB

Memory Dump Source

Source File: 00000000.00000002.1699427684.0000000004230000.00000040.00001000.00020000.00000000.sdmp, Offset: 04230000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4230000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: CountDesktopTickWindow
String ID: TermsrvUpdateAllUserMenu
API String ID: 1610731074-1499210260
Opcode ID: 154e17f354b38c138f5b9f93b4c9ba542defb0a48b403d3e4a4901528108687c
Instruction ID: c69f4e2b6454a343cfd9359a9a8e66b0ea07ae63cb3d0eaf5f3206cb49584a83
Opcode Fuzzy Hash: 154e17f354b38c138f5b9f93b4c9ba542defb0a48b403d3e4a4901528108687c
Instruction Fuzzy Hash: 920149B9730202CBDB305F2CD4482A6BB76EB453127068052E895AF704E674AD86C711

Function 0014A4E0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45libraryloaderCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(80040007,00000000,0014BD0C), ref: 0014A4F0
SystemParametersInfoW.USER32(00000042,0000000C,?,00000000), ref: 0014A519
GetProcAddress.KERNEL32(0000000C,DwmIsCompositionEnabled), ref: 0014A526

Strings

DwmIsCompositionEnabled, xrefs: 0014A51F

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: AddressErrorInfoLastParametersProcSystem
String ID: DwmIsCompositionEnabled
API String ID: 32703461-3099646739
Opcode ID: 78e58282a8e0ba8211f8f0413d41c9d47be45177389ba33c39b9229da1354977
Instruction ID: 703686ca4d2d3ff8a8463b9223ddfd19bf92da869f9a6a58ac56d68d062e28c9
Opcode Fuzzy Hash: 78e58282a8e0ba8211f8f0413d41c9d47be45177389ba33c39b9229da1354977
Instruction Fuzzy Hash: C8018470544341AFE760AF28D91CB9B7BD8AF48304F8C892DF989911A2E7B9C894C653

Function 001DA350 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27fileCOMMON

Download Yara Rule

APIs

UnmapViewOfFile.KERNEL32(00000000,?,00000000,00000000), ref: 001DA35C
CloseHandle.KERNEL32(00000000), ref: 001DA36A
CloseHandle.KERNEL32(?), ref: 001DA384

Strings

failed closing mapped file, xrefs: 001DA3A7

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: CloseHandle$FileUnmapView
String ID: failed closing mapped file
API String ID: 260491571-752119354
Opcode ID: f612e07d52a89f1dd791ede974a7fa883786ca30cd137acd202587bf65db3e29
Instruction ID: ceb5d23aea8ab8a1a53400e8f1fbccfcef38dcb894fe4f46e49dc042479861bc
Opcode Fuzzy Hash: f612e07d52a89f1dd791ede974a7fa883786ca30cd137acd202587bf65db3e29
Instruction Fuzzy Hash: B8E012303417116BDB216B35AD0979A3AEE7F11B41F440519F547D22F2CB75E8408B52

Function 001DE747 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000800,?,001DE6F8,?,?,00000000,?,?,?,001DE822,00000002,FlsGetValue,0020B668,FlsGetValue), ref: 001DE754
GetLastError.KERNEL32(?,001DE6F8,?,?,00000000,?,?,?,001DE822,00000002,FlsGetValue,0020B668,FlsGetValue,?,?,001DD689), ref: 001DE75E
LoadLibraryExW.KERNEL32(?,00000000,00000000), ref: 001DE786

Strings

api-ms-, xrefs: 001DE76B

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: a46a212d22b3e0aa8e8065e9fb324e149a385fbab5886f982a42a146d0e300bf
Instruction ID: 43424e91eca0033dea24f714d3a69682065ce8360913eec51d94de083a1a5af3
Opcode Fuzzy Hash: a46a212d22b3e0aa8e8065e9fb324e149a385fbab5886f982a42a146d0e300bf
Instruction Fuzzy Hash: 86E0483074030DB7DB202B51FC8AB5C3F599B10B59F140061F91DEC1E3D77598909585

Function 001F4138 Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(0B9FDD92,00000000,00000000,?), ref: 001F419B

Part of subcall function 001F6DB3: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,001F6C89,?,00000000,-00000008), ref: 001F6E14

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 001F43ED
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 001F4433
GetLastError.KERNEL32 ref: 001F44D6

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: edefc46ec189a248747723865f1d06e79811870b7100b89eaa4d97067df7b723
Instruction ID: 96f2c36671160fbe8e177e4391293563964ca8fa28a0d61fe2b18fc0eb8072e4
Opcode Fuzzy Hash: edefc46ec189a248747723865f1d06e79811870b7100b89eaa4d97067df7b723
Instruction Fuzzy Hash: D5D17A75D0025CAFCB14CFE8D894AAEBBB5FF08314F28416AE656EB751D730A942CB50

Function 001D1E10 Relevance: 6.3, APIs: 4, Instructions: 280memoryCOMMON

Download Yara Rule

APIs

CoTaskMemFree.OLE32(?), ref: 001D1E73
CoTaskMemFree.OLE32(?), ref: 001D1E7C
SHGetDesktopFolder.SHELL32(?), ref: 001D1E8C
CoTaskMemAlloc.OLE32(?), ref: 001D1EB6

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: Task$Free$AllocDesktopFolder
String ID:
API String ID: 1141445250-0
Opcode ID: b3f34ed060f7d089d2895dbd48bd7d48a26a49f2375c0fd0f97a1163c04cc065
Instruction ID: c763e8bb82fb4763d06278dc34a7aa1bab9ead22bbfc7d0a829c14c9845b2fca
Opcode Fuzzy Hash: b3f34ed060f7d089d2895dbd48bd7d48a26a49f2375c0fd0f97a1163c04cc065
Instruction Fuzzy Hash: 55A190B5A00215AFCB04DF68C985BAEBBB5FF58300F14815AE915AB386D735ED41CBA0

Function 001DD77F Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 001DD846
___AdjustPointer.LIBCMT ref: 001DD869
___AdjustPointer.LIBCMT ref: 001DD905

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: cf819392250b4ed3248a7fc6216011cc0d70fe6baa8dea3212a87a3f0028d1de
Instruction ID: 6a37c604db158abc6c981f7d5791528d10d364bf0d3c6c27f89ad0a96814ee10
Opcode Fuzzy Hash: cf819392250b4ed3248a7fc6216011cc0d70fe6baa8dea3212a87a3f0028d1de
Instruction Fuzzy Hash: C351D072A04302AFEB2A9F14E881BAA77B4FF64310F15406FE84647391E731EC81E790

Function 04237F84 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 134COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 042380AE

Part of subcall function 0423DA00: GetUserDefaultLangID.KERNEL32(0000000B,00000000,?,0423A70D), ref: 0423DA12
Part of subcall function 0423DA00: GetOEMCP.KERNEL32(?,0423A70D), ref: 0423DA58
Part of subcall function 0423DA00: GetLastActivePopup.USER32 ref: 0423DA94
Part of subcall function 0423DA00: GetTopWindow.USER32 ref: 0423DABB

Strings

QoZYLJECoSANG9LKyFMwEKYh0Q/roiGXvMuN5tmTrwsxnTqcC6pOtcAqwstU1ZU44MzYvTUqgXsKdmRAZdGj19WaYYkz6H1J87nQJTG60X2vY29CMEoYO+9N32IS6/XdAR5UH61VsFsvjGfewxiOgtUOkPwJnmHn+Hs5QG1DDnddkjJ6013s7ZloCkhkyERpSGMVjh+pMDMnLUmQiL0ag4tzdzTDrbUomRmtKFvcgqp71Jdv1LsJl5FnnBGc5NEpLB1u, xrefs: 042381A8
AslFileMappingEnsureMappedAs, xrefs: 04237FAA
The specified address range is already committed., xrefs: 04237FC5, 04238110, 04238161

Memory Dump Source

Source File: 00000000.00000002.1699427684.0000000004230000.00000040.00001000.00020000.00000000.sdmp, Offset: 04230000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4230000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: Last$ActiveDefaultErrorLangPopupUserWindow
String ID: AslFileMappingEnsureMappedAs$QoZYLJECoSANG9LKyFMwEKYh0Q/roiGXvMuN5tmTrwsxnTqcC6pOtcAqwstU1ZU44MzYvTUqgXsKdmRAZdGj19WaYYkz6H1J87nQJTG60X2vY29CMEoYO+9N32IS6/XdAR5UH61VsFsvjGfewxiOgtUOkPwJnmHn+Hs5QG1DDnddkjJ6013s7ZloCkhkyERpSGMVjh+pMDMnLUmQiL0ag4tzdzTDrbUomRmtKFvcgqp71Jdv1LsJl5FnnBGc5NEpLB1u$The specified address range is already committed.
API String ID: 1206660600-3279949425
Opcode ID: 14918c110b69d68d5750a16ba8d3a3f5e23dd8a793db9aee579b1478f032af27
Instruction ID: 7c432e21ba8a90f46a9e55737b22158011b54f637c7110b8a0a84d5f9575c8f4
Opcode Fuzzy Hash: 14918c110b69d68d5750a16ba8d3a3f5e23dd8a793db9aee579b1478f032af27
Instruction Fuzzy Hash: C45123B1B643998FDB44DF6CB4883E97BF5EB85310F2441B9DC88C7251C638A985DB90

Function 00161450 Relevance: 6.1, APIs: 4, Instructions: 127timefileCOMMON

Download Yara Rule

APIs

GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 00161568
CloseHandle.KERNEL32(00000000), ref: 0016156F
WriteFile.KERNEL32(00000000,?,?,00000000,00000000), ref: 001615A3
CloseHandle.KERNEL32(00000000,?,?,00000000,00000000), ref: 001615AE
SetFileTime.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,00000000), ref: 001615D1
CloseHandle.KERNEL32(00000000,?,?,00000000,00000000), ref: 001615D8

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: CloseFileHandle$Time$Write
String ID:
API String ID: 1785683994-0
Opcode ID: 768457e63d2fe123cac169664b52ab12f431d008d04ac7693c9c5fbb8667aa60
Instruction ID: ff259845b59c64c99665a4ac16cea5fc32aa851cc834fad4d6e0da2d986ff686
Opcode Fuzzy Hash: 768457e63d2fe123cac169664b52ab12f431d008d04ac7693c9c5fbb8667aa60
Instruction Fuzzy Hash: 8A411371100300ABE724EF28DC49BABB7E8BF44310F180619F996972D1EB74EA44CB95

Function 00189510 Relevance: 6.1, APIs: 4, Instructions: 111COMMON

Download Yara Rule

APIs

Part of subcall function 001D75A9: QueryPerformanceFrequency.KERNEL32(?,?,?,?,00189522,?,?,?,?,?,?,?,?,001A8B9C), ref: 001D75C7

Part of subcall function 001D7592: QueryPerformanceCounter.KERNEL32(?,?,?,?,00189531,?,?,?,?,?,?,?,?,001A8B9C), ref: 001D759B

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00189573
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 001895A5
__alldvrm.LIBCMT ref: 001895C8
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 001895EC

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$PerformanceQuery$CounterFrequency__alldvrm
String ID:
API String ID: 2057067329-0
Opcode ID: 85e12fba6b8acb37627b600c50b54ad45a2044a855940a57d984c9f8cbb6f4f6
Instruction ID: 47df9b83af8199850d89d909e16ca2ff9225fa57f6e200dc2838c47147e38097
Opcode Fuzzy Hash: 85e12fba6b8acb37627b600c50b54ad45a2044a855940a57d984c9f8cbb6f4f6
Instruction Fuzzy Hash: 1C21D4713043182FD714EE2D9C42B3BB6DDDBC8790F05852AF909DB392E6649C084BA5

Function 04241C34 Relevance: 6.1, APIs: 4, Instructions: 65threadCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 04241C72
GetShellWindow.USER32 ref: 04241C93
GetCurrentThread.KERNEL32 ref: 04241CCB
GetWindowTextLengthA.USER32 ref: 04241D14

Memory Dump Source

Source File: 00000000.00000002.1699427684.0000000004230000.00000040.00001000.00020000.00000000.sdmp, Offset: 04230000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4230000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: Window$CurrentLengthParentShellTextThread
String ID:
API String ID: 2226962073-0
Opcode ID: d257ea89e938ebfee6ae202973a74fd48c4e0a8316175f79d73bb2233809190d
Instruction ID: 7cadabc4b8d390c120bb2e678d5a5dee694d3a3d9e46002694644b6eaa3cf67e
Opcode Fuzzy Hash: d257ea89e938ebfee6ae202973a74fd48c4e0a8316175f79d73bb2233809190d
Instruction Fuzzy Hash: 97216D75F40311CBCB049F6CE89D1A5BBBCEB88341F40446AE8528B240E63CAD99CB51

Function 0014F6A0 Relevance: 6.1, APIs: 4, Instructions: 62COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 0014F6B2
GetWindowRect.USER32(00000000,?), ref: 0014F6D1
OffsetRect.USER32(?,?,?), ref: 0014F6EA
MapWindowPoints.USER32(?,?,?,00000002), ref: 0014F6FE

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: RectWindow$ItemOffsetPoints
String ID:
API String ID: 2681051736-0
Opcode ID: 35e3d3fc67795a9aaeb7c46cf44053a963ec32a9da71f98cb06c2d0063bda186
Instruction ID: 5188ae9bf6f736f6c392a7abaa65a2cc9ca31b8f7c72f01fc8575dd9f448d999
Opcode Fuzzy Hash: 35e3d3fc67795a9aaeb7c46cf44053a963ec32a9da71f98cb06c2d0063bda186
Instruction Fuzzy Hash: AD21FCB5504305AFC700DF58D8459ABBBE8EB48310F10895EF85AC7262D731E955CFA2

Function 04241098 Relevance: 6.1, APIs: 4, Instructions: 55threadwindowtimeCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 042410AA
AnyPopup.USER32 ref: 042410C1
GetMessageTime.USER32 ref: 042410FD
GetLastError.KERNEL32 ref: 04241116

Memory Dump Source

Source File: 00000000.00000002.1699427684.0000000004230000.00000040.00001000.00020000.00000000.sdmp, Offset: 04230000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4230000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: CurrentErrorLastMessagePopupThreadTime
String ID:
API String ID: 3839394117-0
Opcode ID: 93f21c17ad14bc75eea44c54f91a55894b3f9428f7937fb802adfe43268af3a8
Instruction ID: 9e665a2d98df0eca12e9500c5aa138b49dd9b7fd1cfdfe29d882e37d17f4add8
Opcode Fuzzy Hash: 93f21c17ad14bc75eea44c54f91a55894b3f9428f7937fb802adfe43268af3a8
Instruction Fuzzy Hash: E401266DF20163CBDB242F69D90C17BB765DBC4352B458032EC495F708FA3468E2C662

Function 0014A440 Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003,00000000), ref: 0014A498
VerSetConditionMask.KERNEL32(00000000), ref: 0014A49C
VerSetConditionMask.KERNEL32(00000000), ref: 0014A4A0
VerifyVersionInfoW.KERNEL32(00000023), ref: 0014A4C5

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: ConditionMask$InfoVerifyVersion
String ID:
API String ID: 2793162063-0
Opcode ID: b3ccc211e5af287d8ba3ceaf309f3912018727771be420582ca63606fa466bd4
Instruction ID: 2e0b662ebffc4f96e18feea213ef3dcc38cf27a2894efad96c43ff46fd0a74ad
Opcode Fuzzy Hash: b3ccc211e5af287d8ba3ceaf309f3912018727771be420582ca63606fa466bd4
Instruction Fuzzy Hash: 0501ECB0644304BEF720DF21DC4AFAB7AECEF84710F00481DB588E61D1D7B896588BA6

Function 001D68C0 Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 001D68C7
std::_Lockit::_Lockit.LIBCPMT ref: 001D68D2
std::_Lockit::~_Lockit.LIBCPMT ref: 001D6940

Part of subcall function 001D6A23: std::locale::_Locimp::_Locimp.LIBCPMT ref: 001D6A3B

std::locale::_Setgloballocale.LIBCPMT ref: 001D68ED

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_Setgloballocale
String ID:
API String ID: 677527491-0
Opcode ID: 5a4e68862ff7068e257a10ad6c271781893f5a0a63a6c90d57ec91d493345e10
Instruction ID: 57a78142e725de1002943687da06139256f3bec3e1019691d43494b2513c9783
Opcode Fuzzy Hash: 5a4e68862ff7068e257a10ad6c271781893f5a0a63a6c90d57ec91d493345e10
Instruction Fuzzy Hash: 9F01BCB5A401109BCB0AEF60E85567D7B75BF94340B18400AE85157392CF786E86CBD1

Function 001EBC45 Relevance: 6.0, APIs: 4, Instructions: 32COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(?,?,?,001EBD34,?), ref: 001EBC50
GetLastError.KERNEL32(?,001EBD34,?), ref: 001EBC5A
__dosmaperr.LIBCMT ref: 001EBC61
GetCurrentDirectoryW.KERNEL32(?,?,?,?,001EBD34,?), ref: 001EBC88

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: CurrentDirectory$ErrorLast__dosmaperr
String ID:
API String ID: 1554857224-0
Opcode ID: 8ac1b789d5b95268bddcc4b2830c97245da30d42e527bc7baa489556e7244869
Instruction ID: bca048523d87ba7b398ba5d479b3c1adc652fb9f44c77dda513f80cafb455bb8
Opcode Fuzzy Hash: 8ac1b789d5b95268bddcc4b2830c97245da30d42e527bc7baa489556e7244869
Instruction Fuzzy Hash: EFF05E31209B919FEB21AB77EC4891F7BA9AF543103208919E196C7421DB31D880C750

Function 002009C9 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,00000000,001E56DA,00000000,00000000,?,001FE752,00000000,00000001,?,?,?,001F452A,?,00000000,00000000), ref: 002009E0
GetLastError.KERNEL32(?,001FE752,00000000,00000001,?,?,?,001F452A,?,00000000,00000000,?,?,?,001F4B04,00000000), ref: 002009EC

Part of subcall function 002009B2: CloseHandle.KERNEL32(FFFFFFFE,002009FC,?,001FE752,00000000,00000001,?,?,?,001F452A,?,00000000,00000000,?,?), ref: 002009C2

___initconout.LIBCMT ref: 002009FC

Part of subcall function 00200974: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,002009A3,001FE73F,?,?,001F452A,?,00000000,00000000,?), ref: 00200987

WriteConsoleW.KERNEL32(00000000,00000000,001E56DA,00000000,?,001FE752,00000000,00000001,?,?,?,001F452A,?,00000000,00000000,?), ref: 00200A11

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 3fb01f8a10be961d6b6cfc274ec746b46a54f2fc1f46e3dd69359770217d15c6
Instruction ID: 641cfb35b802bcca818d278b660cfda6fb7606ddcbdc85d89a86933543c36b5c
Opcode Fuzzy Hash: 3fb01f8a10be961d6b6cfc274ec746b46a54f2fc1f46e3dd69359770217d15c6
Instruction Fuzzy Hash: F5F0AC36510359BBDF222FD5EC4CA9A3F26FB087A5F044551FA1995173CA328860DF90

Function 001FA80A Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 352COMMON

Download Yara Rule

Strings

xb", xrefs: 001FAADC
xb", xrefs: 001FA836

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID:
String ID: xb"$xb"
API String ID: 0-1271913031
Opcode ID: 5a5ac79e3363ea0635cbf6524d40e291a516e08294437ec5c35705a7e276270c
Instruction ID: ddd5baa9db77449b30619b9ce40eb94de7c32b69858db8f6dc7fde5fd3beced4
Opcode Fuzzy Hash: 5a5ac79e3363ea0635cbf6524d40e291a516e08294437ec5c35705a7e276270c
Instruction Fuzzy Hash: 37B14EB2D4020CABDB20DAA48C82FFB77ECAF58740F554565FB15EB182EB74E9048B51

Function 001C6EB0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 176COMMON

Download Yara Rule

APIs

Part of subcall function 001D73A3: ReleaseSRWLockExclusive.KERNEL32(0018A82B), ref: 001D73B7

std::_Throw_Cpp_error.LIBCPMT ref: 001C70C7
std::_Throw_Cpp_error.LIBCPMT ref: 001C70D7

Strings

0R!, xrefs: 001C6ED2

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: Cpp_errorThrow_std::_$ExclusiveLockRelease
String ID: 0R!
API String ID: 3666349979-533598986
Opcode ID: 365564bf404be78fe1dbc4f146f549a3de8260f491c46101084774af90d14bcd
Instruction ID: 2f89e6bc02e290153abe17a21718daac0ceb52101aae5305243c3ff24ed8519a
Opcode Fuzzy Hash: 365564bf404be78fe1dbc4f146f549a3de8260f491c46101084774af90d14bcd
Instruction Fuzzy Hash: 506199B0A01248DFDB14DFA4C844B9EBBA4BF25318F10455EF8199B380E775EA19CB91

Function 001FB26E Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 113COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 001F261C: HeapFree.KERNEL32(00000000,00000000,?,001FAE0A,?,00000000,?,?,001FB0AB,?,00000007,?,?,001FB405,?,?), ref: 001F2632
Part of subcall function 001F261C: GetLastError.KERNEL32(?,?,001FAE0A,?,00000000,?,?,001FB0AB,?,00000007,?,?,001FB405,?,?), ref: 001F263D

___free_lconv_mon.LIBCMT ref: 001FB2B2

Strings

xb", xrefs: 001FB284
hd", xrefs: 001FB35A

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: ErrorFreeHeapLast___free_lconv_mon
String ID: hd"$xb"
API String ID: 4068849827-4199064980
Opcode ID: e1c0785283c2fa815fbb5ea80adecf9aaca74ac998c8b8b49bcc08145242245b
Instruction ID: a53cac361ff6dde159c3355ff0ef1c5a4abfbee5dd8ed82664bc8cbb2725a330
Opcode Fuzzy Hash: e1c0785283c2fa815fbb5ea80adecf9aaca74ac998c8b8b49bcc08145242245b
Instruction Fuzzy Hash: EE314CB16092089FEB21AA79D885B7F77E9BF10720F244919EA49D7152DF30BC40CB15

Function 0423E2E4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 94COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,04238E7A,00000000), ref: 0423E30C

Strings

DefaultBrowser_NOPUBLISHERID, xrefs: 0423E2E7
The file designated by DCERPCCHARTRANS cannot be opened., xrefs: 0423E305

Memory Dump Source

Source File: 00000000.00000002.1699427684.0000000004230000.00000040.00001000.00020000.00000000.sdmp, Offset: 04230000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4230000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: HandleModule
String ID: DefaultBrowser_NOPUBLISHERID$The file designated by DCERPCCHARTRANS cannot be opened.
API String ID: 4139908857-370230117
Opcode ID: 8400c39e12d4517c36458efabe819edb827a1515d86009d8d04a8cda745d1431
Instruction ID: c5757a59cd59e34886a5adcaaf05f88d897f88d50a6a64aa5e2104e642e91862
Opcode Fuzzy Hash: 8400c39e12d4517c36458efabe819edb827a1515d86009d8d04a8cda745d1431
Instruction Fuzzy Hash: 3D2126E4B34053CADB205E2880642BEF777DB41743B5A8066D89A8F348E671B88BC741

Function 042403D0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 83threadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 042404A5
GetCurrentThread.KERNEL32 ref: 042404C5

Strings

{Filemark Found}, xrefs: 0424049E

Memory Dump Source

Source File: 00000000.00000002.1699427684.0000000004230000.00000040.00001000.00020000.00000000.sdmp, Offset: 04230000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4230000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: CurrentHandleModuleThread
String ID: {Filemark Found}
API String ID: 2752942033-1305916082
Opcode ID: cd1eaa1b5957a7091ee3013d3413bdb33dfe36d2d2c504384f63b7e86f11ee1d
Instruction ID: 724a1f2bef73799b2aeb02b0740fc4ad75999a398673630f51bf08c0d5333aaa
Opcode Fuzzy Hash: cd1eaa1b5957a7091ee3013d3413bdb33dfe36d2d2c504384f63b7e86f11ee1d
Instruction Fuzzy Hash: 3C31C271B603069BCB18DF2CF5495A6BBB9F7D4750B00406AD906CB340E77C6D80CB90

Function 04240A70 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32 ref: 04240B24
GetSystemDefaultLangID.KERNEL32(00000000,?,?,00000000,?,042384F8), ref: 04240B6C

Strings

The callback function must be invoked inline., xrefs: 04240A71

Memory Dump Source

Source File: 00000000.00000002.1699427684.0000000004230000.00000040.00001000.00020000.00000000.sdmp, Offset: 04230000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4230000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: DefaultLangLengthSystemTextWindow
String ID: The callback function must be invoked inline.
API String ID: 3266653797-1109098526
Opcode ID: ab8542e3cd12e01a65ebd7971909b653cc145d9578c508529360d7469c4c02af
Instruction ID: d3f071534cb12752b1940c687715672031374bd747aa3b601f13794687e8bb58
Opcode Fuzzy Hash: ab8542e3cd12e01a65ebd7971909b653cc145d9578c508529360d7469c4c02af
Instruction Fuzzy Hash: B3315CB0B913018FD714DF6CF68D6157BEAF7C8304F0489A6E505CB248E7789981CBA2

Function 04243328 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

GetLargePageMinimum.KERNEL32 ref: 042433E1
GetWindowTextLengthW.USER32 ref: 04243448

Strings

A write operation failed while converting the volume., xrefs: 0424336E

Memory Dump Source

Source File: 00000000.00000002.1699427684.0000000004230000.00000040.00001000.00020000.00000000.sdmp, Offset: 04230000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4230000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: LargeLengthMinimumPageTextWindow
String ID: A write operation failed while converting the volume.
API String ID: 3158731419-61448210
Opcode ID: d072412230022a89f1fee9829045815a82cb9e714107318348ff3d16f86981ae
Instruction ID: 9445f4c285af7448153173e1a4f764982c418542b683f51de4f4b7313ed3e88f
Opcode Fuzzy Hash: d072412230022a89f1fee9829045815a82cb9e714107318348ff3d16f86981ae
Instruction Fuzzy Hash: 2621A1B6F703018BDB14EF7CF8CA1157AEAF794300B088626C821CB691E778E848C781

Function 0423CDD8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0423CE17
GetShellWindow.USER32 ref: 0423CE41

Strings

setmiterlimit, xrefs: 0423CDD9

Memory Dump Source

Source File: 00000000.00000002.1699427684.0000000004230000.00000040.00001000.00020000.00000000.sdmp, Offset: 04230000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4230000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: CurrentShellThreadWindow
String ID: setmiterlimit
API String ID: 262587986-743676673
Opcode ID: e1c3f71ebfede07ffcaa499b0102cf1c31a5be262ccada7a15ab3bc8bd842ea5
Instruction ID: 095f009e22d0347dbee8e3f1e1788e5061a49c2f212fe0c52fcad200f4e663af
Opcode Fuzzy Hash: e1c3f71ebfede07ffcaa499b0102cf1c31a5be262ccada7a15ab3bc8bd842ea5
Instruction Fuzzy Hash: 6E21D1B2B543569FD700DF3DF48C26A7BB8EB89321F4405A5E88ADF200D739A805CB91

Function 00154580 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00154600

Strings

+, xrefs: 001545A1
%, xrefs: 00154594

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: _swprintf
String ID: %$+
API String ID: 589789837-2626897407
Opcode ID: fc1dafd169ab910db28b66a04fa97e48f06b952931c2034271e33f729ffc7716
Instruction ID: 58ee514b11358060a31dcce0d8fd1d3e1bfc9f4a34df798061917825957cf947
Opcode Fuzzy Hash: fc1dafd169ab910db28b66a04fa97e48f06b952931c2034271e33f729ffc7716
Instruction Fuzzy Hash: DF1154620143449FDB118E18D889BDB7BD99F55309F08805AFD984B292E775D91C87A3

Function 00154630 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 61COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 001546A3

Strings

+, xrefs: 00154650
%, xrefs: 00154644

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: _swprintf
String ID: %$+
API String ID: 589789837-2626897407
Opcode ID: a3b72f0b22335ff30c80bbcba514fa06435b1ede7dd33deeb7e530f75ec359d3
Instruction ID: 7121cd8485bb755b0b1c870be20331483d727665d4430968c6734ce7415ba101
Opcode Fuzzy Hash: a3b72f0b22335ff30c80bbcba514fa06435b1ede7dd33deeb7e530f75ec359d3
Instruction Fuzzy Hash: 04113872104344EFDB11CD58CC00BDBBBE89F5A318F04850AFDA85B281D374A85997F2

Function 001546D0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 61COMMON

Download Yara Rule

APIs

_swprintf.LIBCMT ref: 00154743

Strings

%, xrefs: 001546E4
+, xrefs: 001546F0

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: _swprintf
String ID: %$+
API String ID: 589789837-2626897407
Opcode ID: 75545949910e4368b5cf1099c73b23fb14ecee2b1ffe9e188ec4ad00851b3ef2
Instruction ID: 4004105e8074c72925f7040db395271e8c7185a514983a76a7654445a4267799
Opcode Fuzzy Hash: 75545949910e4368b5cf1099c73b23fb14ecee2b1ffe9e188ec4ad00851b3ef2
Instruction Fuzzy Hash: 3F117436108340EBDB118E18CC00BDBBBD89F5A359F04810AFDA89B281D374A95997E2

Function 001745D0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 53COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00174616

Strings

PM!, xrefs: 00174669
XM!, xrefs: 00174662

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: ___std_exception_copy
String ID: PM!$XM!
API String ID: 2659868963-3047116728
Opcode ID: aa9d513fe74cfdb32499b4782e5e8e94a049fe2ed612c362f706e09a1dfc72bc
Instruction ID: 878e12ff351956f2671a677b5b1ad6fa33716267d311a054f2ad023eb00ebee3
Opcode Fuzzy Hash: aa9d513fe74cfdb32499b4782e5e8e94a049fe2ed612c362f706e09a1dfc72bc
Instruction Fuzzy Hash: EA2159B1A11B45EFC724CF18D544A46FBF8FF09710F008A2EE49A87B41D7B0A958CB90

Function 0423DF38 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 53COMMON

Download Yara Rule

APIs

GetWindowTextLengthA.USER32 ref: 0423DF6A

Strings

{Network Request Timeout}, xrefs: 0423DF39
2147483647, xrefs: 0423DFB1

Memory Dump Source

Source File: 00000000.00000002.1699427684.0000000004230000.00000040.00001000.00020000.00000000.sdmp, Offset: 04230000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4230000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: LengthTextWindow
String ID: 2147483647${Network Request Timeout}
API String ID: 298885082-3867047420
Opcode ID: f84715a00e1832ba20de643b454ce87c541ebc668571d8ecae5296868607e6d8
Instruction ID: a94bbe7fab8850a904c0a1487f94e5a6541f0a66ac969b26b71f7aaf994df4e2
Opcode Fuzzy Hash: f84715a00e1832ba20de643b454ce87c541ebc668571d8ecae5296868607e6d8
Instruction Fuzzy Hash: 9F119EF1B703428BD704DF39F8886A17BBAE7A9344F148599E4528B254E2B8E958CF44

Function 0423E6D4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 53threadCOMMON

Download Yara Rule

APIs

GetThreadUILanguage.KERNEL32(05008D72,?,?,0423741F), ref: 0423E71D

Strings

The operation failed because the log is a dedicated log., xrefs: 0423E6DE
heap_failure_listentry_corruption, xrefs: 0423E728

Memory Dump Source

Source File: 00000000.00000002.1699427684.0000000004230000.00000040.00001000.00020000.00000000.sdmp, Offset: 04230000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4230000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: LanguageThread
String ID: The operation failed because the log is a dedicated log.$heap_failure_listentry_corruption
API String ID: 243849632-2863350049
Opcode ID: 5835219211f4259209c3feac094761d4da283d57f4c42d5fa52ae3cbc272d043
Instruction ID: 42a8893a32dee09d35552419bde488d2619916e53d4cdf4899942485ccf05762
Opcode Fuzzy Hash: 5835219211f4259209c3feac094761d4da283d57f4c42d5fa52ae3cbc272d043
Instruction Fuzzy Hash: F0119EB2FA43058BEB44DF6DF89D6207BB9FBA4204B444D65E460CB750E779ED008A80

Function 0423E000 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51COMMON

Download Yara Rule

APIs

GetUserDefaultLangID.KERNEL32(?,0000022C,?,04231276), ref: 0423E078

Strings

Failed to read text to match, xrefs: 0423E030
The attribute cannot be written., xrefs: 0423E001

Memory Dump Source

Source File: 00000000.00000002.1699427684.0000000004230000.00000040.00001000.00020000.00000000.sdmp, Offset: 04230000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4230000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: DefaultLangUser
String ID: Failed to read text to match$The attribute cannot be written.
API String ID: 768647712-3297483619
Opcode ID: 746905283e66aa406dbe5ff25f2fe4bcd297b12f48c00fe04b2da894ab47424b
Instruction ID: d5cd5e0cd7f688ab7d7cea749b28a60a64512b9c0e430d7cc7ea45cedec5128e
Opcode Fuzzy Hash: 746905283e66aa406dbe5ff25f2fe4bcd297b12f48c00fe04b2da894ab47424b
Instruction Fuzzy Hash: 4D11A9B07653029FE300DF6CF988126BBFDF7C5325B158066E4459B748D639AC46DB60

Function 04241F1C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 04241F21
AnyPopup.USER32 ref: 04241FA8

Strings

The specified disk is not empty., xrefs: 04241F78

Memory Dump Source

Source File: 00000000.00000002.1699427684.0000000004230000.00000040.00001000.00020000.00000000.sdmp, Offset: 04230000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4230000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: CurrentPopupThread
String ID: The specified disk is not empty.
API String ID: 2908149267-2386209912
Opcode ID: 58d62599ea9d93543677138bf8e2678c10d18168b55abea4376aaf388c455195
Instruction ID: 5642739717137bd64be55d811ef6c54295b1bde0aa49c100528bb32153115226
Opcode Fuzzy Hash: 58d62599ea9d93543677138bf8e2678c10d18168b55abea4376aaf388c455195
Instruction Fuzzy Hash: D9119E75B913428FD318CF2CFA8D6657BEDE7C4210F15886AE806CB2A1E73C9D418B51

Function 0424131C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48windowtimeCOMMON

Download Yara Rule

APIs

GetMessageTime.USER32 ref: 0424135E
GetSystemDefaultLangID.KERNEL32(?,?,?,0423BCC7), ref: 042413BC

Strings

/iCCP/ProfileName, xrefs: 04241320

Memory Dump Source

Source File: 00000000.00000002.1699427684.0000000004230000.00000040.00001000.00020000.00000000.sdmp, Offset: 04230000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4230000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: DefaultLangMessageSystemTime
String ID: /iCCP/ProfileName
API String ID: 1876246435-2957417691
Opcode ID: fb2a64924091d4a66b50853b45a26766bfef3cfeeb3fb2de85d94e2e2d356aeb
Instruction ID: 7cd055675067c67696809919136582c63c01d7dd5450fc7526ce1a90c764e7a9
Opcode Fuzzy Hash: fb2a64924091d4a66b50853b45a26766bfef3cfeeb3fb2de85d94e2e2d356aeb
Instruction Fuzzy Hash: 561157B6BA43808FE304DE3CF889625BBD9F7D4394F448526D889C6A14E33C9D518650

Function 04241228 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 04241286
GetOEMCP.KERNEL32(00000000), ref: 0424129A

Strings

RR.Raphael.Install.Builder, xrefs: 0424127F

Memory Dump Source

Source File: 00000000.00000002.1699427684.0000000004230000.00000040.00001000.00020000.00000000.sdmp, Offset: 04230000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4230000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: HandleModule
String ID: RR.Raphael.Install.Builder
API String ID: 4139908857-540015930
Opcode ID: 98bbbf5d8d53615d844a07ef06e9947bb0ede881907c0d3b1ebe824aeda68f50
Instruction ID: 3c52100a99cbe5d491e4e031926c95c88cf8af827537c03d2a0b3d1d0dbb4475
Opcode Fuzzy Hash: 98bbbf5d8d53615d844a07ef06e9947bb0ede881907c0d3b1ebe824aeda68f50
Instruction Fuzzy Hash: F1014771B102668FCF04DFACD4AC2BA7BA9EB89350F040065ECA5CF780E638E9918741

Function 04241710 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 0424174A

Strings

Print or disk redirection is temporarily paused., xrefs: 0424171A
The IPsec cipher transform is not compatible with the policy., xrefs: 04241743

Memory Dump Source

Source File: 00000000.00000002.1699427684.0000000004230000.00000040.00001000.00020000.00000000.sdmp, Offset: 04230000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4230000_iQPxJrxxaj.jbxd

Yara matches

Similarity

API ID: HandleModule
String ID: Print or disk redirection is temporarily paused.$The IPsec cipher transform is not compatible with the policy.
API String ID: 4139908857-1868017272
Opcode ID: aa55078afeaaad179f46b2ecd7cdf950602ffb0c6ced097f3f3b0ccae1bca32f
Instruction ID: 13f37f47d4eb0b4e432c6a04b1a05dece0cb4c7ef657bcc70a09ad32fcd62fcb
Opcode Fuzzy Hash: aa55078afeaaad179f46b2ecd7cdf950602ffb0c6ced097f3f3b0ccae1bca32f
Instruction Fuzzy Hash: 2CF0F472B51351DFC705DB1CF8895967BECEBC9340F4080A7D829CB214E239AD808F81

Function 00174DE0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00174E03

Strings

PM!, xrefs: 00174E3D
XM!, xrefs: 00174E36

Memory Dump Source

Source File: 00000000.00000002.1698401481.0000000000111000.00000020.00000001.01000000.00000003.sdmp, Offset: 00110000, based on PE: true

Associated: 00000000.00000002.1698387707.0000000000110000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698510074.0000000000209000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698534036.0000000000226000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698552966.0000000000227000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698571436.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1698590292.000000000022C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_110000_iQPxJrxxaj.jbxd

Similarity

API ID: ___std_exception_copy
String ID: PM!$XM!
API String ID: 2659868963-3047116728
Opcode ID: d39d0272aeb15e141a5e44f8987e558db863addbe5d40dff01939bfe8f4aa86d
Instruction ID: 448af6e030fc16e62a47131c26ada7e7e191b051794b3fb2ac372f188bc8119e
Opcode Fuzzy Hash: d39d0272aeb15e141a5e44f8987e558db863addbe5d40dff01939bfe8f4aa86d
Instruction Fuzzy Hash: EAF012B1014B008FC730DF18E808646BAF4AF15324F018B1EE0AA8BB91C3B0A1988B94

Analysis Process: ctfmon.exePID: 7508, Parent PID: 7440COMMON

Execution Graph

Execution Coverage:	39.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	19.7%
Total number of Nodes:	528
Total number of Limit Nodes:	2

Executed Functions

Function 00666740 Relevance: 41.6, APIs: 3, Strings: 20, Instructions: 1362memorysynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00665098: LdrGetProcedureAddress.NTDLL ref: 006652C9

CreateMutexW.KERNELBASE ref: 00667AC8
GetUserNameW.ADVAPI32 ref: 00667C9D
LocalAlloc.KERNEL32 ref: 00667FF8

Strings

or-IN, xrefs: 00666A94, 00667126, 00667933
chr-Cher-US, xrefs: 00666A6D
ca-ES, xrefs: 006667FD, 006668E4, 00666D86, 006670F1, 0066711D, 0066713E, 00667230, 00667280, 0066764A, 0066768C, 006676BA, 00667B17, 00667B82, 00667B8A, 00667DD7, 00667E14, 00667F50, 00668005
|$g, xrefs: 00668035
|$g, xrefs: 00667191
SECURITY, xrefs: 00666781, 0066679F, 00666A78, 00666B52, 00666B97, 00666BE9, 006670D7, 0066715A, 006676A9
threadId, xrefs: 00666C60, 00666DA2, 00666F88, 0066729B, 006672A9, 00667F16
ult, xrefs: 00666CB1
resu, xrefs: 00666D60
$$g, xrefs: 00666752
:, xrefs: 00666AB6
onecoreuap\base\appmodel\search\common\utils\regredirect.cxx, xrefs: 00666789, 006667CD, 00666A4C, 00666C68, 00666FEA, 0066709B
, xrefs: 00667FE9
=g, xrefs: 00667189
sq-AL, xrefs: 00666889, 00667006, 0066707F
failureId, xrefs: 006667BA
address_family_not_supported, xrefs: 0066686D, 00666875, 00666C44, 00666D8E, 00666E0F, 00666EA1, 00666F90, 006671AB, 00667668, 00667F48, 0066803D
`$g, xrefs: 00666F1D
failureType, xrefs: 00666F36
=g, xrefs: 00667162

Memory Dump Source

Source File: 00000001.00000002.3546851366.0000000000661000.00000020.00000400.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Associated: 00000001.00000002.3546833938.0000000000660000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3546871324.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3546907022.0000000000672000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3546923524.0000000000676000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_660000_ctfmon.jbxd

Similarity

API ID: AddressAllocCreateLocalMutexNameProcedureUser
String ID: $$$g$:$SECURITY$`$g$address_family_not_supported$ca-ES$chr-Cher-US$failureId$failureType$onecoreuap\base\appmodel\search\common\utils\regredirect.cxx$or-IN$resu$sq-AL$threadId$ult$|$g$|$g$=g$=g
API String ID: 664105279-2225064490
Opcode ID: 6069faa92322cf384d6d45382f98079d1b3ec4d642d29d9c23528cc6c3481e65
Instruction ID: 96337fb4c63754b5c698239ff5a5cbbf7c97fc707f06c163d731c70b867d49d9
Opcode Fuzzy Hash: 6069faa92322cf384d6d45382f98079d1b3ec4d642d29d9c23528cc6c3481e65
Instruction Fuzzy Hash: 34E253B09087448FD754DF68E98469ABFE2BF49300F15A9ADE48CCB322DB708985CF55

Function 006680CC Relevance: 28.7, APIs: 6, Strings: 10, Instructions: 705
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE ref: 006684C6

Part of subcall function 00668EA4: LocalReAlloc.KERNELBASE(?,?,?,?,?,?,?,?,-14DD7C7A,-14DD7C7A), ref: 00668ECF

CreateToolhelp32Snapshot.KERNEL32(?,?,00000000), ref: 00668A53
Process32FirstW.KERNEL32(09CBFAF9,09CBFAF9,?,?,00000000), ref: 00668A82
Process32NextW.KERNEL32(?,?,?,?,?,00000000), ref: 00668C5E
IsWow64Process.KERNEL32 ref: 00668CD1
CloseHandle.KERNELBASE(?,?,?,?,?,?,?,00000000), ref: 00668CF5

Strings

d1g, xrefs: 0066823E
message, xrefs: 006681E2, 00668236, 00668606, 00668992, 0066899A, 00668A31, 00668B45
lt-LT, xrefs: 006680CD, 0066867B, 00668728, 00668740, 00668816, 0066887C
HKEY_DYN_DATA, xrefs: 00668257, 006686AB, 006687B0
@, xrefs: 0066812B
d1g, xrefs: 006689F1
(g, xrefs: 006689E9
%lS\%lS, xrefs: 00668112, 00668B59, 00668D0F
d1g, xrefs: 006685FE
device or resource busy, xrefs: 0066824B, 006685C1, 006689D7

Memory Dump Source

Source File: 00000001.00000002.3546851366.0000000000661000.00000020.00000400.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Associated: 00000001.00000002.3546833938.0000000000660000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3546871324.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3546907022.0000000000672000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3546923524.0000000000676000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_660000_ctfmon.jbxd

Similarity

API ID: Process32$AllocCloseCreateFirstGlobalHandleLocalMemoryNextProcessSnapshotStatusToolhelp32Wow64
String ID: (g$%lS\%lS$@$HKEY_DYN_DATA$d1g$d1g$d1g$device or resource busy$lt-LT$message
API String ID: 1357830228-436939079
Opcode ID: 6839cf6f7e5873059f580f757104e13c207493efaf8b9faedf9e4a87c074aeaf
Instruction ID: d1d66e229461f7d5d7c470b575672f27de3a9134614cea9331a7b37a0af4ab79
Opcode Fuzzy Hash: 6839cf6f7e5873059f580f757104e13c207493efaf8b9faedf9e4a87c074aeaf
Instruction Fuzzy Hash: 607217B4914315DFE754EF29E984659BBF2FB89700F00A96DE588CB321EB749880CF52

Function 00661468 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 112
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNELBASE ref: 006615E8

Strings

+g, xrefs: 006614B0
originatingContextId, xrefs: 0066149F, 00661513
host unreachable, xrefs: 006614CC

Memory Dump Source

Source File: 00000001.00000002.3546851366.0000000000661000.00000020.00000400.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Associated: 00000001.00000002.3546833938.0000000000660000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3546871324.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3546907022.0000000000672000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3546923524.0000000000676000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_660000_ctfmon.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID: host unreachable$originatingContextId$+g
API String ID: 3662101638-4234654825
Opcode ID: d5aa163044c3bd52f70a530e0299e4ba8402a9fff168d34692485b62ca95d947
Instruction ID: e9f36d4408131243de308e42cf3a507ed5e58e7958d2ee40e4e964daecf7c463
Opcode Fuzzy Hash: d5aa163044c3bd52f70a530e0299e4ba8402a9fff168d34692485b62ca95d947
Instruction Fuzzy Hash: 6841FDB5804340CFEB48DF25C84529ABBF7FB85314F08A86EE45A9B3A1C7748985CF21

Function 006652F8 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 120
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL ref: 0066543B

Strings

|:g, xrefs: 00665446
no such process, xrefs: 006653B8

Memory Dump Source

Source File: 00000001.00000002.3546851366.0000000000661000.00000020.00000400.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Associated: 00000001.00000002.3546833938.0000000000660000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3546871324.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3546907022.0000000000672000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3546923524.0000000000676000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_660000_ctfmon.jbxd

Similarity

API ID: Load
String ID: no such process$|:g
API String ID: 2234796835-3662211940
Opcode ID: da84e30a79ddeb3f2cd6c085f50114841da74b61e4cf529d237900ceefe3e115
Instruction ID: 8fab7d174cc8622b755eeafed6b55141a7cc568e6f33a06968e4ee7546d1028a
Opcode Fuzzy Hash: da84e30a79ddeb3f2cd6c085f50114841da74b61e4cf529d237900ceefe3e115
Instruction Fuzzy Hash: 3C51BF70A05314DFC754DF68E98555ABBF2FB88740F1085AEE089C7311E7709A84CF46

Function 00661000 Relevance: 1.5, APIs: 1, Instructions: 28
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAcquireCrossVmMutant.NTDLL(00000000), ref: 00661052

Memory Dump Source

Source File: 00000001.00000002.3546851366.0000000000661000.00000020.00000400.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Associated: 00000001.00000002.3546833938.0000000000660000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3546871324.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3546907022.0000000000672000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3546923524.0000000000676000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_660000_ctfmon.jbxd

Similarity

API ID: AcquireCrossMutant
String ID:
API String ID: 1552271985-0
Opcode ID: 370b09dd146b1e71db04d8a56240ea3f599afd11768509b605c0ae358b85eed5
Instruction ID: b4181e70769e2347169eceaf1608c99446f41eca52761dcc5e162cfedfdf4dfe
Opcode Fuzzy Hash: 370b09dd146b1e71db04d8a56240ea3f599afd11768509b605c0ae358b85eed5
Instruction Fuzzy Hash: 57F0F2B2510200DFEB00CF64FD02A513FA3FB24315B00B579E81AD3620EAB4A810EF41

Function 00665098 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 170
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrGetProcedureAddress.NTDLL ref: 006652C9

Strings

not enough memory, xrefs: 0066510A
ActivityError, xrefs: 00665099

Memory Dump Source

Source File: 00000001.00000002.3546851366.0000000000661000.00000020.00000400.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Associated: 00000001.00000002.3546833938.0000000000660000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3546871324.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3546907022.0000000000672000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3546923524.0000000000676000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_660000_ctfmon.jbxd

Similarity

API ID: AddressProcedure
String ID: ActivityError$not enough memory
API String ID: 3653107232-1586099713
Opcode ID: 1d4bc9e2197648a2924c33f448c14bce30ef98eb3dcb99e2a697280ddd4d5c6e
Instruction ID: 8e9090ceece1727deeeabfdbc2848966be79cf647a69b68560046169ff95b1b7
Opcode Fuzzy Hash: 1d4bc9e2197648a2924c33f448c14bce30ef98eb3dcb99e2a697280ddd4d5c6e
Instruction Fuzzy Hash: 3B712470A14614CFDB18DFA9D8916AEBBF2BF89300F10942EE85ADB311E7749941CF91

Function 00668E3C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 36
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00668EA4: LocalReAlloc.KERNELBASE(?,?,?,?,?,?,?,?,-14DD7C7A,-14DD7C7A), ref: 00668ECF

LocalReAlloc.KERNELBASE(?,?,?,?,?,?,?,00000000,?,006692F8,?,?,-14DD7C7A,-14DD7C7A), ref: 00668E7A

Strings

B, xrefs: 00668E5E

Memory Dump Source

Source File: 00000001.00000002.3546851366.0000000000661000.00000020.00000400.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Associated: 00000001.00000002.3546833938.0000000000660000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3546871324.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3546907022.0000000000672000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3546923524.0000000000676000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_660000_ctfmon.jbxd

Similarity

API ID: AllocLocal
String ID: B
API String ID: 3494564517-1255198513
Opcode ID: 694d3ad7f9d9acebe08c2b6ec61120f71a5c530c2dd47280d39bf7b9dd1f92da
Instruction ID: 6a70757b620cb4a932515f220e1b33c82671056a7303d23145d496938a9d5f87
Opcode Fuzzy Hash: 694d3ad7f9d9acebe08c2b6ec61120f71a5c530c2dd47280d39bf7b9dd1f92da
Instruction Fuzzy Hash: FC01E4B19053149FCB40EF68D98558ABBE4EF44710F05C96EE9888B306D671DC40CB95

Function 00669A6C Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 51
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LocalAlloc.KERNELBASE ref: 00669AA2

Strings

p?g, xrefs: 00669AD7

Memory Dump Source

Source File: 00000001.00000002.3546851366.0000000000661000.00000020.00000400.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Associated: 00000001.00000002.3546833938.0000000000660000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3546871324.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3546907022.0000000000672000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3546923524.0000000000676000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_660000_ctfmon.jbxd

Similarity

API ID: AllocLocal
String ID: p?g
API String ID: 3494564517-548958085
Opcode ID: 26c23399d7880d1b0762a526be8aed969443dcd088048b36a145c8e2802a6d17
Instruction ID: 9dd2532966f26d4916624e57b620bd30caa276c25f00acd9eab2e9d05b239d84
Opcode Fuzzy Hash: 26c23399d7880d1b0762a526be8aed969443dcd088048b36a145c8e2802a6d17
Instruction Fuzzy Hash: 6A1126B0904305DFE740DF69E88595ABBEAFB88750F00D85EEA8C8B312D3319840CFA1

Function 00668EA4 Relevance: 1.5, APIs: 1, Instructions: 26
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LocalReAlloc.KERNELBASE(?,?,?,?,?,?,?,?,-14DD7C7A,-14DD7C7A), ref: 00668ECF

Memory Dump Source

Source File: 00000001.00000002.3546851366.0000000000661000.00000020.00000400.00020000.00000000.sdmp, Offset: 00660000, based on PE: true

Associated: 00000001.00000002.3546833938.0000000000660000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3546871324.000000000066F000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3546907022.0000000000672000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3546923524.0000000000676000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_660000_ctfmon.jbxd

Similarity

API ID: AllocLocal
String ID:
API String ID: 3494564517-0
Opcode ID: c06899cb25a6c39038a206807d3a7b8955f3b6702c936705e66354c4b9047273
Instruction ID: d1ffbe66820466a093844586775732c5732b8f75b5f2e4a1c0f62a0df8570cae
Opcode Fuzzy Hash: c06899cb25a6c39038a206807d3a7b8955f3b6702c936705e66354c4b9047273
Instruction Fuzzy Hash: 3BF0B2B06043449FDB00EF68D5C5A09BBF4BF44214F04C468E9888F306D670E844CB61

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report iQPxJrxxaj.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Pikabot

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

Statistics

CPU Usage

Windows Analysis Report
iQPxJrxxaj.exe

Function 0014E040 Relevance: 73.9, APIs: 26, Strings: 16, Instructions: 368
libraryloaderCOMMON

Function 0423997C Relevance: 39.2, APIs: 12, Strings: 10, Instructions: 722
threadCOMMON

Function 04232918 Relevance: 35.7, APIs: 10, Strings: 10, Instructions: 687
stringthreadCOMMON

Function 0423C6A0 Relevance: 30.1, APIs: 8, Strings: 9, Instructions: 387
threadCOMMON

Function 0423AF48 Relevance: 23.1, APIs: 9, Strings: 4, Instructions: 330
threadCOMMON

Function 0423A8A0 Relevance: 16.1, APIs: 4, Strings: 5, Instructions: 331
processCOMMON

Function 042310E8 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 140
processCOMMON

Function 001A0F00 Relevance: 88.4, APIs: 48, Strings: 2, Instructions: 854
COMMON

Function 0014B9A0 Relevance: 54.6, APIs: 29, Strings: 2, Instructions: 357
windowCOMMON

Function 0014F580 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 103
COMMON

Function 0014B630 Relevance: 18.1, APIs: 12, Instructions: 100
windowCOMMON

Function 04240008 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 130
threadCOMMON

Function 0423C100 Relevance: 16.0, APIs: 4, Strings: 5, Instructions: 213
COMMON

Function 04240810 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 101
windowtimethreadCOMMON

Function 04240D70 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 98
COMMON