
Windows Analysis Report
Login_msifar.txt.exe

Overview

General Information

Sample name: Login_msifar.txt.exe
Analysis ID: 1580459
MD5: 13dd101017041158be942e586719cdf1
SHA1: d917ed7a07cc1ffabd5dfb65f975dc0eedd1bdb0
SHA256: 2d1c88afa341777d212d56763f07c87c3b06e14fc15bf88792e6f906d79a2e9e

Detection

Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Sigma detected: Suspicious Double Extension File Execution
AI detected suspicious sample
Contains functionality to register a low level keyboard hook
Sample or dropped binary is a compiled AutoHotkey binary
Uses an obfuscated file name to hide its real file extension (double extension)
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
PE file contains executable resources (Code or Archives)
Potential key logger detected (key state polling based)
Program does not show much activity (idle)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)
Uses the system / local time for branch decision (may execute only at specific dates)

Classification

  • System is w10x64
  • Login_msifar.txt.exe (PID: 3560 cmdline: "C:\Users\user\Desktop\Login_msifar.txt.exe" MD5: 13DD101017041158BE942E586719CDF1)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Users\user\Desktop\Login_msifar.txt.exe", CommandLine: "C:\Users\user\Desktop\Login_msifar.txt.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\Login_msifar.txt.exe, NewProcessName: C:\Users\user\Desktop\Login_msifar.txt.exe, OriginalFileName: C:\Users\user\Desktop\Login_msifar.txt.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Users\user\Desktop\Login_msifar.txt.exe", ProcessId: 3560, ProcessName: Login_msifar.txt.exe
No Suricata rule has matched


AV Detection

Source: Submitted Sample | Integrated Neural Analysis Model: Matched 94.0% probability
Source: Login_msifar.txt.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: 0_2_00482870 FindFirstFileW,FindFirstFileW,FindClose,FindFirstFileW,FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: 0_2_00458060 GetFullPathNameW,GetFullPathNameW,GetFullPathNameW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,FindFirstFileW,GetLastError,GetTickCount,PeekMessageW,GetTickCount,MoveFileW,DeleteFileW,MoveFileW,CopyFileW,GetLastError,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: 0_2_00421100 FindFirstFileW,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,FindFirstFileW,FindFirstFileW,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,GetTickCount,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: 0_2_004213A0 FindFirstFileW,GetLastError,FindClose,FileTimeToLocalFileTime,FileTimeToSystemTime
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: 0_2_00421700 CreateFileW,GetFileSizeEx,CloseHandle,FindFirstFileW,GetLastError,FindClose
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: 0_2_00421850 GetFileAttributesW,FindFirstFileW,FindNextFileW,FindNextFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: 0_2_004ADB1B FindFirstFileExW
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: 0_2_0044AC00 FindFirstFileW,FindNextFileW,FindNextFileW,FindNextFileW,FindNextFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: 0_2_004570C0 InternetOpenW,InternetOpenUrlW,InternetOpenUrlW,GetLastError,InternetOpenUrlW,GetLastError,InternetCloseHandle,CreateFileW,GetLastError,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetReadFile,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,WriteFile,InternetReadFile,GetLastError,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CloseHandle,GetLastError,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CloseHandle,InternetReadFileExA,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,WriteFile,InternetReadFileExA,GetLastError,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,CloseHandle,DeleteFileW
Source: Login_msifar.txt.exe | String found in binary or memory: https://autohotkey.com
Source: Login_msifar.txt.exe | String found in binary or memory: https://autohotkey.comCould

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: 0_2_00413060 SetWindowsHookExW 0000000D,Function_0000E970,00000000
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: 0_2_00406D40 IsClipboardFormatAvailable,GetTickCount,GetTickCount,OpenClipboard,OpenClipboard,GetTickCount,OpenClipboard
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: 0_2_004067A0 GlobalAlloc,GlobalLock,GlobalFree,EmptyClipboard,GlobalUnlock,CloseClipboard,GlobalUnlock,GlobalUnlock,GlobalFree,GlobalUnlock,CloseClipboard,SetClipboardData,GlobalUnlock,CloseClipboard
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: 0_2_00484C60 EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalUnlock,CloseClipboard,GlobalFree,GlobalUnlock,CloseClipboard,GlobalUnlock,CloseClipboard
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: 0_2_00406C20 IsClipboardFormatAvailable,GetClipboardFormatNameW,GetClipboardData
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: 0_2_004281B0 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetDC,GetDC,GetLastError,DestroyIcon,DeleteObject,CreateCompatibleDC,GetIconInfo,DeleteObject,DeleteObject,DeleteObject,GetDC,CreateCompatibleDC,GetIconInfo,GetObjectW,CreateCompatibleBitmap,SelectObject,CreateSolidBrush,FillRect,DeleteObject,DrawIconEx,SelectObject,DeleteObject,DeleteObject,DeleteDC,ReleaseDC,DestroyIcon,CreateCompatibleDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GetLastError,ReleaseDC,DeleteObject,SelectObject,DeleteDC,DeleteObject
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: 0_2_0041C240 GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetTickCount
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: 0_2_004191D8 GetKeyState,GetKeyState,GetKeyState,GetForegroundWindow,GetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,AttachThreadInput,BlockInput,GetTickCount
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: 0_2_004191EC GetTickCount,GetKeyState,GetKeyState,GetKeyState,GetForegroundWindow,GetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,AttachThreadInput,BlockInput,GetTickCount
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: 0_2_00418248 CloseHandle,CloseHandle,CreateMutexW,GetLastError,GetWindowThreadProcessId,GetWindowThreadProcessId,GetModuleHandleW,GetProcAddress,SendMessageTimeoutW,AttachThreadInput,GetKeyboardLayout,__alloca_probe_16,BlockInput,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,PostMessageW,PostMessageW,GetTickCount,PeekMessageW,GetTickCount,PostMessageW,PostMessageW,PostMessageW,PostMessageW,GetKeyState,GetKeyState,GetKeyState,GetForegroundWindow,GetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetForegroundWindow,GetWindowThreadProcessId,AttachThreadInput,BlockInput,GetTickCount,GetForegroundWindow,GetWindowThreadProcessId
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: 0_2_0041828D CloseHandle,CloseHandle,CreateMutexW,GetLastError,GetWindowThreadProcessId,GetWindowThreadProcessId,GetModuleHandleW,GetProcAddress,AttachThreadInput,GetKeyboardLayout,__alloca_probe_16,BlockInput,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,GetKeyState,GetKeyState,GetKeyState,GetForegroundWindow,GetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,AttachThreadInput,BlockInput,GetTickCount
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: 0_2_00418296 CloseHandle,CloseHandle,CreateMutexW,GetLastError,GetWindowThreadProcessId,GetWindowThreadProcessId,GetModuleHandleW,GetProcAddress,AttachThreadInput,GetKeyboardLayout,__alloca_probe_16,BlockInput,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,GetKeyState,GetKeyState,GetKeyState,GetForegroundWindow,GetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,AttachThreadInput,BlockInput,GetTickCount
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: 0_2_0041829F CloseHandle,CloseHandle,CreateMutexW,GetLastError,GetWindowThreadProcessId,GetWindowThreadProcessId,GetModuleHandleW,GetProcAddress,AttachThreadInput,GetKeyboardLayout,__alloca_probe_16,BlockInput,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,GetKeyState,GetKeyState,GetKeyState,GetForegroundWindow,GetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,AttachThreadInput,BlockInput,GetTickCount
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: 0_2_004182A8 CloseHandle,CloseHandle,CreateMutexW,GetLastError,GetWindowThreadProcessId,GetWindowThreadProcessId,GetModuleHandleW,GetProcAddress,AttachThreadInput,GetKeyboardLayout,__alloca_probe_16,BlockInput,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,GetKeyState,GetKeyState,GetKeyState,GetForegroundWindow,GetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,AttachThreadInput,BlockInput,GetTickCount
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: 0_2_00418356 GetWindowThreadProcessId,GetWindowThreadProcessId,GetModuleHandleW,GetProcAddress,AttachThreadInput,GetKeyboardLayout,__alloca_probe_16,BlockInput,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,GetKeyState,GetKeyState,GetKeyState,GetForegroundWindow,GetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,AttachThreadInput,BlockInput,GetTickCount
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: 0_2_004183BF GetWindowThreadProcessId,GetWindowThreadProcessId,GetModuleHandleW,GetProcAddress,AttachThreadInput,GetKeyboardLayout,__alloca_probe_16,BlockInput,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,GetKeyState,GetKeyState,GetKeyState,GetForegroundWindow,GetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,AttachThreadInput,BlockInput,GetTickCount
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: 0_2_00418495 GetTickCount,GetCurrentThreadId,GetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetGUIThreadInfo,GetWindowThreadProcessId,GetKeyboardLayout,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,__alloca_probe_16,BlockInput,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,GetKeyState,GetKeyState,GetKeyState,GetForegroundWindow,GetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,AttachThreadInput,BlockInput,GetTickCount
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: 0_2_004186B2 __alloca_probe_16,BlockInput,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,GetKeyState,GetKeyState,GetKeyState,GetForegroundWindow,GetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,AttachThreadInput,BlockInput,GetTickCount
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: 0_2_00450960 GetKeyState,GetKeyState,GetKeyState,GetForegroundWindow,GetWindowThreadProcessId,GetKeyState

System Summary

Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Window found: window name: AutoHotkey
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: 0_2_0041F62A GetDriveTypeW,GetDriveTypeW,CreateFileW,DeviceIoControl,CloseHandle
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: 0_2_0044D360 GetFileAttributesW,__alloca_probe_16,__alloca_probe_16,__alloca_probe_16,CreateProcessWithLogonW,GetLastError,CreateProcessW,CloseHandle,CloseHandle,GetLastError,__alloca_probe_16,SetCurrentDirectoryW,SetCurrentDirectoryW,GetFileAttributesW,SetCurrentDirectoryW,SetCurrentDirectoryW,ShellExecuteExW,CloseHandle,CloseHandle,SetCurrentDirectoryW,GetLastError,FormatMessageW
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: 0_2_004585C0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: 0_2_004B6062
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: 0_2_0043D0A0
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: 0_2_0045D170
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: 0_2_0048B100
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: 0_2_00481110
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: 0_2_004271F0
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: 0_2_004281B0
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: 0_2_00418248
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: 0_2_0042B274
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: 0_2_004A2344
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: 0_2_0042D320
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: 0_2_004B03F6
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: 0_2_004415F0
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: 0_2_00465640
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: 0_2_00401623
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: 0_2_0048B6DE
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: 0_2_0048E6AC
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: 0_2_00425700
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: 0_2_0047D7A0
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: 0_2_004698E0
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: 0_2_004A69CE
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: 0_2_004A8A00
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: 0_2_00454AD0
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: 0_2_0042BAE0
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: 0_2_00427BC0
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: 0_2_00499B90
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: 0_2_0043EBB0
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: 0_2_0040EC50
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: 0_2_004B4C6A
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: 0_2_0045FC20
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: 0_2_00411D80
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: 0_2_00423E00
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: 0_2_004A1FE5
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: 0_2_004B5FA8
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: String function: 0049BFA0 appears 34 times
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: String function: 0049CA21 appears 32 times
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: String function: 0040E150 appears 40 times
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: String function: 004B57A0 appears 35 times
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: String function: 0049EE91 appears 159 times
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: String function: 0040C830 appears 102 times
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: String function: 0049F012 appears 48 times
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: String function: 0040D460 appears 54 times
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: String function: 00481800 appears 37 times
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: String function: 0040D660 appears 65 times
Source: Login_msifar.txt.exe | Static PE information: Resource name: RT_VERSION type: MIPSEB-LE MIPS-III ECOFF executable not stripped - version 0.79
Source: Login_msifar.txt.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine | Classification label: mal64.spyw.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: 0_2_0044D360 GetFileAttributesW,__alloca_probe_16,__alloca_probe_16,__alloca_probe_16,CreateProcessWithLogonW,GetLastError,CreateProcessW,CloseHandle,CloseHandle,GetLastError,__alloca_probe_16,SetCurrentDirectoryW,SetCurrentDirectoryW,GetFileAttributesW,SetCurrentDirectoryW,SetCurrentDirectoryW,ShellExecuteExW,CloseHandle,CloseHandle,SetCurrentDirectoryW,GetLastError,FormatMessageW
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: 0_2_004585C0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: 0_2_0041F550 GetDiskFreeSpaceExW
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: 0_2_00458650 OpenProcess,GetProcessId,WaitForSingleObject,CloseHandle,GetLastError,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,Process32NextW,CloseHandle,CloseHandle,CloseHandle
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: 0_2_00450310 GetFileAttributesW,__alloca_probe_16,CoCreateInstance,SHCreateItemFromParsingName,PostMessageW,IsWindow,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: 0_2_004837A0 LoadLibraryExW,EnumResourceNamesW,FindResourceW,LoadResource,LockResource,GetSystemMetrics,FindResourceW,LoadResource,LockResource,SizeofResource,CreateIconFromResourceEx,FreeLibrary,ExtractIconW,ExtractIconW
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Command line argument: AutoHotkey (0_2_00404660)
Source: Login_msifar.txt.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Login_msifar.txt.exe | String found in binary or memory: HG@Q@Can't open clipboard for reading.GlobalLockAn internal function call failed.Can't open clipboard for writing.EmptyClipboardSetClipboardDataLink SourceObjectLinkOwnerLinkNativeEmbed SourceMSDEVColumnSelectMSDEVLineSelectudptcp65535%ugetaddrinfogetnameinfofreeaddrinfo\ws2_32\wship6Auto-executerunstep_intostep_overstep_outbreakstopdetachstatusstack_getstack_depthcontext_getcontext_namesproperty_getproperty_setproperty_valuefeature_getfeature_setbreakpoint_setbreakpoint_getbreakpoint_updatebreakpoint_removebreakpoint_liststdoutstderrtypemap_getsourceexceptionerror -startingrunning<response command="status" status="%s" reason="ok" transaction_id="%e"/>language_supports_threads0nameAutoHotkeyversionencodingUTF-8protocol_versionsupports_async1breakpoint_typesline exceptionmultiple_sessionsmax_datamax_childrenmax_depth<response command="feature_get" feature_name="%e" supported="%i" transaction_id="%e">%s</response><response command="feature_set" feature="%e" success="%i" transaction_id="%e"/>enableddisabledAnyline<response command="breakpoint_set" transaction_id="%e" state="%s" id="%i"/><breakpoint id="%i" type="line" state="%s" filename="%r" lineno="%u"/><breakpoint id="%i" type="exception" state="%s" exception="Any"/><response command="breakpoint_get" transaction_id="%e"></response><response command="breakpoint_list" transaction_id="%e"><response command="stack_depth" depth="%i" transaction_id="%e"/><response command="stack_get" transaction_id="%e"><stack level="%i" type="file" filename="%r" lineno="%u" where="%e thread%e()"/><response command="context_names" transaction_id="%e"><context name="Local" id="0"/><context name="Global" id="1"/></response><response command="context_get" context="%i" transaction_id="%e"><response command="typemap_get" transaction_id="%e" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><map type="string" name="string" xsi:type="xsd:string"/><map type="int" name="integer" xsi:type="xsd:long"/><map type="float" name="float" xsi:type="xsd:double"/><map type="object" name="object"/></response>__Enumobject<enum> Alias Builtin Staticstringintegerfloatundefined<property name="%e" fullname="%e" type="%s" facet="%s" children="0" encoding="base64" size="</property>.%s%u">.[(<exception>Object(<base><enum><response command="property_get" transaction_id="%e"><response command="property_value" transaction_id="%e" encoding="base64" size="<response command="property_set" success="%i" transaction_id="%e"/><response command="source" success="1" transaction_id="%e" encoding="base64"><response command="source" success="0" transaction_id="%e"/><response command="%s" success="1" transaction_id="%e"/><stream type="%s"></stream><response command="%s" transaction_id="%e"><error code="%i"/></response><response command="%s" transaction_id="%e"/><response command="%s" status="%s" reason="%s" transaction_id="%e"/>An internal error has occurred in the debugger engine.
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Section loaded: iconcodecservice.dll
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Section loaded: wldp.dll
Source: Login_msifar.txt.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: 0_2_0041E270 GetModuleHandleW,GetModuleHandleW,GetModuleHandleW,GetModuleHandleW,GetModuleHandleW,WideCharToMultiByte,GetProcAddress,GetProcAddress,GetProcAddress,WideCharToMultiByte,GetModuleHandleW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: 0_2_004B5381 push ecx; ret (at 0_2_004B5394)
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: 0_2_0047E750 push ecx; mov dword ptr [esp], ecx (at 0_2_0047E751)
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: 0_2_004B5980 push eax; ret (at 0_2_004B599E)

Hooking and other Techniques for Hiding and Protection

barindex
Source: Possible double extension: txt.exeStatic PE information: Login_msifar.txt.exe
Source: C:\Users\user\Desktop\Login_msifar.txt.exeCode function: 0_2_00469060 GetWindowLongW,GetWindowLongW,GetWindowLongW,SetWindowLongW,SetWindowPos,IsWindow,SetParent,EnableWindow,IsWindowVisible,IsIconic,InvalidateRect,0_2_00469060
Source: C:\Users\user\Desktop\Login_msifar.txt.exeCode function: 0_2_0044F140 SendMessageW,IsWindowVisible,ShowWindow,ShowWindow,IsIconic,ShowWindow,GetForegroundWindow,SetForegroundWindow,SendMessageW,0_2_0044F140
Source: C:\Users\user\Desktop\Login_msifar.txt.exeCode function: 0_2_00455440 GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,CreateDCW,GetDC,GetPixel,DeleteDC,ReleaseDC,0_2_00455440
Source: C:\Users\user\Desktop\Login_msifar.txt.exeCode function: 0_2_004704C0 SendMessageW,SendMessageW,GetWindowLongW,IsWindowVisible,IsIconic,GetFocus,GetWindowRect,GetPropW,ShowWindow,GetUpdateRect,SendMessageW,GetWindowLongW,ShowWindow,EnableWindow,GetWindowRect,PtInRect,PtInRect,SetFocus,SendMessageW,ShowWindow,SetFocus,InvalidateRect,InvalidateRect,InvalidateRect,MapWindowPoints,InvalidateRect,0_2_004704C0
Source: C:\Users\user\Desktop\Login_msifar.txt.exeCode function: 0_2_0046C5B0 IsZoomed,IsIconic,MulDiv,MulDiv,ShowWindow,MulDiv,MulDiv,MulDiv,IsIconic,GetWindowLongW,GetWindowRect,GetParent,GetWindowLongW,GetWindowRect,GetWindowRect,MapWindowPoints,GetWindowLongW,GetWindowLongW,GetWindowRect,GetWindowRect,GetClientRect,IsWindowVisible,GetWindowLongW,GetMenu,GetWindowLongW,AdjustWindowRectEx,GetSystemMetrics,GetSystemMetrics,SendMessageW,GetClientRect,SystemParametersInfoW,GetWindowRect,IsZoomed,ShowWindow,ScreenToClient,MoveWindow,GetForegroundWindow,DefDlgProcW,ShowWindow,IsWindowVisible,GetAncestor,GetForegroundWindow,GetFocus,UpdateWindow,SetFocus,0_2_0046C5B0
Source: C:\Users\user\Desktop\Login_msifar.txt.exeCode function: 0_2_0046C5B0 IsZoomed,IsIconic,MulDiv,MulDiv,ShowWindow,MulDiv,MulDiv,MulDiv,IsIconic,GetWindowLongW,GetWindowRect,GetParent,GetWindowLongW,GetWindowRect,GetWindowRect,MapWindowPoints,GetWindowLongW,GetWindowLongW,GetWindowRect,GetWindowRect,GetClientRect,IsWindowVisible,GetWindowLongW,GetMenu,GetWindowLongW,AdjustWindowRectEx,GetSystemMetrics,GetSystemMetrics,SendMessageW,GetClientRect,SystemParametersInfoW,GetWindowRect,IsZoomed,ShowWindow,ScreenToClient,MoveWindow,GetForegroundWindow,DefDlgProcW,ShowWindow,IsWindowVisible,GetAncestor,GetForegroundWindow,GetFocus,UpdateWindow,SetFocus,0_2_0046C5B0
Source: C:\Users\user\Desktop\Login_msifar.txt.exeCode function: 0_2_00465640 MulDiv,MulDiv,GetDC,SelectObject,GetTextMetricsW,MulDiv,GetSystemMetrics,MulDiv,GetDC,SelectObject,GetTextMetricsW,GetSystemMetrics,GetDC,SelectObject,GetTextMetricsW,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,DrawTextW,DrawTextW,GetCharABCWidthsW,MulDiv,GetSystemMetrics,GetSystemMetrics,MulDiv,MulDiv,MulDiv,MulDiv,GetDC,SelectObject,GetTextMetricsW,MulDiv,GetSystemMetrics,IsWindowVisible,IsIconic,MapWindowPoints,GetPropW,SendMessageW,GetWindowLongW,SendMessageW,MoveWindow,SetWindowLongW,GetWindowRect,SetWindowTheme,InvalidateRect,CreateWindowExW,CreateWindowExW,DestroyWindow,CreateWindowExW,CreateWindowExW,CreateWindowExW,CreateWindowExW,MulDiv,MulDiv,SelectObject,ReleaseDC,SendMessageW,SendMessageW,SendMessageW,GetClientRect,SendMessageW,SendMessageW,SendMessageW,SetWindowPos,SetWindowPos,SetWindowPos,0_2_00465640
Source: C:\Users\user\Desktop\Login_msifar.txt.exeCode function: 0_2_00485B00 GetWindowThreadProcessId,GetWindowThreadProcessId,GetModuleHandleW,GetProcAddress,SendMessageTimeoutW,GetForegroundWindow,GetForegroundWindow,IsIconic,ShowWindow,SetForegroundWindow,GetForegroundWindow,GetWindow,GetWindowThreadProcessId,GetModuleHandleW,GetProcAddress,SendMessageTimeoutW,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,GetForegroundWindow,GetWindow,SetForegroundWindow,GetForegroundWindow,GetWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,BringWindowToTop,0_2_00485B00
Source: C:\Users\user\Desktop\Login_msifar.txt.exeCode function: 0_2_00482D40 GetCursorPos,GetForegroundWindow,IsIconic,GetWindowRect,ClientToScreen,0_2_00482D40
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: 0_2_00436D00 IsZoomed,IsIconic
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Window / User API: foregroundWindowGot 1023
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | API coverage: 1.6 %
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: 0_2_0041C900 GetKeyboardLayout followed by cmp: cmp cl, 00000019h and CTI: ja 0041CA11h country: Russian (ru)
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: 0_2_00410C90 GetKeyboardLayout followed by cmp: cmp dword ptr [004ea8c4h], ebp and CTI: je 00410E7Fh
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: 0_2_0042BAE0 GetLocalTime followed by cmp: cmp eax, 09h and CTI: jne 0042BC08h
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: 0_2_0042BAE0 GetLocalTime followed by cmp: cmp di, dx and CTI: je 0042BDA8h
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: 0_2_00482870 FindFirstFileW,FindFirstFileW,FindClose,FindFirstFileW,FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: 0_2_00458060 GetFullPathNameW,GetFullPathNameW,GetFullPathNameW,GetFileAttributesW,GetFileAttributesW,GetFileAttributesW,FindFirstFileW,GetLastError,GetTickCount,PeekMessageW,GetTickCount,MoveFileW,DeleteFileW,MoveFileW,CopyFileW,GetLastError,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: 0_2_00421100 FindFirstFileW,FindFirstFileW,GetTickCount,PeekMessageW,GetTickCount,FindNextFileW,FindClose,FindFirstFileW,FindFirstFileW,GetTickCount,GetTickCount,PeekMessageW,GetTickCount,GetTickCount,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: 0_2_004213A0 FindFirstFileW,GetLastError,FindClose,FileTimeToLocalFileTime,FileTimeToSystemTime
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: 0_2_00421700 CreateFileW,GetFileSizeEx,CloseHandle,FindFirstFileW,GetLastError,FindClose
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: 0_2_00421850 GetFileAttributesW,FindFirstFileW,FindNextFileW,FindNextFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: 0_2_004ADB1B FindFirstFileExW
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: 0_2_0044AC00 FindFirstFileW,FindNextFileW,FindNextFileW,FindNextFileW,FindNextFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: 0_2_004191D8 GetKeyState,GetKeyState,GetKeyState,GetForegroundWindow,GetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,AttachThreadInput,BlockInput,GetTickCount
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: 0_2_004AB58B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: 0_2_0041E270 GetModuleHandleW,GetModuleHandleW,GetModuleHandleW,GetModuleHandleW,GetModuleHandleW,WideCharToMultiByte,GetProcAddress,GetProcAddress,GetProcAddress,WideCharToMultiByte,GetModuleHandleW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: 0_2_004AD930 GetProcessHeap
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: 0_2_0049C151 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: 0_2_0049BD9E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: 0_2_0049BF2B SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: 0_2_0044D360 GetFileAttributesW,__alloca_probe_16,__alloca_probe_16,__alloca_probe_16,CreateProcessWithLogonW,GetLastError,CreateProcessW,CloseHandle,CloseHandle,GetLastError,__alloca_probe_16,SetCurrentDirectoryW,SetCurrentDirectoryW,GetFileAttributesW,SetCurrentDirectoryW,SetCurrentDirectoryW,ShellExecuteExW,CloseHandle,CloseHandle,SetCurrentDirectoryW,GetLastError,FormatMessageW
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: 0_2_00419AF0 PeekMessageW,GetCurrentThreadId,MapVirtualKeyW,GetKeyboardState,SetKeyboardState,SetKeyboardState,SetKeyboardState,SetKeyboardState,SetKeyboardState,SetKeyboardState,PostMessageW,PostMessageW,PostMessageW,GetForegroundWindow,GetWindowThreadProcessId,GetGUIThreadInfo,GetWindowThreadProcessId,GetKeyboardLayout,keybd_event,keybd_event
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: 0_2_0041A7A0 GetSystemMetrics,mouse_event,mouse_event,mouse_event,mouse_event
Source: Login_msifar.txt.exe | Binary or memory string: Program Manager
Source: Login_msifar.txt.exe | Binary or memory string: Shell_TrayWnd
Source: Login_msifar.txt.exe | Binary or memory string: WMahk_groupTarget window not found.PosTarget control not found.%uCountSelectedFocusedind+-^HwndShell_TrayWndRtlGetVersionntdll.dll%u.%u.%u%s: %s...%s[%Iu of %Iu]: %-1.60s%sMinHide<object>AltTabShiftAltTabAltTabMenuAltTabAndMenuAltTabMenuDismissAbsACosASinATanCaretGetPosCeilChrComCallComObjActiveComObjConnectComObjFlagsComObjFromPtrComObjGetComObjQueryComObjTypeComObjValueCosDllCallExpFileOpenFloorFormatFormatTimeGetMethodHasBaseHasMethodHasPropInStrIsAlnumIsAlphaIsDigitIsFloatIsIntegerIsLowerIsNumberIsObjectIsSetRefIsSpaceIsTimeIsUpperIsXDigitLnLogLTrimModNumGetNumPutObjAddRefObjBindMethodObjFromPtrObjFromPtrAddRefObjGetBaseObjGetCapacityObjHasOwnPropObjOwnPropCountObjOwnPropsObjPtrObjPtrAddRefObjReleaseObjSetBaseObjSetCapacityOrdRegCreateKeyRegDeleteRegDeleteKeyRegExMatchRegExReplaceRegReadRegWriteRoundRTrimRunWaitSinSoundGetInterfaceSoundGetMuteSoundGetNameSoundGetVolumeSoundSetMuteSoundSetVolumeSplitPathSqrtStrCompareStrGetStrLenStrLowerStrPtrStrPutStrReplaceStrTitleStrUpperSubStrTanTrimTypeVarSetStrCapacityVerCompareWinActiveWinExistAhkPathAhkVersionAllowMainWindowAppDataAppDataCommonClipboardComputerNameControlDelayCoordModeCaretCoordModeMenuCoordModeMouseCoordModePixelCoordModeToolTipCursorDDDDDDDDDDefaultMouseSpeedDesktopDesktopCommonEndCharEventInfoHotkeyIntervalHotkeyModifierTimeoutHourIconFileIconHiddenIconNumberIconTipIndexInitialWorkingDirIs64bitOSIsAdminIsCompiledIsCriticalIsPausedIsSuspendedKeyDelayKeyDelayPlayKeyDurationKeyDurationPlayLanguageLastErrorLineFileLineNumberLoopFieldLoopFileAttribLoopFileDirLoopFileExtLoopFileFullPathLoopFileNameLoopFilePathLoopFileShortNameLoopFileShortPathLoopFileSizeLoopFileSizeKBLoopFileSizeMBLoopFileTimeAccessedLoopFileTimeCreatedLoopFileTimeModifiedLoopReadLineLoopRegKeyLoopRegNameLoopRegTimeModifiedLoopRegTypeMaxHotkeysPerIntervalMDayMenuMaskKeyMMMonMouseDelayMouseDelayPlayMyDocumentsNowNowUTCOSVersionPriorHotkeyPriorKeyProgramFilesProgramsProgramsCommonPtrSizeRegViewScreenDPIScreenHeightScreenWidthScriptDirScriptFullPathScriptHwndScriptNameSecStartMenuStartMenuCommonStartupStartupCommonStoreCapsLockModeThisFuncThisHotkeyTickCountTimeIdleTimeIdleKeyboardTimeIdleMouseTimeIdlePhysicalTimeSincePriorHotkeyTimeSinceThisHotkeyTitleMatchModeTitleMatchModeSpeedTrayMenuUserNameWinDelayWinDirWorkingDirYearYYYY.ahk - %sRegClassCreateWindowConsolasHICON:"%s"notepad.exeCould not open script./include "%s" /restart /script "%s"Script file not found.%s
Source: Login_msifar.txt.exe | Binary or memory string: 'Mmsctls_statusbar321No StatusBar.Press OK to continue.IsHungAppWindowahk_idpidProgram ManagerError text not found (please report)Q\E{0,DEFINEUTF16)UCP)NO_START_OPT)CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument is compiled in 8 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: 0_2_0049BBBA cpuid
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: 0_2_004214F0 SystemTimeToFileTime,LocalFileTimeToFileTime,GetSystemTimeAsFileTime
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: 0_2_00431820 GetComputerNameW,GetUserNameW
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: 0_2_00401090 GetModuleHandleW,GetProcAddress,RtlGetVersion,GetVersionExW
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: 0_2_00452AE0 AddClipboardFormatListener,RemoveClipboardFormatListener
Source: C:\Users\user\Desktop\Login_msifar.txt.exe | Code function: 0_2_00438B70 UnhookWindowsHookEx,UnregisterHotKey,Shell_NotifyIconW,RemoveClipboardFormatListener,OleFlushClipboard,DestroyWindow,DeleteObject,DestroyIcon,DestroyIcon,DestroyIcon,RemoveMenu,RemoveMenu,DestroyMenu,DeleteObject,IsWindow,IsWindow,DestroyWindow,mciSendStringW,mciSendStringW,mciSendStringW,DeleteCriticalSection,OleUninitialize
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
--- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---
Gather Victim Identity Information | Acquire Infrastructure | 1 Valid Accounts | 1 Native API | 1 DLL Side-Loading | 1 Exploitation for Privilege Escalation | 1 Disable or Modify Tools | 121 Input Capture | 11 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
Credentials | Domains | Default Accounts | 3 Command and Scripting Interpreter | 1 Valid Accounts | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 1 Account Discovery | Remote Desktop Protocol | 1 Screen Capture | 1 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 Valid Accounts | 12 Obfuscated Files or Information | Security Account Manager | 1 File and Directory Discovery | SMB/Windows Admin Shares | 121 Input Capture | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 11 Access Token Manipulation | 1 DLL Side-Loading | NTDS | 24 System Information Discovery | Distributed Component Object Model | 3 Clipboard Data | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 1 Process Injection | 1 Masquerading | LSA Secrets | 2 Security Software Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Valid Accounts | Cached Domain Credentials | 2 Process Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 11 Access Token Manipulation | DCSync | 11 Application Window Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Process Injection | Proc Filesystem | 1 System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
No Antivirus matches
Source | Detection | Scanner | Label
--- | --- | --- | ---
https://autohotkey.comCould | 0% | Avira URL Cloud | safe
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
--- | --- | --- | --- | ---
https://autohotkey.com | Login_msifar.txt.exe | false | | high
https://autohotkey.comCould | Login_msifar.txt.exe | false | Avira URL Cloud: safe | unknown
    No contacted IP infos
    Joe Sandbox version:41.0.0 Charoite
    Analysis ID:1580459
    Start date and time:2024-12-24 16:18:25 +01:00
    Joe Sandbox product:CloudBasic
    Overall analysis duration:0h 4m 17s
    Hypervisor based Inspection enabled:false
    Report type:full
    Cookbook file name:default.jbs
    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
    Number of new started processes analysed:4
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • HCA enabled
    • EGA enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Sample name:Login_msifar.txt.exe
    Detection:MAL
    Classification:mal64.spyw.evad.winEXE@1/0@0/0
    EGA Information:
    • Successful, ratio: 100%
    HCA Information:
    • Successful, ratio: 100%
    • Number of executed functions: 15
    • Number of non-executed functions: 213
    Cookbook Comments:
    • Found application associated with file extension: .exe
    • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
    • Excluded IPs from analysis (whitelisted): 13.107.246.63, 4.245.163.56
    • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
    • Report size exceeded maximum capacity and may have missing disassembly code.
    • VT rate limit hit for: Login_msifar.txt.exe
    Time | Type | Description
    --- | --- | ---
    10:19:14 | API Interceptor | 1x Sleep call for process: Login_msifar.txt.exe modified
    No context
    No created / dropped files found
    File type:PE32 executable (GUI) Intel 80386, for MS Windows
    Entropy (8bit):6.480374510748463
    TrID:
    • Win32 Executable (generic) a (10002005/4) 99.96%
    • Generic Win/DOS Executable (2004/3) 0.02%
    • DOS Executable Generic (2002/1) 0.02%
    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
    File name:Login_msifar.txt.exe
    File size:978'432 bytes
    MD5:13dd101017041158be942e586719cdf1
    SHA1:d917ed7a07cc1ffabd5dfb65f975dc0eedd1bdb0
    SHA256:2d1c88afa341777d212d56763f07c87c3b06e14fc15bf88792e6f906d79a2e9e
    SHA512:1ba52bda27893ecefcbd452653c2b0b3a416af05526416f10be44c7b5fcdc4175a22ad4bffdec2ff50d6cf36fe4625857ddfa2b7195480ca7026070456944c8e
    SSDEEP:24576:B93+x/P90TtURRZB8sz6su3BR7H1laslJf8Jjx:BU4UClaslt8JF
    TLSH:74257C53B3D3C2B1DFD215F3D5B66A365939B8380B3C89CBB2C0582ED9A16C05A36716
    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........IK.n.K.n.K.n...m.E.n..vk.g.n..vj.].n..vm.R.n...j.P.n...k...n...h.J.n...o.j.n.K.o...n..um.J.n..ug...n..u..J.n..ul.J.n.RichK.n
    Icon Hash:4bccccc4cccc4c31
    Entrypoint:0x49ba99
    Entrypoint Section:.text
    Digitally signed:false
    Imagebase:0x400000
    Subsystem:windows gui
    Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
    DLL Characteristics:
    Time Stamp:0x6688FF20 [Sat Jul 6 08:24:00 2024 UTC]
    TLS Callbacks:
    CLR (.Net) Version:
    OS Version Major:6
    OS Version Minor:0
    File Version Major:6
    File Version Minor:0
    Subsystem Version Major:6
    Subsystem Version Minor:0
    Import Hash:65bccdf14c0d5a5e2ec64b3d11f0f1cf
    Instruction
    call 00007F0964EF5929h
    jmp 00007F0964EF520Fh
    push ebp
    mov ebp, esp
    push esi
    push dword ptr [ebp+08h]
    mov esi, ecx
    call 00007F0964EF53EDh
    mov dword ptr [esi], 004B8960h
    mov eax, esi
    pop esi
    pop ebp
    retn 0004h
    and dword ptr [ecx+04h], 00000000h
    mov eax, ecx
    and dword ptr [ecx+08h], 00000000h
    mov dword ptr [ecx+04h], 004B8968h
    mov dword ptr [ecx], 004B8960h
    ret
    push ebp
    mov ebp, esp
    push esi
    push dword ptr [ebp+08h]
    mov esi, ecx
    call 00007F0964EF53BAh
    mov dword ptr [esi], 004B897Ch
    mov eax, esi
    pop esi
    pop ebp
    retn 0004h
    and dword ptr [ecx+04h], 00000000h
    mov eax, ecx
    and dword ptr [ecx+08h], 00000000h
    mov dword ptr [ecx+04h], 004B8984h
    mov dword ptr [ecx], 004B897Ch
    ret
    push ebp
    mov ebp, esp
    push esi
    mov esi, ecx
    lea eax, dword ptr [esi+04h]
    mov dword ptr [esi], 004B8940h
    and dword ptr [eax], 00000000h
    and dword ptr [eax+04h], 00000000h
    push eax
    mov eax, dword ptr [ebp+08h]
    add eax, 04h
    push eax
    call 00007F0964EF6F0Dh
    pop ecx
    pop ecx
    mov eax, esi
    pop esi
    pop ebp
    retn 0004h
    lea eax, dword ptr [ecx+04h]
    mov dword ptr [ecx], 004B8940h
    push eax
    call 00007F0964EF6F58h
    pop ecx
    ret
    push ebp
    mov ebp, esp
    push esi
    mov esi, ecx
    lea eax, dword ptr [esi+04h]
    mov dword ptr [esi], 004B8940h
    push eax
    call 00007F0964EF6F41h
    test byte ptr [ebp+08h], 00000001h
    pop ecx
    Name | Virtual Address | Virtual Size | Is in Section
    --- | --- | --- | ---
    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_IMPORT | 0xdf67c | 0x154 | .rdata
    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xec000 | 0x8554 | .rsrc
    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_DEBUG | 0xdccf0 | 0x38 | .rdata
    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xdcc30 | 0x40 | .rdata
    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_IAT | 0xb8000 | 0x7ac | .rdata
    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
    Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
    --- | --- | --- | --- | --- | --- | --- | --- | --- | ---
    .text | 0x1000 | 0xb60b6 | 0xb6200 | 886085584fbe978f64260b3fab6a2776 | False | 0.5479648357069321 | data | 6.61277580602873 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    .rdata | 0xb8000 | 0x29f5c | 0x2a000 | 8378d84e882733acbbcdb41f7f03e25e | False | 0.2701416015625 | data | 4.970753590466824 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    .data | 0xe2000 | 0x91a4 | 0x6200 | 8ca4cc3b59ea27036c101dfe1cd79489 | False | 0.28188775510204084 | DOS executable (block device driver) | 3.6658726808639046 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    .rsrc | 0xec000 | 0x8554 | 0x8600 | 2270f53d134986173ada768cb47b30c4 | False | 0.4237115205223881 | data | 6.298520570729558 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    Name | RVA | Size | Type | Language | Country | ZLIB Complexity
    --- | --- | --- | --- | --- | --- | ---
    RT_ICON | 0xec820 | 0x244 | PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced | English | United States | 1.0189655172413794
    RT_ICON | 0xeca64 | 0x197 | PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced | English | United States | 1.0221130221130221
    RT_ICON | 0xecbfc | 0x1d1 | PNG image data, 20 x 20, 8-bit/color RGBA, non-interlaced | English | United States | 1.0236559139784946
    RT_ICON | 0xecdd0 | 0x229 | PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced | English | United States | 1.0198915009041591
    RT_ICON | 0xecffc | 0x26f | PNG image data, 28 x 28, 8-bit/color RGBA, non-interlaced | English | United States | 1.0176565008025682
    RT_ICON | 0xed26c | 0x322 | PNG image data, 40 x 40, 8-bit/color RGBA, non-interlaced | English | United States | 1.013715710723192
    RT_ICON | 0xed590 | 0x3ab | PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced | English | United States | 1.0117145899893503
    RT_ICON | 0xed93c | 0x413 | PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced | English | United States | 1.0105465004793863
    RT_ICON | 0xedd50 | 0x26b | PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced | English | United States | 1.0177705977382876
    RT_ICON | 0xedfbc | 0x19b | PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced | English | United States | 1.0170316301703164
    RT_ICON | 0xee158 | 0x1d8 | PNG image data, 20 x 20, 8-bit/color RGBA, non-interlaced | English | United States | 1.0233050847457628
    RT_ICON | 0xee330 | 0x22a | PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced | English | United States | 1.01985559566787
    RT_ICON | 0xee55c | 0x252 | PNG image data, 28 x 28, 8-bit/color RGBA, non-interlaced | English | United States | 1.0185185185185186
    RT_ICON | 0xee7b0 | 0x16e | PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced | English | United States | 1.005464480874317
    RT_ICON | 0xee920 | 0x1b0 | PNG image data, 20 x 20, 8-bit/color RGBA, non-interlaced | English | United States | 1.0208333333333333
    RT_ICON | 0xeead0 | 0x1ed | PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced | English | United States | 1.0223123732251522
    RT_ICON | 0xeecc0 | 0x22a | PNG image data, 28 x 28, 8-bit/color RGBA, non-interlaced | English | United States | 1.01985559566787
    RT_ICON | 0xeeeec | 0x203 | PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced | English | United States | 1.021359223300971
    RT_ICON | 0xef0f0 | 0x163 | PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced | English | United States | 1.008450704225352
    RT_ICON | 0xef254 | 0x19f | PNG image data, 20 x 20, 8-bit/color RGBA, non-interlaced | English | United States | 1.0192771084337349
    RT_ICON | 0xef3f4 | 0x1d6 | PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced | English | United States | 1.023404255319149
    RT_ICON | 0xef5cc | 0x20f | PNG image data, 28 x 28, 8-bit/color RGBA, non-interlaced | English | United States | 1.0208728652751422
    RT_ICON | 0xef7dc | 0x1f0 | PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced | English | United States | 1.0181451612903225
    RT_ICON | 0xef9cc | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.22396810506566603
    RT_ICON | 0xf0a74 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.15228215767634853
    RT_ICON | 0xf301c | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.40425531914893614
    RT_ICON | 0xf3484 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 640 | English | United States | 0.43548387096774194
    RT_MENU | 0xf376c | 0x2c8 | data | English | United States | 0.46207865168539325
    RT_DIALOG | 0xf3a34 | 0xe0 | data | English | United States | 0.6339285714285714
    RT_DIALOG | 0xf3b14 | 0x18e | data | English | United States | 0.5150753768844221
    RT_ACCELERATOR | 0xf3ca4 | 0x48 | data | English | United States | 0.8194444444444444
    RT_RCDATA | 0xf3cec | 0x70 | ASCII text | English | United States | 0.8928571428571429
    RT_GROUP_ICON | 0xf3d5c | 0x76 | data | English | United States | 0.7372881355932204
    RT_GROUP_ICON | 0xf3dd4 | 0x3e | data | English | United States | 0.8870967741935484
    RT_GROUP_ICON | 0xf3e14 | 0x4c | data | English | United States | 0.8157894736842105
    RT_GROUP_ICON | 0xf3e60 | 0x4c | data | English | United States | 0.7763157894736842
    RT_GROUP_ICON | 0xf3eac | 0x4c | data | English | United States | 0.8026315789473685
    RT_VERSION | 0xf3ef8 | 0x140 | MIPSEB-LE MIPS-III ECOFF executable not stripped - version 0.79 | English | United States | 0.58125
    RT_MANIFEST | 0xf4038 | 0x519 | ASCII text, with very long lines (1305), with no line terminators | English | United States | 0.47662835249042146
    DLL | Import
    --- | ---
    WSOCK32.dll | WSAGetLastError, getservbyname, htonl, send, recv, inet_addr, WSAAsyncSelect, inet_ntoa, gethostbyname, WSASetLastError, ioctlsocket, htons, gethostbyaddr, getservbyport, ntohs, WSAStartup, gethostname, shutdown, WSACleanup, closesocket, connect, socket
    WINMM.dll | joyGetPosEx, mciSendStringW, joyGetDevCapsW
    VERSION.dll | GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
    COMCTL32.dll | ImageList_GetIconSize, ImageList_Create, ImageList_Destroy, ImageList_AddMasked, ImageList_ReplaceIcon, CreateStatusWindowW
    PSAPI.DLL | GetProcessImageFileNameW
    WININET.dll | InternetCloseHandle, InternetReadFileExA, InternetReadFile, InternetOpenW, InternetOpenUrlW
    SHLWAPI.dll | StrCmpLogicalW
    UxTheme.dll | EnableThemeDialogTexture, SetWindowTheme, IsAppThemed
    dwmapi.dll | DwmGetWindowAttribute
    KERNEL32.dll | GlobalFree, GlobalUnlock, WideCharToMultiByte, GetCPInfo, GetSystemDirectoryA, LoadLibraryA, GetProcAddress, FreeLibrary, GetCurrentThreadId, GetEnvironmentVariableW, IsValidCodePage, LoadLibraryW, GetLastError, OutputDebugStringW, lstrcmpiW, GetStringTypeExW, CreateThread, SetThreadPriority, GetExitCodeThread, CloseHandle, CreateMutexW, VirtualProtect, SetLastError, GetModuleHandleW, GetDiskFreeSpaceExW, GetDriveTypeW, CreateFileW, DeviceIoControl, SetVolumeLabelW, GetVolumeInformationW, GetDiskFreeSpaceW, SetEnvironmentVariableW, MultiByteToWideChar, GetFullPathNameW, GetFileAttributesW, CreateDirectoryW, ReadFile, DeleteFileW, LoadResource, LockResource, WriteFile, SizeofResource, SetCurrentDirectoryW, CompareStringOrdinal, CopyFileW, SetFileAttributesW, FindFirstFileW, FindNextFileW, FindClose, FileTimeToLocalFileTime, LocalFileTimeToFileTime, GlobalLock, SetFileTime, GetFileSizeEx, MoveFileW, GetCurrentProcessId, OpenProcess, TerminateProcess, SetPriorityClass, GetProcessId, QueryDosDeviceW, EnterCriticalSection, LeaveCriticalSection, Beep, GetLocalTime, GetDateFormatW, GetTimeFormatW, GetDateFormatEx, GetTickCount64, GetSystemTime, GetSystemDefaultUILanguage, GetComputerNameW, GetCurrentDirectoryW, GetSystemWindowsDirectoryW, GetTempPathW, WaitForSingleObject, GetExitCodeProcess, WriteProcessMemory, ReadProcessMemory, GetVersionExW, InitializeCriticalSection, DeleteCriticalSection, GetModuleFileNameW, SetDllDirectoryW, GetModuleHandleExW, GetShortPathNameW, CreateProcessW, FormatMessageW, CompareStringW, RemoveDirectoryW, GetCurrentProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, GetPrivateProfileStringW, GetPrivateProfileSectionW, GetPrivateProfileSectionNamesW, WritePrivateProfileStringW, WritePrivateProfileSectionW, SetEndOfFile, GetACP, GetFileType, GetStdHandle, SetFilePointerEx, SystemTimeToFileTime, FileTimeToSystemTime, GetFileSize, IsWow64Process, VirtualAllocEx, VirtualFreeEx, EnumResourceNamesW, LoadLibraryExW, GlobalSize, FindResourceW, SetErrorMode, Sleep, GetTickCount, MulDiv, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, InitializeSListHead, RtlUnwind, RaiseException, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, IsProcessorFeaturePresent, IsDebuggerPresent, TlsSetValue, TlsFree, GetCommandLineA, GetCommandLineW, ExitProcess, HeapSize, HeapReAlloc, HeapQueryInformation, HeapFree, HeapAlloc, GetProcessHeap, FindFirstFileExW, GetOEMCP, GetEnvironmentStringsW, FreeEnvironmentStringsW, LCMapStringW, GlobalAlloc, SetStdHandle, GetStringTypeW, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, DecodePointer, WriteConsoleW, GetSystemTimeAsFileTime, VirtualQuery, UnhandledExceptionFilter
    USER32.dll | EnumChildWindows, SetActiveWindow, IsWindowVisible, IsChild, SetWindowRgn, SetWindowPos, EnumWindows, IsZoomed, IsIconic, GetLayeredWindowAttributes, SetLayeredWindowAttributes, DestroyWindow, RegisterClassExW, SystemParametersInfoW, CreateWindowExW, GetMenu, EnableMenuItem, LoadAcceleratorsW, AddClipboardFormatListener, RemoveClipboardFormatListener, LoadImageW, PostQuitMessage, CheckMenuItem, RegisterWindowMessageW, DefWindowProcW, SetForegroundWindow, MonitorFromPoint, GetSystemMenu, GetMenuItemCount, GetMenuItemID, GetSubMenu, GetMenuStringW, ExitWindowsEx, GetPropW, GetClassLongW, SetMenu, SetPropW, RemovePropW, GetSysColor, RedrawWindow, DrawTextW, SetParent, GetClassInfoExW, AdjustWindowRectEx, GetAncestor, UpdateWindow, FlashWindow, GetMessagePos, GetSysColorBrush, FillRect, CallWindowProcW, CheckRadioButton, IntersectRect, GetUpdateRect, PtInRect, CreateDialogIndirectParamW, CreateAcceleratorTableW, DestroyAcceleratorTable, InsertMenuItemW, RemoveMenu, SetMenuItemInfoW, GetMenuItemInfoW, SetMenuDefaultItem, CreateMenu, CreatePopupMenu, SetMenuInfo, DestroyMenu, TrackPopupMenuEx, CopyImage, CreateIconIndirect, CreateIconFromResourceEx, DrawIconEx, EnumClipboardFormats, GetWindow, BringWindowToTop, MapVirtualKeyExW, GetLastInputInfo, GetLastActivePopup, GetShellWindow, GetGUIThreadInfo, GetWindowTextW, mouse_event, WindowFromPoint, keybd_event, SetKeyboardState, GetKeyboardState, GetCursorPos, GetAsyncKeyState, AttachThreadInput, SendInput, UnregisterHotKey, RegisterHotKey, SendMessageTimeoutW, CharUpperW, UnhookWindowsHookEx, SetWindowsHookExW, PostThreadMessageW, IsCharAlphaNumericW, IsCharUpperW, IsCharLowerW, ToUnicodeEx, GetKeyboardLayout, CallNextHookEx, CharLowerW, ReleaseDC, DialogBoxParamW, ScrollWindow, GetSystemMetrics, GetWindowRect, SetFocus, DefDlgProcW, MoveWindow, MapWindowPoints, GetClientRect, EnableWindow, MapDialogRect, GetDlgItem, SetWindowTextW, MessageBoxW, OpenClipboard, GetClipboardData, GetClipboardFormatNameW, CloseClipboard, SetClipboardData, EmptyClipboard, PostMessageW, FindWindowW, EndDialog, IsWindow, DispatchMessageW, TranslateMessage, ShowWindow, IsClipboardFormatAvailable, CountClipboardFormats, LoadCursorW, GetCursorInfo, ClientToScreen, MessageBeep, GetIconInfo, GetWindowTextLengthW, InvalidateRect, AdjustWindowRect, SetDlgItemTextW, SendDlgItemMessageW, IsCharAlphaW, DestroyIcon, EnumDisplayMonitors, GetMonitorInfoW, BlockInput, MapVirtualKeyW, SetWindowLongW, ScreenToClient, GetKeyboardLayoutNameW, IsDialogMessageW, SendMessageW, IsWindowEnabled, GetWindowLongW, GetKeyState, TranslateAcceleratorW, KillTimer, PeekMessageW, GetFocus, GetClassNameW, GetWindowThreadProcessId, GetForegroundWindow, GetMessageW, SetTimer, GetParent, GetDlgCtrlID, GetQueueStatus, VkKeyScanExW, ActivateKeyboardLayout, GetDC
    GDI32.dll | GdiFlush, CreateDIBSection, EnumFontFamiliesExW, SetBrushOrgEx, CreatePatternBrush, GetClipBox, GetObjectW, SetBkMode, SetBkColor, GetDeviceCaps, CreateCompatibleDC, CreateFontIndirectW, GetStockObject, CreateSolidBrush, GetCharABCWidthsW, GetTextMetricsW, GetPixel, GetDIBits, SelectObject, CreateDCW, CreateFontW, CreatePolygonRgn, CreateRectRgn, CreateRoundRectRgn, CreateEllipticRgn, DeleteObject, BitBlt, CreateCompatibleBitmap, DeleteDC, GetSystemPaletteEntries, SetTextColor
    ADVAPI32.dll | UnlockServiceDatabase, RegDeleteKeyW, RegSetValueExW, RegCreateKeyExW, RegQueryValueExW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, RegDeleteValueW, GetUserNameW, RegConnectRegistryW, RegCloseKey, RegOpenKeyExW, RegQueryInfoKeyW, RegEnumValueW, RegEnumKeyExW, CreateProcessWithLogonW, OpenSCManagerW, LockServiceDatabase, CloseServiceHandle, RegDeleteKeyExW
    SHELL32.dll | SHBrowseForFolderW, DragFinish, SHGetKnownFolderPath, ExtractIconW, DragQueryPoint, SHEmptyRecycleBinW, SHFileOperationW, SHGetPathFromIDListW, DragQueryFileW, SHGetDesktopFolder, SHGetMalloc, SHCreateItemFromParsingName, ShellExecuteExW, SHGetFolderPathW, Shell_NotifyIconW
    ole32.dll | CoCreateInstance, CoTaskMemFree, CLSIDFromString, OleInitialize, OleFlushClipboard, OleUninitialize, CoInitialize, CoUninitialize, CLSIDFromProgID, CoGetObject, StringFromGUID2, CreateStreamOnHGlobal
    OLEAUT32.dll | SafeArrayUnaccessData, SafeArrayGetElemsize, SafeArrayAccessData, SafeArrayUnlock, SafeArrayPtrOfIndex, SafeArrayLock, SafeArrayGetDim, OleLoadPicture, SafeArrayGetUBound, SafeArrayDestroy, SysFreeString, GetActiveObject, SysStringLen, SafeArrayCreate, VariantClear, SafeArrayGetLBound, VariantChangeType, SysAllocString, SafeArrayCopy, SysAllocStringLen, VariantCopyInd

    Language of compilation system | Country where language is spoken
    --- | ---
    English | United States
    No network behavior found
    Target ID:0
    Start time:10:19:14
    Start date:24/12/2024
    Path:C:\Users\user\Desktop\Login_msifar.txt.exe
    Wow64 process (32bit):true
    Commandline:"C:\Users\user\Desktop\Login_msifar.txt.exe"
    Imagebase:0x400000
    File size:978'432 bytes
    MD5 hash:13DD101017041158BE942E586719CDF1
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:low
    Has exited:false
      Execution Graph

      Execution Coverage:0.9%
      Dynamic/Decrypted Code Coverage:0%
      Signature Coverage:8.7%
      Total number of Nodes:658
      Total number of Limit Nodes:29

      Control-flow Graph

      APIs
      • SetErrorMode.KERNELBASE(00000001), ref: 00404674
        • Part of subcall function 00450290: GetCurrentDirectoryW.KERNEL32(00008000,?,?,0045027B), ref: 004502A7
      • FindWindowW.USER32(AutoHotkey,?), ref: 004047ED
      • FindWindowW.USER32(AutoHotkey,?), ref: 00404849
      • PostMessageW.USER32(00000000,00000044,00000406,00000000), ref: 0040485C
      • Sleep.KERNEL32(00000014), ref: 0040486C
      • IsWindow.USER32(00000000), ref: 0040486F
      • Sleep.KERNEL32(00000014), ref: 004048A6
      • IsWindow.USER32(00000000), ref: 004048A9
      • Sleep.KERNEL32(00000064), ref: 004048B5
      Strings
      • Could not close the previous instance of this script. Keep waiting?, xrefs: 0040488F
      • An older instance of this script is already running. Replace it with this instance?Note: To avoid this message, see #SingleInsta, xrefs: 00404818
      • AutoHotkey, xrefs: 004047E8, 00404844
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: Window$Sleep$Find$CurrentDirectoryErrorMessageModePost
      • String ID: An older instance of this script is already running. Replace it with this instance?Note: To avoid this message, see #SingleInsta$AutoHotkey$Could not close the previous instance of this script. Keep waiting?
      • API String ID: 130427939-579680267
      • Opcode ID: 6df8225a8d0ce90989be9459fb14ef78a8e7a962ab839c6e50f4e719879db5b5
      • Instruction ID: 6ad3f7ec9e5157f20d2701386fc39849f48f01c632b690100923ad0882a5dc19
      • Opcode Fuzzy Hash: 6df8225a8d0ce90989be9459fb14ef78a8e7a962ab839c6e50f4e719879db5b5
      • Instruction Fuzzy Hash: BD7145B56007405AE730AB359C4576777D4AB81314F048A3FEA95AB3D2EBBDA800CB6D

      Control-flow Graph

      APIs
      • LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,-00000002,?,?,?,?,00439379,00000000,00000000,00000000,00000000,-00000002,?), ref: 004837BF
      • EnumResourceNamesW.KERNEL32(00400000,0000000E,00483770,?), ref: 00483813
      • FindResourceW.KERNEL32(00400000,004EA8B8,0000000E), ref: 0048382C
      • LoadResource.KERNEL32(00400000,00000000), ref: 0048383C
      • LockResource.KERNEL32(00000000), ref: 0048384B
      • GetSystemMetrics.USER32(0000000B), ref: 0048386F
      • FindResourceW.KERNEL32(?,?,00000003), ref: 00483917
      • LoadResource.KERNEL32(?,00000000), ref: 00483925
      • LockResource.KERNEL32(00000000), ref: 00483930
      • SizeofResource.KERNEL32(?,00000000,00000001,00030000,00000000,00000000,00000000), ref: 0048394B
      • CreateIconFromResourceEx.USER32(00000000,00000000), ref: 00483953
      • FreeLibrary.KERNEL32(00400000), ref: 00483980
      • ExtractIconW.SHELL32(00000000,?,FFFFFF60), ref: 004839A3
      • ExtractIconW.SHELL32(00000000,?,00000000), ref: 004839BD
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: Resource$IconLoad$ExtractFindLibraryLock$CreateEnumFreeFromMetricsNamesSizeofSystem
      • String ID:
      • API String ID: 2349713634-0
      • Opcode ID: 68ce2d8145cc7af460e33e130ee27c67c5ce5a3320ac24eedbb28b4cc8cc7663
      • Instruction ID: 99842125b3710f85f94211698d5871d230e47fe56072319e7522c5ffd2e6169c
      • Opcode Fuzzy Hash: 68ce2d8145cc7af460e33e130ee27c67c5ce5a3320ac24eedbb28b4cc8cc7663
      • Instruction Fuzzy Hash: 2C51B4B53053019BD714AF299C84B2FB7E8EFC8B52F04092EF945D2290DBB8DA458769

      Control-flow Graph (rendered graph omitted; entry block 482870)
      APIs
      • FindFirstFileW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0048294D
      • FindClose.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00482962
      • FindFirstFileW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?), ref: 004829DE
      • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004829E6
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: Find$CloseFileFirst
      • String ID: :
      • API String ID: 2295610775-336475711
      • Opcode ID: 3cc61cb7503f8ebfa4ee15a60b1305e69cb25397f84100d1d34c6b28e4e1fdf3
      • Instruction ID: dd6ef1fce1eefe21fb8263a77ffe5acb0a5f2ce0bc0d43b3e7c520ef70310a3b
      • Opcode Fuzzy Hash: 3cc61cb7503f8ebfa4ee15a60b1305e69cb25397f84100d1d34c6b28e4e1fdf3
      • Instruction Fuzzy Hash: 5A5136716007059FCB24FF64CC41BAB73A8EF94304F444A2EE905D7291F7B8E90A8799
      APIs
        • Part of subcall function 00403FA0: joyGetPosEx.WINMM ref: 00403FD3
        • Part of subcall function 00403FA0: PostMessageW.USER32(00000312,00000000,00000000), ref: 00404046
      • SetTimer.USER32(00000009,0000000A,00000000), ref: 004016DA
      Strings
      • #32770, xrefs: 004021F8
      • %u hotkeys have been received in the last %ums.Do you want to continue?(see A_MaxHotkeysPerInterval in the help file), xrefs: 004038F8
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: MessagePostTimer
      • String ID: #32770$%u hotkeys have been received in the last %ums.Do you want to continue?(see A_MaxHotkeysPerInterval in the help file)
      • API String ID: 2370412193-2419636548
      • Opcode ID: 41e389b61fa3f6bf741d003babedc9396a245a88df3a714ab0260f31f4472c9e
      • Instruction ID: dd384f65e065895e40002e9b6416e57e493e8db2146e2c14fecce93e835ca95b
      • Opcode Fuzzy Hash: 41e389b61fa3f6bf741d003babedc9396a245a88df3a714ab0260f31f4472c9e
      • Instruction Fuzzy Hash: FFB28E746083818FD720DF14C984B6BBBE1BB99304F14496EE9856B3E2D778EC41CB5A

      Control-flow Graph

      APIs
        • Part of subcall function 004837A0: LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,-00000002,?,?,?,?,00439379,00000000,00000000,00000000,00000000,-00000002,?), ref: 004837BF
        • Part of subcall function 004837A0: FindResourceW.KERNEL32(00400000,004EA8B8,0000000E), ref: 0048382C
        • Part of subcall function 004837A0: LoadResource.KERNEL32(00400000,00000000), ref: 0048383C
        • Part of subcall function 004837A0: LockResource.KERNEL32(00000000), ref: 0048384B
        • Part of subcall function 004837A0: GetSystemMetrics.USER32(0000000B), ref: 0048386F
        • Part of subcall function 004837A0: FindResourceW.KERNEL32(?,?,00000003), ref: 00483917
      • GetSystemMetrics.USER32(00000031), ref: 00439387
        • Part of subcall function 004837A0: EnumResourceNamesW.KERNEL32(00400000,0000000E,00483770,?), ref: 00483813
        • Part of subcall function 004837A0: LoadResource.KERNEL32(?,00000000), ref: 00483925
        • Part of subcall function 004837A0: LockResource.KERNEL32(00000000), ref: 00483930
        • Part of subcall function 004837A0: SizeofResource.KERNEL32(?,00000000,00000001,00030000,00000000,00000000,00000000), ref: 0048394B
        • Part of subcall function 004837A0: CreateIconFromResourceEx.USER32(00000000,00000000), ref: 00483953
      • LoadCursorW.USER32(00000000,00007F00), ref: 004393B5
      • RegisterClassExW.USER32(00000030), ref: 004393D0
      • GetForegroundWindow.USER32 ref: 004393E5
      • GetClassNameW.USER32(00000000,?,00000040), ref: 004393F9
      • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0043942F
      • CreateWindowExW.USER32(00000001,AutoHotkey,?,00CF0000,80000000,80000000,?,?,00000000,00000000,00000000), ref: 0043948F
      • GetMenu.USER32 ref: 004394E2
      • EnableMenuItem.USER32(00000000,0000FF79,00000003), ref: 004394F8
      • EnableMenuItem.USER32(00000000,0000FF81,00000003), ref: 0043950B
      • EnableMenuItem.USER32(00000000,0000FF7E,00000003), ref: 00439515
      • EnableMenuItem.USER32(00000000,0000FF7F,00000003), ref: 0043951F
      • EnableMenuItem.USER32(00000000,0000FF80,00000003), ref: 00439529
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: Resource$Menu$EnableItem$Load$System$ClassCreateFindLockMetricsWindow$CursorEnumForegroundFromIconInfoLibraryNameNamesParametersRegisterSizeof
      • String ID: 0$AutoHotkey$Consolas$CreateWindow$Edit$RegClass$Shell_TrayWnd
      • API String ID: 733243997-1166232510
      • Opcode ID: 902ade045cc74797da2e79e58f87c7ffba96c80ec9edf34377a4d3707a0baec0
      • Instruction ID: 900bcb54e3e78fb3c5b691581e22f4301714ec5848f78d989e5c35113252a26b
      • Opcode Fuzzy Hash: 902ade045cc74797da2e79e58f87c7ffba96c80ec9edf34377a4d3707a0baec0
      • Instruction Fuzzy Hash: F391C771A40245ABEB219F64DC46F697B68FB09700F14427EF608BA2D1DFB95900CB6C

      Control-flow Graph (rendered graph omitted; entry block 44e4d0)
      APIs
      • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0044E4F5
      • ShowWindow.USER32(00010418,00000000), ref: 0044E5DF
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: Window$MessageRegisterShow
      • String ID: 9000$AHK_ATTACH_DEBUGGER$D$TaskbarCreated
      • API String ID: 1947581024-853869076
      • Opcode ID: e39f721ea325cb1572377a88280b4df8a36e188e112856240809c7086b7220db
      • Instruction ID: 28422a0cff7191c25910b0d0c7f6648fe2660e787a2fd73fac33bdfd427b8e82
      • Opcode Fuzzy Hash: e39f721ea325cb1572377a88280b4df8a36e188e112856240809c7086b7220db
      • Instruction Fuzzy Hash: CB025B316002809BFB20DF6AEC84B6B7794F791326F14467FE545CA2D2DB3A9841C76E

      Control-flow Graph (rendered graph omitted; entry block 43aa1d)
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID:
      • String ID: *#2$Out of memory.$Too many includes.$V'
      • API String ID: 0-2292992742
      • Opcode ID: ce0caa19827a966c1ee27339a19ba5a566f4992d7f5e0bd619b0391cfe3fd64f
      • Instruction ID: cec0c458aa8fb6dd67ec2ed722e31e2d81bc2ddc1d06d1386b57533113ec245a
      • Opcode Fuzzy Hash: ce0caa19827a966c1ee27339a19ba5a566f4992d7f5e0bd619b0391cfe3fd64f
      • Instruction Fuzzy Hash: F1F11371240301ABD720DF25D885B67B7A5FF88314F10162FF9858B3C1D7B9A865CB9A

      Control-flow Graph (rendered graph omitted; entry block 43a406)
      APIs
      • GetFileAttributesW.KERNEL32 ref: 0043A407
      • SetDllDirectoryW.KERNEL32(00000000), ref: 0043A58D
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: AttributesDirectoryFile
      • String ID: %s%s$An internal function call failed.$Line$Script file not found.$Unknown class.
      • API String ID: 2567440233-1827641252
      • Opcode ID: 25b6ed9fbd70c0d6d4772139d58dcaa7fd7e2da46697603302cc784657048529
      • Instruction ID: 2feafa91b3650af5ecee049f3f10afdc34bd4aa621d915ff3bee5344292652c5
      • Opcode Fuzzy Hash: 25b6ed9fbd70c0d6d4772139d58dcaa7fd7e2da46697603302cc784657048529
      • Instruction Fuzzy Hash: 66B117717802806EE720DB25AC8AB377750AB48715F18523FF9909B3D2DB6CAC60C75E
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID:
      • String ID: #32770
      • API String ID: 0-463685578
      • Opcode ID: 727ffe80c6b21837e2e6ebd05a01f5ba116da0ba999c19fe8cba39e06e5e303f
      • Instruction ID: 6a08a801710bec0205dfac583447c0f0dccbc134ab8943be1d4857ea390bdbad
      • Opcode Fuzzy Hash: 727ffe80c6b21837e2e6ebd05a01f5ba116da0ba999c19fe8cba39e06e5e303f
      • Instruction Fuzzy Hash: E7C13B745083818FD360CF28D884B9BBBF4AB99304F15497EE988973A1D735A941CF5A

      Control-flow Graph (rendered graph omitted; entry block 439bf0)
      APIs
      • SetTimer.USER32(0000000E,04EF6D80,004045F0,004CEEA8), ref: 00439C4A
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: Timer
      • String ID:
      • API String ID: 2870079774-0
      • Opcode ID: 1bf9698358ff631a008e88053692174a4d71a4597013c163277a550e01390753
      • Instruction ID: 0ab9ab6ffe52c0d2bec5c820206b7d36f6d78a115b31ee3da4c31f2d689caae2
      • Opcode Fuzzy Hash: 1bf9698358ff631a008e88053692174a4d71a4597013c163277a550e01390753
      • Instruction Fuzzy Hash: 9E416C715002809FDB10DF28ECC5B153BA1EB49314F25507EE5059F3A2DBBAAC41CB9D

      Control-flow Graph (rendered graph omitted; entry block 47ed60)
      APIs
      • GetCPInfo.KERNEL32(00000001,004D2094,?,00000000,00000001), ref: 0047EDB1
      • GetCPInfo.KERNEL32(0000FDE9,004D2094,?,00000000,00000001), ref: 0047EEB9
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: Info
      • String ID:
      • API String ID: 1807457897-0
      • Opcode ID: 90769df2c06e7920b7a824801ce7688276073fbf783d57d447b269a58adcdffe
      • Instruction ID: 89bd1e154f7f8df7f6da110562f702d7d28ba1ca8239f8bc2fed1ff2f6c04c28
      • Opcode Fuzzy Hash: 90769df2c06e7920b7a824801ce7688276073fbf783d57d447b269a58adcdffe
      • Instruction Fuzzy Hash: 1951F471700702ABDB24CF2AD885BA6F7A5FB58320F04C76BE91887B90D734E850CB95

      Control-flow Graph (rendered graph not reproduced; see the API list below)
      APIs
      • InitializeCriticalSection.KERNEL32(004E9010), ref: 00438B4F
      • OleInitialize.OLE32(00000000), ref: 00438B57
      Similarity
      • API ID: Initialize$CriticalSection
      • String ID:
      • API String ID: 49594357-0
      • Opcode ID: e61419ac69a3e14ae105138f7a0113737b291bd86eaf89b51deefc79017cb9eb
      • Instruction ID: 165bd683d17a9ed859693aae87b88edf9a0575de7cdc055fa720dade538ddbcb
      • Opcode Fuzzy Hash: e61419ac69a3e14ae105138f7a0113737b291bd86eaf89b51deefc79017cb9eb
      • Instruction Fuzzy Hash: 1F41A8B58153C09EE750CF25ADC87553FA0B36A308F19527ED4448E2B3D7B825A8CB4E

      Control-flow Graph (rendered graph not reproduced; see the API list below)
      APIs
      • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00439744
      Similarity
      • API ID: IconNotifyShell_
      • String ID:
      • API String ID: 1144537725-0
      • Opcode ID: 934fc3994814c39d71d0e53cb50f8b364310fdca51730f0f5d2415c81678d9a9
      • Instruction ID: f158582a92851cc22e09c6fffbf3d525b078f13552855581a5b11c97432901c6
      • Opcode Fuzzy Hash: 934fc3994814c39d71d0e53cb50f8b364310fdca51730f0f5d2415c81678d9a9
      • Instruction Fuzzy Hash: 82111EB5700602AFD754CF75D849B92F7E9BB44348F00012AE61CC6241EBB47925DB95

      Control-flow Graph (rendered graph not reproduced; see the API list below)
      APIs
      • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,004ABE08,00000001,00000364,00000000,00000006,000000FF,?,?,004AB91E,004AC06A), ref: 004AD392
      Similarity
      • API ID: AllocateHeap
      • String ID:
      • API String ID: 1279760036-0
      • Opcode ID: 782a6ac84f8b5f10e2ba777e1bb9f525687111428c883e9e85052c24db32fbfe
      • Instruction ID: af764ad1da86fec83121d8d4812892f048276d5c16359d29ec091865c5170cd4
      • Opcode Fuzzy Hash: 782a6ac84f8b5f10e2ba777e1bb9f525687111428c883e9e85052c24db32fbfe
      • Instruction Fuzzy Hash: 07F02431A02224A7DF205A629C01B5B3758AF63760B154127BC0AE7A85CB28D80187EF

      Control-flow Graph (rendered graph not reproduced; see the API list below)
      APIs
      • RtlAllocateHeap.NTDLL(00000000,00000000,004AB09A,?,004AC0D2,?,00000000,?,004AE888,00000000,004AB09A,00000000,?,?,?,004AAE94), ref: 004AC0A1
      Similarity
      • API ID: AllocateHeap
      • String ID:
      • API String ID: 1279760036-0
      • Opcode ID: db3cb5d76b9cbd46e41210e0bf13e8e2f4b8be75272ba0b1309a1ef5241310ce
      • Instruction ID: 185fb1d947de282ebdd4e337b3c6c92c0ca3a7a1b83ecfdd3dea3fec468b1e9b
      • Opcode Fuzzy Hash: db3cb5d76b9cbd46e41210e0bf13e8e2f4b8be75272ba0b1309a1ef5241310ce
      • Instruction Fuzzy Hash: FAE0E531109220D7DAB026F6DC40B5B368CDB733A4F440127BD059A292CF18CC0282EE
      Strings
      Similarity
      • API ID:
      • String ID: -$AltSubmit$Background$Border$Bottom$Buddy$Buttons$Center$Check3$Checked$Choose$Class$Count$Default$Disabled$Failed$Gray$Grid$HScroll$Hdr$Hidden$Horz$Icon$ImageList$Invalid option.$Invert$Left$Limit$Line$List$Lowercase$MPS+$Multi$NoSort$NoTab$NoTicks$None$Not supported for this control type.$Number$Page$Password$Range$ReadOnly$Redraw$Report$Right$Section$Simple$Small$Smooth$Sort$Tabstop$Theme$Thick$TickInterval$Tile$ToolTip$Trans$Unrecognized window class.$Uppercase$VScroll$Vertical$WantCtrlA$WantF2$WantReturn$WantTab$Wrap$XYWHTER$group
      • API String ID: 0-4110433459
      • Opcode ID: 3ea42bb1be961e06373b298c31bcd6cb6d7871ded47eea52be2650bf1b3bd3ed
      • Instruction ID: e9b9a7f29fa7eda8f67543d23b5f5d067539fe9d41d257cde854a81bef3362c9
      • Opcode Fuzzy Hash: 3ea42bb1be961e06373b298c31bcd6cb6d7871ded47eea52be2650bf1b3bd3ed
      • Instruction Fuzzy Hash: 5013BEB0644741ABDB248B21C851BA7BBE4FF05344F14092BE991D62D1F3BCE895DB8B
      Strings
      Similarity
      • API ID:
      • String ID: 0$</a>$Button$Can't create control.$ComboBox$Too many controls.$Too many status bars.$Too many tab controls.$ahk_dlg$static
      • API String ID: 0-2757417816
      • Opcode ID: 179e62eea877221bbe65b1e63a4ae1e0a444259eb8426c0ab59bb45e09c88131
      • Instruction ID: 7a2b7e45abb935f7b78b0f16b213abb5d920937c7aa045532e6f6ba0fee75aa0
      • Opcode Fuzzy Hash: 179e62eea877221bbe65b1e63a4ae1e0a444259eb8426c0ab59bb45e09c88131
      • Instruction Fuzzy Hash: 4723AF706083819FD724CF28C844B6BBBE1BF89304F048A2EF59997391E7799845CB5B
      APIs
      • CloseHandle.KERNEL32(00000000), ref: 00418326
      • CreateMutexW.KERNEL32(00000000,00000000,AHK Keybd,?,?,?), ref: 00418331
      • GetLastError.KERNEL32(?,?), ref: 00418339
      • GetWindowThreadProcessId.USER32(?,00000000), ref: 004183E9
      • GetModuleHandleW.KERNEL32(user32,IsHungAppWindow), ref: 00418422
      • GetProcAddress.KERNEL32(00000000), ref: 00418429
      • AttachThreadInput.USER32(00000000,00000001), ref: 00418475
      Strings
      Similarity
      • API ID: HandleThread$AddressAttachCloseCreateErrorInputLastModuleMutexProcProcessWindow
      • String ID: AHK Keybd$ASC$Click$Down$IsHungAppWindow$Raw$Temp$Text$^+!#{}$user32${Blind${Click${Text}$PB
      • API String ID: 3819048334-112610890
      • Opcode ID: 94d7f4f8807d5e6e7329f385f4785be55adc1211b9d587279ef93e09536dcd0e
      • Instruction ID: 93e2b67fcff4230d53986c7d8ab51740cb76e6d703e5799d7b6086b67eb04597
      • Opcode Fuzzy Hash: 94d7f4f8807d5e6e7329f385f4785be55adc1211b9d587279ef93e09536dcd0e
      • Instruction Fuzzy Hash: 1892E031A042849BDF209F249C957EA3BA5AB16304F18016FFC558B392DB79DCC5CB9E
      APIs
      Strings
      Similarity
      • API ID: IconicZoomed
      • String ID: ACMNRXYWH$AutoSize$Center$Hide$Invalid option.$Maximize$Minimize$NoActivate$Restore
      • API String ID: 435559836-723606646
      • Opcode ID: 28f0e5b7ad0d82a2e43d4e2e4b64b23f9f60296d943a24843ee02055f821fc3b
      • Instruction ID: 6e855bff8ff68f892905cdd015fb4ddaeaba84c550d7dbb21817ec0a21d6789e
      • Opcode Fuzzy Hash: 28f0e5b7ad0d82a2e43d4e2e4b64b23f9f60296d943a24843ee02055f821fc3b
      • Instruction Fuzzy Hash: 7E724C716087419FD720CF28C884B6BBBE5BB94714F14492EF8C9972A1E778E845CB4B
      APIs
        • Part of subcall function 00482D40: GetForegroundWindow.USER32(?,?,?,75A75360,?,?,00000000,00000000,?,?,?,?,?,00000000), ref: 00482D65
        • Part of subcall function 00482D40: IsIconic.USER32(00000000), ref: 00482D72
        • Part of subcall function 00482D40: GetWindowRect.USER32(00000000,?), ref: 00482D87
      • GetSystemMetrics.USER32(00000031), ref: 00428265
      • GetSystemMetrics.USER32(00000032), ref: 0042826F
      • GetDC.USER32(00000000), ref: 004284CD
      • GetLastError.KERNEL32(?,?,?,?,?,?,?,0000002E), ref: 004284D7
      • DestroyIcon.USER32(00000000), ref: 004284EE
      • DeleteObject.GDI32(00000000), ref: 00428503
      • GetIconInfo.USER32(00000000,?), ref: 00428554
      • DeleteObject.GDI32(?), ref: 00428593
      • DeleteObject.GDI32(?), ref: 0042859C
      • GetDC.USER32(00000000), ref: 004285A1
      • CreateCompatibleDC.GDI32(00000000), ref: 004285AA
      • GetIconInfo.USER32(?,?), ref: 004285C2
      • GetObjectW.GDI32(?,00000018,?), ref: 004285E1
      • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 004285FE
      • SelectObject.GDI32(00000000,00000000), ref: 00428610
      • CreateSolidBrush.GDI32 ref: 00428659
      • FillRect.USER32(00000000,?,00000000), ref: 0042866B
      • DeleteObject.GDI32(00000000), ref: 00428672
      • DrawIconEx.USER32(00000000,00000000,00000000,?,?,?,00000000,00000000,00000003), ref: 00428695
      • SelectObject.GDI32(00000000,?), ref: 004286A0
      • DeleteObject.GDI32(?), ref: 004286B1
      • DeleteObject.GDI32(?), ref: 004286BE
      • DeleteDC.GDI32(00000000), ref: 004286C5
      • ReleaseDC.USER32(00000000,00000000), ref: 004286CE
      • DestroyIcon.USER32(?), ref: 004286D8
        • Part of subcall function 004279C0: CreateCompatibleDC.GDI32 ref: 004279CF
        • Part of subcall function 004279C0: GetDIBits.GDI32(00000000,?,00000000,00000000,00000000,?,00000000), ref: 00427A07
        • Part of subcall function 004279C0: SelectObject.GDI32(00000000), ref: 00427A92
        • Part of subcall function 004279C0: GetDIBits.GDI32(00000000,?,00000000,?,00000000,00000028,00000000), ref: 00427AAE
        • Part of subcall function 004279C0: __alloca_probe_16.LIBCMT ref: 00427ACB
        • Part of subcall function 004279C0: GetSystemPaletteEntries.GDI32(00000000,00000000,00000100), ref: 00427ADE
      • CreateCompatibleDC.GDI32(?), ref: 0042872F
      • CreateCompatibleBitmap.GDI32(?,?,?), ref: 00428745
      • SelectObject.GDI32(00000000,00000000), ref: 00428759
      • BitBlt.GDI32(00000000,00000000,00000000,?,?,?,?,?,00CC0020), ref: 00428781
      • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000002E), ref: 00428C83
      • ReleaseDC.USER32(00000000,?), ref: 00428C91
      • DeleteObject.GDI32(?), ref: 00428CA7
      • SelectObject.GDI32(?,?), ref: 00428CBF
      • DeleteDC.GDI32(?), ref: 00428CC6
      • DeleteObject.GDI32(?), ref: 00428CD5
      Strings
      Similarity
      • API ID: Object$Delete$Create$CompatibleIconSelect$System$BitmapBitsDestroyErrorInfoLastMetricsRectReleaseWindow$BrushDrawEntriesFillForegroundIconicPaletteSolid__alloca_probe_16
      • String ID: Icon$Trans$dll$exe$ico
      • API String ID: 2516378866-2549557054
      • Opcode ID: fc3d4bef0dedfbcaad59b1f7a64ba72759f527229b10c8b66915f1603846bc82
      • Instruction ID: 8cac69942b9c86e5c57cba38b314f3c7297e4c93c02983beb54a8b8922182aa9
      • Opcode Fuzzy Hash: fc3d4bef0dedfbcaad59b1f7a64ba72759f527229b10c8b66915f1603846bc82
      • Instruction Fuzzy Hash: E572FF71A093618FC720DF29D88076FBBE4BF94304F94492EF98597251EB38D845CB9A
      APIs
      • GetFileAttributesW.KERNEL32(00000000,?,00000000,?,?,00439F51,Edit,?,00000000,00000000,00000000,00000000,00000000,00000202), ref: 0044D3AC
      • __alloca_probe_16.LIBCMT ref: 0044D560
      • __alloca_probe_16.LIBCMT ref: 0044D749
      • SetCurrentDirectoryW.KERNEL32(004CEEA8), ref: 0044DADE
      • ShellExecuteExW.SHELL32(0000003C), ref: 0044DAED
      • CloseHandle.KERNEL32(00000000), ref: 0044DB24
      • GetLastError.KERNEL32 ref: 0044DB4B
      • FormatMessageW.KERNEL32(00001200,00000000,00000000,00000000,?,000001FF,00000000,?,00000000,?), ref: 0044DB88
      Strings
      Similarity
      • API ID: __alloca_probe_16$AttributesCloseCurrentDirectoryErrorExecuteFileFormatHandleLastMessageShell
      • String ID: Verb: <%s>$"%s" %s$%sAction: <%-0.400s%s>%sParams: <%-0.400s%s>$...$.exe.bat.com.cmd.hta$<$D$D$Edit$Failed attempt to launch program or document:$Hide$Launch Error (possibly related to RunAs):$Max$Min$Parameter #2 invalid.$String too long.$System verbs unsupported with RunAs.$\/.$explore$find$open$print$properties
      • API String ID: 2264502937-1130582227
      • Opcode ID: 374fac6b36e478108bef266542886113fbd6e4f1f74225ed048702e2f225aa7e
      • Instruction ID: 3a6f25a38b2a86fa10f0ca6f1ae255e5394c1142267316fd43a84d7dc8513feb
      • Opcode Fuzzy Hash: 374fac6b36e478108bef266542886113fbd6e4f1f74225ed048702e2f225aa7e
      • Instruction Fuzzy Hash: 3642B071E003059BEF209F65CC41BAB77A4AF49345F14416BE905EB381FB789D41CBA9
      APIs
      • InternetOpenW.WININET(AutoHotkey,00000004,00000000,00000000,00000000), ref: 00457162
      • InternetOpenUrlW.WININET(00000000,?,00000000,00000000,84000000,00000000), ref: 004571A1
      • GetLastError.KERNEL32 ref: 004571AD
      • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 004571C6
      • InternetCloseHandle.WININET(?), ref: 004571DF
      • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00457206
      • InternetCloseHandle.WININET(00000000), ref: 00457225
      • InternetCloseHandle.WININET(?), ref: 0045722B
      • InternetReadFile.WININET(00000000,?,00000400,?), ref: 00457296
      • GetTickCount.KERNEL32 ref: 004572BB
      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 004572DB
      • GetTickCount.KERNEL32 ref: 004572F2
      • WriteFile.KERNEL32(?,?,00000028,?,00000000), ref: 0045730E
      • InternetReadFile.WININET(00000000,?,00000400,00000000), ref: 00457328
      • InternetCloseHandle.WININET(?), ref: 0045734B
      • InternetCloseHandle.WININET(?), ref: 00457351
      • CloseHandle.KERNEL32(?), ref: 00457357
      • DeleteFileW.KERNEL32(?), ref: 00457467
      Strings
      Similarity
      • API ID: Internet$CloseHandle$File$Open$CountReadTick$CreateDeleteErrorLastMessagePeekWrite
      • String ID: ($AutoHotkey
      • API String ID: 2186926113-2766205875
      • Opcode ID: 707ae78c28eb8d4878c06660adb737ea7de27d455b9aaae361449c8cb89fe165
      • Instruction ID: a41856bacfc29e816b7cf7a6cbc0c1371bcec6fd20854d0f40b28cb9c24a927d
      • Opcode Fuzzy Hash: 707ae78c28eb8d4878c06660adb737ea7de27d455b9aaae361449c8cb89fe165
      • Instruction Fuzzy Hash: EFB1A2716043019BD7209F68EC84B2BBBE9EB84751F14063AFE84D72A1DB74DC05CB9A
      APIs
      • CloseHandle.KERNEL32(00000000), ref: 00418326
      • CreateMutexW.KERNEL32(00000000,00000000,AHK Keybd,?,?,?), ref: 00418331
      • GetLastError.KERNEL32(?,?), ref: 00418339
      • GetWindowThreadProcessId.USER32(?,00000000), ref: 004183E9
      • GetModuleHandleW.KERNEL32(user32,IsHungAppWindow), ref: 00418422
      • GetProcAddress.KERNEL32(00000000), ref: 00418429
      • AttachThreadInput.USER32(00000000,00000001), ref: 00418475
      • GetKeyboardLayout.USER32(00000000), ref: 0041855E
      Strings
      Similarity
      • API ID: HandleThread$AddressAttachCloseCreateErrorInputKeyboardLastLayoutModuleMutexProcProcessWindow
      • String ID: 0$AHK Keybd$IsHungAppWindow$^+!#{}$user32${Click${Text}$PB
      • API String ID: 3182891854-2488157086
      • Opcode ID: a97f399368f889cf48cc9cb61fd2aa44ea70f5aaf778b1e18ca2cd565f23ddfa
      • Instruction ID: 9ed0899d5213b3857696359a104697e9e0f75daecba6896b1afa7164b147cc6b
      • Opcode Fuzzy Hash: a97f399368f889cf48cc9cb61fd2aa44ea70f5aaf778b1e18ca2cd565f23ddfa
      • Instruction Fuzzy Hash: 8C02C2305043C49BEB219F2498A57EA3FE1AB16344F18016EE8558B3D3CB799CC6CB5E
      APIs
      • CloseHandle.KERNEL32(00000000), ref: 00418326
      • CreateMutexW.KERNEL32(00000000,00000000,AHK Keybd,?,?,?), ref: 00418331
      • GetLastError.KERNEL32(?,?), ref: 00418339
      • GetWindowThreadProcessId.USER32(?,00000000), ref: 004183E9
      • GetModuleHandleW.KERNEL32(user32,IsHungAppWindow), ref: 00418422
      • GetProcAddress.KERNEL32(00000000), ref: 00418429
      • AttachThreadInput.USER32(00000000,00000001), ref: 00418475
      • GetKeyboardLayout.USER32(00000000), ref: 0041855E
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: HandleThread$AddressAttachCloseCreateErrorInputKeyboardLastLayoutModuleMutexProcProcessWindow
      • String ID: AHK Keybd$IsHungAppWindow$^+!#{}$user32${Click${Text}$PB
      • API String ID: 3182891854-771593373
      • Opcode ID: 875d9c998feb8b8bd56d047cdfb68186623a02ddf0d3201950f6d02a7dc00d94
      • Instruction ID: 9e29e480932d02e863b225522214314f53b5a6ba5d175fe546b4afcdbad4e8ea
      • Opcode Fuzzy Hash: 875d9c998feb8b8bd56d047cdfb68186623a02ddf0d3201950f6d02a7dc00d94
      • Instruction Fuzzy Hash: 6F02C2305043C49BEB219F2498957EA3FE1AB16304F18016EE8558B3D3CB799CC6CB5E
      APIs
      • CloseHandle.KERNEL32(00000000), ref: 00418326
      • CreateMutexW.KERNEL32(00000000,00000000,AHK Keybd,?,?,?), ref: 00418331
      • GetLastError.KERNEL32(?,?), ref: 00418339
      • GetWindowThreadProcessId.USER32(?,00000000), ref: 004183E9
      • GetModuleHandleW.KERNEL32(user32,IsHungAppWindow), ref: 00418422
      • GetProcAddress.KERNEL32(00000000), ref: 00418429
      • AttachThreadInput.USER32(00000000,00000001), ref: 00418475
      • GetKeyboardLayout.USER32(00000000), ref: 0041855E
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: HandleThread$AddressAttachCloseCreateErrorInputKeyboardLastLayoutModuleMutexProcProcessWindow
      • String ID: AHK Keybd$IsHungAppWindow$^+!#{}$user32${Click${Text}$PB
      • API String ID: 3182891854-771593373
      • Opcode ID: c65ca66806eed4b1d25d97561db1af6b6a28283b0d38aff8f75e55a2320583be
      • Instruction ID: 7bcf24b4398ea98546da244d2664c1e45e8891a9369ab7a166c24ba085e90e83
      • Opcode Fuzzy Hash: c65ca66806eed4b1d25d97561db1af6b6a28283b0d38aff8f75e55a2320583be
      • Instruction Fuzzy Hash: 7802C2305043C49BEB219F2498957EA3FE1AB16304F18016EE8558B3D3CB7A9CC6CB5E
      APIs
      • CloseHandle.KERNEL32(00000000), ref: 00418326
      • CreateMutexW.KERNEL32(00000000,00000000,AHK Keybd,?,?,?), ref: 00418331
      • GetLastError.KERNEL32(?,?), ref: 00418339
      • GetWindowThreadProcessId.USER32(?,00000000), ref: 004183E9
      • GetModuleHandleW.KERNEL32(user32,IsHungAppWindow), ref: 00418422
      • GetProcAddress.KERNEL32(00000000), ref: 00418429
      • AttachThreadInput.USER32(00000000,00000001), ref: 00418475
      • GetKeyboardLayout.USER32(00000000), ref: 0041855E
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: HandleThread$AddressAttachCloseCreateErrorInputKeyboardLastLayoutModuleMutexProcProcessWindow
      • String ID: AHK Keybd$IsHungAppWindow$^+!#{}$user32${Click${Text}$PB
      • API String ID: 3182891854-771593373
      • Opcode ID: d3dd32f0111e23f7ea8f5b5412190c1825c66ead797724b461bd07956e9b6dff
      • Instruction ID: cb53f142e07c3032910fabadada2452be89e9b62c423cb7625927d2d86a06914
      • Opcode Fuzzy Hash: d3dd32f0111e23f7ea8f5b5412190c1825c66ead797724b461bd07956e9b6dff
      • Instruction Fuzzy Hash: 0102C1305043C49BEB219F2498957EA3FE1AB16344F18016EE8558B3D3CB799CC6CB5E
      APIs
      • GetWindowLongW.USER32(00000000,000000F0), ref: 0046908A
      • GetWindowLongW.USER32(00000000,000000EC), ref: 00469094
      • IsWindowVisible.USER32(00000000), ref: 004696DF
      • IsIconic.USER32(00000000), ref: 004696EC
      • InvalidateRect.USER32(00000000,00000000,00000001,?,?), ref: 0046973C
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: Window$Long$IconicInvalidateRectVisible
      • String ID: -$AlwaysOnTop$Border$Caption$DPIScale$Disabled$Invalid option.$Invalid or nonexistent owner or parent window.$LastFound$MaxSize$MaximizeBox$MinSize$MinimizeBox$OwnDialogs$Owner$Parent$Resize$SysMenu$Theme$ToolWindow
      • API String ID: 4202639353-3541528036
      • Opcode ID: 3969e9ccc9f593325755309d1319d18240ad8eb783a8bb459c57395fc0060098
      • Instruction ID: 3c78c2adae273fa014c71dfe2b2c6046854380afbc4375d551c3273153b13f42
      • Opcode Fuzzy Hash: 3969e9ccc9f593325755309d1319d18240ad8eb783a8bb459c57395fc0060098
      • Instruction Fuzzy Hash: 68129A716443019BDB20DE25C851B6BB7E8AF95344F14092FE992C7390FBB9EC09CB5A
      APIs
      • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 004704DC
      • GetWindowLongW.USER32(?,000000F0), ref: 004704EB
      • IsWindowVisible.USER32(?), ref: 0047050E
      • IsIconic.USER32(?), ref: 0047051D
      • GetFocus.USER32 ref: 00470550
      • GetWindowRect.USER32(?,?), ref: 00470593
      • GetPropW.USER32(?,ahk_dlg), ref: 004705A1
      • ShowWindow.USER32(00000000,00000000), ref: 004705B2
      • GetUpdateRect.USER32(?,?,00000000), ref: 004705D1
      • SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 004705E0
      • GetWindowLongW.USER32(?,000000F0), ref: 0047065C
      • ShowWindow.USER32(?,00000000), ref: 0047068C
      • EnableWindow.USER32(?,?), ref: 004706A7
      • GetWindowRect.USER32(?,?), ref: 004706BB
      • PtInRect.USER32(?,?,?), ref: 004706CE
      • PtInRect.USER32(?,?,?), ref: 004706E5
      • SetFocus.USER32(?), ref: 0047072F
      • SendMessageW.USER32(?,0000000B,00000001,00000000), ref: 0047075F
      • ShowWindow.USER32(?,00000005), ref: 00470777
      • SetFocus.USER32(?), ref: 0047078A
      • InvalidateRect.USER32(?,00000000,00000001), ref: 004707A5
      • InvalidateRect.USER32(?,?,00000001), ref: 004707CD
      • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004707DB
      • InvalidateRect.USER32(?,?,00000001), ref: 004707EB
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: Window$Rect$FocusInvalidateMessageSendShow$Long$EnableIconicPointsPropUpdateVisible
      • String ID: ahk_dlg
      • API String ID: 1662922230-2093416220
      • Opcode ID: d783614428926baf5998602cdb6a825cc411c0a424ee988096c83b582233a44a
      • Instruction ID: 82b8dc1d16124ec62e8cbcc99585f0c942bd3067a3ecea9b158a597805cc41f5
      • Opcode Fuzzy Hash: d783614428926baf5998602cdb6a825cc411c0a424ee988096c83b582233a44a
      • Instruction Fuzzy Hash: 33A1B430409381EFDB218F24C814BABBFE5AF95304F04895EF885962D1C779E959CF96
      APIs
      • GetTickCount.KERNEL32 ref: 00418495
      • GetCurrentThreadId.KERNEL32 ref: 004184BC
      • GetForegroundWindow.USER32(?,?), ref: 0041851B
      • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0041852F
      • GetGUIThreadInfo.USER32(00000000,00000030), ref: 0041853F
      • GetWindowThreadProcessId.USER32(?,00000000), ref: 00418553
      • GetKeyboardLayout.USER32(00000000), ref: 0041855E
      • GetAsyncKeyState.USER32(0000005B), ref: 00418665
      • GetAsyncKeyState.USER32(0000005C), ref: 0041866E
      • __alloca_probe_16.LIBCMT ref: 0041876E
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: Thread$Window$AsyncProcessState$CountCurrentForegroundInfoKeyboardLayoutTick__alloca_probe_16
      • String ID: 0$^+!#{}$PB
      • API String ID: 563566061-2189176445
      • Opcode ID: d1e24f63ee7ed6236334faf34defad38a8943310f92352af3ab60a5cb862e2be
      • Instruction ID: 80377b47c0c61f2aedff3282857d37fc36e564d603b9aa90ca5c8d18d472ddaf
      • Opcode Fuzzy Hash: d1e24f63ee7ed6236334faf34defad38a8943310f92352af3ab60a5cb862e2be
      • Instruction Fuzzy Hash: 5F02E4305042D59BEB219F2498957EA3BE1AB12348F18006EE8958F3D3DB7D9CC6C75E
      APIs
      • GetWindowThreadProcessId.USER32(?,00000000), ref: 004183E9
      • GetModuleHandleW.KERNEL32(user32,IsHungAppWindow), ref: 00418422
      • GetProcAddress.KERNEL32(00000000), ref: 00418429
      • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00418459
      • AttachThreadInput.USER32(00000000,00000001), ref: 00418475
      • GetKeyboardLayout.USER32(00000000), ref: 0041855E
        • Part of subcall function 00413000: CloseHandle.KERNEL32(00000000,0041A5F3), ref: 0041300A
        • Part of subcall function 00413000: CreateMutexW.KERNEL32(00000000,00000000,AHK Mouse,?,?,0041A5F3), ref: 0041301B
        • Part of subcall function 00413000: GetLastError.KERNEL32(?,?,0041A5F3), ref: 00413023
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: HandleThread$AddressAttachCloseCreateErrorInputKeyboardLastLayoutMessageModuleMutexProcProcessSendTimeoutWindow
      • String ID: IsHungAppWindow$^+!#{}$user32${Click$PB
      • API String ID: 3465329959-3024596934
      • Opcode ID: 4462fefe2ae87ac89a1d3334d4db0c179be42804223532f4b8bae7a94c558f5b
      • Instruction ID: 082975a2ad333c6fbe8b2f895071ca5acac218b6b620eafa81a5c863bded1b76
      • Opcode Fuzzy Hash: 4462fefe2ae87ac89a1d3334d4db0c179be42804223532f4b8bae7a94c558f5b
      • Instruction Fuzzy Hash: 40F1D4305042C49AEB259F249CA57EA3FD0AB16304F18016EE8944B3D3CB799CC6CB5E
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID:
      • String ID: %s := %.*s$%s.%s$%s.Prototype.%s$Duplicate declaration.$Expected ":="$False$Full class name is too long.$Invalid function declaration.$Line$Missing ")"$Missing a required parameter.$Missing class name.$Missing comma$Missing parameter name.$Only the first parameter of a hotkey function is permitted to be non-optional.$Out of memory.$Parameter default required.$Prototype$Syntax error in class definition.$This class definition is nested too deep.$Too many params.$True$__Class$class$extends$parameter$this$unset$value
      • API String ID: 0-906699699
      • Opcode ID: ab153aff57cc23d480d4721a8146b4913f7b19bd62b2e65b9790bb878875a22f
      • Instruction ID: acc1d3524a29ab8ebd4294922c24896cf09e2f3c773bbdfb5f8ae07b6326100d
      • Opcode Fuzzy Hash: ab153aff57cc23d480d4721a8146b4913f7b19bd62b2e65b9790bb878875a22f
      • Instruction Fuzzy Hash: 86C2EE716043019BEB24DF25C881B6BB7E0EF84304F14492FF98997391EB79E945CB9A
      APIs
      • GetWindowThreadProcessId.USER32(?,00000000), ref: 004183E9
      • GetModuleHandleW.KERNEL32(user32,IsHungAppWindow), ref: 00418422
      • GetProcAddress.KERNEL32(00000000), ref: 00418429
      • AttachThreadInput.USER32(00000000,00000001), ref: 00418475
      • GetKeyboardLayout.USER32(00000000), ref: 0041855E
      • __alloca_probe_16.LIBCMT ref: 0041876E
      • BlockInput.USER32(00000001), ref: 004187E0
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: InputThread$AddressAttachBlockHandleKeyboardLayoutModuleProcProcessWindow__alloca_probe_16
      • String ID: IsHungAppWindow$^+!#{}$user32$PB
      • API String ID: 159966632-2164863719
      • Opcode ID: 9a101b1817c1c2eaf2d2499bc16b0b53119c565840bfd1d95cb0fe6a5690568f
      • Instruction ID: 7c2bd63fb5ceb6c6621a53fdfceed92132f6a3e157bbfdf3f84210c2ccd82317
      • Opcode Fuzzy Hash: 9a101b1817c1c2eaf2d2499bc16b0b53119c565840bfd1d95cb0fe6a5690568f
      • Instruction Fuzzy Hash: F2F1C3305042C59BEB259F249D957EA3FE1AB16304F18016EE8944B3E3CB799CC6CB5E
      APIs
      • GetFullPathNameW.KERNEL32(?,00008000,?,00000000), ref: 0045808D
      • GetFullPathNameW.KERNEL32(?,00008000,?,00000000,?,00008000,?,00000000), ref: 004580D6
      • GetFileAttributesW.KERNEL32(?,?,00008000,?,00000000,?,00008000,?,00000000), ref: 00458116
      • GetFileAttributesW.KERNEL32(?,?,00008000,?,00000000,?,00008000,?,00000000), ref: 0045815D
      • FindFirstFileW.KERNEL32(?,?,?,00008000,?,00000000,?,00008000,?,00000000), ref: 004581A7
      • GetLastError.KERNEL32(?,00008000,?,00000000,?,00008000,?,00000000), ref: 004581B6
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: File$AttributesFullNamePath$ErrorFindFirstLast
      • String ID: *$.$\$\$\*.*
      • API String ID: 445072128-601153783
      • Opcode ID: 820c38cbde961278fed0ba1b85ab3884e73929ca8ac50c03eddb78f2c7058071
      • Instruction ID: 19853cc93ff40f5bfb1c7c17c0e4b93a77f9f532fa5f3bf85fde7dbad258698a
      • Opcode Fuzzy Hash: 820c38cbde961278fed0ba1b85ab3884e73929ca8ac50c03eddb78f2c7058071
      • Instruction Fuzzy Hash: 51D105341003418BDB20DF64C884BAB77E8FF85305F144A6EEC89E7291EF35994ACB5A
      APIs
      • SendMessageTimeoutW.USER32(?,00001004,00000000,00000000,00000002,000007D0,?), ref: 0043570E
      • SendMessageTimeoutW.USER32(?,0000101F,00000000,00000000,00000002,000007D0,?), ref: 00435739
      • SendMessageTimeoutW.USER32(?,00001200,00000000,00000000,00000002,000007D0,FFFFFFFF), ref: 0043575D
      • GetWindowThreadProcessId.USER32(?,?), ref: 0043585F
      • OpenProcess.KERNEL32(00000438,00000000,?), ref: 00435870
      • VirtualAllocEx.KERNEL32(00000000,00000000,00000858,00003000,00000004), ref: 0043588F
      • CloseHandle.KERNEL32(00000000), ref: 004358A0
      • GetCurrentProcess.KERNEL32(?), ref: 00435910
      • IsWow64Process.KERNEL32(00000000), ref: 0043591D
      • IsWow64Process.KERNEL32(00000000,00000000), ref: 00435930
      • VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 00435B0B
      • CloseHandle.KERNEL32(?), ref: 00435B12
      • ReadProcessMemory.KERNEL32(?,?,00000000,00000000,00000000), ref: 00435C69
      • VirtualFreeEx.KERNEL32(?,?,00000000,00008000), ref: 00435CC4
      • CloseHandle.KERNEL32(?), ref: 00435CCB
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: Process$CloseHandleMessageSendTimeoutVirtual$FreeWow64$AllocCurrentMemoryOpenReadThreadWindow
      • String ID: Col$Count$Focused$Selected
      • API String ID: 1110641186-81583591
      • Opcode ID: ffa49acef9cfe81e882448943e7c7b13b97b383dea1e973c55dd918e11d01922
      • Instruction ID: d5463477365cfd4580deaae644dd48b762db5bcee5df34e0c9b61e3c1457ede2
      • Opcode Fuzzy Hash: ffa49acef9cfe81e882448943e7c7b13b97b383dea1e973c55dd918e11d01922
      • Instruction Fuzzy Hash: B902CF71608741ABD720DF24CC84B6BBBE4FF88714F142A2EF985962E0D778D845CB4A
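      The function blocks above list raw API call sites and leave the interpretation to the reader. As an added example (not part of the Joe Sandbox report, and not code from AutoHotkey), the script below parses the "Name.Module(args), ref: addr" lines of those blocks and reduces them to the capability clusters a responder would triage: the AHK Keybd / AHK Mouse hook mutexes and the AttachThreadInput and BlockInput(1) calls of the hook blocks, the GetAsyncKeyState polling of 0x5B/0x5C (the Windows keys), and the OpenProcess(0x438) / VirtualAllocEx / ReadProcessMemory sequence of the ListView block directly above. The sample trace is constructed from lines of this report; the cluster grouping and the helper names are this example's own assumptions, while the access-mask and virtual-key constants are the documented Win32 values.

```python
import re
from dataclasses import dataclass

# One "APIs" line of the report: "• Name.Module(args), ref: addr", optionally prefixed with
# "Part of subcall function XXXXXXXX:" and optionally without an argument list.
API_LINE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})"
)

@dataclass(frozen=True)
class ApiCall:
    name: str
    module: str
    args: tuple   # "?" marks an argument the sandbox could not resolve
    ref: int      # call-site address inside the image

def parse_trace(text):
    """Parse every API line in `text` into ApiCall records, in report order."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if m:
            raw = m.group("args") or ""
            args = tuple(a.strip() for a in raw.split(",")) if raw else ()
            calls.append(ApiCall(m.group("name"), m.group("module"), args, int(m.group("ref"), 16)))
    return calls

# Capability clusters (this example's own grouping, not Joe Sandbox signatures): every name
# in the first set must be present and, when the second set is non-empty, at least one of those.
CLUSTERS = {
    "dynamic API resolution": ({"GetProcAddress"}, {"GetModuleHandleW", "LoadLibraryW"}),
    "keystroke and foreground-window capture":
        ({"GetAsyncKeyState"}, {"GetForegroundWindow", "GetGUIThreadInfo", "AttachThreadInput"}),
    "blocks user input": ({"BlockInput"}, set()),
    "reads another process's memory": ({"OpenProcess", "ReadProcessMemory"}, {"VirtualAllocEx"}),
}
# Documented Win32 constants, used to decode arguments that appear in the trace.
PROCESS_ACCESS = {0x0008: "PROCESS_VM_OPERATION", 0x0010: "PROCESS_VM_READ",
                  0x0020: "PROCESS_VM_WRITE", 0x0400: "PROCESS_QUERY_INFORMATION"}
VIRTUAL_KEYS = {0x5B: "VK_LWIN", 0x5C: "VK_RWIN"}

def classify(calls):
    """Return {cluster label: sorted names of the calls that satisfied it}."""
    names = {c.name for c in calls}
    hits = {}
    for label, (all_of, any_of) in CLUSTERS.items():
        if all_of <= names and (not any_of or any_of & names):
            hits[label] = sorted((all_of | any_of) & names)
    return hits

def ahk_hook_mutexes(calls):
    """Mutex names starting with 'AHK ' (the keyboard and mouse hook mutexes in this report)."""
    return sorted(c.args[2] for c in calls
                  if c.name == "CreateMutexW" and len(c.args) > 2 and c.args[2].startswith("AHK "))

def blocks_input(calls):
    """True when BlockInput was called with fBlockIt == TRUE (user input locked out)."""
    return any(c.name == "BlockInput" and c.args[:1] == ("00000001",) for c in calls)

def polled_keys(calls):
    """Virtual keys polled with GetAsyncKeyState, decoded where the code is known."""
    return [VIRTUAL_KEYS.get(int(c.args[0], 16), f"VK_0x{int(c.args[0], 16):02X}")
            for c in calls if c.name == "GetAsyncKeyState" and c.args and c.args[0] != "?"]

def process_access(calls):
    """Decoded dwDesiredAccess of every OpenProcess call whose mask was resolved."""
    return [[n for bit, n in sorted(PROCESS_ACCESS.items()) if int(c.args[0], 16) & bit]
            for c in calls if c.name == "OpenProcess" and c.args and c.args[0] != "?"]

# Constructed sample: API lines copied from several function blocks of this report.
SAMPLE_TRACE = """
• CloseHandle.KERNEL32(00000000), ref: 00418326
• CreateMutexW.KERNEL32(00000000,00000000,AHK Keybd,?,?,?), ref: 00418331
• GetModuleHandleW.KERNEL32(user32,IsHungAppWindow), ref: 00418422
• GetProcAddress.KERNEL32(00000000), ref: 00418429
• AttachThreadInput.USER32(00000000,00000001), ref: 00418475
• GetTickCount.KERNEL32 ref: 00418495
• GetForegroundWindow.USER32(?,?), ref: 0041851B
• GetAsyncKeyState.USER32(0000005B), ref: 00418665
• GetAsyncKeyState.USER32(0000005C), ref: 0041866E
• __alloca_probe_16.LIBCMT ref: 0041876E
• BlockInput.USER32(00000001), ref: 004187E0
  • Part of subcall function 00413000: CreateMutexW.KERNEL32(00000000,00000000,AHK Mouse,?,?,0041A5F3), ref: 0041301B
• OpenProcess.KERNEL32(00000438,00000000,?), ref: 00435870
• VirtualAllocEx.KERNEL32(00000000,00000000,00000858,00003000,00000004), ref: 0043588F
• ReadProcessMemory.KERNEL32(?,?,00000000,00000000,00000000), ref: 00435C69
"""

if __name__ == "__main__":
    calls = parse_trace(SAMPLE_TRACE)
    for label, apis in classify(calls).items():
        print(f"[+] {label}: {', '.join(apis)}")
    print("[+] AHK hook mutexes:", ahk_hook_mutexes(calls))
    print("[+] BlockInput(TRUE):", blocks_input(calls), "| polled keys:", polled_keys(calls))
    print("[+] OpenProcess access:", process_access(calls))
```

      Running it over the constructed trace reports all four clusters, both hook mutexes, BlockInput(TRUE), the two Windows keys, and an OpenProcess mask of VM_OPERATION | VM_READ | VM_WRITE | QUERY_INFORMATION, which is exactly the access needed to allocate a buffer in the target and read a ListView item back out of it. The clusters are a triage aid, not a verdict: a compiled AutoHotkey runtime carries every one of these call sites whether or not the embedded script uses them, so the next step is to extract and read that script rather than to score the runtime.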
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: Global$Clipboard$Unlock$Close$Free$AllocDataEmptyLock
      • String ID: An internal function call failed.$Can't open clipboard for writing.$EmptyClipboard$Out of memory.$SetClipboardData
      • API String ID: 870983584-261313822
      • Opcode ID: abdd792a5bc9c219a9adbd70a3dc54ff950702e28b19e6a4559b7fea26041945
      • Instruction ID: a01a880bcb1c588eb1f6f21557cd45c4ea07c9991313eee776604d3c4502fded
      • Opcode Fuzzy Hash: abdd792a5bc9c219a9adbd70a3dc54ff950702e28b19e6a4559b7fea26041945
      • Instruction Fuzzy Hash: D46107722012408BD720AF75EC89B2277A4EB92315F1A453FEC45AA2E1D7786C74CB5E
      APIs
      • GetModuleHandleW.KERNEL32(user32,00000000,?,?,?), ref: 0041E2A0
      • GetModuleHandleW.KERNEL32(kernel32,?,?), ref: 0041E2AC
      • GetModuleHandleW.KERNEL32(comctl32,?,?), ref: 0041E2B8
      • GetModuleHandleW.KERNEL32(gdi32,?,?), ref: 0041E2C4
      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000104,00000000,00000000,?,?,?,?,?), ref: 0041E325
      • GetProcAddress.KERNEL32(00000000,?), ref: 0041E342
      • GetProcAddress.KERNEL32(00000057,?), ref: 0041E38C
      • WideCharToMultiByte.KERNEL32(00000000,00000000,-00000002,000000FF,?,00000104,00000000,00000000,?,?,?,?,?), ref: 0041E3C0
      • GetModuleHandleW.KERNEL32(?,?,?,?,?,?), ref: 0041E3CE
      • LoadLibraryW.KERNEL32(?,?,?,?,?,?), ref: 0041E3E2
      • GetProcAddress.KERNEL32(00000000,?), ref: 0041E429
      • GetProcAddress.KERNEL32(00000000,?), ref: 0041E44F
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: HandleModule$AddressProc$ByteCharMultiWide$LibraryLoad
      • String ID: Call to nonexistent function.$Failed to load DLL.$comctl32$gdi32$kernel32$user32
      • API String ID: 2554685833-2055167431
      • Opcode ID: ddb1c30613f05f8edc42b7d4188c25e8a0acd389618983ce7ba34168fb6112b7
      • Instruction ID: 47df5420f24297464050ec7f4017d15ab154f492760431c7e577eb4d61dc48a8
      • Opcode Fuzzy Hash: ddb1c30613f05f8edc42b7d4188c25e8a0acd389618983ce7ba34168fb6112b7
      • Instruction Fuzzy Hash: 9B51E7759043565BDB209F669C40AA7B7ECEF54700F000A3BED44D7351E778E8158B9D
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: __alloca_probe_16
      • String ID: %.17g$Class$Divide by zero.$Integer$Number$Out of memory.$Prototype$String$String or VarRef
      • API String ID: 1700504859-2784045135
      • Opcode ID: d45e9031007fe0d4a22725aaa0b2643a1cf8941722e95fff7d1126ef541884bf
      • Instruction ID: 48d4e1d5280c9e7dcdf47a7b70852feb1b387601eecc531d0499893d4443cfbe
      • Opcode Fuzzy Hash: d45e9031007fe0d4a22725aaa0b2643a1cf8941722e95fff7d1126ef541884bf
      • Instruction Fuzzy Hash: 15138F74E00605DFDB29CF59C480A6EB7B1FF49305F24816BE816AB352D738AD49CB89
      APIs
      • FindFirstFileW.KERNEL32(?,?,?,?,?,00000003), ref: 00421139
      • GetTickCount.KERNEL32 ref: 00421146
      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0042116A
      • GetTickCount.KERNEL32 ref: 00421181
      • FindNextFileW.KERNEL32(00000000,00000010), ref: 00421242
      • FindClose.KERNEL32(00000000), ref: 00421255
      • FindFirstFileW.KERNEL32(?,?), ref: 0042128C
      • GetTickCount.KERNEL32 ref: 004212A3
      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 004212C3
      • GetTickCount.KERNEL32 ref: 004212DA
      • FindNextFileW.KERNEL32(00000000,00000010), ref: 0042136C
      • FindClose.KERNEL32(00000000), ref: 0042137B
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: Find$CountFileTick$CloseFirstMessageNextPeek
      • String ID: %s\%s$.
      • API String ID: 651082337-2631528844
      • Opcode ID: c25fb9ee30cd5a15c65a4abb0d7fb5c3fdb327a2fb289e2923898df739dba0a9
      • Instruction ID: 5701fa05077a80bb08ad830bcb5d525222b8b49f53fe38bc3e86de57baa2fec4
      • Opcode Fuzzy Hash: c25fb9ee30cd5a15c65a4abb0d7fb5c3fdb327a2fb289e2923898df739dba0a9
      • Instruction Fuzzy Hash: 4A7105307043169BC714DF24D8847ABB7E8BB54304F90066EF895932A0DB78E991CB9A
      APIs
      • WideCharToMultiByte.KERNEL32(000004B0,?,?,?,00000000,00000000,00000000,00000000), ref: 00425C1C
      • GetLastError.KERNEL32 ref: 00425C26
      • WideCharToMultiByte.KERNEL32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00425C52
      • GetLastError.KERNEL32 ref: 00425C5C
      • WideCharToMultiByte.KERNEL32(000004B0,?,?,?,00010000,00000000,00000000,00000000), ref: 00425C91
      • GetLastError.KERNEL32 ref: 00425CA3
      • WideCharToMultiByte.KERNEL32(?,00000000,?,?,00010000,00000000,00000000,00000000), ref: 00425CC5
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: ByteCharMultiWide$ErrorLast
      • String ID: %.17g$Invalid Encoding.$Invalid Length.$Invalid parameter(s).$Parameter #1 invalid.$String
      • API String ID: 1717984340-2429157911
      • Opcode ID: 19312ee4671b203eceba44b91be914f10db1136d4294d9a440e11658a961aa0e
      • Instruction ID: 1b8c4836000c28741a64299f45ca15d16b9dd25b97df705cbc551828fdf08d7a
      • Opcode Fuzzy Hash: 19312ee4671b203eceba44b91be914f10db1136d4294d9a440e11658a961aa0e
      • Instruction Fuzzy Hash: 3132DF717047109BDB149F25E880B2BB7E1EF88318F94466EF9499B390E778DC41CB8A
      APIs
      • GetFileAttributesW.KERNEL32(?), ref: 00450385
      • __alloca_probe_16.LIBCMT ref: 004503EA
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: AttributesFile__alloca_probe_16
      • String ID: AutoHotkey v2.0.18$File$Folder$Select %s - %s$The maximum number of File Dialogs has been reached.
      • API String ID: 2990345066-3139239738
      • Opcode ID: e95963c27fcff531fb6c37167720b89213f460ff0d548ce64a2f31bec0c46be1
      • Instruction ID: 0fbdeb07dfbbee608a064bb3774daf91c57abf4a4dbdd9ba60740f0d60f83c09
      • Opcode Fuzzy Hash: e95963c27fcff531fb6c37167720b89213f460ff0d548ce64a2f31bec0c46be1
      • Instruction Fuzzy Hash: 4812C175A002099FDB10DF64C885BAEB7B4FF88305F14806AE905EB392DB789D45CB95
      APIs
      • __alloca_probe_16.LIBCMT ref: 0041876E
      • BlockInput.USER32(00000001), ref: 004187E0
      • GetTickCount.KERNEL32 ref: 00418826
      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00418845
      • GetTickCount.KERNEL32 ref: 00418870
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: CountTick$BlockInputMessagePeek__alloca_probe_16
      • String ID: ^+!#{}
      • API String ID: 1328274611-4054666095
      • Opcode ID: 48990696cc14db27c1826203071698f1bca697151d4f9ec0484f8a1c5aa72025
      • Instruction ID: 4f119648728cde98a86eec70e03ed7ac89b1ea861e01e0edd211f69ecd686be4
      • Opcode Fuzzy Hash: 48990696cc14db27c1826203071698f1bca697151d4f9ec0484f8a1c5aa72025
      • Instruction Fuzzy Hash: A2D1C3305043C49AEF159F2499A57EA3FD1AB16308F58016EE8944B3E3CB7A9CC5CB5E
      APIs
      • GetForegroundWindow.USER32 ref: 004554B4
      • IsIconic.USER32(00000000), ref: 004554C1
      • GetWindowRect.USER32(00000000,?), ref: 004554D6
      • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 0045552C
        • Part of subcall function 00427BC0: GetDC.USER32(00000000), ref: 00427CC2
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: Window$CreateForegroundIconicRect
      • String ID: 0x%06X$Alt$DISPLAY$Slow
      • API String ID: 1835368863-997900968
      • Opcode ID: 873b166272e6db8820c8554b9a73f442ac3d9704130516a55c17c9328dceb841
      • Instruction ID: a8651f70795387fdb9e8f175c2f76ffdb4ca550749da0d9336e7a84f2f6b4c54
      • Opcode Fuzzy Hash: 873b166272e6db8820c8554b9a73f442ac3d9704130516a55c17c9328dceb841
      • Instruction Fuzzy Hash: BE41B031600614ABD7109F25DC59B7E77E9EF85352F01416AFC099B281EB38ED09CBAA
      APIs
      • GetProcAddress.KERNEL32(00000000), ref: 0042D86A
      • GetProcAddress.KERNEL32(00000000), ref: 0042D8FD
      • StrCmpLogicalW.SHLWAPI(?,00000000), ref: 0042DB4A
      • lstrcmpiW.KERNEL32(00000000,00000000), ref: 0042DB74
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: AddressProc$Logicallstrcmpi
      • String ID: Advapi32$Off$Random$SystemFunction036$ocale$ogical
      • API String ID: 3942001992-1781886413
      • Opcode ID: f5329900c66211f03e578ff88e3b23eff847f5a1776c8ed351f68155e028d3a3
      • Instruction ID: bbeb24065279c3d5653e0747aad662ec3365b49b067ee85640dc91fb9f291dbf
      • Opcode Fuzzy Hash: f5329900c66211f03e578ff88e3b23eff847f5a1776c8ed351f68155e028d3a3
      • Instruction Fuzzy Hash: 3D422670B043519BDB14DF24E880B6BB7E1AF94308F94442FE8899B391E779DD45C78A
      APIs
      • OpenProcess.KERNEL32(00101000,00000000,00000000), ref: 0045868F
      • GetProcessId.KERNEL32(00000000), ref: 0045869F
      • WaitForSingleObject.KERNEL32(00000000,00000000), ref: 004586AC
      • CloseHandle.KERNEL32(00000000), ref: 004586B5
      • GetLastError.KERNEL32 ref: 004586D5
      • CreateToolhelp32Snapshot.KERNEL32 ref: 00458700
      • Process32FirstW.KERNEL32(00000000,?), ref: 0045870E
      • Process32NextW.KERNEL32(00000000,?), ref: 00458720
      • Process32NextW.KERNEL32(00000000,?), ref: 00458760
      • CloseHandle.KERNEL32(00000000), ref: 00458767
      • CloseHandle.KERNEL32(00000000), ref: 0045877B
      • CloseHandle.KERNEL32(00000000,?,?,00000002,00000000), ref: 00458799
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: CloseHandle$Process32$NextProcess$CreateErrorFirstLastObjectOpenSingleSnapshotToolhelp32Wait
      • String ID:
      • API String ID: 2845856064-0
      • Opcode ID: b29619dd7ab461294b81115de22709510889d5e0693a3a7fd2f49273e4f9d07e
      • Instruction ID: 59936a43267be737c48344e2229ca60a79dc0c7355de6462757e68af676d593e
      • Opcode Fuzzy Hash: b29619dd7ab461294b81115de22709510889d5e0693a3a7fd2f49273e4f9d07e
      • Instruction Fuzzy Hash: 1441F6326053406BE7606B259C49B6F779CEF85356F44063EFD40A1282DF6DC90DC6AA
      APIs
      • GetModuleHandleW.KERNEL32(Advapi32,SystemFunction036), ref: 00427223
      • GetProcAddress.KERNEL32(00000000), ref: 0042722A
      • __aullrem.LIBCMT ref: 004273D9
      • GetModuleHandleW.KERNEL32(Advapi32,SystemFunction036,000000FF,000000FF,?,?), ref: 0042741F
      • GetProcAddress.KERNEL32(00000000), ref: 00427426
      • __aullrem.LIBCMT ref: 00427465
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: AddressHandleModuleProc__aullrem
      • String ID: Advapi32$An internal function call failed.$Number$SystemFunction036
      • API String ID: 1875050735-678479747
      • Opcode ID: 6fc6b096d1ba2c2adb4d7b3fd0a5987345706caa5730eb0369e4bdd3bf9d31e1
      • Instruction ID: f19d34b2dbefd85eefbc9b73f4ae524cc452288664a67e7155f0fd332f40dc49
      • Opcode Fuzzy Hash: 6fc6b096d1ba2c2adb4d7b3fd0a5987345706caa5730eb0369e4bdd3bf9d31e1
      • Instruction Fuzzy Hash: 74D12731B08B21CBC711DF25E88062BB7A2EFDA354F54475FF8551B262DB389881C78A
      APIs
      • GetTickCount.KERNEL32 ref: 004191EC
      • GetKeyState.USER32(00000014), ref: 00419297
      • GetKeyState.USER32(00000014), ref: 004192A3
      • GetForegroundWindow.USER32(00000000), ref: 004192E6
      • GetWindowThreadProcessId.USER32(00000000), ref: 004192EF
      • AttachThreadInput.USER32(?,00000000), ref: 00419339
      • BlockInput.USER32(00000000), ref: 0041934D
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: InputStateThreadWindow$AttachBlockCountForegroundProcessTick
      • String ID: (
      • API String ID: 1854081239-1334834377
      • Opcode ID: 151e542cbbd1c34412b3d821f62eb4728ce4b76482d54a7dcfb63c2dffed0db1
      • Instruction ID: 3ffb47d555199440253620cb374f1ae60b818384ea171c6c487113cab765c737
      • Opcode Fuzzy Hash: 151e542cbbd1c34412b3d821f62eb4728ce4b76482d54a7dcfb63c2dffed0db1
      • Instruction Fuzzy Hash: CD511A309042C49BEF159F64DDA57E93B90AB06308F58016AE9604F3E3C7799CC5CB5D
      APIs
      • GetKeyState.USER32(00000014), ref: 00419297
      • GetKeyState.USER32(00000014), ref: 004192A3
      • GetForegroundWindow.USER32(00000000), ref: 004192E6
      • GetWindowThreadProcessId.USER32(00000000), ref: 004192EF
      • AttachThreadInput.USER32(?,00000000), ref: 00419339
      • BlockInput.USER32(00000000), ref: 0041934D
      • GetTickCount.KERNEL32 ref: 004193A9
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: InputStateThreadWindow$AttachBlockCountForegroundProcessTick
      • String ID: (
      • API String ID: 1854081239-1334834377
      • Opcode ID: d91adb930c7b5b3ae489b4ede97307e49d51e2019ce35abd02fc2327074c284d
      • Instruction ID: ed25082630f35ba4bf09d02e107cfdd65aba681d83cb81ba848c6c24b2b8557d
      • Opcode Fuzzy Hash: d91adb930c7b5b3ae489b4ede97307e49d51e2019ce35abd02fc2327074c284d
      • Instruction Fuzzy Hash: 175119309042C49BEF159F64DDA57E93BA0AB06308F18016AE9654F3E3C7B99CC6CB5D
      APIs
      • GetFileAttributesW.KERNEL32 ref: 004218E2
      • FindFirstFileW.KERNEL32(?,?), ref: 0042192A
      • FindNextFileW.KERNEL32(00000000,?), ref: 00421963
      • FindNextFileW.KERNEL32(00000000,?), ref: 00421988
      • FindClose.KERNEL32(00000000), ref: 00421999
      • FindClose.KERNEL32(00000000), ref: 004219A9
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: Find$File$CloseNext$AttributesFirst
      • String ID: .$\\?\
      • API String ID: 318733699-1717246988
      • Opcode ID: 814a563f06485572b0adfdce974a25ff2b17036bdd952c17b0277b77ac2ffd35
      • Instruction ID: 170c8a1967bbb2268519e2ce6bf995db4ed9fb3cee80478b671a25b10726a66d
      • Opcode Fuzzy Hash: 814a563f06485572b0adfdce974a25ff2b17036bdd952c17b0277b77ac2ffd35
      • Instruction Fuzzy Hash: 5741C8B57003219BCB209B18E89073BB3E4AF95750F84466FF854973A0DB78CC85C799
      APIs
      • GetMessageW.USER32(00000000,00000000,00000000,00000000), ref: 0041308B
      • SetWindowsHookExW.USER32(0000000D,Function_0000E970,00000000), ref: 004130F7
      • UnhookWindowsHookEx.USER32(00000000), ref: 00413110
      • GetLastError.KERNEL32 ref: 00413116
      • SetWindowsHookExW.USER32(0000000E,Function_0000EAB0,00000000), ref: 0041315C
      • UnhookWindowsHookEx.USER32(00000000), ref: 00413170
      • GetLastError.KERNEL32 ref: 00413176
      • PostThreadMessageW.USER32(00000417,00000000,00000000), ref: 004131A5
      • GetTickCount.KERNEL32 ref: 00413231
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: HookWindows$ErrorLastMessageUnhook$CountPostThreadTick
      • String ID:
      • API String ID: 2550890409-0
      • Opcode ID: f00ea6cb16f3c925980807a51e161bb720f9db2a0228e1b078c74065107413b7
      • Instruction ID: fa896f01f3a4773703b62f8b3f73e371bfd0eef5f94ad89133a794d48c42aaac
      • Opcode Fuzzy Hash: f00ea6cb16f3c925980807a51e161bb720f9db2a0228e1b078c74065107413b7
      • Instruction Fuzzy Hash: CC51B470540341BAEB20DF29EC45BA73AD4A71474AF14047FE5049A2E2DB7D9AC8CB9E
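      Triage note (added example, not part of the Joe Sandbox report or of AutoHotkey): the function above installs hook type 0x0D (WH_KEYBOARD_LL) and 0x0E (WH_MOUSE_LL), the process-enumeration function earlier pairs CreateToolhelp32Snapshot with Process32FirstW/NextW, the BlockInput functions call BlockInput(1) and AttachThreadInput, and the "Random" function resolves SystemFunction036 (RtlGenRandom) from Advapi32; the GetAsyncKeyState function further down polls virtual keys 0xA0-0xA5 and 0x5B/0x5C, i.e. left/right Shift, Ctrl, Alt and Win. Every one of these is a feature of the AutoHotkey v2 runtime itself (the string "AutoHotkey v2.0.18" appears in the file-dialog function), so they fire on any compiled AutoHotkey binary regardless of what the embedded script does. The script below parses "APIs" / "String ID" blocks in exactly the format shown on this page, tags each function with the capability its calls imply, and reports whether anything found goes beyond the interpreter baseline. The SAMPLE text is copied from this report; the tag names and the AHK_RUNTIME baseline are the editor's own assumptions, not output of Joe Sandbox.

```python
"""Capability triage over a Joe Sandbox IDA-plugin function listing (added example)."""
import re
from dataclasses import dataclass, field

# Matches "SetWindowsHookExW.USER32(0000000D,Function_0000E970,00000000), ref: 004130F7"
# and "GetTickCount.KERNEL32 ref: 00413231" (no argument list), after the bullet is stripped.
API_LINE = re.compile(
    r"(?:Part of subcall function \w+:\s*)?(\w+)\.(\w+)(?:\(([^)]*)\))?,?\s+ref:\s*([0-9A-Fa-f]+)$")
STRING_LINE = re.compile(r"String ID:\s*(.*)$")

@dataclass
class Func:
    calls: list = field(default_factory=list)    # (api, module, args, ref)
    strings: list = field(default_factory=list)

def parse_blocks(text):
    """Split the listing at each 'APIs' header; collect the calls and '$'-joined strings under it."""
    funcs, cur = [], None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if line == "APIs":
            cur = Func()
            funcs.append(cur)
        elif cur is not None and (m := API_LINE.match(line)):
            args = [a.strip() for a in (m.group(3) or "").split(",") if a.strip()]
            cur.calls.append((m.group(1), m.group(2), args, m.group(4)))
        elif cur is not None and (m := STRING_LINE.match(line)):
            cur.strings.extend(s for s in m.group(1).split("$") if s)
    return funcs

WH_KEYBOARD_LL, WH_MOUSE_LL = 0x0D, 0x0E
VK_MODIFIERS = {0xA0, 0xA1, 0xA2, 0xA3, 0xA4, 0xA5, 0x5B, 0x5C}   # L/R Shift, Ctrl, Alt, Win

def hexarg(args, i):
    """Argument i as an int, or None when it is '?' or absent."""
    try:
        return int(args[i], 16)
    except (IndexError, ValueError):
        return None

def classify(f):
    """Capability tags implied by one function's calls and strings (tag names are assumptions)."""
    names = {api for api, _, _, _ in f.calls}
    tags = set()
    for api, _, args, _ in f.calls:
        if api == "SetWindowsHookExW" and hexarg(args, 0) == WH_KEYBOARD_LL:
            tags.add("ll-keyboard-hook")
        elif api == "SetWindowsHookExW" and hexarg(args, 0) == WH_MOUSE_LL:
            tags.add("ll-mouse-hook")
        elif api == "GetAsyncKeyState" and hexarg(args, 0) in VK_MODIFIERS:
            tags.add("modifier-polling")
        elif api == "BlockInput" and hexarg(args, 0) == 1:
            tags.add("input-blocking")
        elif api == "CreateDCW" and args[:1] == ["DISPLAY"]:
            tags.add("screen-capture")
    if {"CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW"} <= names:
        tags.add("process-enumeration")
    if "AttachThreadInput" in names:
        tags.add("thread-input-attach")
    if {"SetClipboardData", "EmptyClipboard"} & set(f.strings):
        tags.add("clipboard-write")
    if "SystemFunction036" in f.strings:          # RtlGenRandom resolved from Advapi32
        tags.add("rtlgenrandom")
    return tags

# Assumption: the AutoHotkey v2 runtime (hotkeys, Send, ClipboardAll, ProcessExist, Random,
# PixelSearch) carries all of these, so seeing them says nothing about the embedded script.
AHK_RUNTIME = {"ll-keyboard-hook", "ll-mouse-hook", "modifier-polling", "input-blocking",
               "thread-input-attach", "process-enumeration", "clipboard-write",
               "rtlgenrandom", "screen-capture"}

def triage(text):
    """Return ({tag: [first call ref of each tagged function]}, verdict string)."""
    found, verdict = {}, "no-capability-tags"
    for f in parse_blocks(text):
        loc = f.calls[0][3] if f.calls else "?"
        for tag in classify(f):
            found.setdefault(tag, set()).add(loc)
    if found:
        custom = set(found) - AHK_RUNTIME
        verdict = ("custom-capability: review " + ",".join(sorted(custom))) if custom \
            else "runtime-inherent: extract and read the embedded script before judging"
    return {tag: sorted(refs) for tag, refs in sorted(found.items())}, verdict

# Constructed sample: lines copied from the function blocks on this page.
SAMPLE = """\
APIs
• __alloca_probe_16.LIBCMT ref: 0041876E
• BlockInput.USER32(00000001), ref: 004187E0
• String ID: ^+!#{}
APIs
• OpenProcess.KERNEL32(00101000,00000000,00000000), ref: 0045868F
• CreateToolhelp32Snapshot.KERNEL32 ref: 00458700
• Process32FirstW.KERNEL32(00000000,?), ref: 0045870E
• Process32NextW.KERNEL32(00000000,?), ref: 00458720
• String ID:
APIs
• GetModuleHandleW.KERNEL32(Advapi32,SystemFunction036), ref: 00427223
• String ID: Advapi32$An internal function call failed.$Number$SystemFunction036
APIs
• GetMessageW.USER32(00000000,00000000,00000000,00000000), ref: 0041308B
• SetWindowsHookExW.USER32(0000000D,Function_0000E970,00000000), ref: 004130F7
• SetWindowsHookExW.USER32(0000000E,Function_0000EAB0,00000000), ref: 0041315C
APIs
• GetAsyncKeyState.USER32(000000A0), ref: 0041C262
• GetAsyncKeyState.USER32(0000005C), ref: 0041C316
• GetTickCount.KERNEL32 ref: 0041C34F
"""

if __name__ == "__main__":
    tags, verdict = triage(SAMPLE)
    for tag, refs in tags.items():
        print(f"{tag:22s} {' '.join(refs)}")
    print(verdict)
```

      The verdict for this report is "runtime-inherent": nothing in the listed functions distinguishes a malicious compiled script from a benign one. The check that actually settles it is pulling the script out of the binary (Ahk2Exe typically stores it as an RCDATA resource named ">AUTOHOTKEY SCRIPT<") and reading what it does with the hooks, the clipboard and the foreground window; the double extension in the sample name, not these API calls, is the only genuinely suspicious indicator on this page.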
      APIs
      • GetAsyncKeyState.USER32(000000A0), ref: 0041C262
      • GetAsyncKeyState.USER32(000000A1), ref: 0041C274
      • GetAsyncKeyState.USER32(000000A2), ref: 0041C290
      • GetAsyncKeyState.USER32(000000A3), ref: 0041C2AC
      • GetAsyncKeyState.USER32(000000A4), ref: 0041C2C8
      • GetAsyncKeyState.USER32(000000A5), ref: 0041C2E4
      • GetAsyncKeyState.USER32(0000005B), ref: 0041C2FD
      • GetAsyncKeyState.USER32(0000005C), ref: 0041C316
      • GetTickCount.KERNEL32 ref: 0041C34F
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: AsyncState$CountTick
      • String ID:
      • API String ID: 2436570381-0
      • Opcode ID: 2f7cb55a06780485849cf7e3ca1f44b5caa316beef9e38e16f25660b438a9cc3
      • Instruction ID: 2c346c4d75e8fc85744cb4534b4e55fd7a6c44fd87afc067e7f132d7b6a7ddc8
      • Opcode Fuzzy Hash: 2f7cb55a06780485849cf7e3ca1f44b5caa316beef9e38e16f25660b438a9cc3
      • Instruction Fuzzy Hash: F83126386903B19FE705872698E07FA3BD05786351F14C06FA8D08B3D2CABD48499B5C
      APIs
      • GetKeyState.USER32(?), ref: 004509FF
      • GetKeyState.USER32(?), ref: 00450A11
      • GetForegroundWindow.USER32(00000000), ref: 00450A52
      • GetWindowThreadProcessId.USER32(00000000), ref: 00450A59
      • GetKeyState.USER32(?), ref: 00450A96
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: State$Window$ForegroundProcessThread
      • String ID: AlwaysOff$AlwaysOn
      • API String ID: 2921243749-824823093
      • Opcode ID: 3cbd08aaa8b963c3975a6ce0ab54e1163017e04ed46bd71fe17f1c7fd8fa8ca2
      • Instruction ID: 2a068d03dd8e63efb69d09282ca752a9b3b2f389497dccf6ec53ee1574e34061
      • Opcode Fuzzy Hash: 3cbd08aaa8b963c3975a6ce0ab54e1163017e04ed46bd71fe17f1c7fd8fa8ca2
      • Instruction Fuzzy Hash: C2417D72A402905BEB106B29AC917EA7790DB9171AF54013FF9419F3C3D7BE5C4883AD
      APIs
      • GetModuleHandleW.KERNEL32(ntdll.dll,RtlGetVersion), ref: 004010AB
      • GetProcAddress.KERNEL32(00000000), ref: 004010B2
      • GetVersionExW.KERNEL32(004EA680), ref: 004010DB
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: AddressHandleModuleProcVersion
      • String ID: %u.%u.%u$10.0.19045$RtlGetVersion$ntdll.dll
      • API String ID: 3310240892-3673595452
      • Opcode ID: dcceb92e92ec763735ffbd051c0038fe71b3a479114339dbff9df39ed2850efb
      • Instruction ID: 518c6011e0b49e29ac7d5d4dd8bc8d36bf6524e51a7ca4c5b0590b2729c21d33
      • Opcode Fuzzy Hash: dcceb92e92ec763735ffbd051c0038fe71b3a479114339dbff9df39ed2850efb
      • Instruction Fuzzy Hash: 473167305042C08EDB05CB38ADD87567BB4E32A304F9984BEE4409E7A7D2B9E4A4C71F
      APIs
      • GetCurrentProcess.KERNEL32(00000028), ref: 004585C9
      • OpenProcessToken.ADVAPI32(00000000), ref: 004585D0
      • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004585E6
      • AdjustTokenPrivileges.ADVAPI32 ref: 0045860D
      • GetLastError.KERNEL32 ref: 00458613
      • ExitWindowsEx.USER32(00000000,00000000), ref: 00458622
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
      • String ID: SeShutdownPrivilege
      • API String ID: 107509674-3733053543
      • Opcode ID: 083d0b2601dcc088826daef6c042392a3ea99cd1cb50748ab2f23ae9f5a24927
      • Instruction ID: 55ce9a847fce807ae8b896f3c89a6718734bec11ad7196f8aba6484eb12d4ff3
      • Opcode Fuzzy Hash: 083d0b2601dcc088826daef6c042392a3ea99cd1cb50748ab2f23ae9f5a24927
      • Instruction Fuzzy Hash: A301A4B5254701ABE710BF60DC0AF5A7AACBB40B46F81492CB945D12E1EF78C40CCA3B
      APIs
      • SendMessageW.USER32(0000000C,00000000,?,00000000), ref: 0044F22B
      • IsWindowVisible.USER32 ref: 0044F237
      • ShowWindow.USER32(00000005,?,00000000,?,0040D1B0,00000000), ref: 0044F24F
      • IsIconic.USER32 ref: 0044F257
      • ShowWindow.USER32(00000009,?,00000000,?,0040D1B0,00000000), ref: 0044F269
      • GetForegroundWindow.USER32(?,00000000,?,0040D1B0,00000000), ref: 0044F26B
      • SetForegroundWindow.USER32(00010418), ref: 0044F27C
      • SendMessageW.USER32(000000B6,00000000,000F423F), ref: 0044F2A9
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: Window$ForegroundMessageSendShow$IconicVisible
      • String ID:
      • API String ID: 631031280-0
      • Opcode ID: bae5cc1e8322417a3995b664a03010f21be1b37f4d60de874558e17ac2fc49d2
      • Instruction ID: eb46dd2f4be5da59884f783b142d1b481f8822a50db1ad1fd4df65a2fcea1686
      • Opcode Fuzzy Hash: bae5cc1e8322417a3995b664a03010f21be1b37f4d60de874558e17ac2fc49d2
      • Instruction Fuzzy Hash: 7831D3395452419BFB20AB60ED81BAB7758BB21300F58057FF80597262DF7E980CCB5E
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID:
      • String ID: $@$E$Q\E$]$^$alpha$hK
      • API String ID: 0-1449264828
      • Opcode ID: 9217f614031511de544536b898498ed1436420b6cc428570e62ea3e2efc842db
      • Instruction ID: a27c6eac762b5a2e30d4fd445a28b048757f52d42870b5a222a316f36c6fc25d
      • Opcode Fuzzy Hash: 9217f614031511de544536b898498ed1436420b6cc428570e62ea3e2efc842db
      • Instruction Fuzzy Hash: CFC2AB71A083518FD724DF18C49036FB7E1FF89314F188D2EE9998B391D77898858B9A
      APIs
      • CLSIDFromString.OLE32(00000000,?), ref: 0042B31C
        • Part of subcall function 0042AE62: CoCreateInstance.OLE32(004D53F4,00000000,00000017,004D5404,?), ref: 0042AE87
      Strings
      • Device not found, xrefs: 0042B456
      • Component not found, xrefs: 0042B614
      • Component doesn't support this control type, xrefs: 0042B65D
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: CreateFromInstanceString
      • String ID: Component doesn't support this control type$Component not found$Device not found
      • API String ID: 432265043-3153638422
      • Opcode ID: 38214a155089a88688a53f7362e32734eb5c0be1e5132abf4ffe59d8da023f04
      • Instruction ID: 0bdf0956d1bde0bdafc6937c7d4fd4e008822de8a64bfa0666a9370ef292cb7f
      • Opcode Fuzzy Hash: 38214a155089a88688a53f7362e32734eb5c0be1e5132abf4ffe59d8da023f04
      • Instruction Fuzzy Hash: 9B22D170A00729DFDB15DF36D880AAE77A5EF49340F54865AFC05AB251EB38EC85CB84
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID:
      • String ID: Comments$Invalid option.$Join$LTrim$Missing ")"$Out of memory.$RTrim$uM
      • API String ID: 0-4144549416
      • Opcode ID: 9a1096c10deeb9eb29a75fc21ae679745d606f662f85ec0031745bf85119635e
      • Instruction ID: de9067138576e978e2ec42ed5d74f6b7e53c660881b793ef527bf82fde45c01d
      • Opcode Fuzzy Hash: 9a1096c10deeb9eb29a75fc21ae679745d606f662f85ec0031745bf85119635e
      • Instruction Fuzzy Hash: C532D271A043018BCB24DF18E481A6BB3E1FF99708F14956FE8958B391E739ED45CB4A
      APIs
      • FindFirstFileW.KERNEL32(?,?), ref: 0042142D
      • GetLastError.KERNEL32 ref: 00421438
      • FindClose.KERNEL32(00000000), ref: 00421453
      • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0042145F
      • FileTimeToSystemTime.KERNEL32(?,?), ref: 00421485
      Strings
      • %04d%02d%02d%02d%02d%02d, xrefs: 004214B3
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: FileTime$Find$CloseErrorFirstLastLocalSystem
      • String ID: %04d%02d%02d%02d%02d%02d
      • API String ID: 3800350769-4847443
      • Opcode ID: 7bd8d89355ad2d128d0a75358ab60eeed178b0fc0a160c5b07eb2e8df1106b64
      • Instruction ID: dd3deb45c22636744374d111fa59d19221ccccead91ad51dfc98730b4332daf9
      • Opcode Fuzzy Hash: 7bd8d89355ad2d128d0a75358ab60eeed178b0fc0a160c5b07eb2e8df1106b64
      • Instruction Fuzzy Hash: A541C6726042159FC7209F5CE8446AB73E8EB99325F04066BFC58D72A0D778DC85C7A6
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: __floor_pentium4
      • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
      • API String ID: 4168288129-2761157908
      • Opcode ID: 3485d9ed5f2828f8f05748354bf4ec353910a8278b2b4e7f99738cbc89075cd1
      • Instruction ID: 4720d8315967d53da1284a8f3e40025d7554fe38c99117de8fa3ebd8d5c741f7
      • Opcode Fuzzy Hash: 3485d9ed5f2828f8f05748354bf4ec353910a8278b2b4e7f99738cbc89075cd1
      • Instruction Fuzzy Hash: 32D23872E082288FDB64CE28CD507EAB7B5EB55305F5445EBD40DE3240EB78AE818F95
      APIs
      • CreateFileW.KERNEL32(?,00000080,00000007,00000000,00000003,00000000,00000000), ref: 0042174D
      • GetFileSizeEx.KERNEL32(00000000,?), ref: 00421760
      • CloseHandle.KERNEL32(00000000), ref: 00421769
      • FindFirstFileW.KERNEL32(?,?), ref: 00421783
      • GetLastError.KERNEL32 ref: 0042178E
      • FindClose.KERNEL32(00000000), ref: 004217AA
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: File$CloseFind$CreateErrorFirstHandleLastSize
      • String ID:
      • API String ID: 2200430037-0
      • Opcode ID: 884bf45b3631197993794c994b205e60d4af695133d4bf7b563c38a9fd2dad93
      • Instruction ID: eed560e0c4925a43e0c7ad0d9869df5ca471c24d76e03aa833f579c98615d465
      • Opcode Fuzzy Hash: 884bf45b3631197993794c994b205e60d4af695133d4bf7b563c38a9fd2dad93
      • Instruction Fuzzy Hash: 2141D272B002148FC320DF2CE88876AB7E8EBD5720F65462AF858973E0D7749C45C6A9
      APIs
      • std::__non_rtti_object::__construct_from_string_literal.LIBVCRUNTIME ref: 004B606E
        • Part of subcall function 0049D726: RaiseException.KERNEL32(E06D7363,00000001,00000003,0049BBAC,00000000,00000001,?,?,0049BBAC,00000000,004DF048,00000000), ref: 0049D786
      • ___except_validate_context_record.LIBVCRUNTIME ref: 004B60BE
        • Part of subcall function 004B62E0: __FindPESection.LIBCMT ref: 004B6411
      • _CallDestructExceptionObject.LIBVCRUNTIME ref: 004B6140
      Strings
      • Access violation - no RTTI data!, xrefs: 004B6065
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: Exception$CallDestructFindObjectRaiseSection___except_validate_context_recordstd::__non_rtti_object::__construct_from_string_literal
      • String ID: Access violation - no RTTI data!
      • API String ID: 2298779798-2158758863
      • Opcode ID: b164f8f836cb7fd42ff6d76f5af93bc521382c868369902332023e6c96f0fcb2
      • Instruction ID: 0308f561a82baba4d12d777f204ceee7ae0e88f1519898c80cc18e726a09d201
      • Opcode Fuzzy Hash: b164f8f836cb7fd42ff6d76f5af93bc521382c868369902332023e6c96f0fcb2
      • Instruction Fuzzy Hash: 0231EA72900204ABCB14EF69CC858EBBBA5FF44350F05846AE91597246E738F915CBA5
      APIs
      • GetDriveTypeW.KERNEL32(?), ref: 0041F69E
      • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 0041F6BD
      • DeviceIoControl.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,?,00000000), ref: 0041F6F2
      • CloseHandle.KERNEL32(00000000), ref: 0041F6FB
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: CloseControlCreateDeviceDriveFileHandleType
      • String ID:
      • API String ID: 3103408351-0
      • Opcode ID: c7deb4357a7eac283edbd35c8dd54121c146651c32cb0f2dce3193a875464aeb
      • Instruction ID: 5e10fb9592b780abdd669ee71a4cb1aa431bb41e0d2277cef995b5077fd4b183
      • Opcode Fuzzy Hash: c7deb4357a7eac283edbd35c8dd54121c146651c32cb0f2dce3193a875464aeb
      • Instruction Fuzzy Hash: AE210A31911214ABCB209BA89C44BEF777CEF45760F11453AE905E7290E2748F8BC7AA
      APIs
      • GetSystemMetrics.USER32(00000017), ref: 0041A805
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: MetricsSystem
      • String ID:
      • API String ID: 4116985748-0
      • Opcode ID: ef6ea63b91a74d730a2b8a08eb24b3e0bb71551068abd9992543f6e6cb50fa08
      • Instruction ID: a48ea0bfd18cce98b3630cfed6a4fb94b2f72ce934c11ac68ab5f5e69582da3b
      • Opcode Fuzzy Hash: ef6ea63b91a74d730a2b8a08eb24b3e0bb71551068abd9992543f6e6cb50fa08
      • Instruction Fuzzy Hash: 605125316052058FD711AA24D8817FB73E5EBC8314F15493EE859A3291D33C9EDA87AB
      APIs
      • SystemTimeToFileTime.KERNEL32(?,?), ref: 004215B5
      • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 004215C9
      • GetSystemTimeAsFileTime.KERNEL32(?), ref: 004215E3
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: Time$File$System$Local
      • String ID:
      • API String ID: 2859370177-0
      • Opcode ID: 1414169e0c0603bf0de0a09a1a4fc2238c88d298e579dfec258239aa1bfbff6d
      • Instruction ID: 2f91c26ab6b27c83611026af497debf11f981cd1aa0e398c70e11ba186792721
      • Opcode Fuzzy Hash: 1414169e0c0603bf0de0a09a1a4fc2238c88d298e579dfec258239aa1bfbff6d
      • Instruction Fuzzy Hash: 7A31D6727102155BC7109E69B80169B73DC9BD4721F4846ABFC48C72A0EA34DD45C79A
      APIs
      • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 004AB683
      • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 004AB68D
      • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 004AB69A
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: ExceptionFilterUnhandled$DebuggerPresent
      • String ID:
      • API String ID: 3906539128-0
      • Opcode ID: ce09050261eafa7afeaffa9ed45c51bff8ad5078d5b3b071489abe8290afa26f
      • Instruction ID: c1245e4f2872eaa8136eaa5db93b408ca2640f36a6acae7c35fc61d5aa21d4c2
      • Opcode Fuzzy Hash: ce09050261eafa7afeaffa9ed45c51bff8ad5078d5b3b071489abe8290afa26f
      • Instruction Fuzzy Hash: 9231C4749012189BCB21DF69DD897DDBBB8BF18310F5042EAE41CA6251EB749F818F49
      APIs
      • RegOpenKeyExW.ADVAPI32(?,00000000,00000000,?,?), ref: 0047D7E2
      • RegCloseKey.ADVAPI32(?,?,00000000,00000000,?,?), ref: 0047DAAC
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: CloseOpen
      • String ID:
      • API String ID: 47109696-0
      • Opcode ID: b955c94ab10a9be6059f880927daf52cff4d63212c47712ad2b7ea46ffaed9a8
      • Instruction ID: 12ed81a88f694ae1596f9828dd9ed8ed5a3a4a299d4ac5f42b48c15453484e58
      • Opcode Fuzzy Hash: b955c94ab10a9be6059f880927daf52cff4d63212c47712ad2b7ea46ffaed9a8
      • Instruction Fuzzy Hash: 85B16FB1A143029BD724DF24C880B6BB7F4FF88314F118A2EE999D7250E774E915CB99
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID:
      • String ID: >$hK
      • API String ID: 0-2687818355
      • Opcode ID: c9f86005d4ee89178901446dc1545e990b8c54811cf44c2c268f94df4bc12d5b
      • Instruction ID: 3c0ccb5df7d2da0b0335d1b202c08eb437b1b45dc4eceb175df402f2bb7d33ab
      • Opcode Fuzzy Hash: c9f86005d4ee89178901446dc1545e990b8c54811cf44c2c268f94df4bc12d5b
      • Instruction Fuzzy Hash: 9E427B75A083528BC724EF19C48066FB7E2FF89314F154E2EE8958B391D738D845CB9A
      APIs
      • GetComputerNameW.KERNEL32(?,?), ref: 00431844
      • GetUserNameW.ADVAPI32(?,?), ref: 0043184C
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: Name$ComputerUser
      • String ID:
      • API String ID: 4229901323-0
      • Opcode ID: 2287bd178e81f401bceba5230447b8b9b2717e0d01e522c82b1f55bf7da7663c
      • Instruction ID: 96d62bc833e0046f29f34975aa70b5f4f8169cd8d17ce4c1c7c6167442224486
      • Opcode Fuzzy Hash: 2287bd178e81f401bceba5230447b8b9b2717e0d01e522c82b1f55bf7da7663c
      • Instruction Fuzzy Hash: 4C1196B59002029BDB28EF54D485AB7B7B8FF54344F11093EED5583250F738E919CBAA
      APIs
      • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0041F5D1
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: DiskFreeSpace
      • String ID:
      • API String ID: 1705453755-0
      • Opcode ID: bfa6f6ddd888ba8d3504119213a5264a80a146f4951a5f768d5875e22dac63a1
      • Instruction ID: 08d45e4b4d6434f4957feaa2f23ba670158883450dda301b21d1790ba14bf2c3
      • Opcode Fuzzy Hash: bfa6f6ddd888ba8d3504119213a5264a80a146f4951a5f768d5875e22dac63a1
      • Instruction Fuzzy Hash: EF115171A10108ABDB11CFE4D844AEB73B9BB18304F1405BFE516D3252F678DA8ACB59
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID:
      • String ID: %04d%02d
      • API String ID: 0-2611399059
      • Opcode ID: eaf5a6562bedb44ecb56102043d875a025ccb23e683f64987df188384c4a8484
      • Instruction ID: 5dd2711fdd8bf6cd440e5e454be005b871fa5d35338f383bca0de216830a5ded
      • Opcode Fuzzy Hash: eaf5a6562bedb44ecb56102043d875a025ccb23e683f64987df188384c4a8484
      • Instruction Fuzzy Hash: C341B692B1011A07CB0C747D8E2637DA88F97E9714F48963BE642CEBE5E958EE064384
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: d5deea42a4a785f57d167b977e8bab4b3071fe3650c5221c1786f4ecf7c8f2f9
      • Instruction ID: 05839c76650d266486eb08bf63460c55dccfb887eb929b292897d503f6292971
      • Opcode Fuzzy Hash: d5deea42a4a785f57d167b977e8bab4b3071fe3650c5221c1786f4ecf7c8f2f9
      • Instruction Fuzzy Hash: 8C1247749083428FD724EF19C48176FB7E1FF88710F154A2EE999873A1D738A845CB9A
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 424021fe8640cdd9bebbb85aadf927048a9c2772c2e32434fd296c459dcefb5c
      • Instruction ID: cb0586aa4392fddb84ac494b41255f75352669cb82f6ea743b82011273149595
      • Opcode Fuzzy Hash: 424021fe8640cdd9bebbb85aadf927048a9c2772c2e32434fd296c459dcefb5c
      • Instruction Fuzzy Hash: 0BD1E130A007069FCB24CF5CC690AABB7B1FF6A314F14461ED4569B391D7B8AD42EB19
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID:
      • String ID: $ $ $"$-$Bold$Check$Expand$First$Icon$Invalid option.$Select$Sort$Vis$VisFirst
      • API String ID: 0-4153078325
      • Opcode ID: 409dfa62b03f2af5eea225dfceb1b8a1e8792664c7fbca484a50a8ab2b7889f3
      • Instruction ID: 11dea1e6a0651ca98e4b5e2f35eb358c2c671e9ef4c1683bb2d0d19eb3c6d498
      • Opcode Fuzzy Hash: 409dfa62b03f2af5eea225dfceb1b8a1e8792664c7fbca484a50a8ab2b7889f3
      • Instruction Fuzzy Hash: B6C105717083119BDB10DF65E801B6BBBF4AB94345F44082FF98497291E37CCA85CB9A
      APIs
      • GetWindowLongW.USER32(?,00000008), ref: 0040D168
      • EndDialog.USER32(?,00000002), ref: 0040D1BB
      • EndDialog.USER32(?,?), ref: 0040D1D6
      • SendMessageW.USER32(?,00000437,00000000,00000202), ref: 0040D26A
      • __alloca_probe_16.LIBCMT ref: 0040D279
      • SendMessageW.USER32(?,0000044B,00000000,00000202), ref: 0040D293
      • PostMessageW.USER32(?,00000028,00000001,00000000), ref: 0040D29F
      • GetWindowLongW.USER32(?,00000008), ref: 0040D2E2
      • GetWindowRect.USER32(?,000001F5), ref: 0040D31E
      • SendMessageW.USER32(?,000000B2,00000000,?), ref: 0040D330
      • GetSystemMetrics.USER32(00000001), ref: 0040D338
      • SendMessageW.USER32(?,00000460,00000001,00000001), ref: 0040D37A
      • GetWindowLongW.USER32(?,000000F0), ref: 0040D38E
      • SendMessageW.USER32(?,00000460,00000000,00000001), ref: 0040D3A5
      • GetSystemMetrics.USER32(00000003), ref: 0040D3AD
      • ScrollWindow.USER32(?,00000000,?,00000000,00000000), ref: 0040D3C3
      • MoveWindow.USER32(?,00000000,00000000,000001F5,?,00000001,?,000000B2,00000000,?,?,000001F5), ref: 0040D3E6
      • GetWindowRect.USER32(?,000001F5), ref: 0040D3ED
      • MoveWindow.USER32(?,000001F5,?,?,?,00000001,?,00000000,00000000,000001F5,?,00000001,?,000000B2,00000000,?), ref: 0040D418
        • Part of subcall function 00439E00: GetClassNameW.USER32(00000000,?,00000020), ref: 00439EA9
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: Window$Message$Send$Long$DialogMetricsMoveRectSystem$ClassNamePostScroll__alloca_probe_16
      • String ID: %M
      • API String ID: 502815767-78608726
      • Opcode ID: aa538aa493b92b2e4791d37e3222a67ea7f4c50d76a6760e17b1862935371221
      • Instruction ID: 7568a1aae6c06cc9da686762d501bbae527553f8c64a663b6dbf992e05cb5cd3
      • Opcode Fuzzy Hash: aa538aa493b92b2e4791d37e3222a67ea7f4c50d76a6760e17b1862935371221
      • Instruction Fuzzy Hash: C1A1A372A00109ABDB20DFA8DC45FAE77B8FB54711F00423AF905E72D0DB75A914CB99
      APIs
      • GetWindowRect.USER32(?,?), ref: 00463555
      • ScreenToClient.USER32(?,?), ref: 00463573
      • MulDiv.KERNEL32(?,00000060), ref: 0046359C
      • MulDiv.KERNEL32(?,00000060), ref: 004635BF
      • GetParent.USER32(?), ref: 004635CF
      • MapWindowPoints.USER32(?,00000000), ref: 004635D9
      • MulDiv.KERNEL32(?,00000060), ref: 00463607
      • MulDiv.KERNEL32(?,00000060), ref: 0046363A
      • MoveWindow.USER32(?,?,?,?,?,00000001), ref: 00463653
      • SendMessageW.USER32(?,00000421,00000001,00000000), ref: 00463685
      • SendMessageW.USER32(?,00000421,00000000,00000000), ref: 00463695
      • SendMessageW.USER32(?,00000420,00000001,00000000), ref: 004636A8
      • InvalidateRect.USER32(00000000,00000000,00000001), ref: 004636B5
      • SendMessageW.USER32(?,00000420,00000000,00000000), ref: 004636D2
      • InvalidateRect.USER32(00000000,00000000,00000001), ref: 004636D9
      • GetPropW.USER32(?,ahk_autosize), ref: 00463713
      • SetPropW.USER32(?,ahk_autosize,00000000), ref: 0046372D
      • RemovePropW.USER32(?,ahk_autosize), ref: 00463748
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: MessageSend$PropRectWindow$Invalidate$ClientMoveParentPointsRemoveScreen
      • String ID: ahk_autosize
      • API String ID: 691529775-1503521729
      • Opcode ID: 5db6ff55992dd3a8ac89a502145f84192b1c76132dfad1a566b83afe5ca70cc0
      • Instruction ID: bf541d5f33b7882b3f75d9cad1402dbef28ee51dccacae39e95b9d9c92c5acbc
      • Opcode Fuzzy Hash: 5db6ff55992dd3a8ac89a502145f84192b1c76132dfad1a566b83afe5ca70cc0
      • Instruction Fuzzy Hash: 8F513671244345BFEB209F29CC85F5BBBA8FB04711F00052AF601962A1D779ED91DBAA
      APIs
      • GetCursorInfo.USER32(?), ref: 00432171
      • LoadCursorW.USER32(00000000,00007F8A), ref: 004321B6
      • LoadCursorW.USER32(00000000,00007F00), ref: 004321C4
      • LoadCursorW.USER32(00000000,00007F03), ref: 004321D2
      • LoadCursorW.USER32(00000000,00007F8B), ref: 004321E0
      • LoadCursorW.USER32(00000000,00007F01), ref: 004321EE
      • LoadCursorW.USER32(00000000,00007F81), ref: 004321FC
      • LoadCursorW.USER32(00000000,00007F88), ref: 0043220A
      • LoadCursorW.USER32(00000000,00007F80), ref: 00432218
      • LoadCursorW.USER32(00000000,00007F86), ref: 00432226
      • LoadCursorW.USER32(00000000,00007F83), ref: 00432234
      • LoadCursorW.USER32(00000000,00007F85), ref: 00432242
      • LoadCursorW.USER32(00000000,00007F82), ref: 00432250
      • LoadCursorW.USER32(00000000,00007F84), ref: 0043225E
      • LoadCursorW.USER32(00000000,00007F04), ref: 0043226C
      • LoadCursorW.USER32(00000000,00007F02), ref: 0043227A
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: Cursor$Load$Info
      • String ID: Unknown
      • API String ID: 2577412497-1654365787
      • Opcode ID: 8541b789a29492f0716b9dd90ea3ac4b25cfcef369909756acb68664d4125fa1
      • Instruction ID: 89cc8d7ccd60a5d5934b4244bd68cb382c7bc7a54e5735d842b7cca727d42e21
      • Opcode Fuzzy Hash: 8541b789a29492f0716b9dd90ea3ac4b25cfcef369909756acb68664d4125fa1
      • Instruction Fuzzy Hash: F54152F0E48355AAEB109F25ED9AB173E90E745B10F004577E1089F2D2D7BEA411CF9A
      APIs
      • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 0046D802
      • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0046D85E
      • SendMessageW.USER32(?,0000133C,00000000,004E8C60), ref: 0046D8A0
      • SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 0046D915
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: MessageSend
      • String ID: %04d%02d%02d%02d%02d%02d$sc%03X
      • API String ID: 3850602802-2561627866
      • Opcode ID: 91e8d27b73b65aa6cec7860babb7b6ae831fca05c3ece5e3d4eca0bfaf37b8d5
      • Instruction ID: e24dabf94c6f53f30787e495c831b790ccf556a7dace2fc46a488198642b3d19
      • Opcode Fuzzy Hash: 91e8d27b73b65aa6cec7860babb7b6ae831fca05c3ece5e3d4eca0bfaf37b8d5
      • Instruction Fuzzy Hash: 8DF1C472600204ABD7209F5AEC45B6BB7E4FB89315F10426FFE48DB291E37AD850C7A5
      APIs
      • IsWindowVisible.USER32(?), ref: 004885F0
      • DwmGetWindowAttribute.DWMAPI(?,0000000E,?,00000004), ref: 00488610
      • GetModuleHandleW.KERNEL32(user32,IsHungAppWindow), ref: 004886E9
      • GetProcAddress.KERNEL32(00000000), ref: 004886F0
      • ShowWindow.USER32(?,0000000B,?,00000000,00000000,00000000,00000002,00001388,?), ref: 0048884F
      • ShowWindow.USER32(?,00000000), ref: 00488864
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: Window$Show$AddressAttributeHandleModuleProcVisible
      • String ID: IsHungAppWindow$user32
      • API String ID: 1136472909-934392274
      • Opcode ID: b556d9d80f5db52bf712ab0df542c3ebf68b01da483f6883b113afd5ebce9a5c
      • Instruction ID: e24f0b763eef4af3907c798c5475de5fe01f80e8cee79d5432505d4b90a1fc92
      • Opcode Fuzzy Hash: b556d9d80f5db52bf712ab0df542c3ebf68b01da483f6883b113afd5ebce9a5c
      • Instruction Fuzzy Hash: FB71BF71740302ABE720BB259C89B6B779CEB51751FA0493FF512E62D1EB38D805CB68
      APIs
      • SendMessageW.USER32 ref: 0040C97F
      • SendMessageW.USER32(?,000000C2,00000000,Call stack:), ref: 0040C98E
      • SendMessageW.USER32(?,00000444,00000001,?), ref: 0040C9A5
      • SendMessageW.USER32(?,?,?,00000434), ref: 0040CA0A
      • SendMessageW.USER32(?,000000C2,00000000,004CEEA8), ref: 0040CA1D
      • SendMessageW.USER32(?,00000437,00000000,?), ref: 0040CA50
      • SendMessageW.USER32(?,00000444,00000001,?), ref: 0040CA62
      • SendMessageW.USER32(?,00000437,00000000,?), ref: 0040CAB0
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: MessageSend
      • String ID: $!$!$.ahk ($Call stack:$Stack$\$\
      • API String ID: 3850602802-136706711
      • Opcode ID: fd86200883240d5eb1811a525546e1084029636a1eb139e83c9972dde3a85d0e
      • Instruction ID: f3c92e2dfd03ae6b0911d876c31d28139de6d3fb730bac4eb3da36b3a1ebc95c
      • Opcode Fuzzy Hash: fd86200883240d5eb1811a525546e1084029636a1eb139e83c9972dde3a85d0e
      • Instruction Fuzzy Hash: 565196B1604305ABD720DF54CC86F6BB7E8AF44704F00462EFA49A72D1D778E94987AA
      APIs
        • Part of subcall function 00486B00: EnumChildWindows.USER32 ref: 00486BB8
        • Part of subcall function 00486B00: EnumChildWindows.USER32(?,00486C10,00486C10), ref: 00486BDC
      • SendMessageTimeoutW.USER32(00000000,00000406,00000000,00000000,00000002,000007D0,?), ref: 00486919
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Similarity
      • API ID: ChildEnumWindows$MessageSendTimeout
      • String ID: No StatusBar.$msctls_statusbar321
      • API String ID: 1443548730-1591047504
      • Opcode ID: 26f0dda4fe693c94d10139cb19c6547b4c1858d414b79d8e67c3dec3e5ed5ddc
      • Instruction ID: 0e9c27a7224a7a64e9a8f5c0224bca09a2a71ca0316f8e7aa0934936286ad8f1
      • Opcode Fuzzy Hash: 26f0dda4fe693c94d10139cb19c6547b4c1858d414b79d8e67c3dec3e5ed5ddc
      • Instruction Fuzzy Hash: B351E432204305AFD761AB54DC45FAF73A8EF88704F04492FFA49E6290DA78E945CB5A
      APIs
      • GetSystemMenu.USER32(?,00000000), ref: 004556DC
      • GetMenu.USER32(?), ref: 004556FF
      • GetMenuItemCount.USER32(00000000), ref: 00455746
      • GetMenuItemID.USER32(00000000,-00000001), ref: 004557C0
      • GetSubMenu.USER32(00000000,-00000001), ref: 004557D3
      • GetMenuItemCount.USER32(00000000), ref: 004557E0
      • GetMenuStringW.USER32(00000000,00000000,?,000003FF,00000400), ref: 00455841
      • CompareStringW.KERNEL32(00000400,00000001,?,00000000,?,?), ref: 0045585B
      • CompareStringW.KERNEL32(00000400,00000001,?,?,?,?), ref: 004558D7
      • GetMenuItemID.USER32(?,00000000), ref: 004558FD
      • GetSubMenu.USER32(?,00000000), ref: 00455914
      • GetMenuItemCount.USER32(00000000), ref: 00455921
      • PostMessageW.USER32(?,?,FFFFFFFF,00000000), ref: 00455952
      Strings
      • Non-existent or unsupported menu., xrefs: 00455722
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Similarity
      • API ID: Menu$Item$CountString$Compare$MessagePostSystem
      • String ID: Non-existent or unsupported menu.
      • API String ID: 3443966472-3010222921
      • Opcode ID: e03300efe95af393319864e7021a7b8fd0504ce2769ac2afba81e7468ad2c495
      • Instruction ID: ebe3f4173c66ad55939e8b3b2cb4e03b213717f72e681f3d8435bdbb2a14fae8
      • Opcode Fuzzy Hash: e03300efe95af393319864e7021a7b8fd0504ce2769ac2afba81e7468ad2c495
      • Instruction Fuzzy Hash: 6CB1BE716087019FC720DF65C890B6BB7E4FF88315F444A2EF98993291EB389909CB96
      APIs
      • GetForegroundWindow.USER32(?,00000000,?,00000000,004B6E40,000000FF,?,00439E5B,004CEEA8,004CEEA8), ref: 004861DC
      • IsWindowVisible.USER32(00000000), ref: 004861F2
      • DwmGetWindowAttribute.DWMAPI(00000000,0000000E,?,00000004), ref: 0048620C
      • IsWindow.USER32(?), ref: 0048632E
      • IsWindowVisible.USER32(?), ref: 0048634C
      • DwmGetWindowAttribute.DWMAPI(?,0000000E,?,00000004,?,00000000), ref: 00486366
      • GetWindowLongW.USER32(?,000000F0), ref: 0048637E
      • GetWindowTextW.USER32(?,?,00007FFF), ref: 004863DE
      • GetWindowThreadProcessId.USER32(?,?), ref: 0048640B
      • GetWindowThreadProcessId.USER32(?,?), ref: 00486420
      • GetClassNameW.USER32(?,?,00000101), ref: 00486464
      • EnumWindows.USER32(00486580,?), ref: 004864AA
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Similarity
      • API ID: Window$AttributeProcessThreadVisible$ClassEnumForegroundLongNameTextWindows
      • String ID:
      • API String ID: 2511573056-3916222277
      • Opcode ID: 02d410a51b3cc2ad26bd4e3b34a0e397cc2fa1f6cd0f24bf28580e425c5e174c
      • Instruction ID: f74cea9949ce63614d9224e9f2c6abbde9af2974cef9b84a688374c45380cb87
      • Opcode Fuzzy Hash: 02d410a51b3cc2ad26bd4e3b34a0e397cc2fa1f6cd0f24bf28580e425c5e174c
      • Instruction Fuzzy Hash: 5A91A6B19002699BEB61AF50DC84BEEB7B8EF01704F0545DBE948A7290D7B859C4CF9C
      APIs
      • IsClipboardFormatAvailable.USER32(0000000D), ref: 0040656E
      • IsClipboardFormatAvailable.USER32(0000000F), ref: 00406574
        • Part of subcall function 00406C20: GetClipboardFormatNameW.USER32(?,00000104,00000104,?,75A788A0), ref: 00406C5C
      • GlobalUnlock.KERNEL32(00000000), ref: 004065E6
      • CloseClipboard.USER32 ref: 004065F6
      • GlobalLock.KERNEL32(00000000), ref: 0040661C
      • DragQueryFileW.SHELL32(00000000,000000FF,004CEEA8,00000000), ref: 00406677
      • DragQueryFileW.SHELL32(00000000,00000000,00000000), ref: 0040669D
      • DragQueryFileW.SHELL32(000000FF,004CEEA8,00000000), ref: 00406713
      • DragQueryFileW.SHELL32(00000000,?,000003E7), ref: 00406732
      • GlobalUnlock.KERNEL32 ref: 00406768
      • CloseClipboard.USER32 ref: 00406778
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Similarity
      • API ID: Clipboard$DragFileQuery$FormatGlobal$AvailableCloseUnlock$LockName
      • String ID: Can't open clipboard for reading.$GlobalLock
      • API String ID: 1541606931-2469064134
      • Opcode ID: 3b3da96fa7056b288760945b092492b5b14ea54a7644e1c87c43575529379b8d
      • Instruction ID: d130ded2c03c8f4d1f1b4666c7d658fa2f7b66e08c2b94c4cdca531645071523
      • Opcode Fuzzy Hash: 3b3da96fa7056b288760945b092492b5b14ea54a7644e1c87c43575529379b8d
      • Instruction Fuzzy Hash: 63511A3121020287DB209F74ECC4B2677A4EB91365F1A063BED16AB3E1DF76A871C65D
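      The numeric arguments in these "APIs" listings (0000000D, 0000000F, 00001024 and so on) are opaque until they are mapped back to the Windows SDK constants they encode. The block below is an added example, not part of the Joe Sandbox report and not code from the AutoHotkey runtime being analysed: it parses the report's "APIs" lines (including the "Part of subcall function" form) into structured calls and annotates the argument values whose meaning is fixed by the SDK headers, so the call sequence of an entry can be read as behaviour. The sample input is copied from the clipboard entry directly above plus three lines from other entries on this page; the constant table is an assumption limited to the values that occur here and would be extended for other entries.

```python
"""Annotate the "APIs" lines of a Joe Sandbox function listing.

Each line names an imported API, its module, the argument values the static
analysis could recover (8 hex digits, a literal, or "?" when unknown) and the
address of the call site.  KNOWN maps (API, argument index) to the SDK names
of the values seen on this page; anything not listed is printed as hex.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union

Arg = Union[int, str]

# Matches, for example:
#   • IsClipboardFormatAvailable.USER32(0000000D), ref: 0040656E
#   • SendMessageW.USER32 ref: 0040C97F                      (no recovered args)
#   • Part of subcall function 00486B00: EnumChildWindows.USER32(?,00486C10,00486C10), ref: 00486BDC
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# (API name, zero-based argument index) -> value -> symbolic name.
# Assumption: only values whose meaning is fixed by the SDK headers are listed.
KNOWN: Dict[Tuple[str, int], Dict[int, str]] = {
    ("IsClipboardFormatAvailable", 0): {0x0D: "CF_UNICODETEXT", 0x0F: "CF_HDROP"},
    ("DwmGetWindowAttribute", 1): {0x0E: "DWMWA_CLOAKED"},
    ("SendMessageW", 1): {
        0x30: "WM_SETFONT", 0x31: "WM_GETFONT", 0xC2: "EM_REPLACESEL",
        0x437: "EM_EXSETSEL", 0x444: "EM_SETCHARFORMAT",
        0x1024: "LVM_SETTEXTCOLOR", 0x110A: "TVM_GETNEXTITEM",
    },
    ("SendMessageTimeoutW", 1): {0x406: "SB_GETPARTS"},
    ("PostMessageW", 1): {0x101: "WM_KEYUP"},
    ("Shell_NotifyIconW", 0): {0: "NIM_ADD", 1: "NIM_MODIFY", 2: "NIM_DELETE"},
    ("GetSystemMetrics", 0): {12: "SM_CYICON", 50: "SM_CYSMICON"},
    ("GetSysColor", 0): {5: "COLOR_WINDOW"},
}


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Arg]          # int for recovered values, "?" or a literal otherwise
    ref: int                 # address of the call site
    subcall: Optional[int]   # callee address when the line is "Part of subcall"

    def annotated_args(self) -> List[str]:
        """Render args, replacing known numeric constants by their SDK name."""
        out = []
        for i, a in enumerate(self.args):
            name = KNOWN.get((self.api, i), {}).get(a) if isinstance(a, int) else None
            out.append(name or (f"0x{a:X}" if isinstance(a, int) else a))
        return out


def _parse_arg(tok: str) -> Arg:
    tok = tok.strip()
    if tok == "?":
        return "?"
    if re.fullmatch(r"-?[0-9A-Fa-f]{8}", tok):
        return int(tok, 16)        # "-00000001" -> -1
    return tok                     # literal recovered by the plugin, e.g. "atl"


def parse_api_line(line: str) -> Optional[ApiCall]:
    m = API_LINE.match(line)
    if not m:
        return None
    raw = m.group("args")
    args = [_parse_arg(t) for t in raw.split(",")] if raw else []
    sub = m.group("sub")
    return ApiCall(m.group("api"), m.group("module"), args,
                   int(m.group("ref"), 16), int(sub, 16) if sub else None)


def parse_listing(text: str) -> List[ApiCall]:
    """Parse every recognisable API line; other report lines are skipped."""
    return [c for c in (parse_api_line(l) for l in text.splitlines()) if c]


def render(calls: List[ApiCall]) -> List[str]:
    return [f"{c.ref:08X} {c.api}({', '.join(c.annotated_args())})" for c in calls]


# Lines copied from this report: the clipboard entry, then one line each from
# the GuiControl, tray-icon and menu entries on this page.
SAMPLE = """\
• IsClipboardFormatAvailable.USER32(0000000D), ref: 0040656E
• IsClipboardFormatAvailable.USER32(0000000F), ref: 00406574
  • Part of subcall function 00406C20: GetClipboardFormatNameW.USER32(?,00000104,00000104,?,75A788A0), ref: 00406C5C
• GlobalUnlock.KERNEL32(00000000), ref: 004065E6
• CloseClipboard.USER32 ref: 004065F6
• GlobalLock.KERNEL32(00000000), ref: 0040661C
• DragQueryFileW.SHELL32(00000000,000000FF,004CEEA8,00000000), ref: 00406677
• DragQueryFileW.SHELL32(00000000,00000000,00000000), ref: 0040669D
• DragQueryFileW.SHELL32(000000FF,004CEEA8,00000000), ref: 00406713
• DragQueryFileW.SHELL32(00000000,?,000003E7), ref: 00406732
• GlobalUnlock.KERNEL32 ref: 00406768
• CloseClipboard.USER32 ref: 00406778
• SendMessageW.USER32(?,00001024,00000000,?), ref: 00463895
• Shell_NotifyIconW.SHELL32(00000002,004EA1B5), ref: 004312CA
• GetMenuItemID.USER32(00000000,-00000001), ref: 004557C0
"""

if __name__ == "__main__":
    for line in render(parse_listing(SAMPLE)):
        print(line)
```

      Resolved this way, the clipboard entry reads as a check for CF_UNICODETEXT or CF_HDROP, a GlobalLock of the returned handle, enumeration of any dropped file list with DragQueryFileW and a CloseClipboard on both paths, which is the shape of a generic clipboard read rather than of any one targeted format. Keep the constant table keyed by argument position, because the same value means different things in different parameters (0x0D is CF_UNICODETEXT only as a clipboard format).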
      APIs
      • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00463813
      • GetObjectW.GDI32(00000000,0000005C,?), ref: 00463824
      • SendMessageW.USER32(?,00000030,?,00000000), ref: 0046386C
      • SendMessageW.USER32(?,00001024,00000000,?), ref: 00463895
      • GetWindowRect.USER32(?,?), ref: 0046390D
      • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 00463923
      • InvalidateRect.USER32(?,?,00000001), ref: 00463933
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Similarity
      • API ID: MessageSend$RectWindow$InvalidateObjectPoints
      • String ID: Not supported for this control type.
      • API String ID: 212607952-38435632
      • Opcode ID: a48687ca4a3252f7b79c003a53b50c94bb60ed3a67a2268e368d1d4ec0559247
      • Instruction ID: 36758e24100d8b1daa654ce476233083468f0a47a57f5a96747b52e06d959d90
      • Opcode Fuzzy Hash: a48687ca4a3252f7b79c003a53b50c94bb60ed3a67a2268e368d1d4ec0559247
      • Instruction Fuzzy Hash: 6E511671604345AFE7209F15DC41FA6BBA4FB54722F00022BFA909B2D0E7B4AD55CB9A
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Similarity
      • API ID:
      • String ID: 0$EndKey$Match$Max$Stopped$Timeout$sc%03X
      • API String ID: 0-114367031
      • Opcode ID: b961b46b255075b3700852dfb567461d77006195b94b95fb6bd4e11e1d8445ee
      • Instruction ID: 8f05df6f2be313436a0ac657e3e323756e78251cc29225ab4969ab753740adbb
      • Opcode Fuzzy Hash: b961b46b255075b3700852dfb567461d77006195b94b95fb6bd4e11e1d8445ee
      • Instruction Fuzzy Hash: 05412A366102A06BC720AB64BC40BAB77A8EF95310F84442BFE84CB351E72ED559C36D
      APIs
      • LoadLibraryW.KERNEL32(atl), ref: 0046861E
      • GetProcAddress.KERNEL32(00000000,AtlAxWinInit), ref: 00468632
      • FreeLibrary.KERNEL32(?), ref: 00468657
      • CreateWindowExW.USER32(?,AtlAxWin,?,?,?,?,?,?,?,?,00000000), ref: 00468699
      • GetModuleHandleW.KERNEL32(atl), ref: 004686BC
      • GetProcAddress.KERNEL32(00000000,AtlAxGetControl), ref: 004686CC
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Similarity
      • API ID: AddressLibraryProc$CreateFreeHandleLoadModuleWindow
      • String ID: AtlAxGetControl$AtlAxWin$AtlAxWinInit$Can't create control.$atl
      • API String ID: 902081544-2945516663
      • Opcode ID: 204763a44f8b02e7ce55d73578c625c7a2836a223bc224184f91273ae61a3017
      • Instruction ID: 60481000517a0c14c0943221c1f4e7f2f984bac44fd30597b1409c06f570694f
      • Opcode Fuzzy Hash: 204763a44f8b02e7ce55d73578c625c7a2836a223bc224184f91273ae61a3017
      • Instruction Fuzzy Hash: 30519870205341EFDB109F66DC44B2A7BE4BF88708F14462EF1459B2A1EB79E821CB5B
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Similarity
      • API ID: ErrorLast$Window
      • String ID: Abort$Cancel$Continue$Ignore$Retry$The maximum number of MsgBoxes has been reached.$Timeout$TryAgain$Yes$hOM
      • API String ID: 4186876087-608990978
      • Opcode ID: 279104bb806ba282a7ecf42e37dbedd291ea8c08706bba3f0d1658e5be3237a9
      • Instruction ID: d8fd5013a0da04903e6cd33ce77554bd8f8b42592ea14c8c81607794161b7821
      • Opcode Fuzzy Hash: 279104bb806ba282a7ecf42e37dbedd291ea8c08706bba3f0d1658e5be3237a9
      • Instruction Fuzzy Hash: A2416E717041098FDB14CF18F85176933E4EB85315F0146AAFD0DDB791EB3A9C208BAA
      APIs
      • DestroyWindow.USER32(?,00000000,00000000,?,?,?,?,?,?,80000000,?,?,?,00000000), ref: 00466FA1
      • CreateWindowExW.USER32(?,SysTabControl32,004CEEA8,?,?,?,?,?,?,?,00000000), ref: 004684CF
      • CreateDialogIndirectParamW.USER32(?,?,?,?,?), ref: 00468529
      • SetPropW.USER32(?,ahk_dlg,00000000), ref: 00468544
      • DestroyWindow.USER32(?,?,?,?,?,?,Function_00070DC0,00000000), ref: 00468552
      • EnableThemeDialogTexture.UXTHEME(?,00000006,?,?,?,?,?,Function_00070DC0,00000000), ref: 00468575
      • SetPropW.USER32(?,ahk_autosize,?), ref: 004685D3
      • SelectObject.GDI32(?,?), ref: 00468884
      • ReleaseDC.USER32(00000000,?), ref: 00468896
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Similarity
      • API ID: Window$CreateDestroyDialogProp$EnableIndirectObjectParamReleaseSelectTextureTheme
      • String ID: Can't create control.$SysTabControl32$ahk_autosize$ahk_dlg
      • API String ID: 206808241-2655182061
      • Opcode ID: 5043787770bd00012de855a406a567241881904f627dbe69f10279fcc239db13
      • Instruction ID: 7b6fb9a4934f10919cc1427035eec8629cdf25f426191dc068b1f03c02351fde
      • Opcode Fuzzy Hash: 5043787770bd00012de855a406a567241881904f627dbe69f10279fcc239db13
      • Instruction Fuzzy Hash: BE517B70208381EFDB219F11CC08F6BBBB5BF98704F140A2EF485962A1DB79D851DB5A
      APIs
      • CreateWindowExW.USER32(?,SysListView32,004CEEA8,?,?,?,?,?,?,?,00000000), ref: 00467455
      • GetSysColor.USER32(00000005), ref: 00467570
      • GetDC.USER32(?), ref: 00467603
      • SelectObject.GDI32(00000000,?), ref: 00467626
      • GetTextMetricsW.GDI32(?,?), ref: 0046763D
      • GetSystemMetrics.USER32(0000000C), ref: 00467698
      • GetSystemMetrics.USER32(00000032), ref: 004676D4
      • SelectObject.GDI32(?,?), ref: 00468884
      • ReleaseDC.USER32(00000000,?), ref: 00468896
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Similarity
      • API ID: Metrics$ObjectSelectSystem$ColorCreateReleaseTextWindow
      • String ID: Can't create control.$SysListView32
      • API String ID: 32085313-2372549606
      • Opcode ID: 69ab2990be5bccff37060b9b9df2a2e2e924c1661d58926ed7f06a66b81fdd40
      • Instruction ID: 39f5f286e50787921391bf45b10fa15ec90e378e391f230843a24a962e9bc128
      • Opcode Fuzzy Hash: 69ab2990be5bccff37060b9b9df2a2e2e924c1661d58926ed7f06a66b81fdd40
      • Instruction Fuzzy Hash: 2EB1D030608345AFE7218F25CC45F2ABBA5FF58704F10472EF145A62E1EB75E891CB4A
      APIs
      • SendMessageW.USER32(?,0000110A,00000000,00000000), ref: 004237E1
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Similarity
      • API ID: MessageSend
      • String ID:
      • API String ID: 3850602802-0
      • Opcode ID: ee0f1777125465c3718b097ca6fbd3e3cae955763afb5b1553f2e1f36a12bd68
      • Instruction ID: d66e0f49386b788646bf7a0e1027345b3701fdf93207121a1dd10f4e0fbd0f58
      • Opcode Fuzzy Hash: ee0f1777125465c3718b097ca6fbd3e3cae955763afb5b1553f2e1f36a12bd68
      • Instruction Fuzzy Hash: 8C513C72B4033266D33259297C81FA776E9AFD5F62F850026FE49AF3C0D59CDE4081A9
      APIs
      • Shell_NotifyIconW.SHELL32(00000002,004EA1B5), ref: 004312CA
      • Shell_NotifyIconW.SHELL32(00000001,004EA1B5), ref: 004313EC
      • Shell_NotifyIconW.SHELL32(00000000,004EA1B5), ref: 004313F8
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Similarity
      • API ID: IconNotifyShell_
      • String ID: GetDpiForWindow$Shell_TrayWnd$user32.dll
      • API String ID: 1144537725-3718927445
      • Opcode ID: 51383a5739675138e93fb121af5efbbc3da8845e2e1bf99cf8412e12bc673230
      • Instruction ID: 05310c6cba60a806e1e38d2f4114be4e456b1e814a8187e13ec5c4bfedc29b46
      • Opcode Fuzzy Hash: 51383a5739675138e93fb121af5efbbc3da8845e2e1bf99cf8412e12bc673230
      • Instruction Fuzzy Hash: A331B2706003919FEB108B61AC88B673BA9FB19345F18517AEC418A2B3EB785C55CB6D
      APIs
      • GetWindowTextW.USER32(?,?,00007FFF), ref: 00487427
      • GetWindowThreadProcessId.USER32(?,?), ref: 00487448
      • GetWindowThreadProcessId.USER32(?,?), ref: 00487458
      • GetClassNameW.USER32(?,?,00000101), ref: 00487497
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Similarity
      • API ID: Window$ProcessThread$ClassNameText
      • String ID: $ahk_$class$exe$group$pid
      • API String ID: 3420357866-2018379176
      • Opcode ID: 7b65c35903ad3e8d784216625ff71edc46f67f05f79ac2e47f45dfb21737dcfb
      • Instruction ID: cdf84b900d97dd446068128ff9040effdf638efb30a4b7e772fd66fc9dd22b75
      • Opcode Fuzzy Hash: 7b65c35903ad3e8d784216625ff71edc46f67f05f79ac2e47f45dfb21737dcfb
      • Instruction Fuzzy Hash: 84D1CE716083029BC711EF25C8A472EBBE4BF84304F24492FEC4897741E779E956DB9A
      APIs
      • CheckMenuItem.USER32(?,0000FF19,00000000), ref: 004733AA
      • CheckMenuItem.USER32(?,0000FF1A,00000000), ref: 004733C2
      • GetCursorPos.USER32(00000001), ref: 004733DF
      • GetForegroundWindow.USER32 ref: 00473430
      • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0047343F
      • PostMessageW.USER32(00000000,00000101,00000000,00000000), ref: 00473485
      • TrackPopupMenuEx.USER32(?,00000000,?,?,00000000), ref: 004734CB
      • PostMessageW.USER32(00000000,00000000,00000000), ref: 004734EF
      • GetForegroundWindow.USER32 ref: 004734FF
      • SetForegroundWindow.USER32(00000000), ref: 0047350E
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Similarity
      • API ID: Window$ForegroundMenu$CheckItemMessagePost$CursorPopupProcessThreadTrack
      • String ID: Invalid menu type.
      • API String ID: 1816529542-643304128
      • Opcode ID: cd512095a1824ab55a78c7d098a69c4d53b64bb82a49c333ecdcca9b323003b9
      • Instruction ID: e8c04e4a100c09ab8e710976d2fa20330249628cc26dd5d2ec4f8389cff99764
      • Opcode Fuzzy Hash: cd512095a1824ab55a78c7d098a69c4d53b64bb82a49c333ecdcca9b323003b9
      • Instruction Fuzzy Hash: BB512631640241AFDB20DF24EC85B9A7790EB50716F14423FF8459B2D2CBB9AC54DB9D
      APIs
      • ActivateKeyboardLayout.USER32(00000000,00000000,?), ref: 0041C7FD
      • GetKeyboardLayoutNameW.USER32(?), ref: 0041C828
      • LoadLibraryW.KERNEL32(?), ref: 0041C85E
      • ActivateKeyboardLayout.USER32(?,00000000), ref: 0041C884
      • GetProcAddress.KERNEL32(00000000,KbdLayerDescriptor), ref: 0041C894
      • GetCurrentProcess.KERNEL32(?), ref: 0041C8A7
      • IsWow64Process.KERNEL32(00000000), ref: 0041C8AE
      • FreeLibrary.KERNEL32(00000000), ref: 0041C8D0
      Strings
      • Layout File, xrefs: 0041C841
      • KbdLayerDescriptor, xrefs: 0041C88E
      • SYSTEM\CurrentControlSet\Control\Keyboard Layouts\, xrefs: 0041C81A
      Similarity
      • API ID: KeyboardLayout$ActivateLibraryProcess$AddressCurrentFreeLoadNameProcWow64
      • String ID: KbdLayerDescriptor$Layout File$SYSTEM\CurrentControlSet\Control\Keyboard Layouts\
      • API String ID: 1788590160-320908820
      • Opcode ID: b96721216124ed74d90c58ea9c7bdb2f036a1e28987edcc4d0c03214d8456a92
      • Instruction ID: 4ddbbd29eff02969087c1e1531f170625234a79f6e56aa00b394a53cffb5da8a
      • Opcode Fuzzy Hash: b96721216124ed74d90c58ea9c7bdb2f036a1e28987edcc4d0c03214d8456a92
      • Instruction Fuzzy Hash: 6831A1756803049BD720AF29ECC8BBB77ACFB44345F44493EE805C2251EB78D845CBAA
      APIs
      • GetModuleHandleW.KERNEL32(user32.dll,GetDpiForWindow,?,?,?,?), ref: 00439816
      • GetProcAddress.KERNEL32(00000000), ref: 0043981D
      • GetSystemMetrics.USER32(00000031), ref: 0043982A
      • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00439842
      • MulDiv.KERNEL32(00000000,00000000), ref: 00439857
      • LoadImageW.USER32(0000009F,00000001,00000000,00000000,00008000), ref: 0043986F
      • Shell_NotifyIconW.SHELL32(00000001,004E9CAB), ref: 0043988A
      • Shell_NotifyIconW.SHELL32(00000000,004E9CAB), ref: 00439892
      Strings
      Similarity
      • API ID: IconNotifyShell_$AddressFindHandleImageLoadMetricsModuleProcSystemWindow
      • String ID: GetDpiForWindow$Shell_TrayWnd$user32.dll
      • API String ID: 2322492689-3718927445
      • Opcode ID: 7d3846748fec0fe91850bc89a76319138ade5cbf80daf569943b20d80d944f50
      • Instruction ID: 451804a06903d1f3f97ba6b5bf9e4324ced847c354ada5e0bce043cc77fc3641
      • Opcode Fuzzy Hash: 7d3846748fec0fe91850bc89a76319138ade5cbf80daf569943b20d80d944f50
      • Instruction Fuzzy Hash: 1D3109705143819FEB215B749C88BA73FA9FB4A350F08153AE4858A392DBB95C41CBAD
      APIs
      • GetClassLongW.USER32(?,000000E0), ref: 0046E8C7
      • GetWindowLongW.USER32(?,000000EB), ref: 0046E8E3
      • FillRect.USER32(?,?,?), ref: 0046E944
      • SetBkColor.GDI32(?,?), ref: 0046E950
      • GetClassLongW.USER32(?,000000F6), ref: 0046E95D
      • FillRect.USER32(?,?,00000000), ref: 0046E96A
      • SetTextColor.GDI32(?,?), ref: 0046E9AB
      • SendMessageW.USER32(?,0000133C,?,00000001), ref: 0046E9D3
      • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0046E9E9
      • DrawTextW.USER32(?,?,?,?,00000025), ref: 0046EA2C
      • SetTextColor.GDI32(?,?), ref: 0046EA48
      • DefDlgProcW.USER32(?,?,?,?), ref: 0046F790
      • GetTickCount.KERNEL32 ref: 0046F7C6
      • PostMessageW.USER32(?,?,?,?), ref: 0046F802
      Similarity
      • API ID: ColorLongMessageText$ClassFillRectSend$CountDrawPostProcTickWindow
      • String ID:
      • API String ID: 573537745-0
      • Opcode ID: e683335b80c38f2168b5e42bb4423edb6f68835a663d464b9db9e38554639998
      • Instruction ID: c52f5cb4be4a24f5016a3605563e9198b2e020d09c898f831ca4fa141b547900
      • Opcode Fuzzy Hash: e683335b80c38f2168b5e42bb4423edb6f68835a663d464b9db9e38554639998
      • Instruction Fuzzy Hash: F1518274104201AFD724DF14DC8496BBBF9FF88310F108A2EF952862A0EB31E949CF56
      Strings
      Similarity
      • API ID: LongWindow
      • String ID: 0$AutoHotkey v2.0.18$AutoHotkeyGUI$Invalid usage.
      • API String ID: 1378638983-2907542111
      • Opcode ID: 2e9b3076558c5984f0d707d4c5c17edc17289a94959f5f627ecf0e6c97a6a660
      • Instruction ID: 1eae6f07c73f11d64c3d481bea2a3bbb6f5dd480677791cb24994aa6dda5ed07
      • Opcode Fuzzy Hash: 2e9b3076558c5984f0d707d4c5c17edc17289a94959f5f627ecf0e6c97a6a660
      • Instruction Fuzzy Hash: F771AF71600305AFD720CF1AEC84B56B7E4FB94314F14422FE9099B3A0EB79E854CB9A
      APIs
      • GetForegroundWindow.USER32(?,?,00000001), ref: 0044D150
      • GetWindowTextW.USER32(00000000,?,00000064), ref: 0044D165
      Strings
      • Window: %sKeybd hook: %sMouse hook: %sEnabled Timers: %u of %u (%s)Interrupted threads: %d%sPaused threads: %d of %d (%d, xrefs: 0044D2DE
      • , xrefs: 0044D229
      • Press [F5] to refresh., xrefs: 0044D31D, 0044D336
      • Key History has been disabled via KeyHistory(0)., xrefs: 0044D32E
      • ..., xrefs: 0044D213
      • (preempted: they will resume when the current thread finishes), xrefs: 0044D299, 0044D2AD
      • %s , xrefs: 0044D1BF
      • yes, xrefs: 0044D2B3
      Similarity
      • API ID: Window$ForegroundText
      • String ID: Key History has been disabled via KeyHistory(0).$Press [F5] to refresh.$ $ (preempted: they will resume when the current thread finishes)$%s $...$Window: %sKeybd hook: %sMouse hook: %sEnabled Timers: %u of %u (%s)Interrupted threads: %d%sPaused threads: %d of %d (%d$yes
      • API String ID: 29597999-1471948537
      • Opcode ID: 8703baa439b32d7fe7299b392c9f01fc30f8286a2f4633e077726c78b249a3e2
      • Instruction ID: 756001d621cceebe8947b921ead1fafb309372b08887b985200b27923cbb64be
      • Opcode Fuzzy Hash: 8703baa439b32d7fe7299b392c9f01fc30f8286a2f4633e077726c78b249a3e2
      • Instruction Fuzzy Hash: CA51E331A00340AFE7249F28DC45BBB77A9AF84300F55496EE845DB291DBB8AD05C79A
      APIs
      • SendMessageW.USER32(00000000,00000172,00000002,00000000), ref: 0046C4B7
      • DestroyIcon.USER32(00000000), ref: 0046C4BA
      • SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 0046C4CA
      • DeleteObject.GDI32(00000000), ref: 0046C4CD
      • DestroyIcon.USER32(00000000), ref: 0046C502
      • GetWindowLongW.USER32(00000000,000000F0), ref: 0046C512
      • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 0046C53C
      • SendMessageW.USER32(00000000,00000172,?,00000000), ref: 0046C54E
      • SendMessageW.USER32(00000000,00000173,?,00000000), ref: 0046C55B
      • DeleteObject.GDI32(00000000), ref: 0046C56F
      • DestroyIcon.USER32(00000000), ref: 0046C577
      Similarity
      • API ID: MessageSend$DestroyIcon$DeleteLongObjectWindow
      • String ID:
      • API String ID: 3469878039-0
      • Opcode ID: 7529c5fe24bcb18728b6e827fe88fc1579279c66c4d8eb09f0762ab28904cbd3
      • Instruction ID: 2ff9a62daecae7d33f217d6db535b4c16ae7914477b3858a4f72b1c359d5a86b
      • Opcode Fuzzy Hash: 7529c5fe24bcb18728b6e827fe88fc1579279c66c4d8eb09f0762ab28904cbd3
      • Instruction Fuzzy Hash: 6E4125322447106BCB209F658CC4B7BBBBAEB90310F40492FF1C282A91DA75F845DB5A
      APIs
      • CharLowerW.USER32(?,?,00000000), ref: 004113D4
      • CharLowerW.USER32(00000000), ref: 004113E0
      • IsCharAlphaNumericW.USER32(?,?,00000000), ref: 0041141B
      • GetStringTypeExW.KERNEL32(00000400,00000004,?,00000001,?), ref: 00411438
      • IsCharLowerW.USER32(?,?,00000000), ref: 00411505
      • IsCharUpperW.USER32(00000000), ref: 00411513
      • IsCharUpperW.USER32(00000000), ref: 0041152D
      • IsCharLowerW.USER32(?), ref: 00411587
      Strings
      Similarity
      • API ID: Char$Lower$Upper$AlphaNumericStringType
      • String ID: -()[]{}:;'"/\,.?!
      • API String ID: 1964238978-2658396598
      • Opcode ID: dcf861d41af5a0e9eafbe96699a9e77c0233da371a453a8eab0d181da38208ab
      • Instruction ID: 5151fa43a67741797bef46d461653559b532a69fcf6efbbcde207db5f3a10e9e
      • Opcode Fuzzy Hash: dcf861d41af5a0e9eafbe96699a9e77c0233da371a453a8eab0d181da38208ab
      • Instruction Fuzzy Hash: 76C111355042909BCB60CF25D9807EA77E2AB99744F05012FE989973A1EB39CC85CB5D
      APIs
      Strings
      • AutoHotkey v2.0.18, xrefs: 0045769B
      • Select Folder - %s, xrefs: 004576A1
      • The maximum number of Folder Dialogs has been reached., xrefs: 004574E5
      Similarity
      • API ID: DesktopFolderMallocWindow
      • String ID: AutoHotkey v2.0.18$Select Folder - %s$The maximum number of Folder Dialogs has been reached.
      • API String ID: 2132918566-2473082017
      • Opcode ID: 12d6af04ba09a6bc3e83a49b362c6cebca4942750b6131827aab9af15f5028eb
      • Instruction ID: 05da8a464710cbdc80ba38b2564279e81577480aaa8c3f04afb8f5293cc9b7b0
      • Opcode Fuzzy Hash: 12d6af04ba09a6bc3e83a49b362c6cebca4942750b6131827aab9af15f5028eb
      • Instruction Fuzzy Hash: AC81AF75608345AFD710CF24D844BAB77E8EF84355F14892EF849CB292EB38D948CB5A
      APIs
      • CreateWindowExW.USER32(?,ListBox,004CEEA8,?,?,?,?,?,?,?,00000000), ref: 004672DC
      • MulDiv.KERNEL32(00000008,00000060), ref: 00467344
      • GetSystemMetrics.USER32(00000003), ref: 00467365
      • MulDiv.KERNEL32(00000008,00000060), ref: 004673AA
      • GetSystemMetrics.USER32(00000003), ref: 004673DC
      • SelectObject.GDI32(?,?), ref: 00468884
      • ReleaseDC.USER32(00000000,?), ref: 00468896
      Strings
      Similarity
      • API ID: MetricsSystem$CreateObjectReleaseSelectWindow
      • String ID: Can't create control.$ListBox
      • API String ID: 2054001118-3135675284
      • Opcode ID: 9b7ebab5ff372eb3bea0c4098e8fed30e61db213f5b734924b07931dbdf35fa1
      • Instruction ID: 9b9c339a444462e7ca9ffee0e1b0a66f5b61fd46c64c88a421555e228daea755
      • Opcode Fuzzy Hash: 9b7ebab5ff372eb3bea0c4098e8fed30e61db213f5b734924b07931dbdf35fa1
      • Instruction Fuzzy Hash: BE516A30208340EFD7218F55CC54F2BBBB2BF98704F044A2EF285962A1EB759950DB5B
      APIs
      • GetWindowThreadProcessId.USER32(?,00000000), ref: 0043533D
      • GetModuleHandleW.KERNEL32(user32,IsHungAppWindow), ref: 00435376
      • GetProcAddress.KERNEL32(00000000), ref: 0043537D
      • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 004353AB
      • AttachThreadInput.USER32(00001948,00000000,00000001), ref: 004353C4
      • SetFocus.USER32(?), ref: 004353D3
      • AttachThreadInput.USER32(00000000,00000000), ref: 004353FD
      Strings
      Similarity
      • API ID: Thread$AttachInput$AddressFocusHandleMessageModuleProcProcessSendTimeoutWindow
      • String ID: IsHungAppWindow$user32
      • API String ID: 204136022-934392274
      • Opcode ID: a831bf6f873ed19159aa24f9bfdf8c31fa20cd686af726b3029c2d7df1307223
      • Instruction ID: 65bc606bf6a0db72c27f7d8b92a4baffd6b1108dcde563e94f9b104caf59c77e
      • Opcode Fuzzy Hash: a831bf6f873ed19159aa24f9bfdf8c31fa20cd686af726b3029c2d7df1307223
      • Instruction Fuzzy Hash: B221F530780701BBC7209B25EC85F9B3769EB89751F10562AF802DB2E1DBB99C41CB9C
      Strings
      Similarity
      • API ID:
      • String ID: CLSID$Class$IID$Name
      • API String ID: 0-2779911541
      • Opcode ID: 9f2707af12343ca094fea5a15a26a116f3408efcfd7c1321280888ac9fda0157
      • Instruction ID: b35046dfe050e30f40f52a776bfa46862453b5ef42ec2f1e877e3f2cdaecb083
      • Opcode Fuzzy Hash: 9f2707af12343ca094fea5a15a26a116f3408efcfd7c1321280888ac9fda0157
      • Instruction Fuzzy Hash: D5A1CE71604201DFDB10DF55D844B2AB7E4EF84326F04846EED499B382E739EC09CBAA
      Strings
      Similarity
      • API ID:
      • String ID: tcp$udp
      • API String ID: 0-3725065008
      • Opcode ID: 91bf14d277596e8baadffb6b490f8037bf50b34dfb0298623c8e5a64050ff2f3
      • Instruction ID: e6f98cefef312c891d44db0deaa15c5af77df797dc2c9cc2cf9e5466317ceb3b
      • Opcode Fuzzy Hash: 91bf14d277596e8baadffb6b490f8037bf50b34dfb0298623c8e5a64050ff2f3
      • Instruction Fuzzy Hash: 6D919B31E083018FDB289E19888862B77E0AF94354F14847FE885A73D1DB38ED41DB9B
      APIs
      Strings
      Similarity
      • API ID: H_prolog
      • String ID: <response command="breakpoint_set" transaction_id="%e" state="%s" id="%i"/>$Any$disabled$enabled$exception$line$x M
      • API String ID: 3519838083-3876874280
      • Opcode ID: 5a6703ba3db0be5ff822eb42dfd15a01c8f5b1df745b566354c02f4a5d81a296
      • Instruction ID: 8e7e79552f479aed0edd806a16f81bad1ebd10c10014e297318c65f2f9c7f597
      • Opcode Fuzzy Hash: 5a6703ba3db0be5ff822eb42dfd15a01c8f5b1df745b566354c02f4a5d81a296
      • Instruction Fuzzy Hash: BD7105329042569FCB159F688A406AEBBA0AF56310F25857FE884F73C1DF3DCA418B5D
      APIs
      • CreateEllipticRgn.GDI32(?,?,80000000,?), ref: 004362A7
      • CreateRoundRectRgn.GDI32(?,?,80000000,?,?,?), ref: 004362CA
      • CreateRectRgn.GDI32(?,?,80000000,?), ref: 004362DA
      • CreatePolygonRgn.GDI32(?,00000000,00000001), ref: 004362ED
      • SetWindowRgn.USER32(?,00000000,00000001), ref: 00436300
      • DeleteObject.GDI32(00000000), ref: 0043630B
      • SetWindowRgn.USER32(?,00000000,00000001), ref: 00436325
      Strings
      Similarity
      • API ID: Create$RectWindow$DeleteEllipticObjectPolygonRound
      • String ID: ind
      • API String ID: 1229101157-166120149
      APIs
      • SendMessageW.USER32(00000000,00001304,00000000,00000000), ref: 0046C1A9
      • SendMessageW.USER32(?,?,00000000,004CEEA8), ref: 0046C247
      • SendMessageW.USER32(00000000,0000133E,00000000,00000003), ref: 0046C36B
      • SendMessageW.USER32(?,00001061,00000000,00000004), ref: 0046C3A2
      • SendMessageW.USER32(00000000,0000108F,00000000,00000000), ref: 0046C3DF
      • SendMessageW.USER32(00000000,0000101E,00000000,0000FFFE), ref: 0046C3FD
      Similarity
      • API ID: MessageSend
      • String ID: %.17g$.
      • API String ID: 3850602802-2891238881
      APIs
      • GetClassNameW.USER32(?,?,00000101), ref: 00456425
      • GetWindowLongW.USER32(?,000000F0), ref: 0045648A
      • SendMessageTimeoutW.USER32(?,0000018F,000000FF,?,00000002,000007D0,?), ref: 004564C7
      • SendMessageTimeoutW.USER32(?,00000185,00000001,?,00000002,000007D0,?), ref: 004564F2
      • SendMessageTimeoutW.USER32(?,0000014D,000000FF,?,00000002,000007D0,?), ref: 00456546
      Similarity
      • API ID: MessageSendTimeout$ClassLongNameWindow
      • String ID: Combo$List$Not supported for this control type.
      • API String ID: 740591644-232151274
      APIs
      • LoadLibraryW.KERNEL32(riched20.dll), ref: 0040D562
      • DialogBoxParamW.USER32(00000000,000001F4,00000000,0040D120,?), ref: 0040D5D0
      Similarity
      • API ID: DialogLibraryLoadParam
      • String ID: Specifically: %s$%s (%d) : ==> %s%s$Warning: $pQH$riched20.dll$stderr
      • API String ID: 1562155488-3047650412
      APIs
      • BlockInput.USER32(00000001), ref: 0041D53E
      • BlockInput.USER32(00000000), ref: 0041D554
      Similarity
      • API ID: BlockInput
      • String ID: Default$Mouse$MouseMove$MouseMoveOff$Send$SendAndMouse
      • API String ID: 3456056419-605279031
      APIs
      • SysAllocString.OLEAUT32(?), ref: 0045B19A
      • SysFreeString.OLEAUT32(00000000), ref: 0045B1B6
      • __alloca_probe_16.LIBCMT ref: 0045B209
      • __alloca_probe_16.LIBCMT ref: 0045B21A
      • SysFreeString.OLEAUT32(-00000008), ref: 0045B3A0
      • VariantClear.OLEAUT32(?), ref: 0045B40B
      Similarity
      • API ID: String$Free__alloca_probe_16$AllocClearVariant
      • String ID: hyN
      • API String ID: 628879196-3592220066
      APIs
      • FindWindowW.USER32(#32771,00000000), ref: 00410984
      • FindWindowW.USER32(#32771,00000000), ref: 00410AFC
        • Part of subcall function 00410690: PostMessageW.USER32(00000400,?,?,?), ref: 0041077B
        • Part of subcall function 00410690: PostMessageW.USER32(00000400,?,?), ref: 004107B0
        • Part of subcall function 00410690: PostMessageW.USER32(00000401,?,?,00000000), ref: 004107CF
      • CallNextHookEx.USER32(?,?,?,?), ref: 00410BCC
      • PostMessageW.USER32(00000400,?,?), ref: 00410C1F
      • PostMessageW.USER32(00000400,?,?), ref: 00410C58
      • PostMessageW.USER32(00000401,7FFFFFFF,?), ref: 00410C75
      Similarity
      • API ID: MessagePost$FindWindow$CallHookNext
      • String ID: #32771
      • API String ID: 2023431067-1822717788
      APIs
      • GetWindowLongW.USER32(?,000000EC), ref: 00465241
      • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00465256
      • ___from_strstr_to_strchr.LIBCMT ref: 004653FD
      • GetWindowLongW.USER32(?,FFFFFFEC), ref: 0046542C
      • SetWindowLongW.USER32(?,FFFFFFEC,00000000), ref: 0046543B
      Similarity
      • API ID: LongWindow$___from_strstr_to_strchr
      • String ID: lyN$pyN
      • API String ID: 3966610967-246201823
      APIs
      • GetFileAttributesW.KERNEL32(?,?,\Lib\,00000000,?,?), ref: 00443447
      • SHGetKnownFolderPath.SHELL32(004B8850,00004000,00000000,?,?,?), ref: 00443512
      • CoTaskMemFree.OLE32(?), ref: 00443532
      • GetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?), ref: 004435D8
      Similarity
      • API ID: AttributesFile$FolderFreeKnownPathTask
      • String ID: %s%s$\AutoHotkey\Lib\$\Lib\
      • API String ID: 3145814908-2078434092
      APIs
      • IsWindow.USER32(?), ref: 00424849
      • DialogBoxParamW.USER32(000000CD,00000000,Function_000249B0,?), ref: 0042487E
      Similarity
      • API ID: DialogParamWindow
      • String ID: AutoHotkey v2.0.18$Cancel$Timeout$Value$hOM
      • API String ID: 2019275597-231492468
      APIs
      • SafeArrayGetDim.OLEAUT32(?), ref: 0045B8C6
      • SafeArrayLock.OLEAUT32(?), ref: 0045B937
      • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 0045B948
      • SafeArrayUnlock.OLEAUT32(?), ref: 0045B974
      • VariantCopyInd.OLEAUT32(?,?), ref: 0045B9DA
      • SafeArrayUnlock.OLEAUT32(?), ref: 0045B9FD
      Similarity
      • API ID: ArraySafe$Unlock$CopyIndexLockVariant
      • String ID: Number
      • API String ID: 1068925383-2436635234
      APIs
      • _ValidateLocalCookies.LIBCMT ref: 0049C857
      • ___except_validate_context_record.LIBVCRUNTIME ref: 0049C85F
      • _ValidateLocalCookies.LIBCMT ref: 0049C8E8
      • __IsNonwritableInCurrentImage.LIBCMT ref: 0049C913
      • _ValidateLocalCookies.LIBCMT ref: 0049C968
      Similarity
      • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
      • String ID: PF@$csm
      • API String ID: 1170836740-1746168127
      APIs
      • GetDriveTypeW.KERNEL32(?), ref: 0041F8EB
      Similarity
      • API ID: DriveType
      • String ID: CDROM$Fixed$Network$RAMDisk$Removable$Unknown
      • API String ID: 338552980-706929342
      APIs
      • GetMenu.USER32 ref: 0043118C
      • EnableMenuItem.USER32(00000000,0000FF81,00000003), ref: 004311A1
      • EnableMenuItem.USER32(00000000,0000FF7E,00000003), ref: 004311AA
      • EnableMenuItem.USER32(00000000,0000FF7F,00000003), ref: 004311B3
      • EnableMenuItem.USER32(00000000,0000FF80,00000003), ref: 004311BC
      • SetMenuDefaultItem.USER32(?,?,00000000,&Open,0000FF14,00000000,00000000,004CEEA8,00000020), ref: 00431248
        • Part of subcall function 004726C0: RemoveMenu.USER32(?,?,00000000), ref: 00472709
        • Part of subcall function 004726C0: SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0047273B
        • Part of subcall function 004726C0: DeleteObject.GDI32(00000000), ref: 00472744
      Similarity
      • API ID: Menu$Item$Enable$DefaultDeleteInfoObjectRemove
      • String ID: &Open
      • API String ID: 2296546975-2913328703
      APIs
      • CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,08000000,00000000), ref: 004202C4
      • GetLastError.KERNEL32 ref: 004202D5
      Similarity
      • API ID: CreateErrorFileLast
      • String ID:
      • API String ID: 1214770103-0
      APIs
      • WSAStartup.WSOCK32(00000101,?), ref: 00455102
      • gethostname.WSOCK32(?,00000100), ref: 00455133
      • gethostbyname.WSOCK32(?), ref: 00455148
      • inet_ntoa.WSOCK32(?), ref: 00455175
      • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000), ref: 004551A0
      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000), ref: 004551F9
      • WSACleanup.WSOCK32 ref: 00455326
      • WSACleanup.WSOCK32 ref: 0045534D
      Similarity
      • API ID: ByteCharCleanupMultiWide$Startupgethostbynamegethostnameinet_ntoa
      • String ID:
      • API String ID: 1074705832-0
      • Opcode ID: e1f2c0c3991c5d6a594f1b5a79153066e493dc211d0412c0bad24dcd220e57d9
      • Instruction ID: df2a0b5f61dc84988700f7fb93900c92a930128503eac37f5d6ec364c268eff6
      • Opcode Fuzzy Hash: e1f2c0c3991c5d6a594f1b5a79153066e493dc211d0412c0bad24dcd220e57d9
      • Instruction Fuzzy Hash: F0A170B0A006159FDB10CF59D884BAAFBB8FF08715F14826AEC19AB391D778D814CF94
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 22f7b6187411abdf81762e99ef57876b779ddfdf74b48fb0acbca6a9f463b49b
      • Instruction ID: ef6674ebfaf18876fa15f8a747f15021958cb7b6de67c7c6fcf42170868d9dc5
      • Opcode Fuzzy Hash: 22f7b6187411abdf81762e99ef57876b779ddfdf74b48fb0acbca6a9f463b49b
      • Instruction Fuzzy Hash: D4414875104146ABDB209F28EC48B673BE4BB56311F14427BF8958B291F738DC45C7AB
      APIs
      • SystemTimeToFileTime.KERNEL32(?,?), ref: 0042788C
      • GetSystemTimeAsFileTime.KERNEL32(?), ref: 004278A2
      • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 004278AE
      • SystemTimeToFileTime.KERNEL32(?,?), ref: 004278D9
      • GetSystemTimeAsFileTime.KERNEL32(?), ref: 004278EF
      • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 004278FB
      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0042791A
      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00427968
      Similarity
      • API ID: Time$File$System$LocalUnothrow_t@std@@@__ehfuncinfo$??2@
      • String ID:
      • API String ID: 677198785-0
      • Opcode ID: 330602a374c3d28f57cf41921ecfcce3a907e549cc191b4fb3fe48fcbe5f3ecd
      • Instruction ID: 02e114877b4dd73942271650c4c9eb5471ee0ac4b0f1c7839f61a57e31711fb9
      • Opcode Fuzzy Hash: 330602a374c3d28f57cf41921ecfcce3a907e549cc191b4fb3fe48fcbe5f3ecd
      • Instruction Fuzzy Hash: EF31F6726043059BD710DE69EC01F9BB3EC9BC4720F044A6BF944D7290EA74E945C7AA
      APIs
      Similarity
      • API ID: _strrchr
      • String ID:
      • API String ID: 3213747228-0
      • Opcode ID: 4e09772e2803fc3a5aac83dd146b2c78676d8dbcb2e7d571661ae5495dff1c2d
      • Instruction ID: e6788c059f3ce24eb61f21b154c241a7ff3803f78e4cace0478367bcbda2a4ad
      • Opcode Fuzzy Hash: 4e09772e2803fc3a5aac83dd146b2c78676d8dbcb2e7d571661ae5495dff1c2d
      • Instruction Fuzzy Hash: ACB13872D00265AFDB118F68CCD1BFF7BA5EF6A314F148157E904AB382D6789901C7A8
      APIs
      • GetClientRect.USER32(?,?), ref: 004643E9
      Strings
      Similarity
      • API ID: ClientRect
      • String ID: Icon$Invalid value.
      • API String ID: 846599473-2507988673
      • Opcode ID: c1a0e19f338ae53b1b7cbd55a41b4726d34a449ea90b1404f8bb756aad1e824c
      • Instruction ID: 9af3f6efe7b9ee976c576b0abf9a52c74d67a8a03a89477d9685f4653b921409
      • Opcode Fuzzy Hash: c1a0e19f338ae53b1b7cbd55a41b4726d34a449ea90b1404f8bb756aad1e824c
      • Instruction Fuzzy Hash: 7D51CD716002119BCB24AF14C882A7BB7E5EFD4758F44492BF98587394FB38DD42C7AA
      APIs
      • GetKeyboardLayout.USER32(00000000), ref: 00471792
      • CharLowerW.USER32(00000000,00000000,?,0047164B,00000000,00000000), ref: 0047179D
      • GetKeyboardLayout.USER32(00000000), ref: 004717B9
      Strings
      Similarity
      • API ID: KeyboardLayout$CharLower
      • String ID: Alt$Ctrl$Shift
      • API String ID: 1607368298-3426316353
      • Opcode ID: e2b8f9a1176df1f05f8eec9438823917ae1f08933bfe7e0d702cca3508920775
      • Instruction ID: f34b7a7cf3769161f0c64da8ebf103b866805e463427d4becc9be7df88899a5e
      • Opcode Fuzzy Hash: e2b8f9a1176df1f05f8eec9438823917ae1f08933bfe7e0d702cca3508920775
      • Instruction Fuzzy Hash: F4415C3164420156DB345B6DAC46BFB77989FA1751F0C842BEC8C83291F76C898DD3AE
      APIs
      Strings
      Similarity
      • API ID: CharUpper$Sleep
      • String ID: %s%c${Raw}${Text}
      • API String ID: 3503790639-2444501380
      • Opcode ID: f422d64d4821e05b5a6dee8e5538533c78536459657110f0cd37f46473459ef8
      • Instruction ID: de605a57938d88ddc3ba0475024c3f6b023fbcee7ea02ed797db067d5139f89f
      • Opcode Fuzzy Hash: f422d64d4821e05b5a6dee8e5538533c78536459657110f0cd37f46473459ef8
      • Instruction Fuzzy Hash: 4D51E3746043858BCB24AF28C4507AA77E1BF94304F18466EE89587392E738D986C75D
      APIs
      • GetForegroundWindow.USER32(?,?), ref: 004342B4
      • PostMessageW.USER32(00000000,00000010,00000000,00000000), ref: 004342EB
      • GetTickCount.KERNEL32 ref: 004342F7
      • IsWindow.USER32(00000000), ref: 0043430B
      • GetTickCount.KERNEL32 ref: 00434315
      • IsWindow.USER32(00000000), ref: 00434334
      • GetForegroundWindow.USER32(00000000,00AE75C8,?,?), ref: 00434361
      Similarity
      • API ID: Window$CountForegroundTick$MessagePost
      • String ID:
      • API String ID: 4238487353-0
      • Opcode ID: d0905f46f660eb8a4c0ba6a1eec1114d6ea39964b8d5d8563a78b42c23eb9fab
      • Instruction ID: 19a0e90921d05fd1ba7c85c3f69a7f1c7bb3af149fa566885cbc1533c302bc96
      • Opcode Fuzzy Hash: d0905f46f660eb8a4c0ba6a1eec1114d6ea39964b8d5d8563a78b42c23eb9fab
      • Instruction Fuzzy Hash: A3410E303002124BDB216B29EC417EF77AAAFD8754F15146EF8419B3E2EB6CAC81C25D
      APIs
        • Part of subcall function 00455E30: GetClassNameW.USER32(?,00000000,00000101), ref: 00455E43
      • SendMessageTimeoutW.USER32(?,00001330,?,00000000,00000002,000007D0,?), ref: 004562C9
      • GetWindowLongW.USER32(?,000000F0), ref: 004562DA
      • PostMessageW.USER32(?,00000100,00000020,00000001), ref: 004562F7
      • PostMessageW.USER32(?,00000101,00000020,C0000001), ref: 00456306
      • GetWindowLongW.USER32(?,000000F0), ref: 00456317
      • SendMessageTimeoutW.USER32(?,00000185,00000000,?,00000002,000007D0,?), ref: 00456352
      • SendMessageTimeoutW.USER32(?,0000014E,?,00000000,00000002,000007D0,?), ref: 0045638F
      Similarity
      • API ID: Message$SendTimeout$LongPostWindow$ClassName
      • String ID:
      • API String ID: 443451408-0
      • Opcode ID: e6c1e8e03d7aea69af799d14b074203698bdee4c6a7742a399500fa6802a4448
      • Instruction ID: 16ddde4757cbf9412b795806beaf65a2c1e0e8c6615056561574527377837e4e
      • Opcode Fuzzy Hash: e6c1e8e03d7aea69af799d14b074203698bdee4c6a7742a399500fa6802a4448
      • Instruction Fuzzy Hash: 0B4129327002017BEA205A18AC45FAF376CEB80732F85062FFE54D62D1D66DA80D97A6
      APIs
      • GetCPInfo.KERNEL32(000004E4,?), ref: 0040C5DC
      • WriteFile.KERNEL32(FFFFFFFF,00000000,00000000,00000000,00000000,00000000,?,FFFFFFFF,00000002,?), ref: 0040C651
      • CloseHandle.KERNEL32(FFFFFFFF,00000000,?,FFFFFFFF,00000002,?), ref: 0040C694
      • WriteFile.KERNEL32(FFFFFFFF,00000000,00000000,00000000,00000000), ref: 0040C6CF
      • CloseHandle.KERNEL32(FFFFFFFF), ref: 0040C6F6
        • Part of subcall function 0040A7DF: __EH_prolog.LIBCMT ref: 0040A7E4
      Strings
      Similarity
      • API ID: CloseFileHandleWrite$H_prologInfo
      • String ID: stdout
      • API String ID: 1595584172-3267972124
      • Opcode ID: c381ac0e968483d793043f2c4fb66c5e7591593a4408f4ef0546cb800e9a54bd
      • Instruction ID: eff8854cb10230fcea5b39393844aff6a77c946aca48b362cdd52bdff9d52e7b
      • Opcode Fuzzy Hash: c381ac0e968483d793043f2c4fb66c5e7591593a4408f4ef0546cb800e9a54bd
      • Instruction Fuzzy Hash: 56514F70900209EBDB24DF98C984BAEB7B5EF54314F20862AF524B73D0D779AD05CB98
      APIs
      • CreateWindowExW.USER32(?,Edit,?,?,?,?,?,?,?,?,00000000), ref: 0046795F
      • SelectObject.GDI32(?,?), ref: 00468884
      • ReleaseDC.USER32(00000000,?), ref: 00468896
      Strings
      Similarity
      • API ID: CreateObjectReleaseSelectWindow
      • String ID: $Can't create control.$Edit
      • API String ID: 4043557977-1471620930
      • Opcode ID: 218d023aa8ae8b8318cdaee8e8146d8a6cab0845d093a6e360de12be5b9ff620
      • Instruction ID: f5c1951489b27233c377c566c42e204f7cf282a6ecd7efecb737bf6ebf3747aa
      • Opcode Fuzzy Hash: 218d023aa8ae8b8318cdaee8e8146d8a6cab0845d093a6e360de12be5b9ff620
      • Instruction Fuzzy Hash: 2F417970608341EFEB249F15CC45F6B7BE5BB84708F04892EF58997290EBB99C44CB5A
      APIs
      • GetFullPathNameW.KERNEL32(?,00008000,?,?), ref: 0047D387
      • GetPrivateProfileStringW.KERNEL32(?,?,?,?,0000FFFF,?), ref: 0047D3DA
      • GetLastError.KERNEL32 ref: 0047D3E0
      • GetPrivateProfileSectionW.KERNEL32(?,?,0000FFFF,?), ref: 0047D455
      Strings
      • The requested key, section or file was not found., xrefs: 0047D419
      Similarity
      • API ID: PrivateProfile$ErrorFullLastNamePathSectionString
      • String ID: The requested key, section or file was not found.
      • API String ID: 2876886682-121382301
      • Opcode ID: 59e88be2a08a096afa610d9a7ebc6a35e3dd976d5a28d29dbbb10cc98ecc31de
      • Instruction ID: ebafc98dd49ea55a72649643011c3675f396b90926ccc120b62b799eee9bb877
      • Opcode Fuzzy Hash: 59e88be2a08a096afa610d9a7ebc6a35e3dd976d5a28d29dbbb10cc98ecc31de
      • Instruction Fuzzy Hash: 10419F756153059FDB39DB14DCA5BEB73ECEF94300F80882EA589C6290E77C9848C76A
      APIs
      • FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,00000000,?,799FB8F6,?,004AE9EF,?,?,00000000,00000000), ref: 004AE9A1
      Strings
      Similarity
      • API ID: FreeLibrary
      • String ID: api-ms-$ext-ms-
      • API String ID: 3664257935-537541572
      • Opcode ID: ac64805962c50de208a43f0357ca8402cdf7437502f6da91d8c965b4f26867ed
      • Instruction ID: cad3979959e4aeae813a1f4675d38bff01bdcaec3710107e7856cbdee00e442a
      • Opcode Fuzzy Hash: ac64805962c50de208a43f0357ca8402cdf7437502f6da91d8c965b4f26867ed
      • Instruction Fuzzy Hash: 342100F1A01310BBCB619726DC45A5B375CDF53760F140226F926A7391DB38ED02C6E9
      APIs
      • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00471234
      • SendMessageW.USER32(?,0000104B,00000000,?), ref: 0047124F
      • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00471291
      • SendMessageW.USER32(?,0000104B,00000000,?), ref: 004712B0
      • StrCmpLogicalW.SHLWAPI(?,?), ref: 004712C4
      • lstrcmpiW.KERNEL32(?,?), ref: 004712F2
      Similarity
      • API ID: MessageSend$Logicallstrcmpi
      • String ID:
      • API String ID: 3364671528-0
      • Opcode ID: 86bec8fe232a8e93de1d5d24ced7651911904717dddadc8d967a36b8e522db18
      • Instruction ID: 6bed7d28069e953cdb95bbdccc2e294161d75b7a3eec1bd9aa9038566b4a6dfb
      • Opcode Fuzzy Hash: 86bec8fe232a8e93de1d5d24ced7651911904717dddadc8d967a36b8e522db18
      • Instruction Fuzzy Hash: 1A514D30204A42BFD7019B39CC10BE7BBB5FF06344F14865BE989E79A2D728E455C799
      APIs
      • IsCharAlphaNumericW.USER32(00000000), ref: 004515A9
      • IsCharAlphaW.USER32(00000001), ref: 0045161E
      • IsCharUpperW.USER32(00000001), ref: 00451680
      • IsCharLowerW.USER32(00000001), ref: 004516D9
      Strings
      Similarity
      • API ID: Char$Alpha$LowerNumericUpper
      • String ID: String
      • API String ID: 3246533038-2568140703
      • Opcode ID: df569b71382c0696d82104ef9f68efd54c2d4f46f802cfcf22d1589634785c96
      • Instruction ID: 656c4065e9c2b2bf77aacf6fb0977977b964918405d3591c24c3fe42590c0416
      • Opcode Fuzzy Hash: df569b71382c0696d82104ef9f68efd54c2d4f46f802cfcf22d1589634785c96
      • Instruction Fuzzy Hash: 09C12735B002155BCB209E2DD41077A77D1DB86357F0445ABEC8ACB3A2EB3ACC4AC399
      APIs
      • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004713FC
      • SendMessageW.USER32(?,0000104B,00000000,?), ref: 0047149B
      • SendMessageW.USER32(?,0000104C,00000000,00000001), ref: 004714D7
      • SendMessageW.USER32 ref: 00471551
      • SendMessageW.USER32(?,0000104C,00000000,00000004), ref: 0047158F
      • SendMessageW.USER32(?,00001030,?,004711F0), ref: 004715D4
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: MessageSend
      • String ID:
      • API String ID: 3850602802-0
      • Opcode ID: c04d8267d914156039d9e39b836fd47b6f69ce3a93cdb3cbf9eb979f8d473003
      • Instruction ID: 6d8d3a8712cdd6353ef3e46ae21bb93107dfd3471999105e4509afbf276d5995
      • Opcode Fuzzy Hash: c04d8267d914156039d9e39b836fd47b6f69ce3a93cdb3cbf9eb979f8d473003
      • Instruction Fuzzy Hash: 6D513CB0508381AFE320CF59C484B9BFBE4BB85348F54895EF5C9872A1C7B9D488CB56
      APIs
      • GetParent.USER32(00000000), ref: 00470201
      • CheckRadioButton.USER32(00000000,?,00000002,?), ref: 00470214
      • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00470250
      • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00470270
      • GetWindowLongW.USER32(00000000,000000F0), ref: 0047027D
      • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 0047028C
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: LongMessageSendWindow$ButtonCheckParentRadio
      • String ID:
      • API String ID: 490850741-0
      • Opcode ID: 598f49959cb860db3bfbf51fb4bed8059cf95318482eb6a8d383fdb9d964532c
      • Instruction ID: 3eefcebefd9f7c65846a6a7f2041c8e1161d4eb1d09150acf4e86dfe783c8585
      • Opcode Fuzzy Hash: 598f49959cb860db3bfbf51fb4bed8059cf95318482eb6a8d383fdb9d964532c
      • Instruction Fuzzy Hash: C331C632205215DFCB24CF88EC84F967369FB55320F11426AF5195B2A2CB71EC05CB98
      APIs
      • GetWindowLongW.USER32(?,000000F0), ref: 004884D0
      • GetLastActivePopup.USER32(?), ref: 004884E5
      • GetWindowLongW.USER32(?,000000EC), ref: 004884F6
      • GetWindow.USER32(?,00000004), ref: 00488516
      • DwmGetWindowAttribute.DWMAPI(?,0000000E,?,00000004), ref: 00488532
      • GetShellWindow.USER32 ref: 00488543
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: Window$Long$ActiveAttributeLastPopupShell
      • String ID:
      • API String ID: 404650234-0
      • Opcode ID: 27913c3119f4bec3cb1db3b7ab5e2f71511b694423052645d4cc68ccf927843e
      • Instruction ID: 78a9edeb074e971ffb5997f9a50eb481fd80474fdbb33d8f4d72c4ca4a685bc7
      • Opcode Fuzzy Hash: 27913c3119f4bec3cb1db3b7ab5e2f71511b694423052645d4cc68ccf927843e
      • Instruction Fuzzy Hash: F1318F72600212BBDB20BB15CD94B5FB799FF94314F944C2FE95196691DB38EC40CBA8
      APIs
      • GetFileAttributesW.KERNEL32 ref: 0047D526
      • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000000,00000000), ref: 0047D544
      • __alloca_probe_16.LIBCMT ref: 0047D575
      • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0047D5A1
      • CloseHandle.KERNEL32(?,?,?,?,00000000), ref: 0047D5B3
      • CloseHandle.KERNEL32(?,?,?,?,00000000), ref: 0047D5CF
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: File$CloseHandle$AttributesCreateWrite__alloca_probe_16
      • String ID:
      • API String ID: 1124774520-0
      • Opcode ID: fe81b3d57f84f7349464247eb38f7aa50dac00ab2e927c31be62b0f3e75e4b68
      • Instruction ID: b7bec70a1df50597147858c86480f41363146eee866b297282b61eae86a44faa
      • Opcode Fuzzy Hash: fe81b3d57f84f7349464247eb38f7aa50dac00ab2e927c31be62b0f3e75e4b68
      • Instruction Fuzzy Hash: ED21F732E00118ABD7205B6DAC06BEEB77CEF41729F10426AFD1CE3290D6345D1686D4
      APIs
      • GetWindowRect.USER32(?,?), ref: 00462609
      • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0046261E
      • MulDiv.KERNEL32(?,00000060), ref: 00462649
      • MulDiv.KERNEL32(?,00000060), ref: 00462672
      • MulDiv.KERNEL32(?,00000060), ref: 004626A0
      • MulDiv.KERNEL32(?,00000060), ref: 004626CA
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: Window$PointsRect
      • String ID:
      • API String ID: 83551929-0
      • Opcode ID: e7485d01a99be7dc0b6cd1d583a5bc963b108391e6195a9ca8e739af05a9ffb5
      • Instruction ID: 9ed68aad2b67246552208f05aefd75a35f89e65d45d48fcc1e0821e5db6ae8f6
      • Opcode Fuzzy Hash: e7485d01a99be7dc0b6cd1d583a5bc963b108391e6195a9ca8e739af05a9ffb5
      • Instruction Fuzzy Hash: CA319E72208705AFD324CF28E944F67B7E6EB84700F04066DF545972A1E7B1EC15CB6A
      APIs
      • IsWindow.USER32(?), ref: 004864E0
      • IsWindowVisible.USER32(?), ref: 004864FC
      • DwmGetWindowAttribute.DWMAPI(?,0000000E,?,00000004), ref: 00486518
      • GetWindowLongW.USER32(?,000000F0), ref: 00486534
      • GetClassLongW.USER32(?,000000E0), ref: 00486544
      • GetWindowLongW.USER32(?,000000EB), ref: 00486559
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: Window$Long$AttributeClassVisible
      • String ID:
      • API String ID: 4166653807-0
      • Opcode ID: 7faf310c28c1bb41503c4d8eea847447319cf16e81e0132ff325e41200f1fba2
      • Instruction ID: b44c94c98cd989c4f294093dd1f1b6e9fc4b7a23af243592546611d236d3e8d6
      • Opcode Fuzzy Hash: 7faf310c28c1bb41503c4d8eea847447319cf16e81e0132ff325e41200f1fba2
      • Instruction Fuzzy Hash: 001186722042117BEB20AB35BC44F6B77A8FB44761F154A2FF586D2694DB38E811D728
      APIs
      • GetParent.USER32 ref: 00456177
      • SetLastError.KERNEL32(00000000), ref: 00456189
      • GetDlgCtrlID.USER32 ref: 00456190
      • GetLastError.KERNEL32 ref: 0045619C
      • SendMessageTimeoutW.USER32(00000000,00000111,?,?,00000002,000007D0,?), ref: 004561C4
      • SendMessageTimeoutW.USER32(00000000,00000111,?,?,00000002,000007D0,?), ref: 004561EC
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: ErrorLastMessageSendTimeout$CtrlParent
      • String ID:
      • API String ID: 1824895809-0
      • Opcode ID: cf1dd10ff7c49d9ad77918a37889cec1264b4c365ba5e01cb0c0056e5bf3e4bb
      • Instruction ID: cb10da67960b849bef07def19144f8be055d1bf2ef2744ebdc2e93230f3f0269
      • Opcode Fuzzy Hash: cf1dd10ff7c49d9ad77918a37889cec1264b4c365ba5e01cb0c0056e5bf3e4bb
      • Instruction Fuzzy Hash: 1911C2713412003BE2205B589C85FBB239CDF84722F51023FFA01D62D2DBA8DC45C669
      APIs
      • OpenSCManagerW.ADVAPI32(00000000,00000000,00000008), ref: 004553AC
      • LockServiceDatabase.ADVAPI32(00000000), ref: 004553C2
      • UnlockServiceDatabase.ADVAPI32(00000000), ref: 004553CD
      • CloseServiceHandle.ADVAPI32(00000000), ref: 004553DB
      • GetLastError.KERNEL32 ref: 004553FA
      • CloseServiceHandle.ADVAPI32(00000000), ref: 00455410
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: Service$CloseDatabaseHandle$ErrorLastLockManagerOpenUnlock
      • String ID:
      • API String ID: 1690418490-0
      • Opcode ID: b1e116f1564b3c5b0f1618ee5d180fe2b6c28c9a36795f5e4c591368021df02b
      • Instruction ID: da854b0ccf69c71e856c5cec95e6f1f1ada128b45b161c05ea00dab37e55b7b8
      • Opcode Fuzzy Hash: b1e116f1564b3c5b0f1618ee5d180fe2b6c28c9a36795f5e4c591368021df02b
      • Instruction Fuzzy Hash: 7C118276A443009FC7009F55E84460ABBA8FFD83A2F09853AFD4893211DA78984DCBA1
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: H_prolog
      • String ID: <response command="property_set" success="%i" transaction_id="%e"/>$float$integer$string
      • API String ID: 3519838083-181363890
      • Opcode ID: 4bc0152cca5cb49ec5bb86d7b23a32aedd698717d21465c5d505fe57a0519a44
      • Instruction ID: 233de11b6143515d658b0a483bdbd72bd10a2aa24d7bc5df23537162c52bc3c9
      • Opcode Fuzzy Hash: 4bc0152cca5cb49ec5bb86d7b23a32aedd698717d21465c5d505fe57a0519a44
      • Instruction Fuzzy Hash: 5AB1BF71900319DBCB24DFA9D8946AEBBB1AF48314F24813FE805BB391D7399D11CB5A
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID:
      • String ID: Menu item name too long.$Out of memory.$Too many menu items.
      • API String ID: 0-2238099254
      • Opcode ID: 394dcc56ba5b99a58ec5b21ab6238a89138ba7ea52f593193ba8bfa545d4d64c
      • Instruction ID: bec6794e00356840c00a78281df08dbb915b4d59005cd5fba19e01cfe2c80abe
      • Opcode Fuzzy Hash: 394dcc56ba5b99a58ec5b21ab6238a89138ba7ea52f593193ba8bfa545d4d64c
      • Instruction Fuzzy Hash: 2BA18C75A00205AFDB24CF59D981BAAB7B4FF48310F10816FEC099B781E779E901CB98
      APIs
      • GetTickCount.KERNEL32 ref: 0042F70F
      • GetLocalTime.KERNEL32(004EAF5C), ref: 0042F73D
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: CountLocalTickTime
      • String ID: %02d$%03d$MSec
      • API String ID: 173086840-2031959049
      • Opcode ID: 56bb13ad6da90b45a5bffcd1e4f58b2300933b355816ce54bca6b71ba14f18d0
      • Instruction ID: 1f88fb83b65ababc212c7612eb89fc5c877ef2861d89762cf5d1367754687a82
      • Opcode Fuzzy Hash: 56bb13ad6da90b45a5bffcd1e4f58b2300933b355816ce54bca6b71ba14f18d0
      • Instruction Fuzzy Hash: 8A81BB62F0135196D2009B19BC812BBB3E0FBD5719FC8453BFC88912A1F72D9D99C29E
      APIs
      • __EH_prolog.LIBCMT ref: 0040A417
        • Part of subcall function 0040AFF6: _strlen.LIBCMT ref: 0040B124
      Strings
      • x M, xrefs: 0040A4BE
      • </response>, xrefs: 0040A70E
      • <response command="source" success="1" transaction_id="%e" encoding="base64">, xrefs: 0040A560
      • <response command="source" success="0" transaction_id="%e"/>, xrefs: 0040A6D4
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: H_prolog_strlen
      • String ID: </response>$<response command="source" success="0" transaction_id="%e"/>$<response command="source" success="1" transaction_id="%e" encoding="base64">$x M
      • API String ID: 3871006878-3045361736
      • Opcode ID: 77079109da96a543191f7dbce819b70cb079774876146231bfaad5ca6e9c8024
      • Instruction ID: 421b02ed63cdf2d0b1c472e2d07eb437e393dd593e78f086ad1b49159daad89f
      • Opcode Fuzzy Hash: 77079109da96a543191f7dbce819b70cb079774876146231bfaad5ca6e9c8024
      • Instruction Fuzzy Hash: 87A1ED31A00315ABCF14DFA9C891BAE73B1AF44714F14853BE905BB2C1DB799E50CB9A
      APIs
      • CreateWindowExW.USER32(?,msctls_trackbar32,004CEEA8,?,?,?,?,?,?,?,00000000), ref: 0046820D
      • SelectObject.GDI32(?,?), ref: 00468884
      • ReleaseDC.USER32(00000000,?), ref: 00468896
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: CreateObjectReleaseSelectWindow
      • String ID: Can't create control.$msctls_trackbar32
      • API String ID: 4043557977-1544864918
      • Opcode ID: 4533ce87b76f8f5353c5735c76ccec34b7660d96183c79ae58a2418240825830
      • Instruction ID: c9b04b615c912f96e190654f843f97f082721e7d1a270c30e0cafd1b5aed390f
      • Opcode Fuzzy Hash: 4533ce87b76f8f5353c5735c76ccec34b7660d96183c79ae58a2418240825830
      • Instruction Fuzzy Hash: DF51BD70384345BFEB305B15CC06F6B7BA5BF54B00F00421EB740AA2E0DBB5A890DB9A
      APIs
      • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00472975
      • RemoveMenu.USER32(?,?,00000000,00000000,?,004CEEA8,?,?,?,?,?,?,?,?,00471A8B,?), ref: 004729D6
      • InsertMenuItemW.USER32(?,00000000,00000001,00000030), ref: 00472A6A
        • Part of subcall function 00472A80: SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00472C73
      • GetMenuItemCount.USER32(?), ref: 00472A55
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: Menu$Item$Info$CountInsertRemove
      • String ID: 0
      • API String ID: 341723275-4108050209
      • Opcode ID: 74298064a202186aeacd506b5cc8cc5ef7178dceb439acb707971bf5e5a6f808
      • Instruction ID: e4275a9b64e69ecbe1b31bc4f736b5d69f8eeef82ca7c6877161329d2af74bef
      • Opcode Fuzzy Hash: 74298064a202186aeacd506b5cc8cc5ef7178dceb439acb707971bf5e5a6f808
      • Instruction Fuzzy Hash: 03513CB42047019FD724CF25CA84A67B7E8FF88700F04892EF99A97750D7B9E904CB65
      APIs
      • SetMenu.USER32(00000000,00000000), ref: 004633E0
      • DestroyAcceleratorTable.USER32(?), ref: 004633F2
      • CreateAcceleratorTableW.USER32(?,00000000,00000000,?,?), ref: 00463427
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: AcceleratorTable$CreateDestroyMenu
      • String ID: MenuBar
      • API String ID: 2389976504-731504628
      • Opcode ID: 616eeba07f85dae0db324ee1e87ddf678883f86deb3bf766bb00d62f9d6a96fa
      • Instruction ID: 88fd2a93d844b21e409facc04b4beeab48118fdfede4a033d34391b0fee3f413
      • Opcode Fuzzy Hash: 616eeba07f85dae0db324ee1e87ddf678883f86deb3bf766bb00d62f9d6a96fa
      • Instruction Fuzzy Hash: 2E41B2707002519FD7249F25C844B6BB3A8BF41715F14806BEC058B351EB7CEE81C79A
      APIs
      • GetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?), ref: 004435D8
        • Part of subcall function 00443410: GetFileAttributesW.KERNEL32(?,?,\Lib\,00000000,?,?), ref: 00443447
      • SHGetKnownFolderPath.SHELL32(004B8850,00004000,00000000,?,?,?), ref: 00443512
      • CoTaskMemFree.OLE32(?), ref: 00443532
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: AttributesFile$FolderFreeKnownPathTask
      • String ID: \AutoHotkey\Lib\$\Lib\
      • API String ID: 3145814908-2051091515
      • Opcode ID: ba03d5918a30826027d748f68e1b9227b1c10985091d663e0840d628dc80a6ed
      • Instruction ID: 74ea1d070126a258f7fc5b642ff233a88d8b60e04ceea50d8d9e3f02ee98be24
      • Opcode Fuzzy Hash: ba03d5918a30826027d748f68e1b9227b1c10985091d663e0840d628dc80a6ed
      • Instruction Fuzzy Hash: 06411C30600341ABE720DF59DCC5BAB77E4AF49B05F00053EF9449B291DB79A945C7AE
      APIs
      • CreateWindowExW.USER32(?,SysTreeView32,004CEEA8,?,?,?,?,?,?,?,00000000), ref: 004677D2
      • SelectObject.GDI32(?,?), ref: 00468884
      • ReleaseDC.USER32(00000000,?), ref: 00468896
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: CreateObjectReleaseSelectWindow
      • String ID: Can't create control.$SysTreeView32
      • API String ID: 4043557977-3975907712
      • Opcode ID: 2d628ad103af6ee230dd3be39f53bd5fc6c998db52efc8e5a93c176f6d32cb28
      • Instruction ID: 3ab0e380c70a52254210909b76a4519eb551d49528cf0c029510085aa5541b2c
      • Opcode Fuzzy Hash: 2d628ad103af6ee230dd3be39f53bd5fc6c998db52efc8e5a93c176f6d32cb28
      • Instruction Fuzzy Hash: BF419F30244341AFE7359B15CC45F2ABBA6FF84714F10071EF255A62E1DBB8AC90CB5A
      APIs
      • CreateWindowExW.USER32(?,msctls_progress32,004CEEA8,?,?,?,?,?,?,?,00000000), ref: 004683CF
      • SelectObject.GDI32(?,?), ref: 00468884
      • ReleaseDC.USER32(00000000,?), ref: 00468896
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: CreateObjectReleaseSelectWindow
      • String ID: Can't create control.$msctls_progress32
      • API String ID: 4043557977-3641780397
      • Opcode ID: 61ebb6cb81f4083c32f6a0460bf1aaa725f64a2dfc493b030a6ca18fb0e40b14
      • Instruction ID: 1696aaa76b90ca9d82314ee643262f330a79578c6eaea59ab712c9a5aa91ed16
      • Opcode Fuzzy Hash: 61ebb6cb81f4083c32f6a0460bf1aaa725f64a2dfc493b030a6ca18fb0e40b14
      • Instruction Fuzzy Hash: 54419E30244341EFE7209B15CC49F2B7BA5BF84704F14461EF645A62E0EBB89C91CB5A
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID:
      • String ID: Array$ahk_dlg
      • API String ID: 0-4293111035
      • Opcode ID: f8574decbbd68ad0768daf1e1a6d17b70b4b1bf22803c1c2345f41f052a911a5
      • Instruction ID: 11d6114d1b2f18934557d644a2f1b9168b7a4889baabda0bb2121874e1f6db9b
      • Opcode Fuzzy Hash: f8574decbbd68ad0768daf1e1a6d17b70b4b1bf22803c1c2345f41f052a911a5
      • Instruction Fuzzy Hash: AF31EF717002406FE320DE29DC86F77B3A8EB81325F14022BF901C7281EB68ED0482AA
      APIs
      • ___from_strstr_to_strchr.LIBCMT ref: 0040B2CA
      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,00000001,?,00000004,00000000,00000000,?,004E9EA8,?,00000002,00000000,00000000,?,0043A2CE), ref: 0040B327
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: ByteCharMultiWide___from_strstr_to_strchr
      • String ID: %%%02X$-_.!~*()/$file:///
      • API String ID: 4096677737-736925546
      • Opcode ID: 37d56351b5c5cd7aefd55f2186ae860daf3b048ce0a8191fa13c30f1bcd067fe
      • Instruction ID: d9d0049c6891f13b90361ae87c05a451c63c9b20fd78b6bc254da177f6f86cdc
      • Opcode Fuzzy Hash: 37d56351b5c5cd7aefd55f2186ae860daf3b048ce0a8191fa13c30f1bcd067fe
      • Instruction Fuzzy Hash: D531C2B66403029BE320AA5ACC96F377398DF11718F30453FFDA5A62C1E778AC45825C
      APIs
      • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 0046882D
      • SelectObject.GDI32(?,?), ref: 00468884
      • ReleaseDC.USER32(00000000,?), ref: 00468896
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: CreateObjectReleaseSelectWindow
      • String ID: A window class is required.$Can't create control.
      • API String ID: 4043557977-953632240
      • Opcode ID: be71b482168b39578135c24f7787b4fd7d2e4e8693376ccfa62d402d6029b11f
      • Instruction ID: 36a2224744a433e238d2979f426c9753982459a1be022604fc18be919b27b879
      • Opcode Fuzzy Hash: be71b482168b39578135c24f7787b4fd7d2e4e8693376ccfa62d402d6029b11f
      • Instruction Fuzzy Hash: D3319C35341244EFEB209B46DC05F277BA1FB94B06F14026FF6415A2E1DBB89850DB6A
      APIs
      • OutputDebugStringW.KERNEL32(?,?,?,?,0044456C,This local variable has the same name as a global variable.,?,00000000), ref: 0040E86C
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: DebugOutputString
      • String ID: Specifically: %s$%s (%d) : ==> %s%s$Warning: $stderr
      • API String ID: 1166629820-3119856357
      • Opcode ID: db7dbf513348a1263594909b9846cbfdf525b8e799a2017bae5e112d3711b9c4
      • Instruction ID: 60f28363ac19b3dbca35bd386b2b5422cae266b5a766046e8e692a9b7a6913ff
      • Opcode Fuzzy Hash: db7dbf513348a1263594909b9846cbfdf525b8e799a2017bae5e112d3711b9c4
      • Instruction Fuzzy Hash: A831D5B6604304ABC720BA55EC85FB77299EB80711F04483BF645A32D1E6B9AD14D2AD
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID:
      • String ID: Shell_TrayWnd
      • API String ID: 0-2988720461
      • Opcode ID: 641b2d0dbcba285b4a5bc09730ce92fac46350fdfaf5fe7fa592ae2d6f9be2cf
      • Instruction ID: f90a5f84fbc4e1eeb02523016fa5454f93125c6ed0dae1b440d7502a42a03b23
      • Opcode Fuzzy Hash: 641b2d0dbcba285b4a5bc09730ce92fac46350fdfaf5fe7fa592ae2d6f9be2cf
      • Instruction Fuzzy Hash: E43172B06002549FEB20DF25DCC5B9AB7B4BB04708F4045AEEA849B3D1CBF95984CF58
      APIs
      • GetClassNameW.USER32(?,?,00000101), ref: 0045609C
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: ClassName
      • String ID: Combo$List$Not supported for this control type.
      • API String ID: 1191326365-232151274
      • Opcode ID: 017b331e0a744a03027c435e9bf432e0e1ec0a94faef351b1394949c52fc1b56
      • Instruction ID: b528614fe1dbfb8a36637cff5d3962d211635f8e11df6ccdadd818d3aafe72ad
      • Opcode Fuzzy Hash: 017b331e0a744a03027c435e9bf432e0e1ec0a94faef351b1394949c52fc1b56
      • Instruction Fuzzy Hash: B62123316142066BEB20DB18DC95BFB3395EBA0315F80492AF854C62E2F77D9D48C79A
      APIs
      • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 004329C1
      • FileTimeToSystemTime.KERNEL32(?,?), ref: 004329D1
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: Time$File$LocalSystem
      • String ID: %04d%02d%02d%02d%02d%02d$C$M
      • API String ID: 1748579591-3452254514
      • Opcode ID: a6ea2ea58506f7ddf3770bcd542806786cf965e47d47c12268b3e59d7910d341
      • Instruction ID: 1a9f0f1242bc59e603a48f0d3aa4cc842a1828629f2cc718296dfd591f25f713
      • Opcode Fuzzy Hash: a6ea2ea58506f7ddf3770bcd542806786cf965e47d47c12268b3e59d7910d341
      • Instruction Fuzzy Hash: 71214AB6204202ABC7149F59D880977F7E8FF88720F145A6BF994C7290E778D880C7A6
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID:
      • String ID: UTF-16$UTF-16-RAW$UTF-8$UTF-8-RAW
      • API String ID: 0-2787617770
      • Opcode ID: 2feebaec4b0fa4a333d995d59585c3f8ec5f4420b900d86e37398c5c495b3bf2
      • Instruction ID: 843387244efbeaa4af23384dae58fe35d60909727f56df51af3eb46fb6913eb9
      • Opcode Fuzzy Hash: 2feebaec4b0fa4a333d995d59585c3f8ec5f4420b900d86e37398c5c495b3bf2
      • Instruction Fuzzy Hash: F311E621E0162053DE20B22D7CA26DB35841F51B1AF88427FED44E93C1F7ADCA48D1EE
      APIs
      • GetClassNameW.USER32(?,?,00000101), ref: 00456651
      • SendMessageTimeoutW.USER32(00000158,00000158,000000FF,?,00000002,000007D0,?), ref: 004566D3
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: ClassMessageNameSendTimeout
      • String ID: Combo$List$Not supported for this control type.
      • API String ID: 1632441287-232151274
      • Opcode ID: c7b796ec412fbe7231ef59adef965afe25eda2b97d8c7a2a5b40ad4c283e6f7d
      • Instruction ID: c27e12f021d7a53741b48d1f04a67a117e01e4bb8ce5eb181fb6023a87ba6084
      • Opcode Fuzzy Hash: c7b796ec412fbe7231ef59adef965afe25eda2b97d8c7a2a5b40ad4c283e6f7d
      • Instruction Fuzzy Hash: 1A21D570604201ABE724DB14EC86BAA7399EB60305F904A2EF954C22E2F77CDC48864A
      APIs
      • ___from_strstr_to_strchr.LIBCMT ref: 0040A923
      • send.WSOCK32(FFFFFFFF,?,00000001,00000000,?,?,?,?,?,?,004E9EA8,00000002), ref: 0040A953
      • send.WSOCK32(FFFFFFFF,00000000,?,00000000,?,?,?,?,?,?,004E9EA8,00000002), ref: 0040A96B
      Strings
      • An internal error has occurred in the debugger engine.Continue running the script without the debugger?, xrefs: 0040A979
      • <?xml version="1.0" encoding="UTF-8"?>, xrefs: 0040A928
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: send$___from_strstr_to_strchr
      • String ID: <?xml version="1.0" encoding="UTF-8"?>$An internal error has occurred in the debugger engine.Continue running the script without the debugger?
      • API String ID: 518053669-3162732081
      • Opcode ID: 1bb9d1324a32e8066393e7ba5e6971a67f66ea0407c111904623ba8c09f72953
      • Instruction ID: 3dc112c4c8d89297928a009aba9e1fb36f4d35c32750d9ab7949104984f0e565
      • Opcode Fuzzy Hash: 1bb9d1324a32e8066393e7ba5e6971a67f66ea0407c111904623ba8c09f72953
      • Instruction Fuzzy Hash: EE11D3726046046BC300DE699D41FAAB7A8FB49314F14063BF914D36D1E774E9258BEA
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID:
      • String ID: Invalid value.
      • API String ID: 0-2933149348
      • Opcode ID: 0b5ff9cb3877629a7ac437237176f237ba788c28e32bba4b0290c22cff25f825
      • Instruction ID: 7a7f904ce26df292c2d4db8cfa69d7bff53893663e7d96eacc867b12ea57e60e
      • Opcode Fuzzy Hash: 0b5ff9cb3877629a7ac437237176f237ba788c28e32bba4b0290c22cff25f825
      • Instruction Fuzzy Hash: DF11E9B11007019FE7305B25DC54B57B7E8AF90355F14852FE58297670EB74E849CB1D
      APIs
      • GetDateFormatEx.KERNEL32(00000000,00000000,00000000,dddd,?,00000100,00000000), ref: 0042F6AD
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: DateFormat
      • String ID: MMM$MMMM$ddd$dddd
      • API String ID: 2793631785-2187213731
      • Opcode ID: 36ca9118e328113e64c1250b729920236f2e7f8dcfb60ed7c0cd82e867f32655
      • Instruction ID: 2a92f03aff9f233c7a7f4d4cc223cba0c72cf5423acd9d1261ef5aa572854e00
      • Opcode Fuzzy Hash: 36ca9118e328113e64c1250b729920236f2e7f8dcfb60ed7c0cd82e867f32655
      • Instruction Fuzzy Hash: 9E015230704B119BDB248A28D81172773F2EB84710FA4C93FE596977E4DB78EC468749
      APIs
      • CloseHandle.KERNEL32(00000000,0041A5F3), ref: 0041300A
      • CreateMutexW.KERNEL32(00000000,00000000,AHK Mouse,?,?,0041A5F3), ref: 0041301B
      • GetLastError.KERNEL32(?,?,0041A5F3), ref: 00413023
      • CloseHandle.KERNEL32(00000000,?,?,0041A5F3), ref: 0041304B
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: CloseHandle$CreateErrorLastMutex
      • String ID: AHK Mouse
      • API String ID: 2372642624-1022267635
      APIs
      • SysStringLen.OLEAUT32(?), ref: 0045A30E
      • VariantClear.OLEAUT32(00000000), ref: 0045A384
      • VariantChangeType.OLEAUT32(?,?,00000000,00000014), ref: 0045A661
      • VariantChangeType.OLEAUT32(00000008,?,00000000,00000008), ref: 0045A6C3
      Similarity
      • API ID: Variant$ChangeType$ClearString
      • String ID:
      • API String ID: 761406287-0
      APIs
      • __alloca_probe_16.LIBCMT ref: 004AD57A
      • __alloca_probe_16.LIBCMT ref: 004AD643
      • __freea.LIBCMT ref: 004AD6AA
        • Part of subcall function 004AC06F: RtlAllocateHeap.NTDLL(00000000,00000000,004AB09A,?,004AC0D2,?,00000000,?,004AE888,00000000,004AB09A,00000000,?,?,?,004AAE94), ref: 004AC0A1
      • __freea.LIBCMT ref: 004AD6BD
      • __freea.LIBCMT ref: 004AD6CA
      Similarity
      • API ID: __freea$__alloca_probe_16$AllocateHeap
      • String ID:
      • API String ID: 1423051803-0
      APIs
      Similarity
      • API ID: CountHookTick$CallNextUnhookWindows
      • String ID:
      • API String ID: 2092930497-0
      APIs
      • CharLowerW.USER32(00000000,?,00000000,?,00000001,00000000,00000000,00000001,?,?), ref: 00411991
      • CharLowerW.USER32(00000000), ref: 0041199A
      • CharLowerW.USER32(?), ref: 004119AF
      • PostMessageW.USER32(0000041B,00000000,00000000,?), ref: 00411B2C
      Similarity
      • API ID: CharLower$MessagePost
      • String ID:
      • API String ID: 1413635493-0
      APIs
      • GetWindowRect.USER32(00000000,?), ref: 00469799
      • GetClientRect.USER32(00000000,?), ref: 004697A7
      • MulDiv.KERNEL32(00000000,00000060,?), ref: 00469838
      • MulDiv.KERNEL32(00000000,00000060,?), ref: 00469869
      • GetWindowRect.USER32(00000000,?), ref: 004698AD
      Similarity
      • API ID: Rect$Window$Client
      • String ID:
      • API String ID: 1307596666-0
      APIs
      • SafeArrayGetDim.OLEAUT32(?), ref: 0045B674
      • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 0045B68A
      • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0045B69F
      • SafeArrayAccessData.OLEAUT32(?,?), ref: 0045B6B2
      • SafeArrayGetElemsize.OLEAUT32(?), ref: 0045B6D3
      Similarity
      • API ID: ArraySafe$Bound$AccessDataElemsize
      • String ID:
      • API String ID: 505432365-0
      APIs
      • GetFullPathNameW.KERNEL32(?,00008000,?,?), ref: 0047D623
        • Part of subcall function 0047D510: GetFileAttributesW.KERNEL32 ref: 0047D526
        • Part of subcall function 0047D510: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000000,00000000), ref: 0047D544
        • Part of subcall function 0047D510: __alloca_probe_16.LIBCMT ref: 0047D575
        • Part of subcall function 0047D510: WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0047D5A1
        • Part of subcall function 0047D510: CloseHandle.KERNEL32(?,?,?,?,00000000), ref: 0047D5B3
      • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 0047D65C
      • __alloca_probe_16.LIBCMT ref: 0047D686
      • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0047D6CB
      • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0047D6EA
      Similarity
      • API ID: Write$FilePrivateProfile$String__alloca_probe_16$AttributesCloseCreateFullHandleNamePathSection
      • String ID:
      • API String ID: 1128869196-0
      APIs
      • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,22000000,00000000), ref: 00421687
      • GetLastError.KERNEL32 ref: 00421694
      • SetFileTime.KERNEL32(00000000,00000000,?,00000000), ref: 004216CC
      • GetLastError.KERNEL32 ref: 004216D8
      • CloseHandle.KERNEL32(00000000), ref: 004216E8
      Similarity
      • API ID: ErrorFileLast$CloseCreateHandleTime
      • String ID:
      • API String ID: 1269242970-0
      APIs
      Strings
      Similarity
      • API ID: __alloca_probe_16
      • String ID: ,$Out of memory.
      • API String ID: 1700504859-2084262015
      APIs
      • GetWindowLongW.USER32(?,000000F0), ref: 00464784
      Strings
      Similarity
      • API ID: LongWindow
      • String ID: LB_GETTEXTLEN
      • API String ID: 1378638983-2277187589
      APIs
      • GetCPInfo.KERNEL32(000004E4,00000014,?,?,00000000), ref: 0042084F
      • GetLastError.KERNEL32(?,00000000,?,?,?,00000000), ref: 0042087D
      • GetLastError.KERNEL32(?,?), ref: 004208F4
      Strings
      Similarity
      • API ID: ErrorLast$Info
      • String ID: stdout
      • API String ID: 545397826-3267972124
      APIs
      Strings
      Similarity
      • API ID: CountTick__alloca_probe_16
      • String ID: 4IM
      • API String ID: 1721169834-4126498111
      APIs
      • GlobalAlloc.KERNEL32(00000000,0000001C), ref: 0041DA37
      • VirtualProtect.KERNEL32(00000000,0000001C,00000040,?), ref: 0041DAFA
      Strings
      Similarity
      • API ID: AllocGlobalProtectVirtual
      • String ID: HIM$PIM
      • API String ID: 2640651979-143064196
      APIs
      • RegConnectRegistryW.ADVAPI32(?,00000000,?), ref: 004385DD
      Strings
      Similarity
      • API ID: ConnectRegistry
      • String ID: Menu$xtN$xtN
      • API String ID: 76216097-4224610985
      APIs
      Strings
      • Script lines most recently executed (oldest first). Press [F5] to refresh. The seconds elapsed between a line and the one after , xrefs: 0044C447
      • Press [F5] to refresh., xrefs: 0044C5FB
      • ---- %s, xrefs: 0044C562
      Similarity
      • API ID: CountTick
      • String ID: Press [F5] to refresh.$---- %s$Script lines most recently executed (oldest first). Press [F5] to refresh. The seconds elapsed between a line and the one after
      • API String ID: 536389180-1384135373
      Strings
      Similarity
      • API ID:
      • String ID: ahk_dlg
      • API String ID: 0-2093416220
      • Opcode ID: 63969f693e1fb91e86422d462ea182fe5dde1dc5b7d6105bae57c8dbbe948554
      • Instruction ID: 896921e7ee682b6dace47d12bf2edc1bec16a28fabfa8228bdc2044c643d3b05
      • Opcode Fuzzy Hash: 63969f693e1fb91e86422d462ea182fe5dde1dc5b7d6105bae57c8dbbe948554
      • Instruction Fuzzy Hash: 0521C4722002455FD320CE1CDC95FB7F3A8EB95711F54426FF94187240EB65FD0686AA
      APIs
      • RemoveMenu.USER32(?,?,00000000), ref: 00472709
      • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0047273B
      • DeleteObject.GDI32(00000000), ref: 00472744
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: Menu$DeleteInfoItemObjectRemove
      • String ID: 0
      • API String ID: 1523629976-4108050209
      • Opcode ID: 6bf31ac2400d43b0543bb882191af4badc1fc05dcff57f95d3e2e1b9f1b9cabf
      • Instruction ID: 539c7a67fd6e5201cfdefc89f2edffc825cfc3eecf27c629fbadc6411589b557
      • Opcode Fuzzy Hash: 6bf31ac2400d43b0543bb882191af4badc1fc05dcff57f95d3e2e1b9f1b9cabf
      • Instruction Fuzzy Hash: 7D31A170600601EFDB28CF65DA48B9AB7B4FF04704F00862EE45997B90DBB8F854CB98
      APIs
      • RemoveMenu.USER32(00000000,?,00000000,00000000,?,75A91F70), ref: 0047280D
      • SetMenuItemInfoW.USER32(00000000,?,00000000,00000000), ref: 00472844
      • DeleteObject.GDI32(00000000), ref: 0047284D
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: Menu$DeleteInfoItemObjectRemove
      • String ID: 0
      • API String ID: 1523629976-4108050209
      • Opcode ID: 12430a6a890e850539286a816316f8f1ab3e25fe9cd3944a421740f95579be97
      • Instruction ID: 1bc5f7fe2a6de6795819e7f908ccfb360072c3b856575de077fe934cb7f3f607
      • Opcode Fuzzy Hash: 12430a6a890e850539286a816316f8f1ab3e25fe9cd3944a421740f95579be97
      • Instruction Fuzzy Hash: D831A171600701AFDB24DF56DA84B56B7B8FF08704F00862EE40997790CB79E844CBA9
      APIs
      • CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 0041F7AA
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: CreateFile
      • String ID: \\.\%c:
      • API String ID: 823142352-1260769427
      • Opcode ID: 8f172e2fe4c9e99a90e42d2ad3b5fd97753e19670bcb64e34239adf100122aee
      • Instruction ID: 4fc313157db31d5257bd5b72238c0ab231e8fb0d20576ed42256e63128c4ed33
      • Opcode Fuzzy Hash: 8f172e2fe4c9e99a90e42d2ad3b5fd97753e19670bcb64e34239adf100122aee
      • Instruction Fuzzy Hash: 4C01D672A011247BC7205AA9AC48FE77A5CEF46764F100277B855E3280D9788D4E86F5
      APIs
      • CreateStatusWindowW.COMCTL32(?,?,?,?), ref: 00468847
      • SelectObject.GDI32(?,?), ref: 00468884
      • ReleaseDC.USER32(00000000,?), ref: 00468896
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: CreateObjectReleaseSelectStatusWindow
      • String ID: Can't create control.
      • API String ID: 251966648-1312452188
      • Opcode ID: ec726269e53a1e17c0377cb5aee8542d3e20e9030b24735b4025dc98231319db
      • Instruction ID: 37702bc73cfc565b0acbfcb13c2b6513f7d65a2ea3a793fac283a0ae13ccba25
      • Opcode Fuzzy Hash: ec726269e53a1e17c0377cb5aee8542d3e20e9030b24735b4025dc98231319db
      • Instruction Fuzzy Hash: 27116770600345EFDB24DF15CC48F2A7BA5BB88705F40462EF641A72D1DBB8D854CB6A
      APIs
      • GetWindowThreadProcessId.USER32(?,00000000), ref: 004350BA
      • GetGUIThreadInfo.USER32(00000000), ref: 004350C1
      • IsChild.USER32(00000030,?), ref: 004350E5
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: Thread$ChildInfoProcessWindow
      • String ID: 0
      • API String ID: 2321189416-4108050209
      • Opcode ID: b6742e41871eedd9f2d24e36e5f5e52fad547e26f69bb4cd7f55b03c1422ec55
      • Instruction ID: a43edb238f237d26489ed4d9d25366945627a62422890649970d1b5aff1a219d
      • Opcode Fuzzy Hash: b6742e41871eedd9f2d24e36e5f5e52fad547e26f69bb4cd7f55b03c1422ec55
      • Instruction Fuzzy Hash: 4B115B71214209AFCB14CF68DC46B6A7BE8EB49354F10466CF859C73A0EB36E810CB96
      APIs
      • GetConsoleOutputCP.KERNEL32(799FB8F6,00000000,00000000,?), ref: 004B251D
        • Part of subcall function 004AE74E: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,004AD6A0,?,00000000,-00000008), ref: 004AE7AF
      • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 004B276F
      • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 004B27B5
      • GetLastError.KERNEL32 ref: 004B2858
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
      • String ID:
      • API String ID: 2112829910-0
      • Opcode ID: def888cc01d67b9b38237eb0d24972033c111a56b8bc669ecce5748c72221ad1
      • Instruction ID: 80656a21afd5c99e06c6541e2c5c904efc406c6bd829056dbab66d1f50273e38
      • Opcode Fuzzy Hash: def888cc01d67b9b38237eb0d24972033c111a56b8bc669ecce5748c72221ad1
      • Instruction Fuzzy Hash: FCD18C75D002489FCF15CFA8C9809EEBBF4FF09304F28466AE516EB351D674A942CB68
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 89915f6fa26174a4c05be1406fd03bf315a196554dd9e77e7ca0e3aeeea1fafa
      • Instruction ID: 2a87df0680ce7f4e7e38c61d6fa761332c3e60ac965bbdf41f3c5a3d49ac65a6
      • Opcode Fuzzy Hash: 89915f6fa26174a4c05be1406fd03bf315a196554dd9e77e7ca0e3aeeea1fafa
      • Instruction Fuzzy Hash: 9AB15870B043019FDB14DF25C884B6BBBE5BF88318F04492EF89987291EB79D845CB5A
      APIs
      • __FindPESection.LIBCMT ref: 004B6411
      • VirtualQuery.KERNEL32(83000000,799FB8F6,0000001C,799FB8F6,00000005,00000000,?), ref: 004B64F6
      • __FindPESection.LIBCMT ref: 004B6533
      • __FindPESection.LIBCMT ref: 004B656D
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: FindSection$QueryVirtual
      • String ID:
      • API String ID: 2992484814-0
      • Opcode ID: 2437ea421b2a04e8a878a5395990921846e44b5cbc52b9cbd70e73c8c916aeb3
      • Instruction ID: 9eb565592eb6a996e35241b4caeffdbef8b363a27080e56916a638c3cbe5c507
      • Opcode Fuzzy Hash: 2437ea421b2a04e8a878a5395990921846e44b5cbc52b9cbd70e73c8c916aeb3
      • Instruction Fuzzy Hash: 8DA1BF71A00A159FCB25CF59D9907EEB7B4EB04364F16422ADC05AB3A1D73DEC41CBA8
      APIs
      • SysAllocString.OLEAUT32(?), ref: 0045A8C8
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: AllocString
      • String ID:
      • API String ID: 2525500382-0
      • Opcode ID: 7eef7becbb8e4e5eb6fad081ffdccc1ece16fa0f0ba74a47892d1f4fe48db44f
      • Instruction ID: 7b991ba33ad4de0797d6d40883f4384fc94a6f307ba79f8c94aa964a87535770
      • Opcode Fuzzy Hash: 7eef7becbb8e4e5eb6fad081ffdccc1ece16fa0f0ba74a47892d1f4fe48db44f
      • Instruction Fuzzy Hash: F181E9716047028BD720DF29D48072AF7E1EF89316F14466FE989C7352E73998A8C79A
      APIs
      • GetForegroundWindow.USER32 ref: 00436801
      • IsWindowVisible.USER32(00000000), ref: 00436821
      • DwmGetWindowAttribute.DWMAPI(00000000,0000000E,?,00000004), ref: 0043683D
      • EnumWindows.USER32(00486580,?), ref: 004368C3
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: Window$AttributeEnumForegroundVisibleWindows
      • String ID:
      • API String ID: 862223837-0
      • Opcode ID: 147fda758da29c89ed6a4d6804c1f5faae254d3a360a691e2f65a68e6e481afa
      • Instruction ID: 59c3ba81d151470b4d247ee2a8bc07b634147ca7cdd1edd7525144808a61b9b8
      • Opcode Fuzzy Hash: 147fda758da29c89ed6a4d6804c1f5faae254d3a360a691e2f65a68e6e481afa
      • Instruction Fuzzy Hash: E661E2756083029BEB14DF19D48475BBBE4AF8C318F05986EF98497381D778DC48CBA6
      APIs
      • GetTickCount.KERNEL32 ref: 00448813
      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0044883B
      • GetTickCount.KERNEL32 ref: 00448852
      • GetTickCount.KERNEL32 ref: 004488D8
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: CountTick$MessagePeek
      • String ID:
      • API String ID: 4145102785-0
      • Opcode ID: 7126d64586ac91be735c92ddb1c1de442e6e3f410669db5ea0cba7b038a9164c
      • Instruction ID: 22a2ff32dee32d44d248ee6b7bd7d61a2122b0a1cd15ab86bd4818c830480853
      • Opcode Fuzzy Hash: 7126d64586ac91be735c92ddb1c1de442e6e3f410669db5ea0cba7b038a9164c
      • Instruction Fuzzy Hash: D151F470A046448FF7249F28D8847BE7BE0EB85324F24017FE4558B3D2DB399851CB5A
      APIs
      • GetTickCount.KERNEL32 ref: 00448813
      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0044883B
      • GetTickCount.KERNEL32 ref: 00448852
      • GetTickCount.KERNEL32 ref: 004488D8
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: CountTick$MessagePeek
      • String ID:
      • API String ID: 4145102785-0
      • Opcode ID: 94caf8c466eef4d4a6d1105fd2ccdc010e64f757a5efa3b1cc5a148f3dd21281
      • Instruction ID: 8cc17ee093cb81fa5a30c608b5f76d5bcc2f4ab800ac4ba1f97ac7e19e8c1e6a
      • Opcode Fuzzy Hash: 94caf8c466eef4d4a6d1105fd2ccdc010e64f757a5efa3b1cc5a148f3dd21281
      • Instruction Fuzzy Hash: 6C51F370A046819BF728EF24D8847BF7BE1EB82314F24016FD4558B3D2CB399852DB5A
      APIs
      • GetFileType.KERNEL32(?), ref: 0047F838
      • GetStdHandle.KERNEL32(00000000), ref: 0047F8A9
      • SetLastError.KERNEL32(00000006), ref: 0047F8B7
      • CreateFileW.KERNEL32(?,?,?,00000000,?,?,00000000), ref: 0047F91F
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: File$CreateErrorHandleLastType
      • String ID:
      • API String ID: 2333540142-0
      • Opcode ID: a622085ca03ea18d9c21db5a912d1f01cea03e5c52fa7b5a8ddbfe6fb2b9e487
      • Instruction ID: 33bbb8ee5b8cf7d68fe5b373480eab9d39e07a8f3a58abec2841be03d07896aa
      • Opcode Fuzzy Hash: a622085ca03ea18d9c21db5a912d1f01cea03e5c52fa7b5a8ddbfe6fb2b9e487
      • Instruction Fuzzy Hash: EE4103326152118BDB14AF28D8457ABB799EFD1331F25C23FF41A8B390D7389C898756
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 1db2cb136545aa666e0c42066f33f1de049ee402d9af6970cbc33faddb35831a
      • Instruction ID: eb4b02ef7eaecf162d661210a29080e281c3c0441ddd4243c18df7603c3ddaff
      • Opcode Fuzzy Hash: 1db2cb136545aa666e0c42066f33f1de049ee402d9af6970cbc33faddb35831a
      • Instruction Fuzzy Hash: C7419A722053059FC705CF28C48099BBBE5FF89364F048B6AEC5993395D734E896CB85
      APIs
      • OpenProcess.KERNEL32(00001000,00000000,00000000,?,75A8A660), ref: 004290F0
      • GetProcessImageFileNameW.PSAPI(00000000,?,00000104,?), ref: 00429108
      • QueryDosDeviceW.KERNEL32(?,?,00000104,?), ref: 00429178
      • CloseHandle.KERNEL32(00000000), ref: 004291E7
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: Process$CloseDeviceFileHandleImageNameOpenQuery
      • String ID:
      • API String ID: 284135930-0
      • Opcode ID: 23f92d966259af8ceca0872773e623e60c13afabda0f9289a80b3c269e6a9e07
      • Instruction ID: e5a5ff9a35d5dcc11f3144450b6a1feeb2b81fc6127f040fd0ee37cf0a8e8633
      • Opcode Fuzzy Hash: 23f92d966259af8ceca0872773e623e60c13afabda0f9289a80b3c269e6a9e07
      • Instruction Fuzzy Hash: 8931D8666043066BE720AF65AC89FBB36ECEF55340F40082FF945C3251FA788D49C35A
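      The function above (ref 004290F0 to 004291E7) is the classic image-path lookup that needs no PROCESS_VM_READ: OpenProcess with access mask 0x1000 (PROCESS_QUERY_LIMITED_INFORMATION), GetProcessImageFileNameW into a 0x104-character (MAX_PATH) buffer, then QueryDosDeviceW to turn the NT device path it returns (\Device\HarddiskVolumeN\...) back into a drive-letter path, and CloseHandle. The following Python is an added example for this report, not code from the sample or from the AutoHotkey project; it reproduces that call chain with ctypes on Windows and, so it can be run offline, implements the path translation against a constructed device map. The process ID and the device-to-drive mapping are assumptions for illustration.

```python
"""
NT device path to DOS path translation, mirroring the call chain seen at 004290F0:
OpenProcess(0x1000) -> GetProcessImageFileNameW -> QueryDosDeviceW -> CloseHandle.
Added example for this report; not code from the sample or from AutoHotkey.
"""
import string
import sys
from typing import Dict, Optional

MAX_PATH = 0x104                            # buffer size the sample passes (260 WCHARs)
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000  # OpenProcess access mask seen in the trace

# Constructed mapping for offline use; on a live Windows host build it with
# query_device_map() below. HarddiskVolume1 is a string prefix of HarddiskVolume10,
# which is why the translation must only match on a path-component boundary.
SAMPLE_DEVICE_MAP: Dict[str, str] = {
    r"\Device\HarddiskVolume3": "C:",
    r"\Device\HarddiskVolume1": "D:",
    r"\Device\HarddiskVolume10": "E:",
}


def nt_path_to_dos(nt_path: str, device_map: Dict[str, str]) -> Optional[str]:
    """Rewrite \\Device\\HarddiskVolumeN\\... to X:\\...; None if no device matches.

    Matching is case-insensitive (NT paths from ETW/Sysmon vary in case) and the
    longest device name that ends on a backslash boundary wins.
    """
    lowered = nt_path.lower()
    best: Optional[str] = None
    for device in device_map:
        dev = device.lower()
        if not lowered.startswith(dev):
            continue
        rest = nt_path[len(dev):]
        if rest and not rest.startswith("\\"):
            continue  # partial component match, e.g. Volume1 against Volume10
        if best is None or len(device) > len(best):
            best = device
    if best is None:
        return None
    return device_map[best] + nt_path[len(best):]


def query_device_map() -> Dict[str, str]:
    """Windows only: enumerate drive letters with QueryDosDeviceW, as the sample does."""
    import ctypes
    from ctypes import wintypes

    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    kernel32.QueryDosDeviceW.argtypes = (wintypes.LPCWSTR, wintypes.LPWSTR, wintypes.DWORD)
    kernel32.QueryDosDeviceW.restype = wintypes.DWORD
    buf = ctypes.create_unicode_buffer(MAX_PATH)
    device_map: Dict[str, str] = {}
    for letter in string.ascii_uppercase:
        drive = f"{letter}:"
        if kernel32.QueryDosDeviceW(drive, buf, MAX_PATH):
            device_map[buf.value] = drive  # e.g. \Device\HarddiskVolume3 -> C:
    return device_map


def process_image_path(pid: int) -> Optional[str]:
    """Windows only: the sample's exact sequence, returning a DOS path or None."""
    import ctypes
    from ctypes import wintypes

    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    psapi = ctypes.WinDLL("psapi", use_last_error=True)
    kernel32.OpenProcess.argtypes = (wintypes.DWORD, wintypes.BOOL, wintypes.DWORD)
    kernel32.OpenProcess.restype = wintypes.HANDLE
    kernel32.CloseHandle.argtypes = (wintypes.HANDLE,)
    psapi.GetProcessImageFileNameW.argtypes = (wintypes.HANDLE, wintypes.LPWSTR, wintypes.DWORD)
    psapi.GetProcessImageFileNameW.restype = wintypes.DWORD

    handle = kernel32.OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, False, pid)
    if not handle:
        return None
    try:
        buf = ctypes.create_unicode_buffer(MAX_PATH)
        if not psapi.GetProcessImageFileNameW(handle, buf, MAX_PATH):
            return None
        return nt_path_to_dos(buf.value, query_device_map())
    finally:
        kernel32.CloseHandle(handle)


if __name__ == "__main__":
    if sys.platform == "win32":
        # PID 4 (System) is an assumed default; pass another PID on the command line.
        print(process_image_path(int(sys.argv[1]) if len(sys.argv) > 1 else 4))
    else:
        # Constructed trace value in the shape GetProcessImageFileNameW returns.
        print(nt_path_to_dos(r"\Device\HarddiskVolume3\Users\victim\Downloads\Login_msifar.txt.exe",
                             SAMPLE_DEVICE_MAP))
```

      The same translation is what an analyst needs when correlating this report's process-tree entries with Sysmon or ETW records, which log image paths in the \Device\HarddiskVolumeN form; note that QueryDosDeviceW only knows local drive letters, so network (\Device\Mup) and unmounted-volume paths come back as None rather than a wrong drive.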
      APIs
      • GetWindowLongW.USER32(?,000000EC), ref: 0043713A
      • SetWindowLongW.USER32(?,000000EC,00000000), ref: 0043714D
      • SetWindowLongW.USER32(?,000000EC,00000000), ref: 0043716A
      • SetLayeredWindowAttributes.USER32(?,?,?,00000000), ref: 00437177
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: Window$Long$AttributesLayered
      • String ID:
      • API String ID: 2169480361-0
      • Opcode ID: 054e2e2db9d8390a725871462677780582ee960ef718a4c5f6987b7241fac94d
      • Instruction ID: 8c4fd42d610e46ee1c0473c661691a655680fbca26e0cb695a4cb443f7f5387b
      • Opcode Fuzzy Hash: 054e2e2db9d8390a725871462677780582ee960ef718a4c5f6987b7241fac94d
      • Instruction Fuzzy Hash: 1F21B7B33082555FDB249E6D9C40A6B77AEEB89330F14422EFC55C23D4DB29CC0586AA
      APIs
      • SendInput.USER32(0000001C,00000000,?,?,0041A735), ref: 0041B5A3
      • GetForegroundWindow.USER32(?,?,0041A735), ref: 0041B5E3
      • SendInput.USER32(0000001C,00000000,?,?,0041A735), ref: 0041B60E
      • SetWindowsHookExW.USER32(00000001,004198A0,00000000), ref: 0041B633
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: InputSend$ForegroundHookWindowWindows
      • String ID:
      • API String ID: 2076715878-0
      • Opcode ID: cd1ff1d49d6e3d903f111f7200ff0497a1dbc5a5e73b3b6e60a907274d05093c
      • Instruction ID: b9220d84052bb63e5c62c53273765e15b4170b463660d828c5d0fd1eac553329
      • Opcode Fuzzy Hash: cd1ff1d49d6e3d903f111f7200ff0497a1dbc5a5e73b3b6e60a907274d05093c
      • Instruction Fuzzy Hash: 1D316A31544280EFDB119B28ECD07D63BE0FB56309F54447AE4844B3A3CBBA5899CB9E
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 244655152c32c7ddf3df119b868eedd0bd5526c0d7ecc6d5ab3de6def866a521
      • Instruction ID: 0afc6bcf6ff933a94994675ed6bbaf1e7137d8c43b7524ae50be1b96fded5d7c
      • Opcode Fuzzy Hash: 244655152c32c7ddf3df119b868eedd0bd5526c0d7ecc6d5ab3de6def866a521
      • Instruction Fuzzy Hash: 0D115071601204FBDB302B65AC09B1B7B5CDB63B64F15013BF94197291DB74CC10DAAE
      APIs
      • SetWindowTheme.UXTHEME(?,004CEEA8,004CEEA8,?,75A7CF90,?,?,0046BCAF,?,?,?,00000409,00000001,00000000), ref: 004702E0
      • SendMessageW.USER32(?,00000406,?,?), ref: 00470319
      • SendMessageW.USER32(?,00000409,00000000,?), ref: 0047032D
      • SendMessageW.USER32(?,00002001,00000000,?), ref: 00470344
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: MessageSend$ThemeWindow
      • String ID:
      • API String ID: 1518753382-0
      • Opcode ID: fc5535605325d691b336c5994efda4da04130f860d69e4dc675ac861ee0f0aaa
      • Instruction ID: 55815249e14003ec83bf762de08b2bd783653e5dfb505c41b8318251185e8d18
      • Opcode Fuzzy Hash: fc5535605325d691b336c5994efda4da04130f860d69e4dc675ac861ee0f0aaa
      • Instruction Fuzzy Hash: E5119D35242306EBE720CF15DC89BABF7A4FF00754F10451AF854626A0C335AC69CBA9
      APIs
      • GetWindowTextW.USER32(?,?,00007FFF), ref: 00487511
      • GetWindowThreadProcessId.USER32(?,?), ref: 00487530
      • GetWindowThreadProcessId.USER32(?,?), ref: 0048753F
      • GetClassNameW.USER32(?,?,00000101), ref: 0048757D
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: Window$ProcessThread$ClassNameText
      • String ID:
      • API String ID: 3420357866-0
      • Opcode ID: 130c4b8f4955fa95489c27d52a4c0d8da3a49b6359f3beac02bf8190849487aa
      • Instruction ID: df4b80d755145c199fc83fe651bfe5ccf85ae3f7047d239db5b9e87f8b80692a
      • Opcode Fuzzy Hash: 130c4b8f4955fa95489c27d52a4c0d8da3a49b6359f3beac02bf8190849487aa
      • Instruction Fuzzy Hash: 3711B271108745ABD731AB14DC50EABB7E9AF45740F240D2EE8C682A90E779FD41CB28
      APIs
      • GetFileAttributesW.KERNEL32(?,?,?,0042003A,?,00008000,?,00000000), ref: 00420075
      • SetLastError.KERNEL32(000000B7,?,?,?,0042003A,?,00008000,?,00000000), ref: 00420087
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: AttributesErrorFileLast
      • String ID:
      • API String ID: 1799206407-0
      • Opcode ID: b81ab96f4bb8f512c2afcbec67a414a8760fe447377c537aff1c908e6c3b7838
      • Instruction ID: 885506bbce0813c8655aba0d5aec82199e51315605a04f79410e3a11bfdb0314
      • Opcode Fuzzy Hash: b81ab96f4bb8f512c2afcbec67a414a8760fe447377c537aff1c908e6c3b7838
      • Instruction Fuzzy Hash: 9801D6217532315BFB20276CBC497DF33D89F86322F10022BE10487292DBA9088683AE
      APIs
      • GetMenu.USER32(?), ref: 004655F8
      • IsWindowVisible.USER32(?), ref: 00465607
      • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037,?,00000000,00000000,?,00472656), ref: 0046561C
      • RedrawWindow.USER32(?,00000000,00000000,00000501,?,00000000,00000000,?,00472656), ref: 0046562A
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: Window$MenuRedrawVisible
      • String ID:
      • API String ID: 1537645765-0
      • Opcode ID: d6b1eaa8c03ee618964244f88f067aebedfdea1e586af0b580bd06c973974604
      • Instruction ID: d5fb773904ee674cd522d4fbcae0b57d2fd5bf0257b21824d0f0646ad9658981
      • Opcode Fuzzy Hash: d6b1eaa8c03ee618964244f88f067aebedfdea1e586af0b580bd06c973974604
      • Instruction Fuzzy Hash: 53F06D72601B11AFDB316F14EC40B1BB7B9EB44B60F20462EE646676A0DA61FC05CB6D
      APIs
      • GetFullPathNameW.KERNEL32(?,00008000,?,?), ref: 0047D731
      • WritePrivateProfileStringW.KERNEL32(?,?,00000000,?), ref: 0047D74C
      • GetLastError.KERNEL32 ref: 0047D754
      • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0047D76E
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: PrivateProfileStringWrite$ErrorFullLastNamePath
      • String ID:
      • API String ID: 1696864895-0
      • Opcode ID: ca806225e9341523cb9cc0e93833894cfed274598d69633f204eab03aaaa31b1
      • Instruction ID: ddbc1564f489a73e5e4e8994317ff6b777d3275962ced2afedbf1765b1dc6538
      • Opcode Fuzzy Hash: ca806225e9341523cb9cc0e93833894cfed274598d69633f204eab03aaaa31b1
      • Instruction Fuzzy Hash: E00181B9600204AFD7228B50DC45FDA77E8FB48700F824579B689C62A0DB74D985DB9D
      APIs
      • WriteConsoleW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,004B3798,00000000,00000001,?,?,?,004B28AC,?,00000000,00000000), ref: 004B45D0
      • GetLastError.KERNEL32(?,004B3798,00000000,00000001,?,?,?,004B28AC,?,00000000,00000000,?,?,?,004B2E4F,00000000), ref: 004B45DC
        • Part of subcall function 004B45A2: CloseHandle.KERNEL32(FFFFFFFE,004B45EC,?,004B3798,00000000,00000001,?,?,?,004B28AC,?,00000000,00000000,?,?), ref: 004B45B2
      • ___initconout.LIBCMT ref: 004B45EC
        • Part of subcall function 004B4564: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,004B4593,004B3785,?,?,004B28AC,?,00000000,00000000,?), ref: 004B4577
      • WriteConsoleW.KERNEL32(00000000,00000000,00000000,00000000,?,004B3798,00000000,00000001,?,?,?,004B28AC,?,00000000,00000000,?), ref: 004B4601
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
      • String ID:
      • API String ID: 2744216297-0
      • Opcode ID: 2ae2d0b9a0903fa11e5831b704dc93b7f7b8e4b78641a4a092c3ec314cf7cdd8
      • Instruction ID: 5d187ab13ce55bf7e45a78bde929f4876fcadee74657ac480dc7fc3d2a733108
      • Opcode Fuzzy Hash: 2ae2d0b9a0903fa11e5831b704dc93b7f7b8e4b78641a4a092c3ec314cf7cdd8
      • Instruction Fuzzy Hash: 3EF03036000258BBCF222F95DC059DA3F6AFB497A0B044525FE0895231DB768824DFA9
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: __alloca_probe_16
      • String ID: Out of memory.$String
      • API String ID: 1700504859-2321736810
      • Opcode ID: f5681efb8dbbd31695f964edc507807ac0a61db231ecbc94a42344fcee401c38
      • Instruction ID: e4d5f61c6776f9244bef16301f3546f35824cd0df9cfa88893c34012f2f30775
      • Opcode Fuzzy Hash: f5681efb8dbbd31695f964edc507807ac0a61db231ecbc94a42344fcee401c38
      • Instruction Fuzzy Hash: 91D13F70E00119DFDB18DFA5C480BAEB7B5BF48305F24406AE902AB352D779EE49CB59
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: __alloca_probe_16
      • String ID:
      • API String ID: 1700504859-3916222277
      • Opcode ID: 035109b1bd3970922f5db03be22da2e71b7968191893e3fee91ccec84dd22f0c
      • Instruction ID: e8c2bf190761e04d42ff48eb9cc48b189682e0e4ce769ec79aed8f03e00e7432
      • Opcode Fuzzy Hash: 035109b1bd3970922f5db03be22da2e71b7968191893e3fee91ccec84dd22f0c
      • Instruction Fuzzy Hash: 9FD178B4A002499FDB10CF98C880AAEFBF1FF49304F14855ED859AB352D739E945CB66
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: __alloca_probe_16
      • String ID: Out of memory.
      • API String ID: 1700504859-4087320997
      • Opcode ID: 759f9be47c6fc131327eac03f97bf66f40542008d149c19db98136f41a7b314a
      • Instruction ID: 86887012666defb8a80bb5fad1d690d48b23a6314b4e64020ebe0824b137efe6
      • Opcode Fuzzy Hash: 759f9be47c6fc131327eac03f97bf66f40542008d149c19db98136f41a7b314a
      • Instruction Fuzzy Hash: BCB19F75A002199BEF20DF64C8806BEB7B1EF88304F1580ABD845AB341E739DE41CBD9
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: __aulldiv
      • String ID: +$-
      • API String ID: 3732870572-2137968064
      • Opcode ID: 613000bf4a20b023215a36e1b5656f04373c04fdb9d956defdff5856e002e156
      • Instruction ID: fd4a5586ff31c57ff5716477bf105d3e5da01de6531d096b11c8dd787a436a00
      • Opcode Fuzzy Hash: 613000bf4a20b023215a36e1b5656f04373c04fdb9d956defdff5856e002e156
      • Instruction Fuzzy Hash: 1DA1D334901298AFCF14DE7888406EE7BA1AFE7324F14855BE8659B381D3BCD902CB59
      APIs
      • GetTickCount.KERNEL32 ref: 0046094E
      • SetTimer.USER32(0000000D,00002710,0044FE70), ref: 00460984
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: CountTickTimer
      • String ID: Out of memory.
      • API String ID: 3511537334-4087320997
      • Opcode ID: d7d6f3b711d79ed03b176454b438da3975b3556de59496985e3d159e3a464850
      • Instruction ID: f9b381d1677c7890fbb5d9e3787ab663070925c9d1f21c2ea20e5b33948fa824
      • Opcode Fuzzy Hash: d7d6f3b711d79ed03b176454b438da3975b3556de59496985e3d159e3a464850
      • Instruction Fuzzy Hash: 499104B1A042559FD710EF29DC80B67B7E6AB84304F14853FE8858B392E739DC45CB9A
      APIs
      • Shell_NotifyIconW.SHELL32(00000001,00000000), ref: 0044E492
      • Shell_NotifyIconW.SHELL32(00000001,00000000), ref: 0044E4B4
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: IconNotifyShell_
      • String ID:
      • API String ID: 1144537725-3916222277
      • Opcode ID: 55c5abde238032b814d17fe873288183518ea641551abbeb4cbc187e14e708c5
      • Instruction ID: 8850856ea8dd587be342bcbde6d011b1ef91e5fd3dc2db9c8514238bb7a89aee
      • Opcode Fuzzy Hash: 55c5abde238032b814d17fe873288183518ea641551abbeb4cbc187e14e708c5
      • Instruction Fuzzy Hash: AF3145706083419BF736DB65D8457ABB7E8BF99304F04082EE9C9C7291E7789A05C71B
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: CountTick
      • String ID: #HotIf
      • API String ID: 536389180-3987657291
      • Opcode ID: 63a5d3d6fd269ce9a74b98106a64bfc1ce3b1963a643e7b99d06812ccccf2600
      • Instruction ID: 567f68731d125af4b1ab3c5caa07e17dd26b3e764ba58123004eb3cd0b331024
      • Opcode Fuzzy Hash: 63a5d3d6fd269ce9a74b98106a64bfc1ce3b1963a643e7b99d06812ccccf2600
      • Instruction Fuzzy Hash: FC619EB09043808FD710CF28E9857567BE0FB59308F14456EE9899F3A2D7B5A894CF9E
      APIs
        • Part of subcall function 00439760: GetModuleHandleW.KERNEL32(user32.dll,GetDpiForWindow,?,?,?,?), ref: 00439816
        • Part of subcall function 00439760: GetProcAddress.KERNEL32(00000000), ref: 0043981D
        • Part of subcall function 00439760: GetSystemMetrics.USER32(00000031), ref: 0043982A
        • Part of subcall function 00439760: FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00439842
        • Part of subcall function 00439760: MulDiv.KERNEL32(00000000,00000000), ref: 00439857
        • Part of subcall function 00439760: LoadImageW.USER32(0000009F,00000001,00000000,00000000,00008000), ref: 0043986F
        • Part of subcall function 00439760: Shell_NotifyIconW.SHELL32(00000001,004E9CAB), ref: 0043988A
        • Part of subcall function 00439760: Shell_NotifyIconW.SHELL32(00000000,004E9CAB), ref: 00439892
      • GetTickCount.KERNEL32 ref: 00404273
      • GetTickCount.KERNEL32 ref: 00404321
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: CountIconNotifyShell_Tick$AddressFindHandleImageLoadMetricsModuleProcSystemWindow
      • String ID: HL
      • API String ID: 3214655289-3233730968
      • Opcode ID: c29b8af0ddde3282164c3a09179c5b8229687bad313fa5dae456b52cc5b5d69e
      • Instruction ID: c74b263e2dfcbdeace0175923523d66292f5dd5e3058fda28f2010ad6b05e4b6
      • Opcode Fuzzy Hash: c29b8af0ddde3282164c3a09179c5b8229687bad313fa5dae456b52cc5b5d69e
      • Instruction Fuzzy Hash: 9151C7B4504380CFD710DF28D4807567BE0FB95308F1446AEEA859B3E2D7BAA885CF49
      APIs
      • FindWindowW.USER32(#32771,00000000), ref: 0041343E
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: FindWindow
      • String ID: #32771$gfff
      • API String ID: 134000473-2475451717
      • Opcode ID: 2512bcff447c994b0906c34b34dc048f0f1d60de6739918b233018ad6b6b2e3c
      • Instruction ID: 79ff16cab9c94d6acf0db9dd01abc18523a8466a283d949ad798f82e7dbd0776
      • Opcode Fuzzy Hash: 2512bcff447c994b0906c34b34dc048f0f1d60de6739918b233018ad6b6b2e3c
      • Instruction Fuzzy Hash: BF518E30254BC08EE721CF24D869787BBD1AF61349F08455ED08A4B3A2D7B9A588CB5E
      APIs
      • VariantCopyInd.OLEAUT32(?,?), ref: 0045B512
        • Part of subcall function 0045AB80: VariantClear.OLEAUT32(?), ref: 0045AB99
        • Part of subcall function 0045AD20: FormatMessageW.KERNEL32(00001200,00000000,?,00000000,?,00000FFF,00000000,00000000), ref: 0045AD95
        • Part of subcall function 0045AD20: SysFreeString.OLEAUT32(?), ref: 0045AE17
        • Part of subcall function 0045AD20: SysFreeString.OLEAUT32(?), ref: 0045AE1C
        • Part of subcall function 0045AD20: SysFreeString.OLEAUT32(?), ref: 0045AE21
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: FreeString$Variant$ClearCopyFormatMessage
      • String ID: Invalid usage.$Number
      • API String ID: 3986951414-1680953729
      • Opcode ID: ccae7ea7723f8bfbca8f7ccfbc29e296fcf58f374191a2285d696fde226b13fb
      • Instruction ID: ae6e47d0e057b147c8e9bc6ca22424aee6f411a057fb329870e009a8867c2054
      • Opcode Fuzzy Hash: ccae7ea7723f8bfbca8f7ccfbc29e296fcf58f374191a2285d696fde226b13fb
      • Instruction Fuzzy Hash: 0441E6366002089BD714DF1AE441B6B7395EF8431AF10852FED09CB352E73AE858C7DA
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: __allrem
      • String ID: Divide by zero.$Invalid parameter(s).
      • API String ID: 2933888876-2588268656
      • Opcode ID: c0f9e21d0cd9b65e1ab30712687494980fb75701a7721a0dc8cc70cf829730d6
      • Instruction ID: f1866694e291520350f53f21345be16375424fad52471492e0bcf26b20fde37f
      • Opcode Fuzzy Hash: c0f9e21d0cd9b65e1ab30712687494980fb75701a7721a0dc8cc70cf829730d6
      • Instruction Fuzzy Hash: B64125317086149BC701EF25E45046FB3A5FFC5358F404A6FF8892B251DB39D9468B8B
      APIs
      • SystemTimeToFileTime.KERNEL32(?,?), ref: 004276FF
      • FileTimeToSystemTime.KERNEL32(?,?), ref: 004277A8
      Strings
      • %04d%02d%02d%02d%02d%02d, xrefs: 004277D6
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: Time$FileSystem
      • String ID: %04d%02d%02d%02d%02d%02d
      • API String ID: 2086374402-4847443
      • Opcode ID: 585e9da30b644dbf33bdd774cb308afb857c2d7a43264b9d11e289a0b402e171
      • Instruction ID: 806cba751bb9611994912caa0ab7ab7568d42ef73754c5a4f399c6bac029d22c
      • Opcode Fuzzy Hash: 585e9da30b644dbf33bdd774cb308afb857c2d7a43264b9d11e289a0b402e171
      • Instruction Fuzzy Hash: 4331B2727042158BC714DF59A8416ABB3E8EB88765F04066BFD89D7390E738DC41C7E6
      APIs
      • GetKeyboardLayout.USER32(00000000), ref: 004308B6
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: KeyboardLayout
      • String ID: %.17g$Invalid value.
      • API String ID: 194098044-2967725938
      • Opcode ID: 90b5f6b3951653f08ec76b8132dca69f1c60b5ab4a89fa654d8fb2a1dcd7df67
      • Instruction ID: e9bed896e628877d1dbf17cc6366540469130a5710b9c3588b089c2a8c78f324
      • Opcode Fuzzy Hash: 90b5f6b3951653f08ec76b8132dca69f1c60b5ab4a89fa654d8fb2a1dcd7df67
      • Instruction Fuzzy Hash: F5415A369047509BD725BB28D8257AB77E0DF4A310F041B6FF84657392D768A94083DE
      APIs
      • EncodePointer.KERNEL32(00000000,?), ref: 0049E061
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: EncodePointer
      • String ID: MOC$RCC
      • API String ID: 2118026453-2084237596
      • Opcode ID: 5462053dc8004f1a49fc29060c40e2dd8fb4948acd2c6a938e984cd622b9d618
      • Instruction ID: 74e00244af3cb2ec52435afe5f9b187a06fd4a88c7847bea03986bb5e01a2fa7
      • Opcode Fuzzy Hash: 5462053dc8004f1a49fc29060c40e2dd8fb4948acd2c6a938e984cd622b9d618
      • Instruction Fuzzy Hash: 89412872900109AFCF15DF95CD82AAEBFB5FF48304F1480AAF90466251D7799950DB58
      APIs
      • Shell_NotifyIconW.SHELL32(00000001,004EA1B5), ref: 00431593
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: IconNotifyShell_
      • String ID: %.17g$Login_msifar.txt.exe
      • API String ID: 1144537725-3468464262
      • Opcode ID: d3ca1d350ff50443f7101e129c98827dc901da94801c84393451a0190eea0cac
      • Instruction ID: 64e0c5b1935c68a59da82ede063477d02e06d2dc168ded151c3fab59c17faa8c
      • Opcode Fuzzy Hash: d3ca1d350ff50443f7101e129c98827dc901da94801c84393451a0190eea0cac
      • Instruction Fuzzy Hash: 8C412C32A00651ABC720AB24D80576B77A49FAA714F08156FE8475B3A2E76CED51C38E
      APIs
      • ___from_strstr_to_strchr.LIBCMT ref: 0040B3E9
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: ___from_strstr_to_strchr
      • String ID: file://$file:///
      • API String ID: 601868998-3202756431
      • Opcode ID: 4097ae7698ab9edc50d23f22b84ccb2fc22e2674d1a3ccf6a2e6e9991ba86dd1
      • Instruction ID: 96788a9ccd4a18b7be08a9bd496c92b6e66d14b3185e6e5519ee1f9a6a5b1d93
      • Opcode Fuzzy Hash: 4097ae7698ab9edc50d23f22b84ccb2fc22e2674d1a3ccf6a2e6e9991ba86dd1
      • Instruction Fuzzy Hash: 9A117F5268839069C7215A285C41FAB7B888FB7700F04452BFDC46A283F26C960A83EF
      APIs
      • __EH_prolog.LIBCMT ref: 0040A7E4
        • Part of subcall function 0040AFF6: _strlen.LIBCMT ref: 0040B124
        • Part of subcall function 0040C037: __EH_prolog.LIBCMT ref: 0040C03C
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: H_prolog$_strlen
      • String ID: </stream>$<stream type="%s">
      • API String ID: 1490583215-2236912621
      • Opcode ID: b2842dfa85179736b3dd54ea9a718f3c0144f6cea419b657c2a13009b30bb41d
      • Instruction ID: aae3e0c90c3687447963147040a8215dddd7f1c2e7e97a58aebf5fb1a163d4b6
      • Opcode Fuzzy Hash: b2842dfa85179736b3dd54ea9a718f3c0144f6cea419b657c2a13009b30bb41d
      • Instruction Fuzzy Hash: 2A0170B2A00205AADB15A756C456ABFB764EF40308F10402FE901B7281DB786D01C7A9
      APIs
      • __EH_prolog.LIBCMT ref: 0040B5FF
        • Part of subcall function 0040C037: __EH_prolog.LIBCMT ref: 0040C03C
        • Part of subcall function 00409605: _strlen.LIBCMT ref: 00409626
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: H_prolog$_strlen
      • String ID: [%Ii]$[Object(%Ii)]
      • API String ID: 1490583215-3384451382
      • Opcode ID: de549e768a48ddd80afa7b5688bd7e28ad6b4324e31c136bb569f402111d1087
      • Instruction ID: a69ed254ab6b06f4beb44be365713151f49539ce5fa9a1b9ddbd1811f442349e
      • Opcode Fuzzy Hash: de549e768a48ddd80afa7b5688bd7e28ad6b4324e31c136bb569f402111d1087
      • Instruction Fuzzy Hash: D8119D31500500EFCB05ABA9C816EAA7B61EF08304F11812AFA02776F2C77AAD10DB8D
      APIs
      Strings
      • %04d%02d%02d%02d%02d%02d, xrefs: 00431779
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: Time$LocalSystem
      • String ID: %04d%02d%02d%02d%02d%02d
      • API String ID: 1098363292-4847443
      • Opcode ID: 1bedc1b934807a39462cfc9457b6cb797e97f8e0fe169587a32e778bda7c4171
      • Instruction ID: 468e84558a9d21840ef696848d874904c6aa7ac37d2c9a4b5d7829e4c919c589
      • Opcode Fuzzy Hash: 1bedc1b934807a39462cfc9457b6cb797e97f8e0fe169587a32e778bda7c4171
      • Instruction Fuzzy Hash: EFF0E771008212AFD760EF99D845A7BB7F8AF48701F04494AF9D1D21A1E738D898D7A6
      APIs
      • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00438173
      • PostMessageW.USER32(00000000), ref: 0043817A
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: FindMessagePostWindow
      • String ID: Shell_TrayWnd
      • API String ID: 2578315405-2988720461
      • Opcode ID: 72a7069c14767a6da9193d2310fc54cf7f96d10e1e8d8226b8665b68e6bae314
      • Instruction ID: 6f05f2c82ed38ae61321a732d70a92b9bd15aa647572ca8ff6c5a0c5cdd65765
      • Opcode Fuzzy Hash: 72a7069c14767a6da9193d2310fc54cf7f96d10e1e8d8226b8665b68e6bae314
      • Instruction Fuzzy Hash: 2AD0A734780300ABE6044760DCD6F513715AB44720FA10316F3129E7E1CBF89440C60D
      APIs
      • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00438133
      • PostMessageW.USER32(00000000), ref: 0043813A
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.3284142558.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.3284131612.0000000000400000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004B8000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284189468.00000000004CE000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284218548.00000000004E2000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284228425.00000000004E3000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284238530.00000000004E4000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284248293.00000000004E6000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284257937.00000000004E7000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.3284269575.00000000004EC000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Login_msifar.jbxd
      Similarity
      • API ID: FindMessagePostWindow
      • String ID: Shell_TrayWnd
      • API String ID: 2578315405-2988720461
      • Opcode ID: 76a55d53400634b28757b1f1456e812dab38059c28fd9153c8aca8c9c792590d
      • Instruction ID: fcf3780096417f6170191495165c176d439f0649784a78873167661f339d2cdd
      • Opcode Fuzzy Hash: 76a55d53400634b28757b1f1456e812dab38059c28fd9153c8aca8c9c792590d
      • Instruction Fuzzy Hash: E7D0A734780300ABE6044760DCDBF513715A744720F610316F3229E7E1CBF89440C60D
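The function records above are the Joe Sandbox IDA plugin's per-function output for the sample: each record lists the Win32 calls the function makes, the string constants it references, and opcode/instruction hashes for similarity lookups. The Python below is an editor's example added to this page; it is not part of the report and not Joe Sandbox code. It parses records in that layout and pulls out what a triager reads first: the double-extension filename the report already flags (Login_msifar.txt.exe passed to Shell_NotifyIconW), the Shell_TrayWnd and #32771 window lookups, and functions that find a window and then post messages to it. The sample input is constructed to mirror three of the records above, and the labels are the example's own heuristics: the tray icon, taskbar lookup and task-switch window lookup are ordinary behaviour of the AutoHotkey runtime the sample is compiled with, so these flags are prompts for a closer look, not verdicts.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample in the layout of the report's function listing
# (three records, section headings and bullets as on the page).
SAMPLE = """\
APIs
• FindWindowW.USER32(#32771,00000000), ref: 0041343E
Strings
Similarity
• API ID: FindWindow
• String ID: #32771$gfff
• API String ID: 134000473-2475451717
• Opcode ID: 2512bcff447c994b0906c34b34dc048f0f1d60de6739918b233018ad6b6b2e3c
APIs
• Shell_NotifyIconW.SHELL32(00000001,004EA1B5), ref: 00431593
Strings
Similarity
• API ID: IconNotifyShell_
• String ID: %.17g$Login_msifar.txt.exe
• API String ID: 1144537725-3468464262
• Opcode ID: d3ca1d350ff50443f7101e129c98827dc901da94801c84393451a0190eea0cac
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00438173
• PostMessageW.USER32(00000000), ref: 0043817A
Strings
Similarity
• API ID: FindMessagePostWindow
• String ID: Shell_TrayWnd
• API String ID: 2578315405-2988720461
• Opcode ID: 72a7069c14767a6da9193d2310fc54cf7f96d10e1e8d8226b8665b68e6bae314
"""

# "• Name.MODULE(args), ref: ADDR"; args and ref are optional because
# LIBCMT entries such as "• _strlen.LIBCMT ref: ..." carry neither.
API_CALL_RE = re.compile(
    r"^• (?P<name>\w+)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?(?:,? ref: (?P<ref>[0-9A-F]+))?"
)
# "• Key: value" bullets under Similarity (API ID, String ID, Opcode ID, ...)
FIELD_RE = re.compile(r"^• (?P<key>[A-Za-z ]+?): ?(?P<val>.*)$")
SECTION_HEADINGS = {"Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}

# Triage heuristics (this example's own, not the report's rules).
DOUBLE_EXT_RE = re.compile(r"\.(txt|pdf|doc|docx|jpg|png)\.(exe|scr|com)$", re.I)
WINDOW_CLASSES = {
    "Shell_TrayWnd": "taskbar window",
    "#32771": "task-switch (Alt+Tab) window class",
}


@dataclass
class FunctionRecord:
    api_calls: List[Dict[str, str]] = field(default_factory=list)
    strings: List[str] = field(default_factory=list)
    fields: Dict[str, str] = field(default_factory=dict)


def parse_records(text: str) -> List[FunctionRecord]:
    """Split the listing at each 'APIs' heading and collect one record per function."""
    records: List[FunctionRecord] = []
    current = None
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":                      # every record opens with its API list
            current = FunctionRecord()
            records.append(current)
            section = "APIs"
            continue
        if line in SECTION_HEADINGS:
            section = line
            continue
        if current is None or not line.startswith("•"):
            continue
        if section == "APIs":
            m = API_CALL_RE.match(line)         # subcall bullets ("• Part of ...") do not match
            if m:
                current.api_calls.append(m.groupdict())
        elif section == "Similarity":
            m = FIELD_RE.match(line)
            if m:
                key, val = m.group("key"), m.group("val")
                current.fields[key] = val
                if key == "String ID":          # strings are joined with '$' in the report
                    current.strings = [s for s in val.split("$") if s]
    return records


def triage(records: List[FunctionRecord]) -> List[Tuple[int, str, str]]:
    """Return (record index, heuristic label, evidence) for records worth a second look."""
    findings: List[Tuple[int, str, str]] = []
    for idx, rec in enumerate(records):
        for s in rec.strings:
            if DOUBLE_EXT_RE.search(s):
                findings.append((idx, "double-extension filename", s))
            if s in WINDOW_CLASSES:
                findings.append((idx, "window lookup: " + WINDOW_CLASSES[s], s))
        names = {c["name"] for c in rec.api_calls}
        if "Shell_NotifyIconW" in names:
            findings.append((idx, "tray icon registration", "Shell_NotifyIconW"))
        if {"FindWindowW", "PostMessageW"} <= names:
            findings.append((idx, "posts message to found window", ",".join(sorted(names))))
    return findings


if __name__ == "__main__":
    for idx, label, evidence in triage(parse_records(SAMPLE)):
        print(f"record {idx}: {label} [{evidence}]")
```

To run it against a full report, paste the function listing into a file and feed its contents to `parse_records`; the `Opcode ID` field each record keeps in `fields` is the value to pivot on when checking other samples for the same function bodies.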